dmsimard | SpamapS: +1 | 00:04 |
---|---|---|
*** harlowja has quit IRC | 00:34 | |
*** rlandy has quit IRC | 01:34 | |
*** bhavikdbavishi has joined #zuul | 05:42 | |
*** bhavikdbavishi has quit IRC | 05:58 | |
openstackgerrit | Simon Westphahl proposed openstack-infra/nodepool master: Update static nodes in Zookeeper on config change https://review.openstack.org/598156 | 06:37 |
*** hashar has joined #zuul | 06:53 | |
*** pcaruana has joined #zuul | 07:19 | |
*** jpena|off is now known as jpena | 07:31 | |
openstackgerrit | Sorin Sbarnea proposed openstack-infra/zuul master: Display correct cursor when hovering over patchset header https://review.openstack.org/598222 | 07:41 |
*** electrofelix has joined #zuul | 08:08 | |
*** eumel8 has joined #zuul | 08:30 | |
ssbarnea | zuul tox-py35 seems broken, see https://review.openstack.org/#/c/598222/ -- can someone look at it? | 09:08 |
-openstackstatus- NOTICE: Jobs using devstack-gate (legacy devstack jobs) have been failing due to an ara update. We use now a newer ansible version, it's safe to recheck if you see "ImportError: No module named manager" in the logs. | 09:58 | |
*** jpena is now known as jpena|lunch | 11:28 | |
*** jpena|lunch is now known as jpena | 12:23 | |
*** rlandy has joined #zuul | 12:40 | |
*** EmilienM is now known as EvilienM | 12:57 | |
*** samccann has joined #zuul | 12:59 | |
*** hashar is now known as hasharAway | 13:38 | |
*** jpena is now known as jpena|off | 14:42 | |
*** jpena|off is now known as jpena | 14:43 | |
Shrews | corvus: left you a question on 592213 | 14:55 |
corvus | Shrews: when would it be none? | 14:56 |
Shrews | corvus: you allow for it in __init__ | 14:57 |
corvus | Shrews: oh! keystorage. i thought you meant the path | 14:57 |
Shrews | right | 14:57 |
corvus | Shrews: it's none only for the config syntax validation, in real use, it always needs to be set, so if we screw that up, bombing out is the correct thing anyway | 14:58 |
Shrews | ok. i couldn't yet discern the circumstances when it would actually be None | 14:59 |
corvus | Shrews: yeah, there's a zuul cli command to do basic yaml validation of the tenant config; there's a test case that covers it. | 15:01 |
Shrews | corvus: it's None when called from _loadDynamicLayout() also | 15:02 |
Shrews | is that covered? | 15:02 |
Shrews | that doesn't appear to call fromYaml(), so i think that's ok | 15:05 |
*** samccann has quit IRC | 15:06 | |
corvus | Shrews: oh yep, forgot about that. yeah that's got lots of coverage too. basically, as long as we aren't adding any new projects to the system, we're fine. that requires a full reconfiguration; it can't be done in a dynamic configuration. | 15:07 |
Shrews | corvus: stack lgtm. only +2'd to allow clarkb to have a look if he's interested | 15:18 |
Shrews | and pabelanger | 15:18 |
*** pcaruana has quit IRC | 15:26 | |
*** jlvillal is now known as jlvilla-viva | 15:30 | |
openstackgerrit | Markus Hosch proposed openstack-infra/zuul master: Add a sanity check for all refs returned by Gerrit https://review.openstack.org/599011 | 15:36 |
pabelanger | Shrews: corvus: I also +2'd, left comment for request for documentation. But exciting feature | 15:41 |
corvus | yeah, there's still more work to do -- but this was a good checkpoint | 15:42 |
pabelanger | agree, we may want to consider different SSH key format in the future, in case users say only support ed25519. | 15:43 |
pabelanger | adding, more formats | 15:44 |
*** electrofelix has quit IRC | 15:47 | |
*** jpena is now known as jpena|off | 16:03 | |
*** openstackgerrit has quit IRC | 16:06 | |
*** dkehn has quit IRC | 16:25 | |
*** dkehn_ has quit IRC | 16:30 | |
*** openstackgerrit has joined #zuul | 16:47 | |
openstackgerrit | Fabien Boucher proposed openstack-infra/zuul-jobs master: ensure-sphinx: do not attempt a gettext install if exists https://review.openstack.org/599028 | 16:47 |
clarkb | ok finally in a spot to review those changes /me checks if they are still waiting | 17:11 |
*** samccann has joined #zuul | 17:20 | |
openstackgerrit | Fabien Boucher proposed openstack-infra/zuul-jobs master: ensure-sphinx: do not attempt a gettext install if exists https://review.openstack.org/599028 | 17:20 |
clarkb | (I think I found a bug in the key migration code, so please don't merge/approve until I can finish reviewing) | 17:28 |
openstackgerrit | Trevor Bramwell proposed openstack-infra/zuul master: Fix typo in documentation chown commands https://review.openstack.org/599040 | 17:28 |
corvus | marked wip | 17:30 |
clarkb | corvus: ok posted, it may end up being relatively minor in the current state of things but potential problems for the future. I'll let you decide if you want to fix it in base change or in a followup | 17:36 |
clarkb | I did -1 it, but feel free to approve and override if you do a followup | 17:37 |
*** sshnaidm|off has quit IRC | 17:37 | |
*** sshnaidm|off has joined #zuul | 17:38 | |
clarkb | I love the use of recursion there btw | 17:39 |
*** sshnaidm|off has quit IRC | 17:41 | |
*** sshnaidm|off has joined #zuul | 17:41 | |
openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Improve keystorage migration https://review.openstack.org/599043 | 17:48 |
corvus | clarkb: ^ done, thx! | 17:49 |
corvus | fungi: oh i didn't notice https://review.openstack.org/591870 was ready | 18:09 |
corvus | SpamapS, pabelanger: ^ maybe one of you wants to review that? | 18:10 |
corvus | oh, we can change the storyboard link on the website to the new project deep-link | 18:10 |
fungi | ahh, yep sorry i probably forgot to pester anyone about it | 18:12 |
clarkb | corvus: reading through this stack the motivation seems to be to simplify the CD use cases of Zuul (which is cool), why not leverage the secrets system for this though? Eg have a secret that contains the private ssh key? | 18:15 |
corvus | clarkb: basically to close this gap: http://lists.zuul-ci.org/pipermail/zuul-discuss/2018-June/000458.html | 18:19 |
clarkb | aha | 18:20 |
clarkb | thanks | 18:20 |
corvus | (we could also close that gap by creating a new way to add an ssh key without allowing arbitrary code execution on the executor, and maybe we should still do that. but this seems like good convenience for an expected use case) | 18:20 |
corvus | also, uh, i guess i should reply to that mail :) | 18:21 |
clarkb | corvus: https://review.openstack.org/#/c/597727/2 minor thing on that change that I may have convinced myself to leave as is (arguments for both are inline) | 18:24 |
clarkb | probably worth a read | 18:24 |
clarkb | other than that stack lgtm now | 18:26 |
*** goern has quit IRC | 18:42 | |
*** goern has joined #zuul | 18:42 | |
corvus | clarkb: i am in 50% agreement with your ambivalence. :) | 18:57 |
*** openstackstatus has quit IRC | 18:58 | |
*** samccann has quit IRC | 19:07 | |
*** openstackstatus has joined #zuul | 19:39 | |
*** ChanServ sets mode: +v openstackstatus | 19:39 | |
* SpamapS begins process of booking/registering for PTG | 19:48 | |
SpamapS | hopefully we can talk zuul in some corners. ;) | 19:48 |
clarkb | SpamapS: the way infra team schedule is on paper is monday and tuesday is the "help room" wednesday and thursday are the infra hacking time and friday is "free" | 19:49 |
clarkb | SpamapS: I expect there will be plenty of ability to zuul monday, tuesday, and friday if people are present and interested | 19:49 |
SpamapS | I am going to be doing kolla stuff Wed/Thur so that would fit well | 19:50 |
SpamapS | Though I'd like to skip a day.. so maybe I'll skip Friday. | 19:52 |
*** hasharAway is now known as hashar | 19:53 | |
*** openstackstatus has quit IRC | 19:55 | |
corvus | SpamapS: infra is going to be focused on ansible-ifying our control plane, ideally with the help of zuul as a CD-driver, so there may be some nice cross-pollination chats wed/thurs | 19:55 |
SpamapS | Definitely | 19:55 |
SpamapS | I've been thinking a lot about how to CD with zuul and I have some ideas about keeping it simple. | 19:56 |
corvus | related: this ssh key thing i'm working on isn't going to work with add-build-sshkey as written, since add-build-sshkey revokes all the existing keys in the agent | 19:56 |
SpamapS | yeah I noticed that and wondered :) | 19:57 |
corvus | i think i need to find a way to just revoke the nodepool key | 19:57 |
SpamapS | ssh-agent is pretty flexible, should be entirely doable. | 19:57 |
corvus | SpamapS: heh, i just noticed it as i was sprucing up the docs to recommend the use of add-build-sshkey | 19:57 |
SpamapS | So is the idea that each repo/branch potentially has its own SSH key that it uses for ansible runs, so you can add that key to target hosts? | 19:58 |
corvus | SpamapS: repo yes; hadn't thought about branches | 19:59 |
SpamapS | combined with static driver.. should mean you can have a post job that zuul runs? | 19:59 |
*** openstackstatus has joined #zuul | 19:59 | |
*** ChanServ sets mode: +v openstackstatus | 19:59 | |
corvus | SpamapS: yes -- though should also work with add_host -- that's probably what we'll try first for infra | 19:59 |
corvus | SpamapS: we're actually trying to get to a point where zuul is running our infra *without* using the fact that we're also root on the zuul install | 19:59 |
SpamapS | So the reason I might care about branches is that one pattern I very much like is having deployment branches, so like master->stage->prod or master->stage->[prod-west,prod-east,prod-south] ... etc. | 19:59 |
SpamapS | I very much dislike using add_host most of the time.. but I guess it makes sense in a zuul context where you don't have control over what inventory gets pushed in. | 20:00 |
corvus | SpamapS: i think in principle we could expand to support branches | 20:00 |
SpamapS | cool | 20:01 |
corvus | SpamapS: yeah; another option (aside from add_host and static inventory) is to teach zuul itself about static nodes. so you basically just tell zuul what to put in the inventory. that's also an unimplemented idea from the original spec. might be worth swinging back around to that too. | 20:01 |
SpamapS | I really want to explore a pattern where master commits are automatically proposed and merged into stage, and then proposed against prod branches, and then users can just approve those prod changes as a way to say "yes deploy this" | 20:02 |
corvus | sounds cool :) | 20:02 |
SpamapS | Which also allows the "oh crap we broke prod-south because [xyz]" where you can revert a change in one area temporarily. | 20:02 |
clarkb | that should be doable as a post job and you can make it supercedent to aggregate things if many changes are merging together | 20:04 |
clarkb | and as long as you never out of band to the target branch it should always be fast forwardable | 20:05 |
SpamapS | supercedent? | 20:06 |
SpamapS | is that something new? | 20:06 |
clarkb | SpamapS: yes, basically you can tell zuul to only queue the most recent event behind the active item | 20:06 |
clarkb | SpamapS: openstack uses it in post so that we don't publish docs for every intermediate ref | 20:06 |
SpamapS | Yeah | 20:07 |
SpamapS | I am flipping a few of my post jobs to it now :) | 20:07 |
corvus | https://zuul-ci.org/docs/zuul/user/config.html#value-pipeline.manager.supercedent | 20:07 |
SpamapS | cool | 20:07 |
corvus | hrm. ssh-add requires, for some reason, access to the file to delete a key from the agent | 20:07 |
SpamapS | can we have one that is anticdent that only merges things that Chris Dent approves? | 20:07 |
corvus | that's probably why we used -D in the first case | 20:08 |
pabelanger | 409992 | 20:09 |
pabelanger | 328470 | 20:09 |
clarkb | change numbers or oauth tokens? | 20:09 |
pabelanger | 913895 | 20:10 |
corvus | we may need to talk to the ssh agent directly: https://tools.ietf.org/html/draft-miller-ssh-agent-02#section-4.3 | 20:10 |
SpamapS | corvus: yeah maybe that's why I gave up and just purged | 20:10 |
corvus | the protocol lets you remove a key via the public key blob (which you can get by listing the keys) | 20:10 |
pabelanger | sorry, kids got computer | 20:11 |
*** openstackstatus has quit IRC | 20:11 | |
corvus | pabelanger: that's okay as long as they review some changes while they're at it | 20:11 |
*** openstackstatus has joined #zuul | 20:13 | |
*** ChanServ sets mode: +v openstackstatus | 20:13 | |
openstackgerrit | Merged openstack-infra/zuul master: Fix typo in documentation chown commands https://review.openstack.org/599040 | 20:16 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Serve project SSH keys and document https://review.openstack.org/599063 | 20:20 |
*** elyezer_ has joined #zuul | 20:26 | |
*** elyezer has quit IRC | 20:29 | |
*** openstackstatus has quit IRC | 20:36 | |
corvus | neat. if you send ssh-agent an invalid message, it exits. that will slow this down a bit :) | 20:36 |
*** openstackstatus has joined #zuul | 20:39 | |
*** ChanServ sets mode: +v openstackstatus | 20:39 | |
*** harlowja has joined #zuul | 20:46 | |
*** cmurphy|vacation is now known as cmurphy | 20:58 | |
*** hashar has quit IRC | 21:02 | |
openstackgerrit | James E. Blair proposed openstack-infra/zuul-jobs master: WIP: add-build-sshkey: interact with ssh agent directly https://review.openstack.org/599073 | 21:03 |
corvus | clarkb, SpamapS: ^ that's the gist of it. that will list keys and delete the first one it finds | 21:03 |
corvus | we're going to need to be able to identify the keys. we can do that with the comment field, but ssh-add doesn't let us specify the comment (and the values it uses -- filename or "(stdin)" aren't enough for us to identify keys) | 21:04 |
corvus | so i think we'll need to have the executor add the keys using the protocol rather than ssh-add as well | 21:05 |
corvus | then we can give them nice comments like "Zuul: master key" and "Zuul: project key for ..." | 21:06 |
clarkb | corvus: ssh-add doesn't set the comment then? | 21:11 |
clarkb | it's in the file so it could, but I guess it doesn't | 21:11 |
corvus | clarkb: it sets it to the filename | 21:11 |
corvus | in the case of the master key, that's unpredictable, and all other keys (per-project, per-tenant) will be "(stdin)" | 21:12 |
clarkb | ya just confirmed locally with ssh-add -L | 21:12 |
corvus | hrm. i guess we could just have add-build-sshkey just delete the only key with a real filename. | 21:12 |
corvus | that will probably work today; until some point in the future where someone wants to delete just the tenant key in a job or something. | 21:13 |
corvus | i can't think of why you'd want that, so we can probably kick the can down the road. | 21:13 |
clarkb | could we do it based on the blob value itself? this is happening at job time so maybe we don't have that state anymore | 21:13 |
corvus | we could pass the public key through zuul. but i don't think that gives us much over just matching the comment. | 21:15 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul-jobs master: add-build-sshkey: Remove only the master key https://review.openstack.org/599073 | 21:43 |
corvus | clarkb, SpamapS: ^ i think that's ready | 21:43 |
clarkb | corvus: left a couple notes | 21:58 |
*** EvilienM is now known as EmilienM | 22:04 | |
*** rlandy has quit IRC | 22:16 | |
*** harlowja has quit IRC | 22:24 | |
*** dkehn has joined #zuul | 22:25 | |
SpamapS | corvus: pretty cool! I left a -1 but I think a simple rename should clear it up. | 22:31 |
corvus | SpamapS, clarkb: thanks; i'll do all those in the next ps | 22:48 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul-jobs master: add-build-sshkey: Remove only the master key https://review.openstack.org/599073 | 23:03 |
corvus | clarkb, SpamapS: ^ | 23:03 |
SpamapS | corvus: caught a bug | 23:07 |
corvus | doh | 23:07 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul-jobs master: add-build-sshkey: Remove only the master key https://review.openstack.org/599073 | 23:08 |