-@gerrit:opendev.org- Zuul merged on behalf of Clark Boylan: [zuul/nodepool] 863093: Unpin openstacksdk https://review.opendev.org/c/zuul/nodepool/+/863093 | 07:20 | |
-@gerrit:opendev.org- Simon Westphahl proposed: [zuul/nodepool] 866549: Correct documentation for image upload metric https://review.opendev.org/c/zuul/nodepool/+/866549 | 07:36 | |
@sameer.deshpande:matrix.org | Have a few queries on Zuul installation: | 08:36 |
---|---|---|
As per the latest documentation of Zuul, the installation steps contain running Zuul as Zuul containers. | ||
The earlier version, namely 3.8.0, also has the installation steps for running Zuul services on a physical machine/VM. Is this supported on the latest Zuul version as well? | ||
Also, which installation method is recommended for a production setup? | ||
@jim:acmegating.com | sameer.deshpande: either should work, but i recommend containers. in addition to the tutorial which uses containers, you may find this configurator helpful to get started, and it also uses containers: https://acmegating.com/acme-enterprise-zuul/#start | 14:45 |
@mubeenkhan:matrix.org | how to set password for nodepool diskimages? is there any default password? | 15:24 |
@clarkb:matrix.org | > <@mubeenkhan:matrix.org> how to set password for nodepool diskimages? is there any default password? | 15:25 |
Generally you would use cloud-init or glean to dynamically configure hosts on boot. This can include password configuration. However, zuul doesn't do password auth and instead uses ssh keys so configuring a password shouldn't be necessary. | ||
@clarkb:matrix.org | If you need to set one for console debugging purposes you can write a dib element to do it. The devuser element might also be able to set it. | 15:26 |
@mubeenkhan:matrix.org | > <@clarkb:matrix.org> If you need to set one for console debugging purposes you can write a dib element to do it. The devuser element might also be able to set it. | 15:29 |
Hi Clark, thanks a lot. Any link for openstack cloud-init to set username and pwd? | ||
@clarkb:matrix.org | > <@mubeenkhan:matrix.org> Hi Clark, thanks a lot. Any link for openstack cloud-init to set username and pwd? | 15:31 |
https://cloudinit.readthedocs.io/en/latest/topics/modules.html#set-passwords maybe? We don't use this because as I mentioned it isn't necessary with zuul and ssh auth. | ||
@clarkb:matrix.org | * https://cloudinit.readthedocs.io/en/latest/topics/modules.html#set-passwords maybe? We don't use this because as I mentioned it isn't necessary with zuul and ssh key auth. | 15:41 |
@jpew:matrix.org | Is there a way to leave a comment on a gerrit that's not a "warning" | 16:11 |
@mubeenkhan:matrix.org | Clark: Hi Clark, Where to find the SSH key for VMs created using the nodepool disk image? | 16:17 |
@clarkb:matrix.org | > <@mubeenkhan:matrix.org> Clark: Hi Clark, Where to find the SSH key for VMs created using the nodepool disk image? | 16:29 |
This is something you need to configure in your image builds. OpenDev configures the Zuul user with this element: https://opendev.org/openstack/project-config/src/branch/master/nodepool/elements/zuul-worker | ||
@clarkb:matrix.org | We also set root keys via label config https://opendev.org/openstack/project-config/src/branch/master/nodepool/nl01.opendev.org.yaml#L100 | 16:29 |
@jim:acmegating.com | jpew: only other option is a line comment | 16:30 |
@jpew:matrix.org | Any objection if I add non-warning messages? | 16:31 |
@jpew:matrix.org | or try to at least :) | 16:32 |
@jim:acmegating.com | it's just a label... | 16:35 |
@jim:acmegating.com | like, i'm not sure we need another class of message | 16:36 |
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/zone-zuul-ci.org] 866608: Temporarily lower the address TTLs for lists https://review.opendev.org/c/opendev/zone-zuul-ci.org/+/866608 | 17:11 | |
-@gerrit:opendev.org- Zuul merged on behalf of Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org: [opendev/zone-zuul-ci.org] 866608: Temporarily lower the address TTLs for lists https://review.opendev.org/c/opendev/zone-zuul-ci.org/+/866608 | 17:27 | |
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: | 17:51 | |
- [opendev/zone-zuul-ci.org] 866613: Temporarily point lists to review.o.o for deferral https://review.opendev.org/c/opendev/zone-zuul-ci.org/+/866613 | ||
- [opendev/zone-zuul-ci.org] 866614: Switch lists to resolve to the new Mailman server https://review.opendev.org/c/opendev/zone-zuul-ci.org/+/866614 | ||
- [opendev/zone-zuul-ci.org] 866615: Restore the default TTL to lists https://review.opendev.org/c/opendev/zone-zuul-ci.org/+/866615 | ||
@hanson76:matrix.org | Is anyone running Zuul, in k8s and upgraded to 1.24+? | 19:34 |
We upgraded to 1.24 today and missed an important check. | ||
It looks like Nodepool is not working with Kubernetes 1.24+. | ||
The kubernetes driver fails to create pods. | ||
The problem is that the driver expects that the service account is created with a token | ||
but Kubernetes 1.24+ does not automatically create the tokens anymore. | ||
We are getting the following error: "couldn't find token for service account". | ||
The stacktrace is: | ||
Traceback (most recent call last): | ||
File "/usr/local/lib/python3.10/site-packages/nodepool/driver/kubernetes/handler.py", line 61, in launch | ||
self._launchLabel() | ||
File "/usr/local/lib/python3.10/site-packages/nodepool/driver/kubernetes/handler.py", line 37, in _launchLabel | ||
resource = self.handler.manager.createPod( | ||
File "/usr/local/lib/python3.10/site-packages/nodepool/driver/kubernetes/provider.py", line 341, in createPod | ||
resource = self.createNamespace(node, pool, restricted_access=True) | ||
File "/usr/local/lib/python3.10/site-packages/nodepool/driver/kubernetes/provider.py", line 208, in createNamespace | ||
raise exceptions.LaunchNodepoolException( | ||
@clarkb:matrix.org | > <@hanson76:matrix.org> Is anyone running Zuul, in k8s and upgraded to 1.24+? | 19:46 |
> We upgraded to 1.24 today and missed an important check. | ||
> It looks like Nodepool is not working with Kubernetes 1.24+. | ||
> The kubernetes driver fails to create pods. | ||
> The problem is that the driver expects that the service account is created with a token | ||
> but Kubernetes 1.24+ does not automatically create the tokens anymore. | ||
> We are getting the following error: "couldn't find token for service account". | ||
> The stacktrace is: | ||
> | ||
> Traceback (most recent call last): | ||
> File "/usr/local/lib/python3.10/site-packages/nodepool/driver/kubernetes/handler.py", line 61, in launch | ||
> self._launchLabel() | ||
> File "/usr/local/lib/python3.10/site-packages/nodepool/driver/kubernetes/handler.py", line 37, in _launchLabel | ||
> resource = self.handler.manager.createPod( | ||
> File "/usr/local/lib/python3.10/site-packages/nodepool/driver/kubernetes/provider.py", line 341, in createPod | ||
> resource = self.createNamespace(node, pool, restricted_access=True) | ||
> File "/usr/local/lib/python3.10/site-packages/nodepool/driver/kubernetes/provider.py", line 208, in createNamespace | ||
> raise exceptions.LaunchNodepoolException( | ||
Nodepool is tested with minikube_version: v1.25.2 which I think implies a specific version of k8s (but I'm not sure which one). | ||
-@gerrit:opendev.org- Zuul merged on behalf of Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org: [opendev/zone-zuul-ci.org] 866613: Temporarily point lists to review.o.o for deferral https://review.opendev.org/c/opendev/zone-zuul-ci.org/+/866613 | 19:48 | |
@clarkb:matrix.org | Looks like 1.23.x k8s via that version of minikube | 19:48 |
@clarkb:matrix.org | so that at least confirms we aren't successfully running against 1.24 somehow elsewhere | 19:49 |
@clarkb:matrix.org | The reason it is pinned appears to be due to dockershim stuff | 19:49 |
@clarkb:matrix.org | oh wait no it's the driver=none setting | 19:49 |
@hanson76:matrix.org | Trying to figure out if I can get around it and found the following. | 20:00 |
"Now that the TokenRequest API has been stable since Kubernetes 1.22, it is time to do some cleaning and promote the use of this API over the old tokens. | ||
Up until now, Kubernetes automatically created a service account Secret when creating a Pod. That token Secret contained the credentials for accessing the API. | ||
Now, API credentials are obtained directly through the TokenRequest API, and are mounted into Pods using a projected volume. Also, these tokens will be automatically invalidated when their associated Pod is deleted. You can still create token secrets manually if you need it." | ||
Not sure, but feels like there is no need for the loop "Wait for the token to be created" in the driver code (provider.py:188) | ||
Is that code there to wait until the namespace is ready to be used? Maybe there is a better way. | ||
The token is never used outside of that loop. | ||
-@gerrit:opendev.org- Zuul merged on behalf of Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org: [opendev/zone-zuul-ci.org] 866614: Switch lists to resolve to the new Mailman server https://review.opendev.org/c/opendev/zone-zuul-ci.org/+/866614 | 20:34 | |
@hanson76:matrix.org | > <@hanson76:matrix.org> Trying to figure out if I can get around it and found the following. | 20:42 |
> | ||
> "Now that the TokenRequest API has been stable since Kubernetes 1.22, it is time to do some cleaning and promote the use of this API over the old tokens. | ||
> | ||
> Up until now, Kubernetes automatically created a service account Secret when creating a Pod. That token Secret contained the credentials for accessing the API. | ||
> | ||
> Now, API credentials are obtained directly through the TokenRequest API, and are mounted into Pods using a projected volume. Also, these tokens will be automatically invalidated when their associated Pod is deleted. You can still create token secrets manually if you need it." | ||
> | ||
> Not sure, but feels like there is no need for the loop "Wait for the token to be created" in the driver code (provider.py:188) | ||
> Is that code there to wait until the namespace is ready to be used? Maybe there is a better way. | ||
> The token is never used outside of that loop. | ||
Looks like the ca_crt is actually used. |