Thursday, 2017-04-06

« Wednesday, 2017-04-05 Index Friday, 2017-04-07 »
openstackgerritMatthew Treinish proposed openstack-infra/nodepool master: Enabled sending MQTT messages for node events  https://review.openstack.org/45392200:08
openstackgerritMatthew Treinish proposed openstack-infra/nodepool master: Add mqtt module to enable pushing MQTT messages  https://review.openstack.org/45391500:08
openstackgerritMatthew Treinish proposed openstack-infra/nodepool master: Add support for sending MQTT messages on node events  https://review.openstack.org/45392200:18
*** harlowja has quit IRC00:39
*** guoguo has joined #zuul00:45
*** harlowja has joined #zuul01:26
*** harlowja has quit IRC01:26
*** jamielennox is now known as jamielennox|away02:05
*** jamielennox|away is now known as jamielennox02:19
openstackgerritJamie Lennox proposed openstack-infra/nodepool feature/zuulv3: Add username to build and upload information  https://review.openstack.org/45396803:43
openstackgerritJamie Lennox proposed openstack-infra/nodepool feature/zuulv3: Show message if node hold not found  https://review.openstack.org/45397104:07
jamielennoxjhesketh: do you know if nodepool v3 is supposed to have a wait period between job run and deletion as 2.5 did?04:11
jamielennoxjhesketh: a job runs and i can't place a hold on the node because i can't get the lock, but the instant the lock is available it is being deleted04:11
jamielennox(or maybe the lock is never deleted - either way i can hold it)04:12
jheskethjamielennox: don't know sorry04:24
jheskethjamielennox: I suspect though that the actual fix would be to not require a lock to put it into hold mode04:24
jheskethwhich may require some refactoring or a different zk model04:24
jamielennoxyea, i'm not sure, i mean everything locks because it needs to load json, manipulate, store string so i don't think you can just not lock04:25
jheskethperhaps something nodepool can check to see if anybody wanted to add a hold before deleting etc04:25
jheskethjamielennox: yeah I don't mean not lock, but inform nodepool somehow else04:26
jamielennoxjhesketh: that's ok i can check with others tomorrow - i wasn't sure if it was in your wheelhouse or not, but you're likely the only one here04:27
jheskethyeah sorry I can't help more04:28
openstackgerritJamie Lennox proposed openstack-infra/zuul feature/zuulv3: Quote ansible command and include config file  https://review.openstack.org/45397404:58
*** guoguo has quit IRC05:15
openstackgerritJamie Lennox proposed openstack-infra/zuul feature/zuulv3: Use username from node information if available  https://review.openstack.org/45398305:47
jamielennoxgs05:48
jamielennoxnope, not that window05:48
*** bhavik1 has joined #zuul05:59
jeblairjamielennox: https://storyboard.openstack.org/#!/story/200090506:01
jamielennoxjeblair: an auto-hold would be awesome, but in this case all i need is like 10 seconds between USED and DELETED06:03
jamielennoxjeblair: is in the auto-hold that was providing that in 2.5?06:03
jamielennoxs/is in/was it06:03
jeblairjamielennox: no, that was just compensation for jenkins delays.06:04
jeblairjamielennox: is the reason that you need those 10 seconds because you want to hold a node after a job fails?06:04
jamielennoxjeblair: right, i was running into what turned out to be https://review.openstack.org/#/c/453765/06:04
jamielennoxbad known hosts means ssh connection failures and couldn't connect06:05
jamielennoxi was trying to run that job manually to figure out why the failure, but there is no time between the used lock finishing and the watcher deleting it06:05
jamielennoxso yea, auto hold would be better, but i was prepped and was up+entering trying to put a hold on to stop the machine being deleted and there is never a point where the lock is free that i can set a hold marker06:07
jeblairjamielennox: yeah, i think the auto-hold feature will handle most of the use cases we have operationally.06:07
jeblairjamielennox: we may want to polish up the manual hold too, but we should probably do that properly in either nodepool or zuul.  i think we'd get tired of trying to hit that 10 second window.  :)06:08
jamielennoxjeblair: oh, absolutely 10 seconds is not a goal :)06:09
jamielennoxhaving given it only a few seconds thought i think you would have AUTO_HOLD as a distinct state from HOLD so that a user could transition a node from AUTO_HOLD->HOLD06:09
jamielennoxand that would solve the problem06:10
jeblairjamielennox: (we could consider adding a zuul command to hold a node for a job;  if we want to make it work in nodepool, we'll have to deal with the lock -- either get in line for the lock behind zuul and ahead of nodepool, or choose to ignore it, or add a hold flag for a node outside of the node record.)06:10
jeblairjamielennox: i don't think that state transition solves the problem, it's primarily one of locking.  zuul owns the node record as long as it's locked, so it's the only thing that can, currently make the hold decision during use.06:12
jamielennoxjeblair: well, if zuul set the AUTO_HOLD (or something better named) whilst it still had the lock and then released it would have the same HOLD effect on the nodepool deleter06:13
jeblairjamielennox: zuul should just set the state to hold in that case06:13
jeblair(that's the intent of https://storyboard.openstack.org/#!/story/2000905 )06:13
jamielennoxjeblair: the problem with that is if i have auto-hold = 3 nodepool-deleter can't distinguish between something i as a user want to hold for a long time vs the latest thing that failed in zuul06:14
jamielennoxas an admin i need a way to take it out of the delete-soon queue into the hold indefinitely queue06:14
jeblairjamielennox: if auto-hold for job foo is 3 and there are 3 held nodes for job foo, then zuul should not hold any more06:15
jeblair(that's also described in the story)06:15
jeblairthere's no delete-soon queue.  held nodes are always held indefinitely and need an admin to delete them.06:15
jeblairjamielennox: generally the workflow is: job foo is failing, i need to catch a node it failed on.  set auto-hold for foo.  come back later and see if we caught anything.  delete nodes + auto-hold configuration after problem is solved.06:17
jeblairjamielennox: (in zuulv3 of course "foo" could well be "base" and you'd get nodes for any failed job)06:18
jamielennoxjeblair: ok, i read that differently, i would think that it's cheap to always hold the last 2 failing job nodes, and then cycle out the oldest when a new failing job is caught06:18
jamielennoxso something that you can react to and grab, rather than something you need to set up auto-hold when you expect a problem06:19
jeblairjamielennox: at scale, you'd be racing the deletion, and the oldest 3 failures are usually as good as the newest 3.06:19
jeblairjamielennox: oh, you mean hold any job that fails always?06:19
jamielennoxjeblair: right, and that was why i was thinking of the AUTO_HOLD state06:19
jamielennoxjeblair: yes, up to X jobs06:20
jeblairjamielennox: jobs fail all the time, legitimately.  i think no matter what scale you operated at, small or large, you would require a substantial portion of your quota in order to hold all of the failed jobs long enough for you to react to decide you wanted to hold a node for actual investigation.06:21
jeblairjamielennox: we've found it quite convenient to just say "hold the next 3 failures for this job" after we've encountered a problem which can't be diagnosed except by logging into a node (which is relatively rare in the scheme of things).06:21
jamielennoxok, both ways can work and that is certainly cheaper, it's generally not hard to retrigger the job and catch the next machine instead of the last06:23
jeblairevery node counts :)06:24
jamielennoxi guess i was looking at it from the point of view of racing the deleter06:24
jeblairi'm too lazy06:24
jeblairjamielennox: anyway, it's past my bedtime.  good night!  :)06:25
jamielennoxjeblair: night - thanks for the explanation06:25
*** isaacb has joined #zuul06:39
*** hashar has joined #zuul07:31
*** isaacb has quit IRC07:58
*** bhavik1 has quit IRC08:10
*** SpamapS has quit IRC09:04
*** SpamapS has joined #zuul09:42
*** isaacb has joined #zuul10:03
*** isaacb has quit IRC11:41
*** isaacb has joined #zuul11:41
Shrewsjamielennox: yep, the manual hold thing is definitely suboptimal. i think we should actually delete the 'hold' command because of that, IMO11:44
Shrewsjeblair: how do you feel about deleting that command? the only other option i can think of is put a delay on USED nodes, that i don't particularly like11:46
jamielennoxShrews: i guess that's where i was going with my auto-hold idea, instead of a timer just hold the last X failed jobs11:59
jamielennoxbut i agree with jeblair that X is a hard thing to measure there because it will change drastically based on your scale11:59
jamielennoxShrews: i like the idea of a proper HOLD that an admin can request and actually play with something for a day or two that doesn't get counted in the auto-hold quota12:00
jamielennoxbut for simplicity now i don't care if we remove it and add it back when it makes sense12:00
mordredI could see manual hold maybe working if it's a zuul command - but it would have to be "hold the nodes for build {uuid}" - but then I'm not sure how that gets implemented locking wise or whatnot12:23
mordred09783112:23
mordredgah12:23
mordrednobody use that12:23
mordred:)12:23
Zarahunter212:30
*** isaacb_ has joined #zuul12:32
*** isaacb has quit IRC12:35
*** bhavik1 has joined #zuul13:09
*** isaacb__ has joined #zuul13:56
*** isaacb_ has quit IRC13:58
*** patrickeast has quit IRC14:13
*** patrickeast has joined #zuul14:16
*** bhavik1 has quit IRC14:18
jeblairjamielennox, Shrews, mordred: after further thought, i think having the hold command wait for the lock, while still not optimal, might be okay, and the best approach to take for now for manual hold, and worth a try.  i think it's the technically correct thing to do in the current design and easy to do.  any improvements would require more work.14:26
jeblairmordred: and yeah, having zuul do the hold is probably the next best/easiest thing to do.14:27
openstackgerritJames E. Blair proposed openstack-infra/nodepool feature/zuulv3: Wait for lock when performing manual hold  https://review.openstack.org/45421714:33
jeblairjamielennox, Shrews, mordred: ^ that's what i'm thinking for manual hold14:33
Shrewsjeblair: why not just block on the first call?14:36
jeblairShrews: i wanted a nice print, but only if necessary.  :)14:37
jeblairi don't feel strongly about that at all.  :)14:37
Shrewsi mean, it's going to print that 99.999999% of the time anyway14:38
jeblairthat's true.  maybe i should drop it.14:38
openstackgerritJames E. Blair proposed openstack-infra/nodepool feature/zuulv3: Wait for lock when performing manual hold  https://review.openstack.org/45421714:38
jeblairShrews: you convinced me14:38
*** isaacb__ has quit IRC14:42
*** isaacb__ has joined #zuul14:48
jeblairjamielennox: what are you going to do with https://review.openstack.org/445675 ?14:50
jeblairmordred: what's the eta on the lookup plugin?14:54
mordredjeblair: as soon as I'm done dealing with mirror breakages14:57
jeblairmordred: okay.  i'm going to shut zuulv3 down until then.14:58
mordredjeblair: kk14:59
jeblairShrews, pabelanger: +2 https://review.openstack.org/451470 with comments15:05
pabelangero/15:09
pabelangerjust catching up15:09
pabelangerIs the security issue, a know issue or is this new?15:14
pabelangerknown*15:14
jeblairpabelanger: for the lookup plugin issue.  i mean, we've been running with it for a week, accidentally.  next time we're going to be more careful about this.15:15
pabelangerk15:15
jeblairnext vulnerability like that, we'll stop zuul immediately and make sure everyone knows it's a high priority issue and nominate someone to lead fixing it as their sole focus.15:16
*** isaacb__ has quit IRC15:23
pabelanger++15:24
pabelangerShrews: mind a review on https://review.openstack.org/#/c/45004515:25
pabelangeradds opensuse as an image so we can test it for glean and diskimage-builder jobs15:25
Shrewspabelanger: trade you for reviews on my docs changes, starting with https://review.openstack.org/45369515:26
pabelangerShrews: ah, yes. happy too15:28
pabelangerheh, found an issue in tox-docs jobs, we don't render html, like jenkins user does15:31
pabelangerfixing15:31
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Start blocking lookup plugins on insecure jobs  https://review.openstack.org/45423615:35
mordredjeblair, pabelanger, Shrews: ^^ there is the beginning - I'm working through the rest of the lookup plugins now but thought I'd go ahead and push that up15:36
jeblairmordred: cool, i'll start reviewing15:36
openstackgerritMerged openstack-infra/nodepool master: Add opensuse 42.2 DIB testing  https://review.openstack.org/45004515:36
pabelangerack15:36
mordredjeblair: OH - lookup plugins are also what implement with_foo (in additoin to the lookup function)15:37
mordredjeblair: so "with_items" is implemented by the items lookup plugin15:37
mordred(so just disabling all of them would be bad - thus why we have to look at each one of them)15:37
jeblairmordred: wow, so this is more important and expansive than i thought :)15:38
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Add trigger developer doc  https://review.openstack.org/45369515:38
mordredjeblair: I think I'd  like to have other folks take a pass through the list of lookup plugins too (github.com/ansible/ansible/lib/ansible/plugins/lookup)15:39
jeblairmordred: that 404s for me15:39
mordredsome are - well, some make network calls, like the dig module - which aren't strictly a security risk, but also are executing code on the executor that's doing something, so may be a judgement call15:40
mordredoh - sorry -that's not a link15:40
mordredhttps://github.com/ansible/ansible/tree/devel/lib/ansible/plugins/lookup would be the link version15:40
mordredI'm currently just scanning for ones that do local file access15:41
jeblairmordred: gotcha.  i can take a look.  hopefully some other folks too15:42
mordredbut like - dig seems fine-ish - consul_kv and etcd seem fine but also probably pointless since our users would not be able to set the host to use via config vars :)15:42
jeblairSpamapS, pabelanger, jlk: help requested ^ :)15:42
mordredactually ...15:42
mordredhttps://etherpad.openstack.org/p/zuul-ansible-lookup-plugins15:43
mordredmaybe we should note which are good/bad/maybe15:43
pabelangerjeblair: mordred: we should at least add a test to validate this too.15:46
mordredpabelanger: oh - definitely15:47
jeblairpabelanger: doesn't this have the same issues as the rest of the plugin validation?15:47
pabelangerjeblair: good question15:48
jeblairpabelanger: i assume it would be the same as https://storyboard.openstack.org/#!/story/200087815:48
pabelangerjeblair: yes, we should start to make the a higher priority, if possible15:49
jeblairpabelanger, mordred: oh, well, actually, we can do the file-based tests now.  i think we already have some.15:49
Shrewsmordred: why does read_csv() call run() and not the super's read_csv()?15:50
jeblairwe just can't test lookups which perform things on other hosts; i don't know if there is such a thing?15:50
pabelangerI think all looks are local IIRC15:50
pabelangerlookups*15:51
pabelangerOh, I think I see what you mean.15:51
Shrewsmordred: i think that's just a copy-pasta. if i'm wrong, i'll remove the -1 on that15:52
jeblairso yeah, i think we will probably be able to create tests now.15:53
mordredok - first pass on the list is done15:57
mordredShrews: nope - you're right - definite copy-pasta15:57
jeblairmordred: i've been thinking about env.  maybe let's just reject for now and think about it later if it's an issue.15:57
mordredjeblair: kk15:58
openstackgerritPaul Belanger proposed openstack-infra/zuul feature/zuulv3: Add upload-sphinx-draft role to tox-docs jobs  https://review.openstack.org/45424815:58
jeblairmordred: (we might decide to, instead, sanitize the zuul env, or add a whitelist or something.  i agree it's grey).15:58
mordredyah.15:58
* SpamapS reading16:00
jeblairmordred: i don't understand indexed_items.16:12
jeblairmordred: i don't know what the basedir setting does there.16:12
SpamapSso, I think we should probably just whitelist the lookup plugins we think test users would need, and remove all others.16:13
mordredjeblair: basedir there seems to be copypasta16:14
jeblairmordred: that's what i was thinking, which would make that okay, yeah?16:15
mordredjeblair: the indexed_items just does that crazy list manipulation16:15
mordredyah16:15
SpamapSwhich I think is what is being suggested?16:15
mordredSpamapS: unfortunately, we can't _actually_ whitelist16:15
mordredSpamapS: we have to explicitly disable each module16:15
mordredbut yes - the effective outcome of what you are saying is the plan16:15
SpamapSmordred: yeah.. we're back to that problem. :-P16:16
jeblairSpamapS: i think it's like the action plugins -- some of them are useful, say, looking up something from a file in the work area.  so those we will filter input.  the rest are either enable or disable.16:16
SpamapSmoar indirection16:16
mordredjeblair: yes. that16:16
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Start blocking lookup plugins on insecure jobs  https://review.openstack.org/45423616:16
mordredthis puts in a little bit more support (and fixes the copy-pasta Shrews found)16:16
SpamapSso when we say "BAD" on that etherpad.. that's "BAD, but might be filterable" ?16:17
mordredso hard-disabling a module should be a simple symlink16:17
mordredSpamapS: we should maybe differentiate16:17
mordredlet em go do that real quick16:17
SpamapSbecause like, first_found might be really useful for stuff in the work dir.16:17
mordredSpamapS: yup. I just updated the list with "FILTER" for things I think we can filter16:19
mordredthat does not include template, btw, because of how template is implemented - there's too much to easily override the parameter16:19
jeblairmordred: i don't see keyring.py.  what branch are you on?16:20
jeblairhrm, i see it in github.  i think my local git repo is fubar.16:20
jeblairmordred: okay, fixed.  but keyring is only in devel, not stable-2.216:22
mordredjeblair: cool - we're ahead16:22
mordredjeblair: once we can do ansible/zuul gating, I'd love to put in a test that makes sure we notice when new plugins hit upstream devel16:23
jeblair++16:23
SpamapSI kind of wonder if there's a way to make a plugin plugin.16:26
SpamapSthat just acts like a traffic cop for all plugins.16:26
mordredSpamapS: not currently16:27
mordredSpamapS: it has been discussed in the ansible core team16:27
jeblairSpamapS, mordred: the import stuff is weird enough that i'm not ready to say it would be impossible for us to do.  but if other folks have considered that...16:28
mordredyah, bcoca does not want to do something like it until they're confident it'll actually work (he's concerned about adding an insecure security feature)16:29
jeblairoh hey i didn't know about 'pass'.  that's neat.16:31
mordredpass is great16:32
mordredI mean, I haven't migrated to it from my gpg encrypted file of things personally yet16:32
mordredbut I plan to16:32
*** hashar has quit IRC16:34
SpamapSyeah pass does look nice16:35
SpamapSso, shelvefile is out, IMO16:35
mordred++16:35
jeblairagree16:35
SpamapSHonestly I've never seen a use of shelve that turned out well. ;)16:37
jeblairdns, dnstxt, and url all seem of a class -- they could be useful, but would also allow internal network access of some kind.16:37
SpamapSI don't understand the NET classification.16:38
SpamapSurl takes urls as arguments16:38
SpamapSso that seems like a BAD, not a NET16:38
jeblairSpamapS: it allows some form of network access16:38
SpamapSthe description at the top suggests NET is "you can't configure the host so it's maybe ok?"16:39
jeblairSpamapS: (it's an undecided flag, at the moment)16:39
SpamapSor something like that16:39
SpamapSkk16:39
jeblairSpamapS: i think we've flippled all of them to bad except these 3.16:39
jeblairheh flippled.16:39
jlkWill dig through these lookups16:40
SpamapSI actually think any that do net access should be in the BAD category. It's likely the executor has access to stuff that nodes won't, and some of that stuff may be useful in breaking out of containment.16:40
jeblairi think the thing with url is maybe there's a use case for "download this image and copy it to all the nodes".16:40
SpamapSThough DNS seems like at least a very small hole to poke through.16:41
SpamapSjeblair: yeah, case could be made for thoughtful filtering16:41
jlkIf you tell it to connect to a rogue DNS server, you could create a reverse tunnel16:41
jlkand by rogue, I mean not a real DNS server16:41
SpamapSjlk: indeed16:42
SpamapShave done that... :)16:42
SpamapSThe 1s latency is really awful tho ;)16:42
jlkThis effort is now whack-a-yak16:42
jeblairSpamapS: i think we can work around the url restriction with "have ansible download the url on one worker node, copy it back to executor workdir, then copy out to rest of the nodes".16:43
SpamapSjeblair: yeah I was just thinking that16:43
jeblairSpamapS: not ideal, but possible.  that's enough to make me happy with "block this for now and reconsider later if needed"16:43
SpamapSWait for user outrage to convince us to spend the time to carefully enable it.16:44
mordred++16:44
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Start blocking lookup plugins on insecure jobs  https://review.openstack.org/45423616:45
mordredk. that updates having linked all of our explicit BAD modules to _banned.py16:45
jeblairokay, i flipped the remaining nets to bad16:46
mordredcool16:46
jeblairi agree with all the annotations from spamaps; i'm not going to explicitly +1 them16:47
SpamapSLooks good. I'll feel even better with bwrap backstopping the effort. :)16:48
jeblairayup16:48
mordredjlk: "Return a file (needle) in the task's expected search path." ...16:49
mordredjlk: what is "the task's expected search path" - does that mean anything do you?16:49
jlkhuh, I recognize all those words, however in that arrangement, I have no idea what they mean.16:49
jlkwhich plugin?16:49
mordredI'm looking at filtering fileglob right now - but it calls a method called "find_file_in_search_path" in LookupBase16:50
mordredjlk: I mean, I figure I can just do the safe-file check on whatever is returned from that16:50
mordredbut I kinda want to understand what the heck it even is16:51
jlkprobably?16:51
jlkI wonder if it's looking locally, and doing role path shortcuts and such16:51
* SpamapS is now curious16:51
SpamapSansible_search_path or role_path16:52
mordredyah. role_path16:52
jeblairhttps://github.com/ansible/ansible/issues/14341#issuecomment-23455943116:52
SpamapSor '.'16:53
mordredok. cool16:53
SpamapSso yeah, you would need to filter the output16:53
jlkbut it looks like it could be overridden with ansible_search_path as a variable?16:53
jlkyeah, definitely filter.16:53
mordredyah - but that's still fine if we filter the results16:53
jeblairhttps://github.com/ansible/ansible/commit/3c39bb5633d0cbfa9cf22f9a4038296caef9c62216:54
mordredand it _should_ alow things to work properly for tihngs in roles, since we copy those into the workspae so they're in the "ok" path area16:54
SpamapSsince ansible_search_path=/ would let you search the whole FS16:54
mordredSpamapS: maybe we should also get crazy and filter ansible_search_path for acceptable paths?16:54
jlkwhat in the heck is a "shelvefile" ?16:54
SpamapSyes that seems like a valid thing to do16:54
SpamapSjlk: a database of pickled things16:55
jlkhuh16:55
SpamapSor "the worst idea ever"16:55
mordredyah16:55
SpamapStake your pick16:55
jlkhahah, yeah, like, how would one use that effectively?16:55
SpamapSIt's for writing python in 199816:55
mordredto be fair - jeblair and I used to hack on things that used the zodb - which was, in fact, an object database of pickled things16:55
SpamapSZope?16:56
mordredyah baby16:56
jlkdocs/docsite/rst/playbook_pahting.rst looks relevant16:56
SpamapSZOMGpe no16:56
jeblairpretty nifty, the zodb.16:56
mordredand also non-zope things that used the zodb16:56
SpamapSZope is one reason why launchpad is intractable. Though not zodb.16:56
mordredSpamapS: those who do not know Zope are condemned to reinvent it, poorly.16:57
SpamapSZope + Storm + Postgres is like.. wow.. we found the two best ways to make a monolithic nightmare16:57
mordredyah16:57
jlkNow we have 6 problems16:57
SpamapSand then added the best database for that too16:57
mordredwith custom index types16:57
SpamapShey you gotta sort those dpkg versions16:57
jeblairyah, an app like launchpad is not, i think, leveraging zope's strengths.16:57
mordredso they actually used postgres' functional index feature16:57
jlkjust stuff it all into a BerkeleyDB16:57
mordredwhich puts the computation right where it doesn't need to be - but I had MANY long arguments with lifeless about that back in the day16:58
mordredmy argument was "sure, but just don't have a single table with all of the packages that you want to sort and filter by version in debian version sort order"16:58
mordredsince you don't EVER need to sort multiple packages by single version - you should be able to just get the list of versions for a single package as opaque strings then sort _that_ app side16:59
mordredbut silly me - I'm just a database scalability consultant16:59
jlkSo I'm in a bit of a bind. My patch is failing upstream, generating an 87 meg log file. I can't get the tip of feature/zuulv3 to pass locally, so I have no good starting point from which to narrow down why things are failing in my patch tree :(17:08
jlkI guess I could wget the log file and trawl through it locally17:08
jeblairjlk: can you run one test locally?17:10
jlkYeah I can get subsets of tests to pass locally17:10
jlkjust not the entire suite17:10
jlkFAILED (id=6, failures=2 (-2), skips=28)17:11
jlka ton of skips (I don't know why) and the two failures are kind of vague.17:11
jlkoh wait, this wasn't on tip. My mistake. let me re-run on tip17:11
SpamapS28 is normal.17:13
SpamapSor around 28 I think17:14
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Start blocking lookup plugins on insecure jobs  https://review.openstack.org/45423617:14
SpamapSthose are just the @skip's17:14
mordredjeblair: would you re-look at that before I go further? specifically the additoins to _paths and their use17:14
mordredjeblair: I believe we should have those 2 types of fails we want to produce17:14
jeblairmordred: ack17:16
jeblairmordred: i'll be surprised if we use _fail_lookup more than once, but other than that nit, lgtm.17:20
mordredjeblair: actually, good point. I'll go ahead and clean that up in the next pass17:22
*** harlowja has joined #zuul17:23
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Simplify the log url  https://review.openstack.org/43802817:54
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Remove url_pattern config parameter  https://review.openstack.org/44716517:55
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Implement getSafeAttributes for other objects  https://review.openstack.org/45045917:56
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Make sql reporter score null when not set  https://review.openstack.org/45046017:56
SpamapS\o/ merging17:59
SpamapSjeblair: so, test_swift_instructions .. we can just remove that one, but we still need a "stdlib" post playbook that uses auth to load to swift, yes?18:05
jeblairSpamapS: yes, but i think we can defer that for a bit if desired.18:06
jeblair(defer creating the playbook)18:06
SpamapSright, sounds like it will happen naturally as we port infra jobs18:09
jeblairSpamapS: we aren't using that right now in infra, so from a bootstrap openstack-infra perspective, we can even defer it past that.  jhesketh may be using it for a third-party ci setup though (as may be others), so it would be nice to get something in place shortly after.18:11
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Change mutex to counting semaphore  https://review.openstack.org/44256318:12
SpamapSjeblair: ACK18:14
SpamapSjeblair: I think it may be a good idea to add a column to the board that is "after 3.0" or "after infra" or something like that.18:15
SpamapSjeblair: feels like there's a need to focus down to the "infra runs it" milestone18:15
jeblairSpamapS: agreed, we're starting to collect those tasks.18:16
SpamapSanother option is to make a new tag and move those things to that.18:18
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Rename tenant in updateConfigLayout  https://review.openstack.org/45428218:18
jeblairSpamapS: true.  we could start tagging by milestone.18:18
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Rename tenant in updateConfigLayout  https://review.openstack.org/45428218:21
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Consume interface_ip from nodepool node  https://review.openstack.org/44970618:21
SpamapSjeblair: I think I'll just ponder on these through next week since it's vacation time for both of us. We can maybe make a push for reorganization of tasks after that.18:21
jeblairSpamapS: sounds good18:22
SpamapSnow to see if I can get this test_timer_sshkey test to test something meaningful... :-P18:22
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Start blocking lookup plugins on insecure jobs  https://review.openstack.org/45423618:23
jeblairSpamapS: speaking of which .... i don't think we have a chair for the zuul meeting on monday.  do folks want to have it?  does someone want to chair?18:23
mordredokie. I think that'sall of them18:23
jeblairmordred: thx reviewing18:24
SpamapSThe only chair I'm going to be concerned with on Monday is Mammoth Chair Lift #2.18:26
jeblairjesusaur, mordred, Shrews, clarkb, jlk, pabelanger, jhesketh: SpamapS, fungi, and I are all out monday.  do any of you want a zuul meeting or should we skip?  (sorry i forgot to ask at this week's meeting)18:28
jesusaurI'm fine skipping it18:28
jesusaurSpamapS: oh, you're going to mammoth? I've been meaning to go back there, I used to go yearly when my family lived in LA18:29
Shrewsi'm out on monday? neat18:30
SpamapSjesusaur: Indeed... yearly pilgrimmage :)18:30
jeblairShrews: you were before the colon; i was addressing you so you got a highlight.  :)18:31
Shrewsoh, there's a colon18:31
mordredShrews: you miss parsed a : - check your lexer18:31
mordredjeblair: I'm fine skipping18:31
Shrewsjeblair: mordred: i prefer to skip it, even still18:31
jeblair...amongst the people out on monday are SpamapS, fungi, and I....18:31
Shrews(the colon, but skipping the meeting is fine, too)18:31
mordredShrews: I assume you'll be brunk by then anyway18:32
mordredalso, I noticed the misspelling before hitting enter but decided to keep it18:32
Shrewsmordred: brunk off my bass18:32
jeblairthere's an urban dictionary entry for brunk.18:32
* fungi would just as soon rather not know18:34
mordredjeblair: I prefer definition 318:34
mordred"I got so Brunk last night I let Juan give me the ol Mexican Rice."18:35
mordredthere's so much about that example sentence ...18:35
jlkOkay good news. Tip of zuulv3 passes tox locally18:36
jlkskips=3118:36
mordredWOOT!18:36
jlkIt's just my branch that won't pass :(18:40
jeblairmordred: missing 2 files by my count18:40
jeblairmordred: env and password18:40
mordredjeblair: oh - hey, lookie there18:41
jeblair(to be clear, my -1 was for that, not for the 'wishful thinking' comment i left inline) :)18:41
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Start blocking lookup plugins on insecure jobs  https://review.openstack.org/45423618:41
mordredjeblair: git add is my friend18:41
jeblairmordred: heh, it's never been mine :)18:42
jlkIs it your friend? Or is it just pretending to be your friend, while secretly sabotaging your work behind your back?18:42
mordredjeblair: yah. I agree with that wishful thinking comment18:42
mordredjlk: that. definitely that18:42
mordredI mean, I might could maybe make a PR to upstream to refactor the ones where we had to copy things because of sads18:43
jeblairmordred: env?18:43
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Start blocking lookup plugins on insecure jobs  https://review.openstack.org/45423618:43
mordredjeblair: yup. like jlk said. sabotaging my work18:44
jeblair+218:44
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Cleanup docs builds and error on warnings  https://review.openstack.org/45296418:50
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Cleanup docs builds and error on warnings  https://review.openstack.org/45296419:10
jlkFFFFffffff19:19
mordredjlk: I agree19:23
jlkOof, when you're least expecting it: # (c) 2013, seth vidal <skvidal@fedoraproject.org>19:24
*** openstack has joined #zuul19:48
mordredjlk: yah19:56
mordredjlk: also, re: your comment in the review - I totally agree - I want to actually add a job once we have your gh patches merged that double checks that nothing adds new plugins to ansible without us knowing about it19:58
*** harlowja has quit IRC20:03
jeblairSpamapS, Shrews: can you prioritize https://review.openstack.org/454236 please?  then we can merge it and restart zuul20:05
mordredjeblair, SpamapS, Shrews, jlk: fwiw, http://paste.openstack.org/show/605670/ is example output if that dir is enabled in lookup_plugins and I tried using with_env:20:14
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Clarify TriggerInterface documentation  https://review.openstack.org/45371320:22
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Remove source from pipelines (1/2)  https://review.openstack.org/45336220:26
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Remove source from pipelines (2/2)  https://review.openstack.org/45382120:26
SpamapSjeblair: certainly will look at it next20:31
*** SpamapS has quit IRC20:44
*** SpamapS has joined #zuul20:45
*** SpamapS has quit IRC20:45
*** SpamapS has joined #zuul20:46
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Remove source from pipelines (1/2)  https://review.openstack.org/45336220:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Replace config/project repos with trusted/untrusted projects  https://review.openstack.org/45334720:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Fix constructor arguments to source  https://review.openstack.org/45110220:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Add hostname to TriggerEvent  https://review.openstack.org/45234820:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Remove source from pipelines (2/2)  https://review.openstack.org/45382120:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Add canonical hostname to source object  https://review.openstack.org/45111020:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Fully qualify project configuration names  https://review.openstack.org/45197020:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Add source to project and remove unused tenant attrs  https://review.openstack.org/45196920:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Pass source to project instantiations  https://review.openstack.org/45159620:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Add a project index to Tenant  https://review.openstack.org/45159720:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Remove unused Tenant.getRepo method  https://review.openstack.org/45192920:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Use new tenant project index for config references  https://review.openstack.org/45192820:56
jeblairpabelanger, mordred, jhesketh: anyone want to volunteer to push some simple test-enable patches in?20:59
SpamapSmoar tests21:00
jeblairmordred: are you working on tests for your lookup blocks?21:01
*** harlowja has joined #zuul21:03
*** openstackgerrit has quit IRC21:07
*** notmorgan is now known as morgan21:08
jeblairharlowja: what do you think about the status of https://github.com/python-zk/kazoo/pull/419 ?21:15
jeblairi will single-core approve the tests with no logic changes21:20
harlowjai haven't been able to find the kazoo peoples :21:21
harlowja:(21:21
jeblairharlowja: it's looking increasing like it's you.  :|21:22
harlowja:/21:22
jeblaircongratulations21:22
harlowjawaaa waaa21:22
harlowjalol21:22
SpamapSThey all work on etcd now21:23
jlkoh this isn't good. I left tests running when I went to lunch, like 2 hours ago.21:23
jlkand they're still going :(21:23
SpamapSjlk: Perhaps there's something getting stuck. ;)21:23
pabelangerjeblair: I am not sure what 'simple test-enable patches21:25
pabelangerare21:25
jlktake a test that is @skip, make it work.21:25
pabelangerk21:26
jeblairpabelanger: they are not very complex patches to zuul which enable tests.21:26
pabelangerI can focus on that for tomorrow21:26
jeblairi was going to make a list, but it didn't seem anyone was around so i've just single-core approved them.21:26
jeblairpabelanger: are you working on tests for mordred's lookup plugin stuff?21:27
SpamapSthey're patches with Story: 200077321:27
pabelangerjeblair: not yet. I can see about adding something this evening21:28
jeblairpabelanger: was just a question.  i'm trying to figure out if anyone is working on it now.21:28
jeblairi've got a 'no' from you, and am waiting on a response from mordred.21:29
pabelangerokay, I'm happy to write up something, if we need it21:29
*** openstackgerrit has joined #zuul21:29
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Start blocking lookup plugins on insecure jobs  https://review.openstack.org/45423621:29
jeblairpabelanger: assuming mordred isn't working on it, i will probably do it now.21:30
adam_gis there a way to specify the ansible_ssh_user that gets used by an executor? i believe its configurable for the ansiblelaunchserver but dont see anything that allows it in executor/server.py21:30
jeblairadam_g: https://review.openstack.org/45398321:30
adam_gjeblair: ha, thanks21:30
jeblairpabelanger, mordred, clarkb, jhesketh: if one of you could +3 https://review.openstack.org/453303 that would be great.  it's almost trivial.21:32
jeblairpabelanger: i responded on https://review.openstack.org/45397421:35
jlkOh good, 3.8G of test output.21:36
jeblairharlowja: are you going to continue to wait for the other kazoo folks?21:37
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Re-enable test_queue_rate_limiting  https://review.openstack.org/45283521:37
jeblairharlowja: i'm about to take off for a week, but when i get back, maybe i should look at just copying that recipe into our local app for a while so we can start using it?21:39
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Re-enable test_queue_rate_limiting_dependent  https://review.openstack.org/45286421:39
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Re-enable remaining test_crd_check_* tests  https://review.openstack.org/45299621:39
mordredjeblair: I'm not this instant - but that's next on my list (I had to step afk for a little bit)21:46
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Quote ansible command and include config file  https://review.openstack.org/45397421:46
jeblairmordred: ok.  i have a few minutes now; do you want me to handle it or do you want to keep it?21:47
mordredjeblair: either way - I do not feel emotionally attached to doing it - but I also don't want to take time you could be using to do something more jeblair-ish21:49
jeblairmordred: i'll trade you for as many reviews on 451113 453303 448555 446275 454217 453802 453797 as you can muster :)21:52
harlowjajeblair unsure, probably not21:52
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Remove source from pipelines (1/2)  https://review.openstack.org/45336221:53
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Replace config/project repos with trusted/untrusted projects  https://review.openstack.org/45334721:53
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Remove source from pipelines (2/2)  https://review.openstack.org/45382121:53
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Fully qualify project configuration names  https://review.openstack.org/45197021:53
*** openstack has joined #zuul22:04
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Use libyaml if possible  https://review.openstack.org/45111322:04
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Re-enable test_live_reconfiguration_del_project  https://review.openstack.org/45330322:05
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Make sure services are running for test-setup.sh  https://review.openstack.org/44855522:06
mordredjeblair: I just landed thefirst patch in the canonical hostnames series - but patch 2 has a jenkins sad22:28
openstackgerritMerged openstack-infra/nodepool feature/zuulv3: Wait for lock when performing manual hold  https://review.openstack.org/45421722:29
openstackgerritMerged openstack-infra/nodepool feature/zuulv3: Fix internal doc refs to renamed section  https://review.openstack.org/45380222:29
openstackgerritMerged openstack-infra/nodepool feature/zuulv3: Start adding operational docs to zuulv3  https://review.openstack.org/45379722:30
jeblairmordred: pretty sure that's a racy test.  (but not very racy, it didn't hit any of the others). i rechecked.22:35
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Perform pre-launch merge checks  https://review.openstack.org/44627522:35
mordredjeblair: ok. cool. I'll keep going then22:37
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Fix constructor arguments to source  https://review.openstack.org/45110222:38
jeblairmordred: fyi, i got as far as verifying that a passwd lookup is blocked, but then the approach i chose to test more lookups has exposed an issue with dynamic reconfiguration, so i'm down the rabbit hole a bit.22:48
mordredjeblair: oh! well - maybe that wound up being a good thing22:50
mordredprobably a good rabbit hole22:50
mordredmmm. rabbit is tasty22:50
jeblairya22:50
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Add canonical hostname to source object  https://review.openstack.org/45111022:55
jheskethMorning22:56
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: WIP fix dynamic reload  https://review.openstack.org/45439523:12
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: WIP test lookups  https://review.openstack.org/45439623:12
jeblairmordred, SpamapS: WIP to illustrate approach23:13
jeblairmordred: i think probably we don't need to test 'lookup' separate from 'with'.  would you agree?23:14
jeblairthe thing i'm not sure how to do is verify that we hit that actual exception, vs some template formatting error.23:18
jeblairfor the moment, i'm just reading the log output to make sure, but that's obviously something that would be good to automate so we don't regress.23:18
mordredjeblair: yah. I mean - it's in the text that shows up in the playbook output23:19
mordredso maybe when we get json output from playbooks, we can just parse that in the tests23:19
jeblairmordred: OH! i understand "list.py".  that's so that "with_list" works!23:20
jeblairmordred: because "with_foo" means foo is dynamically mapped to "lookup plugin named foo"23:20
mordredyes23:21
mordredfun right?23:21
Shrewsharlowja: so is kazoo abandoned then?23:26
harlowjaidk23:26
harlowjai'm still around, lol23:26
Shrewsshould we recode everything in Rust?23:26
harlowjasure23:26
harlowjalol23:26
ShrewsSpamapS will like that23:26
SpamapSYeesss23:29
harlowja:-P23:30
SpamapSjeblair: mordred we have the same problem in detecting the action plugin fail. I broke it in funny ways with bwrap that would be detected if we verified the text of the fail log23:31
mordredSpamapS: k. I'll prioritize the json logging bit next23:34
jlkmordred: yeah, but what's the point of 'with_list' ?  how is that different than with_items, handing it a list?23:34
mordredjlk: yes. it's literally the same thing23:35
mordredclass LookupModule(LookupBase):23:36
mordred    def run(self, terms, **kwargs):23:36
jlk... but why?23:36
mordred        return terms23:36
mordredthat's the entire module23:36
jlkright I looked at the code and scratched my head23:36
mordredright?23:36
mordredI mena- I totally agree23:36
mordredmaybe it's hysterical raisins23:36
jlkthem cheeky buggers.23:37
mordredjlk: the commit message says "lookup plugin that does no flattening"23:37
mordredjlk: does with_items maybe flatten things?23:38
jlkyes, those are words23:38
mordredhahahaha23:38
jlkno, there is a with_flatten for that23:38
mordredI literally lol'd23:38
jeblairmordred, SpamapS, jlk: i think some of these filters are too aggressive -- the 'ansible_search_path' includes things like the playbook directory.  so you can say "lookup this csvfile which i distribute alongside the playbook" (or presumably role as well?).  those will be outside the working directory for some repos, but not others.23:46
jeblairweirdly, it's going to be the trusted-repos which won't be able to have playbooks which lookup data in files within their own repo23:46
jeblairuntrusted playbooks will23:46
jeblair(because the untrusted playbooks are located within the working dir, trusted ones outside)23:46
jlkthat's... weird?23:46
jlkDoes the path filtering not allow it to look within?23:46
jlkOIC23:46
jlkso, trusted would have to include "." in the search path?23:47
jlkfor whatever the workdir is?23:47
jeblairjlk: that (hopefully) won't work because it will still fail our "only access files within the work dir" check -- that's the filtering we are adding to these plugins.23:47
jeblairat any rate, i'm happy to continue with this for now and fix later if needed, since we're failing closed (the safer option), so to speak.23:48
jlkI think I get what you're saying23:48
jlkTrusted playbooks live outside the workdir, and may want to load something lazily from within their path. OUr filtering prevents loading anything outside the workdir23:49
jlkI approve of that stance, wait until something NEEDS that functionality to open it up carefully.23:49
jeblairexactly23:49
jeblairit's actually better than that.  trusted playbooks don't run with the restricted configuration, so even that shouldn't be a problem23:50
jeblairhowever, if this extends to roles, we may have problems.23:51
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: WIP test lookups  https://review.openstack.org/45439623:53
jeblairmordred: ^ it's EOD for me; if you want to continue that early tomorrow before i get up, be my guest.  or anyone else who wants to continue it tonight.  i was just planning on adding at least one test for each lookup plugin.23:54
jlkjeblair: I believe it goes into roles, searching for templates/files within the roles path23:54
jlkWhat is "Alarm clock" ?23:55
jeblairjlk: yeah, so then "trusted role run by untrusted playbook" would be the edge case i'm worried about.  but our handling of that is currently wrong anyway; i need to fix it up.  i think i'll be able to reason about it after i do that (tomorrow or when i return from vacation)23:55
jeblairjlk: it's the signal mechanism that the hard test timeout fixture uses to kill the running job23:55
jeblairer23:55
jlkalright. Honestly I haven't run across a lot of these lookups in the field though.23:55
jeblair'running test'23:55
jeblairjlk: yeah, i'm not going to lose sleep over it :)23:56
jlkheh23:56
jlkI wonder if I need to tmpfs this.23:56
jeblairjlk: i do.23:57
jlkwhat was the commadn for that?23:57
jeblairjlk: i also tmpfs zookeeper23:57
jeblairjlk: set "ZUUL_TEST_ROOT=/path/to/tmpfs" env var23:57
jeblairjlk: or i think TMPDIR will just work too.23:58
jeblair(i haven't verified that)23:58
jlktmpfs zookeeper?  Is that fairly easy?23:58
jeblairjlk: yeah, i mount another tmpfs on /var/lib/zookeeper.  just put it in fstab.23:59
« Wednesday, 2017-04-05 Index Friday, 2017-04-07 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!