-@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 880138: Ensure cycle dependencies are enqueued ahead https://review.opendev.org/c/zuul/zuul/+/880138 | 07:13 | |
@westphahl:matrix.org | Clark: thanks, I think there won't be an issue (see my reply), but I think your suggestion still makes sense | 07:16 |
@newbie23:matrix.org | hi guys, we are using Zuul+GitHub(unprotected branches excluded, as suggested by the doc): what is the best way to implement stacked pull requests? | 08:30 |
Essentially, we want the jobs when someone creates a pull request project-foo@branch-bar -> project-foo@branch@baz (so any branch). | ||
The idea would be to have exclude-unprotected-branches: true at tenant level, and then set it to false for specific projects where developers want stacked PRs. | ||
https://zuul-ci.org/docs/zuul/latest/tenants.html#tenant | ||
Any comment, suggestion, experience to share? :) | ||
@rancher:matrix.org | I'm out of ideas. GetProjectMetadata() error all over again. I don't see any other errors before it (apart from Gerrit ones, which I don't use). Here's the full log and config files, if someone can take a look, please: https://privatebin.net/?110f8c4d92adb803#BYCoH9MtChu4hrfUTDABUZzCvfwkuRwbRJYRMZw8Bqr | 08:49 |
@jjbeckman:matrix.org | Hi folks, would appreciate any advice. In the documentation, I found the following snippet of information. | 09:03 |
> Access to Zuul’s REST API and web interface can optionally be restricted. By default, anonymous read access to any tenant is permitted. Optionally, some administrative actions may also be enabled and restricted to authorized users. | ||
https://zuul-ci.org/docs/zuul/latest/authentication.html | ||
Apparently, there is an option to restrict access to the Web UI? I am unable to find any information on how this can be achieved. Could someone point me in the right direction? | ||
@mhuin:matrix.org | jjbeckman: You can enable OpenID Connect authentication on the web UI with a third-party Identity Provider. This will enable authenticated users that match your defined admin rules to perform administrative actions such as dequeues and autoholds from the web UI | 09:09 |
@mhuin:matrix.org | There is a step-by-step tutorial to do so with keycloak in the doc: https://zuul-ci.org/docs/zuul/latest/howtos/openid-with-keycloak.html | 09:09 |
@mhuin:matrix.org | OpenID Connect being an open standard, doing so with other providers should be similar | 09:09 |
@mhuin:matrix.org | you can also run a test compose with keycloak to test authentication on the web UI: https://zuul-ci.org/docs/zuul/latest/tutorials/keycloak.html | 09:10 |
-@gerrit:opendev.org- Marvin Becker proposed: [zuul/nodepool] 873716: Add gpu support for k8s/openshift pods https://review.opendev.org/c/zuul/nodepool/+/873716 | 09:10 | |
-@gerrit:opendev.org- Simon Westphahl proposed on behalf of Tobias Henkel: [zuul/nodepool] 883058: Defer node request when label is not available https://review.opendev.org/c/zuul/nodepool/+/883058 | 09:23 | |
-@gerrit:opendev.org- Marvin Becker proposed: [zuul/nodepool] 883900: Add k8s annotations to pods https://review.opendev.org/c/zuul/nodepool/+/883900 | 09:29 | |
@rancher:matrix.org | > <@jim:acmegating.com> Rancher: you might find the configurator at https://acmegating.com/acme-enterprise-zuul/#start helpful. it will help you make the configuration files with gitlab. you can use it on its own (it produces a docker-compose file like the quick-start), or just take the gitlab parts and splice them into the zuul quick-start. | 11:36 |
Is there a way to download the configs without cloud settings? It throws some errors when I use its "docker-compose.yaml" file, and I'm not sure what to remove to disable AWS/Azure/Google. | ||
Pipelines do work (they show up in the Status page), but I'd still like to use my own. There are some errors in the logs though, for instance: | ||
ERROR zuul.Pipeline.tenant.check: Exception loading ZKObject <zuul.model.PipelineState object at 0x7f19e3076e50> at /zuul/tenant/tenant/pipeline/check | ||
WARNING zuul.Pipeline.tenant.check: Initializing pipeline state for check; this is expected only for new pipelines | ||
ERROR zuul.Pipeline.tenant.check: Exception loading ZKObject <zuul.model.PipelineChangeList object at 0x7f19e114be10> at /zuul/tenant/tenant/pipeline/check/change_list | ||
WARNING zuul.Pipeline.tenant.check: Initializing pipeline change list for check; this is expected only for new pipelines | ||
-@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 883935: Add test for reporting of transient build errors https://review.opendev.org/c/zuul/zuul/+/883935 | 12:22 | |
@jim:acmegating.com | Rancher: you can ignore those errors (those are new pipelines, so that's an expected error) | 13:33 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/nodepool] 883940: Parallelize static startup more https://review.opendev.org/c/zuul/nodepool/+/883940 | 14:07 | |
-@gerrit:opendev.org- Clark Boylan proposed: [zuul/nodepool] 883864: Move nodepool functests to podman https://review.opendev.org/c/zuul/nodepool/+/883864 | 15:38 | |
@jim:acmegating.com | fungi: i don't see an easy way to install podman >= 4.3.0 in our bullseye container; do you? https://packages.debian.org/search?searchon=names&keywords=podman | 16:16 |
@jim:acmegating.com | fungi: (looking at that, i don't see it in any backport repos, so i think that means we'd need a rebuild, or we'd need to upgrade our images to bookworm) | 16:16 |
@clarkb:matrix.org | Upgrading images to bookworm should be doable but we should probably do that after the revert to docker hub for those images if we do that | 16:18 |
@clarkb:matrix.org | Those images will be first to move too so that rebuilds of other images use the proper location so shouldn't take long | 16:18 |
@jim:acmegating.com | Clark: right because opendev doesn't have bookworm images yet, and that would be step 1 of that process? | 16:19 |
@clarkb:matrix.org | yup | 16:20 |
@clarkb:matrix.org | we also build atop the library/python images so would need them to have bookworm images too | 16:20 |
@clarkb:matrix.org | https://hub.docker.com/_/python/tags?page=1&name=bookworm | 16:21 |
@jim:acmegating.com | also doesn't show up as 'testing' which is an alias | 16:21 |
@fungicide:matrix.org | > <@jim:acmegating.com> fungi: (looking at that, i don't see it in any backport repos, so i think that means we'd need a rebuild, or we'd need to upgrade our images to bookworm) | 16:31 |
a middle ground might be to use apt pinning to pull podman and its deps from bookworm into the bullseye-based image, but given how close bookworm is to releasing (a couple weeks out) it probably makes more sense to switch the whole image to bookworm now | ||
@jim:acmegating.com | fungi: it looks like podman requires a new libsemanage-common which may pull in a bunch of other stuff... | 16:32 |
@fungicide:matrix.org | right, odds are you'd end up with an almost-bookworm image in the end anyway | 16:32 |
@fungicide:matrix.org | but also now i see Clark's comment about the python images not being bookworm based yet either | 16:33 |
@fungicide:matrix.org | the need for newer libsemanage also means trying to make our own backport build (to stick in a ppa or similar) is probably going to be a royal pain | 16:34 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/nodepool] 883952: DNM: See if newer podman means we can remove the cgroup hack https://review.opendev.org/c/zuul/nodepool/+/883952 | 16:35 | |
@fungicide:matrix.org | https://github.com/docker-library/python/pull/822 | 16:35 |
@fungicide:matrix.org | that seems to be where it's happening | 16:35 |
@jim:acmegating.com | fungi: i just did a hacky install of bookworm podman in that change ^ -- i did a dry run locally and got this: https://paste.opendev.org/show/b8mp3rE6C0ONbQaVkWzq/ | 16:36 |
@jim:acmegating.com | `9 upgraded, 5 newly installed, 1 to remove and 173 not upgraded.` isn't too bad, but it's several source packages and some low level stuff | 16:37 |
@jim:acmegating.com | so i think i still don't love the "build it ourselves". i think maybe we can just use this hacky approach to figure out what we might be able to do in a little bit when bookworm releases | 16:37 |
@fungicide:matrix.org | yeah, doable as a backport i suppose, but maybe if we're going to build something ourselves temporarily anyway then building temporary bookworm python images based on the above pr would make more sense | 16:38 |
@fungicide:matrix.org | or putting the podman work on hold until that pr lands (presumably in a couple of weeks when bookworm is out) | 16:40 |
-@gerrit:opendev.org- Zuul merged on behalf of Simon Westphahl: [zuul/zuul] 880138: Ensure cycle dependencies are enqueued ahead https://review.opendev.org/c/zuul/zuul/+/880138 | 16:48 | |
@jim:acmegating.com | i'm poking at this because Clark is switching to running podman as root, and i think this bugfix that's in a later podman might negate that need. so if this does all shake out, maybe we run podman as root for a few weeks then roll that back. | 16:49 |
@fungicide:matrix.org | ooh, yeah that sounds promising | 16:56 |
@clarkb:matrix.org | corvus: https://review.opendev.org/c/zuul/nodepool/+/883864 passed. So I guess I need to cleanup my comments so they are accurate and useful and then I'd like to run a dib change against it to exercise podman in podman then we can see about merging things | 17:00 |
@jim:acmegating.com | Clark: sounds like a plan | 17:01 |
-@gerrit:opendev.org- Clark Boylan proposed: [zuul/nodepool] 883864: Move nodepool functests to podman https://review.opendev.org/c/zuul/nodepool/+/883864 | 17:02 | |
@clarkb:matrix.org | `remote: https://review.opendev.org/c/openstack/diskimage-builder/+/883958 DNM testing if depends-on parent change works with dib [NEW]` | 17:04 |
@clarkb:matrix.org | https://zuul.opendev.org/t/openstack/build/5df4e0caa9f44a4d90a383ae9d8dd3a0 I think this shows that podman in podman is ok? | 18:30 |
@clarkb:matrix.org | I suspect that we can proceed with the podman job updates for zuul and nodepool given ^ | 18:30 |
@jim:acmegating.com | cool :) | 18:31 |
@clarkb:matrix.org | also those jobs were just exploding due to the siblings stuff so the fact that it works implies siblings is also addressed (this was expected as the siblings issues are due to not being able to lookup tags for things outside of docker.io mirrors with docker) | 18:34 |
-@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul] 877178: Conditionally render ANSI console text with a black background https://review.opendev.org/c/zuul/zuul/+/877178 | 19:50 | |
@iwienand:matrix.org | the only thing i'd say about this is do we intend to switch the nodepool-builders in production to podman too? Because it seems like we'll have no testing of the production builders using docker? | 22:23 |
@clarkb:matrix.org | ianw: we cannot because the builders are not jammy. We can replace them with jammy nodes and switch them to podman but I think replacing them is necessary first | 22:44 |
@clarkb:matrix.org | one thing we can do is improve the opendev ci of the builders too to cover the bases there | 22:44 |
@clarkb:matrix.org | it is a risk but I think a relatively small one? the biggest risk is probably in doing the cgroup change removal with newer podman but we can revert that if necessary without too much fuss | 22:48 |
@jim:acmegating.com | if we want, we can explicitly test that in opendev by pointing the image at an insecure-registry build | 22:49 |
@jim:acmegating.com | * if we want, we can explicitly test that in opendev by pointing the image at an intermediate-registry build | 22:49 |
@jim:acmegating.com | (but also, i suspect any issue with that would either show up in nodepool repo testing, or in a production workload, so probably not worth it) | 22:50 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 883985: Add error information to config-errors API endpoint https://review.opendev.org/c/zuul/zuul/+/883985 | 22:55 | |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 883985: Add error information to config-errors API endpoint https://review.opendev.org/c/zuul/zuul/+/883985 | 23:07 | |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/nodepool] 883952: DNM: See if newer podman means we can remove the cgroup hack https://review.opendev.org/c/zuul/nodepool/+/883952 | 23:29 | |
@jim:acmegating.com | Clark: ^ we got an initial okay on removing the cgroup hack -- that update also removes the sudos you added, so that should be a complete test | 23:30 |
@clarkb:matrix.org | corvus: there is one more sudo I added in https://review.opendev.org/c/zuul/nodepool/+/883864/6/tools/functional-test-check.sh that I think you want to remove | 23:31 |
@jim:acmegating.com | oh heh it's a literal sudo | 23:32 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/nodepool] 883952: DNM: See if newer podman means we can remove the cgroup hack https://review.opendev.org/c/zuul/nodepool/+/883952 | 23:32 | |
@jim:acmegating.com | Clark: thx | 23:32 |