openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Use the SQLAlchemy ORM https://review.openstack.org/620426 | 00:04 |
---|---|---|
openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Add artifact table https://review.openstack.org/620427 | 00:04 |
corvus | that's not out of left field -- that's the next step in two efforts: promotion pipelines, and better log display | 00:08 |
*** j^2 has quit IRC | 00:10 | |
openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Add artifact table https://review.openstack.org/620427 | 00:11 |
SpamapS | corvus: +++ | 00:20 |
SpamapS | If we can get a link between gate artifact and branch commit.. zomg. | 00:21 |
clarkb | corvus: left a note on the ORM change | 00:21 |
clarkb | corvus: a higher level thought there with more explicit ORM use is maybe we want to use sqlalchemy connection pooling too? Though with the cherrypy threading model I'm not sure that helps | 00:26 |
openstackgerrit | Ian Wienand proposed openstack-infra/zuul master: Rework zuul nodepool stats reporting https://review.openstack.org/620285 | 02:23 |
openstackgerrit | Ian Wienand proposed openstack-infra/zuul master: Add a statsd check for clashing keys https://review.openstack.org/620436 | 02:23 |
ianw | i wonder if that will find anything else | 02:23 |
*** bhavikdbavishi has joined #zuul | 02:51 | |
*** bhavikdbavishi has quit IRC | 03:30 | |
openstackgerrit | Ian Wienand proposed openstack-infra/zuul master: Add a statsd check for clashing keys https://review.openstack.org/620436 | 04:08 |
openstackgerrit | Ian Wienand proposed openstack-infra/zuul-jobs master: upload-logs-swift: Cleanup temporary directories https://review.openstack.org/592340 | 04:48 |
openstackgerrit | Ian Wienand proposed openstack-infra/zuul-jobs master: upload-logs-swift: Make indexer more generic https://review.openstack.org/592852 | 04:48 |
openstackgerrit | Ian Wienand proposed openstack-infra/zuul-jobs master: upload-logs-swift: Stub out dry run in the uploader https://review.openstack.org/592929 | 04:48 |
openstackgerrit | Ian Wienand proposed openstack-infra/zuul-jobs master: upload-logs-swift: Create a download script https://review.openstack.org/592341 | 04:48 |
openstackgerrit | Ian Wienand proposed openstack-infra/zuul-jobs master: upload-logs-swift: Add a unicode file https://review.openstack.org/592853 | 04:48 |
*** pcaruana has joined #zuul | 05:09 | |
*** bhavikdbavishi has joined #zuul | 05:54 | |
openstackgerrit | Tobias Henkel proposed openstack-infra/nodepool master: Fix test race in test_hold_expiration_higher_than_default https://review.openstack.org/620222 | 06:20 |
*** chkumar|away is now known as chkumar|ruck | 06:59 | |
openstackgerrit | Tobias Henkel proposed openstack-infra/nodepool master: Fix test race in test_hold_expiration_higher_than_default https://review.openstack.org/620222 | 07:24 |
openstackgerrit | Tobias Henkel proposed openstack-infra/nodepool master: Fix test race in test_hold_expiration_higher_than_default https://review.openstack.org/620222 | 07:29 |
tobiash | Shrews: with that on top of the cache stack I have now 32 successful tox runs in a row and still running ^ | 07:31 |
openstackgerrit | Quique Llorente proposed openstack-infra/zuul master: Remove uneeded if statement https://review.openstack.org/617984 | 07:38 |
tobiash | 53 now, still no failure | 07:48 |
openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Fix stuck job caused by exception during repo update https://review.openstack.org/590697 | 07:50 |
tobiash | corvus: I overlooked your question in 610029, responded now | 07:56 |
*** hashar has joined #zuul | 08:03 | |
*** quiquell has joined #zuul | 08:11 | |
quiquell | Good morning | 08:12 |
tobiash | morning | 08:12 |
*** bjackman has joined #zuul | 08:13 | |
*** gtema has joined #zuul | 08:13 | |
quiquell | tobiash: Have an issue with a pipeline | 08:13 |
quiquell | tobiash: is defined like this https://paste.fedoraproject.org/paste/gBAutn05MBrOh9Vx9Cbwpg | 08:14 |
quiquell | tobiash: so there is no reference to my git.openstack.org connection | 08:14 |
quiquell | tobiash: I still see git.openstack.org changes appearing at check | 08:14 |
quiquell | tobiash: Do I have to explicitly deactivate it? | 08:14 |
tobiash | quiquell: what is the qinqon connection, that triggers on ref-updated? | 08:15 |
*** zer0c00l has joined #zuul | 08:16 | |
tobiash | quiquell: it should only trigger if a trigger matches | 08:16 |
quiquell | tobiash: A testing repo at github, "git" driver | 08:16 |
quiquell | tobiash: I have a connection with name "git.openstack.org" that points to openstack upstream gerrit | 08:16 |
tobiash | quiquell: can you share the connections in the zuul.conf too? | 08:17 |
quiquell | tobiash: https://paste.fedoraproject.org/paste/sP5h2JjsNm1os1wf1pinyA | 08:18 |
quiquell | tobiash: they appear and disappear at check pipeline the ones not expected | 08:19 |
*** themroc has joined #zuul | 08:19 | |
quiquell | tobiash: It's like zuul is rendering them and later discarding them | 08:19 |
zer0c00l | is there an example somewhere on how to make a nodepool-request? | 08:20 |
zer0c00l | i mean python code example? | 08:20 |
tobiash | quiquell: so it enters the pipeline, zuul notices that nothing should be running and it disappears? | 08:20 |
tobiash | zer0c00l: look here: https://git.zuul-ci.org/cgit/zuul/tree/zuul/nodepool.py#n54 | 08:21 |
zer0c00l | Thank you tobiash | 08:21 |
tobiash | zer0c00l: but beware that the zk model and interface is considered internal and might change without prior notice | 08:21 |
zer0c00l | i see | 08:22 |
quiquell | tobiash: Looks like, | 08:22 |
zer0c00l | so i have max-servers as 15 and min-ready as 10 | 08:22 |
quiquell | tobiash: Like zuul wrongly renders it in the web before checking stuff | 08:22 |
tobiash | quiquell: in this case the scheduler logs would be helpful | 08:22 |
quiquell | tobiash: Something specific to find ? | 08:22 |
zer0c00l | Does that mean nodepool-launcher will automatically launch more nodes if it doesn't have 10 nodes in "ready" state? | 08:23 |
tobiash | quiquell: maybe you found a bug in event filtering | 08:23 |
quiquell | tobiash: Have it down now, will check if it appears again | 08:23 |
tobiash | quiquell: ok | 08:24 |
quiquell | tobiash: but pipeline looks correct ? | 08:24 |
tobiash | zer0c00l: yes, it regularly checks the number of nodes in ready state and creates more if there are less than min-ready | 08:24 |
zer0c00l | Thank you | 08:24 |
tobiash | quiquell: yes, the pipeline looks correct, so maybe you found a bug in event filtering | 08:25 |
openstackgerrit | Tobias Henkel proposed openstack-infra/nodepool master: Fix test race in test_hold_expiration_higher_than_default https://review.openstack.org/620222 | 08:30 |
tobiash | Shrews: ok, so that ran more than 100 times in a row without error on top of the caching stack, now rebased it to current master to aid landing the cache stack ^ | 08:31 |
*** goncalo has joined #zuul | 08:49 | |
*** jpena|off is now known as jpena | 08:57 | |
*** bhavikdbavishi has quit IRC | 10:06 | |
*** tobias-urdin has quit IRC | 10:10 | |
quiquell | tobiash: What's the format of log_config=/etc/zuul/scheduler-logging.yaml ? | 10:14 |
*** tobias-urdin has joined #zuul | 10:16 | |
*** electrofelix has joined #zuul | 10:39 | |
tobiash | quiquell: that's the standard python logging framework format | 10:40 |
tobiash | I think it supports both the ini style and the yaml style | 10:40 |
quiquell | tobiash: cool thanks | 10:50 |
*** hashar has quit IRC | 10:52 | |
openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Whitelist command processor thread in tests https://review.openstack.org/620559 | 10:57 |
tobiash | that should resolve a spurious test failure in zuul I discovered while running zuul tests in an endless loop ^ | 10:58 |
openstackgerrit | Benoît Bayszczak proposed openstack-infra/zuul master: add fetch_vault_secrets Ansible module https://review.openstack.org/620311 | 11:01 |
*** bhavikdbavishi has joined #zuul | 11:22 | |
*** dkehn has quit IRC | 11:26 | |
*** nilashishc has joined #zuul | 11:55 | |
*** jpena is now known as jpena|lunch | 12:02 | |
*** bhavikdbavishi has quit IRC | 12:03 | |
*** gtema has quit IRC | 12:05 | |
*** goncalo has quit IRC | 12:26 | |
*** goncalo has joined #zuul | 12:26 | |
*** hashar has joined #zuul | 12:49 | |
*** gtema has joined #zuul | 12:58 | |
*** rlandy has joined #zuul | 13:00 | |
*** jpena|lunch is now known as jpena | 13:02 | |
*** bjackman has quit IRC | 13:23 | |
*** dkehn has joined #zuul | 13:27 | |
frickler | hmm, weird issue on the web interface. looking at http://zuul.openstack.org/builds?job_name=docker-publish-monasca-base&job_name=legacy-monasca-common-localrepo-upload the first change is listed as "77a540", but that starts with the second char of the id, the link is correct https://git.openstack.org/cgit/openstack/monasca-common/commit/?id=d77a54053e993d0d49d1f74e15ed76376a0c5fb7 | 13:39 |
tristanC | frickler: indeed, nice catch :) the substr call is wrong | 13:44 |
openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: web: fix ref column value for newrev https://review.openstack.org/620602 | 13:49 |
openstackgerrit | Merged openstack-infra/zuul master: Use publish-zuul-python-branch-tarball job https://review.openstack.org/618634 | 14:29 |
mnaser | is there a nodepool 'docker' driver anywhere? i see openstack/k8s/static | 14:32 |
mnaser | trying to see if i can run containerized jobs in a vm with kata on it | 14:32 |
tristanC | mnaser: there is a runC under review that could be adapted to use docker instead: https://review.openstack.org/535556 | 14:38 |
pabelanger | mnaser: in the past we'd recommend the nova / docker integration for openstack, but don't think that is maintained any more | 14:41 |
mnaser | pabelanger: yeah it's not unfortunately | 14:42 |
mnaser | tristanC: i guess that could be but still not merged | 14:42 |
pabelanger | I've often thought, if nodepool could provision a node, then some how turn it static for x jobs, then you could write a playbook to leverage docker on that host | 14:43 |
*** hashar has quit IRC | 14:48 | |
*** bhavikdbavishi has joined #zuul | 15:04 | |
*** timrc has quit IRC | 15:06 | |
pabelanger | mordred: if you have a moment, http://logs.openstack.org/fe/fea3ebeae0a08e19a52227a52e40b09d61d7c801/post/publish-zuul-python-branch-tarball/2f8663b/job-output.txt.gz is the new publish job, which should work like our release job. But having trouble understanding if zuul run yarn commands | 15:06 |
pabelanger | warning: no files found matching 'zuul/web/static/static/*/*' | 15:08 |
pabelanger | that doesn't look right | 15:08 |
mordred | pabelanger: zuul should run yarn commands if the javascript tools are installed | 15:10 |
mordred | pabelanger: so the tarball job should include the install-yarn role | 15:10 |
pabelanger | mordred: it does | 15:10 |
pabelanger | however | 15:10 |
pabelanger | http://logs.openstack.org/fe/fea3ebeae0a08e19a52227a52e40b09d61d7c801/post/publish-zuul-python-branch-tarball/2f8663b/job-output.txt.gz#_2018-11-28_14_42_14_960951 | 15:10 |
pabelanger | seems to skip installing yarn for some reason | 15:11 |
pabelanger | let me look why | 15:11 |
mordred | cool. then it SHOULD be running the yarn commands and making the things ... so there might be an issue ... looking | 15:11 |
pabelanger | okay, seems we don't install yarn, if we find a yarn.lock file | 15:12 |
pabelanger | http://git.openstack.org/cgit/openstack-infra/zuul-jobs/tree/roles/install-yarn/tasks/main.yaml | 15:12 |
pabelanger | Is that right? don't we want to install yarn package if lock file is found? | 15:13 |
pabelanger | Oh | 15:13 |
pabelanger | it does that | 15:13 |
pabelanger | it is because our yarn.lock file is missing | 15:14 |
pabelanger | because we look in the wrong folder | 15:14 |
pabelanger | I think i see the issue | 15:14 |
mordred | oh - because it got moved into a subdir | 15:14 |
mordred | yeah | 15:14 |
pabelanger | k, let me update install-yarn | 15:15 |
pabelanger | and make the lock file patch configurable | 15:15 |
*** chkumar|ruck is now known as chkumar|away | 15:17 | |
mordred | pabelanger: nice catch | 15:18 |
pabelanger | mordred: started poking into ansible roles to deploy zuul dashboard again, and couldn't figure out why wheels wouldn't work | 15:20 |
mordred | :) | 15:20 |
openstackgerrit | Paul Belanger proposed openstack-infra/zuul-jobs master: Create yarn_lock_file_path variable for install-yarn https://review.openstack.org/620628 | 15:24 |
pabelanger | mordred: ^ | 15:24 |
openstackgerrit | Sorin Sbarnea proposed openstack-infra/zuul-jobs master: Use official pypi.python.org as fallback with pip https://review.openstack.org/620630 | 15:27 |
pabelanger | tobiash: thanks! | 15:29 |
mordred | pabelanger: +A - thanks! | 15:31 |
*** quiquell is now known as quiquell|off | 15:41 | |
openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: executor: harden add_host usage https://review.openstack.org/620635 | 15:42 |
tobiash | corvus, clarkb, mordred: ^ | 15:43 |
pabelanger | tobiash: thanks for helping drive this | 15:44 |
pabelanger | tristanC: you too | 15:45 |
tobiash | pabelanger: no problem | 15:45 |
*** panda|rover is now known as panda|pto | 15:45 | |
tobiash | actually that's tristanC's patch, I just pushed it up ;) | 15:45 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Use the SQLAlchemy ORM https://review.openstack.org/620426 | 15:53 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Add artifact table https://review.openstack.org/620427 | 15:53 |
*** rlandy is now known as rlandy|brb | 15:55 | |
mordred | corvus: when that add_host patch lands, perhaps we should cut a release? | 15:57 |
clarkb | is there work to add a test for it yet? | 15:59 |
clarkb | (I'd happily review it if so) | 15:59 |
corvus | mordred: yes; unfortunately the release will come with a behavior change for semaphores.... | 16:00 |
corvus | mordred, tobiash, clarkb: do you think that's okay, or should we revert the semaphore change, make the release, then add it back and make another release? | 16:00 |
clarkb | corvus: is the semaphore change the one where we don't grab node locks first by default? if it is that change I think we can release with that in. I really doubt that behavior is relied on and the new behavior should be better for most users | 16:01 |
corvus | (i feel like the semaphore change probably would not be too objectionable to have to deploy even for someone used to the other behavior) | 16:01 |
corvus | clarkb: yes | 16:01 |
clarkb | ++ to releasing with semaphore change | 16:02 |
corvus | like, i don't think it's going to break anyone, it just might be mildly annoying to someone. but most people will probably like it. | 16:02 |
mordred | corvus: yeah - I agree with it not being too objectionable | 16:04 |
corvus | https://zuul-ci.org/docs/zuul/releasenotes.html | 16:05 |
corvus | the new tenant options are the only other thing and they shouldn't be a prob | 16:05 |
mordred | ++ | 16:05 |
*** j^2 has joined #zuul | 16:12 | |
*** hashar has joined #zuul | 16:32 | |
*** rlandy|brb is now known as rlandy | 16:34 | |
SpamapS | every time we find one of these ansible restriction holes I am so happy we went with bubblewrap suspenders to go with the ansibelt. | 16:46 |
SpamapS | For the semaphore change, that's very much an "under the covers" behavior change IMO. | 16:47 |
SpamapS | The corner case that is affected is probably one relying on unstated behaviors of the semaphore. | 16:48 |
openstackgerrit | Sorin Sbarnea proposed openstack-infra/zuul-jobs master: Use official pypi.python.org as fallback with pip https://review.openstack.org/620630 | 17:00 |
*** pcaruana has quit IRC | 17:03 | |
*** bjackman has joined #zuul | 17:09 | |
*** themroc has quit IRC | 17:09 | |
*** gtema has quit IRC | 17:16 | |
*** ssbarnea|bkp2 has quit IRC | 17:20 | |
*** hashar has quit IRC | 17:27 | |
*** ssbarnea has joined #zuul | 17:29 | |
tobiash | ++ for release with semaphore change | 17:42 |
openstackgerrit | Merged openstack-infra/zuul master: Add allowed-labels tenant setting https://review.openstack.org/617740 | 17:52 |
*** sshnaidm is now known as sshnaidm|afk | 18:01 | |
*** bjackman has quit IRC | 18:05 | |
*** jpena is now known as jpena|off | 18:09 | |
* Shrews getting sick of vim assuming i want new features enabled on each upgrade | 18:13 | |
mordred | Shrews: ++ | 18:13 |
corvus | vim is getting new features? i thought.... nevermind. | 18:13 |
Shrews | no, i don't want auto indenting. no, i definitely do not want code folding | 18:13 |
clarkb | Shrews: the code folding thing is particularly annoying with rst files | 18:14 |
clarkb | zA ftw. I should figure out the vimrc incantation to just disable it | 18:15 |
Shrews | clarkb: that's *exactly* why i just disabled it | 18:15 |
clarkb | Shrews: please share the incantation if you have it :) | 18:15 |
Shrews | clarkb: set nofoldenable in .vimrc | 18:15 |
clarkb | tyty | 18:15 |
Shrews | i spent 5 minutes wondering where the hell the nodepool documentation went | 18:15 |
*** bhavikdbavishi has quit IRC | 18:20 | |
Shrews | pabelanger: the executor-zone value is a per-provider attribute, right? it doesn't have to be different for each pool within a provider | 18:21 |
mordred | clarkb, Shrews: I can think of no circumstances where I want code folding | 18:23 |
* Shrews folds mordred like a cheap suit | 18:23 | |
* mordred tries to get rid of the wrinkles | 18:23 | |
pabelanger | Shrews: I think we can do per pool, that is how I originally wrote it. | 18:24 |
pabelanger | but open to what others think | 18:24 |
Shrews | pabelanger: ok, that's fine. our docs aren't really setup for common attributes within pools across drivers. just means i have to give that a bit of thought | 18:25 |
pabelanger | k | 18:25 |
corvus | Shrews, pabelanger: it should be pool because AZ's can be pool scoped | 18:25 |
corvus | (and you might want to match zuul executor zones to cloud availability zones) | 18:27 |
pabelanger | Yah, I think that is why I did per pool, to match how AZ's were done | 18:27 |
pabelanger | +1 | 18:27 |
Shrews | pabelanger: corvus: this exercise has revealed to me that we force each driver to parse and validate common config options (e.g., max-servers is common, but parsed in openstack driver). I think I'll spend some time fixing that up after this. | 18:27 |
clarkb | also pools are network scoped right? networking likely to be common reason for zoning | 18:27 |
fungi | Shrews: clarkb: what really got me lately was after a vim upgrade in debian it started grabbing all mouse events and doing strange things with cursor manipulation when all i wanted to do was highlight things to copy them into my x11 buffer and then middle-click to paste from it. not trivial to disable either | 18:27 |
corvus | Shrews: that sounds great | 18:27 |
corvus | clarkb: ++ | 18:28 |
Shrews | fungi: that sounds horrible | 18:28 |
Shrews | maybe emacs really *is* superior | 18:28 |
fungi | the "not easy to disable" part is because it hit all my servers where i need to disable it for root because `sudo vi /somefile` no longer did sane things in an x terminal when i wanted a basic x11 pointer | 18:29 |
corvus | jlk: https://github.com/sigmavirus24/github3.py/pull/904 should be gtg now | 18:30 |
fungi | Shrews: clarkb: the "fix" turned out to be creating an /etc/vim/vimrc.local on all my servers (making sure to have it world-readable too) and then put "let g:skip_defaults_vim = 1" in there | 18:30 |
openstackgerrit | Merged openstack-infra/nodepool master: Fix test race in test_hold_expiration_higher_than_default https://review.openstack.org/620222 | 18:30 |
openstackgerrit | Merged openstack-infra/nodepool master: Cache node request zNodes https://review.openstack.org/618806 | 18:30 |
jlk | corvus: rad! | 18:30 |
fungi | Shrews: clarkb: i expect that probably solves your other new default behaviors as well | 18:31 |
fungi | essentially stops vim from reading the kitchen-sink defaults configuration | 18:31 |
Shrews | fungi: ooh, neat. thx | 18:31 |
fungi | so that your personal configuration is all that gets turned on | 18:31 |
fungi | there was a time when vim shipped with example configuration you could copy and just include the features you wanted | 18:32 |
fungi | then at some point they decided it was a good idea to turn that example configuration into default configuration which always gets loaded unless you explicitly say to not do that | 18:33 |
fungi | frustrating to no end | 18:33 |
Shrews | fungi: hrm, that didn't work for me | 18:36 |
Shrews | oh well. good enough for now | 18:36 |
*** j^2 has quit IRC | 18:37 | |
fungi | Shrews: what distro? maybe there's no (conditional) "source /etc/vim/vimrc.local" in your /etc/vim/vimrc | 18:42 |
*** electrofelix has quit IRC | 18:45 | |
*** dkehn has quit IRC | 18:51 | |
*** dkehn has joined #zuul | 18:53 | |
Shrews | fungi: fedora 29 | 18:56 |
fungi | you could probably add that line to the end of your /etc/vim/vimrc instead (or whatever fedora uses) | 18:58 |
*** dkehn has quit IRC | 18:59 | |
openstackgerrit | Merged openstack-infra/zuul-jobs master: Create yarn_lock_file_path variable for install-yarn https://review.openstack.org/620628 | 18:59 |
openstackgerrit | James E. Blair proposed openstack-infra/zuul-website master: Remove summit event notices https://review.openstack.org/620681 | 19:21 |
openstackgerrit | Merged openstack-infra/zuul master: executor: harden add_host usage https://review.openstack.org/620635 | 19:24 |
*** nilashishc has quit IRC | 19:35 | |
*** mrhillsman is now known as mrhillsman|lunch | 19:46 | |
*** greg-g has joined #zuul | 19:53 | |
corvus | the executor patch landed... how about i go restart openstack's executors as a sanity check, then tag the release? | 20:27 |
openstackgerrit | David Shrewsbury proposed openstack-infra/nodepool master: Add arbitrary node metdata config option https://review.openstack.org/620691 | 20:27 |
tobiash | Sounds good | 20:28 |
openstackgerrit | David Shrewsbury proposed openstack-infra/nodepool master: Add arbitrary node metdata config option https://review.openstack.org/620691 | 20:30 |
Shrews | pabelanger: ^^^ | 20:34 |
*** mrhillsman|lunch is now known as mrhillsman | 20:35 | |
*** openstackgerrit has quit IRC | 20:36 | |
pabelanger | Shrews: cool, I'll review shortly. Off to meet up with family for photo with santa! | 20:36 |
corvus | pabelanger: nice -- i guess you don't have as far to go to meet with santa | 20:37 |
pabelanger | indeed | 20:37 |
AJaeger_ | pabelanger: too early for Santa... | 20:45 |
mordred | corvus: https://review.openstack.org/#/c/620427 had a sad. I think it's a timeout? | 20:52 |
mordred | Shrews: I'd like to discuss paint colors ... | 20:55 |
mordred | Shrews: for openstack, node-metadata reads to me like it would result in the key value pairs being set on the Server objects themselves, rather than being k/v data to be stored in zk. (reading the docs it's clear - but just looking at the config file my assumption would be metadata to be applied to the openstack object) | 20:56 |
mordred | Shrews: I'm not sure what name would be better than node-metadata that wouldn't have the same issue though | 20:57 |
clarkb | label-metadata maybe since that is a nodepool construct | 20:57 |
mordred | yah - that's better - but then we have a list of labels, so label-metadata as a sibling to labels: also feels a little strange | 20:58 |
mordred | maybe pool-metadata? | 20:59 |
mordred | or maybe nobody should ever listen to me about naming :) | 21:01 |
clarkb | we could also avoid "metadata" as the term and use attributes | 21:02 |
clarkb | then you have node-attributes these are nodepool ideas, and node-metadata is stuff that ends up in $cloud instance | 21:02 |
*** openstackgerrit has joined #zuul | 21:06 | |
openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Fix deletion of stale build dirs on startup https://review.openstack.org/620697 | 21:06 |
corvus | node attributes sounds good to me | 21:09 |
corvus | mordred: that's curious. i want to dismiss it as a random slow node (the py36 tests passed) but it is a sql change. i wish we had more data there. | 21:10 |
corvus | maybe the sql tests are just close to the timeout limit? | 21:10 |
openstackgerrit | Merged openstack-infra/zuul master: web: fix ref column value for newrev https://review.openstack.org/620602 | 21:14 |
mordred | corvus: maybe? | 21:15 |
mordred | corvus: and yes- I really wish we had more than "StringException" | 21:15 |
openstackgerrit | Merged openstack-infra/zuul master: Use the SQLAlchemy ORM https://review.openstack.org/620426 | 21:28 |
corvus | well, obviously the new executor code is working... | 21:29 |
corvus | so i'll tag 3.4.0 now? | 21:29 |
corvus | or is this 3.3.1? | 21:29 |
corvus | i think we've gone with point releases when the new features were minor before... | 21:31 |
corvus | so maybe 3.3.1 | 21:31 |
corvus | clarkb, mordred, tobiash: ^ ? | 21:31 |
clarkb | 3.3.1 wfm | 21:32 |
corvus | mordred: do you mind writing the security announcement? | 21:40 |
corvus | clarkb, mordred, tobiash: i'm ready to tag zuul 2728e5d4adac81b3c79c6a453676565fc10fda9d as 3.3.1 does that look right? | 21:40 |
clarkb | looking | 21:40 |
clarkb | 2728e5d4adac81b3c79c6a453676565fc10fda9d is the commit before the orm changes. I like not tagging the orm changes so that lgtm | 21:42 |
clarkb | also that commit includes that harden add_host change | 21:42 |
corvus | mordred: http://lists.zuul-ci.org/pipermail/zuul-announce/2018-June/000015.html is the last security email, you can pattern off of that | 21:43 |
Shrews | mordred: i also find openstack "node", zookeeper "node" and zookeeper "Node" object quite confusing. I'm never clear on anything | 21:54 |
mordred | corvus: sure - on it | 21:54 |
corvus | Shrews: at least one of those should be a "znode" :) | 21:54 |
Shrews | mordred: i say a rewrite from scratch using C++ is in order | 21:54 |
corvus | mordred: that commit sha look good to you? if so i'll push | 21:54 |
mordred | Shrews: ++ | 21:54 |
mordred | corvus: one sec | 21:54 |
corvus | Shrews: i'm in | 21:54 |
mordred | Shrews: we can use those nice new any variables now too | 21:55 |
Shrews | aroo? | 21:55 |
mordred | corvus: yes, that sha looks great | 21:55 |
corvus | 3.3.1 pushed | 21:56 |
corvus | i'll work on the regular release announcement email | 21:56 |
mordred | Shrews: oh - sorry - auto is what I meant | 21:56 |
Shrews | oh | 21:57 |
mordred | Shrews: auto mapret = mymap.insert(std::pair('a', 100)); seems so pleasing | 21:58 |
corvus | mordred: i think one would be typing "auto" a lot. :) | 21:59 |
corvus | maybe even more than "void". | 21:59 |
Shrews | https://www.acodersjourney.com/c-11-auto/ | 22:00 |
mordred | corvus: yes! but it's better than typing std::map<std::string, std::string> a lot :) | 22:02 |
clarkb | mordred: I think you got the type wrong (values seem to be ints) | 22:02 |
clarkb | :P | 22:02 |
clarkb | good thing the compiler will figure it out auto(matically) | 22:03 |
mordred | clarkb: ++ | 22:03 |
*** j^2 has joined #zuul | 22:03 | |
mordred | corvus: I think we should un-private the storyboard story, yes? I've got it open so can do that now | 22:03 |
corvus | mordred: yep, i think we're ready for that now | 22:03 |
mordred | corvus: how does this look: https://etherpad.openstack.org/p/lvQYbFXdeI | 22:07 |
clarkb | mordred: maybe a note about how the bwrap sandbox should have belt and suspendered things? | 22:08 |
pabelanger | and back | 22:08 |
clarkb | "We do not believe this would have given jobs access to the executor host as every job is sandboxed within a bubblewrap container with minimal access to the filesystem and other resources" | 22:08 |
pabelanger | only 3.3.0 was affected too, maybe we should specifically say that too | 22:09 |
pabelanger | also too | 22:09 |
corvus | mordred: lgtm | 22:10 |
mordred | pabelanger, clarkb: ++ | 22:10 |
pabelanger | clarkb: re bwrap, things bind mounted into bwrap could have been accessed | 22:11 |
mordred | ok. sent | 22:11 |
clarkb | pabelanger: correct. ca trust chains, /bin /usr/bin/ etc | 22:11 |
clarkb | pabelanger: it's a very minimal set that should be safe to read anyway I think. And jobs wouldn't have had access to secrets without being reviewed first which hopefully would've caught any issues there | 22:12 |
pabelanger | clarkb: /var/lib/zuul/ssh was what I was thinking | 22:12 |
pabelanger | which is our ssh key for nodepool nodes | 22:12 |
clarkb | pabelanger: ah | 22:13 |
pabelanger | so, maybe worth thinking about rotating it | 22:13 |
clarkb | I thought we used an ssh agent and carefully managed access to that, but maybe that happens in the container? | 22:13 |
pabelanger | yah, that is inside the container | 22:13 |
pabelanger | we still need to add the original key there first | 22:13 |
clarkb | pabelanger: right but the key could be added from outside the container then the jobs wouldn't have access to the actual key data, just ability to use the key while running | 22:14 |
pabelanger | yah, I cannot remember why we did a trusted bindmount for it to be honest | 22:14 |
pabelanger | but is something we could leak if bwrap is accessed | 22:14 |
corvus | okay, pypi is updated, docs are published, and i've approved the announcements. thanks mordred, tristanC, tobiash, clarkb! | 22:15 |
clarkb | corvus: and thank you for getting that deployed on the openstack instance | 22:16 |
corvus | clarkb, pabelanger: what clarkb describes is exactly what zuul does; i don't know why openstack bind-mounts the key in, but we are definitely defeating our own security measures by doing that. | 22:17 |
clarkb | ya I didn't think zuul did that. Are we just configuring it poorly somewhere? | 22:17 |
corvus | clarkb: yes we configure it explicitly | 22:17 |
pabelanger | maybe it was before a time we added the ssh-agent | 22:18 |
pabelanger | and we never removed it | 22:18 |
clarkb | pabelanger: are you willing to push the change up to fix that? | 22:18 |
corvus | let's move to -infra | 22:18 |
*** dkehn has joined #zuul | 22:30 | |
SpamapS | Has anybody using GitHub figured out how to restrict write access on a particular branch to just the Zuul github app? IIRC, github doesn't let you do that for bot/app users. | 23:24 |
pabelanger | SpamapS: I too am also interested in that | 23:26 |
pabelanger | I've been wanting to try out the CODEOWNERS file, but unsure if that will help | 23:26 |
clarkb | pabelanger: isn't this the thing we discussed where using two accounts would solve it | 23:26 |
clarkb | coincidentally we are talking about whether or not we should use two accounts for github over in -infra for different reasons | 23:27 |
pabelanger | clarkb: no, that is for code review approval, you still need 2 accounts for that | 23:27 |
pabelanger | as you cannot approve your own PR | 23:27 |
pabelanger | for now, I've removed the need for approved code review, and just using labels | 23:28 |
clarkb | but if you had an admin account that could push code along with zuul then you'd never try to push from your own account? | 23:28 |
clarkb | I guess it wouldn't be just zuul. It would be just zuul + the admin account? | 23:28 |
pabelanger | I am interested in SpamapS use case, but for me I'm actually wanting to remove admins from repos, or write access. However, I believe you also need write perms to even use labels | 23:30 |
*** rlandy is now known as rlandy|bbl | 23:33 | |
SpamapS | IMO labels are the better experience for self approve on GitHub. | 23:41 |
SpamapS | pabelanger: yes, you do need write to use labels. | 23:41 |
SpamapS | Which is why what I'd really like is to just have branch protection be able to list a bot user. | 23:41 |
SpamapS | but IIRC GitHub has said that's not a thing they're doing. | 23:41 |
goern | SpamapS, can't you manage that via teams? no.. maybe... a team can't restrict on branch, just repo?! | 23:43 |
SpamapS | goern: let me look.. | 23:44 |
SpamapS | I don't think you can put an app in a team anyway | 23:44 |
goern | argh | 23:45 |
SpamapS | correct, you cannot | 23:46 |
SpamapS | So yeah, the only thing you can currently do, I think, is remove everybody's write access, and make them use things like /label foo to add labels. | 23:46 |
SpamapS | which, IIRC, is what many large scale projects like Kubernetes and Ansible do. | 23:47 |
goern | ja, workflow control via labels is the way to go | 23:47 |
pabelanger | yah, ansible is big with slash commands in comments | 23:52 |
clarkb | I remember when we added magical comment commands to zuul from gerrit | 23:52 |
clarkb | and we were all "this is a major hack" | 23:53 |
clarkb | I'm glad this is now the canonical method of doing things in github :) | 23:53 |
pabelanger | I think we could create a zuul user in github, and not use github apps, but that would mean adding git user and webhook settings manually to each project I think | 23:55 |
goern | noooooo :) | 23:56 |
*** j^2 has quit IRC | 23:58 |