Monday, 2020-11-30

« Sunday, 2020-11-29 Index Tuesday, 2020-12-01 »
*** ikhan has joined #zuul00:00
*** tosky has quit IRC00:39
*** wuchunyang has joined #zuul00:56
*** Goneri has quit IRC01:12
*** holser has quit IRC01:17
*** Goneri has joined #zuul01:38
*** zenkuro has quit IRC01:50
*** Goneri has quit IRC02:05
*** bhavikdbavishi has joined #zuul02:59
*** bhavikdbavishi1 has joined #zuul03:04
*** bhavikdbavishi has quit IRC03:06
*** bhavikdbavishi1 is now known as bhavikdbavishi03:06
*** wuchunyang has quit IRC04:00
*** bhavikdbavishi has quit IRC04:20
*** bhavikdbavishi has joined #zuul04:21
*** ikhan has quit IRC04:27
*** ianychoi__ has joined #zuul04:57
*** ianychoi_ has quit IRC04:59
*** saneax has joined #zuul05:03
*** evrardjp has quit IRC05:33
*** evrardjp has joined #zuul05:33
*** jfoufas1 has joined #zuul06:03
*** bhavikdbavishi1 has joined #zuul06:09
*** bhavikdbavishi has quit IRC06:10
*** bhavikdbavishi1 is now known as bhavikdbavishi06:10
*** lyr has joined #zuul06:58
*** bhavikdbavishi has quit IRC07:11
*** mach1na has joined #zuul07:13
*** sanjayu_ has joined #zuul07:22
*** saneax has quit IRC07:24
*** mach1na has quit IRC07:41
*** hashar has joined #zuul07:48
*** mach1na has joined #zuul07:54
*** zenkuro has joined #zuul07:58
*** jcapitao has joined #zuul07:59
*** bhavikdbavishi has joined #zuul08:17
*** bhavikdbavishi1 has joined #zuul08:20
*** bhavikdbavishi has quit IRC08:21
*** bhavikdbavishi1 is now known as bhavikdbavishi08:21
*** zenkuro has quit IRC08:35
*** tosky has joined #zuul08:37
*** jpena|off is now known as jpena08:58
*** wuchunyang has joined #zuul09:01
*** holser has joined #zuul09:08
*** zenkuro has joined #zuul09:25
*** rpittau|afk is now known as rpittau09:27
*** arxcruz|rover is now known as arxcruz|202109:28
*** wuchunyang has quit IRC09:36
*** bhavikdbavishi has quit IRC09:55
*** zenkuro has quit IRC10:17
*** zenkuro has joined #zuul10:19
*** bhavikdbavishi has joined #zuul10:28
*** bhavikdbavishi1 has joined #zuul10:30
*** bhavikdbavishi has quit IRC10:32
*** bhavikdbavishi1 is now known as bhavikdbavishi10:32
*** lyr has quit IRC10:33
*** lyr has joined #zuul10:34
*** holser has quit IRC10:35
*** holser has joined #zuul10:37
*** rfolco has joined #zuul11:56
*** mach1na has quit IRC12:05
*** jcapitao is now known as jcapitao_lunch12:06
*** tosky has quit IRC12:24
*** tosky has joined #zuul12:25
*** jpena is now known as jpena|lunch12:29
*** hashar has quit IRC12:30
*** sshnaidm|off is now known as sshnaidm12:38
*** jcapitao_lunch is now known as jcapitao12:42
*** rlandy has joined #zuul12:44
*** hashar has joined #zuul12:46
*** bhavikdbavishi has quit IRC12:54
*** mach1na has joined #zuul12:55
*** zenkuro has quit IRC13:26
*** zenkuro has joined #zuul13:26
*** jpena|lunch is now known as jpena13:28
*** ikhan has joined #zuul13:30
*** zenkuro has quit IRC13:33
*** zenkuro has joined #zuul13:34
openstackgerritTobias Henkel proposed zuul/zuul master: Make reporting asynchronous  https://review.opendev.org/c/zuul/zuul/+/69125313:35
*** mach1na has quit IRC13:58
avassI think zuul could benefit from a caching system like githubs action/cache (https://github.com/actions/cache) to store built dependencies14:28
avasssomething like a zuul_cache module that maybe could somehow have configurable backends14:29
*** hashar has quit IRC14:51
*** ajitha has joined #zuul14:53
*** bhavikdbavishi has joined #zuul14:54
*** bhavikdbavishi1 has joined #zuul14:56
*** bhavikdbavishi has quit IRC14:58
*** bhavikdbavishi1 is now known as bhavikdbavishi14:58
tobiashavass: are you still working on https://review.opendev.org/c/zuul/nodepool/+/735217 (aws image support) or would you be ok if a collegue of mine would continue on that?14:59
avasstobiash: that would be really nice to be honest15:03
avassI probably won't have time to work on it for a while15:03
*** jonass has joined #zuul15:03
tobiashjonass: ^15:03
jonassgreat, then i will have a look at it :)15:04
avassjonass: thanks! :)15:04
*** Goneri has joined #zuul15:17
ajithaHi all,  We are maintaining a third party CI for cinder. Recently our CI server migrated to a new environment where all ports are restricted and we can access internet only through proxy. Only port is 22 enough for the communication between review.openstack.org and the zuul server?15:24
tobiashajitha: theoretically port 22 is enough as long as you don't need to report file comments15:25
fungiajitha: this is probably more of a question for #opendev or #openstack-infra but the gerrit event stream is served on 29418/tcp not 22/tcp15:26
tobiashajitha: but I don't know the opendev rules about port 2215:26
tobiashof course 29418 ;)15:26
tobiashsorry15:26
ajithaok thank you15:26
ajitha@fungi and tobiash : Thank you15:27
*** mach1na has joined #zuul15:27
*** wuchunyang has joined #zuul15:51
*** wuchunyang has quit IRC15:56
zbravass: i would personally be very happy to see caching support in gerrit, similar to gh-actions.16:07
avasszbr: yeah I realized it would be nice to have after needing to build nim from source. Now I have the luxury of being able to cache that in the image nodepool uses but that's not always a viable solution :)16:14
zbravass: i was having pre-commit cache in mind.16:15
corvusi think you're talking about two different caches?16:15
corvusavass: is talking about caching artifacts in zuul and zbr is talking about gerrit?16:15
corvusavass: i agree some general-purpose roles could be useful there16:16
avasscorvus, zbr: i thought he ment zuul instead of gerrit16:16
zbrnope: that has nothing to do with gerrit16:16
avasscorvus: I'll write up a quick spec for it later, I have some ideas for it16:16
zbrahh, damn, now i see..16:16
avasscorvus: I was thinking a module if it's possible for it to handle credentials without exposing them to the job16:17
zbrif i remember well avass is not the first to mention caching but i remember that zuul architecture makes caching quite problematic16:17
corvuszbr: i don't understand what caching use case you have in mind.  i'm strugglying to reconcile your mentions of "pre-16:17
corvuszbr: i don't understand what caching use case you have in mind.  i'm strugglying to reconcile your mentions of "pre-commit" caching and "gerrit"16:18
corvuszbr: maybe you could elaborate16:18
zbrpre-commit tool installs linters inside ~/.cache/pre-commit folder, and they do not change very often. if this folder is caches between builds it would make execution much faster.16:19
corvuszbr: i don't think that zuul's architecture makes caching difficult, on the contrary, i think it makes it quite easy.  an ansible role in a trusted playbook can pull or push whatever needs caching.  the intermediate registry is an example of this (it's a complicated example, but only because the use-case is complicated)16:19
corvusavass: ^16:19
zbrthe tool knows when to invalidate the cache and even to cleanup old copies, but we need to be able to declare the folder as cached.16:20
corvus(most of the complexity in intermediate registry is due to containers; the actual idea of pulling/pushing in a trusted playbook on the executor to avoid secret exposure is straightforward)16:20
zbranother example is the wheel cache16:20
corvuszbr: 1) those should be quite easy to do in zuul; 2) in *opendev* we have a complicated history with caching and would not necessarily think that heavy caching is desirable.  so you may find that is why we aren't already doing them.16:21
corvusso on this subject, make sure you keep the zuul-in-general vs zuul-for-opendev threads distinct :)16:22
-openstackstatus- NOTICE: The Gerrit service on review.opendev.org is being restarted quickly to troubleshoot high load and poor query caching performance, downtime should be less than 5 minutes16:22
fungizbr: it's not zuul's architecture which makes caching problematic, it's the security concerns around trusting otherwise untrusted inputs to determine what to cache when and when to invalidate that cache16:23
corvuswhich is why it may make a lot of sense for avass's use case but not opendev's16:23
fungifor example, you can implement a global ccache in zuul, no problem. if untrusted users pollute your ccache with proposed changes which are malicious, they may be able to subvert or block your other builds16:24
zbrmy guess is that a "save-cache" should happen on a merge but clearly the cache must be unique per (job-name, repo)16:25
fungithat also assumes the cache maintained by updates on merges from one of your projects isn't used by other projects unless they trust the maintainers of that project16:25
avassI think I'd expect the cache to act for each repo independently at least16:28
*** jfoufas1 has quit IRC16:29
*** mach1na has quit IRC16:29
fungioh, yep zbr did also say unique by repo (and job name)16:32
fungithat seems reasonably safe. though rather than specifically only on merge, for consistency we'd probably make it so you could set it to only update for post-review pipeline results16:32
zbryep, any other approach would introduce security issues.16:32
avassfungi: what if you could validate it in a trusted context and update it?16:33
fungipost-review is our convention for builds triggered after the change has a positive maintainer review, even if not yet approved/merged16:33
zbrbut we could have variations, like allowing user to define cache keys, but even so the repository should always be implicit part of the key.16:33
avass(somehow)16:33
avassoh wait, update. yeah that makes sense16:34
fungionly let trusted tasks on the executor copy things into the cache rather than relying on job nodes to update the cache directly, we already solve that for all sorts of other build artifacts16:35
avassmy idea is something like this: https://etherpad.opendev.org/p/zuul_cache16:36
corvusavass: i think we should look at implementing this first in ansible; i don't think there's a need to do this in zuul itself16:36
avasscorvus: I think that would be harder to do since you'd need to delegate credentials to the job16:37
fungicache contents seem to fit the generic artifact profile anyway16:37
avassor I guess mark something to cache and then cache it in post16:37
corvusavass: right, there are options16:38
corvusavass: job variables could control the behavior16:39
avassI guess it would work similar to upload-artifactory role then, only with variables to choose which backend to use16:40
pabelangerquestion for zuul-registry, how do I know if the prune command is working? For the last few days, I've been manually running prune, but it doesn't look like anything on filesystem is getting removed. eg: cache is same size and grows each new image upload16:46
corvuspabelanger: i suspect it isn't working; i don't think it's well tested or that we're using it in opendev16:48
pabelangerkk16:49
pabelangerthat is what I suspected16:49
avasscorvus: updated the pad a bit :)16:59
fungiin opendev we use the swift backend and set expiration on the objects as they're stored, i think?17:00
avassbut the backend > executor > node could maybe be simplified17:00
*** hashar has joined #zuul17:00
openstackgerritMerged zuul/zuul-jobs master: Fix typo with container_images siblings logic  https://review.opendev.org/c/zuul/zuul-jobs/+/76423017:01
avassif was possible to do that with an action plugin instead to give the module a temporary credential it can use to fetch the artifact and then invalidate the credential it would be more effective17:02
avassI think that's why my initial idea was a module17:03
*** jcapitao has quit IRC17:16
*** hamalq has joined #zuul17:23
*** rpittau is now known as rpittau|afk17:42
*** hashar is now known as hasharAway17:44
*** jpena is now known as jpena|off17:57
openstackgerritAlbin Vass proposed zuul/zuul-jobs master: WIP: Zuul Cache role  https://review.opendev.org/c/zuul/zuul-jobs/+/76480818:01
openstackgerritAlbin Vass proposed zuul/zuul-jobs master: WIP: Zuul Cache role  https://review.opendev.org/c/zuul/zuul-jobs/+/76480818:03
openstackgerritAlbin Vass proposed zuul/zuul-jobs master: WIP: Zuul Cache role  https://review.opendev.org/c/zuul/zuul-jobs/+/76480818:28
pabelangerQ: have we considered enabling anonymous access on zuul-registry in opendev? So we can pull images from one zuul system to another?18:31
pabelangereg: zuul.a.c being able to pull from zuul.o.o registry18:32
corvuspabelanger: do you mean "insecure-ci-registry.opendev.org"?18:32
pabelangeryes. I've been doing some POC using opendev python-builder, and have forked it into zuul.a.c for now18:32
corvuspabelanger: the intermediate registry does allow anonymous access.  but i'm not sure what that gets you?18:33
corvuspabelanger: you can fetch images used in check builds...18:33
pabelangeroh, cool. I thought it was disabled18:33
corvusthat's the intent -- so you can download a build that failed and test it out18:33
corvuspabelanger: what do you want to do with it?18:34
pabelangercorvus: basically, update opendev:python-builder, then use that in ansible job.18:34
corvuspabelanger: oh, so you want cross-zuul dependencies with artifacts?18:35
pabelangeryah18:35
corvuspabelanger: that won't work currently (the artifact system only works within a single tenant and relies on db access)18:35
corvuspabelanger: but you can kinda-sorta-hacky do it by changing your image to "BASE insecure-ci-registry.opendev.org/...."18:36
corvusobvs you'd have to continually change that as you make new patchsets to a python-builder change18:36
pabelangerAh, okay. Maybe that is step 1a, see if that works18:36
corvusjust never merge a change that depends on insecure-ci-registry.opendev.org.  :)18:36
corvusthere's a reason we named it that18:36
pabelangerindeed18:36
avassDid we want to have separate caches per job?18:38
avassjob+repo canonical name or just canonical name?18:39
corvusavass: seems like repo would be sufficient?18:43
openstackgerritAlbin Vass proposed zuul/zuul-jobs master: WIP: Zuul Cache role  https://review.opendev.org/c/zuul/zuul-jobs/+/76480818:44
avassI think so too18:44
avassI'm gonna see if I can add some tests to that with minio but I think that's pretty solid ^ :)18:45
fungiper repo addresses the security concerns. beyond that, projects can choose to cache per-job data or not i expect, depending on how flexible the implementation is18:45
avassyeah the artifact name is configurable so it could be named something like "{{ zuul.job }}-dep-1.x"18:46
fungiyep, looking at 764808 it's just a matter of making sure your artifacts are named uniquely between your jobs, so not hard18:47
fungibut this also allows a project to share a cache of certain artifacts between jobs too, which could be extremely handy18:47
avasshuh I think also makes it a bit easier for jobs if they need to have separate jobs for building and testing18:48
avassyou could give it a name like "{{ zuul.build }}-my-package" and then use zuul-cache to pull that in the next job to test it18:49
avassfungi: oh maybe that's what you meant :)18:57
fungiyep, exactly that18:58
fungior not even so templatey, just remember to choose distinct artifact names in different jobs if you need them to be separate18:58
avassoh but then you might get another changes artifact if you've got a lot of jobs running18:59
fungicould be sufficient to say that builds of different jobs for the same project will reuse commonly-named artifacts among themselves, and that users should set different artifact names in their jobs if they want that19:00
*** bhavikdbavishi has quit IRC19:05
openstackgerritMerged zuul/zuul master: gerrit: restore change filter when querying  https://review.opendev.org/c/zuul/zuul/+/76406919:15
*** tosky has quit IRC19:45
*** wuchunyang has joined #zuul19:53
*** wuchunyang has quit IRC19:57
openstackgerritMerged zuul/zuul master: Clarify terms around pause-job documentation  https://review.opendev.org/c/zuul/zuul/+/76449920:43
*** tosky has joined #zuul20:48
*** ikhan has quit IRC20:49
*** rfolco has quit IRC20:59
*** ajitha has quit IRC22:08
-openstackstatus- NOTICE: The Gerrit service on review.opendev.org is being restarted quickly to make further query caching and Git garbage collection adjustments, downtime should be less than 5 minutes22:38
*** hasharAway has quit IRC22:58
*** wuchunyang has joined #zuul23:55
*** holser has quit IRC23:57
« Sunday, 2020-11-29 Index Tuesday, 2020-12-01 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!