Tuesday, 2020-05-19

*** mlavalle has quit IRC00:04
*** slaweq has quit IRC00:26
*** jhesketh has joined #opendev00:52
*** kevinz has joined #opendev01:23
openstackgerritIan Wienand proposed opendev/system-config master: [wip] generate ssl check list directly from letsencrypt variables  https://review.opendev.org/72874301:36
openstackgerritIan Wienand proposed opendev/system-config master: [wip] generate ssl check list directly from letsencrypt variables  https://review.opendev.org/72874301:54
openstackgerritIan Wienand proposed opendev/system-config master: [wip] generate ssl check list directly from letsencrypt variables  https://review.opendev.org/72874302:31
openstackgerritIan Wienand proposed opendev/system-config master: [wip] generate ssl check list directly from letsencrypt variables  https://review.opendev.org/72874302:50
openstackgerritIan Wienand proposed opendev/system-config master: [wip] generate ssl check list directly from letsencrypt variables  https://review.opendev.org/72874303:10
*** yuri has joined #opendev03:27
openstackgerritIan Wienand proposed opendev/system-config master: [wip] generate ssl check list directly from letsencrypt variables  https://review.opendev.org/72874303:27
*** yuri has quit IRC03:31
openstackgerritIan Wienand proposed opendev/system-config master: [wip] generate ssl check list directly from letsencrypt variables  https://review.opendev.org/72874303:57
*** ykarel|away is now known as ykarel04:57
openstackgerritIan Wienand proposed opendev/system-config master: [wip] generate ssl check list directly from letsencrypt variables  https://review.opendev.org/72874305:03
openstackgerritIan Wienand proposed opendev/system-config master: [wip] generate ssl check list directly from letsencrypt variables  https://review.opendev.org/72874305:28
*** ysandeep|away is now known as ysandeep05:46
*** dpawlik has joined #opendev06:02
*** redrobot has quit IRC06:20
openstackgerritIan Wienand proposed opendev/system-config master: [wip] generate ssl check list directly from letsencrypt variables  https://review.opendev.org/72874306:23
*** slaweq has joined #opendev06:47
*** rpittau|afk is now known as rpittau06:51
*** hashar has joined #opendev07:05
hrwmorning07:12
openstackgerritMarcin Juszkiewicz proposed opendev/base-jobs master: add arm64 nodesets  https://review.opendev.org/72881007:18
hrwcentos-8, debian-buster and ubuntu-focal for arm6407:19
hrwso there will be no need to define them each time07:19
openstackgerritSimon Westphahl proposed openstack/diskimage-builder master: Use kpartx option to update partition mappings  https://review.opendev.org/72882407:21
hrwsent job for ubuntu-focal-arm64. will see how it goes07:24
*** mnasiadka has quit IRC07:25
*** mnasiadka has joined #opendev07:27
hrwok. NODE_FAILURE07:30
ianwhrm, did it build?07:45
ianwhttps://nb03.openstack.org/ubuntu-focal-arm64-0000000445.log07:45
ianw no .... and i know what's wrong ... that isn't deployed with our new container builder (buster era) yet07:46
ianwthe debootstrap on it is too old07:46
ianwi didn't think of that, bummer07:46
ianwwe know it does work on our recent nodes07:47
ianwbefore we take any drastic action, it's probably a question for mordred on where we're at with replacing the arm64 builder with our docker containers07:47
openstackgerritIan Wienand proposed opendev/system-config master: [wip] generate ssl check list directly from letsencrypt variables  https://review.opendev.org/72874307:53
*** tosky has joined #opendev07:56
*** lpetrut has joined #opendev08:01
*** moppy has quit IRC08:01
*** moppy has joined #opendev08:01
*** tkajinam has quit IRC08:02
hrwianw: ok08:02
hrwianw: I built focal image using dib on buster08:03
*** ysandeep is now known as ysandeep|lunch08:21
hrwianw: https://review.opendev.org/728798 (openstack/requirements) waits for ubuntu-focal-arm64 node08:24
hrwianw: it will be using it to make sure that each python package present there is available on aarch64.08:25
*** panda|off is now known as panda08:34
hrwianw: debootstrap from buster-backports knows focal08:54
hrwianw: that's why it worked for me08:54
*** DSpider has joined #opendev08:57
*** ykarel is now known as ykarel|lunch09:07
*** yuri has joined #opendev09:16
*** hashar is now known as hasharAway09:25
ianwhrw: yeah, unfortunately the arm builder nb03.openstack.org is xenial09:26
ianwwe have work in progress to deploy a new containerised version, that will work with focal09:27
hrwomg.09:27
hrwxenial.09:27
*** yuri has quit IRC09:30
hrwianw: any patch in review I could track?09:30
hrwdebootstrap (1.0.78+nmu1ubuntu1.10) xenial; urgency=medium09:30
hrw  * Add (Ubuntu) focal as a symlink to gutsy.  (LP: #1848716)09:31
openstackLaunchpad bug 1848716 in debootstrap (Ubuntu) "Add Ubuntu Focal as a known release" [High,Fix released] https://launchpad.net/bugs/1848716 - Assigned to Łukasz Zemczak (sil2100)09:31
hrwianw: update packages? :D09:31
ianwit has debootstrap                            1.0.114~bpo16.04+109:32
hrw~bpo suggests Debian by hand build09:32
ianwyeah ... we have a backport, i can't quite remember why, i'm sure there's a comment09:33
hrw1.0.114 is buster version09:33
ianwhttp://eavesdrop.openstack.org/irclogs/%23openstack-infra/%23openstack-infra.2019-04-03.log.html#t2019-04-03T21:25:5009:34
ianwso we backported the buster version to build buster09:36
hrwI see09:37
ianwi can probably do the same -- link gutsy to focal09:39
*** sshnaidm|afk is now known as sshnaidm09:40
hrwshould be enough09:40
hrwfocal was added in 117 and does not look like much changed between 114 and 11709:41
hrwianw: what time is at your place? Trying to keep a list of timezone of people I work with09:42
ianwi'm in melbourne .au ... 19:4209:42
hrwthanks09:43
hrwI was not sure which of australian timezones to add09:44
*** ysandeep|lunch is now known as ysandeep09:51
*** ykarel|lunch is now known as ykarel09:53
ianwhrw: ok ... it's building ... https://launchpad.net/~openstack-ci-core/+archive/ubuntu/debootstrap/+sourcepub/11302190/+listing-archive-extra09:54
hrwyay09:54
hrwthank Ian09:54
ianwdon't thank me till it works :)09:56
hrw;)09:56
hrwianw: https://review.opendev.org/#/c/728810/ would be nice addon for it ;d09:59
ianwhrw: i don't know why i didn't just symlink it on the host ... which i've done now10:06
ianwhttps://nb03.openstack.org/ubuntu-focal-arm64-0000000566.log is the build ... it's got further10:06
ianwdebootstrap - 1.0.114~bpo16.04+2 is published, so everything's in sync10:07
ianwbummer, it looks like it hits some other package error10:08
ianwi'm afraid i'm out of time to debug10:08
ianwthe real solution here is to get the arm64 builder upgraded10:08
ianwas soon as mordred is online, i'm sure he can update you on specifics10:08
openstackgerritJens Harbott (frickler) proposed opendev/system-config master: Document the need to use sudo in order to access OSC  https://review.opendev.org/72919610:10
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: DNM: test  https://review.opendev.org/72864010:11
hrwianw: thanks for all the work.10:17
hrwianw: have a nice evening10:17
*** tkajinam has joined #opendev10:30
*** rpittau is now known as rpittau|bbl10:31
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305310:57
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305311:05
*** roman_g has joined #opendev11:25
*** hasharAway is now known as hashar11:51
*** sean-k-mooney has quit IRC11:53
*** rpittau|bbl is now known as rpittau12:04
openstackgerritAlbin Vass proposed zuul/zuul-jobs master: Don't require tox_envlist  https://review.opendev.org/72682912:32
*** ysandeep is now known as ysandeep|brb12:44
openstackgerritMerged opendev/irc-meetings master: Update OSH meeting chair and agenda link  https://review.opendev.org/72901713:01
*** ykarel is now known as ykarel|afk13:11
*** ysandeep|brb is now known as ysandeep13:22
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305313:37
*** lpetrut has quit IRC13:52
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305313:57
*** mlavalle has joined #opendev13:57
*** hashar has quit IRC13:58
openstackgerritOleksandr Kozachenko proposed zuul/zuul-jobs master: Add DaemonSet check for wait-for-pods role  https://review.opendev.org/72850314:00
*** tkajinam has quit IRC14:11
*** tkajinam has joined #opendev14:11
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: WIP: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305314:26
openstackgerritBernard Cafarelli proposed openstack/project-config master: Update neutron stable grafana dashboards  https://review.opendev.org/72929114:42
*** ykarel|afk is now known as ykarel14:43
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: WIP: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305315:01
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: WIP: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305315:12
openstackgerritClark Boylan proposed opendev/system-config master: WIP add support for multiple jvbs behind meetpad  https://review.opendev.org/72900815:15
hrwmordred: ianw mentioned that you may know what is a status of arm64 image builder upgrade15:19
hrwmordred: current one is xenial based and even with debootstrap update is unable to build focal image. My arm64 box runs buster and builds focal image with d-i-b without problem15:20
mordredyah15:20
mordredhrw: it's ... we're getting closer. the other builders are all running in docker, so we needed to get multi-arch docker image support working. that's 90% working, but the other day we found an issue where the multi-arch docker image builder backend seemed to be pulling inappropriate layers and thus making bad images15:21
hrwmordred: ~5h ago in backlog15:21
mordredhrw: so, once we've figured out what's wrong there, we should be good15:21
hrwmordred: yeah.15:21
mordred(and we'll incidentally have arm64 docker images of nodepool, which will be neat)15:22
mordredI need to do some more debugging of the underlying issue though - make sure we understand it15:22
mordredcorvus: ^^ I *just* had a hunch about what might be happening there15:23
clarkbmordred: and the toolchain we are using is docker buildx as well as skopeo?15:23
hrwmordred: thanks15:23
mordredclarkb: yeah - but I think we observed the issue purely in buildx15:23
corvusmordred: o/15:24
mordredcorvus: my hunch is unfounded15:24
corvusboo15:24
mordredcorvus: yeah. I was thinking it had to do with our workaround for push races15:25
mordredbut we do all arches in step 115:25
mordred(I was thinking maybe if we were doing single arches at a time that the first arch could have pulled something wrong into the local cache)15:25
mordredbut that's not the situation15:25
openstackgerritJames E. Blair proposed opendev/system-config master: Run Zuul as the zuuld user  https://review.opendev.org/72695815:34
*** ykarel is now known as ykarel|away15:38
*** ysandeep is now known as ysandeep|afk15:45
openstackgerritClark Boylan proposed opendev/system-config master: Better pre merge testing of mirror configs  https://review.opendev.org/72930515:47
clarkbI've discovered that our quay caching mirror isn't working via ^. I'm also not entirely sure that the red hat registry is working properly either15:49
clarkbsshnaidm: ^ I think both were added for tripleo, any idea if they are being used?15:50
clarkbI see the fix for quay (or at least the first thing to fix) which I'll try to get up soon15:50
sshnaidmclarkb, looking15:52
corvusclarkb: is https://mirror01.dfw.rax.opendev.org:4444/ supposed to be reachable?15:53
corvusclarkb: (i'm just trying out the various urls in that change)15:54
mordredclarkb: I believe there have been many quay issues recently15:54
clarkbcorvus: not yet, https://review.opendev.org/#/c/728986/1 adds it (but its also buggy related to the quay thing)15:54
mordredclarkb: folks in #ansible-devel were talking a few hours ago about quay being broken15:54
clarkbI'm about to squash the two changes together since the additional testing is useful15:54
corvusclarkb: ah, the 8081 is the non-ssl version of that?15:55
clarkbcorvus: yes15:55
clarkbincrements start at 8080/4443 and bump by one for each case from there15:55
corvusclarkb: got it.  i'll see if i can find a better query for that (your TODO)15:55
clarkbcorvus: thanks15:55
*** cloudnull has joined #opendev15:56
cloudnullo/15:56
sshnaidmclarkb, as cloudnull points we use quay in some of our jobs15:57
sshnaidmclarkb, so, it's for tripleo, right15:57
* mordred waves to cloudnull15:58
openstackgerritClark Boylan proposed opendev/system-config master: Enable ssl on all mirror vhosts  https://review.opendev.org/72898615:59
cloudnullo/ https://media0.giphy.com/media/IgGLggVL4HXYDAot0Y/200.gif15:59
clarkbcorvus: ^ that is the squash I'll abandon the old child now15:59
clarkbcloudnull: sshnaidm so what I discovered is nothing on our mirrors is listening on the quay proxy port16:00
clarkbso it isn't possible for that to work at all as I understand it16:00
cloudnullI think I added quay, as well as rh registry, to the reverse proxy config a while back.16:01
cloudnullthough its quite likely i did it wrong16:02
clarkbya thats why I was asking if it is used anywhere16:02
clarkb(because I think we are about to change it in an effort to make it work but that may cause fallout on your side?)16:02
*** lpetrut has joined #opendev16:02
cloudnullwe intend to use quay instead of docker.io but that transition has been slow moving16:02
cloudnullwell quay is having a bad day today (throwing 500s) so today would be a good time to change it :D16:03
openstackgerritMerged zuul/zuul-jobs master: Add DaemonSet check for wait-for-pods role  https://review.opendev.org/72850316:03
mordredcloudnull: :)16:03
cloudnullit's already broken, can't be more broken16:03
clarkbcloudnull: k16:03
cloudnullif things change internally, we'll adjust.16:04
cloudnullclarkb I appreciate you fixing something i likely broke :D16:05
clarkbcloudnull: well it's a new feature that wasn't quite working16:05
cloudnullI'm someone who sees most bugs as just under appreciated features16:06
openstackgerritClark Boylan proposed opendev/system-config master: Listen on Quay Registry Mirror Ports  https://review.opendev.org/72931516:06
clarkbthats the first change to fix quay, its possible there will be more needed but we need that one at least I think16:06
cloudnull++16:07
cloudnullmakes total sense16:07
corvusclarkb: you want to test that the version check returns okay, or should we list some tags on a repository?16:07
* hrw out16:08
clarkbcorvus: I think we're ok with any normal expected output from the backend16:08
clarkbcorvus: The idea would probably be to set up a docker client and pull through each of those, but for now simple is probably sufficient16:08
clarkb*the ideal16:08
corvusclarkb: heh, to be fair, the Forbidden is expected normal output too :)16:08
clarkboh is it?16:08
corvusclarkb: yeah, a token is required for any access to docker.io  (which may have an impact on how well we're actually mitigating docker outages)16:09
clarkbah I see. We get the json doc back on the v2 side but just a http forbidden response for v1?16:09
corvus(i wonder if we're caching anything?)16:09
clarkbcorvus: I'm pretty sure we're caching the images I seem to recall checking that at one point, but it is possible that is just a bw reduction and not reliability thing for us16:10
corvusclarkb: i think authentication is required for both versions?16:11
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: WIP: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305316:11
clarkbcorvus: ya I think you're right16:11
clarkbunrelated on the other thing I've been pulling on https://zuul.opendev.org/t/openstack/build/5f6f67d2b83a441eaa5cb61aec6f5c37/log/jvb01.opendev.org/docker/jitsi-meet-docker_jvb_1.txt shows that the next thing for jvb scale out is configuring additional jvb's to talk to prosody somewhere other than localhost (and then I'll need to punch a firewall hole)16:12
openstackgerritRafael Folco proposed opendev/elastic-recheck master: DNM: Test query  https://review.opendev.org/72931916:15
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: WIP: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305316:16
*** hashar has joined #opendev16:18
*** rpittau is now known as rpittau|afk16:22
zbrwhat is the maintenance status of elastic-recheck repo? asking as it seems to need some maintenance.16:23
openstackgerritMonty Taylor proposed opendev/system-config master: Stop cloning more puppet modules  https://review.opendev.org/72932116:25
openstackgerritClark Boylan proposed opendev/system-config master: WIP add support for multiple jvbs behind meetpad  https://review.opendev.org/72900816:30
clarkbzbr: I've been trying to encourage the qa team to use it more and be more involved since the process of managing queries is largely a qa activity16:31
clarkbzbr: what sort of maintenance are you talking about?16:31
zbrclarkb: multiple levels, both query maintenance and also code (failing to run tox locally).16:32
zbri think that I have some people interested in my team, they will start proposing CRs.16:33
clarkbfor query maintenance I think we really need to get the qa team involved. I don't think it will be sustainable otherwise (we aren't well positioned to debug why openstack is failing and so on)16:33
clarkbfor tox I think we can work on fixing that16:33
zbrsadly when they asked me for help, i realized that I need to fix few things.16:33
zbryep, i do plan to advertise it to our qa team.16:34
zbrone remark they had was concern regarding the time to merge a new rule, as if takes a lot of time it may not prove practical.16:34
zbranyway, I will propose few changes to fix testing jobs first.16:35
clarkbzbr: right the issue is we need the qa team to review changes16:35
openstackgerritMerged zuul/zuul-jobs master: Don't require tox_envlist  https://review.opendev.org/72682916:35
clarkbhistorically mtreinish and mriedem have "owned" that review process. But they've both moved on to other things and no one has stepped in to fill the gap16:35
clarkbI don't think the infra teams are well positioned to say what is and isn't a good query for identifying bugs, that should fall to the qa team16:35
clarkband if the qa team isn't interested in doing that we can see if anyone else is16:36
clarkb(one of the long standing todos with that toolchange is to split the tooling away from the config then the interested debuggers can own the configs/queries and we can just run the service for them)16:36
clarkbunfortunately they have been combined since day one which makes this confusing16:36
zbrthere is also a considerable number of issues that are infra-related, for which queries are very useful16:36
*** dpawlik has quit IRC16:37
clarkbright this isn't to say infra related issues never cause problems. It's identifying that the job of debugging failures should fall to the qa team16:37
zbrin case position is open, i will be interested in nurturing it16:37
clarkbif they identify an issue on the infrastructure we tend to try and fix it16:37
clarkband the reason for that is the infra team can't debug openstack and k8s and help and all the other technology in use16:38
clarkbthe people working with those tools can16:38
zbryep, but if jobs are failing due to more or less random mirror issue, we need to be able to see how often it happens, is not only about fixing it right away.16:39
zbrsome stuff may prove flaky and it would be very important to be able to identify this (docker hub, centos repos, ....), so people do not waste time investigating a bug which is caused by "external forces".16:40
clarkbI agree, but I still think we can't be considered primary debuggers16:41
clarkbadd the bug for mirror is flaky, notify us about it, and we'll try to fix it16:41
zbrmy guess is that if we make it easier to use, and people start seeing reports from it, maybe QA people will be more inclined to use it16:41
*** ysandeep|afk is now known as ysandeep16:43
fungireports like http://status.openstack.org/elastic-recheck/ and http://status.openstack.org/openstack-health/ or something else?16:44
fungiproblem is so many of those queries (especially supposed "infrastructure-related" ones) are tracking symptoms, not causes16:45
clarkbyup that top one is caused by dns issues when jobs break host dns, packages going python3 only and trying to install on python2, pypi outages and so on16:46
fungifor example, the top query there right now for "Pip fails to find distribution for package" is matching the string "No matching distribution found for" which can be caused by outages or by bugs in projects16:47
fungiyeah, what clarkb said16:47
fungiso tracking symptoms doesn't tell us much16:47
*** lpetrut has quit IRC16:50
knikollais ubuntu one broken for logging in to gerrit?16:57
corvusi confirm it's malfunctioning16:58
corvusi end up at the generic gerrit openid page16:58
corvusand i just tried again and it worked16:59
corvusknikolla: try again?  maybe it was a momentary outage of ubuntu one?16:59
knikollacorvus: tried again and works now16:59
openstackgerritSorin Sbarnea (zbr) proposed opendev/elastic-recheck master: Bumped flake8  https://review.opendev.org/72932817:01
corvusclarkb: i don't understand how effective caching can be happening due to the authorization requirement.  at least looking at the first part of the process (the API getting tags, manifests, etc, before we get to blob serving), we have to pass an authorization header in, and there's no cache-control header returned.  so i assume apache would at least treat each request differently, because each one is going17:02
corvusto arrive with a different authz header.17:02
corvusclarkb: (we could consider setting CacheQuickHandler which may bypass the authz check, which may be fine for this situation -- but i don't think we're doing that right now)17:03
corvusclarkb: i haven't done manual requests all the way down to the level of the blob serving, so maybe we're caching the blobs themselves effectively, just not the api?17:04
clarkbcorvus: I believe we tell apache to ignore that stuff17:04
clarkbcorvus: specifically we tell apache it is safe to cache sha256 addressed items iirc because those are not going to change17:05
clarkbso ya it could be that it is just the blob content and not the api17:05
corvussounds like it17:05
openstackgerritSorin Sbarnea (zbr) proposed opendev/elastic-recheck master: Bumped flake8  https://review.opendev.org/72932817:06
openstackgerritSorin Sbarnea (zbr) proposed opendev/elastic-recheck master: Add py38 test jobs  https://review.opendev.org/72933017:06
corvusclarkb: oh wait, apparently cachequickhandler is *on* by default17:06
corvusclarkb: so, erm, i don't know why the authorization header is still required17:07
corvus(but it does appear to be)17:07
corvusaha17:07
corvus Requests with an "Authorization" header (for example, HTTP Basic Authentication) are neither cacheable nor served from the cache when mod_cache is running in this phase.17:07
corvusso that applies to us17:08
openstackgerritClark Boylan proposed opendev/system-config master: Enable ssl on all mirror vhosts  https://review.opendev.org/72898617:08
openstackgerritClark Boylan proposed opendev/system-config master: Listen on Quay Registry Mirror Ports  https://review.opendev.org/72931517:08
clarkbcorvus: and the blob serving is just out of a cdn without auth I think17:09
clarkbcorvus: so that would explain it?17:09
corvusclarkb: yep17:09
clarkbalso testing is good, I'm finding all sorts of bugs :)17:09
zbrfungi: clarkb: we will always have false-positive on matches, that's not the problem. The value is in quantity, if we spot random isolated issues we can assume it was related to the change itself, but if you see peaks of lots of similar errors at the same time, that is when you realize that is likely an infra issue.17:11
zbrwhen I say infra, it does not mean infra managed by opendev, any kind of infra.17:12
zbrcan we drop py27 support in elastic-recheck?17:12
clarkbzbr: thats just not true though. We see spikes due to bugs in the software all the time17:12
clarkbusing the top bug of pip having issues and perfect example is when a python package switches to python3 only and all the python2 jobs try to install it17:13
clarkbyou'll get a spike there17:13
fungiunless you want to consider the merged source code you're integrating as "infrastructure"17:13
clarkbhas nothing to do with infrastructure but with buggy requirements lists17:13
clarkbzbr: yes I think we can drop py27 support in e-r17:13
zbrhurrah! so happy each time I ditch a py27 env.17:14
openstackgerritSorin Sbarnea (zbr) proposed opendev/elastic-recheck master: Add py38 test jobs  https://review.opendev.org/72933017:14
corvusi've seen a few system-config-run jobs fail today due to an ubuntu keyserver timeout17:15
openstackgerritClark Boylan proposed opendev/system-config master: WIP add support for multiple jvbs behind meetpad  https://review.opendev.org/72900817:17
clarkbcorvus: that'll be jobs that use ppa's I think17:17
corvusyes, buth for ze01.openstack.org17:17
clarkbcorvus: one way to address that is to vendor the gpg pubkey for the ppa17:17
clarkbcorvus: I believe the zuul docker images do the vendoring now for this reason, doing similar in the ansible puppet probably a good idea17:17
openstackgerritSorin Sbarnea (zbr) proposed opendev/elastic-recheck master: Drop py27 and add py38 jobs  https://review.opendev.org/72933017:18
corvusmordred: ^ reckon we ought to do that?17:18
corvusmordred: vendor ppa keys17:18
mordredcorvus: yeah17:19
mordredI think fetching the keys from the keyservers has proven to be unnecessarily flaky vs. putting the key into git - we refer to them by id anyway, so if someone changes the key we still have to change what's in git17:20
corvusokay, i'll take a look at what we do in docker and see if i can adapt it to ansible17:20
mordredcorvus: I think we have some places in ansible where we're vendoring already17:20
corvusmordred: cool any hints?17:21
mordredcorvus: playbooks/roles/install-docker has one version17:21
clarkbzbr: we may need to switch where we run it to use python3 but python3 is available on status.openstack.org17:21
mordredcorvus: which is probably a fine way to do it for production ansible17:21
corvusmordred: ack, thanks17:22
mordredcorvus: there is an "easier" version we're using in docker images where we just drop a file in a dir - but I think it needs newer apt to work - so I think what's in install-docker is the right way to go17:22
zbrclarkb: ok.17:22
mordredcorvus: also playbooks/roles/zuul-executor/tasks/main.yaml :)17:23
corvusmordred: wow that's some cognitive dissonance there :)17:25
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: WIP: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305317:28
openstackgerritDouglas Mendizábal proposed openstack/project-config master: Add storyboard project for ansible-role-lunasa-hsm  https://review.opendev.org/72933417:35
zbrclarkb: do i have to update puppet-elastic_recheck or do we have existing ansible for it?17:37
clarkbzbr: its still puppet17:37
zbrclarkb: ouch, my puppeteering skills are as low as possible. what version do we use?17:40
mordred417:41
clarkbthe puppet version shouldn't matter too much. I expect its just a matter of changing pip to pip317:43
openstackgerritSorin Sbarnea (zbr) proposed opendev/puppet-elastic_recheck master: WIP: Use py3 with elastic-recheck  https://review.opendev.org/72933617:43
zbrhttps://260e67f8ff0e2abb7e19-6ad58f996ee59ccfe54ab476a81112a3.ssl.cf2.rackcdn.com/729336/1/check/legacy-puppet-lint/e13791f/job-output.txt17:53
zbrapparently being trolled17:53
openstackgerritClark Boylan proposed opendev/system-config master: WIP add support for multiple jvbs behind meetpad  https://review.opendev.org/72900817:55
clarkbzbr: ya that was a linter update we've been addressing as we fix things. The update itself is just silly but whatever puppet is gonna puppet and it will be gone one day17:55
clarkbzbr: have to remove the :: prefix because it isn't necessary anymore (it's actually perfectly valid still but they want you to remove it)17:56
clarkbI need to pop out now for some late breakfast/early lunch before the meeting17:57
zbri am clueless, as I am unable to even get something useful from running `rake`. LoadError: cannot load such file -- puppetlabs_spec_helper/rake_tasks17:58
clarkbzbr: manifests/bot.pp - WARNING: class included by absolute name (::$class) on line 32 and manifests/init.pp - WARNING: class included by absolute name (::$class) on line 42 immediately above the ERROR line are the problem17:59
clarkbzbr: if you'd like I can push a fix for it18:01
clarkbbut may have to happen a bit later in the day as I've got a few things I need to do between now and the next 2 hours18:01
zbrit would be great, is late here and I am still trying to repair the ensure-docker, as is a blocker for tripleo test jobs.18:02
zbrclarkb: or at least comment with hints if you can, no pressure on that one. but hints are highly appreciated18:02
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305318:07
*** ysandeep is now known as ysandeep|away18:13
openstackgerritSorin Sbarnea (zbr) proposed zuul/zuul-jobs master: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305318:19
openstackgerritAlbin Vass proposed zuul/zuul-jobs master: Deprecate default tox_envlist: venv  https://review.opendev.org/72683018:23
openstackgerritAlbin Vass proposed zuul/zuul-jobs master: Remove unused tox_envlist in fetch-subunit-output  https://review.opendev.org/72934818:24
openstackgerritAlbin Vass proposed zuul/zuul-jobs master: Deprecate default tox_envlist: venv  https://review.opendev.org/72683018:35
*** chandankumar is now known as raukadah18:48
openstackgerritClark Boylan proposed opendev/system-config master: Enable ssl on all mirror vhosts  https://review.opendev.org/72898618:52
openstackgerritClark Boylan proposed opendev/system-config master: Listen on Quay Registry Mirror Ports  https://review.opendev.org/72931518:52
clarkbI think ^ may actually have a chance of passing now18:52
*** diablo_rojo has joined #opendev18:52
openstackgerritClark Boylan proposed opendev/system-config master: WIP add support for multiple jvbs behind meetpad  https://review.opendev.org/72900818:54
clarkband ^ is getting closer to where the firewall will matter18:55
* clarkb preps for meeting now18:55
*** roman_g has quit IRC18:59
*** hashar has quit IRC18:59
*** roman_g has joined #opendev19:05
openstackgerritAlbin Vass proposed zuul/zuul-jobs master: WIP: add simple test runner  https://review.opendev.org/72868419:09
openstackgerritAlbin Vass proposed zuul/zuul-jobs master: WIP: add simple test runner  https://review.opendev.org/72868419:11
openstackgerritDouglas Mendizábal proposed openstack/project-config master: Add storyboard project for ansible-role-lunasa-hsm  https://review.opendev.org/72933419:12
openstackgerritJeremy Stanley proposed opendev/system-config master: Use ensure-nodejs in Gerrit deployment testing  https://review.opendev.org/72936219:18
openstackgerritJeremy Stanley proposed opendev/jeepyb master: Update OpenDev Manual URL in new contributor intro  https://review.opendev.org/72847919:30
openstackgerritJeremy Stanley proposed opendev/jeepyb master: Update OpenDev Manual URL in new contributor intro  https://review.opendev.org/72847919:31
openstackgerritDouglas Mendizábal proposed openstack/project-config master: Configure ansible-role-lunasa-hsm for release  https://review.opendev.org/72933419:31
openstackgerritMerged zuul/zuul-jobs master: ensure-docker: workaround for centos-8 conflicts  https://review.opendev.org/70305319:55
corvusmordred: i think you're right, we didn't decide one way or the other.  i *think* the use-ips-from-inventory thing is going well enough we don't need /etc/hosts, but maybe it's still a good idea?19:58
mordredcorvus: yeah - I think using ips from inventory is the better idea in most of the cases19:58
corvusmordred: ok; we'll see how that goes, and we've got 726910 in our back-pocket if we need it19:59
mordredbut I could imagine things that maybe want to be configured by hostname expecting to be able to talk to each other or something?19:59
mordredyeah19:59
corvusmordred: mostly it's just getting that change past the ppa gauntlet right now19:59
mordredturns out it's a very easy patch :)19:59
clarkbmordred: corvus: not sure if this changes your opinions there but the use case I've got is I need to tell jvb servers to talk to the meetpad prosody server20:00
clarkbI can look up the ip via inventory or I can also just say talk to meetpad.opendev.org port 522220:01
fungiheads up, if nobody's noticed, our gerrit deployment test jobs for versions other than 2.13 have been broken by the ensure-nodejs transition in zuul-jobs, https://review.opendev.org/729362 fixes them20:01
corvusclarkb, mordred: that sounds like a straightforward use-case for /etc/hosts20:03
ianwfungi: you might be interested in https://review.opendev.org/728743 to generate the ssl cert check list automatically.  yesterday i got stuck on testing ... we need some way in testinfra to know what job we're running under20:04
corvusclarkb, fungi, mordred: i restored and +2d https://review.opendev.org/72691020:04
mordredcorvus: ++ agree20:04
corvusianw: why should we care what job we're running?20:05
ianwcorvus: in that case, i want to deploy the ssl check on bridge.openstack.org to avoid a whole other node.  so i want to check in the output configuration that it put the letsencrypt hosts into the config file ... but what nodes go in the list varies by job20:07
clarkbmordred: corvus I've +2'd it20:07
clarkber +3'd it even20:07
fungias have i20:07
corvusianw: how about specifying the expected list of certs as a job variable?20:09
ianwcorvus: yeah the bit i need to work on is getting that into testinfra as something usable20:10
openstackgerritClark Boylan proposed opendev/system-config master: WIP add support for multiple jvbs behind meetpad  https://review.opendev.org/72900820:10
corvusianw: maybe write it out to a file that we read in from testinfra20:10
clarkbok ^ has been rebased on the firewall change and I'll just recheck it once the /etc/hosts change lands20:10
corvusianw: (write it to a file in ansible then read in in the testinfra python)20:10
ianwcorvus: yep, or we can set environment variables.  anyway, i haven't looked at it yet, i only realised what was wrong last night :)20:11
ianwi'll do something generic-ish and then base the change on that20:11
clarkbcorvus: etherpad updated to address your ???s thanks20:11
ianwbut, i think autogenerating the ssl domain list for checking has legs, that bit all seems to work20:12
corvusclarkb: http://eavesdrop.openstack.org/irclogs/%23opendev/%23opendev.2020-03-25.log.html#t2020-03-25T14:08:4520:12
corvusclarkb: that's frickler's scaling link20:12
corvuscouple of interesting links there20:13
clarkbthanks20:13
clarkbcorvus: that is a lot of jvb servers. Now to see if I can find how large they are20:14
corvusclarkb: i think there are some things in https://ffmuc.net/wiki/doku.php?id=knb:meet-server#prosody_setup_for_loadbalancing_control_server that aren't in your patch20:16
corvusclarkb: the prosody config?20:16
clarkbcorvus: ya I'm looking over it now. Some things we already seem to have like prosody listening on 0.0.0.020:16
clarkband for the component secrets I thought I read that with the Multi User Chat "MUC" setup that isn't necessary anymore20:17
clarkbthe stuff about stats looks important for load balancing though20:17
clarkbhttps://github.com/jitsi/docker-jitsi-meet/blob/master/jvb/rootfs/defaults/sip-communicator.properties is the config we are toggling via the docker-compose .env file. That appears to already use stats20:19
corvusclarkb: what do you think about the admin section?20:19
clarkbcorvus: that admins bit is missing from our prosody config so that may need to be added20:20
clarkbfwiw the jvb logs in the job have been helpful in figuring out what is missing so far, I'm hoping that will give us an indication if there are more things to change20:20
openstackgerritClark Boylan proposed opendev/puppet-elastic_recheck master: Use py3 with elastic-recheck  https://review.opendev.org/72933620:24
clarkbzbr: ^ I think that will be happier with linting20:24
clarkbinfra-root I can monitor https://review.opendev.org/#/c/728986/4 this afternoon if I can get a second review on it (thanks ianw for rereviewing it)20:27
clarkbthat's the https on more mirror vhosts20:27
clarkband now to review the firewall change20:29
openstackgerritJeremy Stanley proposed opendev/system-config master: Add OpenEdge CI mirror to Cacti config  https://review.opendev.org/72738920:33
openstackgerritJeremy Stanley proposed opendev/system-config master: Add missing HTTPS ports in ssldomains file  https://review.opendev.org/72741820:33
openstackgerritMerged opendev/system-config master: Run multi-node-hosts-file in run-base-pre  https://review.opendev.org/72691020:34
mordredianw: replied on https://review.opendev.org/#/c/720892 - I did a followup to remove more things and have discovered that we are in fact using puppet-openafs on mirror-update20:38
ianwoh yeah ... that's in the todo list!20:39
mordredianw: I think we can just remove the openstack_project::server afs block20:40
ianwif it matches the afs-client group i guess so20:41
mordredlooks like it does20:42
ianwmirror-update[0-9]*.opendev.org20:42
ianwi think that might want to go to open* ?20:42
clarkbcorvus: why do we split iptables_allowed_groups into iptables_base_allowed_groups and iptables_extra_allowed_groups? Everything else about the change lgtm but that jumped out to me20:44
openstackgerritMonty Taylor proposed opendev/system-config master: Stop cloning more puppet modules  https://review.opendev.org/72932120:45
mordredclarkb: I think base / extra allows us to have a global allowed groups and then to just add additional ones per service20:46
mordredclarkb: otherwise if we wanted to add a service we'd have to remember to copy in any global groups to it20:46
clarkbgotcha20:46
mordred(we do that pattern in some other places already)20:46
corvusyes that's it20:51
corvusin practice, that's going to be hard to use because in order for it to appear in the rules in a test job, some node in the group is going to have to be in the inventory.  which is weird for a supposedly 'global' group.  that's part of why cacti isn't in there right now.  but i thought it worth keeping the pattern.20:52
corvusclarkb, mordred: note also the dependency on https://review.opendev.org/728952 and its parent20:53
clarkbI had missed that, looking now20:56
clarkbcorvus: that for loop with the split is a neat trick21:00
clarkbI've approved the zuul-jobs stack21:01
corvusclarkb: python is still occasionally fun :)21:06
corvusclarkb: any day i can use a for/else loop is a good day21:06
clarkbI've approved the mirror ssl'ing change21:07
clarkbI'll be around to watch it21:07
openstackgerritMerged zuul/zuul-jobs master: Update flake8 ignore rules to match Zuul  https://review.opendev.org/72901021:09
openstackgerritMerged zuul/zuul-jobs master: Allow mapping additional hostvars in write-inventory  https://review.opendev.org/72895221:15
openstackgerritMerged opendev/system-config master: Add OpenEdge CI mirror to Cacti config  https://review.opendev.org/72738921:24
openstackgerritMerged opendev/system-config master: Add missing HTTPS ports in ssldomains file  https://review.opendev.org/72741821:28
openstackgerritJames E. Blair proposed opendev/system-config master: Vendor the apt repo gpg keys used for Zuul  https://review.opendev.org/72940121:28
corvusmordred: ^ that look like what you were thinkin?21:28
openstackgerritDouglas Mendizábal proposed openstack/project-config master: DNM: sanity check  https://review.opendev.org/72940221:30
clarkbcorvus: I think that may only work on bionic and newer? xenial needs the old apt add-key command or whatever it was21:32
mordredcorvus: yes! you might want to put playbooks/roles/install-apt-repo into the files: list in zuul.d in places where zuul-executor role is listed21:32
clarkbfungi: ^ you probably know off the top of your head21:32
mordredclarkb: I think the ansible module should take care of that21:32
clarkboh aha21:32
mordred(I was going to make the same comment - but this is using apt_key - not just putting the file in place)21:32
clarkbroger21:32
mordredclarkb: we'll find out!21:33
clarkbbeing able to test so much of everything before we merge stuff has been excellent21:33
corvusah yeah, i'll add the zuul conf21:33
*** calcmandan has quit IRC21:34
clarkbI've rechecked the jvb change which should use the /etc/hosts magic now21:34
clarkband that should hopefully tell us more useful things21:34
*** calcmandan has joined #opendev21:35
openstackgerritJames E. Blair proposed opendev/system-config master: Vendor the apt repo gpg keys used for Zuul  https://review.opendev.org/72940121:36
openstackgerritMerged opendev/system-config master: Enable ssl on all mirror vhosts  https://review.opendev.org/72898621:38
fungiclarkb: yes, ubuntu-bionic is probably new enough, debian-buster and ubuntu-focal definitely are, ubuntu-xenial and debian-stretch are not21:38
* fungi checks manpage21:38
fungiyeah, bionic is new enough21:40
*** slaweq has quit IRC21:41
fungithe apt-key(8) manpage on a bionic server mentions: Instead of using this command a keyring should be placed directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive name and either "gpg" or "asc" as file extension.21:46
fungiwhat it doesn't exactly say is that you should use .gpg on raw exported keyring files and .asc on pem-format keys21:49
openstackgerritClark Boylan proposed zuul/zuul-jobs master: Add option to prefer https/ssl in configure-mirrors  https://review.opendev.org/72940721:58
hrwfungi: good to know ;)22:05
openstackgerritClark Boylan proposed openstack/project-config master: Escape use of % in tox.ini to avoid interpolation  https://review.opendev.org/72941222:16
openstackgerritJames E. Blair proposed opendev/system-config master: Vendor the apt repo gpg keys used for Zuul  https://review.opendev.org/72940122:17
clarkbinfra-root config-core 729412 addresses a problem that the new tox role reorg exposes in that tox.ini. Assuming it works (eg the escape doesn't break the print there) then we'll want to land that22:20
johnsomIs IPv6 not working at openedge a known issue or something I need to look into?22:20
clarkbjohnsom: that is not a known issue, it's an ipv6 "only" cloud so we should expect it to work22:20
clarkbjohnsom: do you have examples?22:20
fungiopenedge is natively v6 and does all public v4 via nat, yeah22:20
johnsomhttps://89169a9b326532519e5e-7f1ab0a954aa845ce901e1b3383eb285.ssl.cf1.rackcdn.com/729391/1/check/octavia-v2-dsvm-scenario/b6e849e/22:21
johnsomJust the Ipv6 tests failed22:21
clarkboh that's in the nested cloud22:21
clarkbI don't think that relies on any of the cloud side networking in openedge22:21
johnsomWell, we have tempest picking the "external" ipv6 net so resources are reachable from the tempest instance. So, we do hop out typically.22:23
clarkbyou shouldn't hop out22:23
johnsomI just haven't noticed those before, so wondered if it was still coming up.22:23
clarkbon half the clouds there isn't anything to hop out to22:23
johnsomWell, yeah, I guess we don't really. I'm thinking of "hop out" of neutron's config. so not really going out.22:24
johnsomI will dig through logs and see what I find. Thanks22:24
clarkbah ya. I know for ipv4 we explicitly create an interface on the fip network so that the route table sees it as locally attached22:24
clarkbyou may need something like that for ipv6?22:24
johnsomWe haven't for a few years now, so wouldn't expect that to change.22:25
clarkbalso I don't see the worlddump log which would probably be helpful in this case22:25
clarkbI guess because worlddump is only when devstack fails22:25
clarkbnot when tempest fails22:25
clarkb(changing that to be when the job is going to fail would probably be useful)22:26
johnsomHa, yeah, I asked about that a few weeks ago. grin great minds think alike eh?22:26
ianwthese days it's probably better as a post role22:38
clarkbfwiw I've discovered that I forgot to add holes in the firewall for the mirror update. Everything else seems mostly happy. I'm working on a change to test via hitting the public interface so that we test that better in the future22:43
johnsomclarkb It looks like the IPv6 is working fine there. I see good addresses and VIPs. We can pass traffic to some other instances. So likely something in the nova or neutron level.22:44
openstackgerritClark Boylan proposed opendev/system-config master: Open mirror ssl ports externally  https://review.opendev.org/72941622:50
clarkbianw: ^ fyi22:50
clarkbI'll rebase the quay change on top of that22:50
ianwlgtm22:50
clarkbianw: do you have a moment for https://review.opendev.org/#/c/729412/ which addresses a tox issue that zuul-jobs update exposed22:51
ianwalso lgtm :)22:53
openstackgerritClark Boylan proposed opendev/system-config master: Listen on Quay Registry Mirror Ports  https://review.opendev.org/72931522:58
clarkbianw: also I think we need to restart apache2 on all of the mirrors which our current setup doesn't do (it just reloads to be as graceful as possible)22:59
clarkbI'll probably wait for the iptables updates to get in then I can do a global restart22:59
ianwoh, i thought that would create the new vhosts?  maybe not as you say23:00
clarkbianw: when I first figured out what was wrong on mirror.dfw at least I had to restart it then only localhost worked which was why I realized it was iptables at fault23:00
clarkbI checked netstat -lnp output to confirm before restarting apache223:01
openstackgerritIan Wienand proposed opendev/system-config master: [wip] testinfra: create a fixture of data from zuul  https://review.opendev.org/72941823:07
openstackgerritMerged openstack/project-config master: Escape use of % in tox.ini to avoid interpolation  https://review.opendev.org/72941223:09
openstackgerritJames E. Blair proposed opendev/system-config master: Vendor the apt repo gpg keys used for Zuul  https://review.opendev.org/72940123:12
*** DSpider has quit IRC23:21
corvusmordred: where did the value for gearman_server_ssl_key come from in commit f0b77485ec559aa9cde2a5066ecb72a2ffa47ea9 ?23:38
corvusthe next error with testing zuul in the gate seems to be that the key does not match the cert23:38
mordredcorvus: I probably just made one using openssl23:41
corvusmordred: ok, there are a lot of certs; maybe the wrong one got added :)23:41
mordredcorvus: I imagine this is now one of those cases where we'll need to override the public value too, since we'll want them to match23:42
clarkbhrm testinfra doesn't work quite the way I expected it to23:42
openstackgerritIan Wienand proposed opendev/system-config master: [wip] testinfra: create a fixture of data from zuul  https://review.opendev.org/72941823:42
corvusmordred: oh! i wonder if that's what's going on -- a fake private key but only the real public key23:43
mordredcorvus: like - isn't the cert in the public host_vars - but matches the private key23:43
mordredyeah23:43
mordredwe need a fake public key too23:43
corvusok.  so yeah, i'll make a new fake pair then23:43
mordredcorvus: there might be another issue ... I don't think our fake variables override our public hostvars23:43
corvus(i'd use zk-ca.sh for this, but this whole stack is in service of the patch that adds zk-ca.sh, so i'll just do it the hard way till we get things working)23:43
mordred(I think I ran in to that before but was able to punt on it)23:44
mordredbut in any case - I believe that is the situation23:44
corvusmordred: ok.  we can put all the certs in private vars.23:44
corvusthat's too big of a change now, so i'll pick this up tomorrow23:45
mordredyeah. it's also possible I'm not right about that23:45
mordredOR23:45
mordredthat maybe we should consider var precedence so that test fake vars _do_ take precedence over the public vars - no clue if it's even possible for us to do that23:45
corvusmordred: i don't see a reason to have the cert file as a public var23:46
mordredme either23:46
mordredmostly just thinking out loud23:46
openstackgerritClark Boylan proposed opendev/system-config master: Open mirror ssl ports externally  https://review.opendev.org/72941623:48
openstackgerritClark Boylan proposed opendev/system-config master: Listen on Quay Registry Mirror Ports  https://review.opendev.org/72931523:48
clarkbI'm not convinced ^ is entirely correct. I expected testinfra to make it easier to get the ip addrs of the host being operated on23:48
mordredclarkb: there you go expecting things again23:49
clarkbmordred: well even from the docs they are like "here is the addr object with the ip_addresses property"23:49
clarkbbut then I rtfs'd and realized that the addr object is a class object that you need to instantiate23:49
clarkbit's really there to do ip lookups of arbitrary names from the host23:49
clarkbso I'll use that to have the host ask its own name :/23:50
ianwclarkb: or ... we pass the inventory in as a fixture which is what i'm coming at with 729418?23:50
clarkbianw: oh ya that would work too23:51
openstackgerritIan Wienand proposed opendev/system-config master: [wip] testinfra: create a fixture of data from zuul  https://review.opendev.org/72941823:59
