Friday, 2019-08-02

« Thursday, 2019-08-01 Index Saturday, 2019-08-03 »
*** diablo_rojo is now known as diablo_rojo__00:00
*** diablo_rojo__ is now known as diablo_rojo00:00
donnydclarkb: whenever you get a chance... it seems like the fedora28 image is flaky with ipv600:05
ianwthat's probably more my problem :)  in that it just doesn't come up properly?00:06
donnydyea, all of the rest of the images work fine, it would see that the fedora28 image does not. v4 works, v6 does not00:09
donnydi have to go tv for a while00:09
ianwhrm, so the f29 images work ok?00:10
ianwwe probably don't want to expend too much effort on f28 ... the only reason it's hung around is as a rhel8 analogue00:10
donnydyea00:10
donnydok, just thought i would put it out there00:10
* donnyd walks to tv and watches00:11
ianwcool, i'm trying to get f30 up , it's lowish priority which is why it's taken so long00:11
ianwttyl00:11
*** slaweq has joined #openstack-infra00:11
*** michael-beaver has quit IRC00:12
*** slaweq has quit IRC00:16
*** rosmaita has quit IRC00:18
*** diablo_rojo has quit IRC00:20
*** diablo_rojo has joined #openstack-infra00:21
*** rosmaita has joined #openstack-infra00:31
*** ianychoi has joined #openstack-infra00:34
*** rlandy is now known as rlandy|bbl00:35
*** betherly has joined #openstack-infra00:35
*** Lucas_Gray has quit IRC00:36
*** dchen has joined #openstack-infra00:37
*** betherly has quit IRC00:39
*** goldyfruit has joined #openstack-infra00:40
*** lseki has quit IRC00:53
*** betherly has joined #openstack-infra00:55
*** happyhemant has quit IRC00:59
*** betherly has quit IRC01:00
*** diablo_rojo has quit IRC01:18
*** betherly has joined #openstack-infra01:46
*** e0ne has joined #openstack-infra01:48
*** ramishra has joined #openstack-infra01:52
*** betherly has quit IRC01:52
*** e0ne has quit IRC01:52
*** bhavikdbavishi has joined #openstack-infra01:54
*** bhavikdbavishi1 has joined #openstack-infra01:57
*** jamesmcarthur has joined #openstack-infra01:58
*** jamesmcarthur has quit IRC01:58
*** jamesmcarthur has joined #openstack-infra01:58
*** bhavikdbavishi has quit IRC01:58
*** bhavikdbavishi1 is now known as bhavikdbavishi01:58
*** yamamoto has joined #openstack-infra02:03
openstackgerritDonny Davis proposed openstack/project-config master: FN can now support 100 nodes - turning up quota  https://review.opendev.org/67414902:07
*** rlandy|bbl is now known as rlandy02:07
*** apetrich has quit IRC02:08
*** slaweq has joined #openstack-infra02:11
*** slaweq has quit IRC02:16
*** rh-jelabarre has quit IRC02:21
*** rlandy has quit IRC02:29
*** ykarel|away has joined #openstack-infra02:32
*** yamamoto has quit IRC02:42
*** yamamoto has joined #openstack-infra02:43
*** ykarel|away has quit IRC02:46
*** n-saito has joined #openstack-infra02:48
*** bhavikdbavishi has quit IRC02:48
*** betherly has joined #openstack-infra02:59
*** betherly has quit IRC03:03
*** dpawlik has quit IRC03:04
*** betherly has joined #openstack-infra03:19
*** psachin has joined #openstack-infra03:21
*** betherly has quit IRC03:24
*** gyee has quit IRC03:26
*** bhavikdbavishi has joined #openstack-infra03:33
*** psachin has quit IRC03:36
*** betherly has joined #openstack-infra03:39
*** betherly has quit IRC03:45
*** armax has quit IRC03:45
*** armax has joined #openstack-infra03:46
*** jamesmcarthur has quit IRC03:46
*** armax has quit IRC03:46
*** jamesmcarthur has joined #openstack-infra03:46
*** betherly has joined #openstack-infra03:50
*** jamesmcarthur has quit IRC03:51
*** betherly has quit IRC03:55
*** yamamoto has quit IRC04:01
*** yamamoto has joined #openstack-infra04:02
*** auristor has quit IRC04:05
*** betherly has joined #openstack-infra04:11
*** slaweq has joined #openstack-infra04:11
*** auristor has joined #openstack-infra04:14
*** slaweq has quit IRC04:16
*** betherly has quit IRC04:16
*** jamesmcarthur has joined #openstack-infra04:16
*** betherly has joined #openstack-infra04:21
*** betherly has quit IRC04:26
openstackgerritMerged openstack/project-config master: FN can now support 100 nodes - turning up quota  https://review.opendev.org/67414904:27
*** e0ne has joined #openstack-infra04:30
*** whoami-rajat has joined #openstack-infra04:34
*** e0ne has quit IRC04:35
*** betherly has joined #openstack-infra04:41
*** betherly has quit IRC04:46
openstackgerritJan Kubovy proposed zuul/zuul master: Make tenant and pipeline optional in zuul-changes  https://review.opendev.org/67403404:51
*** jamesmcarthur has quit IRC04:53
*** diga has joined #openstack-infra04:54
*** tkajinam has quit IRC05:00
*** betherly has joined #openstack-infra05:02
*** tkajinam has joined #openstack-infra05:02
*** udesale has joined #openstack-infra05:07
*** betherly has quit IRC05:07
*** Lucas_Gray has joined #openstack-infra05:10
*** betherly has joined #openstack-infra05:18
*** odicha has joined #openstack-infra05:20
*** betherly has quit IRC05:22
*** markvoelker has joined #openstack-infra05:34
*** markvoelker has quit IRC05:39
*** kopecmartin|off is now known as kopecmartin05:45
*** tkajinam_ has joined #openstack-infra05:53
*** tkajinam has quit IRC05:55
*** iurygregory has quit IRC05:56
*** e0ne has joined #openstack-infra06:04
*** janki has joined #openstack-infra06:04
*** slaweq has joined #openstack-infra06:11
*** Lucas_Gray has quit IRC06:13
*** slaweq has quit IRC06:15
*** pgaxatte has joined #openstack-infra06:23
ianw#status log afs servers restarted without logging as kafs server currently out of rotation06:33
openstackstatusianw: finished logging06:33
*** apetrich has joined #openstack-infra06:34
*** janki has quit IRC06:34
*** janki has joined #openstack-infra06:35
openstackgerritIan Wienand proposed opendev/system-config master: AFS server restart and audit logging : helper script  https://review.opendev.org/67284706:38
*** jaosorior has joined #openstack-infra06:38
*** e0ne has quit IRC06:42
*** pkopec has joined #openstack-infra06:44
*** e0ne has joined #openstack-infra06:45
*** witek has joined #openstack-infra06:51
*** jhesketh has joined #openstack-infra06:54
*** rcernin has quit IRC06:58
*** ginopc has joined #openstack-infra06:58
*** slaweq has joined #openstack-infra07:05
openstackgerritIan Wienand proposed opendev/system-config master: kafs support  https://review.opendev.org/62397407:16
openstackgerritIan Wienand proposed opendev/system-config master: ubuntu-kernel: role to use Ubuntu mainline kernels  https://review.opendev.org/66505707:16
*** redrobot has quit IRC07:17
*** tesseract has joined #openstack-infra07:17
*** rascasoft has joined #openstack-infra07:29
*** iurygregory has joined #openstack-infra07:30
*** jpenag is now known as jpena07:31
*** e0ne has quit IRC07:31
openstackgerritMerged zuul/nodepool master: builder: Log all deletions of image upload records  https://review.opendev.org/67412607:32
openstackgerritIan Wienand proposed opendev/system-config master: ubuntu-kernel: role to use Ubuntu mainline kernels  https://review.opendev.org/66505707:37
openstackgerritIan Wienand proposed opendev/system-config master: kafs: allow to skip cachefilesd  https://review.opendev.org/67421507:37
*** janki has quit IRC07:43
*** gfidente has joined #openstack-infra07:45
*** ramishra has quit IRC07:46
*** jtomasek has joined #openstack-infra07:47
*** jtomasek has quit IRC07:48
*** tosky has joined #openstack-infra07:48
*** jtomasek has joined #openstack-infra07:50
*** lucasagomes has joined #openstack-infra07:52
*** ralonsoh has joined #openstack-infra08:10
*** dchen has quit IRC08:10
openstackgerritye proposed openstack/infra-manual master: Update bug status link.  https://review.opendev.org/67421808:12
*** iurygregory has quit IRC08:35
*** jtomasek has quit IRC08:40
*** apetrich has quit IRC08:49
*** Lucas_Gray has joined #openstack-infra08:51
*** smrcascao has joined #openstack-infra08:52
*** Goneri has joined #openstack-infra08:54
*** ramishra has joined #openstack-infra08:57
*** tkajinam_ has quit IRC09:01
*** e0ne has joined #openstack-infra09:03
*** jtomasek has joined #openstack-infra09:03
*** derekh has joined #openstack-infra09:06
*** markvoelker has joined #openstack-infra09:13
*** bhavikdbavishi has quit IRC09:13
openstackgerritMark Goddard proposed openstack/project-config master: Rename x/kayobe* to openstack/  https://review.opendev.org/66929809:29
*** electrofelix has joined #openstack-infra09:37
*** markvoelker has quit IRC09:46
*** ramishra has quit IRC09:48
*** ramishra has joined #openstack-infra09:48
*** Lucas_Gray has quit IRC09:49
*** Lucas_Gray has joined #openstack-infra09:51
*** ociuhandu has joined #openstack-infra09:54
*** Goneri has quit IRC09:56
*** yamamoto has quit IRC10:07
*** gfidente has quit IRC10:09
*** pkopec has quit IRC10:11
*** yamamoto has joined #openstack-infra10:13
*** priteau has joined #openstack-infra10:13
*** yamamoto has quit IRC10:15
*** yamamoto has joined #openstack-infra10:15
*** yamamoto has quit IRC10:21
*** yamamoto has joined #openstack-infra10:23
*** yamamoto has quit IRC10:23
*** yamamoto has joined #openstack-infra10:24
openstackgerritMatthieu Huin proposed zuul/zuul master: [WIP] Add OpenAPI description for enqueue, dequeue, autohold  https://review.opendev.org/67425710:25
*** yamamoto has quit IRC10:29
*** tdasilva has quit IRC10:33
*** hrw has joined #openstack-infra10:34
hrwmorning10:34
*** ociuhandu has quit IRC10:34
*** ociuhandu has joined #openstack-infra10:34
hrwhttps://review.opendev.org/#/c/668157/ got merged month ago and debian/buster is still mirrored without backports. also without updates.10:35
hrwhttp://mirror.london.linaro-london.openstack.org/debian/dists/ http://mirror.ord.rax.opendev.org/debian/dists/ should have buster-backports from that patch iirc...10:36
hrwhave to find also where to enable buster-updates10:36
*** ociuhandu has quit IRC10:36
*** ociuhandu has joined #openstack-infra10:37
*** pkopec has joined #openstack-infra10:44
*** apetrich has joined #openstack-infra10:45
*** iurygregory has joined #openstack-infra10:47
*** Goneri has joined #openstack-infra10:51
*** gfidente has joined #openstack-infra10:54
fricklerhrw: mirror.debian and mirror.fedora haven't updated in a month according to http://grafana.openstack.org/d/ACtl1JSmz/afs?orgId=1 , I didn't get to check what is happening there yet, maybe some other infra-root can step in later10:59
hrwfrickler: thanks10:59
*** ricolin has quit IRC11:00
*** ginopc has quit IRC11:04
*** yamamoto has joined #openstack-infra11:08
*** jaosorior has quit IRC11:08
*** yamamoto has quit IRC11:13
*** pkopec_ has joined #openstack-infra11:14
*** pkopec has quit IRC11:17
*** ccamacho has joined #openstack-infra11:18
*** tdasilva has joined #openstack-infra11:19
*** Wryhder has joined #openstack-infra11:23
*** Lucas_Gray has quit IRC11:23
openstackgerritAdam Spiers proposed openstack/project-config master: Make gerritbot notify #openstack-neutron IRC channel of stable reviews  https://review.opendev.org/67427311:24
*** Wryhder is now known as Lucas_Gray11:24
hrwfungi: ^^11:24
hrwfungi: or better way: can Debian mirrors get updates more often than once per month?11:25
*** zbr has quit IRC11:25
*** iurygregory has quit IRC11:31
*** iurygregory has joined #openstack-infra11:31
*** jpena is now known as jpena|lunch11:34
*** yamamoto has joined #openstack-infra11:35
*** ykarel|away has joined #openstack-infra11:36
*** kopecmartin is now known as kopecmartin|pto11:36
*** yamamoto has quit IRC11:36
*** guoqiao has joined #openstack-infra11:36
*** joeguo has quit IRC11:37
*** yamamoto has joined #openstack-infra11:43
*** takamatsu is now known as mauro|call11:44
*** yamamoto has quit IRC11:45
*** iurygregory has quit IRC11:47
*** iurygregory has joined #openstack-infra11:48
*** SotK__ has quit IRC11:51
*** Lucas_Gray has quit IRC11:51
*** guoqiao has quit IRC11:52
*** aedc has quit IRC11:54
*** rpittau|afk is now known as rpittau11:56
*** yamamoto has joined #openstack-infra11:57
*** yamamoto has quit IRC11:58
*** yamamoto has joined #openstack-infra11:59
*** markvoelker has joined #openstack-infra12:00
*** Lucas_Gray has joined #openstack-infra12:00
*** witek has quit IRC12:01
*** udesale has quit IRC12:02
*** udesale has joined #openstack-infra12:03
*** markvoelker has quit IRC12:03
*** markvoelker has joined #openstack-infra12:03
*** yamamoto has quit IRC12:03
*** markvoelker has quit IRC12:04
*** panda is now known as panda|lunch12:05
*** redrobot has joined #openstack-infra12:07
*** Lucas_Gray has quit IRC12:08
*** yamamoto has joined #openstack-infra12:09
*** pgaxatte has quit IRC12:12
*** yamamoto has quit IRC12:13
*** yamamoto has joined #openstack-infra12:13
*** markvoelker has joined #openstack-infra12:16
*** yamamoto has quit IRC12:18
*** rh-jelabarre has joined #openstack-infra12:22
*** ricolin has joined #openstack-infra12:23
*** ociuhandu has quit IRC12:24
*** rlandy has joined #openstack-infra12:25
*** dpawlik has joined #openstack-infra12:25
*** pgaxatte has joined #openstack-infra12:27
*** priteau has quit IRC12:28
openstackgerritMerged openstack/ptgbot master: Reset to OrderedDict on new day cleanup  https://review.opendev.org/67057712:35
*** zbr has joined #openstack-infra12:35
openstackgerritMerged openstack/ptgbot master: Clean up stale data presence on a #newday command  https://review.opendev.org/67057812:35
openstackgerritMerged openstack/ptgbot master: Add Python 3 Train unit tests  https://review.opendev.org/67075312:35
*** witek has joined #openstack-infra12:35
*** jpena|lunch is now known as jpena12:39
*** jamesmcarthur has joined #openstack-infra12:39
*** ykarel|away has quit IRC12:40
hrwjpena: can you help with debian mirroring?12:43
jpenahrw: I'm not an infra-root, so there's not a lot I can do to help, I'm afraid12:44
*** n-saito has quit IRC12:44
jpenadmsimard maybe? ^^12:44
hrwjpena: ok.12:44
hrwjpena: I lost track who is who ;(12:44
jpenano worries :D12:44
hrwusing Debian as a base for anything around openstack feels like asking for problems ;D12:45
*** yamamoto has joined #openstack-infra12:47
*** yamamoto has quit IRC12:49
openstackgerritThierry Carrez proposed opendev/irc-meetings master: Free up unused API SIG meeting slot  https://review.opendev.org/67429912:51
openstackgerritThierry Carrez proposed opendev/irc-meetings master: Free up unused openstack-chef meeting slot  https://review.opendev.org/67430012:52
openstackgerritThierry Carrez proposed opendev/irc-meetings master: Free up unused Designate meeting slot  https://review.opendev.org/67430112:53
openstackgerritThierry Carrez proposed opendev/irc-meetings master: Free up unused Dragonflow meeting slot  https://review.opendev.org/67430312:54
*** witek has quit IRC12:54
openstackgerritThierry Carrez proposed opendev/irc-meetings master: Free up unused Gluon meeting slot  https://review.opendev.org/67430412:54
openstackgerritThierry Carrez proposed opendev/irc-meetings master: Free up unused LCOO WG meeting slot  https://review.opendev.org/67430512:55
openstackgerritThierry Carrez proposed opendev/irc-meetings master: Free up unused Mogan meeting slot  https://review.opendev.org/67430612:56
openstackgerritThierry Carrez proposed opendev/irc-meetings master: Free up unused Murano meeting slot  https://review.opendev.org/67430712:57
openstackgerritThierry Carrez proposed opendev/irc-meetings master: Free up unused BGPVPN meeting slot  https://review.opendev.org/67430812:58
*** markvoelker has quit IRC12:58
*** markvoelker has joined #openstack-infra12:58
openstackgerritThierry Carrez proposed opendev/irc-meetings master: Free up unused Telco NFV ops meeting slot  https://review.opendev.org/67430912:59
*** rh-jelabarre has quit IRC13:00
*** yamamoto has joined #openstack-infra13:02
*** yamamoto has quit IRC13:02
*** yamamoto has joined #openstack-infra13:03
* smcginnis remembers debates about adding another meeting channel in order to fit them all13:03
*** sthussey has joined #openstack-infra13:04
*** ekultails has joined #openstack-infra13:06
*** panda|lunch is now known as panda13:06
AJaegersmcginnis: meetings can now happen in the project channel as well...13:08
*** yamamoto has quit IRC13:08
hrwwe that way in Kolla.13:08
hrws/we/we do/13:08
smcginnisAJaeger: Yeah, I'd say things have gotten a lot better since back then.13:09
*** priteau has joined #openstack-infra13:10
*** ociuhandu has joined #openstack-infra13:11
*** jcoufal has joined #openstack-infra13:11
*** ccamacho has quit IRC13:18
*** pkopec_ has quit IRC13:18
*** eharney has joined #openstack-infra13:19
*** mriedem has joined #openstack-infra13:21
*** happyhemant has joined #openstack-infra13:21
*** yamamoto has joined #openstack-infra13:22
*** markvoelker has quit IRC13:25
*** goldyfruit has quit IRC13:25
*** markvoelker has joined #openstack-infra13:25
*** goldyfruit has joined #openstack-infra13:25
*** dciabrin__ is now known as dciabrin13:31
*** aaronsheffield has joined #openstack-infra13:32
*** ramishra has quit IRC13:33
*** lseki has joined #openstack-infra13:36
*** pkopec has joined #openstack-infra13:39
*** jcoufal_ has joined #openstack-infra13:48
*** jcoufal has quit IRC13:48
*** pgaxatte has quit IRC13:54
*** rascasoft has quit IRC13:56
zbrianw: do you happen to be core on testinfra?13:57
*** rascasoft has joined #openstack-infra13:58
*** pgaxatte has joined #openstack-infra14:00
*** odicha has quit IRC14:02
*** ramishra has joined #openstack-infra14:03
*** jamesmcarthur has quit IRC14:10
fungifrickler: hrw: i know the debian mirror problem was that the buster mirroring was added without adding the buster signing key (and stretch had been added without the stretch signing key for that matter) and so at least buster-backports is now no longer being signed by the jessie signing key. we merged a change to replace the jessie signing key with those for stretch and buster, and i meant to check14:10
fungiback in on the mirrors to make sure that was working but then got sidetracked. likely i still missed something. will check shortly14:10
hrwfungi: thanks14:11
hrwfungi: we want to add Debian CI job in Kolla. so far it only goes into RETRY_LIMIT (which probably could get renamed to PRE_FAILURE or something)14:12
*** liuyulong has joined #openstack-infra14:15
fungiwell, pre-run playbook failures aren't the only way that a build might get retried14:16
fungiloss of network connection during other phases can also cause it14:16
hrwsure14:17
fungiand just because it was retried the maximum allowed number of times doesn't mean that it failed at the same place each time14:17
*** rh-jelabarre has joined #openstack-infra14:19
hrwfor this one it was same place but not related to CI itself but to Debian mirrors14:19
fungiis it complaining about outdated indices i guess?14:21
fungibut yeah, it looks like reprepro during its validation phase is not finding the keys we're trying to install14:23
openstackgerritMatthieu Huin proposed zuul/zuul master: Add OpenAPI description for enqueue, dequeue, autohold  https://review.opendev.org/67425714:23
hrwfungi: about missing buster-updates and buster-backports14:23
hrwhttps://logs.opendev.org/40/674240/4/check/kolla-build-debian-source/0f774cf/ara-report/result/80fae6d4-f9bf-4cdc-82ab-9bdd80e45d3f/14:24
*** jamesmcarthur has joined #openstack-infra14:24
*** electrofelix has quit IRC14:25
fungithere are no puppet errors about failing to install the stretch and buster archive signing keys though14:25
fungiso they must not be ending up where reprepro tries to find them (also not appearing in the output of `apt-key list`)14:25
fungi`gpg2 --list-keys` as root does show them though, so i think there's an assumption in the puppet module that reprepro is checking root's keychain rather than the system's secure apt trusted keys14:29
fungiwhich is not the case14:29
*** jamesmcarthur has quit IRC14:30
fungior the problem may be that we're specifying the ids of the master keys but the archives are signed by subkeys14:32
*** jamesmcarthur has joined #openstack-infra14:33
fungitesting now to see whether that's it, and will push up a patch momentarily if so14:34
fungihrm, nope14:34
fungior it's that we're not providing the subkeys to it at all14:35
*** dpawlik has quit IRC14:38
*** Lucas_Gray has joined #openstack-infra14:39
hrw"curl https://somewhere/key | apt-key add -" or sth like that14:41
*** pgaxatte has quit IRC14:43
*** michael-beaver has joined #openstack-infra14:47
*** pkopec has quit IRC14:48
*** goldyfruit has quit IRC14:50
*** ekultails has quit IRC14:53
*** iurygregory has quit IRC14:57
fungiwell, no. we directly puppet in the key material15:00
fungiwe take keys from https://ftp-master.debian.org/keys.html15:00
fungiand it does indeed appear that reprepro doesn't use the trust ring `apt-key add` would manage, for obvious reasons (that would be keys trusted to sign repositories for packages installed on the local system, not keys signing repositories you want to mirror on your system)15:01
fungianyway, i've narrowed it down to a mix of needed the release keys for some archives, the stable keys for others, and allowing subkeys on some of them15:01
*** diga has quit IRC15:02
funginot entirely straightforward but it seems to be working correctly with a manual run now and i'll push up a review with the correct pieces15:02
openstackgerritSorin Sbarnea proposed zuul/zuul-jobs master: WIP: add-build-sshkey: add centos/rhel-8 support  https://review.opendev.org/67409215:03
fungihrw: i'll let you know once the mirror update run completes for the debian mirrors15:05
fungiit may take an hour or so with the outstanding delta15:05
hrwfungi: thank you for that work15:05
*** kjackal has joined #openstack-infra15:05
clarkbthere is more than one key required?15:06
*** armax has joined #openstack-infra15:07
clarkbinfra-root have you had a chance to look at https://etherpad.openstack.org/p/debugging-gitea08-OOM yet? I'm curious to hear what other think about that15:07
*** Goneri has quit IRC15:07
*** ociuhandu has quit IRC15:09
*** ociuhandu has joined #openstack-infra15:09
*** liuyulong has quit IRC15:13
clarkbdouble checking gitea08 for OOM in the last 12 hours (there isn't any so not a daily occurence) there is a message from conntrack complaining that something is trying to speak gre to it15:15
clarkbI wonder if there are machines in vexxhost scanning for gre tunnels they can join?15:15
*** gfidente has quit IRC15:17
*** markvoelker has quit IRC15:18
*** markvoelker has joined #openstack-infra15:20
openstackgerritMerged zuul/zuul-jobs master: Don't compare to literal True/False  https://review.opendev.org/66769715:22
openstackgerritMerged zuul/zuul-jobs master: Add test-bindep job  https://review.opendev.org/67407815:22
*** mattw4 has joined #openstack-infra15:22
*** kjackal has quit IRC15:23
fungiclarkb: yeah, i haven't completely nailed down which is being used where (would need to systematically pick apart the detached signatures for all the package reopsitories/suites to map it out), and the description at https://ftp-master.debian.org/keys.html of how they're applied is unfortunately vague, but i have at least hit on a working set of keys15:24
clarkbaspiers: happy to talk about my findings furhter either here or on the mailing list (though #zuul likely isn't the correct venue)15:25
clarkbaspiers: unfortunately I don't expect eatmydata to help much in those two particular cases I've identified beacuse the problems are recurrent redundant tasks and lack of memory15:25
clarkbfungi: seems odd that debian would go from one jessie key working across multiple releases to need multiple keys for a single release?15:26
fungiwell, they didn't sign buster-backports with the jessie key15:26
fungi(also we're not mirroring jessie, it's the oldoldstable release now, so we ought to switch to newer keys anyway)15:27
clarkbI agree I'm just finding it weird that one key would work across jessie and stretch and then buster needs more than one key for one release?15:27
fungieach one is signed with multiple keys15:27
clarkbeg shouldn't there be one key that also works for buster15:28
fungiand i think the idea is that stretch needed to be signed by jessie's keys so that users could upgrade to stretch using the keys they already had under jessie15:28
fungiwhy the jessie key also worked for buster main suites i don't know15:28
clarkbright but why wouldn't the buster key work then?15:29
clarkbdid something change or did we just get that bit wrong?15:29
fungioh, it does work, it's just there are several of them15:29
fungiand they're not used ubiquitously15:29
openstackgerritMerged zuul/nodepool master: builder: Remove recency table logging  https://review.opendev.org/67412415:30
fungiso at the moment i've got it working with a mix of keys from the "archive keys" and the "stable keys" at https://ftp-master.debian.org/keys.html15:30
*** goldyfruit has joined #openstack-infra15:31
clarkbthe three buster keys listed there?15:32
*** eharney has quit IRC15:32
fungithough also they're multiple signatures in one file and modern gnupg can't handle that so it only ever verifies the first signature it finds (which is usually the one for the oldest key). i'm not sure if reprepro is using gnupg for its verification steps, but if so we may also still need to include the jessie keys as a result (because they're the first signatures in the files for stretch)15:32
fungionce the mirror is caught up i'll test taking it back out again, but i ended up adding it back initially to get things working15:33
*** factor has joined #openstack-infra15:33
fungioh, and also added complication is that for some suites they're using a signing subkey, so it took some work to map those back to determine which keys still needed to be added... and also reprepro needs you to explicitly say that verifying against subkeys is okay by adding a + at the end of the key id15:35
*** kjackal has joined #openstack-infra15:35
fungi(the subkey ids are not themselves listed at https://ftp-master.debian.org/keys.html )15:36
clarkbah so we'll have to modify the reprepro config a bit too15:37
mriedemclarkb: this will get n-api-meta running with memcache in gate jobs again https://review.opendev.org/#/c/674025/15:38
mriedemthe tempest change was reverted b/c it broke ironic standalone15:38
*** mattw4 has quit IRC15:38
clarkbmriedem: the previous cache change broke things too right?15:38
clarkbdo we know how/why?15:39
mriedemi only heard about the tempest change breaking ironic standalone since it didn't have nova15:39
mriedemthis i mean https://review.opendev.org/#/c/672715/15:39
mriedemreverted here https://review.opendev.org/#/c/673784/15:39
AJaegerand it failed since it tried to acces /etc/nova which did not exist...15:40
clarkbI see by referencing NOVA_CONF it assumed the file/dir existed15:40
clarkbbut now we push that into devstack when services are configured. Got it15:41
clarkbapproved15:41
rpiosoGood morning, ironicers!15:43
mriedemclarkb: thanks15:43
AJaegerrpioso: are you sure you're in the right channel? Or did I miss a joke?15:43
* rpioso realized he's in the wrong channel.15:43
AJaegerrpioso: good morning to you!15:43
rpiosoAJaeger: o/15:44
* rpioso also needs more caffeine. No joke!15:44
* AJaeger sends an espresso to rpioso15:44
*** piotrowskim has quit IRC15:44
*** jpena is now known as jpena|off15:45
rpiosoAJaeger: Thank you so much :-)15:45
openstackgerritLuigi Toscano proposed zuul/zuul-jobs master: fetch-subunit-output: collect additional subunits (2nd try)  https://review.opendev.org/67433415:46
*** goldyfruit has quit IRC15:48
*** tdasilva has quit IRC15:49
*** tdasilva has joined #openstack-infra15:49
corvusclarkb, fungi, mordred, AJaeger: i'd love to merge at least some of topic:zuul-swift today and start exercising that again15:51
AJaegercorvus: might take some time for me to review them today ... First glance: I liked the idea ;)15:52
*** tdasilva has quit IRC15:54
clarkbcorvus: question on https://review.opendev.org/#/c/674143/115:55
corvusmnaser: ^ if you have a second15:56
*** ociuhandu has quit IRC15:56
* mnaser looks at topic15:57
*** mattw4 has joined #openstack-infra15:57
openstackgerritMichael McCune proposed opendev/irc-meetings master: remove the early hours for api-sig  https://review.opendev.org/67433715:59
*** ociuhandu has joined #openstack-infra16:00
clarkbcorvus: and a note about CORS at https://review.opendev.org/#/c/674136/316:02
*** gyee has joined #openstack-infra16:06
*** lucasagomes has quit IRC16:06
openstackgerritAndreas Jaeger proposed openstack/project-config master: Remove in-tree jobs for neutron-classifier  https://review.opendev.org/67434016:06
AJaegercould I get some review for the change above, please? That allows to further update the in-tree config...16:07
*** tdasilva has joined #openstack-infra16:07
*** udesale has quit IRC16:07
*** jamesmcarthur has quit IRC16:08
openstackgerritJames E. Blair proposed zuul/zuul-jobs master: Add CORS support to upload-logs-swift  https://review.opendev.org/67434116:08
corvusclarkb: thanks, that was in the spec, but i forgot to add it :)16:08
*** yamamoto has quit IRC16:11
openstackgerritMerged opendev/base-jobs master: Add swift base test job  https://review.opendev.org/67414316:13
*** pcaruana has quit IRC16:14
*** yamamoto has joined #openstack-infra16:16
openstackgerritMerged opendev/irc-meetings master: remove the early hours for api-sig  https://review.opendev.org/67433716:16
fungihrw: see if things are working better for debian jobs now. the mirror update has completed successfully16:17
funginow to see if i can whittle down this list of keys some16:18
openstackgerritMerged zuul/zuul-jobs master: Support Rackspace in upload-logs-swift  https://review.opendev.org/67413616:18
*** yamamoto has quit IRC16:21
*** ociuhandu has quit IRC16:21
*** ociuhandu has joined #openstack-infra16:22
*** kjackal has quit IRC16:23
*** jbadiapa has quit IRC16:24
*** ociuhandu has quit IRC16:26
*** ociuhandu has joined #openstack-infra16:27
*** altlogbot_3 has quit IRC16:29
openstackgerritSorin Sbarnea proposed zuul/zuul-jobs master: Be consistent about spaces before and after vars  https://review.opendev.org/66769816:31
*** irclogbot_1 has quit IRC16:33
*** altlogbot_3 has joined #openstack-infra16:36
*** adriancz has quit IRC16:38
*** dtantsur is now known as dtantsur|afk16:39
*** smrcascao has quit IRC16:41
*** irclogbot_2 has joined #openstack-infra16:41
*** mattw4 has quit IRC16:42
*** mattw4 has joined #openstack-infra16:43
*** rpittau is now known as rpittau|afk16:46
openstackgerritMerged opendev/base-jobs master: Upload to a swift at random  https://review.opendev.org/67414416:47
*** mattw4 has quit IRC16:50
Shrewsclarkb: it seems openstacksdk on nb03 is at 0.27.0 but the other builders have upgraded to 0.32.0. I'm not sure what's different about that server16:52
Shrewsi wonder if someone manually downgraded it at some point so that it remains at the lowest version satisfied by requirements.txt16:52
clarkbShrews: I think pip will only update sdk if the requirement for it requires a change16:52
clarkbso if 0.27.0 is ok by the requirement it will stay put16:53
Shrewsclarkb: yeah, but it should be the same as the other builders16:53
Shrewsi don't understand how it would diverge16:53
clarkbI'm guessing that was a server we tested an sdk downgrade on to fix a problem16:53
clarkbthen sdk updated to fix the problem and we excluded the broken version the other nodes had installed16:54
Shrewshrm. i suppose i should manually upgrade it then16:54
clarkbthe exclusion meant the other servers upgraded but 0.27.0 was not excluded so remained fixed16:54
clarkbI seem to recall that happening with a bug in image uploads maybe?16:55
clarkb(the downgrade I mean)16:55
clarkbbut nl03 doesn't upload images16:55
*** ociuhandu has quit IRC16:57
Shrewsoh, hrm. a manual upgrade failed16:57
*** ociuhandu has joined #openstack-infra16:57
*** tesseract has quit IRC16:58
Shrewskubernetes 7.0.0 has requirement setuptools>=21.0.0, but you'll have setuptools 20.7.0 which is incompatible.16:58
openstackgerritMerged zuul/zuul-jobs master: Add CORS support to upload-logs-swift  https://review.opendev.org/67434116:59
*** Goneri has joined #openstack-infra16:59
openstackgerritSorin Sbarnea proposed zuul/zuul-jobs master: Make all lines less than 160 characters long  https://review.opendev.org/66769617:00
mordredinfra-root: I'm afk for the nxt couple of hours - will ping when I'm back on17:00
clarkbShrews: we should be ablt to pip install -U setuptools to fix that17:01
*** derekh has quit IRC17:01
clarkbI do not know why pip wouldn't update setuptools given that requirement17:01
clarkbShrews: also remember that it is pip3 that matters on those hosts17:02
Shrewsyep, i'm using pip317:02
*** ociuhandu has quit IRC17:02
clarkb(that is something I frequently forget then remember when pip freeze doesn't show what I expect)17:03
Shrewsbut i'm suddenly having major connectivity issues17:03
*** igordc has joined #openstack-infra17:03
openstackgerritMerged openstack/project-config master: Make gerritbot notify #openstack-neutron IRC channel of stable reviews  https://review.opendev.org/67427317:03
*** rosmaita has left #openstack-infra17:04
*** ricolin has quit IRC17:07
openstackgerritJeff Liu proposed zuul/zuul-operator master: WIP: Add zuul-operator-functional-openshift job  https://review.opendev.org/67435517:09
*** kjackal has joined #openstack-infra17:10
openstackgerritJeff Liu proposed zuul/zuul-operator master: WIP: Add zuul-operator-functional-openshift job  https://review.opendev.org/67435517:12
Shrewswow, nb03 is so different. now have issues uninstalling pyyaml, different versions of pip3, ...17:13
clarkboh this is nb0317:14
clarkbsorry I read it as nl03 initially17:14
clarkbthat is our arm64 builder so ya different17:15
AJaegerconfig-core, could you review https://review.opendev.org/674340 to remove some jobs that are in-tree now, please?17:15
openstackgerritJames E. Blair proposed zuul/zuul-jobs master: DNM: test swift logs  https://review.opendev.org/67435817:15
clarkbShrews: I want to say it is still using puppet3 too beacuse puppet4 doesn't have arm64 packages17:15
fungiShrews: clarkb: `pip install -U ...` with recent versions of pip uses an upgrade strategy of "only-if-needed" by default meaning it won't upgrade dependencies unless the currently-installed version is less than the required version range allows. you need to add --upgrade-strategy=eager to get it to always upgrade to the latest versions of all dependencies if that's what you want (but be forewarned17:15
fungithat gets complicated if you're mixing distro packages and packages from pypi)17:16
openstackgerritJames E. Blair proposed zuul/zuul master: DNM: test swift logs  https://review.opendev.org/67435917:16
fungiso in a virtualenv/venv, eager is fine. if you're installing packages system-wide then pip will try to replace any deps which come from distro packages with newer versions from pypi17:17
Shrewsfungi: i think i'm just going to leave it on openstacksdk 0.27.0 for now17:17
fungiwhich is annoying if you're trying to maintain some deps via distro package management17:17
clarkbShrews: what version of sdk do we want? I'd like to take a look just to see what is going on17:18
fungiShrews: one option if we know we always want latest openstacksdk is to just install it explicitly rather than letting it get installed as a dependency17:18
Shrewsclarkb: latest.  0.32.017:18
Shrewsclarkb: fungi: any objections if i restart nb01 and nb02 now?17:18
fungino objections from me17:19
*** panda has quit IRC17:19
Shrewsi'm not so concerned about nb03 for the moment17:19
clarkbShrews: the yaml problem is the distutils vs pip fight17:19
clarkbthe solution there is to uninstall pyyaml via the system deps if possible17:19
*** dpawlik has joined #openstack-infra17:19
*** panda has joined #openstack-infra17:20
Shrewswell, i'll restart later. they both just started a dib build17:20
fungithe reason we install pyyaml via distro packages (or did anyway) was lack of a suitable wheel for it, which resulted in needing a full c build toolchain and headers for libyaml and such17:21
*** openstackgerrit has quit IRC17:22
fungiyeah, will still be a problem: https://pypi.org/project/PyYAML/#files17:22
clarkbfungi: I can't find evidence that we installed pyyaml from distro packages ourselves. Looks like cloud init depends on it17:22
clarkbfungi: and I think those are optional for installing pyyaml from source17:23
fungialso entirely probable if those images include cloud-init, yes17:23
clarkbif you don't have them you don't get bindings against libyaml17:23
*** gyee has quit IRC17:24
clarkbI know we attempt to uninstall cloud-init17:24
clarkbtrying to figure out if that is happening17:24
fungiwell, at least in the past it insisted on linking libyaml, but it detected at runtime if libyaml was available and wouldn't use the built c extensions if it wasn't17:24
*** mattw4 has joined #openstack-infra17:24
fungior so i thought17:25
clarkbwe remove cloud-init in launch node but don't have that as part of our 15 minute cron enforcement17:25
fungidid we add the cloud-init removal more recently than those systems were launched?17:26
fungii guess that would explain its presence17:26
clarkbya17:26
*** ociuhandu has joined #openstack-infra17:26
clarkbI think what we can do is uninstall cloud-init and python3-yaml, reboot to make sure host comes up with its networking properly, then reinstall sdk at the version you want17:27
fungii concur17:27
clarkbShrews: ^ that seem reasonable to you?17:27
clarkbif so I can do that17:28
Shrewssure17:28
*** priteau has quit IRC17:31
clarkbfungi: fwiw pyyaml intsalled fine with libyaml on the host but no -dev package17:31
fungigood!17:32
fungiand no glibc-dev or gcc?17:32
clarkbserver is rebooting now17:32
clarkbfungi: we install gcc on all our machines iirc17:33
clarkbgcc and libc-dev-bin are both installed17:33
fungiokay, so not a huge deal then that it still has to build the sdist17:34
*** dpawlik has quit IRC17:34
clarkb`python setup.py --with-libyaml install` is how you build with libyaml bindings17:35
clarkbso ya I think it may just be doing pure python as is17:36
clarkbwhich for our purposes should be fine17:36
*** gyee has joined #openstack-infra17:36
clarkbyou also have to explicitly import the C bound loader17:36
fungioh, perfect. that used to not be an option17:36
clarkbShrews: I think nb03 is all happy now17:38
Shrewsclarkb: awesome17:38
Shrewsi'll restart the other builders when they're less busy17:40
Shrews(the process, not the vm)17:40
clarkbsounds good17:40
*** eharney has joined #openstack-infra17:41
*** dpawlik has joined #openstack-infra17:41
*** rfolco|ruck has quit IRC17:42
*** jcoufal_ has quit IRC17:43
*** dpawlik has quit IRC17:45
clarkbcloudnull: out of curiousity were you able to further track down the docker hub 401 behavior (and why it might be cloud/region specific)?17:46
*** Lucas_Gray has quit IRC17:47
*** openstackgerrit has joined #openstack-infra17:47
openstackgerritJames E. Blair proposed zuul/zuul master: WIP: render console in js  https://review.opendev.org/67436817:47
*** goldyfruit has joined #openstack-infra17:47
*** ociuhandu has quit IRC17:49
*** ociuhandu has joined #openstack-infra17:50
*** ociuhandu has quit IRC17:50
openstackgerritJames E. Blair proposed zuul/zuul master: WIP: render console in js  https://review.opendev.org/67436817:50
*** ralonsoh has quit IRC17:51
*** ramishra has quit IRC17:52
openstackgerritJames E. Blair proposed opendev/base-jobs master: Fix base-test-swift post playbook reference  https://review.opendev.org/67437217:52
clarkbmriedem: thinking about the low e-r classification rate, any ideas on how we might get more involvement with that?17:52
corvusclarkb, fungi: can we speedy merge this simple fix:   https://review.opendev.org/67437217:52
clarkbMaybe we can convince the various bug deputies to make that a part of their bug management process?17:53
clarkbcorvus: done17:53
fungilooks fine to me too17:54
clarkbmaybe only neutron is doing bug deputy as a formal process17:54
*** georgk has quit IRC17:55
*** fdegir has quit IRC17:55
*** georgk has joined #openstack-infra17:56
*** fdegir has joined #openstack-infra17:56
clarkbhttps://logs.opendev.org/68/672568/6/check/networking-midonet-tempest-aio-ml2-centos-7/8ab0eb2/logs/devstacklog.txt#_2019-08-02_15_30_47_67917:56
clarkbslaweq: ^ do you know who might be interested in that job?17:57
clarkbjohnsom: rm_work any idea why octavia builds happily resolve the fortnebula mirror at https://logs.opendev.org/37/673337/5/check/octavia-v2-dsvm-py2-scenario-centos-7/4e3a8b2/job-output.txt#_2019-08-02_00_41_51_583215 but then fail to do so at https://logs.opendev.org/37/673337/5/check/octavia-v2-dsvm-py2-scenario-centos-7/4e3a8b2/job-output.txt#_2019-08-02_01_03_22_70141817:59
johnsomlooking18:00
*** jcoufal has joined #openstack-infra18:00
clarkbslaweq: remote:   https://review.opendev.org/674397 Stop running the centos-7 integration jobs. I pushed that to networking-midonet18:02
openstackgerritMerged opendev/base-jobs master: Fix base-test-swift post playbook reference  https://review.opendev.org/67437218:03
johnsomclarkb Are the instances not using unbound anymore? https://logs.opendev.org/37/673337/5/check/octavia-v2-dsvm-py2-scenario-centos-7/4e3a8b2/controller/logs/unbound_log.txt.gz18:04
clarkbjohnsom: they should be but we don't enable the logging by default for unbound iirc18:05
clarkbdoes devstack capture ps output still?18:05
clarkbshould be able to check that18:05
johnsomI don't think so18:06
openstackgerritJeff Liu proposed zuul/zuul-operator master: WIP: Add zuul-operator-functional-openshift job  https://review.opendev.org/67435518:06
johnsomThe "listener53" file shows an unbound process18:06
clarkbunbound by default doesn't log very verbosely18:06
*** diablo_rojo has joined #openstack-infra18:06
*** diablo_rojo has quit IRC18:07
*** diablo_rojo has joined #openstack-infra18:07
clarkbdonnyd: looks like you set | maxTotalInstances        |     0 | on fn cloud?18:08
johnsomTrue. I run it at home and bump the log level18:08
clarkbjohnsom: ^ we may have to wait for that to change to debug it further as no isntances can be booted there currently18:08
mriedemclarkb: last time i looked at uncategorized it seemed like a lot of unit test jobs18:08
fungiclarkb: does 0 not mean "unlimited" i guess?18:09
mriedemyeah neutron functional18:09
clarkbfungi: -1 is unlimited18:09
fungiahh18:09
clarkbfungi: 0 is zero18:09
clarkbjohnsom: fwiw https://logs.opendev.org/51/662351/22/check/tripleo-ci-centos-7-scenario009-multinode-oooq-container/a76bbd1/logs/undercloud/var/log/extra/logstash.txt#_2019-08-02_15_55_57 is doing similar on a different cloud that doesn't ipv618:10
clarkbjohnsom: so my initial suspicions that many it was related to ipv6 only cloud configs might not hold up18:10
donnydI'm fixing cinder18:10
*** goldyfruit has quit IRC18:10
clarkbdonnyd: ah18:10
logan-hello folks, if it is alright I'd like to re-enable the nodepool host aggregate on limestone so we can start scheduling there again. I have time over the next few days to monitor for job failures and disable/investigate further if things act up. sound alright?18:10
clarkblogan-: I'm ok with it18:11
donnydIt got very angry last night18:11
*** e0ne has quit IRC18:11
johnsomclarkb At that point we are not doing anything special, so I'm not sure it is unique to us, other than maybe installing some bindep later in the devstack than others.18:11
johnsomclarkb This seems a bit odd: https://logs.opendev.org/37/673337/5/check/octavia-v2-dsvm-py2-scenario-centos-7/4e3a8b2/controller/logs/syslog.txt.gz#_Aug_02_01_03_1618:11
clarkbjohnsom: I think iptables knows you didn't send out a request and therefore drops responses?18:13
clarkbthat could be another instance on the same network asking for a lease18:13
clarkbI don't think that is a problem aprticularly with iptables doing the right thing there18:13
johnsomAh, IN is eth0, so yeah, that is the right answer.18:14
*** jtomasek has quit IRC18:15
clarkblogan-: looks like max-servers is set to 50 currently so you will be controlling that via quotas?18:17
clarkblogan-: let me know if I can help18:17
clarkbmriedem: ya it is looking like a lot of functional and unittest failures18:17
logan-clarkb: yep I just don't have any hosts enabled for nodepools flavors, so im about to add the hosts back to the aggregate and it will start scheduling again18:17
clarkbin theory those unittests should never fail in the gate right?18:17
johnsomclarkb Yeah, I don't see why that would be happening. I think we would need to crank up the unbound logging to see why it is not able to resolve that hostname for curl.18:18
logan-clarkb: done now, we should see jobs go active there18:18
mriedemclarkb: unit tests can have races,18:19
clarkbmriedem: looks like some of the failures for unitests at least were caught by the bug in fetching subunit files role18:19
mriedemi opened two bugs, one for the sdk and one to nova for something i'm seeing in one of the nova functional failures - but likely only affects logstash indexing and subunit parsing18:19
johnsomclarkb I see they are using DNSSEC, I wonder if the unbound key file is out of date or the clocks are skewed18:19
clarkbjohnsom: does unbound enforce dnssec in our config? /me checks18:20
johnsomthey == us I guess18:20
*** goldyfruit has joined #openstack-infra18:20
mriedemclarkb: is that what this means?18:22
mriedemIOError: [Errno 13] Permission denied: '/opt/stack/logs/devstacklog.txt18:22
clarkbmriedem: the subunit thing is https://logs.opendev.org/87/673987/1/gate/cross-glance-py27/da79068/job-output.txt.gz#_2019-08-01_17_26_49_76261718:23
corvushttps://storage.gra1.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/logs_58/674358/1/check/zuul-jobs-tox-linters/75b39e6/18:23
mriedemidk what is causing that though18:23
corvushttps://287243e9f3400bfe63ce-8b938dd2076b97d235f21ad4df33ebf0.ssl.cf1.rackcdn.com/674358/1/check/tox-py27/5346bab/18:23
mriedemi only get 2 hits on this18:24
mriedemmessage:"cannot create" AND message:".subunit: Directory nonexistent" AND tags:"console"18:24
mriedemin 17 days18:24
mriedem*718:24
clarkbjohnsom: looks like yes our unbound config sets the trust anchor file18:24
clarkbcorvus: both seem to work for me and both are served via https18:25
*** diablo_rojo has quit IRC18:25
fungiclarkb: do we get the trust anchor file from somewhere else or are we embedding it directly and have neglected to refresh our copy?18:25
*** diablo_rojo has joined #openstack-infra18:26
mriedemthis seems legit in neutron functional within the last 24 hours18:26
mriedemmessage:"IOError: [Errno 13] Permission denied: '/opt/stack/logs/devstacklog.txt" AND tags:"console"18:26
mriedemslaweq: ^18:26
*** goldyfruit has quit IRC18:26
clarkbfungi: I think it may come from the distro package install. It lives at /var/lib/unbound/root.key on centos18:26
clarkbfungi: pretty sure we don't touch that18:26
corvusclarkb: there seem to be cors problems with both of those18:27
fungiokay, so yeah it's up to centos to keep that updated, as long as our images are fresh18:27
clarkbcorvus: I was just checking that, ya I don't see the cors headers in the responses18:27
clarkbcorvus: maybe we have to set it for every file upload and not just at the container level?18:28
corvushrm, i thought the docs said container; i'll dig into it after lunch18:28
*** ykarel|away has joined #openstack-infra18:29
mriedemoooo i bet this is what breaks neutron functional https://github.com/openstack/devstack/commit/352d58a7afd9e2261e639af78e4fb4c99d8f9f8118:29
fungimriedem: wow, that's over 4 years old18:31
mriedem"Fix setup-devstack-log-dir to create the logs directory with correct permissions in the first place."18:31
mriedemhttps://bugs.launchpad.net/devstack/+bug/183881118:33
openstackLaunchpad bug 1838811 in devstack "/opt/stack/devstack/tools/outfilter.py failing in neutron functional jobs since 8/2" [Undecided,New]18:33
openstackgerritJeff Liu proposed zuul/zuul-operator master: WIP: Add zuul-operator-functional-openshift job  https://review.opendev.org/67435518:35
donnydclarkb: it would seem that i need to turn down the max_concurrent_builds from the defaults... just too much for my one little cinder-volume server18:40
donnydand it seems to work, but now i am just trying to clean up the damage18:40
clarkbdonnyd: is this related to boot from volume?18:40
donnydbefore i bring it back online18:40
donnydyea18:40
donnydi have about 50 volumes stuck in detaching18:41
donnydthe other 300 removed just fine18:41
*** guimaluf has joined #openstack-infra18:41
fungiclarkb: i think i've confirmed that at least the reprepro version on xenial is unable to check against any other than the first signature in each Release.gpg file, so for the stretch repository we still need to use the jessie archive signing key (the stretch Release.gpg is signed first by that and secondly by the stretch stable release key). hopefully this improves on bionic when we get the mirroring18:49
fungimoved18:49
clarkbjohnsom: a bit more data from logstash, ubuntu xenial, bionic and centos 7 all seem to have that problem and it affects all clouds18:50
clarkbjohnsom: that makes me doubt the root key problem since we get that from the distros and it would be odd for them to all fail to update. However it could still be dnssec just broken a different way18:50
clarkbfungi: ok so we keep the old release keys and add the new ones basically18:51
clarkbjohnsom: oh wait there are a lot of hits for could not resolve host fake18:51
* clarkb cleans up and rechecks those assumption18:51
fungii was able to get it to work with a minimum of "VerifyRelease: 7638D0442B90D010|E0B11894F66AEC98+" (jessie archive signing key, and stretch archive signing key with subkey signatures allowed for the latter)18:51
fungibut yeah, we should likely include some other keys in there in preparation for when the jessie keys are retired18:52
clarkbjohnsom: ya if I exclude the could not resolve host fake messages then I'm left with three helm tests that failed toresolve a name served by k8s and the rest are all centos718:53
clarkbjohnsom: which puts centos 7 root key back into potential suspicion18:53
*** ykarel|away has quit IRC18:55
*** rfolco has joined #openstack-infra19:00
*** rfolco is now known as rfolco|ruck19:01
openstackgerritJeremy Stanley proposed opendev/system-config master: Re-add the Debian 8/jessie key to reprepro  https://review.opendev.org/67440619:05
fungihrw: clarkb: ^19:05
openstackgerritJeff Liu proposed zuul/zuul-operator master: WIP: Add zuul-operator-functional-openshift job  https://review.opendev.org/67435519:09
clarkbfungi: I may have tracked down part of the midonet issues. Both http://builds.midonet.org/misc/dists/stable/main/binary-all/Packages and ubuntu bionic universe provide libreswan of a version that works for midolman from http://builds.midonet.org/devstack/dists/unstable/main/binary-all/Packages is that sufficiently enough confusing to apt that it won't decide whcih version to install for you?19:11
clarkbhttps://logs.opendev.org/97/674397/1/check/networking-midonet-tempest-multinode-ml2-full/2758988/logs/devstacklog.txt.gz#_2019-08-02_18_23_59_061 is an example error19:12
clarkbnow I guess I should look at why the fedora mirror hasn't updated in a month19:12
*** portdirect has quit IRC19:13
fungithat's a surprising behavior, if correct19:13
*** portdirect has joined #openstack-infra19:13
*** e0ne has joined #openstack-infra19:13
clarkbcorvus: fungi ianw is http://paste.openstack.org/show/755346/ the sort of thing that happens if a vos release times out while we hold the lock? and if so how do we go about resolving that?19:14
openstackgerritMatt Riedemann proposed opendev/elastic-recheck master: Add query for devstack log file permissions bug 1838811  https://review.opendev.org/67440819:14
openstackbug 1838811 in devstack "/opt/stack/devstack/tools/outfilter.py failing in neutron functional jobs since 8/2" [Undecided,New] https://launchpad.net/bugs/183881119:14
*** kjackal has quit IRC19:14
fungiclarkb: i think the problem is deeper than what you can see in "midolman : Depends: libreswan (>= 3.14-1) but it is not going to be installed" (there is likely some other conflict which is causing "libreswan (>= 3.14-1)" to be unresolveable). i'll see if i can suss it out19:15
corvusclarkb: yes.  short version: make sure no transactions are still running, then manually remove the lock.19:15
clarkbfungi: I'm not sure it is super important their centos jobs don't work because the https cert for that repo expired19:16
corvusclarkb: i have to grab lunch, can support in more detail when i get back.19:16
clarkbcorvus: ok I'll start reading through manpages to do that then19:16
clarkbcorvus: k19:16
clarkbI'm thinking we want to disable the cron for that mirror. I'll hold the lock on mirror-update.opendev.org as a start19:17
fungiclarkb: in the past i have done something like `k5start -t -f /etc/afsadmin.keytab service/afsadmin -- vos unlock mirror.fedora` as root on mirror-update.o.o19:18
clarkbthe lockfile is held on mirror-update server so we shouldn't try and write to it. I'm assuming that we'll want to do a manual reelase as updates may have been large19:18
clarkb(so won't release that lockfile that crontab uses until everything is super happy19:18
clarkbfungi: looks like vos status should tell us if there are transactions or not19:19
fungiyeah, i would err on the side of assuming the cronjob will not complete the refresh in the allowed timeout19:19
clarkbfrom vos listvldb I see that the volume for the fedora mirror is served by afs01.dfw and afs02.dfw19:22
clarkbvos stats against those two volume servers shows no transactions currently running19:23
*** tdasilva has quit IRC19:23
clarkbI assume the next step is to run vos unlock mirror.fedora19:23
clarkbthen manually run the mirror update without the vos release, then run a vos release on the volume server with a -localauth19:23
clarkbI'll wait for corvus to finish lunchingand confirm19:23
clarkbfrom vos unlock manpage: "Do not user this command under normal circumstances."19:24
fungiyeah, i take that to mean "without confirming it's a stale lock"19:27
clarkbya I just like the warning and the typo19:27
openstackgerritMerged opendev/elastic-recheck master: Add query for devstack log file permissions bug 1838811  https://review.opendev.org/67440819:29
openstackbug 1838811 in neutron "/opt/stack/devstack/tools/outfilter.py failing in neutron functional jobs since 8/2" [Undecided,Confirmed] https://launchpad.net/bugs/183881119:29
corvusclarkb: that sounds right; i think you're clear to proceed19:31
clarkbcorvus: great thanks19:31
fungiso i suspect that something else is being installed in the midonet job which depends on an older version of libreswan19:31
*** tosky has quit IRC19:32
clarkbmirror.fedora has been unlocked. proceeding to run stuff on mirror-update to sync the mirror without doing a vos release. Then will run vos release -localauth in screen on afs01.dfw.openstack.org19:32
*** dciabrin_ has joined #openstack-infra19:32
clarkbwow that is a fairly complicated script. I guess I'll make a copy of it and remove the vos release19:33
fungiclarkb: i see that midonet job is also configured to get packages from http://archive.ubuntu.com/19:34
fungi2019-08-02 18:23:47.542 | Hit:13 http://archive.ubuntu.com/ubuntu bionic InRelease19:34
*** dciabrin has quit IRC19:34
fungiclarkb: oh! also the libreswan package on builds.midonet.org has an epoch in its version19:36
*** mgoddard has quit IRC19:37
fungiVersion: 1:3.14-119:37
*** dpawlik has joined #openstack-infra19:37
*** rtjure has quit IRC19:38
*** mgoddard has joined #openstack-infra19:38
fungiso i think what's happening is that version is being preferred (because it's higher than bionic's 3.23-4) but one or more of its dependencies can't be satisfied19:38
fungiprobably this worked on xenial and broke when we switched the default nodeset to bionic19:38
clarkbit is higher because the epoch says I win?19:38
fungiyes19:38
clarkbfungi: and ya I expect this broke when we switched to bionic19:39
fungi1:3.14-1 > 3.23-419:39
*** irclogbot_2 has quit IRC19:39
fungialso the log complains the vpp package isn't going to be installed19:40
clarkbya that one doesn't seem to be in ubuntu package mirrors but maybe it too has xenial deps?19:40
*** irclogbot_1 has joined #openstack-infra19:43
clarkbfungi: I'm not sure how important it is to debug I think it has been broken for a long time and I've pushed up changes to stop running those tests19:44
clarkbfungi: I had just noticed them popping up in e-r data and was making sure we weren't at fault and I'm afirly certain we are not19:44
fungiyeah, i think that's fine. looks like abandoned bitrot to me19:44
*** goldyfruit has joined #openstack-infra19:50
clarkbmy fedora rsync script hasn't output much after Everything/x86_64/os/Packages/n/ many Packages/o/ is huge19:52
*** kjackal has joined #openstack-infra19:53
clarkbhrm strace says it is selecting on a fd, I assume that means it is waiting for responses from the upstream19:53
openstackgerritJeff Liu proposed zuul/zuul-operator master: WIP: Add zuul-operator-functional-openshift job  https://review.opendev.org/67435519:54
clarkbwell there is a timeout. I will let it run that long and restart it if it gets killed19:54
*** slaweq has quit IRC19:55
donnydclarkb: FN is back in op20:00
*** whoami-rajat has quit IRC20:04
*** e0ne has quit IRC20:11
*** rh-jelabarre has quit IRC20:11
corvusclarkb: i have cors working in rax cdn now (each object needs the allow header set on it).  moving on to ovh next.20:11
*** diablo_rojo has quit IRC20:12
*** Lucas_Gray has joined #openstack-infra20:12
fungigonna go grab early dinner, back shortly20:14
clarkbthe fedora sync did end up timing out and then getting killed. I have restarted it20:17
clarkbI think the uh.edu mirror may not be online?20:19
*** dpawlik has quit IRC20:19
clarkbI can't hit it over http at least /me double checks they serve via http20:19
corvustimburke, mordred: i'm having trouble with cors in ovh; i've set "X-Container-Meta-Access-Control-Allow-Origin: *" on the container and verified that is returned on a HEAD.  because this script also is designed to work with rax, i'm also sending "Access-Control-Allow-Origin: *" when uploading each object.  but the objects don't have the allow-origin header when i fetch them.  do you happen to know20:25
corvusof any reason that might be?20:25
*** dciabrin_ has quit IRC20:26
clarkbcorvus: https://stackoverflow.com/questions/40182410/enable-permanently-cors-in-ovh-object-storage-openstack-swift20:27
clarkbcorvus: I doubt you are using the web dashboard but maybe that is what is happening?20:27
corvusclarkb: no web dashboard use; newly created container via api only20:27
*** kjackal has quit IRC20:28
corvusmnaser: ^ same question re vexxhost20:28
clarkbre math.uh.edu fedora mirror their mirror 1 does seem to be afk. their mirror 2 responds to http however we don't use the path that they advertise at https://admin.fedoraproject.org/mirrormanager/mirrors/Fedora/30/x86_64 for mirror 1. That means I'm not quite sure how to substitute in mirror 2?20:29
timburkecorvus, i wouldn't expect to be able to set CORS per-object; object-server will only store what's in allowed_headers: https://github.com/openstack/swift/blob/2.22.0/etc/object-server.conf-sample#L13520:29
clarkbcan I browse things via rsync://20:29
timburkei *was* expecting the per-container setting to work, though20:30
corvustimburke: yeah, apparently per-object is required for rax via cdn, and does work.  i'm assuming other providers would just ignore that20:30
mordredcorvus: not off the top of my head, no20:31
*** kjackal has joined #openstack-infra20:32
*** rtjure has joined #openstack-infra20:33
*** mriedem has quit IRC20:33
*** dciabrin_ has joined #openstack-infra20:34
donnydSo I figured out the root issue with FN the last couple days. Apparently there are limits on how fast cinder can move with an lvm/iscsi backend, and I had to cut down max_concurrent_builds to 2. Nova was requesting around 40 volumes to be built at the same time... Well for a normal shop this wouldn't be an issue, but my poor little cinder-volume nvme server was very unhappy about this workload20:35
clarkbdonnyd: we can adjust how quickly we make requests too, though not for oustanding build orders (its a global api rate limit in nodepool)20:36
corvusi tried two other things: adding x-object-meta-access-control-allow-origin to the object upload, and then removing all of the allow-origin headers from the object upload.  neither helps in ovh.20:36
clarkbok fedora-buffet is more stuff that fedora-enchilada and I believe the contents of fedora-buffet should be the same across all mirrors so I should be able to just change that hostname in theory20:36
donnydeh, I think this will fix the issue. It can still built 14 instances every 30 seconds20:37
donnydand that will go to 16 next week20:37
donnydso pretty close to the chunks nodepool already seems to ask for20:37
donnydjust need someone to pop open a can on the ci so I can be sure20:38
donnydbeen trying to simulate over here, and i could simulate the failure and the fix does in fact see to work just fine20:39
openstackgerritJames E. Blair proposed zuul/zuul-jobs master: Fix CORS in rackspace in upload-logs-swift  https://review.opendev.org/67442320:39
openstackgerritJames E. Blair proposed zuul/zuul-jobs master: Fix CORS in rackspace in upload-logs-swift  https://review.opendev.org/67442320:40
clarkbcorvus: does sdk automatically rewrite index_headers to have the X-Container-Meta- prefix?20:41
clarkbthen the other thing I noticed was case, but http headers are supposed to be case insensitive. Possibly bad software not honoring that requirement though20:41
*** markvoelker has quit IRC20:42
corvusclarkb: no rewriting should be happening20:42
corvusclarkb: (except possibly requests capitalizing the headers)20:43
corvusbut the things with the meta- prefix should have them, and the things without should not20:43
clarkbcorvus: it looks like sdk does actually add that prefix20:44
corvuswait what?20:45
clarkbbut it checks first to see if the header already has it before adding it20:45
clarkbopenstack/object_store/v1/_base.py is the code that does it then the resource types set their own _custom_metadata_prefix values20:46
corvusclarkb: which part of the upload script are you looking at?20:46
clarkbcorvus: I'm looking at line 501 of https://review.opendev.org/#/c/674423/2/roles/upload-logs-swift/library/zuul_swift_upload.py20:47
corvusclarkb: in theory that should have no effect on ovh20:47
corvusonly the container-level settings should matter20:48
clarkbya and update_container seems to bypass all of the header prefix logic (so they are passed through as stated there)20:49
corvusclarkb: regarding the other thing (even though it shouldn't matter for ovh) -- that's using create_object, which is the shade method; i don't think it should be going through the method you mentioned re headers?20:51
corvusbut i don't know how to follow the call stack there through all the proxy objects, etc20:51
*** markvoelker has joined #openstack-infra20:52
clarkbya me either20:53
clarkbcorvus: the shade method does it too but only on the metadata dict20:54
clarkbnot the kwargs20:54
corvusok, so we expect all the headers we're sending to be the literal values in the script20:54
clarkbyes, unless the shade method somehow calls the object_store set_metadata method. Which it looks like it doesn't (I think it ends up calling the put method directly instead)20:55
mordredcorvus: yes, I think so - but let me trace through it real quick20:56
*** markvoelker has quit IRC20:56
clarkbfwiw vexxhost is ceph and ovh is swift so it is curious we get the same behavior out of both of them around this20:57
mordredand rax is a very old version of swift20:57
corvusi've sent an email to romain at ovh20:59
clarkbI'm going to step out for a few but then when I get back I think I want to chagne the mirror we sync fedora from MIRROR=rsync://pubmirror1.math.uh.edu/fedora-buffet/fedora/linux to rsync://pubmirror2.math.uh.edu/fedora-buffet/fedora/linux21:00
clarkbif anyone knows of a reason to not do that please let me know21:00
*** yamamoto has joined #openstack-infra21:00
openstackgerritJames E. Blair proposed opendev/base-jobs master: Reduce the swift upload targets  https://review.opendev.org/67442421:01
corvusthat change makes me sad ^21:01
corvusclarkb, fungi, mordred: can you review https://review.opendev.org/674423 and https://review.opendev.org/67442421:02
openstackgerritMark Meyer proposed zuul/zuul master: Rework some bugs  https://review.opendev.org/67442521:02
mordredcorvus: {'headers': {'X-Container-Meta-Web-Index': 'index.html', 'X-Container-Meta-Access-Control-Allow-Origin': '*'}} - those headers are passed through unaltered21:02
mordred:q21:02
mordredgah21:02
*** Lucas_Gray has quit IRC21:03
mordredcorvus: OH!21:03
mordredcorvus: wait - no21:03
*** yamamoto has quit IRC21:05
mordredcorvus: I'm seeing what I think is a bug - let me verify but I think we may not need to do 67442421:06
corvusi'm deleting a bunch of old containers in rax from previous attempts at storing logs21:09
*** Lucas_Gray has joined #openstack-infra21:09
*** slaweq has joined #openstack-infra21:11
*** kjackal has quit IRC21:11
*** phalmos has joined #openstack-infra21:12
corvusthere are 17402 objects in the "images" container in dfw.  similar in ord and iad.  total space used is 43.36 TB21:12
corvusShrews: ^ there may be some more optimization we can do with nodepool/sdk in rackspace21:12
Shrewscorvus: what are those? images made by nodepool builder?21:14
corvusShrews: yep21:14
mordredcorvus, Shrews: they are the swift objects used in creating the images21:15
*** dciabrin_ has quit IRC21:15
mordredonce the image is imported successfully, they are no longer needed and can be deleted21:15
*** slaweq has quit IRC21:15
*** _erlon_ has joined #openstack-infra21:15
Shrewsoh, so something sdk leaves behind then21:16
clarkbcorvus: both changes lgtm but will let mordred confirm presence of bug before approving anything21:18
donnydfriday afternoons are no good for load testing21:18
mordredcorvus: the headers thing is definitely an SDK bug. I have a half-fix - half because if fixes the immediate bug but is, I'm pretty sure, incomplete21:19
donnydwith that I am pretty sure i have this thing dialed in, so I am going to punch out for the weekend21:19
corvusmordred: can you elaborate?21:19
corvus(i'm unsure what "headers thing" is)21:19
mordredoh - sorry - the lack fo the access-control headers being set on the objects even though you are setting them in your script21:20
corvusi was not aware that wasn't happening21:20
corvusi'm pretty sure rax cdn requires those to function, and it did not function before i added the header on the object upload, and then i added that header, and then it functioned.21:21
clarkbok I've switched to pubmirror2 and am rerunning fedora mirro script21:21
mordredok. that's even weirder21:21
corvusmordred: note that setting the access control header on objects is expected and required in rax, whereas other swifts should ignore that.21:22
corvusso depending on what you're testing against, you'll see different behavior there21:23
clarkbok we successfully rsynced against pubmirror2 going to run the vos release -localauth in screen on afs01.dfw.o.o21:24
mordredcorvus: yeah - I have no idea how anything is actually setting that header on rackspace for yhou21:26
corvusmordred: can you walk me through why you think there's a problem?21:27
mordredyes - but give me just a sec so I can fully collect my thoughts  here and not walk you down a dark alley21:27
*** EmilienM is now known as EmilienM|afk21:28
*** EmilienM|afk is now known as EmilienM21:28
corvusok.  just to start things off, we're talking about this header https://review.opendev.org/#/c/674423/2/roles/upload-logs-swift/library/zuul_swift_upload.py@581  going through this method https://review.opendev.org/#/c/674423/2/roles/upload-logs-swift/library/zuul_swift_upload.py@599  right?21:31
*** jcoufal_ has joined #openstack-infra21:31
*** jcoufal has quit IRC21:31
corvusmordred: also, any chance you could +3 https://review.opendev.org/674423 and https://review.opendev.org/674424 so they can work through while we dig in?21:31
*** rlandy has quit IRC21:31
mordredcorvus: done21:33
*** aedc has joined #openstack-infra21:34
openstackgerritClark Boylan proposed opendev/system-config master: Switch fedora mirroring to pubmirror2.math.uh.edu  https://review.opendev.org/67442821:37
openstackgerritClark Boylan proposed opendev/system-config master: Trim fedora mirror  https://review.opendev.org/67442921:37
clarkbinfra-root ^ changes related to getting fedora mirror working again21:38
clarkbthe second change is a cleanup not necessary for functionality21:38
mordredcorvus: yes. in local testing that header is not being set, and tracing through the code it makes sense that it's not being set - but you're saying you are seeing it set on things properly?21:38
corvusmordred: yep21:39
clarkbmordred: note that corvus us using teh shade methods not the proxy methods21:39
mordredyeah21:39
corvusmordred: and this is only expected to work on rax21:39
fungiback and catching up21:39
mordredOH FOR THE LOVE OF21:39
mordredclarkb: yes - I knew he was doing that and was debugging that - except that my test script wasn't because I'm dumb21:40
mordredcorvus: let's shelve that issue for now :)21:40
mordredthere IS an issue with the proxy layer, but we don't care about that for these purposes21:40
clarkbunless the shade layer goes through the proxy layer (which is difficult to trace)21:41
mordredcorvus: the other issue is that you are setting the headers on the container, and that isn't working to cause the cors headers to actually get sent21:41
openstackgerritMerged zuul/zuul-jobs master: Fix CORS in rackspace in upload-logs-swift  https://review.opendev.org/67442321:41
corvusmordred: okay, summary: script should work fine because it uses shade methods, the sdk/proxy equivalent might not work?21:41
openstackgerritMerged opendev/base-jobs master: Reduce the swift upload targets  https://review.opendev.org/67442421:42
mordredyes. and I want to fix the sdk/proxy layer, but that's irrelevant to the current question21:42
corvusmordred: and no, the only current issue is that neither ovh nor vexxhost appears to honor the x-container-meta-access-control-allow-origin setting.  afaict, i am setting it on the container correctly, and when i HEAD the container, i get the setting back, indicating that it was received and stored.21:43
corvussubsequent fetches of objects in the container, however, do not have an access-control-allow-origin header.21:44
mordredcorvus: ok. and it seems that sdk is also doing what we're asking there21:45
mordred*phew* - I thought there was more broken sdk-side than there is21:45
corvusi have an email out to romain, and an irc ping to mnaser21:45
mordredI mean, don't get me wrong, there's some broken things - and also I'm not happy that setting the headers isn't working ...21:45
corvusromain says he'll look monday21:45
mordredcorvus: reading swift docs, I agree that the things you are setting are the right thigns to set21:48
*** markvoelker has joined #openstack-infra21:48
corvuswhew21:48
clarkbthat stackoverflow article implies they have their own management around this stuff21:49
clarkbits possible the bug is entirely on their side I suppose21:49
corvusi wish we had more swifts21:49
mordredthere's also:21:50
mordred"In addition the the values set in container metadata, some cluster-wide values may also be configured using the strict_cors_mode, cors_allow_origin and cors_expose_headers in proxy-server.conf. See proxy-server.conf-sample for more information."21:50
mordredso there is apparently some server-side config that *might* be in play - I have no idea whether that's true or not21:50
corvuswe have 3, each of which is completely different, one isn't swift at all, another is a fork.  so it's impossible to triangulate any behavior differences.21:50
corvusa swift without cors is pretty useless to us21:51
corvuss/us//21:51
mordredcorvus: https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/1.3/html/object_gateway_guide_for_red_hat_enterprise_linux/object_gateway_swift_api21:51
mordredcorvus: indicates that radosgw doesn't support cors21:51
corvusi guess mnaser is off the hook21:52
clarkbI can actually check that really quickly. one sec21:52
mordredmore importantly - https://github.com/ceph/ceph/blob/master/doc/radosgw/swift.rst21:52
mordredmaster of ceph says the same thing21:52
clarkbopenstack.org uses a bunch of resources hosted in vexxhost ceph/swift21:53
clarkband sure enough I don't see headers for cors21:53
clarkbso how does that work at all?21:54
clarkbis it because none of them are scripts?21:54
clarkbthey are all image objects21:54
mordredyeah - none of them are being requested by the javascript21:54
mordredthey're just, you know, image links21:55
clarkbbut ya sure enough no headers there21:55
corvushttps://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#What_requests_use_CORS21:55
corvusfonts is an interesting thing i wouldn't have guessed21:55
*** betherly has joined #openstack-infra21:55
corvusbecause, of course, licensing21:55
mordredcorvus: and setting arbitrary metadata on objects to be returned in headers only works for headers tarting with  x-meta-object right?21:55
corvusmordred: correct -- i did see that work on ... i think ovh?  because i set an x-meta-object-... header.  but of course, there is no such header that's useful to us21:56
corvusor, x-object-meta i think21:57
clarkbthe expiration value is sent as a header too21:57
mordredyeah21:57
mordredx-object-meta21:57
corvusyeah, timburke linked a list of allowed object headers earlier  https://github.com/openstack/swift/blob/2.22.0/etc/object-server.conf-sample#L13521:57
mordredcorvus, clarkb: wanna be even more annoyed?21:59
corvusmordred: it's not likely to make a difference at this point22:00
*** jcoufal_ has quit IRC22:01
*** betherly has quit IRC22:01
mordredcorvus, clarkb: cors IS supported in the ceph s3 gateway22:01
*** Lucas_Gray has quit IRC22:02
*** jistr has quit IRC22:02
* fungi groans22:03
corvusmordred: wow22:03
clarkbare the same containers/objects able to be manipulated by both apis or are they separate (we could maybe hate ourselves and set cors via that api if so)22:06
mordredclarkb: I do not know22:07
fungii don't know that there's any guarantee that the 23 compat api is exposed/enabled?22:07
clarkb" The S3 and Swift APIs share a common namespace, so you may write data with one API and retrieve it with the other."22:07
clarkbit is possible that would work22:07
fungier, s/23/s3/22:07
mordredvexxhost runs swift_s3 in their catalog22:07
fungiso seems possible at least22:07
mordredI don't know if that's the ceph s3 proxy or anything about it22:07
*** Lucas_Gray has joined #openstack-infra22:08
corvusare the public urls different?22:08
mordredno22:09
*** jistr has joined #openstack-infra22:09
mordredso conceivably you could try making s3 api requests to the swift endpoint, however that works22:09
mordred[{'endpoints': [{'region_id': 'ca-ymq-1', 'url': 'https://object-storage-ca-ymq-1.vexxhost.net', 'region': 'ca-ymq-1', 'interface': 'admin', 'id': '4f1fafb25e58421e91a2139dc0382c53'}, {'region_id': 'ca-ymq-1', 'url': 'https://object-storage-ca-ymq-1.vexxhost.net', 'region': 'ca-ymq-1', 'interface': 'internal', 'id': '5808ab12037f4ab49c37cba0ac9cd58e'}, {'region_id': 'ca-ymq-1', 'url':22:10
mordred'https://object-storage-ca-ymq-1.vexxhost.net', 'region': 'ca-ymq-1', 'interface': 'public', 'id': 'a680b7674b3b430c9f5e008f72f3dfe4'}], 'type': 's3', 'id': '13f4cf29c7394a7a801d8aeacca24378', 'name': 'swift_s3'}]22:10
mordredftr22:10
corvuszuul-jobs can/should have an upload-logs-s3 role.  is opendev willing to use it?22:11
*** slaweq has joined #openstack-infra22:11
clarkbcorvus: I worry that the swift proper clouds won't support it22:12
clarkb(I haven't checked if they run swifts3 or similar)22:12
clarkbso that might get ugly from a management perspective22:12
corvusclarkb: right, i wouldn't suggest using it on a cloud that supported swift22:12
corvusbut we could use upload-logs-swift on some clouds, upload-logs-s3 on others22:13
fungii don't have any objection to using a publicly-spec'ed api to talk to free and open source software22:13
clarkbcorvus: ya I think in that case it would probably be fine. It would suck to have to debug two sets of apis but its not like we don't already juggle more22:14
fungieven if that api happens to be primarily associated with a proprietary service, it's apparently implemented more widely22:14
*** slaweq has quit IRC22:15
*** armax has quit IRC22:16
clarkbfungi: mordred https://review.opendev.org/#/c/674428/ and its child would be good to review22:17
clarkbI probably won't release the fedora mirror lock until after that first one merges and applies22:17
clarkb(just to avoid wasted effort talking to down host22:17
*** jistr has quit IRC22:17
*** armax has joined #openstack-infra22:18
*** jistr has joined #openstack-infra22:19
clarkbalso not sure if we want to manaully run vos release after it deletes a bunch of data22:19
clarkbif so then the first run after merging the child should probably be manual too22:19
corvusi would recommend that22:19
mordredcorvus: I agree wtih the words clarkb and fungi said - I do not think it would be bad at this point to talk to a ceph using upload-logs-s322:20
clarkbcorvus: ok I'll definitely hold the lock then22:20
mordredand it would provide a somewhat convenient way for us to know that zuul's upload-logs-s3 works without having to actually upload logs to the aws s3 service22:20
*** eharney has quit IRC22:20
*** markvoelker has quit IRC22:21
corvusmordred: yeah, assuming it really is compatible :)22:21
corvusswift != swift, so i'm not going to bet that rados-swift_s3 == s3  :)22:21
mordredcorvus: indeed22:22
corvusSpamapS pushed this up long time ago: https://review.opendev.org/59993122:22
corvusonce you take out the index stuff, it's mostly just a single call to s3_sync22:22
corvusaside from index generation, the swift upload role does: threaded parallel upload, content-type setting, content-encoding and streaming gzip22:23
corvusit's conceivable that s3_sync does all of that and we can just use it22:23
corvusbut if it doesn't, then we may want to adopt the approach in the swift upload role22:23
mordredyeah. although it's also conceivable that s3_sync has no capabilities to be used against a non-amazon region - so we should check that22:24
corvustrue.  that would make a pretty compelling reason not to use it22:24
mordredyeah.22:25
*** goldyfruit has quit IRC22:25
*** pfallenop has quit IRC22:25
* mordred needs to go eat the dinner ... there is some sushi with his name on it22:25
fungithis is also probably seeds of useful feedback to the swift maintainers22:27
corvusfungi: well, i don't know that we have any swift feedback yet22:27
corvusovh runs swift, and isn't working.  next week we'll figure out if that's an ovh problem, a swift problem, or a corvus problem.22:28
fungifair, if rax is not really swift and vexxhost is definitely ceph reimplementing swift apis and ovh may be somehow intercepting calls...22:28
clarkbwe do however have ceph feedback22:28
corvusyep22:28
clarkb"please add cors support to swift api"22:28
fungiheh22:28
fungithat is true22:28
corvusi'm puzzled at how it could be less work to have written the table entry that says it's not supported than to actually support it.22:29
corvusthe implementation in swift itself is 4 lines.22:29
clarkbcorvus: also the s3 version of it is a bunch of xml so probably far more difficult to add support for22:29
cloudnullclarkb I have not been able to track down why we were seeing the 401 in the ovh region, however, I did put up a review to force our tools to reauth whenever they encounter a 401 - https://review.opendev.org/#/c/67409722:30
*** pfallenop has joined #openstack-infra22:32
timburkecorvus, it's a few more than that ;-) https://review.opendev.org/#/c/528106/ gives a decent idea of the scope of the feature22:32
timburkei should really revive https://review.opendev.org/#/c/533028/ at some point...22:32
clarkbhttps://github.com/ceph/ceph/blob/master/src/rgw/rgw_cors_s3.cc is the ceph s3 implementation22:35
corvustimburke: i get that i'm being naive here, but why is all that necessary?  browsers themselves implement cors evaluation, so why is simply returning the configured value in the header not sufficient?22:36
clarkbcorvus: I was just going to ask that, I didn't realized servers were enforcing cors22:36
timburkea large part of it is serving OPTIONS responses iirc. been a while since i thought much about it, honestly22:38
corvus(the 4 lines i was thinking of were 148--154 of cors.py, which, granted, are actually 5 lines after removing wrapping)22:38
openstackgerritMerged opendev/system-config master: Switch fedora mirroring to pubmirror2.math.uh.edu  https://review.opendev.org/67442822:43
clarkbw3c spec says that server side may elect to do the enforcement too22:43
corvusyeah was just reading https://www.w3.org/TR/cors22:43
clarkb"This extension enables server-side applications to enforce limitations (e.g. returning nothing) on the cross-origin requests that they are willing to service."22:43
timburkeallow-origin's actually a pretty small part of what swift needs to worry about. there's allow-method (in case you wanted the browser to be issuing PUTs, DELETEs, etc.), expose-headers (so you can see metadata), there's concerns about how browsers are going to cache whatever responses you're sending...22:44
clarkbtimburke: ya I was just surprised that you are enforcing too since typically I'ev seen that as the browser's job22:44
clarkbbut people may make requests from outside a browser too22:45
clarkband if the intent is to protect the content and not just to protect the dynamic execution environment within the browser than blocking at the server makes sense22:45
corvusclarkb: well... that might be able to be bypassed by simply sending an "Origin:" header.22:46
clarkbcorvus: if you can guess which origin is allowed (I agree it isn't the bset method of protecting the content)22:46
corvussomething that a browser can enforce is done correctly, but probably becomes ineffective outside of that environment22:47
clarkbit might also reduce total network bw22:47
clarkbwhich may be a major plus for swift users?22:47
clarkb(and maybe you can timing attack that string comparison to figure out an allowed origin)22:48
*** roman_g has quit IRC22:52
openstackgerritMerged opendev/system-config master: Trim fedora mirror  https://review.opendev.org/67442922:52
*** rascasoft has quit IRC23:00
*** rascasoft has joined #openstack-infra23:02
*** slaweq has joined #openstack-infra23:11
*** slaweq has quit IRC23:16
*** markvoelker has joined #openstack-infra23:20
*** _erlon_ has quit IRC23:25
*** betherly has joined #openstack-infra23:26
*** betherly has quit IRC23:31
*** sthussey has quit IRC23:43
*** roman_g has joined #openstack-infra23:46
*** betherly has joined #openstack-infra23:47
*** betherly has quit IRC23:51
*** markvoelker has quit IRC23:53
« Thursday, 2019-08-01 Index Saturday, 2019-08-03 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!