| -@gerrit:opendev.org- Elod Illes proposed: [opendev/subunit2sql] 974813: Remove openstack-python3-train-jobs https://review.opendev.org/c/opendev/subunit2sql/+/974813 | 09:14 | |
| @fungicide:matrix.org | https://review.opendev.org/c/opendev/subunit2sql/+/974813 got me wondering if we should just close down that project. i don't think anything of ours has used it since we tore down the old openstack-health service years ago | 14:21 |
|---|---|---|
| @fungicide:matrix.org | at the very least, we could remove it from the tenant config(s) | 14:22 |
| @clarkb:matrix.org | fungi: yes, I think we can probably drop it from zuul's tenant config at least | 14:48 |
| @clarkb:matrix.org | also I don't see any complaints from paste about backups this morning. I'll have to take a closer look after the board meeting. I think we want to double check that we actually backed up the sql contents properly | 14:49 |
| @fungicide:matrix.org | `2026-01-27T05:26:01.603720+00:00 paste02 CRON[2625887]: (root) CMD (/usr/local/bin/borg-backup backup02.ca-ymq-1.vexxhost.opendev.org 2>> /var/log/borg-backup-backup02.ca-ymq-1.vexxhost.opendev.org.log)` | 15:08 |
| @fungicide:matrix.org | so it definitely ran the script | 15:08 |
| @fungicide:matrix.org | and '/etc/borg-streams/mariadb' does point to `-h 127.0.0.1` now | 15:11 |
| @clarkb:matrix.org | yup I checked the contents of that file yseterday too to ensure the deployment did what I expected. This is all a good sign but ideally we look in borg and check that we didn't do a null backup successfully (or similar) | 15:12 |
| @fungicide:matrix.org | https://docs.opendev.org/opendev/system-config/latest/sysadmin.html#restore-from-backup implies the mysqldump stream will just appear as a normal file in the fuse fs? | 15:15 |
| @clarkb:matrix.org | fungi: yup it should | 15:15 |
| @fungicide:matrix.org | `2.9G /opt/backups/paste02-mariadb-2026-01-27T05:26:28/mariadb` | 15:18 |
| @clarkb:matrix.org | cool that implies we actually did a backup. head/tail can probably confirm content is correct too? | 15:18 |
| @clarkb:matrix.org | anyway 2.9GB is big enough that I double we faile | 15:18 |
| @clarkb:matrix.org | * anyway 2.9GB is big enough that I double we failed | 15:19 |
| @fungicide:matrix.org | i'm trying to get a linecount from it first, but yeah | 15:19 |
| @clarkb:matrix.org | * anyway 2.9GB is big enough that I doubt we failed | 15:19 |
| @fungicide:matrix.org | 955002 lines | 15:19 |
| @fungicide:matrix.org | `-- Host: 127.0.0.1 Database:` | 15:20 |
| @fungicide:matrix.org | `-- Dump completed on 2026-01-27 5:28:06` | 15:20 |
| @fungicide:matrix.org | looks complete | 15:20 |
| @fungicide:matrix.org | i'm going to umount it if there's nothing else you want checked, but i'm satisfied | 15:20 |
| @clarkb:matrix.org | I think that looks good. I just checked and we backup all databases on that host so no specific database should be lsited there | 15:21 |
| @fungicide:matrix.org | yeah, i was more interested in it confirming we backed up over loopback rather than unix socket | 15:22 |
| @clarkb:matrix.org | ++ | 15:22 |
| @fungicide:matrix.org | okay, umounted on paste02 now | 15:23 |
| @fungicide:matrix.org | i guess we should be okay to roll this out to the rest of our servers | 15:24 |
| @clarkb:matrix.org | I dropped my WIP vote on https://review.opendev.org/c/opendev/system-config/+/973541/ | 15:29 |
| @scott.little:matrix.org | ok, I think I found you :) | 16:06 |
| @fungicide:matrix.org | you did! | 16:06 |
| @fungicide:matrix.org | we moved a week ago, so people are still finding out/trickling in | 16:07 |
| @clarkb:matrix.org | to followup from the old IRC channel: the discussion/question is can Gerrit acls be configured so that a specific group of people has permissions to push merge commits to a specific branch | 16:10 |
| @scott.little:matrix.org | so to rehash ... the goal is to allow a few core developers to have the permission to push merge commits into branch starlingx/portable-dc if they are a member of new group portable-dc-release. I do NOT want to grant the new group the ability to push merge commits to any other branch. I also do not want to take away any rights people already have on branch starlingx/portable-dc | 16:10 |
| @clarkb:matrix.org | yup so the solution would be to add a gerrit acl block for that branch specifically that adds push merge commit perms for the new group. Everyone else will continue to have their normal permissions on that branch | 16:11 |
| @scott.little:matrix.org | my tentative solution is to add to project-config/gerrit/acls/starlingx/<project>.config the lines ... [access "refs/for/refs/starlingx/portable-dc"] | 16:12 |
| pushMerge = group portable-dc-release | ||
| @clarkb:matrix.org | yes I think that should do what you described in english above. | 16:12 |
| @clarkb:matrix.org | note that does not allow the group to push merges from that branch into other branches. Only from other branches into the portable-dc branch | 16:13 |
| @scott.little:matrix.org | yes, that's exactly what I want | 16:13 |
| @clarkb:matrix.org | gerrit permissions are target ref/branch based. I don't think you can filter by the source only by who is performing the action | 16:13 |
| @clarkb:matrix.org | cool just wanted to double check on that | 16:14 |
| @fungicide:matrix.org | https://opendev.org/openstack/project-config/src/commit/6ca2edb/gerrit/acls/openstack/oslo.messaging.config#L7-L8 is almost an example of that | 16:14 |
| @scott.little:matrix.org | is there any testing we can do on this before deployment ? | 16:14 |
| @fungicide:matrix.org | it limits pushing merge commits to only feature branches and not normal branches | 16:14 |
| @fungicide:matrix.org | in essence, oslo-messaging-core can merge into any feature/* branch, but only oslo-release can merge into other branches (allowing them to merge the feature branches back to master) | 16:15 |
| @scott.little:matrix.org | and group portable-dc-release will be created with me as first core? I'll add the others | 16:16 |
| @fungicide:matrix.org | scott.little: it'll be created empty, but then i or one of our other sysadmins will add you as the initial member | 16:17 |
| -@gerrit:opendev.org- Scott Little proposed: [openstack/project-config] 974898: git group portable-dc-release power to merge into branch f/portable-dc https://review.opendev.org/c/openstack/project-config/+/974898 | 16:33 | |
| @scott.little:matrix.org | https://review.opendev.org/c/openstack/project-config/+/974898 ... and the correct branch is f/portable-dc | 16:33 |
| @clarkb:matrix.org | +2 that looks like what I would expect. fungi can double check | 16:36 |
| @fungicide:matrix.org | i think the acl linter is going to complain about indenting with spaces instead of hard tabs | 16:36 |
| @clarkb:matrix.org | ah ya it normalizes things then any diff is considered a failure | 16:36 |
| @clarkb:matrix.org | (because gerrit normalizes things and it is easier to compare if gerrit and project-config are in sync this way) | 16:37 |
| -@gerrit:opendev.org- Scott Little proposed: [openstack/project-config] 974898: git group portable-dc-release power to merge into branch f/portable-dc https://review.opendev.org/c/openstack/project-config/+/974898 | 16:40 | |
| @scott.little:matrix.org | fixed spaces -> tab | 16:40 |
| @scott.little:matrix.org | hmm perhaps i should have called the group starlingx-portable-dc-release | 16:47 |
| @fungicide:matrix.org | i can un-approve before it merges if you want to change that | 16:47 |
| @scott.little:matrix.org | please do | 16:48 |
| @fungicide:matrix.org | done | 16:48 |
| -@gerrit:opendev.org- Scott Little proposed: [openstack/project-config] 974898: git group portable-dc-release power to merge into branch f/portable-dc https://review.opendev.org/c/openstack/project-config/+/974898 | 16:49 | |
| @scott.little:matrix.org | done. love sed | 16:49 |
| -@gerrit:opendev.org- Zuul merged on behalf of Scott Little: [openstack/project-config] 974898: git group portable-dc-release power to merge into branch f/portable-dc https://review.opendev.org/c/openstack/project-config/+/974898 | 17:06 | |
| -@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 974933: Add modsecurity waf rules to lists.opendev.org https://review.opendev.org/c/opendev/system-config/+/974933 | 19:48 | |
| @fungicide:matrix.org | as mentioned in the meeting ^ | 19:48 |
| -@gerrit:opendev.org- Clark Boylan proposed: [opendev/system-config] 974934: Upgrade etherpad to 2.6.1 https://review.opendev.org/c/opendev/system-config/+/974934 | 19:52 | |
| @clarkb:matrix.org | also mentioned in the meeting ^ I'll work out holding a node if that builds and tests cleanly after lunch | 19:52 |
| -@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed wip: [opendev/system-config] 974942: Inject docs honeypot URL into body comment https://review.opendev.org/c/opendev/system-config/+/974942 | 20:44 | |
| @fungicide:matrix.org | that's ^ more of a poc at the moment | 20:46 |
| @fungicide:matrix.org | we have a few options for inline altering content, a more general one would probably be mod_proxy but it comes with additional side-effects | 20:47 |
| @fungicide:matrix.org | i toyed around with the idea of sticking an empty `<a href...` in the body or a `<link...` in the head, but as i dug into browser preloading/prefetching behaviors i couldn't find a clear way to signal that it shouldn't be fetched (rel=nofollow isn't relevant for them apparently, and doesn't even prevent modern search index crawlers from actually following, merely reduces their significance) | 20:50 |
| @clarkb:matrix.org | I was going to say we keep the same deny rule but it looks like you're relying on that then stuffing the link in a comment | 20:53 |
| @clarkb:matrix.org | That seems like something worth trying at least | 20:53 |
| @clarkb:matrix.org | fungi: is it addoutputfilterbytype? That is what Google gives me not sure if addoutputfilter is equivalent as an alias? | 20:55 |
| @fungicide:matrix.org | https://httpd.apache.org/docs/trunk/mod/mod_sed.html is what i was going by | 20:56 |
| @clarkb:matrix.org | Oh mod sed not mod filter | 20:57 |
| @fungicide:matrix.org | also i realize that's the apache 2.5 docs, i double-checked and 2.4 is the same | 20:58 |
| @fungicide:matrix.org | mod_filter seemed more complex and needed to call out to an external executable | 20:59 |
| @fungicide:matrix.org | but like i said, there are multiple options | 20:59 |
| @clarkb:matrix.org | Ya I think if this works it is fine. Our testing should have decent coverage of it too | 21:00 |
| @fungicide:matrix.org | the main problem with this implementation is it only works for serving static html files, but as that's most of what's on static.o.o it makes for an okay poc i think | 21:01 |
| @fungicide:matrix.org | then again, the other major case we have is mod_proxy fronted services, so in theory we could just have an implementation specific for that model as well since i think it has a similar feature available | 21:02 |
| @clarkb:matrix.org | Ya hopefully this gives us more data on what a sufficient lure is | 21:03 |
| @fungicide:matrix.org | i was imagining that apache had a more generic solution for this sort of thing, like it does for http headers, but i guess performance optimizations mean that there's not a singular chokepoint all the html flows through | 21:06 |
| @fungicide:matrix.org | but also yes, what i'm mainly interested in seeing is whether a raw url inside an html comment is sufficient enticement to bait the bots, or just gets ignored | 21:08 |
| -@gerrit:opendev.org- Clark Boylan proposed: [opendev/system-config] 840972: DNM force etherpad failure to hold node https://review.opendev.org/c/opendev/system-config/+/840972 | 21:16 | |
| @clarkb:matrix.org | I've put an autohold in place for ^ and deleted the old 2.6.0 autohold | 21:17 |
| -@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 974933: Add modsecurity waf rules to lists.opendev.org https://review.opendev.org/c/opendev/system-config/+/974933 | 21:30 | |
| @clarkb:matrix.org | I'm going to pop out for a bike ride. When I get back I'll look into testing that held etherpad node | 21:35 |
| @fungicide:matrix.org | enjoy! i'm envious of having good going-out weather, looks like we're expecting more bitter cold and snow through the weekend | 21:36 |
| @clarkb:matrix.org | Good is overselling it. It is dry and not quite cold enough for snow. But I expect to be cold | 21:38 |
| @clarkb:matrix.org | Last week the lake/pond nearby had half frozen over when I went by. | 21:40 |
| -@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed wip: [opendev/system-config] 974942: Inject docs honeypot URL into body comment https://review.opendev.org/c/opendev/system-config/+/974942 | 21:40 | |
| @fungicide:matrix.org | it did at least barely climb above freezing this afternoon for a few hours and we got a reprieve from precipitation | 21:41 |
| -@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed wip: [opendev/system-config] 974942: Inject docs honeypot URL into body comment https://review.opendev.org/c/opendev/system-config/+/974942 | 22:55 | |
| @jim:acmegating.com | I'd like to bring this zuul change to the attention of this group: https://review.opendev.org/974974 -- it removes the automatic image build in zuul (because it turns out there are some edge cases where that's problematic) and it's based on what we've learned in practice with zuul-launcher: all of our image builds are actually built via the gate or periodic pipelines, almost never the dedicated image build pipeline (which is the one that responds to the automatic image builds). | 23:46 |
| In short, I don't think there's any practical change for opendev, but I wanted to bring it up here in case I missed something. | ||
| @clarkb:matrix.org | corvus: in the case of a new image we would get images built beacuse we're adding the image right? I think that covers the trivial case of missing image that needs to be built | 23:55 |
Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!