rcarrillocruz | nhicher , mhu : heya, around to +3 https://softwarefactory-project.io/r/#/c/13451/1/resources/tenant-ansible.yaml ? | 00:27 |
---|---|---|
rcarrillocruz | or tristanC , not sure if you are starting now | 00:27 |
pabelanger | rcarrillocruz: +3 | 00:37 |
rcarrillocruz | OH WAIT | 00:38 |
rcarrillocruz | you are core | 00:38 |
rcarrillocruz | i thought you were not | 00:38 |
rcarrillocruz | thx ! | 00:38 |
pabelanger | yah, think 2 weeks now | 00:38 |
tristanC | gundalow: pabelanger: i've updated the etherpad about the ansible tenant | 01:29 |
tristanC | ( https://etherpad.openstack.org/p/gundalow ) | 02:20 |
*** nijaba has quit IRC | 04:27 | |
*** nijaba has joined #softwarefactory | 04:30 | |
*** jpena|off is now known as jpena | 07:40 | |
*** chmouel has joined #softwarefactory | 07:58 | |
rcarrillocruz | tristanC: can you please drop my GH keys on 0000110231? it's on hold | 08:53 |
rcarrillocruz | tristanC: as for the ansible tenant, ansible-network is a different team from ansible core. We don't release ansible-network stuff as part of ansible release train. And creating the ansible tenant was not as one of the use cases to CI Galaxy, we simply created a repo called chouse-test to show them how it works | 08:55 |
rcarrillocruz | different teams | 08:55 |
rcarrillocruz | different way of doing things | 08:55 |
rcarrillocruz | different release trains | 08:55 |
rcarrillocruz | now, if you say the issue is technical or maintenance, as for having two tenants require more resources from SF perspective that's fair | 08:56 |
rcarrillocruz | but ideally we would like to manage it with two tenants (at least me) | 08:56 |
rcarrillocruz | if not possible, then let's discuss to rename the tenant to ansible-network and merge the two project configs into ansible-network/zuul-config, cos right now it's a mess to follow | 08:57 |
rcarrillocruz | and well... my team is ansible-network, is just we still have modules under ansible/ansible | 08:59 |
tristanC | rcarrillocruz: you should now have access to zuul-worker@38.145.32.110 | 09:01 |
rcarrillocruz | sweet thx | 09:01 |
rcarrillocruz | i don't know why ansible-playbook within dib node freezes | 09:01 |
tristanC | rcarrillocruz: similarly to the openstack tenant in zuul.openstack.org, multiple core teams with different release trains can co-exist in a single tenant | 09:05 |
tristanC | agreed it's hard to follow, but perhaps readmes and a document to describe how things work would be enough? | 09:07 |
rcarrillocruz | well, thing is we don't want to document, we want to have things that belong to place FOO to tenant FOO | 09:08 |
rcarrillocruz | what's the pushback? | 09:08 |
rcarrillocruz | infra related? | 09:08 |
tristanC | we could work around the infra tasks and extra maintenance, my concern is that there was 2 tenants initially | 09:09 |
tristanC | then we merged them, and now you want to split them again | 09:09 |
tristanC | thus i'd like to make sure we won't have to merge them again in the future... | 09:09 |
rcarrillocruz | yeah, because have seen it's not great to maintain moving forward | 09:09 |
rcarrillocruz | i see | 09:09 |
rcarrillocruz | so i ask you something | 09:10 |
rcarrillocruz | is it possible to have one trusted project to handle two GH orgs | 09:10 |
tristanC | sure, that is also possible | 09:10 |
rcarrillocruz | like, ansible-network/zuul-config managing ansible/ansible and ansible-network/* | 09:10 |
rcarrillocruz | ok, would it be a whole lot of work to rename current tenant to ansible-network and the DNS of the portal we get as ansible-network | 09:11 |
rcarrillocruz | cos what it bugs me is having two trusted projects really | 09:11 |
rcarrillocruz | if in the end we have one tenant | 09:11 |
rcarrillocruz | 1-1 is ok, 2 to 1 is confusing | 09:11 |
rcarrillocruz | and i don't want someone accidentally putting a secret managed by our team on ansible/ansible | 09:12 |
rcarrillocruz | cos well, we have different secrets/accounts on my team compared to ansible/ansible | 09:12 |
tristanC | rcarrillocruz: what if we write in bold that a-n/z-c is only to be used for a-n jobs that needs secret, and keep everything else in a/z-c? | 09:12 |
rcarrillocruz | nope | 09:14 |
rcarrillocruz | i don't want a trusted project in ansible | 09:14 |
rcarrillocruz | that's what we have now | 09:14 |
rcarrillocruz | i'd like ansible/ansible to just have a .zuul.yaml | 09:14 |
rcarrillocruz | and consume ansible-network/ansible-zuul-jobs | 09:14 |
rcarrillocruz | which may inherit ansible-network/zuul-config | 09:15 |
tristanC | rcarrillocruz: can you please document what you want in the etherpad | 09:16 |
rcarrillocruz | sure | 09:17 |
rcarrillocruz | tristanC: i'm seeing issues on our zuul-config jobs | 09:18 |
rcarrillocruz | https://github.com/ansible-network/zuul-config/pull/42 | 09:18 |
rcarrillocruz | however | 09:18 |
rcarrillocruz | https://github.com/ansible-network/cloud_vpn_aws_vpn_provider | 09:18 |
rcarrillocruz | unless letters are dancing on my glasses | 09:18 |
rcarrillocruz | oh wait | 09:19 |
rcarrillocruz | maybe i fat fingered the tenant untrusted projects | 09:19 |
* rcarrillocruz goes check | 09:19 | |
tristanC | then we'll create infra task if needed, but first, please, let's get everyone on-board | 09:20 |
rcarrillocruz | hmm | 09:21 |
rcarrillocruz | no... | 09:21 |
rcarrillocruz | https://softwarefactory-project.io/r/#/c/13451/ | 09:21 |
rcarrillocruz | cloud_vpn_aws_vpn_provider was added yesterday | 09:21 |
*** sshnaidm|off is now known as sshnaidm | 09:21 | |
rcarrillocruz | any hint ? | 09:22 |
tristanC | it's not in the list https://ansible.softwarefactory-project.io/zuul/projects.html | 09:22 |
rcarrillocruz | yeah, but i added them on the tenant, per ^ change | 09:23 |
rcarrillocruz | seems like it's not been applied? | 09:23 |
tristanC | the change got applied, but zuul didn't fully reload the tenant, perhaps because of "errors detected during ansible tenant configuration re-loading" | 09:30 |
tristanC | i'll issue a manual reload now to check | 09:31 |
rcarrillocruz | oki, thx | 09:31 |
tristanC | well, zuul doesn't tell why it doesn't add the project. could it be because they are missing GH app? | 09:36 |
rcarrillocruz | missing app? what you mean | 09:38 |
rcarrillocruz | they are repos hosted under ansible-network | 09:39 |
tristanC | is the app installed on those new projects? | 09:39 |
rcarrillocruz | just like cloud_vpn, which is managed by zuul just fine | 09:39 |
rcarrillocruz | the gets attached in an org basis | 09:40 |
rcarrillocruz | they get i mean | 09:48 |
tristanC | in scheduler.log, zuul do the merger:cat job for the new project, but they silently not get added to the project list... | 09:53 |
rcarrillocruz | :/ | 09:59 |
rcarrillocruz | anything you want me to try on my side | 10:05 |
* tristanC reading configloader source to see how this can happens... | 10:06 | |
gundalow | rcarrillocruz: got branch protections enabled? | 10:13 |
*** chmouel has quit IRC | 10:13 | |
gundalow | See the RST in network community | 10:13 |
* gundalow finds link | 10:13 | |
rcarrillocruz | i didn't do anything on those repos as for branch protections | 10:13 |
gundalow | https://github.com/ansible/community/blob/master/group-network/roles_development_process.rst#new-role | 10:14 |
gundalow | rcarrillocruz: above is the process I've been using | 10:14 |
rcarrillocruz | i don't think they are related tho, zuul is not reloading the tenant | 10:14 |
tristanC | rcarrillocruz: zuul is reloading the tenant, it's just not registering the new projects | 10:16 |
tristanC | branch project shouldn't matter as the projects doesn't use the exclude-unprotected-branches option | 10:16 |
rcarrillocruz | yeah, i mean, the whole process is not being done | 10:17 |
gundalow | rcarrillocruz: just reading earlier discussions regarding single/multiple tenants. One of the requirements from mattclay and myself is as much as possible of the configuration of what is used to define how we test ansible/ansible needs to be branched (ie product, integration tests and test framework/zuul) must be in the same branch. Think back to before we had branched config for DCI | 10:19 |
gundalow | So ansible/ansible MUST Not require anything from out the Ansible repo. And I believe the only thing we need outside of ansible/ansible is a tiny bit of trusted job configuration | 10:20 |
gundalow | The GitHub app is installed for ansible-network/* | 10:21 |
gundalow | Just catching up on discussion, apologies if I'm going through stuff that you've since worked through | 10:22 |
rcarrillocruz | the whole one tenant vs two tenants is unrelated to branching , the branching is done in the repos | 10:24 |
rcarrillocruz | is about having a single place to maintain jobs and look at things | 10:24 |
rcarrillocruz | sigh, was hoping to release cloud_vpn after i splitted the provisioners/providers repos | 10:25 |
*** chmouel has joined #softwarefactory | 10:48 | |
tristanC | rcarrillocruz: ok, found the issue, projects are loaded now | 10:48 |
rcarrillocruz | weeee | 10:49 |
rcarrillocruz | thx mate | 10:49 |
* rcarrillocruz onto refactor tests, now that cloud_vpn is splitted apart | 10:49 | |
gundalow | tristanC: ace, what was the issue? | 10:49 |
gundalow | rcarrillocruz: that doc I linked to has release procedure in for roles. Feedback welcome | 10:50 |
tristanC | gundalow: the fix is https://softwarefactory-project.io/r/13464 rdo: remove duplicate tripleo-ci definition | 10:50 |
rcarrillocruz | gundalow: write a release job :P | 10:50 |
tristanC | the scheduler reconfiguration was raising an exception later down the reload process, right before making the new configuration effective | 10:50 |
rcarrillocruz | jokes apart, i'm on making sure the tests work now that provisioners/providers are outside cloud_vpn, will do then look at it | 10:51 |
gundalow | Regarding branching & most ansible/* not depending on other things, this was the bit I was discussing | 10:52 |
gundalow | 05:14 <rcarrillocruz> i don't want a trusted project in ansible | 10:52 |
gundalow | 05:14 <rcarrillocruz> i'd like ansible/ansible to just have a .zuul.yaml | 10:52 |
gundalow | 05:14 <rcarrillocruz> and consume ansible-network/ansible-zuul-jobs | 10:52 |
*** chmouel has quit IRC | 10:52 | |
gundalow | Anyways, back tomorrow so we can sync up then. Just killing time in airport at the moment | 10:52 |
rcarrillocruz | gundalow: they will always depend on something, cos jobs depend on base jobs which are in trusted repos | 10:52 |
rcarrillocruz | and ansible/ansible is not a trusted repo | 10:53 |
rcarrillocruz | and that is unrelated to branching btw, the branching is put on the jobs repos | 10:53 |
rcarrillocruz | if you add a .zuul.yaml on ansible/ansible | 10:53 |
rcarrillocruz | that has a list of the jobs that are triggered for that repo | 10:53 |
rcarrillocruz | those jobs are defined on either a trusted repo | 10:54 |
rcarrillocruz | or untrusted repo | 10:54 |
rcarrillocruz | you could have untrusted jobs defined on ansible/ansible as well, but again, they will depend on base jobs that are on trusted repos | 10:54 |
gundalow | Sounded like you suggested gh/ansible should depend on network-engine | 10:54 |
gundalow | Currently have https://github.com/ansible/zuul-config | 10:55 |
rcarrillocruz | network-engine? | 10:55 |
gundalow | & fork of Ansible https://github.com/ansible/zuul-test-repo/pull/4 | 10:55 |
rcarrillocruz | network-engine is not a trusted repo, it doesn't contain jobs | 10:55 |
gundalow | Sorry, I meant ansible-network | 10:56 |
gundalow | Anyways, glad you've got Zuul working so will leave you to do the release | 10:56 |
gundalow | Can discuss tomorrow | 10:56 |
rcarrillocruz | yes, that we have base jobs in one location, ansible-network/zuul-config | 10:56 |
rcarrillocruz | we have two locations now | 10:56 |
rcarrillocruz | that's bad | 10:56 |
rcarrillocruz | we had a failure due to disparing base jobs around in jobs | 10:57 |
rcarrillocruz | we should have one trusted repo, with one set of base jobs and secrets | 10:57 |
rcarrillocruz | and since we are ansible-network | 10:57 |
rcarrillocruz | we should consolidate on ansible-network/zuul-config | 10:57 |
rcarrillocruz | and remove ansible/zuul-config | 10:57 |
*** jpena is now known as jpena|lunch | 11:10 | |
*** chmouel has joined #softwarefactory | 11:49 | |
*** jpena|lunch is now known as jpena | 12:18 | |
*** ssbarnea is now known as ssbarnea|ruck | 12:35 | |
mnaser | sorry to ping about this again.. is there a way to only allow registered users to talk to gerrit (disallow anonymous)? | 12:41 |
tristanC | mnaser: it should be the "authenticated_only" in the sfconfig.yaml network section | 13:07 |
mnaser | tristanC: i did that, but you can still git clone via http as a registered user | 13:07 |
tristanC | oh i see, gerrit direct access are still enabled for anon | 13:09 |
mnaser | tristanC: yeah, and i dont see anything in ACLs to disable anonymous users read access | 13:10 |
mnaser | unless anon users == registered users with cauth | 13:10 |
*** chmouel has quit IRC | 13:11 | |
tristanC | the parent project config is accessible here: /var/lib/software-factory/git/All-projects/project.config | 13:12 |
tristanC | removing read access doesn't seem enough though | 13:12 |
mnaser | tristanC: removing "read = group Anonymous Users" from "[access "refs/*"]" wasnt enough? | 13:14 |
mnaser | i was thinking of adding another group and parenting it to it (dunno if sf resources.yaml allows that) | 13:15 |
tristanC | mnaser: testing atm, i'm afraid the "authenticated_only" option is under tested and may need more work to be effective | 13:15 |
mnaser | tristanC: yeah no worries, i mean you need to know the exact path in order to be able to clone, but yeah | 13:15 |
sfbender | Tristan de Cacqueray created software-factory/sf-config master: gateway: authorize cauth to call managesf when authenticated_only is set to True https://softwarefactory-project.io/r/13467 | 13:20 |
tristanC | mnaser: removing the read access on "refs/*" from the ui worked though, i'm looking for a way to automate that | 13:21 |
tristanC | mnaser: also, i had the same bug regarding cauth json error, it should be fixed by https://softwarefactory-project.io/r/13467 | 13:22 |
mnaser | tristanC: cool, yeah the refs/* is how i fixed it before, i dunno if gerrit acl's allow 'explicit deny' | 13:22 |
tristanC | mnaser: not sure, but we should be able to force it in this task: https://softwarefactory-project.io/cgit/software-factory/sf-config/tree/ansible/roles/sf-gerrit/tasks/setup_acl.yml | 13:23 |
mnaser | i think maybe inside my project resources.yaml i can do read = deny group Anonymous User | 13:24 |
mnaser | i think that might allow me to do per-project denial | 13:24 |
mnaser | i have to test it | 13:24 |
sfbender | Tristan de Cacqueray created software-factory/sf-config master: gerrit: disable Anonymous Users when using authenticated_only https://softwarefactory-project.io/r/13468 | 13:34 |
tristanC | mnaser: ^ should work for all projects | 13:34 |
tristanC | oh wait no, we currently need anon access to the config for config-update | 13:35 |
tristanC | that's another part we need to change to push config repo content to services' instance instead of pulling from gerrit | 13:36 |
sfbender | Tristan de Cacqueray created logreduce master: Add React web interface https://softwarefactory-project.io/r/13469 | 13:45 |
pabelanger | tristanC: https://softwarefactory-project.io/r/13414/ was a week old, and fixed duplicate tripleo-ci. Just nobody reviewed it :( | 14:23 |
tristanC | pabelanger: arg, missed that. feel free to self-merge such fix next time. | 14:36 |
sfbender | Jakub Ružička created rdopkg master: info: fix `rdopkg info -l LOCAL` and add tests https://softwarefactory-project.io/r/13472 | 14:50 |
sfbender | Merged graffiti master: Add support for separated_buildreqs releases in list commands https://softwarefactory-project.io/r/13450 | 14:51 |
sfbender | Merged rdopkg master: info: fix `rdopkg info -l LOCAL` and add tests https://softwarefactory-project.io/r/13472 | 15:23 |
*** jpena is now known as jpena|off | 16:19 | |
rcarrillocruz | gundalow: i just realized we have lots of duplicate jobs in ansible-network-zuul-jobs from sf-jobs | 16:25 |
rcarrillocruz | we need to do quite a cleanup | 16:25 |
rcarrillocruz | can i please get reviews for https://softwarefactory-project.io/r/#/c/13473/ | 16:28 |
rcarrillocruz | linters job is failing on a PR i pushed that added an RST, as dib-fedora-27 does not have it | 16:28 |
pabelanger | gundalow: rcarrillocruz: I've proposed https://github.com/ansible-network/ansible-zuul-jobs/pull/32 to remove the duplication | 16:30 |
rcarrillocruz | yup | 16:30 |
pabelanger | lets see if zuul is okay with patch | 16:31 |
pabelanger | I'd also like to make that repo gating once we figure out tenant configuration | 16:32 |
nhicher | pabelanger: we don't have flavors with disk_size on vexxhost (only cpu, and ram), mnaser proposes to use boot-from-volume for tripleo-ci jobs, do you think it will be an issue ? I don't see boot-from-volume option in upstream project-config | 17:59 |
pabelanger | nhicher: should be fine, vexxhost ceph is pretty good | 17:59 |
pabelanger | nhicher: https://zuul-ci.org/docs/nodepool/configuration.html#pool-labels | 18:00 |
pabelanger | boot-from-volume is label setting | 18:00 |
pabelanger | also likely want volume-size | 18:00 |
nhicher | pabelanger: yes, mnaser shared https://www.irccloud.com/pastebin/1FSqjT5g | 18:00 |
pabelanger | yup, looks right | 18:00 |
nhicher | pabelanger: I will prepare the cloud.yaml file and prepare the review to add the provider | 18:01 |
nhicher | pabelanger: thanks | 18:01 |
pabelanger | sure | 18:02 |
*** mnaser has quit IRC | 18:42 | |
*** mnaser has joined #softwarefactory | 19:07 | |
*** chouseknecht has quit IRC | 19:33 | |
*** trishnag has quit IRC | 19:48 | |
*** trishnag has joined #softwarefactory | 20:00 | |
*** sshnaidm is now known as sshnaidm|afk | 21:51 |