| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 837629: Add suuport for Ansible 5 https://review.opendev.org/c/zuul/zuul/+/837629 | 00:37 | |
| -@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/nodepool] 837567: Fix default python paths in aws, azure, ibmvpc drivers https://review.opendev.org/c/zuul/nodepool/+/837567 | 06:59 | |
| @mhuin:matrix.org | hey zuul-maint, I submit this for your consideration: https://review.opendev.org/c/zuul/zuul/+/837407 - This will make the admin client behave the same way that it did prior to the gearmanectomy, ie handle auth tokens silently if there is a config file to generate them | 09:20 |
|---|---|---|
| @mhuin:matrix.org | This may be less confusing for admins used to zuul prior to v5 | 09:21 |
| -@gerrit:opendev.org- yatin proposed: [zuul/zuul-jobs] 837735: ensure-sphix: upgrade setuptools in venv https://review.opendev.org/c/zuul/zuul-jobs/+/837735 | 15:08 | |
| -@gerrit:opendev.org- Zuul merged on behalf of yatin: [zuul/zuul-jobs] 837735: ensure-sphix: upgrade setuptools in venv https://review.opendev.org/c/zuul/zuul-jobs/+/837735 | 15:58 | |
| -@gerrit:opendev.org- Zuul merged on behalf of Simon Westphahl: [zuul/zuul] 837117: Update change deps on refresh after cache miss https://review.opendev.org/c/zuul/zuul/+/837117 | 16:10 | |
| -@gerrit:opendev.org- Zuul merged on behalf of Dong Zhang: [zuul/zuul] 834324: Create remote ref when it does not exist https://review.opendev.org/c/zuul/zuul/+/834324 | 16:10 | |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 837629: Add suuport for Ansible 5 https://review.opendev.org/c/zuul/zuul/+/837629 | 16:29 | |
| @jim:acmegating.com | dmsimard: i'm adding ansible 5 support to zuul, and i have a q for you (and anyone else) -- let's take it as a given that we're going to use the ansible community distro (so "pip install ansible>5.0"). but recall that zuul supports multiple ansible versions. in the zuul job definitions, where users can specify what version they want, should we ask them to say "ansible-version: 5" or should we say "ansible-version: 2.12" and just leave it as an implementation detail that we're installing the community distro? | 16:34 |
| @jim:acmegating.com | my inclination, and the way the patch is currently written, is to go with "ansible-version: 5" because that seems to me to be the thing that users are most likely to associate with "ansible". but i have a small doubt after seeing that ansible itself reports "{{ansible.version_major}}" as 2. | 16:36 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: | 17:37 | |
| - [zuul/zuul] 837629: Add suuport for Ansible 5 https://review.opendev.org/c/zuul/zuul/+/837629 | ||
| - [zuul/zuul] 837752: Remove built-in ARA support https://review.opendev.org/c/zuul/zuul/+/837752 | ||
| @jim:acmegating.com | I think the time is right to remove the built-in ara support; if that's a hardship for anyone let me know. (cc dmsimard) | 17:38 |
| @clarkb:matrix.org | corvus: fwiw I've found the ansible version to be extremely confusing due to all that and I never know what the correct version is | 17:38 |
| @clarkb:matrix.org | we might want to use a lookup table and map between both types of versions as a result | 17:39 |
| @jim:acmegating.com | Clark: i feel another way of phrasing my question is "what do most people think 'ansible version' means?" | 17:39 |
| @clarkb:matrix.org | or maybe we can find docuemtnation that explains it and link to that (I'm not aware of that existing but it must?) | 17:39 |
| @jim:acmegating.com | Clark: yeah, a lookup table (so you can specify both) is a possibility -- but then it makes grepping for "ansible-version: X" difficult if you want to look for what's being used. | 17:40 |
| @clarkb:matrix.org | it also allows the current confusion in the ansible world to continue on without abandon | 17:41 |
| @clarkb:matrix.org | but I've definitely seen ansible refered to in both ways | 17:41 |
| @clarkb:matrix.org | https://pypi.org/project/ansible/ is maybe what we should consider canonical? | 17:42 |
| @clarkb:matrix.org | what do the ansible docs say | 17:42 |
| @clarkb:matrix.org | https://docs.ansible.com/ansible/latest/index.html they say '5' in the top left too | 17:42 |
| @jim:acmegating.com | Clark: both of those weighed heavily in my thinking | 17:42 |
| @clarkb:matrix.org | thsoe two things together have me leaning towards '5' instead of '2.x' | 17:42 |
| @clarkb:matrix.org | https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-community-changelogs too | 17:44 |
| @dmsimard:matrix.org | > <@jim:acmegating.com> I think the time is right to remove the built-in ara support; if that's a hardship for anyone let me know. (cc dmsimard) | 18:09 |
| I have no strong opinion on it and don't have the bandwidth for tackling some form of upgrade of the current implementation, thank you for maintaining it all this time. | ||
| In the future I'd love to see an easy way for operators (or users?) to enable arbitrary callback plugins in Zuul which could be used to enable ara, amongst other things :) | ||
| @dmsimard:matrix.org | ara has grown an API and a lot of useful features in the meantime, feel free to reach out if you have questions :p | 18:10 |
| @dmsimard:matrix.org | > <@jim:acmegating.com> dmsimard: i'm adding ansible 5 support to zuul, and i have a q for you (and anyone else) -- let's take it as a given that we're going to use the ansible community distro (so "pip install ansible>5.0"). but recall that zuul supports multiple ansible versions. in the zuul job definitions, where users can specify what version they want, should we ask them to say "ansible-version: 5" or should we say "ansible-version: 2.12" and just leave it as an implementation detail that we're installing the community distro? | 18:12 |
| 2.12 would be `ansible-core`, 5 would be `ansible` so not exactly the same thing. ansible contains the "battery included" (kind of like ansible 2.9) whereas ansible-core has just a set of built-in plugins/modules. | ||
| @dmsimard:matrix.org | There's a use case for both -- some install the ansible package and run with that, some install just ansible-core and then cherry-pick the collections they want | 18:14 |
| @jim:acmegating.com | > <@dmsimard:matrix.org> I have no strong opinion on it and don't have the bandwidth for tackling some form of upgrade of the current implementation, thank you for maintaining it all this time. | 18:16 |
| > In the future I'd love to see an easy way for operators (or users?) to enable arbitrary callback plugins in Zuul which could be used to enable ara, amongst other things :) | ||
| Totally agree -- I event wrote basically the same thing in the commit msg. :) | ||
| @dmsimard:matrix.org | Note that there are security implications with callback plugins in that they can run arbitrary code on the controller and receive unfiltered output (i.e, the callback is the one responsible for "respecting" no_log, flashback to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7473) | 18:20 |
| @dmsimard:matrix.org | So if you do want to enable arbitrary callbacks, there's probably some gotchas | 18:21 |
| @jim:acmegating.com | good point; probably would be better as operator-configured rather than user-configured because of that | 18:24 |
| @dmsimard:matrix.org | yeah, allowing someone to send a change request/PR that adds a callback which gets loaded and can read/write anything is probably a box better left closed | 18:25 |
| @tristanc_:matrix.org | corvus: how about available libraries, for example ibm-cos-sdk, is this going to be hard-coded in the ansible-config.conf ? | 18:27 |
| @tristanc_:matrix.org | dmsimard: i think the unrestricted ansible already enabels that, read/write anything where ansible-playbook is running | 18:29 |
| @dmsimard:matrix.org | oh I forgot about that spec, my zuul is rusty but I was thinking in the current context with bubblewrap with the forked modules | 18:32 |
| @jim:acmegating.com | > <@tristanc_:matrix.org> dmsimard: i think the unrestricted ansible already enabels that, read/write anything where ansible-playbook is running | 18:32 |
| yeah, though in the case of hypethetical user-configured callback plugins, we'd want to avoid a situation where an untrusted-job could configure a callback plugin that was included in a run of a trusted pre-playbook. | ||
| @jim:acmegating.com | so i think even in the brave new world of unrestricted ansible, we have to be careful about that. there may still be a way to do it user-level though, if we scope it to the playbook context of the job... anyway... details probably aren't important now; i think we all agree something like that would be cool. :) | 18:34 |
| @jim:acmegating.com | > <@tristanc_:matrix.org> corvus: how about available libraries, for example ibm-cos-sdk, is this going to be hard-coded in the ansible-config.conf ? | 18:38 |
| yeah, i think we have included the libraries required for log uploading by default, but i forgot that for ibm and azure | ||
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 837757: Add IBM and Azure deps to the default ansible config https://review.opendev.org/c/zuul/zuul/+/837757 | 18:40 | |
| @jim:acmegating.com | tristanC: ^ i put that at the end of the stack to avoid conflicts; but we could move it to the beginning if that is preferred | 18:41 |
| @clarkb:matrix.org | corvus: if they are missing from current installations may be better to land that separately sooner? | 18:42 |
| @clarkb:matrix.org | sorry git exploded yseterday and I haven't had a chance to look at those changes yet | 18:43 |
| @jim:acmegating.com | np, i'm still finalizing the ansible 5 change (slightly slower dev/test cycle on that because of the remote tests) | 18:43 |
| @jim:acmegating.com | yeah, i can do that. will just take a few mins to rebase and patch bomb. | 18:44 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: | 18:47 | |
| - [zuul/zuul] 837757: Add IBM and Azure deps to the default ansible config https://review.opendev.org/c/zuul/zuul/+/837757 | ||
| - [zuul/zuul] 837418: Remove restricted Ansible documentation https://review.opendev.org/c/zuul/zuul/+/837418 | ||
| - [zuul/zuul] 837419: Remove ansible plugin tests https://review.opendev.org/c/zuul/zuul/+/837419 | ||
| - [zuul/zuul] 837436: Remove unused remote module tests https://review.opendev.org/c/zuul/zuul/+/837436 | ||
| - [zuul/zuul] 837420: Remove unused ansible modules https://review.opendev.org/c/zuul/zuul/+/837420 | ||
| - [zuul/zuul] 837421: Remove localhost restriction from command.py https://review.opendev.org/c/zuul/zuul/+/837421 | ||
| - [zuul/zuul] 837422: Remove workspace path check from zuul_return https://review.opendev.org/c/zuul/zuul/+/837422 | ||
| - [zuul/zuul] 837423: Remove unused functions from zuul.ansible.paths https://review.opendev.org/c/zuul/zuul/+/837423 | ||
| - [zuul/zuul] 837424: Remove actiongeneral / actiontrusted dirs https://review.opendev.org/c/zuul/zuul/+/837424 | ||
| - [zuul/zuul] 837425: Remove plugin tests https://review.opendev.org/c/zuul/zuul/+/837425 | ||
| - [zuul/zuul] 837426: Remove executor plugin checks https://review.opendev.org/c/zuul/zuul/+/837426 | ||
| - [zuul/zuul] 837427: Add docs about additional security considerations https://review.opendev.org/c/zuul/zuul/+/837427 | ||
| - [zuul/zuul] 837428: Remove unrestricted Ansible spec https://review.opendev.org/c/zuul/zuul/+/837428 | ||
| - [zuul/zuul] 837752: Remove built-in ARA support https://review.opendev.org/c/zuul/zuul/+/837752 | ||
| - [zuul/zuul] 837629: Add suuport for Ansible 5 https://review.opendev.org/c/zuul/zuul/+/837629 | ||
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 837629: Add suuport for Ansible 5 https://review.opendev.org/c/zuul/zuul/+/837629 | 18:54 | |
| @jim:acmegating.com | Clark: is this error the git thing you mentioned yesterday? | 20:38 |
| @jim:acmegating.com | https://zuul.opendev.org/t/zuul/build/641bc13973a74f22bd674446da11111e | 20:38 |
| @clarkb:matrix.org | yes looks like it | 20:38 |
| @clarkb:matrix.org | the underlying cause is that when you run pip install the resulting pbr invocation does git commands to inspect the repo to find things like what is the version and what files should we include. When git runs in a repo now it by default only succeeds if the repo files are owned by the current user | 20:39 |
| @clarkb:matrix.org | what this means is that you can run pip as a different user to match the files, you can chown the files, you can do an sdist/wheel build in the repo as the user then install as another user (helpful for global installs if needing to install as root), or you can tell git you trust the repo by doing `git config --system safe.directory=/path/to/repo` or `git config --global safe.directory=/path/to/repo` | 20:41 |
| @jim:acmegating.com | https://opendev.org/zuul/zuul/src/branch/master/playbooks/zuul-stream/pre.yaml#L15 is the line | 20:42 |
| @jim:acmegating.com | seems like doing the build would be an easy/correct fix? | 20:42 |
| @clarkb:matrix.org | maybe. fungi has been struggling to get devstack to do that reliably today (there are details that have to be worked through) | 20:43 |
| @clarkb:matrix.org | another option might be to install to a virtualenv and not set become: yes | 20:43 |
| @clarkb:matrix.org | (then optionally symlink the binary names into path or update path) | 20:43 |
| @jim:acmegating.com | venv sounds like a can of worms i would not like to open | 20:43 |
| @clarkb:matrix.org | fungi: can probably evaluate how difficult doing the package build first would be in this case though. Its a lot less generic than the devstack case | 20:43 |
| @clarkb:matrix.org | since you don't have extras to worry about and its a specific package (zuul) | 20:43 |
| @jim:acmegating.com | if the build is problematic, then the global option may be better | 20:43 |
| @clarkb:matrix.org | so ya actually I think making a wheel/sdist and installing that may be straightforward here | 20:44 |
| @jim:acmegating.com | k | 20:44 |
| @jim:acmegating.com | i'll see if i can mock that up in a container real quick to verify it (since this is the stream job, it's not easy to replicate) | 20:44 |
| @clarkb:matrix.org | as a side note git doesn't care about shared group ownership. Only user ownership matters for its check | 20:46 |
| @clarkb:matrix.org | (we tested this and ianw read the C and we reached the same conclusion on that) | 20:46 |
| @jim:acmegating.com | in our docker builds, i think we build a wheel and install it; and we have this comment: https://opendev.org/zuul/zuul/src/branch/master/Dockerfile#L37-L40 | 20:53 |
| @jim:acmegating.com | which is referring to this: https://opendev.org/zuul/zuul/src/branch/master/zuul/_setup_hook.py | 20:53 |
| @jim:acmegating.com | so iiuc, if we do an sdist or wheel build and install -- that may not run? | 20:54 |
| @clarkb:matrix.org | that is possible but you are lready running it explicitly in that playbook https://opendev.org/zuul/zuul/src/branch/master/playbooks/zuul-stream/pre.yaml#L19 | 20:54 |
| @jim:acmegating.com | having said that; i don't actually see anything about manage ansible in that setup hook | 20:54 |
| @clarkb:matrix.org | and ya I'm not sure it is automatic either way. maybe it was intended to be then we never did it or changed our minds? | 20:55 |
| @jim:acmegating.com | yeah, i think that comment may be wrong | 20:55 |
| @jim:acmegating.com | wrong in that it should really say that the javascript build isn't automatic | 20:55 |
| @jim:acmegating.com | that's probably not important for this job, so i'll proceed as discussed earlier | 20:55 |
| @clarkb:matrix.org | ++ | 20:55 |
| @clarkb:matrix.org | oh also worth noting you cannot do `git push -c safe.directory=/path/to/repo origin master` that config option is only respected if in the global or system config files | 20:56 |
| @clarkb:matrix.org | global in this case is global per user | 20:56 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 837766: Fix git error in stream jobs https://review.opendev.org/c/zuul/zuul/+/837766 | 21:05 | |
| @jim:acmegating.com | Clark: ^ how's that look? | 21:05 |
| @clarkb:matrix.org | I think fungi found that doing the install wiht *.whl will install all of the wheels that were installed to make the wheel. In openstack this causes problems due to constraints but here we should be fine. I think that may just work | 21:06 |
| @jim:acmegating.com | yeah, should be a single file | 21:07 |
| @clarkb:matrix.org | oh that may just be doing pip wheel though | 21:07 |
| @clarkb:matrix.org | not bdist_wheel | 21:07 |
| @clarkb:matrix.org | I called out one other thing (bdist_wheel is expected to go away one day in favor of using the `build` tool) | 21:07 |
| @clarkb:matrix.org | but I think that may work | 21:07 |
| @jim:acmegating.com | i just used the incantation from the assemble script, assuming it was doing approximately what we wanted | 21:07 |
| @jim:acmegating.com | Clark: it looks like the stream jobs passed on that change | 21:14 |
| @jim:acmegating.com | https://zuul.opendev.org/t/zuul/build/7b693b3a41124887aff893a73985d586/console | 21:15 |
| @jim:acmegating.com | i think that's good enough for me to rebase the stack and patchbomb again | 21:15 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: | 21:17 | |
| - [zuul/zuul] 837766: Fix git error in stream jobs https://review.opendev.org/c/zuul/zuul/+/837766 | ||
| - [zuul/zuul] 837757: Add IBM and Azure deps to the default ansible config https://review.opendev.org/c/zuul/zuul/+/837757 | ||
| - [zuul/zuul] 837418: Remove restricted Ansible documentation https://review.opendev.org/c/zuul/zuul/+/837418 | ||
| - [zuul/zuul] 837419: Remove ansible plugin tests https://review.opendev.org/c/zuul/zuul/+/837419 | ||
| - [zuul/zuul] 837436: Remove unused remote module tests https://review.opendev.org/c/zuul/zuul/+/837436 | ||
| - [zuul/zuul] 837420: Remove unused ansible modules https://review.opendev.org/c/zuul/zuul/+/837420 | ||
| - [zuul/zuul] 837421: Remove localhost restriction from command.py https://review.opendev.org/c/zuul/zuul/+/837421 | ||
| - [zuul/zuul] 837422: Remove workspace path check from zuul_return https://review.opendev.org/c/zuul/zuul/+/837422 | ||
| - [zuul/zuul] 837423: Remove unused functions from zuul.ansible.paths https://review.opendev.org/c/zuul/zuul/+/837423 | ||
| - [zuul/zuul] 837424: Remove actiongeneral / actiontrusted dirs https://review.opendev.org/c/zuul/zuul/+/837424 | ||
| - [zuul/zuul] 837425: Remove plugin tests https://review.opendev.org/c/zuul/zuul/+/837425 | ||
| - [zuul/zuul] 837426: Remove executor plugin checks https://review.opendev.org/c/zuul/zuul/+/837426 | ||
| - [zuul/zuul] 837427: Add docs about additional security considerations https://review.opendev.org/c/zuul/zuul/+/837427 | ||
| - [zuul/zuul] 837428: Remove unrestricted Ansible spec https://review.opendev.org/c/zuul/zuul/+/837428 | ||
| - [zuul/zuul] 837752: Remove built-in ARA support https://review.opendev.org/c/zuul/zuul/+/837752 | ||
| - [zuul/zuul] 837629: Add suuport for Ansible 5 https://review.opendev.org/c/zuul/zuul/+/837629 | ||
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: | 21:21 | |
| - [zuul/zuul] 837752: Remove built-in ARA support https://review.opendev.org/c/zuul/zuul/+/837752 | ||
| - [zuul/zuul] 837629: Add support for Ansible 5 https://review.opendev.org/c/zuul/zuul/+/837629 | ||
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 837770: Delete repo if unable to reset https://review.opendev.org/c/zuul/zuul/+/837770 | 21:46 | |
| @gchauvel:matrix.org | corvus: I used bisect to find that https://review.opendev.org/c/zuul/zuul/+/835100 is breaking quick-start tutorial for users. check and gate pipelines are not displayed on the web interface, I had to restart the web container to see them. | 21:54 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul-jobs] 837416: Add per-build WinRM cert generation https://review.opendev.org/c/zuul/zuul-jobs/+/837416 | 22:05 | |
| @jim:acmegating.com | guillaumec: thanks; i'm surprised we don't check that in the test | 22:06 |
| @jim:acmegating.com | i guess by that point we assume that if the pipelines are working, they probably show up in the web ui | 22:06 |
| @jim:acmegating.com | guillaumec: i see the problem and will work on a test+fix | 22:51 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 837774: Fix background layout updates in zuul-web https://review.opendev.org/c/zuul/zuul/+/837774 | 23:07 | |
| @jim:acmegating.com | guillaumec: ^ thanks again for finding that. zuul-maint: that's probably a relatively important bugfix -- i think it doesn't just affect startup but could cause zuul-web to show out-of date info during ongoing operation too. | 23:09 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 837774: Fix background layout updates in zuul-web https://review.opendev.org/c/zuul/zuul/+/837774 | 23:09 | |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: | 23:44 | |
| - [zuul/zuul] 837752: Remove built-in ARA support https://review.opendev.org/c/zuul/zuul/+/837752 | ||
| - [zuul/zuul] 837629: Add support for Ansible 5 https://review.opendev.org/c/zuul/zuul/+/837629 | ||
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 837629: Add support for Ansible 5 https://review.opendev.org/c/zuul/zuul/+/837629 | 23:52 | |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 837770: Delete repo if unable to reset https://review.opendev.org/c/zuul/zuul/+/837770 | 23:53 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!