Tuesday, 2019-03-12

*** rlandy has quit IRC		00:20
openstackgerrit	Merged openstack-infra/zuul master: Remove default user for fingergw https://review.openstack.org/635632	01:16
openstackgerrit	Merged openstack-infra/zuul master: Remove default zookeeper hosts https://review.openstack.org/635633	01:16
*** openstackstatus has quit IRC		02:22
*** openstack has joined #zuul		02:26
*** ChanServ sets mode: +o openstack		02:26
*** saneax has joined #zuul		03:18
openstackgerrit	Joshua Hesketh proposed openstack-infra/zuul master: Add API endpoint to get frozen jobs https://review.openstack.org/607077	03:50
openstackgerrit	Joshua Hesketh proposed openstack-infra/zuul master: Get executor job params https://review.openstack.org/607078	03:50
openstackgerrit	Joshua Hesketh proposed openstack-infra/zuul master: Separate out executor server from runner https://review.openstack.org/607079	03:50
*** saneax has quit IRC		03:51
*** mordred has quit IRC		04:14
*** Shrews has quit IRC		04:14
*** mordred has joined #zuul		04:21
*** Shrews has joined #zuul		04:21
*** mordred has quit IRC		04:37
*** Shrews has quit IRC		04:37
*** bjackman has joined #zuul		04:43
*** Shrews has joined #zuul		04:44
*** mordred has joined #zuul		04:45
openstackgerrit	Joshua Hesketh proposed openstack-infra/zuul master: Add API endpoint to get frozen jobs https://review.openstack.org/607077	05:07
openstackgerrit	Joshua Hesketh proposed openstack-infra/zuul master: Add API endpoint to get frozen jobs https://review.openstack.org/607077	05:11
bjackman	SpamapS, OK glad you agree, was mainly trying to make sure I understand correctly. I will add it to my growing list of things I would add to Zuul if I had the time!	05:54
bjackman	At the moment I cannot get the project.merge-mode to take effect at all for some reason	05:54
openstackgerrit	Joshua Hesketh proposed openstack-infra/zuul master: Get executor job params https://review.openstack.org/607078	05:55
openstackgerrit	Joshua Hesketh proposed openstack-infra/zuul master: Separate out executor server from runner https://review.openstack.org/607079	05:55
*** rf0lc0 has joined #zuul		06:00
*** tristanC has quit IRC		06:02
*** tristanC2 has joined #zuul		06:04
*** rfolco\|ruck\|off has quit IRC		06:07
*** [GNU] has quit IRC		06:07
*** pabelanger has quit IRC		06:07
*** andreaf has quit IRC		06:09
*** panda\|rover\|off has quit IRC		06:10
*** andreaf has joined #zuul		06:12
*** panda has joined #zuul		06:12
*** saneax has joined #zuul		06:49
*** hashar has joined #zuul		07:08
tristanC2	jhesketh_: thanks for the follow-up on the zuul-update mail, i was about to send one myself	07:16
tristanC2	jhesketh_: i wanted to that even if it's not necessarly the case today with the client side refactor to use a config file and such, i did was able to execute a zuul job locally with the new api provided by the patch you referenced	07:17
tristanC2	to add* that even	07:18
*** [GNU] has joined #zuul		07:18
badboy	hi all	07:30
badboy	is there a way to check the "Expand by default" box in zuul-web?	07:31
*** pcaruana has joined #zuul		07:39
*** pcaruana has quit IRC		07:43
*** pcaruana has joined #zuul		07:43
*** AJaeger has quit IRC		07:46
*** themroc has joined #zuul		07:58
*** gtema has joined #zuul		08:02
*** jpena\|off is now known as jpena		08:44
*** AJaeger has joined #zuul		09:00
*** mgoddard has joined #zuul		09:01
bjackman	My zuul instance has no running jobs, the scheduler and executor seem to be "idle", but I have items in my gate queue which have some of their jobs still marked as "queued"	09:18
bjackman	Could this be a bug in the nodepool driver?	09:18
bjackman	Can't think of anything I can do to prod the system into continuing..	09:20
openstackgerrit	Tristan Cacqueray proposed openstack-infra/zuul master: web: prevent exception if a parent job doesn't exists https://review.openstack.org/642702	09:22
*** rf0lc0 is now known as rfolco\|ruck		09:34
*** hashar has quit IRC		09:36
*** hashar has joined #zuul		09:41
openstackgerrit	Merged openstack-infra/zuul master: web: switch jobs list to a tree view https://review.openstack.org/633437	10:03
openstackgerrit	Merged openstack-infra/zuul master: web: add jobs list filter https://review.openstack.org/633652	10:06
openstackgerrit	Merged openstack-infra/zuul master: web: add flatten checkbox https://review.openstack.org/642047	10:15
*** panda is now known as panda\|rover		10:22
openstackgerrit	Merged openstack-infra/zuul-sphinx master: Add type to role variables https://review.openstack.org/641168	10:32
*** electrofelix has joined #zuul		10:49
*** dkehn has quit IRC		10:54
*** hashar has quit IRC		11:02
*** chkumar\|pto is now known as chandankumar		11:11
*** bjackman_ has joined #zuul		11:27
*** bjackman has quit IRC		11:29
*** chandankumar is now known as chkumar246		11:35
*** jpena is now known as jpena\|lunch		11:56
*** bjackman_ has quit IRC		11:58
*** rlandy has joined #zuul		12:01
*** bjackman_ has joined #zuul		12:03
*** gtema has quit IRC		12:08
*** gtema has joined #zuul		12:16
*** panda\|rover is now known as panda\|rover\|lunc		12:21
*** jpena\|lunch is now known as jpena		13:00
*** pabelanger has joined #zuul		13:04
*** gtema has quit IRC		13:05
*** panda\|rover\|lunc is now known as panda\|rover		13:12
*** irclogbot_3 has quit IRC		13:26
*** jamesmcarthur has joined #zuul		13:29
*** irclogbot_3 has joined #zuul		13:29
*** gtema has joined #zuul		13:43
*** jamesmcarthur has quit IRC		13:48
*** jamesmcarthur has joined #zuul		13:48
*** lennyb has quit IRC		13:51
fbo	Hi is some of you noticed that on chrome the zuul console page become sometime stuck and chrome proposes to close the unresponsible page ? I have confirmed that with two other colleagues on zuul.openstack.org.	13:52
Shrews	fbo: i believe someone said something similar about chrome in this channel recently	13:54
pabelanger	yup, I see that a lot on sf.io zuul	13:55
pabelanger	seems limited to chrome	13:55
fbo	yep also on sf deployements	13:56
*** openstack has joined #zuul		15:41
*** ChanServ sets mode: +o openstack		15:41
Shrews	hrm that zk jira ticket is interesting. /me will have to experiment with that	16:04
Shrews	oh, mordred even commented on the PR	16:08
mordred	Shrews: which PR?	16:08
Shrews	mordred: https://github.com/apache/zookeeper/pull/418	16:09
Shrews	i wonder what the "workaround" is...	16:10
*** themroc has quit IRC		16:11
clarkb	Shrews: mordred is that an issue if using the built in auth stuff?	16:11
clarkb	If it is limited to the plugins then we may be fine to use basic auth and/or kerberos	16:11
Shrews	no idea. that's the question corvus asked	16:12
Shrews	in his email	16:12
Shrews	we'll have to answer that	16:12
mordred	Shrews, clarkb: I don't know what the workaround is - but I think even with builtin auth the issue, iiuc, is that a client has to say "I'd like to auth" - and if it doesn't zk lets it connect happily	16:21
mordred	but maybe that's not the case	16:22
mordred	so this probably involves some investigation	16:22
Shrews	mordred: connects happily, but r/o mode, i think. i'm setting up some testing now	16:24
mordred	Shrews: so it can read the contents without authing?	16:24
mordred	and cool	16:25
clarkb	ya reading the docs authenticated users set perms on paths	16:25
Shrews	mordred: that was my reading of it, but i'm not sure either	16:25
clarkb	so a client can connect without auth then in theory can't read any data	16:25
clarkb	or write any data	16:25
clarkb	create /mynode content digest:user:tpUq/4Pn5A64fVZyQ0gOJ8ZWqkY=:cdrwa	16:26
mordred	clarkb: ah - so perhaps if we wrote initial data as an auth'd user and then set perms on those paths to say "must be auth'd" - then that would potentially work	16:26
clarkb	mordred: ya	16:26
clarkb	its definitely changes to how we write the data	16:26
clarkb	but I think it would work	16:26
mordred	clarkb: so might suck a little in terms of migration from unauth'd to auth'd	16:26
clarkb	its more like a filesystem in that way	16:26
corvus	tristanC2's nodpool patch does set acls i think?	16:55
tobiash	corvus: you're the provides/requires artifact handling expert. I got a bug report from a user that provides/requires doesn't work within the same buildset. Is it this expected or is this a bug?	16:55
corvus	tobiash: it's expected	16:55
Shrews	corvus: it sets a default acl when connecting, yes	16:56
corvus	tobiash: https://zuul-ci.org/docs/zuul/user/config.html#attr-job.provides "for other jobs for other changes"	16:56
Shrews	i'm trying to understand how zk does authentication though. if you pass "user:password", what does it authenticate that against? the docs are not very helpful so far	16:56
tobiash	corvus: ok, thanks, I guess the correct way for such a use case would be using zuul_return?	16:58
corvus	tobiash: yes, and manually using dependencies between jobs	16:58
tobiash	(instead of provides/requires)	16:58
Shrews	oh i see. those values are used to generate the acl, not for connecting	16:59
Shrews	digest uses a username:password string to generate MD5 hash which is then used as an ACL ID identity. Authentication is done by sending the username:password in clear text.	17:01
Shrews	oh dear	17:01
Shrews	that's less that good	17:01
corvus	Shrews: well, that's okay if tls is required	17:01
Shrews	corvus: we'll have to be sure to point that requirement out	17:03
corvus	tobiash: the practical issue is, imagine 2 jobs: "buildset-registry (requires)" and "image-build (provides)". you want buildset-registry to collect all the artifacts from previous buildsets, so it "requires" images. build-image "provides" them. zuul creates a dependency relationship where buildset-registry for change #2 depends on build-image for change #1.	17:03
corvus	tobiash: now imagine if we did the same within a buildset -- buildset-registry would depend on image-build, but image-build already depends on buildset-registry.	17:04
tobiash	corvus: thanks, got it, sounds like misuse by the user :)	17:05
tobiash	(I got that as a bug report)	17:05
corvus	we probably need a "..note::" in the docs saying "provides/requires are not automated ways of constructing job dependency graphs"	17:05
corvus	tobiash: it's understandable. no other system has an idea like "artifact dependency between multiple speculative unmerged states of different repositories". we just need to help people think bigger. :)	17:06
tobiash	:)	17:06
tobiash	oh, he did express the dependency and expected the variables to be there	17:07
corvus	tobiash: ah, then yes, i think this is the same thing tristanC2 mentioned	17:08
corvus	tobiash: i think we can/should add artifacts in that case	17:08
corvus	basically, at the same place we propagate variables from zuul_return from earlier jobs to later ones, we propogate artifacts as well	17:09
tobiash	ok, so the variable part can/should be fixed, but the depencency part (obviously) not?	17:10
corvus	right. it's really a separate thing from provides/requires.	17:11
tobiash	k, I'll try that when I have time :)	17:11
corvus	thx!	17:11
*** bjackman_ has quit IRC		17:23
*** panda\|rover is now known as panda\|rover\|off		17:24
Shrews	corvus: mordred: clarkb: with zk 3.4.10, confirmed that an unauthed connection can connect and do CRUD ops, but cannot read any data with ACLs set appropriately. i think we're ok (tested digest scheme only)	17:33
*** gtema has quit IRC		17:33
mordred	Shrews: cool - so assuming tls is required, that sounds workable	17:33
Shrews	yah	17:33
mordred	Shrews: can we update existing zk nodes to add ACLs?	17:34
Shrews	mordred: that might require deleting and recreating existing nodes after sending new creds to the client. totally guessing if that would actually work, but a reasonable assumption based on the existing api	17:36
Shrews	i don't see a way to update in place	17:36
Shrews	mordred: oh! there is a set_acls() api	17:36
Shrews	so... maybe?	17:36
mordred	woot! so we could potentialy write a $something to walk the tree and set acls on everything as part of moving from noauth to auth	17:37
Shrews	seems reasonable	17:37
corvus	Shrews, mordred: i think tristanC2's patch includes a script to update acls	17:48
mordred	sweet	17:48
corvus	and yes, it uses set_acls	17:49
Shrews	oh cool	17:49
corvus	https://review.openstack.org/#/c/619155/4/nodepool/cmd/update_zk_auth.py	17:49
Shrews	good job tristanC2 :)	17:50
*** sshnaidm is now known as sshnaidm\|afk		18:11
Shrews	fyi, i have to leave in a few minutes to listen to a doctor tell me not to do stupid things. not sure how long i'll be afk	18:17
*** electrofelix has quit IRC		18:19
*** jamesmcarthur has quit IRC		18:20
*** jamesmcarthur has joined #zuul		18:21
*** jamesmcarthur has quit IRC		18:27
*** electrofelix has joined #zuul		18:32
*** jamesmcarthur has joined #zuul		18:33
*** pcaruana has quit IRC		18:39
mordred	Shrews: if I tell you not to do stupid things, will you pay me what you normally pay your doctor?	18:42
*** jpena is now known as jpena\|off		18:44
*** jamesmcarthur has quit IRC		18:51
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Forward artifacts to child jobs within buildset https://review.openstack.org/642857	18:52
tobiash	corvus: ^	18:53
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Forward artifacts to child jobs within buildset https://review.openstack.org/642857	18:54
*** jamesmcarthur has joined #zuul		19:03
tobiash	corvus: responded on 631932	19:13
tobiash	and thanks for review !	19:14
dmsimard	It turns out there's an open source foundation for continuous delivery software now ? https://jenkins.io/blog/2019/03/12/cdf-launch/	19:16
dmsimard	¯\_(ツ)_/¯	19:16
dmsimard	A link with less Jenkins: https://www.linuxfoundation.org/press-release/2019/03/the-linux-foundation-announces-new-foundation-to-support-continuous-delivery-collaboration/	19:24
Shrews	mordred: you don't have the credentials	19:42
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Make ansible version configurable https://review.openstack.org/637422	19:50
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Install ansible during executor startup if needed https://review.openstack.org/640644	19:50
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Run tox remote concurrent https://review.openstack.org/640654	19:50
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Support ansible 2.6 https://review.openstack.org/631931	19:50
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Support ansible 2.7 https://review.openstack.org/631932	19:50
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Switch default ansible version to 2.7 https://review.openstack.org/637424	19:50
tobiash	corvus: I think I hopefully addressed all your points in that stack ^	19:52
*** daniel3 is now known as daniel2		19:55
*** electrofelix has quit IRC		20:05
*** electrofelix has joined #zuul		20:11
*** jamesmcarthur has quit IRC		20:14
*** jamesmcarthur has joined #zuul		20:15
*** electrofelix has quit IRC		20:15
*** jamesmcarthur has quit IRC		20:19
corvus	tobiash: minor error in 637422 causing docs job failure... also, tox-remote is failing consistently though i don't see why yet	20:26
tobiash	corvus: tox-remote needs rebase because of the security fix :)	20:26
corvus	tobiash: ah, yeah, i was just starting to suspect that :)	20:26
tobiash	corvus: do you mind if I rebase and fix that in one go or do you prefer to separate that in this case?	20:28
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Manage ansible installations within zuul https://review.openstack.org/631930	20:30
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Validate ansible installations on startup https://review.openstack.org/637418	20:30
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Make ansible version configurable https://review.openstack.org/637422	20:30
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Install ansible during executor startup if needed https://review.openstack.org/640644	20:30
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Run tox remote concurrent https://review.openstack.org/640654	20:30
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Support ansible 2.6 https://review.openstack.org/631931	20:30
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Support ansible 2.7 https://review.openstack.org/631932	20:30
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Switch default ansible version to 2.7 https://review.openstack.org/637424	20:30
tobiash	corvus: that is a rebase to include the secfix + the doc fix	20:31
tobiash	hopefully I didn't miss anyfurther things that break all jobs...	20:31
*** chkumar246 is now known as chandankumar		20:47
pabelanger	fungi: a few weeks ago we quickly discussed the issue where zuul requires our keys folder (/var/lib/zuul/keys) to be 0o700: http://git.zuul-ci.org/cgit/zuul/tree/zuul/scheduler.py#n587 I'm picking up again to see how to allow 0o750 but believe you mentioned something else to do with setuid bit?	21:26
fungi	pabelanger: yeah, if you want to set the group ownership of the directory to a group which isn't the zuul user's default group, then you'll need the directory setgid so that other files/directories beneath it get created with the same group owner	21:27
fungi	it's a fairly common unix permissions solution when you're trying to share files with a group of users	21:28
pabelanger	okay, in this case, I think keeping it zuul:zuul works, the backup user has been added into the zuul group, so it just needs to read perms I believe	21:28
fungi	in that case it should work fine	21:29
pabelanger	okay, thanks. Let me continue my testing	21:29
ianw	corvus: could you do a zuul-sphinx release?	21:40
corvus	ianw: did that change land? yes!	21:40
corvus	ianw: i'll tag 6a0034ebcabc86ec60f8fbb96303840e6b503a2e as 0.4.0 sound good?	21:42
ianw	excellent, thanks	21:42
corvus	pushed	21:42
ianw	thanks; just got a few tweaks i want on the testinfra bits but then letsencrypt bits should be review-able	21:44
ianw	i'll let you know ;)\	21:44
*** jamesmcarthur has joined #zuul		21:50
*** jamesmcarthur has quit IRC		22:22
*** jamesmcarthur has joined #zuul		22:23
*** jamesmcarthur has quit IRC		22:25
*** jamesmcarthur has joined #zuul		22:25
*** jamesmcarthur has quit IRC		22:27
openstackgerrit	Paul Belanger proposed openstack-infra/zuul master: Allow group read permissions on project keys directory https://review.openstack.org/642913	22:30
pabelanger	corvus: fungi: mordred: clarkb: tobiash: ^ is my first attempt to allow project keys folder to have group read permissions, so other users are also able to access the keys. In this case, for the purpose of backups.	22:32
*** jamesmcarthur has joined #zuul		22:43
*** ianychoi_ is now known as ianychoi		22:47
*** jamesmcarthur has quit IRC		22:55
*** tristanC2 is now known as tristanC		23:36
*** jamesmcarthur has joined #zuul		23:53

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!