opendevreview | Ian Wienand proposed openstack/project-config master: Add CentOS 8 Stream wheel publish jobs https://review.opendev.org/c/openstack/project-config/+/803411 | 02:06 |
---|---|---|
opendevreview | Ian Wienand proposed openstack/project-config master: Add CentOS 8 Stream wheel publish jobs https://review.opendev.org/c/openstack/project-config/+/803411 | 02:07 |
opendevreview | Ian Wienand proposed openstack/project-config master: Add CentOS 8 Stream wheel publish jobs https://review.opendev.org/c/openstack/project-config/+/803411 | 03:33 |
*** ykarel|away is now known as ykarel | 05:08 | |
*** jpena|off is now known as jpena | 07:01 | |
*** rpittau|afk is now known as rpittau | 07:13 | |
*** ykarel is now known as ykarel|lunch | 08:43 | |
*** ykarel|lunch is now known as ykarel | 09:23 | |
opendevreview | Merged openstack/openstack-zuul-jobs master: Add CentOS 8 Stream wheel builds https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/802988 | 09:57 |
*** jcapitao is now known as jcapitao_lunch | 11:11 | |
*** jpena is now known as jpena|lunch | 11:26 | |
*** rlandy is now known as rlandy|ruck | 11:49 | |
*** jpena|lunch is now known as jpena | 12:32 | |
*** rlandy|ruck is now known as rlandy | 12:34 | |
*** jcapitao_lunch is now known as jcapitao | 12:42 | |
opendevreview | Sorin Sbârnea proposed openstack/project-config master: Allow elastic-recheck cores to create branches https://review.opendev.org/c/openstack/project-config/+/803473 | 13:15 |
zbr | if someone can review ^ it would be great. we want to create an rdo branch for elastic-recheck. | 13:22 |
fungi | zbr: yeah, i'm looking into the check failure for it now | 13:34 |
fungi | it looks like we need to reintroduce a copy of acls/x/tap-as-a-service.config | 13:35 |
fungi | fallout from the rename maintenance over the weekend | 13:35 |
fungi | i'll push that up straight away | 13:35 |
frenzy_friday | Hey, does anyone know how logs are pulled/pushed from zuul to logstash? | 13:39 |
frenzy_friday | I can see the role which collects the logs and uploads it to swift in ansible-collect-logs repo. But how is it sent to logstash? | 13:40 |
opendevreview | Jeremy Stanley proposed openstack/project-config master: Reintroduce x/tap-as-a-service shared ACL https://review.opendev.org/c/openstack/project-config/+/803480 | 13:41 |
fungi | zbr: ^ that should fix the failure | 13:41 |
fungi | frenzy_friday: you've seen the architecture document for it, right? https://docs.opendev.org/opendev/system-config/latest/logstash.html | 13:43 |
frenzy_friday | fungi, thanks, lemme check it | 13:44 |
fungi | i have to refresh my memory on how all that works too, but looks like https://docs.opendev.org/opendev/system-config/latest/logstash.html calls the submit-logstash-jobs role on the executor at the end of all jobs (because it's in the post-run phase for the base job inherited by all our jobs) | 13:45 |
fungi | er, sorry, that second link was supposed to be https://opendev.org/opendev/base-jobs/src/branch/master/playbooks/base/post-logs.yaml | 13:45 |
fungi | config-core: can i get a priority review on https://review.opendev.org/803480 to fix our project-config-gerrit job? it's apparently been broken since after the rename last weekend | 13:57 |
zbr | fungi: out of curiosity: did you ever have any problems with abuse of logstash instance? what kind of measures against abuse are in place? asking this because rdo logstash instance is behind authentication now, and I would like to convince them to make access open. auth makes testing a real issue. | 14:31 |
fungi | zbr: none to my knowledge, though we do filter api access fairly aggressively with apache configuration | 14:33 |
zbr | thanks, i guess the same approach should also work for rdo too. | 14:36 |
fungi | zbr: specifically, it's the elasticsearch api we filter requests for, looks like: https://opendev.org/opendev/puppet-logstash/src/branch/master/templates/kibana.vhost.erb#L17 | 14:37 |
zbr | and i suppose we could even require a special http header in order to avoid undesired random bots from accessing the server, but still keeping it accessible for our tools, like elastic-recheck. | 14:37 |
fungi | yeah, we do some user agent filtering in our gitea frontend if you want an example of that | 14:39 |
fungi | but you could also just use a magic header string of course | 14:39 |
clarkb | zbr: fungi: yes we spent a lot of time figuring out how to let through just enough RO access to elasticsearch and firewalled everything off | 14:46 |
clarkb | this is one of the reasons why simply upgrading is not simple because newer kibana expects RW access and you cannot give that safely | 14:47 |
clarkb | fungi: I've approved the config fix | 14:48 |
clarkb | we are ok with RO access because we only store publicly available data in there anyway | 14:51 |
clarkb | but you are correct that RW is dangerous as it can be easily abused | 14:51 |
opendevreview | Merged openstack/project-config master: Reintroduce x/tap-as-a-service shared ACL https://review.opendev.org/c/openstack/project-config/+/803480 | 15:00 |
*** jpena is now known as jpena|off | 15:05 | |
*** ykarel is now known as ykarel|away | 15:33 | |
*** rpittau is now known as rpittau|afk | 16:14 | |
opendevreview | Merged openstack/project-config master: Allow kolla cores to edit kolla hashtags https://review.opendev.org/c/openstack/project-config/+/802744 | 16:17 |
fungi | yoctozepto: ^ that's deployed now | 17:05 |
yoctozepto | fungi: thanks! looks worky! | 17:06 |
fungi | good, good | 17:07 |
zbr | fungi: thanks | 17:14 |
zbr | i guess we do not happen to have a hidden ubuntu 20.10 nodeset available. I am asking because our current default nodeset 20.04 focal still does not have podman included, and ensure-podman is neither testing nor compatible with focal. | 17:16 |
zbr | the problem is related to `openstack-tox-molecule` which needs both docker and podman, but w/ default nodeset it cannot really run ensure-podman. For example if we would use centos-8 nodeset both would work. | 17:17 |
fungi | we don't have any ubuntu nodesets other than lts versions (16.04, 18.04, 20.04) because the interim releases have fairly short support lifetimes and are a lot of additional work and resources to maintain | 17:19 |
fungi | would a debian-bullseye node work? | 17:19 |
zbr | good question, i need to check, probably it should. | 17:20 |
zbr | in fact, ensure-podman supports only 3 platforms now, but some may be very easy to fix, if they already have the package available. | 17:21 |
zbr | more problematic is for those that need ppa or other tricks. | 17:21 |
fungi | yeah, i was just reviewing https://review.opendev.org/803413 for it and noticed we're not testing it on focal yet | 17:22 |
zbr | i will look tomorrow into these and see which path proves less problematic. | 17:22 |
*** ricolin_ is now known as ricolin | 18:02 | |
*** timburke_ is now known as timburke | 20:57 | |
opendevreview | Ian Wienand proposed openstack/project-config master: Add CentOS 8 Stream wheel publish jobs https://review.opendev.org/c/openstack/project-config/+/803411 | 22:20 |
*** rlandy is now known as rlandy|bbl | 22:26 | |
ianw | jrosser / noonedeadpunk : any thoughts on https://review.opendev.org/c/openstack/openstack-ansible/+/803405 https://review.opendev.org/c/openstack/openstack-ansible/+/803404 to remove debian-stable usage on openstack-ansible? | 22:31 |
ianw | one complication is that tox pep8 seems broken on train | 22:31 |
opendevreview | Clark Boylan proposed openstack/project-config master: Rename x/tap-as-a-service to openstack/tap-as-a-service https://review.opendev.org/c/openstack/project-config/+/803524 | 23:01 |
opendevreview | Merged openstack/project-config master: Rename x/tap-as-a-service to openstack/tap-as-a-service https://review.opendev.org/c/openstack/project-config/+/803524 | 23:17 |