| *** swalladge is now known as Guest1188 | 03:12 | |
| *** yadnesh|away is now known as yadnesh | 04:43 | |
| *** akekane is now known as abhishekk | 04:48 | |
| dpawlik | fungi: hey, I did not receive any email and in AWS console I don't see such option so probably I don't have permissions | 07:06 |
|---|---|---|
| dpawlik | fungi: I will check once again today, but I don't believe that I have such permissions | 07:06 |
| *** yadnesh is now known as yadnesh|afk | 07:46 | |
| *** jpena|off is now known as jpena | 08:41 | |
| *** yadnesh|afk is now known as yadnesh | 08:49 | |
| opendevreview | Jiri Podivin proposed openstack/project-config master: Releasing tripleo-ansible as PyPi deliverable https://review.opendev.org/c/openstack/project-config/+/866839 | 09:48 |
| *** dviroel|biab is now known as dviroel | 11:14 | |
| *** rlandy|out is now known as rlandy|rover | 11:14 | |
| *** yadnesh is now known as yadnesh|afk | 11:50 | |
| *** d34dh0r5| is now known as d34dh0r53 | 12:05 | |
| *** yadnesh|afk is now known as yadnesh | 12:34 | |
| *** frenzy_friday is now known as frenzy_friday|food | 13:09 | |
| *** akekane is now known as abhishekk | 13:56 | |
| *** dasm|off is now known as dasm | 14:43 | |
| *** frenzy_friday|food is now known as frenzy_friday | 15:34 | |
| clarkb | dpawlik: fungi: I think the issue is you need to validate the email verification and that necessarily goes to an address under the domain? | 15:57 |
| fungi | yeah, ttx and i are working to figure it out | 15:57 |
| dpawlik | ack | 15:58 |
| *** dviroel is now known as dviroel|lunch | 16:15 | |
| *** yadnesh is now known as yadnesh|away | 17:14 | |
| *** dviroel|lunch is now known as dviroel | 17:16 | |
| ade_lee | fungi, clarkb -- got a couple of wip patches up -- does this look about right? https://review.opendev.org/c/zuul/zuul-jobs/+/866881 and https://review.opendev.org/c/openstack/tempest/+/866882 ? | 17:17 |
| ade_lee | ah, I guess not :/ | 17:18 |
| ade_lee | fungi, so I have to define the base fips job in project_config? | 17:19 |
| fungi | ade_lee: the playbook which uses that secret will need to be in the same repository as the secret, yes | 17:21 |
| ade_lee | fungi, gotcha - so I just need a playbook in project-config that I invoke elsewhere | 17:22 |
| fungi | ade_lee: well, a job definition in project-config will use a playbook in project-config for one of its phases (presumably pre-run in this case) | 17:23 |
| fungi | but then you can inherit from that job in other projects | 17:23 |
| fungi | and add the remaining logic outside project-config that way | 17:23 |
| fungi | e.g. in openstack-zuul-jobs | 17:24 |
| ade_lee | ack | 17:24 |
| *** jpena is now known as jpena|off | 17:31 | |
| fungi | ade_lee: you presumably need just enough logic in the playbook to feed the token into the registration tool in ubuntu and clean up anywhere you may have temporarily written it in doing so | 17:33 |
| fungi | after that, the inheriting job can likely take over, updating package lists and installing packages, et cetera | 17:33 |
| fungi | however, you're not going to be able to rely on depends-on to try out the additions to project-config, that's going to have to be merged before zuul will allow it to be used by other jobs | 17:34 |
| fungi | for safety reasons | 17:35 |
| ade_lee | fungi, gotcha | 17:36 |
| ade_lee | fungi, I was just thinking of having the playbook invoke the enable-fips role with the changes I specified above - but I can just have it add the token, and then call the enable_fips role later sans token | 17:40 |
| ade_lee | as long as we're sure the token will be added first | 17:40 |
| fungi | ade_lee: yes, zuul playbook ordering for inheritance is onion layered, so if z inherits from y inherits from x then it will execute x:pre-run y:pre-run z:pre-reun z:run z:post-run y:post-run x:post-run in that order | 17:42 |
| fungi | i.e. the grandparent of your job will have its pre-run playbooks executed before the parent's pre-run playbooks which in turn come before the child's pre-run playbooks | 17:43 |
| ade_lee | fungi, ack ok | 17:43 |
| fungi | or nesting doll order if you like | 17:44 |
| fungi | and yeah, if you can avoid calling enable-fips in the project-config job then you'll have more flexibility with depends-on testing of the fips parts | 17:45 |
| fungi | basically try to do as little in config projects as possible, in order to maximize your ability to leverage speculative execution when trying out changes to the rest of the job | 17:46 |
| ade_lee | fungi, ok makes sense. I'm looking now for an appropriate job in project-config to modify/clone | 17:48 |
| ade_lee | fungi, I guess there isn't one really - we just need something super simple | 17:51 |
| fungi | ade_lee: maybe propose-translation-updates though it's a more complex example, it does i think use the secret in pre-run (most of the others are used in run or post-run) | 17:52 |
| fungi | er, update (singular) sorrt | 17:53 |
| ade_lee | fungi, ack | 17:53 |
| fungi | no, i guess it uses it in run too | 17:54 |
| fungi | dpawlik: clarkb: so the process seems to be that the root account owner is notified of the upcoming cert expiration, then they click a button to send a renewal approval request to one of the role addresses for the domain (i.e. the hostmaster address for openstack.org), and then someone with access to that inbox needs to click a link in the message which takes them to a webpage where | 17:58 |
| fungi | they can click an approval button | 17:58 |
| fungi | so the main thing we're looking into is how to widen the set of people who get notified about the impending expiration | 17:58 |
| fungi | and also possibly to be able to trigger issuing the approval request | 17:59 |
| clarkb | I see and that would be smething in the amazon account settings? | 18:00 |
| fungi | presumably, but they're designed as a sort of behavioral psych experiment to see who's smart enough to navigate the maze before their certs expire | 18:01 |
| zul | hey guys have you seen this error before? starlingx seems to be hammered by this now https://zuul.opendev.org/t/openstack/build/7f0bb87e68df44a2b905870daee48094 | 18:32 |
| clarkb | zul we updated our default nodeset to ubuntu jammy semi recently and python3.10's configparser is more particular about that aiui | 18:36 |
| clarkb | oh though that is in ansible itself via a zuul module. That is interesting | 18:36 |
| clarkb | oh but that module is simply parsing your tox config so its a side effect of the project too | 18:37 |
| clarkb | I think we need to identify the broken tox.ini file and fix it. | 18:39 |
| zul | i think starlingx is mostly busted right now | 18:39 |
| clarkb | what that module does is run `tox --showconfig` to get your configuration and then it parses that to find where the siblings are. Let me see what that looks like against starlingx/metal | 18:42 |
| clarkb | zul: https://pypi.org/project/tox/#history tox released 2 hours ago. Any chance this started within that time frame? | 18:43 |
| zul | possibly i was made aware of it like 5 minutes ago | 18:44 |
| clarkb | looks like others are broken too, not just starlingx which is why I'm beginning to suspect that | 18:44 |
| zul | we have our minversion set to 2.3 | 18:45 |
| zul | in starlingx/metal at least | 18:45 |
| fungi | note that's minversion not a maximum | 18:46 |
| fungi | makes sure users have a new enough tox to parse the config (and gives them a useful error if they don't) | 18:46 |
| zul | barbican seems to be hitting this as well | 18:47 |
| clarkb | zul: yes its widespread I think there is an issue between that ansible module which the tox jobs all use and the latest tox | 18:48 |
| clarkb | checking old tox and new tox output locally for starlingx/metal the output is different and testenv:docs isn't even present in the new config | 18:49 |
| clarkb | even though it is right there in the actual tox.ini file | 18:49 |
| fungi | https://codesearch.opendev.org/?q=whitelist_externals | 18:49 |
| fungi | support for that is removed in 4.0.0 according to the tox changelog, and seems to be heavily used by starlingx and others | 18:50 |
| fungi | https://tox.wiki/en/latest/changelog.html | 18:50 |
| clarkb | fungi: I don't think that is it | 18:51 |
| clarkb | it seems to comment unused values effectively ignoring them in the --showconfig output. Removing whitelist_externals did not fix the docs env | 18:52 |
| fungi | maybe not, but it's also going to need to be cleaned up | 18:52 |
| clarkb | but that does make me wonder if there is something we are doing in there that makes the testenv:docs env invalid so it doesn't show up | 18:52 |
| zul | its not just the testenv:docs thats failing apparently https://zuul.openstack.org/status#metal | 19:01 |
| clarkb | zul: ya my hunch is this has to do with coloring of output by default breaking parsing | 19:02 |
| clarkb | I'm working on a patch to test that | 19:02 |
| clarkb | zul: I think https://review.opendev.org/c/zuul/zuul-jobs/+/866926 will be self testing to see if that fixes at least some of this | 19:12 |
| frickler | seems allowlist_externals also became stricter, see e.g. https://review.opendev.org/c/openstack/neutron-dynamic-routing/+/866927 | 19:18 |
| clarkb | zul: ok the color thing doesn't seem to help. I've pushed https://review.opendev.org/c/zuul/zuul-jobs/+/866928 to try and pin tox and stem the bleeding then we'll need to followup and figure out how to make tox v4 work | 19:19 |
| clarkb | or maybe we should all just switch to nox (that would make siblings very difficult I think) | 19:19 |
| zul | ack | 19:21 |
| zul | i guess we will need to recheck our jobs when this get merged? | 19:24 |
| fungi | yes | 19:25 |
| fungi | at least any that failed in the past two hours with that sort of error | 19:25 |
| clarkb | the other issue is ensure-tox in zuul-jobs looks for locally installed tox before installing the pinned version I just set. It appears that it doesn't find a locally installed tox on our test nodes, but if it does my pin will be undone and we may need to update images too | 19:25 |
| zul | ok cool | 19:26 |
| *** dviroel is now known as dviroel|brb | 20:14 | |
| clarkb | zul: I think things should be good now the pin has landed | 20:20 |
| zul | Yep I just did a recheck and it passed | 20:22 |
| fungi | awesome, thanks for confirming! | 20:22 |
| *** dviroel|brb is now known as dviroel|afk | 20:47 | |
| *** blarnath is now known as d34dh0r53 | 21:23 | |
| opendevreview | Jay Faulkner proposed openstack/project-config master: ironic-release group for releasing+maint of bugfix https://review.opendev.org/c/openstack/project-config/+/866937 | 21:29 |
| fungi | JayF: are the people in ironic-release also in ironic-stable-maint? because you're going to need to possibly be able to abandon open changes on branches before gerrit will allow you to delete them | 21:36 |
| JayF | fungi: I think ironic-stable-maint == ironic-core at this point | 21:37 |
| fungi | good enough | 21:37 |
| JayF | https://review.opendev.org/admin/groups/0c53b8f80897aa9e7cee7347e4710bd9b8bdfbd2,members | 21:37 |
| JayF | we probably need to edit that to delete the individual members | 21:38 |
| JayF | I'm fairly sure, for instance, that jroll should not have core on that anymore | 21:38 |
| fungi | i miss jroll | 21:40 |
| JayF | We all do :( | 21:40 |
| JayF | He's downstream at Stripe nowadays AIUI | 21:41 |
| opendevreview | Jay Faulkner proposed openstack/project-config master: ironic-release group for releasing+maint of bugfix https://review.opendev.org/c/openstack/project-config/+/866937 | 22:09 |
| *** dasm is now known as dasm|off | 22:11 | |
| *** rlandy|rover is now known as rlandy|out | 22:29 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!