| mordred | fungi: oh, i think that makes sense. And i THINK we chose that purposefully so that we'd control it for upgrades and stuff. But maybe we should rethink that strategy | 04:01 |
|---|---|---|
| fungi | it wasn't a big deal, just took me a moment to notice it wasn't starting on its own at boot | 04:13 |
| luk4s | Good afternoon | 12:31 |
| luk4s | I have some questions about setting up gerrit account and contributors agreement - is this the right place to discuss this? | 12:32 |
| fungi | luk4s: it's a fine place to discuss things, sure. what are your questions? but also it helps to say which documentation you're following and what project(s) you're preparing to participate in | 12:50 |
| luk4s | fungi, I'm following this documentation https://docs.openstack.org/contributors/common/setup-gerrit.html and the project I want to participate in is openstack/kayobe | 12:52 |
| fungi | great. what issues are you running into with account creation? | 12:53 |
| luk4s | My workplace has singed the CCLA but its not linked to my account - I guess my question is should it be automatically or are there additional steps that I need to complete to make it so? | 12:53 |
| fungi | the open infrastructure foundation's corporate contributor license agreement is legal paperwork between the foundation and employers who want to indicate which of their employees are contributing to projects, but it's not integrated into any of our systems. there is a separate "individual contributor license agreement" which is essentially an agreement between the contributor and the foundation | 12:56 |
| fungi | which *is* integrated into gerrit (our code review platform) and currently necessary to agree to if contributing to openstack projects | 12:56 |
| fungi | it's separate from any agreement your employer has signed | 12:56 |
| luk4s | so I should sign the individual contributor license agreement on top of the one that was signed by my employer? | 12:58 |
| fungi | correct | 12:59 |
| fungi | one is an agreement between your employer and the foundation, the other is an agreement between you and the foundation. the icla is required to push changes for review in some projects (including openstack) | 13:00 |
| fungi | the icla is an assertion that the changes you propose are your own work or that you have permission from the author(s) of that work to propose it for inclusion in the project | 13:01 |
| luk4s | fungi, ah that is where I went wrong - My reading was that its either the Individual or Corporate rather than both. | 13:02 |
| fungi | the individual is required for everyone contributing to those projects, while the corporate is a separate agreement limiting liability for things like patents the employer may hold for certain ideas/technologies | 13:02 |
| luk4s | fungi, many thanks for the explanation - all clear now :) | 13:03 |
| fungi | i get that it's a lot of paperwork, lawyers who the foundation trusts have insisted that this is important to safeguard the liability and sovereignty of the project | 13:04 |
| fungi | though we're working to simplify things and hopefully switch projects like openstack from that icla to something called "developer certificate of origin" (dco) which is more like what the linux kernel developers use | 13:05 |
| fungi | (unfortunately it wouldn't eliminate the ccla, but at least individual contributors would no longer have to agree in advance to an icla and could instead just include specific words in each of their git commit messages) | 13:06 |
| luk4s | Another question if I may, this time related to registration of additional email addresses in the gerrit account - I'm trying to add additional email address to the account, but it complains that the email address is in already use. I do have multiple accounts and are slowly trying to clean up the mess that I have created (already unified my launchpad accounts). Does the error relate to the Ubuntu SSO account, or the gerrit account that the email address is ass | 13:51 |
| luk4s | ociated with? | 13:51 |
| luk4s | I have stupidly used both accounts to log in to gerrit - I can close the Ubuntu SSO account, but I can't see the option to close the gerrit one. | 13:54 |
| fungi | luk4s: sorry, stepped away for a few minutes... our gerrit admins can deactivate an account, which may solve that problem. more generally we have a bunch of duplicate ids on accounts because earlier versions of gerrit particularly failed to enforce e-mail address uniqueness for accounts autocreated through new openid logins, and clarkb is nearing the end of a lengthy effort to clean all those | 14:30 |
| fungi | up | 14:30 |
| fungi | he may have more insight into how to solve that the next time he's around, which might not be until tomorrow | 14:31 |
| fungi | but if you can /msg me the e-mail address associated with an account you want marked inactive i'm happy to try that as a first step | 14:31 |
| Clark[m] | fungi: you have to delete the external ids associated with the unwanted account completely. Settings the account to inactive isn't sufficient but should be done as well | 14:36 |
| fungi | Clark[m]: okay, thanks. i've deactivated the old account luk4s asked for... what's the cleanest way to delete the id? rest api? | 14:37 |
| Clark[m] | Sort of, this gets complicated because if you orphan the preferred email address that becomes a config error too. What I've been doing is running the retirement script which deactivates and deletes the preferred email via a git push to all-users refs/users/xy/abxy | 14:39 |
| Clark[m] | Then you can use the rest api to list the external ids and then delete the external ids with the email address(es) | 14:39 |
| Clark[m] | All of that should be captured in the scripts I've pushed to system-config/tools | 14:40 |
| Clark[m] | Doing it manually might be useful for understanding the various components and not too bad for a single account | 14:40 |
| fungi | Clark[m]: thanks, i'll give it a shot | 14:41 |
| fungi | luk4s: i'm in the middle of some food prep, but as soon as i can get my hands clean i'll work on that part | 14:41 |
| luk4s | fungi, no rush | 14:45 |
| luk4s | and thank you | 14:45 |
| *** lukas is now known as Guest2148 | 14:56 | |
| *** Guest2148 is now known as luk4s | 14:58 | |
| fungi | okay, hands clean, looking at the account retirement scripts now | 15:08 |
| fungi | looks like i'll want to run https://opendev.org/opendev/system-config/src/branch/master/tools/gerrit-account-inconsistencies/retire-user.sh first so that the preferred_email is removed from the account record, and then https://opendev.org/opendev/system-config/src/branch/master/tools/gerrit-account-inconsistencies/remove-user-external-ids.py to remove the external id for that address from the | 15:11 |
| fungi | retired account | 15:11 |
| fungi | cloned the system-config repo into /tmp on the gerrit server | 15:15 |
| Clark[m] | fungi: note that the retire user account should probably be run as your admin user and will talk to the Gerrit git server and not the on disk repo. That ensures verification happens and all that | 15:19 |
| Clark[m] | And you might need to tweak the heredoc'd commit message | 15:19 |
| fungi | mmm, yeah i guess i need to set up account credentials to be able to push from the gerrit server? or is the idea that i would clone the all-users repo to my workstation? | 15:20 |
| fungi | i guess i can clone that as my admin user | 15:22 |
| Clark[m] | Ya workstation is how I've done it | 15:25 |
| fungi | cool, i just cloned all-users from gerrit to my workstation via ssh as my admin account, and tweaked the commit message in my checkout of the retire script, just trying to identify the account id number to retire now | 15:29 |
| fungi | ugh, once an account has been set inactive, you can't look it up from the rest api any longer | 15:34 |
| fungi | is there a faster way to find it than by brute-forcing all the id refs? | 15:36 |
| fungi | i need to step away for a few minutes, but will resume work on this shortly | 15:36 |
| Clark[m] | You can still lookup the account but need to be admin level privs | 15:48 |
| Clark[m] | Also don't forget the /a/ prefix | 15:48 |
| fungi | ahh, okay, so can do it through the rest api authenticated | 16:32 |
| fungi | Clark[m]: are you sure you can lookup an account via the /a/accounts/somebody@example.com if the associated account is set inactive? doesn't seem to be working for me (i can look up active accounts that way, but not inactive, even after elevating my account to administrators) | 16:36 |
| fungi | "In all cases except a bare account ID and self/me, inactive accounts are not considered. Inactive accounts should only be referenced by bare ID." https://review.opendev.org/Documentation/rest-api-accounts.html#account-id | 16:39 |
| fungi | seems like it's not expected to work, leaving me with a catch-22 | 16:39 |
| fungi | i'll start working on a brute-force search loop | 16:39 |
| Clark[m] | You have to use the account I'd number | 16:46 |
| Clark[m] | That is what the docs are saying | 16:46 |
| Clark[m] | I'm not sure how effective a brute force would be. You should have the account I'd as that is what you pushed to to deactivate the account? | 16:47 |
| Clark[m] | fungi ^ | 16:51 |
| fungi | i deactivated the account by e-mail address | 16:56 |
| Clark[m] | Oh | 16:57 |
| fungi | yeah, short-sighted on my part, i forgot the new gerrit version no longer let you look up inactive accounts any other way (also i was used to looking them up by sql query as a fallback) | 16:57 |
| fungi | i'm doing a brute force by id number now with git and unfortunately it takes several seconds per iteration (mostly due to the git fetch) | 16:57 |
| Clark[m] | So I guess you need to find the account id then you can remove the preferred email and external ids? | 16:58 |
| fungi | maybe brute-forcing rest api calls would be faster | 16:58 |
| fungi | also trying to cook lunch so slightly distracted as far as writing the script is concerned, but getting there | 16:58 |
| Clark[m] | One hack is to git grep the email address in the externid ids ref | 16:59 |
| Clark[m] | Checking that out is a bit slow since it has all the things in it. I think there may already be a checkout of it in ~gerrit2/tmp | 17:00 |
| Clark[m] | But just got grep foo@example.org with that checked out then look in the files to get the related account ids | 17:00 |
| fungi | oh, that's not a terrible idea. i forgot the addresses will be listed in there too and it's a flat tree rather than separate git refs | 17:01 |
| Clark[m] | I would double check any results you get back from that hack though since it's a separate data store | 17:04 |
| Clark[m] | Basically query the account state and make sure it is deactivated | 17:05 |
| fungi | yeah, but it's a place to start, and avoids me hammering either gerrit's ssh/git or rest api interfaces | 17:05 |
| fungi | can't find the existing checkout, what's the refname for that again? i can also go hunting in the gerrit docs but i remember it was buried | 17:09 |
| fungi | we don't seem to use it in the audit/cleanup scripts, already looked | 17:09 |
| Clark[m] | Is there nothing in ~gerrit2/tmp? | 17:10 |
| Clark[m] | In an All-Users repo? | 17:10 |
| Clark[m] | I'm grabbing my keys so I can look | 17:11 |
| fungi | there's an empty clarkb directory, also an ianw directory i didn't look in | 17:11 |
| fungi | maybe you're thinking of the old server? i can check there | 17:11 |
| Clark[m] | No it was the new server may be in ianws dir | 17:11 |
| Clark[m] | It was used to correct the two broken accounts when we moved servers | 17:11 |
| fungi | oh, it was in ianw | 17:11 |
| fungi | yep | 17:11 |
| fungi | thanks, git grep is underway | 17:13 |
| clarkb | fungi: if you don't see the account it will be newer than the server move | 17:14 |
| clarkb | fungi: did the grep show it? | 17:15 |
| fungi | it turned up | 17:20 |
| clarkb | ok cool so we don't need a newer checkout | 17:20 |
| fungi | though interestingly when i query the rest api (as an admin) for that id it returns a 404 | 17:23 |
| clarkb | how are you querying it? | 17:24 |
| clarkb | GET /a/accounts/abxy/detail ? | 17:25 |
| fungi | aha, accounts, sorry, not the bare account endpoint | 17:25 |
| fungi | and yeah, it comes up now | 17:25 |
| clarkb | I don't think there is a bare account endpoint | 17:25 |
| clarkb | fungi: the three things I tend to look at are /detail /emails and /external.ids | 17:25 |
| clarkb | in this case I think you want /detail to confirm this is the disabled account. Then also /external.ids to see what external ids may need cleanup in addition to the preferred email removal | 17:26 |
| fungi | and i was able to set that account back to --active to it seems to be fine and i should be able to fully retire it | 17:26 |
| fungi | yeah, it's the right one (there are no duplicate accounts for this address) | 17:27 |
| clarkb | cool | 17:27 |
| clarkb | separately there is complaint that ios devices can't load review anymore on the openstack mailing list. I've asked for more info and double checked it works in firefox and chrome on my desktop as well as chrome on my android device | 17:27 |
| fungi | on push i get "prohibited by Gerrit: not permitted: update" | 17:30 |
| fungi | that's with my admin account | 17:30 |
| fungi | nicely vague | 17:30 |
| clarkb | you need to be a bootstrapper too | 17:31 |
| clarkb | to do the push | 17:31 |
| clarkb | I always forget that then get the error then remember | 17:32 |
| clarkb | fungi: I'm going to transition to yard work now. I'll try to keep an eye on this | 17:36 |
| clarkb | Its good someone else is poking at the user management stuff though :) its definitely "fun" but good to have the experience and know how | 17:36 |
| fungi | yep, for sure. thanks! | 17:40 |
| fungi | and yeah, project bootstrappers membership solved that | 17:42 |
| fungi | so the retirement script is run, now i just have to do the external-id removal script | 17:43 |
| fungi | the external-id for that e-mail address has been removed from the old account now too. luk4s: please try to add it to your new account again when you have tie | 18:31 |
| fungi | when you have time, i mean | 18:31 |
| fungi | no tie required in this channel, we're all very casually dressed | 18:32 |
| luk4s | fungi will do :) | 18:45 |
| luk4s | fungi, clarkb many thanks for your help | 18:48 |
| fungi | apparently microsoft is refusing delivery for messages from the gerrit server too. i'm taking a look to see what we can do to get it allowed | 18:56 |
| opendevreview | Merged openstack/project-config master: tripleo-common-tempest-plugin - Step 4: Remove Project https://review.opendev.org/c/openstack/project-config/+/800157 | 19:11 |
| fungi | "The IP address you submitted 199.204.45.33 was successfully delisted. This may take up to 30 minutes to take effect." | 19:16 |
| fungi | #status log Delisted the new Gerrit server's IPv4 address from Microsoft's E-mail service spam filter | 19:17 |
| opendevstatus | fungi: finished logging | 19:17 |
| luk4s | fungi, I do a test in 30 mins | 19:17 |
| fungi | luk4s: great, i should still be around for a while after that too | 19:18 |
| fungi | luk4s: "Queued mail for delivery" this time according to the mta log on the gerrit server | 19:55 |
| luk4s | fungi, I can confirm that notifications are working for me now | 19:55 |
| fungi | awesome, thanks for working through this with us! | 19:56 |
| luk4s | no, thank you fungi :) | 19:57 |
| fungi | any time, it's my pleasure | 19:57 |
| ianw | fungi: on your prior comment on gerrit container not coming up but mariadb did, i proposed https://review.opendev.org/c/opendev/system-config/+/801667 after i accidentally restarted them | 22:47 |
| fungi | ahh, thanks! | 23:38 |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!