| *** annabelleB has quit IRC | 00:05 | |
| openstackgerrit | Merged openstack-infra/zuul-jobs master: use find instead of ls to list interfaces https://review.openstack.org/604677 | 00:26 |
|---|---|---|
| openstackgerrit | Merged openstack-infra/zuul-jobs master: Add Gentoo iptables handling https://review.openstack.org/604688 | 00:50 |
| *** hashar has joined #zuul | 00:56 | |
| *** rlandy has joined #zuul | 01:05 | |
| *** rlandy has quit IRC | 01:19 | |
| *** hashar has quit IRC | 01:26 | |
| pabelanger | for an untrusted job, do you think we can have it be able to read zuul.executor.inventory_file but not write it? Today log-inventory needs to be a trusted job and trying to see how to make it untrusted | 01:48 |
| clarkb | pabelanger: you might be able to make an exception for that one file but in general arbitrary reads are not safe for the executor either | 01:49 |
| clarkb | could expose sensitive data that way | 01:49 |
| pabelanger | clarkb: yah, agree. Given we don't do any filter of the inventory file today, I would assume sensitive data is okay in this case | 01:51 |
| pabelanger | I know we don't want to allow writes, to prevent an trusted job from changing the file for the next playbook run | 01:52 |
| pabelanger | s/trusted/untrusted | 01:52 |
| clarkb | its a general restriction we dont allow read or wrotes outside the workspace for the job | 01:53 |
| clarkb | and I dont think we can allow reads generally is what I mean | 01:53 |
| clarkb | for this one file it is probably ok | 01:53 |
| clarkb | (since we copy it anyway for logging) | 01:53 |
| pabelanger | Yup, will raise it again in the morning. | 01:54 |
| pabelanger | see what others say | 01:54 |
| *** pcaruana has joined #zuul | 04:14 | |
| *** pcaruana has quit IRC | 04:38 | |
| tobiash | pabelanger: I think making an exception for this file will open the door for subtile security issues. I think it would be safer to just copy the inventory file into the work root too so an untrusted job can fetch it from there (and writing to it will be harmless) | 04:45 |
| openstackgerrit | Merged openstack-infra/zuul master: Web: don't update the status cache more than once https://review.openstack.org/605243 | 04:57 |
| *** quique|rover|off is now known as quiquell|rover | 05:40 | |
| *** pcaruana has joined #zuul | 05:43 | |
| *** quiquell|rover is now known as quique|rover|brb | 06:43 | |
| *** chkumar|off is now known as chkumar|ruck | 06:44 | |
| *** quique|rover|brb is now known as quiquell|rover | 07:00 | |
| *** hashar has joined #zuul | 07:06 | |
| *** jpena|off is now known as jpena | 07:51 | |
| *** hashar has quit IRC | 08:06 | |
| *** hashar has joined #zuul | 08:06 | |
| openstackgerrit | Fabien Boucher proposed openstack-infra/zuul master: Doc: executor operations document pause, remove graceful https://review.openstack.org/602455 | 08:55 |
| openstackgerrit | Fabien Boucher proposed openstack-infra/zuul master: Doc: executor operations - explain jobs will be restarted at restart https://review.openstack.org/603136 | 08:55 |
| *** chkumar|ruck has quit IRC | 08:58 | |
| *** chandankumar has joined #zuul | 08:59 | |
| *** chandankumar is now known as chkumar|ruck | 09:00 | |
| *** electrofelix has joined #zuul | 09:26 | |
| *** ssbarnea|bkp has quit IRC | 09:28 | |
| *** hashar is now known as hasharAway | 09:51 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: CLI: add create-web-token command https://review.openstack.org/605386 | 10:06 |
| electrofelix | For the independent pipeline manager, does zuul still merge the change to the target branch before testing? Know it doesn't merge changes in the pipeline together, but unclear about whether it's the change under test that is just checked out or a merged result of the target branch (usually master) + change proposed merged together | 10:14 |
| *** pcaruana has quit IRC | 11:15 | |
| *** jpena is now known as jpena|lunch | 11:21 | |
| *** bbayszczak has joined #zuul | 11:59 | |
| *** jimi_|ansible has joined #zuul | 12:13 | |
| *** rlandy has joined #zuul | 12:18 | |
| *** quiquell|rover is now known as quique|rover|lch | 12:20 | |
| *** panda|off is now known as panda | 12:21 | |
| pabelanger | tobiash: yah, that is an option too. | 12:22 |
| *** jpena|lunch is now known as jpena | 12:28 | |
| *** quique|rover|lch is now known as quiquell|rover | 12:44 | |
| logan- | electrofelix: yes it is merged to the target branch | 12:47 |
| *** sshnaidm is now known as sshnaidm|mtg | 13:07 | |
| dmsimard | btw: Ansible to adopt molecule and ansible-lint projects, https://groups.google.com/forum/m/#!topic/ansible-project/ehrb6AEptzA | 13:13 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: CLI: add create-web-token command https://review.openstack.org/605386 | 13:18 |
| *** chkumar|ruck is now known as chandankumar | 13:26 | |
| *** samccann has joined #zuul | 13:27 | |
| electrofelix | logan-: thanks, good to have it confirmed | 13:29 |
| electrofelix | I thought this was the case but couldn't find the right doc to confirm to dispel some confusion about merging multiple changes versus individual ones | 13:30 |
| *** panda has quit IRC | 13:32 | |
| *** bbayszczak has quit IRC | 13:39 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: CLI: add create-web-token command https://review.openstack.org/605386 | 13:58 |
| *** bbayszczak has joined #zuul | 14:09 | |
| pabelanger | corvus: do you some time later today to help debug upload-logs-swift things? Last week we started testing it for ansible-network, but ran into some issue with indexes not working for tox-docs jobs | 14:16 |
| pabelanger | I am unsure if an issue with zuul-job side, or something to debug with mnaser | 14:16 |
| *** panda has joined #zuul | 14:21 | |
| *** bbayszczak has left #zuul | 14:26 | |
| *** bbayszczak has joined #zuul | 14:26 | |
| bbayszczak | Hi guys. In leboncoin we are using Hashicorp Vault to manage our secrets. Is a Vault integration something you would like to see in Zuul ? | 14:26 |
| *** bbayszczak has quit IRC | 14:29 | |
| *** bbayszczak has joined #zuul | 14:30 | |
| pabelanger | bbayszczak: I've seen the question raised before but so far just secrets with existing system. I think so far has been no, just to keep secret management simple | 14:35 |
| *** bbayszczak has quit IRC | 14:35 | |
| *** bbayszczak has joined #zuul | 14:36 | |
| mordred | yeah - I think we'd need to think pretty deeply about what integration with an external secrets system would look like ... | 14:43 |
| mordred | but I imagine that what one might want to do is store an access key for vault as a zuul secret, so that a given job could make use of vault secrets | 14:44 |
| mordred | but so that the zuul structures and constraints related to trusted/untrusted job content can still apply to the access key | 14:45 |
| mordred | it's certainly worth pondering how the two interact so that we at least have a story | 14:45 |
| *** annabelleB has joined #zuul | 14:51 | |
| dmsimard | mordred: how far away are we from landing the zuul ui refactor ? | 14:53 |
| dmsimard | there's a good amount of backlog in the openstack queues and http://logs.openstack.org/04/591604/27/check/zuul-build-dashboard/3acc9d4/npm/html/status makes my browser happier than zuul.openstack.org :D | 14:54 |
| corvus | hopefully soon, but https://review.openstack.org/591604 is currently failing tests | 14:56 |
| dmsimard | tristanC: ^ | 14:58 |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: web: rewrite interface in react https://review.openstack.org/591604 | 14:58 |
| dmsimard | corvus: thanks | 14:58 |
| corvus | timely :) | 14:59 |
| *** pcaruana has joined #zuul | 15:01 | |
| *** bbayszczak has quit IRC | 15:01 | |
| *** bbayszczak has joined #zuul | 15:02 | |
| mordred | corvus, dmsimard: speaking of - have y'all looked at the puppet-zuul patch tristanC wrote? | 15:24 |
| *** annabelleB has quit IRC | 15:24 | |
| mordred | https://review.openstack.org/#/c/604251 | 15:25 |
| bbayszczak | mordred: as you said we will try to provide Vault access to job through Zuul secrets | 15:26 |
| bbayszczak | mordred: we will come back with a feedback on it :) | 15:26 |
| bbayszczak | mordred: thanks | 15:26 |
| dmsimard | mordred: I have not | 15:26 |
| mordred | bbayszczak: cool - I'll be interested to hear how it works for you - it's probably a recipe that other people will be interested in | 15:26 |
| *** chandankumar is now known as chkumar|off | 15:26 | |
| dmsimard | mordred: personally I think that there's a bit too much logic in the vhost | 15:27 |
| *** quiquell|rover is now known as quique|rover|off | 15:27 | |
| mordred | dmsimard, corvus: also, I don't know if you've tried it out (it works on the preview versions) - but if you naviagate to that link above on a phone, you can add the dashboard as an "app" on your phone, because the progressive web stuff is all enabled. it's super cool | 15:27 |
| *** quique|rover|off is now known as quique|off | 15:28 | |
| mordred | it'll be more cooler once we've deployed it, because the 'app' will then auto-update itself in the background | 15:28 |
| dmsimard | mordred: I'm not sure what you mean, wouldn't that just be a browser bookmark ? | 15:29 |
| *** sshnaidm|mtg is now known as sshnaidm | 15:29 | |
| mordred | dmsimard: no - it does a $something that's different, and when you launch it from the saved launcher, it doesn't launch in a browser, it behaves like a phone app | 15:31 |
| bbayszczak | corvus: Hi, Monty Taylor asked for your opinion on https://review.openstack.org/#/c/602054 . If you could have a look :) . Thanks in advance | 15:32 |
| mordred | dmsimard: if you browse to that logs link above and ten click the browser menu, you'll see "Add to Home Screen" | 15:35 |
| dmsimard | completely unrelated | 15:35 |
| dmsimard | zuul now puts comments on the gerrit lines for highlighting syntax errors | 15:35 |
| dmsimard | what ? | 15:35 |
| corvus | bbayszczak: good call, thanks :) | 15:35 |
| dmsimard | that is awesome | 15:35 |
| mordred | dmsimard: yah man - how cool is that? | 15:35 |
| mordred | dmsimard: I've got a half-done patch to get the pep8 jobs to do the same thing | 15:36 |
| dmsimard | I will buy an alcoholic beverage to the fine person who contributed this feature | 15:36 |
| * mordred introduces dmsimard to his friend corvus | 15:36 | |
| dmsimard | What a coincidence, I'll be in Austin next week :p | 15:36 |
| corvus | do they even have booze in austin? ;) | 15:37 |
| dmsimard | It'll be my first time but Robyn says there's a good place nearby | 15:37 |
| mordred | dmsimard: https://review.openstack.org/#/c/589634/ | 15:37 |
| pabelanger | tacos! | 15:37 |
| clarkb | corvus: they are very proud of their vodka in austin (which is weird to me but ok) | 15:38 |
| corvus | wow logs expired on that :) | 15:38 |
| dmsimard | http://sevengrandbars.com/austin/ | 15:38 |
| mordred | corvus: do you remember what I was waiting on for that pep8 update? I feel like it was important I hold off and wait for something, but I think that something got done | 15:38 |
| corvus | clarkb: i did not know that | 15:38 |
| mordred | corvus: oh - it was the mapping of line numbers | 15:38 |
| corvus | mordred: and that's done! | 15:38 |
| dmsimard | mordred: it would be interesting to brainstorm how the new ara api can help pinpoint errors and send people in the right direction | 15:39 |
| mordred | clarkb, corvus: Tito's is one of the best vodkas | 15:39 |
| mordred | like, I now get really sad when I go to a bar that doesn't stock it and I want vodka. ketel one is the next best thing, but it's really not as good at tito's | 15:40 |
| dmsimard | mordred: parsing the output seems a bit fragile ? Is there a programmatic interface ? like can we export the results to a format we don't need to parse ? | 15:40 |
| mordred | dmsimard: not to my knowledge, no - pep8 doesn't support that | 15:41 |
| dmsimard | mordred: https://pep8.readthedocs.io/en/release-1.7.x/intro.html#example-usage-and-output | 15:41 |
| dmsimard | pep8 testsuite/E40.py --format='%(path)s|%(row)d|%(col)d| %(code)s %(text)s' | 15:41 |
| corvus | parsing is likely to be reusable for other things though, which is nice. | 15:41 |
| mordred | yah - but that's still parsing the output | 15:42 |
| dmsimard | well, if we enforce our own format, we're less likely to be broken by an update of pep8 or whatever | 15:42 |
| clarkb | you could have that write json too | 15:42 |
| clarkb | maybe | 15:42 |
| mordred | dmsimard: yes, totally agree | 15:42 |
| dmsimard | clarkb: that's what I had in mind but at first glance it doesn't look like it's a thing | 15:43 |
| clarkb | --format='{ path: "%(path)s" } | 15:43 |
| mordred | yah - but that doesn't really help- since it'll be multiple strings inline in the output text | 15:44 |
| mordred | so you'd still have to scan to find them | 15:44 |
| mordred | and to find their ending point | 15:44 |
| dmsimard | ¯\_(ツ)_/¯ | 15:44 |
| mordred | if we updated flake8 to have a '--json-output' option that would write all of the errors to a single json file at the end, that would be great | 15:44 |
| dmsimard | I'm trying to forget all about my days of parsing text with perl scripts | 15:44 |
| dmsimard | mordred: https://pypi.org/project/flake8-json/ heh | 15:45 |
| dmsimard | It's seeking maintainers apparently so YMMV | 15:45 |
| *** annabelleB has joined #zuul | 15:47 | |
| dmsimard | seems simple enough https://gitlab.com/pycqa/flake8-json/blob/master/src/flake8_json_reporter/reporters.py | 15:48 |
| dmsimard | Oh, it's sort of ugly, though... like manually writing brackets inline | 15:48 |
| mordred | yeah - I was just thinking the same thing | 15:51 |
| mordred | I'd think accumulating the things into a datastructure and json.dump ing to a file at the end would be more useful | 15:51 |
| *** panda is now known as panda|bbl | 15:52 | |
| mordred | of course, then there is the problem that as a plugin it would need to be installed, and also tox envs would have to be updated to use it | 15:52 |
| mordred | for now I think just parsing the output is a decent enough step forward | 15:52 |
| dmsimard | yeah, I guess we have to start somewhere | 15:52 |
| *** annabelleB has quit IRC | 16:06 | |
| *** annabelleB has joined #zuul | 16:17 | |
| openstackgerrit | Monty Taylor proposed openstack-infra/zuul-jobs master: WIP Extract pep8 messages for inline comments https://review.openstack.org/589634 | 16:18 |
| *** che-arne has joined #zuul | 16:27 | |
| *** bbayszczak has quit IRC | 16:29 | |
| *** panda|bbl is now known as panda | 16:35 | |
| *** jpena is now known as jpena|off | 17:09 | |
| mordred | tobiash: did you ever happen to learn if alpine was related to your crashes? | 17:27 |
| tobiash | mordred: not yet, I'm on a team workshop today and tomorrow | 17:27 |
| mordred | tobiash: kk. | 17:28 |
| SpamapS | alpine crashes? | 17:34 |
| tobiash | SpamapS: we get random segfaults of amsible on fedora based openshift nodes and alpine based executors | 17:42 |
| tobiash | Centos based compute nodes don't show this | 17:42 |
| tobiash | With maybe 1 percent of job runs | 17:44 |
| clarkb | python2.7 is running ansible on all of them? | 17:45 |
| clarkb | (zuul hard codes this currently but could be local patch to use python3 I guess) | 17:45 |
| tobiash | clarkb: I think the ansible-playbook process is actually py3, just on the target we force py2 | 17:46 |
| clarkb | ah | 17:47 |
| clarkb | I wonder if it is a python3 vs python2 issue in that case | 17:47 |
| *** electrofelix has quit IRC | 17:56 | |
| SpamapS | hmmm... you know... | 18:00 |
| SpamapS | I saw some weird segfaults of docker on my alpine based executors. | 18:00 |
| SpamapS | I do python3 on everything. | 18:00 |
| mordred | SpamapS: yah - I'd love to learn what's up - I could imagine alpine being involved because of musl vs glic | 18:11 |
| mordred | glibc | 18:11 |
| mordred | but also alpine could be a distraction and the issue could be something else | 18:11 |
| clarkb | mordred: fedora doesn't musl though. Which is why I was wondering if python3 is at fault | 18:12 |
| clarkb | we have seen segfaults in newer python | 18:12 |
| clarkb | (in the past) | 18:12 |
| mordred | clarkb: right - but musl is the c-lib inside the container | 18:14 |
| clarkb | oh gotcha it is fedora hosting alpine | 18:15 |
| mordred | so it's the c library that the python running the ansible is linked to - so it could just be python3+musl - it could just bepython3 - or it cold be a combo of those with the libc on the container host | 18:15 |
| clarkb | not fedora containers | 18:15 |
| mordred | fedora containers aren't involved | 18:15 |
| mordred | the containers are all alpine | 18:15 |
| mordred | they're running on a mix of fedora and centos hosts | 18:15 |
| tobiash | I did a kernel upgrade yesterday to 4.18.6, can look tomorrow if that helped | 18:16 |
| mordred | cool | 18:17 |
| tobiash | If not we'll switch to bionic based executors | 18:17 |
| tobiash | And hope that solves the problem | 18:17 |
| tobiash | If not... Well I'm not really keen in debugging python to track down a heisenbug | 18:18 |
| mordred | tobiash: me either :) | 18:19 |
| clarkb | if you can get a core dump and a stacktrace that mighe help narrow it down (like maybe its a specific syscall) | 18:19 |
| clarkb | of course it could be happening forever down the road and we'll never line the two up | 18:19 |
| *** pcaruana has quit IRC | 18:24 | |
| *** annabelleB has quit IRC | 18:25 | |
| tobiash | I'm not sure how to get one of processes running in containers in openshift, have to check that first | 18:26 |
| *** annabelleB has joined #zuul | 18:27 | |
| SpamapS | mordred: I'll dig out the logs for mine later today. I think it may have been something else.. because the docker build would still succeed.. it just exited with some weird stack dump. | 18:38 |
| *** annabelleB has quit IRC | 19:09 | |
| mnaser | mordred: on a zuul related note, did you get a chance to prepare/work out your zuul workshop @ openstack days nordic? | 19:13 |
| mordred | mnaser: still need to do some prep - pabelanger showed me the etherpad y'all worked from and he's going to work on things some more next week in austin - so I'm gonna try to sycn with him | 19:16 |
| *** annabelleB has joined #zuul | 19:19 | |
| mnaser | mordred: okay cool, let me know, im arriving to stockholm at 8:50 am on monday oct 8th! | 19:20 |
| mordred | mnaser: sweet - I arrive in the morning on tuesday ... | 19:24 |
| mnaser | oh boy | 19:24 |
| mnaser | good luck | 19:24 |
| mordred | mnaser: if anyone there decides to get stressed beause I'm not there yet - just let them know I'll be there and it'll be fine :) | 19:24 |
| mnaser | when i saw flights were arriving in the AM i moved a day back | 19:24 |
| mnaser | in case you're on an A350 | 19:24 |
| mnaser | i'll be prepared | 19:24 |
| mnaser | :P | 19:24 |
| mordred | hahahaha | 19:27 |
| mordred | (I wish I was on an A350) | 19:27 |
| mnaser | my long detroit to amsterdam flight is on an a350 | 19:28 |
| mnaser | but in the middle seat, couldn't get a window one in time :< | 19:28 |
| dmsimard | mnaser: hope you have internet this time | 19:28 |
| mnaser | mordred: i got one more connection in my plane just to get a delta flight to make sure i have wifi | 19:28 |
| mnaser | err sorry dmsimard ^ | 19:28 |
| mordred | mnaser: story of my life | 19:29 |
| mnaser | still dont know how at this day and age most large companies dont have wifi on flight | 19:29 |
| dmsimard | Montreal -> Detroit -> Amsterdam looks like a weird connection ? It's the wrong way! | 19:29 |
| mnaser | amsterdam to berlin too after | 19:30 |
| mnaser | yes it si the wrong way | 19:30 |
| mnaser | but if i went through a delta partner it would have been AF to paris then stockholm | 19:30 |
| mnaser | and air france is cool, i wanted to try the a380, never been in one, but no wifi = no bueno | 19:30 |
| mordred | yah | 19:30 |
| dmsimard | I hear AF isn't on strike right now :p | 19:30 |
| mordred | dmsimard: no way | 19:31 |
| * mnaser logs in to check if by any chance a window seat free'd up | 19:31 | |
| mnaser | https://imgur.com/5C7KIdk i think i should give up on that | 19:32 |
| dmsimard | Mucho legroom if graph is accurate | 19:33 |
| mnaser | oh yeah apparently to seatguru its an excellent amount of legroom | 19:33 |
| mnaser | but also twice the armrests to fight over too | 19:33 |
| mnaser | :P | 19:33 |
| dmsimard | ¯\_(ツ)_/¯ | 19:34 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: web: add tenant and project scoped, JWT-protected actions https://review.openstack.org/576907 | 19:51 |
| openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Fix node leak on job removal https://review.openstack.org/605527 | 20:34 |
| *** hasharAway has quit IRC | 20:37 | |
| *** samccann has quit IRC | 20:51 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: CLI: add create-web-token command https://review.openstack.org/605386 | 20:57 |
| *** panda is now known as panda|off | 21:13 | |
| openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Don't report non-live items in stats https://review.openstack.org/605540 | 22:00 |
| openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Speed up build list query under mysql https://review.openstack.org/605170 | 22:07 |
| openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Improve docs for inventory_file https://review.openstack.org/602665 | 22:09 |
| corvus | clarkb: can you take a look at https://review.openstack.org/602830 and let me know if you anticipate any problems from that? | 22:45 |
| clarkb | corvus: I don't anticipate any issues with that and have +2'd it | 22:59 |
| pabelanger | okay, upload-logs-swift seems to be working now for tox-docs: https://object-storage-ca-ymq-1.vexxhost.net/v1/a0b4156a37f9453eb4ec7db5422272df/logs_45/45/8d13b58b7114c0ae2150a1fc49113516f0b2487e/check/tox-docs/214cb58/html/ | 23:05 |
| pabelanger | I decided to delete all containers / objects from vexxhost and have zuul create it again. This time things are happy | 23:06 |
| mordred | pabelanger: \o/ | 23:07 |
| pabelanger | mordred: indeed, going to roll it out into production this evening | 23:08 |
| pabelanger | great work corvus! | 23:08 |
| pabelanger | and everybody else who helped | 23:08 |
| *** annabelleB has quit IRC | 23:14 | |
| *** jlvillal has joined #zuul | 23:24 | |
| pabelanger | Hmm, set-zuul-log-path-fact might need to be tweaked for swift. emit-job-header log the properly header when setting zuul_log_url | 23:41 |
| pabelanger | can look more into that tomorrow | 23:41 |
| *** openstackgerrit has quit IRC | 23:49 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!