Monday, 2021-07-12

opendevreviewMerged opendev/system-config master: Connect Zuul to
ianwok, that has deployed.  i'm going to save queues and restart zuul & gerrit with new image00:51
ianwinteresting, the docker-compose.yaml on gerrit appears to have a syntax error of some sort00:56
ianwit appears to have got itself indented slightly00:57
ianwoh i see it.  i'll fix by hand and get things going00:58
ianwpulling new gerrit image now00:59
ianw is the one we want01:01
ianwno sorry, 3.201:02
ianwopendevorg/gerrit                                         3.2                                    sha256:e03d7652bb63f516611cb11d3642e9e3659548fbc99fdf9e265cbac225471459   847424025943        5 days ago          811MB01:02
ianwthat matches, ergo we have the correct image on the production server.  so i'll start it now01:02
ianwPowered by Gerrit Code Review (3.2.11-2-gf500af8500-dirty) 01:05
ianwok, zuul is restarting01:06
ianwok, looks like some events coming in via gerrit, so the connection should be ok01:08
opendevreviewIan Wienand proposed opendev/system-config master: gerrit: fix docker-compose template
ianweverything seems to be working so i think we're done01:36
ianw#status log pulled gerrit 3.2.11 image and restarted, restarted zuul to use full name when connecting01:36
opendevstatusianw: finished logging01:37
opendevreviewIan Wienand proposed opendev/ master: Add paste01
opendevreviewMerged opendev/ master: Add paste01
ianwhrm, there must be a new ffi release that we haven't wheeled yet, and the gerrit testing is failing03:27
opendevreviewchzhang8 proposed openstack/project-config master: add acls for tricirlce under x namespaces
ianwlast time it ran it got04:10
ianwCollecting cffi>=1.104:10
ianw  Downloading (401 kB)04:10
ianwCollecting cffi>=1.104:12
ianw  Downloading (475 kB)04:12
ianwit looks like they ahve a new release management process04:27
ianwand python35 wheels have been dropped04:29
opendevreviewIan Wienand proposed opendev/system-config master: gerrit: fix docker-compose template
opendevreviewIan Wienand proposed opendev/system-config master: install-docker: install build-essential for cffi on Xenial
opendevreviewMerged opendev/system-config master: Sync project-config before deploying accessbot
*** ysandeep- is now known as ysandeep05:59
*** bhagyashris__ is now known as bhagyashris|ruck06:51
*** amoralej|off is now known as amoralej07:01
*** rpittau|afk is now known as rpittau07:35
opendevreviewchzhang8 proposed openstack/project-config master: register and bring back tricircle under x namespaces
opendevreviewTakashi Kajinami proposed openstack/project-config master: tripleo-common-tempest-plugin - Step 2: End project Gating
opendevreviewTakashi Kajinami proposed openstack/project-config master: tripleo-common-tempest-plugin - Step 4: Remove Project
opendevreviewTakashi Kajinami proposed openstack/project-config master: tripleo-common-tempest-plugin - Step 4: Remove Project
*** ysandeep is now known as ysandeep|lunch08:16
*** ykarel is now known as ykarel|lunch08:17
opendevreviewMerged openstack/diskimage-builder master: Migrate from testr to stestr
*** rm_work| is now known as _rm_work08:54
*** _rm_work is now known as ]rm_work08:55
*** ]rm_work is now known as [rm_work08:55
*** [rm_work is now known as zrm_work08:55
*** cgoncalves_ is now known as cgoncalves09:13
opendevreviewchzhang8 proposed openstack/project-config master: register and bring back tricircle under x namespaces
*** ykarel|lunch is now known as ykarel09:47
opendevreviewMerged openstack/diskimage-builder master: cache-url : turn down verbose curl
*** ysandeep|lunch is now known as ysandeep09:58
opendevreviewMerged openstack/diskimage-builder master: Add a growvols utility for growing LVM volumes
*** ysandeep is now known as ysandeep|afk10:57
*** dviroel|out is now known as dviroel11:24
*** bhagyashris_ is now known as bhagyashris|ruck11:32
*** ysandeep|afk is now known as ysandeep11:52
opendevreviewVishal Manchanda proposed openstack/project-config master: Retire django-openstack-auth
*** ysandeep is now known as ysandeep|afk12:25
*** amoralej is now known as amoralej|lunch12:33
tristanCcorvus: mordred: the curl notes have been moved to unclutter the readme to
tristanCcorvus: yes i can have a look12:40
*** needssleep is now known as TheJulia12:44
*** ysandeep|afk is now known as ysandeep13:05
fungiianw: yeah, i similarly proposed to get gear's tests worknig again with new cffi13:14
fungiinfra-root: i'm sort of around today, in and out doing travel prep and errands. i'll be out of communication most of tomorrow and then much of the time through the 19th, but hope to be around again as usual on the 20th or 21st worst case13:16
*** amoralej|lunch is now known as amoralej13:31
walshh_Hi all, a quick question on Ocata and Newton if I may.  Both are EOL but I am wondering is it possible to still update the online docs e.g.
fungiwalshh_: nope, not as far as i understand, the branches those were built from have been deleted so there's no way to merge new commits to them14:33
walshh_Thank you fungi for the quick reply14:37
fungiwalshh_: someone could probably hand modify the html content for those in afs if there's something which badly needs to be fixed, but i recommend talking with the openstack cinder team and openstack technical committee to determine if it's serious enough to warrant that14:38
walshh_Thanks, as it is only applicable to the VMAX driver and is more 14:41
walshh_It is about hardware OS support so more informational than anything else14:43
clarkbfungi: can you review ianw's gerrit fixes stack at if you have time?14:46
rosmaitafungi: you know you there's that tag line that shows up on the pages, for example, the train release : "This is maintained, but not the current release. The current supported release is Wallaby."14:49
rosmaitai don't see something like that on newton14:49
rosmaitawould be helpful to say "This release is End of Life and the features and configuration described herein may no longer be accurate"14:50
clarkbrosmaita: the opendev team doesn't manage the docs or their contents. As fungi mentioned we could potentially do hand edits but we wouldn't be constructing those they would need to be provided to us14:51
clarkbmight also provide feedback to the openstack release team to have them double check stuff like that is in place before cleaning up branches14:52
rosmaitaclarkb: thanks ... didn't realize the release team supplied the wrapper for the docs, but that makes sense14:53
clarkbwell I don't know that they do. But they have a number of checks they make when doing releases and retiring release series14:54
clarkband this could be one of them14:54
rosmaitaok, thanks14:55
fungiyeah, i really have no idea how all that works. would need to consult the technical writers sig, the oslo team (who maintain the docs theme), maybe the release team and tc14:55
fungiit's a bigger discussion14:56
clarkbits possible when that was added it was never backported14:57
fungior it was backported but nothing merged to regenerate/publish those particular docs15:00
opendevreviewClark Boylan proposed opendev/system-config master: Update gitea to 1.14.4
*** ykarel is now known as ykarel|away15:03
*** dviroel is now known as dviroel|lunch15:05
clarkbtristanC: corvus: I was thinking it would be a good idea to test the bots you are working on in oftc bridged channels too. That way we don't have to run multiple copies of the bots (in fact I would consider not running multiple copies of bots for different protocols are requirement for this)15:21
corvusclarkb: the log bot will need a little extra work to strip the "oftc" stuff from the nicks, but otherwise, should be fine.15:29
corvusclarkb: note that limnoria currently provides meetbot+logging, and i have only written a logging replacement, not a meetbot replacement.  it's probably possible to turn off the channel logging in limnoria without disabling meetings, but i don't know.  just something to consider.15:33
*** ysandeep is now known as ysandeep|away15:35
clarkbyes, I think you can disable the limnoria logging. It is provided by a plugin and you remove/disable the plugin15:37
opendevreviewTristan Cacqueray proposed opendev/system-config master: Run matrix-gerritbot on eavesdrop
tristanCcorvus: ^ should contains the tasks required to setup the gerritbot-matrix, it includes a task to convert a yaml based configuration, but i think it would be better to keep the dhall format15:50
tristanC(otherwise we need to repeat the default settings such as branch name and gerrit events)15:52
*** jgwentworth is now known as melwitt16:07
*** dviroel|lunch is now known as dviroel16:10
*** ysandeep|away is now known as ysandeep16:20
*** rpittau is now known as rpittau|afk16:21
*** amoralej is now known as amoralej|off16:26
*** ysandeep is now known as ysandeep|away16:26
opendevreviewClark Boylan proposed opendev/system-config master: DNM force gitea failure for interaction
clarkbI've put a hold in place for ^ so that we can look at it16:46
opendevreviewTristan Cacqueray proposed opendev/system-config master: Run matrix-gerritbot on eavesdrop
opendevreviewVishal Manchanda proposed openstack/project-config master: Retire django-openstack-auth
opendevreviewTristan Cacqueray proposed opendev/system-config master: Run matrix-gerritbot on eavesdrop
clarkbinfra-root I think is ready for review. I left a comment on there with a held node link which you can use to poke at the updated system17:52
clarkbthis is the gitea upgrade change17:52
clarkboh wait the logos aren't right17:52
clarkbI think our logo override isn't working :/17:52
clarkbI'll dig into that. I think you can review the other bits of the change safely without that interferring too much though17:54
mordredclarkb: fwiw - the matrix well known files *are* serving as expected17:57
mordredso that's good at least17:58
opendevreviewMerged opendev/system-config master: install-docker: install build-essential for cffi on Xenial
opendevreviewVishal Manchanda proposed openstack/project-config master: Retire django-openstack-auth
clarkbmordred: yup, and the matrix side verified one half of them. The other half is failing due to cors but it would only give us element urls under so not super important18:02
clarkbI think I have osrted out the logo issue in the test build. I'll get udpatse up shortly and recycle the hold18:02
opendevreviewClark Boylan proposed opendev/system-config master: Update gitea to 1.14.4
opendevreviewClark Boylan proposed opendev/system-config master: DNM force gitea failure for interaction
opendevreviewMerged opendev/system-config master: gerrit: fix docker-compose template
opendevreviewVishal Manchanda proposed openstack/project-config master: Retire django-openstack-auth
opendevreviewGhanshyam proposed openstack/project-config master: End project gate for retired neutron-lbaas
clarkbtristanC: a lot of our users do override the branches and gerrit events that they want to see18:30
clarkbtristanC: as far as making this easier for humans to consume I think the existing yaml config is pretty straightforward. People will probably figure out dhall too if we preseed with enough examples (and I assume we would port our config over either way)18:31
opendevreviewTristan Cacqueray proposed opendev/system-config master: Run matrix-gerritbot on eavesdrop
clarkbmaybe the defaults should be in the application and not config if you feel strongly about them?18:31
tristanCclarkb: i'd rather not manage the configuration default in the application, and if you don't mind the repetition then we can keep the yaml format18:38
clarkbI don't mind. Its easy enough to capture them with an anchor and repeat them where applicable and just redefine them where it isn't (and i think that may happen a lot more than expected)18:39
efoleyfungi, clarkb: I've been locked out of my account for gerrit, can you help me please? I removed an old e-mail address from gerrit/ubuntu one and now can't log in with my current e-mail address.18:50
clarkbefoley: let me see. Chances are gerrit is preventing your openid from being used because it conflicts with another account18:51
clarkbyup that is exactly it18:52
clarkbefoley: let me gather more data on the gerrit accounts at play here so that we can understand it better18:52
efoleyclarkb, I first removed the account on gerrit, and then tried to log in again with ubuntu one, which sent my old e-mail and created a new gerrit account18:52
clarkbefoley: can you maybe be a bit more specific ( you don't need to use identifiable identifers). I am having a hard time parsing that18:54
efoleyclarkb: sequence of events?18:54
clarkbefoley: yes the sequence of events18:54
efoleyclarkb: 1- I removed the old e-mail from gerrit18:55
efoleyclarkb: 2- I logged out of gerrit and tried to log in via ubuntu one using my old account details which had not yet changed - Which should not have worked, and (I thought) should confirm that the old address was removed18:56
efoleyclarkb: 3- Logging into gerrit with the old address actually worked, and a new gerrit account was created, with my gerrit username and old e-mail address18:57
efoleyclarkb: 4- I set my ubuntu one account to use my current e-mail address, to see if I could log into gerrit with my current e-mail and username  -- this failed. 18:59
clarkbthanks that helps.18:59
clarkbSo there is a bit of difficulty in fixing these things. The first issue is taht gerrit isn't currently allowing us to edit external account ids individually because we have a few hundred similar conflicts (though in the case of existing problems it is because old gerrit allowed the conflcit that new gerrit prevents. basiclly old gerrit would've given you a third account at step 4,19:02
clarkbnew gerrit errors)19:02
clarkbI've been slowly working through those and doing surgery on them so that we can get to a point where we have no oustanding issues in the account config allowing us to push changes for individual edits/fixups. There are about 174 in lfight right now in fact. But that still leaves us with something like 80 more to go19:03
clarkbI think there are two easy options available to us right now (but I'll need todig into the account configs to confirm). 1) remove the external ids from the old accounts and disable them then roll forward on the new account or 2) reset your ubuntu one account to the old email so that you get the old openid back. This should log you into the old account19:04
clarkbin your sequence of events above I think step 3 logged you into your old account not a new one (but I'm not 100% of that). The reason I think this is that gerrit forces you to set the username manually and doesn't populate that from the openid info. If you logged in and saw the same username then it was likely the same account19:05
efoleyclarkb: step 3 logged me into a new account; the "account created" value was "x minutes ago" and none of my reviews were there 19:06
clarkbefoley: ok, I suspect the username wasn't set then19:06
clarkbin that case option 2) above may be functionaly similar to option 1) basically require a roll forward. I'll need to dig into the accounts information and try to sort out what gerrit did19:08
efoleyclarkb: can confirm: old e-mail/new account = no username set19:08
opendevreviewVishal Manchanda proposed openstack/project-config master: Retire django-openstack-auth
clarkbok cool that helps. efoley can you PM me the account id number(s) you see in the gerrit ui if you are able to get into the gerrit ui?19:08
clarkbI need to eat lunch but when I get back I can collect all the relevant info for the accounts in question then we can make more concrete statements on what our options are19:09
efoleyclarkb: okie dokie19:09
clarkbAlright I think I see what hapepend. The old account had old email removed from it. When you logged in again the openid that was provided was provided with the old email address. Gerrit decided that it needed a new account because no account matches that openid + email pair. It then created the new account and updated the existing openid externalid record to point to the new account19:37
clarkband removed it from the old19:37
opendevreviewTristan Cacqueray proposed opendev/system-config master: Run matrix-gerritbot on eavesdrop
clarkbThen when you updated the ubuntu one account to have the new email address logins fail because the old account's preferred email address is the new email address and the conflict19:38
efoleyclarkb: So now my old account doesn't have an openid associated with it.19:38
clarkbwith old gerrit we would do a quick and easy sql statement to move the external id back t oyour old account and then disable teh new account19:39
clarkbwith new gerrit all of that information is stored in the git notedb and we are not currently allowed to push updates to gerrit for those records without fixing all of the other existing conflicts first :/19:40
clarkb(there is a not great workaround for that which I'll get to in a bit)19:40
clarkbI think that means our easy option is 1) roll forward on the new account. 2) won't work because I assumed the openid had changed (another openid related issue we run into), but in reality the openid has stayed the same gerrit just happily moved it for us :(19:42
clarkbThe not great workaround we can try (we have yet to attempt it) is to stop gerrit, push into the git repo directly without gerrit verification, offline reindex accounts (and groups), then start gerrit and hope we did proper surgery19:42
clarkbThe downside to this workaround is that it requires a gerrit downtime. And not a super short one due to the reindexing though reindexing of accounts and groups does go reasonably quikcly19:43
efoleyclarkb: Option 2 sounds disruptive to everyone19:44
clarkbThe "good" news is that ianw has been working on a gerrit downtime to move servers and planned to reindex things anyway. It is possible that ianw would be open to incorporating an external id cleanup in that move19:44
efoleyclarkb: Option 1 sounds like I accept the loss and move to the new account, and am still stuck with the old e-mail address which I need to change.19:45
clarkbefoley: ^ if ianw is open to that and you are willing to wait a week (downtime is scheduled to begin at 23:00 UTC July 18) that may be a reasonable option19:45
clarkbefoley: if you do 1) we would remove the new address from the old account which should allow you to use it on the new account19:45
efoleyclarkb: What does that mean for patchsets and review associated with the old account? 19:49
efoleyclarkb: they will still be owned by the old account and mean that I can't easily search for them?19:49
clarkbthey will continue to be associated with the old account. We allow anyone to push new patchsets to existing changes regardless of ownership so that shouldn't be a big problem. Probably the biggest issues you'll have are searching as well as needing to use a different username to push19:50
efoleyclarkb: I'm going on vacation at the end of the week, and don't expect to push changes this week, however, there are some reviews I wanted to do (in theory, I can use the command line to apply votes to reviews, but maybe can't comment). I'm open to option 2 and can wait a week, if ianw is open to option 2.19:51
clarkbefoley: you should be able to vote and commetn via the command line iirc.19:52
clarkbit may be clunky to do inline comments though19:53
efoleyclarkb: I can deal with a bit of annoyance since it seems like I can piggyback on the cleanup that's on the TODO list anyway.19:55
clarkb(thinking out loud here) I wonder what would happen if we essentially retire and remove identities from the new account then add your old email address to the old account. Then you login again. Will it simply shift the account associating back to the old account?19:55
efoleyclarkb: Wouldn't that require verifying the old e-mail address?19:56
clarkbefoley: if you're going to be around for the next half hour or so I don't mind trying ^ I don't think we can make this any worse (it might create a third account)19:56
clarkbefoley: it shouldn't because I think I can set it directly as admin without verification19:56
fungiclarkb: i'm only semi-around but what you describe sounds plausible, worth a shot anyway19:57
efoleyclarkb: I'm curious, I was thinking that something like that might work IF I could skip the e-mail verification.19:57
clarkbefoley: give me a few minutes to read up on api calls and put together a list of curl commands to run but I'm game to try it19:58
fungii'm not too sure to what extent they've tied e-mail verification to the external-ids association19:58
fungii wouldn't be surprised if they just punted and it works (in which case, shhh, that could make it possible to squat other people's addresses if they don't have accounts with them yet)19:59
clarkbI suspect it will error because the external id has that email and belongs to another account20:00
fungioh, if it's still associated with the other account, yes20:01
clarkbyup because I can't delete the external id, if I do that it will for sure create a new account20:01
clarkbbut I also can't edit it. So I'm hoping we can simply convince it to sldie it back over like it did in the first place if I can convince it to add the email addr to the other account. But I expect this to error20:02
clarkbworth trying though20:02
clarkbok confirmed "Email 'foo' is in use by another account"20:05
clarkbit is so frustrating that the rest api has methods for updating just about everything but external ids. This forces you to push external ids to gerrit via git which doesn't work because of completely unrelated conflicts20:09
clarkbefoley: only key thing if we do the update during the downtime is that you'll want to stick to an email address on the ubuntu one side then we will update the external id's email address to match when we update the account id20:11
clarkbbecause if you log in with the old email id after we do that we'll be right back where we started I Think20:11
clarkbI guess I could add an email address externalid to the new account now for the old email address to prevent it causing this problem again. That seems like a reasonable idea20:12
efoleyYou mean make sure that my new e-mail address is on the ubuntuone account?20:12
clarkbefoley: yes, beacuse if we update the gerrit account to use the new address then you log back in with the old address I think it may create a new account again20:14
clarkbnot 100% sure of that but I think it is a risk20:14
clarkbalso I cannot add the old email to the new account anymore than it is already there. Api says "email exists"20:14
clarkbefoley: ianw's day should be starting in an hour or two. We probably don't need to keep you around any longer. I'll see what ianw has to say about this and we can sync up tomorrow?20:15
clarkbianw: efoley: also maybe we can test it on the new server before we do the cut over?20:17
clarkb is the related upstream bug for these issues fwiw20:17
efoleyclarkb: Thanks for your help so far! 20:20
clarkbbut ya as is we unfortunately have no great answers. Just mediocre options :(20:20
clarkbefoley: you're welcome20:20
efoleyclarkb: I would have thought this was a semi-common occurance, with people switching companies and still working on openstack.20:21
clarkbefoley: it sort of is. You're not the first to run into this. That said I think a lot of people use personal addresses to identify themselves then the work is an attribute against that rather than the identifier20:22
clarkbif you think about it from gerrit's perspective the issue is we're giving gerrit a new idnetifier and expecting it to not make a new account20:22
clarkbthe inability to easily edit things to fix that up after the fact is definitely a gerrit issue20:23
clarkband one that I wish was taken a bit more seriously upstream :/20:23
opendevreviewGhanshyam proposed openstack/project-config master: Use publish-to-pypi-stable-only template for deprecated repo
clarkbI should probably fiel a new bug about the shift of an openid though20:26
clarkbsince that is a subtle behavior that can probably stop as well20:26
efoleyclarkb: It's unfortunate that is isn't taken seriously. We can't think from the perspective of the software that is used in the infra, so one should expect a few mistakes now and then.  If it's difficult to fix mistakes, it can be offputting. Especially if someone's takeaway is that they should have known in advance not to try and change it, or to use a persistent e-mail address.20:29
efoleyclarkb: anyway, I should be taking off, thanks for the help so far.20:30
fungiefoley: gerrit upstream is somewhat blind to these sorts of problems since they don't rely on openid to authenticate (i think they use ldap backended by google's auth service, because of being a google project)20:31
opendevreviewGhanshyam proposed openstack/project-config master: Update deprecated repo description and release job template
clarkbya they force everyone to use a google account and those tend to map 1:1 with humans20:40
clarkbregardless of who your employer is20:40
clarkbfwiw I think it would work to update the ubuntu one side first, then clean up the gerrit side. Doing the other order does not20:40
clarkbinfra-root ok shoudl actually be ready for review now after I fixed the favicon thing20:42
clarkbactually no you need to update the gerrit account to include both sets of email addresses, update the ubuntu one side, then update gerrit to remove the old addresses to do this safely20:48
clarkbneat I'm not able to file issues in the gerrit issue tracker right now20:55
* clarkb gets on their slack20:55
mordredclarkb: you know, corvus has a matrix bridge for that20:59
clarkbmordred: ya, I have a tab for it in my browser that I have to restore after restarts21:00
clarkbmordred: corvus: how does the matrix bridge handle slack threading? I've noticed the gerrit slack isntance users like to make use of threading whcih means that basically 90% of all messages are completely lost to time for me21:04
clarkbdoes matrix/element handle that in a sane way?21:04
mordredit does - it does the message reply interface21:05
clarkbhrm not sure I like that better :P but I'll at least see the messages in that case21:05
mordredlemme find an example21:05
fungiweeslack annotates the message in the main channel which started the thread, and then you can use /thread with the id to open a new buffer for it21:06
fungibut yeah, it's a pain and easy to miss21:06
clarkbfungi: yup the official slack clients aren't much better than weeslack in that regard21:06
* mordred uploaded an image: (604KiB) < >21:06
mordredthere's the current gerrit slack channel in matrix21:06
clarkbthey basically do a little annotation forcing you to take action and the messages remain hidden otherwise. You can also go to "your threads" or something called something like that and it shows you all the threads you've participated in21:06
mordredyeah. threads in slack drive me CRAZY - it's the worst UI ever21:07
mordredwith the matrix bit - I can at least follow and notice when something happened21:07
clarkbya seems like you always get the messages front and center with what matrix does. You lose some context which may be a problem if people expect you to see hundreds of messages, but that is probably fine for gerrit slack since they don't do hundreds of messages in threads21:08
*** dviroel is now known as dviroel|out21:41
clarkbianw: morning!22:07
clarkbI've been digging into the gerrit code and what I think happens is if you delete an email address in the web ui and that is the email address associated with the openid it deletes the openid externalid22:08
clarkbthen when you try to log back in again it creates the openid externalid file again but with a new account id.22:08
clarkbAnyway gerrit slack has given me a workaround for the issue filing problem (i have to use a different template) so I'll try that22:09
clarkbianw: re scrollback tl;dr is that efoley managed to orphan their old account because gerrit moved their old externalid record to a new account22:09
clarkbianw: I've suggested that one way to fix this would be to do a All-Users:refs/meta/external-ids edit during the upgrade process since we will be reindexing then anyway22:09
clarkbianw: I'm happy to help with that and be around (and probably test it on review02 in the next few days) if you think that is reasonable. Otherwise I've suggested that efoley can roll forward with the new account or we can maybe delay another week and do it during the project rename outage22:10
clarkbianw: but wanted to gauge your comfort with that and will totally defer to you if you think that is too risky22:10
clarkbalso I'm almost ready to send out the meeting agenda, if you have anything to add now is a good time :)22:12
ianwi think we can do some edits as part of the update.  worse case roll-back scenario if edits cause problems it seems we re-rsync the data from review0122:12
clarkbianw: resync and probably reindex yup22:12
clarkband I agree that is why I felt you might be ok with it22:12
ianwso is the solution gerrit saying "you can't delete that email"?  22:18
clarkbianw: we can delete the email from the old account and retire/disable it. Then the new account would work as the email conflict would go away22:19
ianwlooks like cffi could produce 35 wheels without too much fuss and put them back ... not that we want to use them for much longer, but gives us some more runway22:19
clarkbBut if we want to restore the old account we have to edit the externalids for efoley's openid in All-Users:refs/meta/external-ids to set the accountId back to the old account and update the email address to match the account22:20
clarkbThis second thing is what we need to do during a gerrit outage followed by reindexing of accounts (and possibly groups)22:20
clarkb is the related issue I've just filed upstream22:21
clarkbianw: let me get the meeting agenda out then I'll put some notes on review02 with actual account numbers and emails and stuff22:21
ianwah, thanks, that bug answers my next question of "how do you update your email" :)22:22
ianwoh, and that also explains why my issue went in under "polygerrit" too22:23
clarkbthey default to polygerrit, but if you chagne it to "bug report" it just doesn't work22:23
clarkbianw: another thing that came to mind today is we should probably send reminders of the server move. Maybe one todayish and one your Fridayish22:25
ianwsure, can send follow-up mail22:25
ianwanother thing i thought is that i should pre-setup a maintenance splash page for review01's apache22:27
fungiianw: i think the bits from when we put one up for the breach cleanup are still there22:29
fungimay just need to flip the switch to redirect to it22:29
fungipretty sure i put it all in our config management22:29
fungitweak the message to suit, obviously22:30
clarkbyup I think that is in config management still22:30
ianw++ will check that out and add to checklist22:30
clarkbianw: review02:~clarkb/efoley-notes.txt for my notes with concrete info22:32
clarkbianw: if you've been testing with a running gerrit on review02 then we should be able to test that on 02 too. Maybe we can run through taht tomorrow?22:33
ianwsure, it hasn't been synced in a while.  i can poke at that today, also sync to the latest gerrit images for good measure22:34
clarkbsounds good22:34
clarkbfar less urgent and maybe worth punting on this week given everything else happening is to upgrade gitea22:34
clarkbIf you find yourself with extra time taking a look at that would be good but I suspect we won't land it until next week anyway22:35
clarkbianw: the other thing we can test is my suspicion on 1477622:37
ianwcool i noticed you had a held node, will poke at it22:37
clarkbI don't want to test that with my account on prod because I like being able to log in :)22:37
clarkbI'm going to go and read more gerrit code now to see if I can narrow that down22:38
clarkbok I think that my suspicion is exactly the problem22:42
clarkbthere is a accountBelongsToRealm() method that gets implemented on realm implementations to filter out externalids that belong to external account authentication22:42
clarkboauth and ldap do this but openid does not appear to22:43
* clarkb updates the bug22:44
clarkbthat explains why upstream doesn't hit this problem at least22:50
ianwthat's some good java readin'23:02
clarkbI think to fix this we can subclass DefaultRealm in a OpenIDRealm that only overrides accountBelongsToRealm() then update java/com/google/gerrit/server/config/ to set the OpenID realm to that OpenIDRealm instaed of DefaultRealm23:06
clarkbwhere it gets weird is there is no openid external id scheme so I guess you have to assume anything that is an http(s):// prefixed external id name is an openid (this is probably fine as other external ids get username:foo) prefixes23:07
clarkbI don't have a gerrit dev env set up, but I guess if I end up with time after server upgrades and upstream hasn't volunteered to fix it I can give it a go23:13
clarkbpublic abstract @Nullable String scheme(); public boolean isScheme(String scheme) { return scheme.equals(scheme()); }23:18
clarkbI suspect I'm about to learn something about java name scoping23:19
clarkbthis.scheme and scheme would be distinct in that function call23:20
clarkbI guess maybe it is smart based on the fact that one is accessed like an object and the other like a function23:21
ianwsure looks like it is calling a string as a function23:26
clarkbianw: that apparently becomes an autogenerated getter function due to @AutoValue annotation on the class23:30
clarkbthe public abstract @Nullable String scheme() definition tells the code generation that you want a getter for the attribute called scheme23:30
clarkband ya I think since you can't treat the passed argument scheme as a method the parser figures it out23:31

Generated by 2.17.2 by Marius Gedminas - find it at!