Wednesday, 2023-09-27

-@gerrit:opendev.org- daniel.pawlik https://matrix.to/#/@dpawlik:matrix.org proposed: [zuul/zuul-jobs] 894755: WIP Add feature to set --vm-driver name for minikube https://review.opendev.org/c/zuul/zuul-jobs/+/894755 06:56
-@gerrit:opendev.org- Zuul merged on behalf of Simon Westphahl: [zuul/zuul] 896191: Surface multiple configuration issues as warnings https://review.opendev.org/c/zuul/zuul/+/896191 09:13
@dpawlik:matrix.org Clark: I was trying many times to run pure minikube, as it is done in the job zuul-jobs-test-ensure-kubernetes-crio-ubuntu-jammy, and each time DNS resolution inside the pod does not work. Even when I do a pure script execution https://gist.github.com/danpawlik/c42bac76efef1baa99af7870946a7f87 it also does not work 09:58
@dpawlik:matrix.org I guess that has not been working for a while, and now it would be a good puzzle what is going on 09:58
@dpawlik:matrix.org also what is strange, I can not reproduce the issue locally, when the --driver=podman https://zuul.opendev.org/t/zuul/build/45a4148fddb845d4bd8efcad8242be38 09:59
@dpawlik:matrix.org but on the gates it is failing each time 09:59
@dpawlik:matrix.org main change: https://review.opendev.org/c/zuul/zuul-jobs/+/894755 09:59
-@gerrit:opendev.org- Daniel Blixt proposed: [zuul/zuul-jobs] 896640: Make prepare-workspace-git work with unique scheme https://review.opendev.org/c/zuul/zuul-jobs/+/896640 10:57
@phoenikzz:matrix.org Hi, just tried out the workspace-scheme unique on a job with required-projects that have paths that conflict in both flat and golang schemes. We also use the roles prepare-workspace-git (without git-cache) and mirror-workspace-git-repos (not yet updated). I get the problem that any repo with %2F will keep those characters in the clone step of the prepare-role, but the push step of the mirror role will have the urlencoding translated to /. 11:00
I think I have a solution, have also tried on a kubernetes pod - as the ext::kubectl protocol those think % is a placeholder marker.
https://review.opendev.org/c/zuul/zuul-jobs/+/896640
Requesting reviews
@dpawlik:matrix.org aha, cri-docker is down 11:28
@dpawlik:matrix.org Clark: there is a solution: https://github.com/kubernetes/minikube/issues/13370#issuecomment-1720468886 11:54
@dpawlik:matrix.org I will split my PS and add the test in another one 11:55
-@gerrit:opendev.org- daniel.pawlik https://matrix.to/#/@dpawlik:matrix.org proposed: [zuul/zuul-jobs] 896646: Add workaround to accept traffic in/out from the bridge; add dns test https://review.opendev.org/c/zuul/zuul-jobs/+/896646 12:04
-@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 896501: Store frozen jobs using UUID instead of name https://review.opendev.org/c/zuul/zuul/+/896501 12:05
-@gerrit:opendev.org- daniel.pawlik https://matrix.to/#/@dpawlik:matrix.org proposed: [zuul/zuul-jobs] 896646: Add workaround to accept traffic in/out the bridge; add dns test https://review.opendev.org/c/zuul/zuul-jobs/+/896646 12:24
-@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 896501: Store frozen jobs using UUID instead of name https://review.opendev.org/c/zuul/zuul/+/896501 12:28
-@gerrit:opendev.org- daniel.pawlik https://matrix.to/#/@dpawlik:matrix.org proposed: [zuul/zuul-jobs] 896646: Add workaround to accept traffic in/out the bridge; add dns test https://review.opendev.org/c/zuul/zuul-jobs/+/896646 12:32
-@gerrit:opendev.org- daniel.pawlik https://matrix.to/#/@dpawlik:matrix.org proposed: [zuul/zuul-jobs] 896646: Add workaround to accept traffic in/out the bridge; add dns test https://review.opendev.org/c/zuul/zuul-jobs/+/896646 12:59
-@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul] 896581: Emit stats for more build results https://review.opendev.org/c/zuul/zuul/+/896581 13:02
-@gerrit:opendev.org- daniel.pawlik https://matrix.to/#/@dpawlik:matrix.org proposed: [zuul/zuul-jobs] 896646: Add workaround to accept traffic in/out the bridge; add dns test https://review.opendev.org/c/zuul/zuul-jobs/+/896646 13:19
-@gerrit:opendev.org- daniel.pawlik https://matrix.to/#/@dpawlik:matrix.org proposed: [zuul/zuul-jobs] 896646: Add workaround to accept traffic in/out the bridge; add dns test https://review.opendev.org/c/zuul/zuul-jobs/+/896646 13:31
@sjal:matrix.org hey, I got an email today from Azure regarding enforcing Trusted Launch in their VM API - it's going to be a new default - https://learn.microsoft.com/en-gb/azure/virtual-machines/trusted-launch 14:16
```
In alignment with security best practices, new Virtual Machines (VM), Virtual Machine Scale Sets (VMSS) & OS Disks created using Azure PowerShell & CLI will default to security type Trusted Launch. This change will be made in Azure PowerShell (version: 11.0.0) and Azure CLI (version: 2.54.0) November 2023 release. We're implementing this default change to enable foundational compute security in all new VMs, VMSS & OS Disk resources and to provide you with Secure-by-default Azure Compute resources.
If you're already using security type "TrustedLaunch" in Azure PowerShell & CLI deployments, these settings will already be applied, and this change won't affect new deployments.
```
there are some caveats (as always) though:
```
If you are using a Linux image and anticipate the VM may have kernel drivers either unsigned or not signed by the Linux distro vendor, then you may want to consider turning off secure boot. In the Azure portal, in the ‘Create a virtual machine’ page for ‘Security type’ parameter with ‘Trusted Launch Virtual Machines’ selected, click on ‘Configure security features’ and uncheck the ‘Enable secure boot’ checkbox. In CLI, PowerShell, or SDK, set secure boot parameter to false.
```
```
For the most current technology, customers are encouraged to use Azure Compute Gallery. All new features, like ARM64, **Trusted Launch**, and Confidential VM are only supported through Azure Compute Gallery. If you have an existing managed image, you can use it as a source and create an Azure Compute Gallery image.
```
There are some prereqs that the user should do when he doesn't change the flag: https://learn.microsoft.com/en-gb/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2#prerequisites
And to just not bother with it we have to:
```
You can use parameter securityType with value Standard to disable Trusted Launch in new VM/VMSS deployments using Azure PowerShell (v10.3.0+) and CLI (v2.53.0+)
```
I'm afraid it could affect the API Zuul is using to deploy new VMs. What do you guys think?
@sjal:matrix.org and yes, I know it says for just az cli and powershell and I didn't find any information about their API we are using (assuming it's the same as CLI) 14:17
@sjal:matrix.org * and yes, I know it says for just az cli and powershell and I didn't find any information about the API we are using (assuming it's the same as CLI) 14:17
@sjal:matrix.org * hey, I got an email today from Azure regarding enforcing Trusted Launch in their VM API - it's going to be a new default - https://learn.microsoft.com/en-gb/azure/virtual-machines/trusted-launch 14:18
`In alignment with security best practices, new Virtual Machines (VM), Virtual Machine Scale Sets (VMSS) & OS Disks created using Azure PowerShell & CLI will default to security type Trusted Launch. This change will be made in Azure PowerShell (version: 11.0.0) and Azure CLI (version: 2.54.0) November 2023 release. We're implementing this default change to enable foundational compute security in all new VMs, VMSS & OS Disk resources and to provide you with Secure-by-default Azure Compute resources. `
`If you're already using security type "TrustedLaunch" in Azure PowerShell & CLI deployments, these settings will already be applied, and this change won't affect new deployments. `
there are some caveats (as always) though:
`If you are using a Linux image and anticipate the VM may have kernel drivers either unsigned or not signed by the Linux distro vendor, then you may want to consider turning off secure boot. In the Azure portal, in the ‘Create a virtual machine’ page for ‘Security type’ parameter with ‘Trusted Launch Virtual Machines’ selected, click on ‘Configure security features’ and uncheck the ‘Enable secure boot’ checkbox. In CLI, PowerShell, or SDK, set secure boot parameter to false.`
`For the most current technology, customers are encouraged to use Azure Compute Gallery. All new features, like ARM64, **Trusted Launch**, and Confidential VM are only supported through Azure Compute Gallery. If you have an existing managed image, you can use it as a source and create an Azure Compute Gallery image.`
There are some prereqs that the user should do when he doesn't change the flag: https://learn.microsoft.com/en-gb/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2#prerequisites
And to just not bother with it we have to:
`You can use parameter securityType with value Standard to disable Trusted Launch in new VM/VMSS deployments using Azure PowerShell (v10.3.0+) and CLI (v2.53.0+)`
I'm afraid it could affect the API Zuul is using to deploy new VMs. What do you guys think?
-@gerrit:opendev.org- daniel.pawlik https://matrix.to/#/@dpawlik:matrix.org proposed: [zuul/zuul-jobs] 896646: Add workaround to accept traffic in/out the bridge; add dns test https://review.opendev.org/c/zuul/zuul-jobs/+/896646 14:20
@clarkb:matrix.org > <@sjal:matrix.org> hey, I got an email today from Azure regarding enforcing Trusted Launch in their VM API - it's going to be a new default - https://learn.microsoft.com/en-gb/azure/virtual-machines/trusted-launch 14:59
>
> `In alignment with security best practices, new Virtual Machines (VM), Virtual Machine Scale Sets (VMSS) & OS Disks created using Azure PowerShell & CLI will default to security type Trusted Launch. This change will be made in Azure PowerShell (version: 11.0.0) and Azure CLI (version: 2.54.0) November 2023 release. We're implementing this default change to enable foundational compute security in all new VMs, VMSS & OS Disk resources and to provide you with Secure-by-default Azure Compute resources. `
>
> `If you're already using security type "TrustedLaunch" in Azure PowerShell & CLI deployments, these settings will already be applied, and this change won't affect new deployments. `
>
> there are some caveats (as always) though:
>
> `If you are using a Linux image and anticipate the VM may have kernel drivers either unsigned or not signed by the Linux distro vendor, then you may want to consider turning off secure boot. In the Azure portal, in the ‘Create a virtual machine’ page for ‘Security type’ parameter with ‘Trusted Launch Virtual Machines’ selected, click on ‘Configure security features’ and uncheck the ‘Enable secure boot’ checkbox. In CLI, PowerShell, or SDK, set secure boot parameter to false.`
>
> `For the most current technology, customers are encouraged to use Azure Compute Gallery. All new features, like ARM64, **Trusted Launch**, and Confidential VM are only supported through Azure Compute Gallery. If you have an existing managed image, you can use it as a source and create an Azure Compute Gallery image.`
>
> There are some prereqs that the user should do when he doesn't change the flag: https://learn.microsoft.com/en-gb/azure/virtual-machines/trusted-launch-portal?tabs=portal%2Cportal3%2Cportal2#prerequisites
>
> And to just not bother with it we have to:
>
>
> `You can use parameter securityType with value Standard to disable Trusted Launch in new VM/VMSS deployments using Azure PowerShell (v10.3.0+) and CLI (v2.53.0+)`
>
> I'm afraid it could affect the API Zuul is using to deploy new VMs. What do you guys think?
It says you can disable secure boot in the SDK calls. We probably want to update nodepool to support an image property for secure boot, and then the various drivers can enable or disable it as supported. That said, unless you are building weird images it may be a non-issue.
@clarkb:matrix.org In the case of OpenDev's nodepool we build images using mbt and bios. But dib does support everything you need to make efi and secure boot work 15:01
@clarkb:matrix.org I'm assuming that is fairly standard in azure if they are going to do that by default 15:01
-@gerrit:opendev.org- Bernhard Berg proposed wip on behalf of Lukas Kranz: [zuul/zuul-jobs] 887917: prepare-workspace-git: Add ability to define synced projects https://review.opendev.org/c/zuul/zuul-jobs/+/887917 15:13
@clarkb:matrix.org * In the case of OpenDev's nodepool we build images using mbr and bios. But dib does support everything you need to make efi and secure boot work 15:51
@jim:acmegating.com I'm going to be traveling to the gerrit user summit and speaking there this weekend, then visiting some acme gating customers in europe afterwards; so i'll be less available until october 9. 15:53
@fungicide:matrix.org thanks for the heads up, safe travels and good luck! 16:04
@harbott.osism.tech:regio.chat how can I search builds/buildsets for a ref? e.g. https://zuul.opendev.org/t/openstack/buildsets?project=openstack%2Freleases&pipeline=post&skip=0 I see a lot of SHAs in the change column, but if I try to filter for one, zuul says "must be an integer" 17:40
@clarkb:matrix.org > <@harbott.osism.tech:regio.chat> how can I search builds/buildsets for a ref? e.g. https://zuul.opendev.org/t/openstack/buildsets?project=openstack%2Freleases&pipeline=post&skip=0 I see a lot of SHAs in the change column, but if I try to filter for one, zuul says "must be an integer" 17:51
I suspect this is a bug introduced by https://review.opendev.org/c/zuul/zuul/+/871259 and we probably need to do better validation. In particular, change,patchset should be split on , and the change taken, as well as allowing sha1s, assuming the note about it passing to the db is correct.

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!