Tuesday, 2022-01-25

johnsomclarkb Yep. So, along that line.... openstackdocstheme , grep -r comes up empty00:00
ianwclarkb: lgtm; i think just approve them since you investigated 00:01
ianwi think i may have noticed the effects of that, but never dug into it, thanks00:01
clarkbianw: can do, I'll +A and monitor tomorrow then00:02
clarkbjohnsom: if you look in project-config/gerrit/projects.yaml it shows which acl file is used for every project (by default the file has the same name of the project if not specified)00:03
clarkbjohnsom: looks like that repo uses acls/openstack/oslo-independent.config00:03
johnsomAh, got it. I guess I am super rusty with working in project-config. lol Thanks!00:04
clarkbno problem. It isn't really self documented00:04
ianwhttps://review.opendev.org/c/opendev/grafyaml/+/825990 is a boring one but needed to run against the latest grafanas it seems.  pairs with https://review.opendev.org/c/opendev/system-config/+/825410 which proposes just using the latest tag for grafana, so we break on things like this early instead of having them sit latent 00:06
clarkbianw: ok. Does that take into account that the db is apparently ephemeral and if we update the containers we'll need to regenerate dashboard? I avoided rebooting grafana on friday for this reason00:07
clarkbI wasn't sure how to force it to regenerate afterwards00:07
clarkbI guess we probably have a service grafana job that can be manually triggered00:07
ianwyes i feel like we trigger updates when db's change or we restart the container00:08
ianwyeah it's in the deploy pipeline of project-config00:09
clarkbgot it, so worst case land a nop change to the grafyaml files00:09
ianwyeah, or run the playbook by hand i guess00:10
ianwi'm not sure the db being ephemeral is a bug or a feature00:11
clarkbif we load it back in again on a restart that is fine00:11
clarkbMy biggest concern is not being able to drop the container safely00:12
clarkband that would only be a problem if we need to do some crazy intervention afterwards I guess00:12
ianwwe should perhaps just have a script on disk in /usr/local/bin/ to quickly reload the dashboards00:12
clarkbthat would work too00:13
ianwok, on the todo list.  also need to update the documentation to account for not having grafyaml in the container as well00:13
opendevreviewMerged opendev/system-config master: Upgrade Gerrit to 3.4  https://review.opendev.org/c/opendev/system-config/+/82614800:15
opendevreviewMerged opendev/system-config master: Add docs for restoring an etherpad  https://review.opendev.org/c/opendev/system-config/+/82601700:15
clarkbI've made some updated to the meeting agenda. Is there anything else to add?00:18
clarkbif so please get it on there in the next little bit before I send it out00:18
clarkbhttps://opendev.org/opendev/system-config/commits/branch/master replication is still looking good00:19
clarkbok agenda sent00:44
clarkbthe job to set 3.4 in the docker compose file seems to have nooped that file as expected00:45
ianwyep agree lgtm01:17
opendevreviewIan Wienand proposed opendev/system-config master: grafana: update docs and make an import script  https://review.opendev.org/c/opendev/system-config/+/82624103:19
opendevreviewIan Wienand proposed openstack/diskimage-builder master: yum-minimal: don't strip -* from releasever  https://review.opendev.org/c/openstack/diskimage-builder/+/82624404:51
opendevreviewIan Wienand proposed openstack/diskimage-builder master: Add debian-bullseye-arm64 build test  https://review.opendev.org/c/openstack/diskimage-builder/+/82165204:54
opendevreviewIan Wienand proposed openstack/diskimage-builder master: debian-minimal: remove old testing targets  https://review.opendev.org/c/openstack/diskimage-builder/+/82165404:54
*** ysandeep|out is now known as ysandeep05:41
*** amoralej|off is now known as amoralej08:04
*** jpena|off is now known as jpena08:35
*** ysandeep is now known as ysandeep|lunch09:27
*** ysandeep|lunch is now known as ysandeep10:28
*** rlandy|out is now known as rlandy|ruck11:14
*** dviroel|out is now known as dviroel11:20
*** sshnaidm|afk is now known as sshnaidm12:28
*** ysandeep is now known as ysandeep|mtg12:59
gthiemongeHey Folks, with the latest gerrit update, I can no longer use the "is:mergeable" search term, it fails with an error (400 Bad Request). It also seems that changes in "Merge Conflict" are no longer flagged when they are in a list view.13:11
*** mrunge_ is now known as mrunge13:11
*** amoralej is now known as amoralej|lunch13:31
Clark[m]gthiemonge: that is a known change https://www.gerritcodereview.com/3.4.html#ismergeable-predicate-is-disabled-per-default13:54
gthiemongeClark[m]: Ok, I can leave without is:mergeable, but the missing "merge conflict" status in a list is more annoying :-(13:59
Clark[m]They are essentially the same thing.14:00
Clark[m]Well from the Gerrit cost perspective as they are both calculated by the same process14:01
Clark[m]Th good news is zuul reports merge failures so we don't completely lose this info. However, zuul doesn't constantly recalculate it (which is where a lot of the cost is)14:01
*** amoralej|lunch is now known as amoralej14:02
opendevreviewMerged openstack/project-config master: Use same ACL for all OpenStack-Ansible Projects  https://review.opendev.org/c/openstack/project-config/+/82423014:06
opendevreviewMerged openstack/project-config master: Add Backport-Candidate label to openstack-ansible ACL  https://review.opendev.org/c/openstack/project-config/+/82422914:06
Clark[m]fungi: I won't be able to look for a bit yet but the releases change in behavior may be related to the MINA update between 3.3 and 3.4. This update doesn't get us far enough ahead to fix the ssh-rsa sha1 issue but they did move MINA ahead a bit.14:11
*** ysandeep|mtg is now known as ysandeep14:17
fungiClark[m]: yeah, looking deeper, i think that may have been a benign warning and the error is something to do with tag pushing permissions14:19
opendevreviewJeremy Stanley proposed openstack/project-config master: Update Gerrit IP addresses in SSH key secrets  https://review.opendev.org/c/openstack/project-config/+/82629414:25
fungielodilles: did something change about how tags are being created? this doesn't look like it's making a signed tag: https://zuul.opendev.org/t/openstack/build/a490703c83514eb7ba9d0ff6307f7371/log/job-output.txt#62614:27
fungioh, nevermind, there's multiple lines14:27
fungithe final line has the -s14:27
Clark[m]fungi: maybe check the Gerrit side logs if you haven't already?14:36
fungiyeah, i'm about to14:36
fungiit doesn't log any errors in the sshd_log14:42
funginothing related in error_log14:43
Clark[m]What about the error_log?14:43
Clark[m]Ah ok14:43
Clark[m]I wonder if trying it manually will produce stdout that is helpful like when we push changes and it gives you the change link or an error saying you can't push an identical patchset14:44
fungii'm pondering whether it's time to tag one of our own repos14:47
Clark[m]Or sandbox14:48
fungiwell, if git-review or bindep or similar are due for a release anyway, it would provide a direct means of troubleshooting14:49
fungiwe can also of course add a testinfra test where we push a tag, though there will be a bit of key generation to worry about14:49
Clark[m]I think bindep has a couple changes that would be ok to tag14:50
fungiyeah, looking14:50
fungiand trying to get settled in to listen to the board meeting in 10 minutes14:50
Clark[m]Ya that is why I'm up early today14:51
fungithe only non-test-related bindep change to land since 2.10.1 is a fix to support a missing newline on the last line of an input file14:53
fungiso i'll make it 2.10.214:54
clarkbfungi: once we have a bit more info from ^ I can send email to the gerrit mailing list with what we have found if it indicates a regression.14:55
fungiremote: You need 'Create Tag' rights to push a normal tag.14:58
fungi ! [remote rejected] 2.10.2 -> 2.10.2 (prohibited by Gerrit: not permitted: create tag)14:58
fungiso yes, i can replicate this14:59
clarkbfungi: and your tag was signed? I can send email about that in a bit. But in the meantime I guess we add that permission to the openstack meta perms and notify others?14:59
clarkb(and they can update perms as they go?)14:59
fungiright, pgp-signed tag14:59
fungigit tag -s14:59
clarkbfungi: or maybe we update bindep first and confirm that fixes it for signed tags14:59
clarkband if that works update openstack meta config14:59
clarkbsounds like a plan, thank you for looking at this15:00
fungiworking on it once i get the board meeting up15:00
*** sshnaidm is now known as sshnaidm|afk15:01
opendevreviewJames E. Blair proposed zuul/zuul-jobs master: Add upload-logs-ibm role  https://review.opendev.org/c/zuul/zuul-jobs/+/82615815:03
opendevreviewJeremy Stanley proposed openstack/project-config master: Grant Create Annotated Tag perms on bindep  https://review.opendev.org/c/openstack/project-config/+/82630515:10
fungiclarkb: ^15:10
clarkbfungi: side note looks like pushSignedTag and pushTag are legacy values that are translated to createTag and createSignedTag15:12
clarkbwe can sort that out later. I'll approve ^15:12
fungioh neat, i wonder if that's related15:12
clarkbI dno't think so looking at the code, but it is possible I suppose15:13
clarkbfungi: I guess if you want we could change to createSignedTag first15:13
clarkbmaybe that is a better thing to check first15:13
clarkbI'll remove my +A15:13
fungiyeah, i'll give that a shot, thanks15:13
opendevreviewJeremy Stanley proposed openstack/project-config master: Update bindep ACL to use new createSignedTag perm  https://review.opendev.org/c/openstack/project-config/+/82630915:17
fungiclarkb: i pushed it as a separate change and will wip the old one for now15:18
clarkbsounds good15:18
fungiif that one works, i'll just update all the acls and our docs asap15:20
clarkband I can send email to the gerrit list asking about it. That wasn't in the breaking changes list :)15:20
*** ysandeep is now known as ysandeep|out15:23
clarkbI asked quickly on their slack in case anyone recognizes this and can provide advice15:26
clarkbfungi: you may also want to fetch refs/meta/config for bindep as admin after that update applies to be extra sure it updated as we expect15:29
fungii plan to make sure it actually applies15:30
fungii went ahead and fetched it now for a baseline, and it's still pushSignedTag, so it's not being silently translated by gerrit on push i don't think15:33
clarkbfungi: ya looking at the code any translation that may be happening seems to happen internally. And I'm wondering if they stopped doing that somewhere15:33
opendevreviewMerged openstack/project-config master: Update Gerrit IP addresses in SSH key secrets  https://review.opendev.org/c/openstack/project-config/+/82629415:34
*** dviroel is now known as dviroel|lunch15:37
clarkbI think merging ^ caused a reconfiguration slowing us down :)15:39
opendevreviewMerged openstack/project-config master: Update bindep ACL to use new createSignedTag perm  https://review.opendev.org/c/openstack/project-config/+/82630915:39
yoctozeptohi! long time no see; would it be possible to add this button to opendev's gerrit? https://gerrit-review.googlesource.com/Documentation/images/user-review-ui-change-screen-quick-approve.png15:42
yoctozepto(cc priteau)15:43
clarkbyoctozepto: I think it is already there. Sort of15:43
clarkbI get a workflow+1 button15:44
yoctozeptoclarkb: only W+115:44
clarkbya I suspect it is related to what is necessary to make things submittable15:44
clarkbso gerrit is being "smart" and saying the last vote needed is W+1 and shows you that button15:44
yoctozeptomakes sense15:44
clarkbon upstream gerrit they only have CR+215:44
clarkbso they are equivalent behaviors due to gerrit's smartness15:44
yoctozeptook, I get it, thanks15:45
priteauI see, thanks15:46
clarkbyoctozepto: I think you can test this by adding a W+1 and not a CR+215:46
clarkbthen see if CR+2 shows up15:46
yoctozeptoclarkb: yeah, I have independently thought about that and it shows CR+2 indeed15:46
yoctozeptoit somehow cannot show both :D15:47
clarkbya its a short cut for showing you specifically what is necessary to submit15:47
clarkbso it only shows up when all other votes are done15:47
fungiV+2 is also required though, right?15:48
clarkbfungi: gerrit knows Verified is special15:48
fungi(and only zuul has permission to add that)15:48
clarkbbut yes15:48
clarkbfungi: the deploy job completed. Checking if zuul says it was a success15:48
clarkbyup was a success according to zuul. I think you can refetch the acl now and check it15:49
clarkb(I don't have keys in place yet)15:49
fungirefs/meta/config has createSignedTag = group bindep-release now15:49
fungiand yeah, i saw the e-mail from gerrit about the successful deploy so was already pulling that15:50
fungi"remote: You need 'Create Tag' rights to push a normal tag."15:52
fungiwell, it was worth a try. updating the other workaorund now15:52
*** sshnaidm|afk is now known as sshnaidm15:55
opendevreviewJeremy Stanley proposed openstack/project-config master: Grant Create Annotated Tag perms on bindep  https://review.opendev.org/c/openstack/project-config/+/82630515:56
clarkbcan you remove the WIP on that? I'll apprive it15:56
fungioh, yep. i want to make one update to it anyway15:57
opendevreviewJeremy Stanley proposed openstack/project-config master: Grant Create Annotated Tag perms on bindep  https://review.opendev.org/c/openstack/project-config/+/82630515:57
clarkbah yup removing the pushTag option15:58
fungiit's readied now15:58
clarkbShould we send a note to service-announce so that more than openstack is aware of this?16:00
clarkbI can do that if you think that is worthwhile.16:00
fungionce we see if this works, yes i was planning to16:01
clarkbah ok sounds good16:01
fungianother thought, has gerrit possibly added a feature for tracking signing keys (for authorizing pushing signed commits as well as tags)?16:01
fungimaybe if it doesn't recognize the key that made the signature as authorized it falls back to treating it as unsigned?16:01
clarkbthey do have features for maintaining a keychain to show if signed objects are verified but pretty sure none of that impacts your ability to push16:01
clarkbjust whether or not it is validated by the keychain after16:02
clarkbwe set enableSignedPush explicitly to false16:03
clarkbit really shouldn't be that. If it is that then this is a pretty big gerrit bug16:04
fungiwe can certainly test that next16:05
fungialso why are we setting enableSignedPush to false? that seems like something we wouldn't want to reject16:05
fungioh, also signed pushes != signed commits16:05
clarkbfungi: because of this problem that you describe16:05
clarkbenabled signed pushes means every signed object needs to be validated by the gerrit keychain16:05
fungioh, got it16:06
clarkbits a validation thing. You can still push signed with it set to false16:06
fungiwell, presumably that the push operations need to be signed, not the git objects16:06
fungisigning push operations is separate from signing commits (you can do either or both)16:06
clarkbwell hwoever git does it. If you set that to true gerrit will validate against its keychain in all-users16:06
clarkbwe don't want that16:06
fungii think we do allow signed commits to be pushed16:07
fungibut i guess by unsigned push operations16:07
clarkbyes people like mtreinish have pushed signed commits for a long time iirc16:08
fungithe reason signed push was added to git was that just because a commit is signed, that doesn't mean pushing it to the remote was authorized by the signer16:08
clarkblooking at the code I don't think it is a key validation problem.16:08
clarkbThere is a case statement with createSignedTag handled first then createTag16:09
clarkbI suspect a regression where it doesn't see it as a signed tag for whatever reason so falls into the regular tag perm checking16:09
fungias do i16:09
fungiand most people just allow both so haven't noticed16:09
fungiand wmf hasn't upgraded to 3.4 yet16:10
clarkbhttps://gerrit.googlesource.com/gerrit/+/refs/heads/stable-3.4/java/com/google/gerrit/server/permissions/RefControl.java#547 is what we're hitting and not the block above16:13
fungiand that changed since 3.3? or how it's being called into changhed?16:15
clarkbthe check method doesn't seem different. I expect a delta in the caller somewhere16:15
clarkb826305 doesn't seem to eb gating despite getting a +1?16:20
clarkbmaybe I need to be more patient with zuul16:21
funginote that the status page displays per-pipeline event/result queues now16:23
fungiseparate from the general queues16:23
clarkbhttps://gerrit.googlesource.com/gerrit/+/refs/heads/stable-3.3/java/com/google/gerrit/server/project/CreateRefControl.java#105 and https://gerrit.googlesource.com/gerrit/+/refs/heads/stable-3.4/java/com/google/gerrit/server/project/CreateRefControl.java#105 are the same16:23
clarkbbut maybe getFullMessage() isn't returnign the same data now?16:24
fungiit's gating now16:25
clarkblooking at that code I half expect your fix to work since we're falling through and failing the check. We're just failing the wrong unexpected check. Explicitly setting that check to pass as your change should do should hopefully make it work. Then we can send mail to the gerrit mailing list and take it from there16:27
fungiassuming it works, should we push a temporary mass acl update?16:30
clarkbI guess?16:31
clarkbI dunno16:31
fungiif so, i'll get it underway before sending to the announce list16:31
clarkbThe concern would be that people could push insigned commits. I guess I'm ok with that16:32
clarkbwe can warn them to be sure they continue to sign as the platform won't prevent them from forgetting to16:32
fungiright, i'd basically plan to revert it asap16:33
opendevreviewMerged openstack/project-config master: Grant Create Annotated Tag perms on bindep  https://review.opendev.org/c/openstack/project-config/+/82630516:33
clarkbI think I found it16:36
clarkblet me see if I can get a link to the commit in jgit16:36
*** dviroel|lunch is now known as dviroel16:38
clarkbthe tests in there pretty clearly show the signature isn't in the results of getFullMessage() anymore16:39
clarkbI'm trying to figure out which version of jgit is used now16:39
clarkbya that commit is in the 3.4 jgit submodule checkout and not in 3.3's16:40
clarkbnow I'm basically 99.9% sure :)16:40
clarkbI might even be able to fix this if I can figure out how to get the signature from jgit16:41
fungiyou have to get the full message16:41
fungiit's literally embedded in the end of the tag message16:41
fungithe annotation16:41
clarkbfungi: ya but jgit getFullMessage() doesn't include it16:41
clarkbthats what the commit I linked above does16:41
clarkbanyway I think we can temporarily add the extra permission then work to fix this upstream in gerrit since I'm prety sure I identified the issue now16:42
clarkbya I see hwo to do it16:44
*** marios is now known as marios|out16:50
clarkbfungi: looks like deploy for bindep is done I guess you can test that now?16:53
corvusclarkb: fungi any outstanding zuul questions from yesterday?  sorry i'm declaring backscroll bankruptcy...16:53
clarkbcorvus: nope. Only issue is a gerrit issue which we think we just ran down16:54
clarkbI'm working on an issue and a fix for upstream16:54
clarkband fungi is testing a workaround 16:54
clarkbcorvus: there is an impact to zuul though. Until we know the workaround works and apply it to zuul you won't be able to push zuul tags16:54
corvusyeah, was just reading back; makes sense16:55
fungicreateTag = group bindep-release is now definitely in there from gerrit's perspective, so testing again16:56
fungi * [new tag]         2.10.2 -> 2.10.216:56
fungithat seems to have solved it16:56
fungiso next question, do we push this workaround to everyone's acls and plan to revert it once we can update to a fixed gerrit?16:57
clarkbI'll get the issue filed momentarily. push the fix upstream, then we can also do a local patch with our ci builds and test there16:57
corvustldr workaround is allow pushing unsigned tags because signed tags appear to be unsigned, and tell ppl to be real careful?16:57
clarkbcorvus: yes16:57
fungicorvus: precisely16:57
clarkbfungi: I think we can16:57
clarkbsince I'd prefer we not deploy a forked gerrit. I'm ok with using local patched gerrit to test thigns but best to not fork imo16:57
fungii'll start putting together the bulk change in that case. we should take this opportunity to also switch to the non-deprecated tag pushing access names16:58
corvusfwiw, no current plans for zuul releases this week; but yes next week.16:58
fungii know starlingx is on the eve of a major release as well16:58
clarkbhttps://bugs.chromium.org/p/gerrit/issues/detail?id=15616 issue filed16:58
clarkbworking on a aptch for upstream next. Then will also push a change to test our thing locally16:59
fungii'm putting together the sed syntax this requires. will need backrefs16:59
clarkbthe new bindep made it to pypi a couple minutes ago17:07
clarkbI'm going to find some breakfast now and will get our local build for testing pushed up afterwards17:08
opendevreviewJeremy Stanley proposed openstack/project-config master: Work around signed tag regression from Gerrit 3.4  https://review.opendev.org/c/openstack/project-config/+/82633417:15
opendevreviewJeremy Stanley proposed openstack/project-config master: Remove unsigned tagging permission from projects  https://review.opendev.org/c/openstack/project-config/+/82633517:15
fungiclarkb: corvus: ^17:16
fungii'll wip 826335 but it's there so we don't forget to unwind this at the earliest opportunity17:16
clarkbhrm I wonder if our job will timeout trying to apply all those updates17:16
clarkbdo we want to find out the hard way or update in blocks?17:16
clarkbalso shouldn't openstack configs not include it at all?17:17
fungimanage-projects is idempotent, so if applying fails we can just rerun manually17:17
fungiclarkb: not all openstack namespace repos are released by the release team17:17
fungiif you look at which acls are updating in that namespace, you'll see it's mainly repos managed by sigs17:19
fungii'll start working on an announcement next17:20
fungibut need to grab a cup of tea and switch computers now that the board meeting has wrapped17:20
clarkbI've reviewed the first 10% of the change and it looks good so far. But I really need to eat so will come back to this17:20
clarkbya same here was early morning and i need to go take some feel human steps :)17:20
opendevreviewClark Boylan proposed opendev/system-config master: DNM Testing fix for pushing signed gerrit tags  https://review.opendev.org/c/opendev/system-config/+/82634117:34
*** jpena is now known as jpena|off17:34
fungiclarkb: frickler: corvus: proposed announcement is here: https://etherpad.opendev.org/p/qIWue_aVGRXzGEaZCxkD17:35
fungifeel free to edit17:35
clarkbfungi: I made a couple of changes17:36
clarkbfeel free to revert them. I think the message loosk good17:36
fungilooks like the bulk acl edit needs some fixups for alpha reordering in acls which had additional stuff in the same blocks17:37
fricklerI'm fine with the announcement text, too, I'd just suggest to also send it to openstack-discuss17:40
fungii was planning to separately follow up to openstack-discuss on the ongoing thread we've been using there17:41
fungias well as alert the denizens of #openstack-release17:42
fricklerah, that's fine, too. /me didn't check mails for two hours. also great that you could work this all out already17:42
opendevreviewJeremy Stanley proposed openstack/project-config master: Work around signed tag regression from Gerrit 3.4  https://review.opendev.org/c/openstack/project-config/+/82633417:43
opendevreviewJeremy Stanley proposed openstack/project-config master: Remove unsigned tagging permission from projects  https://review.opendev.org/c/openstack/project-config/+/82633517:43
fungithose should hopefully pass our normalization checks this time17:43
clarkbI've got an autohold in plce for the system-config-run-review3.4 job that 826341 has triggered. We should be able to locally push a signed git tag there confirming the fix17:44
clarkbMight take some time as we'll have to update the acls and create a gpg key. Maybe I should've tried to do more of this directly in the CI system. Too many things today though17:44
*** amoralej is now known as amoralej|off17:44
fungibtw, if ever there was a time i appreciated our forced normalization for acl files, it's now. rather than being a total mess, these bulk updates were barely more than a simple sed -i17:44
fungii'll work on the documentation updates for the new createSignedTag syntax while i'm waiting for those to gate17:47
clarkbfungi: I'm super deep into the first change but does the revert keep the new create directives over push?17:58
clarkbI assume so since it says remove unsiged tag permission not revert17:58
clarkbI've gotten through to the first x/ repo and no issues jump out at me. I'll keep reviewing18:03
fungiyeah, the revert isn't a git revert, just a sed -i to remove the createTag lines18:04
fungiand go back to disallowing them in our linter18:04
fungilooks like they're passing tests now18:09
fungionce we confirm successful deployment and/or manually run manage-projects, i'll send the announcement18:09
clarkbI've +2'd the first change after looking at all the files (quickly but I opened them and tried to check the group stayed the same and the new directitves were the ones we want)18:13
clarkbnot sure if frickler intends on reviewing but we can probably approve now?18:13
clarkbcorvus: ^ you might be interested since zuul is affected too18:13
mtreinishfungi, clarkb: yeah I've been pushing signed commits for a long time.18:19
fungithanks for confirming!18:19
mtreinishfor example: https://opendev.org/opendev/subunit2sql/commit/35793871f3c7ac21f078218f86f9a5f89c4fa56f18:20
fungiyeah, we've observed it does interesting things to the gitea webui18:20
corvusfungi: clarkb both lgtm18:21
fungispecifically the "No known key found for this signature in database" message displayed under the committer there18:21
funginice that it does display the gpg key id though18:21
fungiso someone can check it themselves18:21
mtreinishyeah, I just assumed that was because gitea had it's own key database and I hadn't submitted to it. But I think we talked about that a while ago and it was for something else18:21
mtreinishon github it behaves a bit differently. You upload your own public key and then it puts a little 'verified' tag on commits. Like: https://github.com/mtreinish/stestr/commit/4c219d02fd857a8a1645940d5a792d1e9a5224bf18:23
mtreinishand if you haven't uploaded your pubkey it says 'unverified'18:23
fungii think current gitea basically does the same, but yeah because our gitea doesn't have accounts it's not possible to map those18:24
clarkb158.69.73.149 should be our held gerrit with my patch applied18:40
clarkbWill work on testing with that after meetings and lunch18:40
fungii theory, pushing a tag is something we could add to our testinfra too18:53
clarkbyup and I think we should18:53
clarkbbut I looked at the code for it and tehre is a bit that would need to happen. I think quicker for now to confirm it works, then work on adding that after18:53
clarkbUnless you think I should just go ahead and start iteratign on it with CI?18:54
funginah, testing a held node for now is a good quick check that we're on teh right track18:54
fungii have a feeling most of the work on the testinfra would be key generation18:54
clarkbThe rtt for those jobs is a bit long so working through it first should hopefully limit the number of cycles too18:55
opendevreviewJeremy Stanley proposed opendev/infra-manual master: Update recommended ACL for createSignedTag keyword  https://review.opendev.org/c/opendev/infra-manual/+/82635818:57
opendevreviewMerged openstack/project-config master: Work around signed tag regression from Gerrit 3.4  https://review.opendev.org/c/openstack/project-config/+/82633418:58
clarkbany idea why zuul didn't gate https://review.opendev.org/c/opendev/system-config/+/826156 ?18:59
clarkboh I bet it reported back when gerrit was down because i pushed that before the downtime19:00
fungii'll keep tabs on the 826334 deployment19:00
clarkbya that makes sense19:00
clarkbfungi: thanks. I need to go run the meeting now19:00
fungiBuild succeeded (deploy pipeline).19:24
fungii'll do some spot-checks from near the end of the list19:24
fungiyeah, projects like zuul/zuul have it now19:26
fungiso i'll send out the announcement19:27
fungiokay, announcement is out19:39
clarkbEmail sent to repo discuss19:46
clarkbfungi: any idea why git tag -s woudl fail on the test machine after I did a gpg --full-generate-key and made a dummy test key?19:55
clarkbthere is a gpg agent running too19:55
clarkboh I think maybe it is looking for a key for a specific name and email19:58
clarkband I didn't generate my key that way19:58
clarkbI need to eat lunch and will look into this after19:58
fungiyeah, see git-tag(1) manpage: "By default, git tag in sign-with-default mode (-s) will use your committer identity (of the form Your Name <your@email.address>) to find a key."20:02
fungithere are cli and config options to work around that, whatever's most convenient for you20:02
clarkbI found GIT_TRACE=1 which gives me the output of the gpg command. Previously it was failing beacuse the identity was wrong. I set -u on git tag to the key id and I still get the git tag failure. Running the gpg command output when setting -u doesn't error though20:16
clarkbit just waits for data I think20:16
clarkbI expected a prompt to give my passphrase though and I'm not getting that20:17
clarkblet me try killing the gpg-agent20:17
clarkbya I'm completely lost I have no idea what is going on now. I overrode the gpg-agent pinentry program to the curses one because I'm not getting prompted at all for a passphrase20:27
clarkbBut that doesn't help anything20:27
clarkbfungi: any cahnce you can take a look? and /root/test-tagging/test-project is where I'm trying to tag a commit (the initial one that has .gitreview in it)20:30
clarkbOnce tagged my plan was to push it to gerrit with the acls removed to see gerrit say I need the createSignedTag acl and then add acl back in and have it succeed hopefully. But I can't figure out tagging at all20:30
fungiclarkb: i do this: env DISPLAY="" GPG_TTY=$(tty) git tag -s ...20:33
clarkbwow that worked. Why is this so impossible to work out of the box20:34
fungignupg wants desperately to not trust your terminal unless it has no other choice20:34
clarkbI mean it seems to have completely failed here20:35
fungiyeah, it may have thought it was x-hosting pinentry-gtk2 to your desktop or something20:35
fungiabsurd, i know20:35
clarkbok after removing all the config to allow tag pushing I get  ! [remote rejected] 0.0.1 -> 0.0.1 (prohibited by Gerrit: not permitted: create signed tag)20:39
clarkbNow I will just add createSignedTag back and see if it works20:39
clarkb * [new tag]         0.0.1 -> 0.0.120:40
clarkbI think that means my fix works20:40
clarkbI've posted those results to the change upstream. I guess now we wait :/20:44
clarkbI'll leave the instance held in case anyone else wants to test or if upstream asks for more info20:46
clarkbfungi: were you going to followup on the openstack-discuss thread on this too ?20:48
clarkbI guess I should try testing pushing of a normal tag20:49
clarkband make sure it doesn't get detected as a signed tag?20:49
clarkb ! [remote rejected] 0.0.2 -> 0.0.2 (prohibited by Gerrit: not permitted: create) seems to work20:50
fungioh, right following up now20:54
clarkbnow to review the removal of createTag change for when this is working upstream again20:56
clarkbfungi: the followup change lgtm. I guess we really are just waiting for upstream now21:11
fungialso there was some movement on our other gerrit bug about the gitweb config21:19
*** dviroel is now known as dviroel|afk21:38
*** rlandy|ruck is now known as rlandy|out23:48

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!