opendevreview | Merged openstack/diskimage-builder master: Revert "Fallback to persistent netifs names with systemd" https://review.opendev.org/c/openstack/diskimage-builder/+/838863 | 00:26 |
---|---|---|
ianw | clarkb: if you have a sec for https://review.opendev.org/c/openstack/diskimage-builder/+/839307 as well, it's just a little bash thing that i noticed in a test once. it feels racy, i'm surprised we haven't hit it before. or maybe we do and just put it down to gate instability and recheck | 06:48 |
rpittau | ianw, clarkb, I rebased the bifrost test to check after the merge, but it was green before, so I do not expect surprises | 07:02 |
ianw | rpittau: thanks for that. opendev has a need for a release to fix the centos 7 builds, if no objections probably will do tomorrow .au time | 07:03 |
opendevreview | Jeremy Stanley proposed openstack/diskimage-builder master: yum-minimal: workaround missing $releasedir variable https://review.opendev.org/c/openstack/diskimage-builder/+/839840 | 15:48 |
opendevreview | Jeremy Stanley proposed openstack/diskimage-builder master: Temporarily stop running OpenSUSE functtests https://review.opendev.org/c/openstack/diskimage-builder/+/840328 | 15:48 |
opendevreview | Jeremy Stanley proposed openstack/diskimage-builder master: Revert "Temporarily stop running OpenSUSE functtests" https://review.opendev.org/c/openstack/diskimage-builder/+/840329 | 15:48 |
opendevreview | Neil Hanlon proposed openstack/diskimage-builder master: Ensure passwd is installed on RH and derivatives https://review.opendev.org/c/openstack/diskimage-builder/+/840352 | 16:06 |
opendevreview | Merged openstack/diskimage-builder master: Temporarily stop running OpenSUSE functtests https://review.opendev.org/c/openstack/diskimage-builder/+/840328 | 18:57 |
clarkb | ianw: I went ahead and approved https://review.opendev.org/c/openstack/diskimage-builder/+/839307 | 19:37 |
ianw | thanks | 19:38 |
opendevreview | Merged openstack/diskimage-builder master: yum-minimal: workaround missing $releasedir variable https://review.opendev.org/c/openstack/diskimage-builder/+/839840 | 19:52 |
ianw | i'm thinking about how we could push this openafs update to the ppa from zuul, rather than manual updates | 19:55 |
ianw | i could put the debian/* directory in openstack-zuul-jobs (near where we have the rpm build jobs) or system-config, or a new project? | 19:55 |
ianw | it would then "just" need to run a debuild -S -sa and upload the results via dput, the trick will be getting a key on there that the ppa trusts to sign it | 19:57 |
ianw | actually first grab defined upstream source, make orig.tar.gz, then put our /debian in it, then run debuild | 19:58 |
fungi | you could use the same mechanism we use to put a signing key on release job nodes | 19:58 |
ianw | that's approximately what i do manually | 19:58 |
fungi | i mean as far as automating it via zuul | 19:58 |
ianw | yeah, that's handy, it will have figured out the magic of getting a key from secret->gpg | 19:59 |
fungi | right, the short answer is that we export (just) the signing subkey as a keyring file and then encode that as a zuul secret to supply to the job | 19:59 |
fungi | then when the job runs, a task splats that back onto the filesystem where gnupg expects to find it | 20:00 |
ianw | presumably that's just the default key, and ergo if it has no password debuild would just happily sign the changes file? | 20:01 |
fungi | yes | 20:01 |
fungi | though you can also override it with a specific key id, keyring path, et cetera if you like, it shouldn't really be necessary in a ci job | 20:01 |
ianw | do you think it's worth starting a new repo, or just put it in openstack-zuul-jobs somehow? | 20:02 |
fungi | by "it" you mean the secrey? (we store the openstack release signing key in openstack/project-config) | 20:04 |
fungi | er, secret | 20:04 |
ianw | i mean the whole /debian/* tree to build from really | 20:04 |
ianw | and the job content, and i guess the secret | 20:04 |
fungi | it could be a files subtree under a role | 20:04 |
fungi | ansible can copy a directory, right? | 20:05 |
ianw | yeah it probably makes sense | 20:05 |
ianw | do you know off-hand how to regenerate *just* a changes file? | 20:05 |
fungi | i mean, if you want to go the debian's debian route, it would be to create a separate git repository for the debian subtree and then use git-buildpackage to import the upstream source... | 20:06 |
fungi | the changes file is part of the build output, so i'm not sure how you would generate just the changes file without building | 20:06 |
fungi | building the source package, i mean | 20:06 |
fungi | presumably this is for source-only uploading to the ppa builder | 20:06 |
ianw | yeah, i'm wondering if we can just re-sign it | 20:07 |
ianw | so the gate builds it, and then we pull the artifact in a promote job, and sign it with the "real" key and upload | 20:07 |
fungi | oh, if there's an existing changes file and you want to change or add a signature, you could just use gpg to do that directly i think | 20:07 |
ianw | it would have to replace the signature, i guess | 20:10 |
fungi | i think multi-signature is possible, but i can't think of a benefit that would provide us in this context | 20:11 |
ianw | if you run a .changes file through "gpg --decrypt --output <file>" i guess that gives us the original, then we can resign it | 20:14 |
clarkb | ianw: what would be the original source pacakge in that context? The one from debian ( Ithink that is what we had been using previously) | 20:15 |
ianw | clarkb: it could be, but i'd probably have the script download and repackage the upstream source | 20:16 |
clarkb | ah | 20:16 |
clarkb | would there be a changes file in that case? | 20:16 |
ianw | that way it's fairly clear what we're building | 20:16 |
ianw | the changes i mean the thing that debuild spits out, that has the list of files to build and their checksums | 20:17 |
ianw | dput then grabs the source files and that .changes file and uploads to launchpad, that then checks everything matches up with a trusted signature and builds | 20:18 |
clarkb | right I guess I'm just confused why would would need to decrypt/unsign that file if you are generating it with the key you want? But also I'm probably missing something obvious | 20:19 |
fungi | sounds like the idea is to not use the upload key in the source package build job, but then have a separate job (re)sign and upload the resulting artifact | 20:20 |
clarkb | ah | 20:21 |
ianw | yeah i think it makes most sense to have a promote step? i'm open to ideas | 20:22 |
clarkb | that was the part I was missing and ya that would make it similar to some of the other artifact publishign we do | 20:23 |
ianw | if we're building the source, we're only a very small way away from just using pbuilder or something to make our own binary packages | 20:23 |
ianw | although launchpad still gives us easier multi-arch builds which we need | 20:24 |
ianw | oh i thought we were in #opendev, heh, this isn't really dib related | 20:25 |
fungi | i was starting to wonder | 20:26 |
fungi | that also changes the tone, if we're signing something for opendev instead of for openstack | 20:26 |
opendevreview | Merged openstack/diskimage-builder master: centos: avoid head pipe failure https://review.opendev.org/c/openstack/diskimage-builder/+/839307 | 21:04 |
ianw | a055b59f8da71cf59d903e25de7fd2b6441026f3 is what i'm thinking for 3.21.0 | 22:10 |
clarkb | ianw: ya that lgtm | 22:44 |
clarkb | ianw: side note I think fungi thought 3.20.2 may have been tagged not on a merge commit so was actually further back in history than intended? godo to double check we'vegot a tip commit | 22:44 |
opendevreview | Clark Boylan proposed openstack/diskimage-builder master: Add Jammy functesting to dib https://review.opendev.org/c/openstack/diskimage-builder/+/840391 | 22:55 |
clarkb | ianw: ^ something like that for jammy functesting? | 22:55 |
opendevreview | Merged openstack/diskimage-builder master: containerfile: update test to jammy https://review.opendev.org/c/openstack/diskimage-builder/+/838981 | 22:56 |
clarkb | oh heh I was updating to do that in my change and didn't ralize there was already a change for it :) I'll rebase | 22:57 |
opendevreview | Clark Boylan proposed openstack/diskimage-builder master: Add Jammy functesting to dib https://review.opendev.org/c/openstack/diskimage-builder/+/840391 | 22:58 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!