Wednesday, 2025-12-03

00:13 <corvus> i feel like that one is a toss up
02:00 *** liuxie is now known as liushy
05:19 <opendevreview> Ian Y. Choi proposed openstack/project-config master: Use prepare-weblate-client job & run Weblate scripts  https://review.opendev.org/c/openstack/project-config/+/961499
05:48 <opendevreview> Michal Nasiadka proposed opendev/zuul-providers master: Revert "arm64: Introduce semaphore for arm64 build jobs"  https://review.opendev.org/c/opendev/zuul-providers/+/969342
05:50 <opendevreview> Michal Nasiadka proposed opendev/zuul-providers master: nodepool-base: Add firewalld zuul-console rule  https://review.opendev.org/c/opendev/zuul-providers/+/967962
08:55 <mnasiadka> The revert ^^ is a no-brainer I guess, and 967962 will fix lack of console streaming on Rocky OpenDev images
10:43 <opendevreview> Piotr Parczewski proposed zuul/zuul-jobs master: Fix missing package  https://review.opendev.org/c/zuul/zuul-jobs/+/969372
11:51 <opendevreview> Seongsoo Cho proposed openstack/project-config master: i18n: Add new Zuul job for Weblate migration testing  https://review.opendev.org/c/openstack/project-config/+/961499
13:27 *** dhill is now known as Guest32796
14:16 <opendevreview> Merged zuul/zuul-jobs master: Remove python2-devel from bindep for Fedora  https://review.opendev.org/c/zuul/zuul-jobs/+/954257
14:35 <opendevreview> Merged opendev/zuul-providers master: Revert "arm64: Introduce semaphore for arm64 build jobs"  https://review.opendev.org/c/opendev/zuul-providers/+/969342
14:47 <fungi> clarkb: https://review.opendev.org/921878 has a question addressed to you (i'd try to answer it myself, but i'm not sure i fully understand the implications of that choice)
14:47 <fungi> not urgent
15:43 <clarkb> fungi: I think my response would be we should continue to do whatever the old zanata jobs do
15:43 <clarkb> (I don't know what that is and would have to look it up)
15:47 <clarkb> left a quick message about that
15:47 <fungi> thanks, there's another depends-on change that was being held up by making a decision on that, which is how i spotted it
16:12 <mnasiadka> Any option for reviews on https://review.opendev.org/c/opendev/zuul-providers/+/967962 ? I’d happily accept working zuul_console streaming on Rocky :-)
16:13 <clarkb> mnasiadka: hrm how does that work with centos stream then? In theory iptables rules are translated by $tool to nftables?
16:14 <clarkb> mnasiadka: I don't want us to have to support 3 different firewall technologies. Can we convince rocky to respect iptables instead?
16:15 <clarkb> looking at our package map we should install iptables-services on family redhat
16:17 <clarkb> https://reintech.io/blog/implementing-ip-address-blocking-iptables-rocky-linux-9 implies this should work but maybe we need to enable services?
16:18 <clarkb> (as a side note we're probably finally approaching a state where we could convert to nftables across the board, but I'm not positive of that)
16:18 <mnaser> mnasiadka: fwiw would be nice to have this in the zuul_console module / task so in zuul-jobs so it just works(tm) like the other ones do (i guess)
16:18 <mnasiadka> clarkb: centos stream installed from centos-minimal element somehow gets iptables, rocky-container installs dnf Minimal group which includes firewalld
16:20 <mnasiadka> We could probably uninstall firewalld in rocky image build
16:20 <mnasiadka> mnaser: that’s another option I guess
16:22 <mnasiadka> clarkb: but I think sooner or later iptables is going to go - currently EL10 rather has a compatibility layer that iptables CLI creates nft rulesets
16:23 <clarkb> mnasiadka: yes iptables is nftables compat layer for most modern distros now
16:23 <clarkb> mnasiadka: I think the hope is that nftables support will be on all the platforms we build and then we can convert to it
16:23 <clarkb> which may be the case once bionic goes away (and maybe bionic is new enough?)
16:24 <clarkb> I do not think we should use firewalld at all for the same reason I don't think we should use ufw
16:24 <mnasiadka> Actually just installing iptables might work in the rocky image - let me try
16:24 <clarkb> they are somewhat platform specific and different platforms choose different tools by default. Instead sticking to the kernel system like iptables/nftables is more portable
16:24 <clarkb> mnasiadka: I think we already install iptables on rocky
16:24 <clarkb> mnasiadka: but maybe we aren't enabling it
16:26 <mnasiadka> clarkb: yes, iptables-nft seems to be enabled, but somehow the rules created by nodepool-base are not getting applied
16:27 <mnasiadka> Ah, it gets implemented in /etc/sysconfig
16:28 <mnasiadka> So might be iptables systemd service is not enabled, let me check
16:29 <clarkb> mnasiadka: zuul-providers/dib-elements/nodepool-base/post-install.d/20-iptables does appear to attempt to enable the service. But ya maybe that isn't working
16:36 <clarkb> infra-root I submitted an EMS support ticket via the website which you can now see quoted in their response to the infra root email address
16:41 <mnasiadka> clarkb: regarding https://review.opendev.org/c/zuul/zuul-jobs/+/966187 - I think it’s ready for review, tried to implement what is documented in zuul docs around mirrors
16:44 <clarkb> mnasiadka: cool I'll try to take a look today (probably this afternoon at the earliest)
16:44 <mnasiadka> No rush
16:49 <opendevreview> Clark Boylan proposed opendev/system-config master: Improve opendev's matrix gerritbot repo list  https://review.opendev.org/c/opendev/system-config/+/969497
16:51 <mnasiadka> iptables.service on rocky is disabled, that explains things
16:52 <clarkb> mnasiadka: so now we need to look at the build logs to see why zuul-providers/dib-elements/nodepool-base/post-install.d/20-iptables isn't enabling it as expected
16:54 <mnasiadka> We might need to enable DIB_DEBUG_TRACE to get a meaningful output, I’ll try that out
16:58 <mnasiadka> Well, without debug I see that symlink was created in the logs
16:58 <mnasiadka> I mean in the build logs
17:00 <clarkb> weird. Maybe a later element script disables it somehow?
17:01 <mnasiadka> https://zuul.opendev.org/t/opendev/build/5c2e48fbbf1b4649853a788e4380970a/log/diskimage-rockylinux-10.log#7467
17:01 <mnasiadka> That’s nearly the last thing in the build, that would be somehow weird.
17:02 <clarkb> maybe firewalld has a rule that takes precedence and prevents it from starting? If that is the case we could disable firewalld maybe
17:09 <opendevreview> Michal Nasiadka proposed opendev/zuul-providers master: nodepool-base: Mask firewalld unit  https://review.opendev.org/c/opendev/zuul-providers/+/967962
17:09 <mnasiadka> clarkb: ^^ let’s see if that helps
17:10 <clarkb> mnasiadka: does that work if the system doesn't have a firewalld service? I guess CI should tell us (a nice change from the old nodepool system)
17:12 <mnasiadka> clarkb: tested in a fresh rocky container and masking works even if there’s no such service, it just creates a link to /dev/null without checking if the service exists
17:12 <clarkb> perfect
17:36 <fungi> fwiw, debian is dropping the iptables compatibility layer in forky, so in a couple of years we'll need to be using nftables directly
17:37 <clarkb> it does look like bionic and bullseye do nftables so we can start converting things I think
17:37 <clarkb> but like I said I think we should do iptables -> nftables for portability reasons rather than iptables -> ufw + firewalld + nftables
17:40 <fungi> yeah, i switched to installing a /etc/nftables.conf on my debian systems years ago
17:40 <clarkb> someone should add it to our big todo list etherpad
17:41 <clarkb> I'll do it after this meeting if no one beats me to it
17:41 <fungi> conveniently, it's more human-friendly than iptables/chains, though my preference is still for openbsd pf when it comes to that
17:53 <clarkb> ubuntu security repos must be undergoing updates because 969497 keeps hitting errors trying to fetch packages (those jobs use prod apt list configs which don't use our ci mirrors)
17:53 <clarkb> I'll recheck it again in a bit to give the mirrors a chance to catch up
17:56 <clarkb> I've updated the todo list with a note about nftables
17:58 <Matko[m]> I'm not sure who to reach out about it. The openinfra 2025 playlist on youtube has a lot of duplicates: 2-5 times the same video: https://www.youtube.com/playlist?list=PLKqaoAnDyfgr91wN_12nwY321504Ctw1s
17:59 <clarkb> Matko[m]: we can't fix that ourselves, but fungi and I should be able to get in contact with those who can. Thank you for the heads up
18:00 <Matko[m]> clarkb: thanks =)
18:01 <clarkb> I've let people on the foundation side know and hopefully it will get fixed soon (but haven't heard anything yet)
18:12 <clarkb> Matko[m]: it is being looked into now
18:12 <clarkb> I'm going to do another pass on gerrit upgrade testing shortly. This time with large h2 cache file removal included
18:13 <Matko[m]> clarkb: thanks for the follow up. I already see the number of videos in the playlist decreasing.
18:25 <mnasiadka> fungi: I miss times running firewalls using pf (on FreeBSD, but no difference) :-)
18:27 <clarkb> apparently freebsd pf performance is much better than openbsd
18:27 <clarkb> which doesn't matter so much at gigabit speeds but as networks get faster people have written about needing to switch to freebsd to keep up
18:30 <fungi> mnasiadka: i used to build productized network security and acceleration appliances purely with openbsd (loved when they added their own load balancer service too, it's amazing), but i still run it at home to this day because it's so darned convenient
18:32 <fungi> in particular, the fact that you can cluster and synchronize state table entries between active/active/... firewalls is still leaps beyond what you get from a lot of supposedly "enterprise" firewall solutions
18:35 <clarkb> Matko[m]: cleanup should be complete now. Thanks again for the report
18:35 <mnasiadka> Yup, used carp and pfsync in pre-2010 solutions ;)
18:37 <fungi> also loved how they continued the fish theme with carp being their replacement for the (cisco-)patent-encumbered crrp protocol
18:37 <fungi> er, vrrp
18:38 <Matko[m]> clarkb: :D
18:39 <fungi> if memory serves, cisco had decided that rarp infringed on their vrrp patent, so carp had to redesign rarp in such a way that it skirted the patent
18:39 <fungi> though i think the vrrp patent is long since expired
18:41 <fungi> ah no, too many beers ago. the internet says vrrp was a standard but cisco was claiming it infringed on their hsrp patent
18:42 <fungi> regardless, yes it looks like their patent on hsrp expired 10 years ago now
19:06 <clarkb> ok gerrit upgrade with caches moved aside (we copy things like indexes aside too so I figured we can move the cache aside just in case) seems to have worked on the test node. I am able to see diffs and changes after the upgrade and don't observe any complaints from the service
19:07 <clarkb> I do notice that we don't actually seem to get the Blocked users ACL update as part of the upgrade seems to be specific to new site initialization
19:07 <clarkb> that is fine and I'm keeping the steps to check it in prod just in case. I think we can followup after the upgrade and add that acl at any time if we think being in sync with upstream on that is important but I don't think it affects the upgrade either way. Mostly we just want to know if it happens
19:08 <fungi> we can always adjust that post-upgrade so long as we know
19:08 <clarkb> exactly
19:08 <clarkb> corvus in the upgrade document we also have a step to restart zuul schedulers to pick up the new gerrit version. Since we're upgrading on Sunday I expect the weekly zuul upgrades to be complete by then. Should we manually restart schedulers this time given that? and just to double check only schedulers need a restart not web too right?
19:09 <clarkb> and now I'll run through the downgrade again. This time I will also move the caches aside and double check that doing so is ok in a downgrade scenario
19:10 <corvus> clarkb: yes i think it's worth it, though i don't expect any changes, since i don't think we've conditioned anything on any recent gerrit versions.  i would do both schedulers and web for sanity/consistency.
19:11 <clarkb> cool I'll update the notes to add web and indicate we should do that step this time
19:12 <fungi> mainly i think it's good to have zuul restarts baked into the process in case it conditions features on newer-than-we're-running gerrit in the future (however unlikely since we'll probably be the ones to discover the version requirements, of anyone)
19:13 <clarkb> fungi: yup that is why its in there but we note that depending on timing we can sometimes let weekly restarts handle it
19:13 <clarkb> in this case I think we're about as far from the next weekly restart as possible so worth doing manually
19:13 <fungi> but still, we might discover that a zuul feature needs newer gerrit than we have, and bake in a version check to get us back to the old behavior until we upgrade, so still a distinct possibility
19:20 <clarkb> downgrade looks good with h2 cache removal as well
19:20 <clarkb> I should note that the test node only has like 5 changes total and its caches are tiny but it is good that it loads them up anyway
19:20 <clarkb> but this all continues to look good to me even with the slightly modified process
19:21 <clarkb> I'll look into staging some of the post upgrade tasks soon as well
19:50 <clarkb> fungi: https://review.opendev.org/c/opendev/system-config/+/969497 addresses the matrix gerritbot issue you pointed out earlier today if you want to take a look
19:57 <clarkb> I'm going to grab lunch now then probably pop out for a bike ride after
20:06 <opendevreview> Enzo Candotti proposed openstack/project-config master: Add SeaweedFS App to StarlingX  https://review.opendev.org/c/openstack/project-config/+/969527
21:57 <opendevreview> Merged opendev/system-config master: Improve opendev's matrix gerritbot repo list  https://review.opendev.org/c/opendev/system-config/+/969497