Tuesday, 2017-05-23

rbergeronclarkb: ask mordred or shrews what happens when i eat seafood.... not sure tuna melts and gaggy are mutually exclusive00:13
rbergeron;)00:13
clarkboh right I recall something about fried fish because everything fried is awesome except not00:13
mordredclarkb: we thought "clearly fried calamari will be fine  - because fried - and also calamari isn't really seafood"00:14
mordredclarkb: not so much00:14
rbergeronusually giant tentacle chunks arent quite even calamari, are they?00:30
SpamapSI'm sure giant squid use those tentacles to capture small animals on dry land so, obviously, tentacle != Seafood00:54
*** jamielennox is now known as jamielennox|away01:54
*** adam_g has quit IRC03:07
*** adam_g has joined #zuul03:11
*** adam_g has quit IRC03:28
*** adam_g has joined #zuul03:31
*** adam_g has quit IRC03:43
*** adam_g has joined #zuul03:44
*** jamielennox|away is now known as jamielennox04:23
*** adam_g has quit IRC04:38
*** adam_g has joined #zuul04:41
*** jamielennox is now known as jamielennox|away05:11
*** jamielennox|away is now known as jamielennox05:51
*** isaacb has joined #zuul06:01
*** jamielennox is now known as jamielennox|away06:23
*** isaacb has quit IRC07:03
*** adam_g has quit IRC07:04
*** adam_g has joined #zuul07:04
*** hashar has joined #zuul07:19
*** DangerousDaren has joined #zuul07:21
*** clarkb has quit IRC07:30
*** clarkb has joined #zuul07:30
*** openstackgerrit has quit IRC08:18
*** bhavik1 has joined #zuul08:46
*** jasondotstar has quit IRC08:48
*** jasondotstar has joined #zuul08:51
*** bhavik1 has quit IRC09:08
*** hashar is now known as hasharAway09:42
*** Cibo_ has joined #zuul09:55
*** Cibo_ has quit IRC10:04
*** adam_g has quit IRC10:17
*** adam_g has joined #zuul10:18
*** jkilpatr has quit IRC10:40
*** smyers has quit IRC10:40
*** smyers has joined #zuul10:41
*** jkilpatr has joined #zuul10:57
*** adam_g has quit IRC11:01
*** adam_g has joined #zuul11:03
*** adam_g has quit IRC11:11
*** adam_g has joined #zuul11:12
*** GeppyZ has joined #zuul11:17
*** GeppyZ has left #zuul11:18
*** hasharAway is now known as hashar12:06
*** dkranz has quit IRC12:31
*** jamielennox|away is now known as jamielennox12:49
*** openstackgerrit has joined #zuul13:10
openstackgerritTobias Henkel proposed openstack-infra/zuul feature/zuulv3: Use ssh for git-upload-pack  https://review.openstack.org/43680213:10
openstackgerritTobias Henkel proposed openstack-infra/zuul feature/zuulv3: Use ssh for git-upload-pack  https://review.openstack.org/43680213:36
openstackgerritTobias Henkel proposed openstack-infra/zuul feature/zuulv3: Use ssh for git-upload-pack  https://review.openstack.org/43680213:43
*** rcarrillocruz has quit IRC13:55
openstackgerritMatthew Treinish proposed openstack-infra/zuul feature/zuulv3: Switch from testrepository to stestr  https://review.openstack.org/46607113:58
jeblairpabelanger, mordred: let me know when you're around to chat about ansible_log14:00
pabelangerjeblair: I have some time now14:00
*** dkranz has joined #zuul14:04
*** Cibo_ has joined #zuul14:13
*** rcarrillocruz has joined #zuul14:19
openstackgerritMatthew Treinish proposed openstack-infra/zuul feature/zuulv3: Switch from testrepository to stestr  https://review.openstack.org/46607114:26
pabelangerShrews: next question :) Is there any reason we don't have kazoo.client keep retrying connection attempts for zk?  http://paste.openstack.org/show/610461/14:27
mordredjeblair: morning! happy to talk about logs14:28
pabelangerseems we could use kazoo.retry.KazooRetry to keep retrying until a connection was made14:28
Shrewspabelanger: it should retry automatically.14:29
Shrewspabelanger: there may be a max retry policy we could adjust14:29
pabelangerShrews: yes, it retried x times and stopped14:29
pabelangerI'd be okay with it trying forever14:29
mordredShrews: I didn't add a unit test because you can't use mock on datetime.datetime (I did write one)14:30
jeblairmordred, pabelanger: yay we're all here!14:30
mordredShrews: oh - sorry, that was for other channel14:30
Shrewsmordred: no14:31
jeblairmordred, pabelanger: so pabelanger was noting that ansible_log is unreadable14:32
jeblairexample: http://zuulv3-dev.openstack.org/logs/473ba003bbb64297927e8b21641f5178/ansible_log.txt14:32
mordredoh - yah. that's  not great!14:32
jeblairi thought we had a thing so that we didn't dump the stdout as json thing, but instead streamed the console log from the worker into ansible_log line-by-line?14:33
Shrewsneat14:33
mordredah - that's not where the garbage is coming from14:34
mordredthe garbage is coming from us printing the "command" that was run14:34
mordredbut the command that was run was a long script block14:34
mordredso we should NOT print the command that was run14:34
jeblairmordred: i see some "changed" lines... isn't that the stdout-in-json thing?14:35
mordredor we should at the very least not print it if it's a script block14:35
mordredjeblair: right- that's the "task" reporting its results. so what it's saying is "I ran something (changed=True is always true for cmd tasks) and here is what I ran (cmd=)"14:35
mordredjeblair: for our cases, I do not believe we find that valuable14:36
jeblairmordred: oh, i see.  okay, though i think maybe we're printing both cmd and stdout?14:36
mordredjeblair: yes. we are14:37
mordredjeblair: so - two things to fix14:37
mordredin fact - I think maybe we should just not print result lines for cmd tasks14:37
jeblairhttp://paste.openstack.org/show/610464/14:37
mordredsince we log cmd tasks in our own way14:37
jeblairslightly reformatted json blob output ^14:37
jeblairmordred: there's some other stuff in there -- start, end, rc... can we keep those but elide the cmd, stdout, stderr stuff?14:39
mordredI don't think we need any of them because of the way we log all cmd/shell tasks14:39
mordredwell - ok - maybe rc is useful14:39
mordredso - let's just log start, end and rc if it's a cmd/shell task14:39
mordreddelta is time elapsed too14:40
jeblairya, delta is really nice actually :)14:40
jeblairmordred: honestly, i'm not sure cmd is that bad?14:40
*** Cibo_ has quit IRC14:41
mordredjeblair: cmd will include the entire test of any script block passed14:41
jeblairlemme go find that playbook14:41
pabelangerYa, having both will be helpful for debugging purposes14:42
jeblairhttp://git.openstack.org/cgit/openstack-infra/openstack-zuul-roles/tree/roles/openstack-info/tasks/main.yaml14:42
jeblairso i guess if we do that sort of thing, we'll end up with cmd blobs14:43
mordredjeblair: right. that's the content that's in the cmd parameter of that return dict14:43
jeblairmordred: i think you've convinced me.... after all, if we want to log that, we can 'set -x' it?14:43
mordredyah14:43
mordredso we need to add a v2_playbook_on_task_end method to zuul/ansible/callback/zuul_stream.py14:44
mordredthat strips things if it's a cmd output14:44
pabelangerya, set -x works for me14:45
jeblairmordred: is that plugin responsible for writing that data to the logs?  i thought there was a built-in callback plugin for that?14:46
mordredour zuul_stream callback plugin is a subclass of the default plugin14:46
mordredso the default plugin handles most of the things14:47
jeblairmordred: okay, so it is *the* output plugin, and it's performing all of the normal output plugin duties by inheritance, then also adding the streaming bits14:47
mordredyes14:47
jeblairgot it14:47
jeblairpabelanger: does that sound good to you?14:48
pabelangerjeblair: yes, works for me14:48
mordredk. I'm pushing that on to my stack real quick14:49
jeblairmordred, pabelanger: thanks!14:49
Shrewspabelanger: looks like *maybe* setting connection_retry={'max_tries': -1} in the KazooClient() object might do what you want there? just took a quick glance at the kazoo code though15:05
pabelangerShrews: yes, that is what I am going to test shortly15:05
jlkHello? Yes, it is morning.15:06
Shrewspabelanger: though the default seems to be None but i don't see immediately how that translates to anything15:06
Shrewsbut... meeting15:06
jlkjeblair: mordred: can one of you click the +w on the driver specific pipeline requirements change? I think we have enough votes.15:07
jeblairjlk: done15:08
jlkwoo. I'll be doing the rest of the rebase today (hopefully).15:08
openstackgerritPaul Belanger proposed openstack-infra/nodepool feature/zuulv3: Bump diskimage-builder dependency to 2.0.0  https://review.openstack.org/46728215:15
openstackgerritPaul Belanger proposed openstack-infra/nodepool feature/zuulv3: Bump diskimage-builder dependency to 2.0.0  https://review.openstack.org/46728215:15
Shrewssmyers: hi! dkranz said you were interested in nodepool things. welcome and feel free to ask any questions you may have about it here. :)15:25
smyerso/15:29
smyersI have a few questions, but right now I'm mainly interested in this "drivers" spec: https://review.openstack.org/#/c/461509/15:33
smyersI'm curious about how that might actually be implemented, especially with the openstack-centric provisioning currently going on. I'm also curious if it's expected to get merged. :)15:34
jeblairsmyers: yeah, i'll make it mergeable and put it on today's infra meeting agenda15:35
smyersIt looks like a great proposal, but...daunting.15:35
Shrewssmyers: I think the "how" is to be worked out by the folks implementing it. There are some others here (tristanC and tobiash maybe?) who I think are interested in that spec as well. Putting some heads together to work on a proposed API would be a good first step.15:37
*** DangerousDaren has quit IRC15:41
smyersOne question I have is if the version of nodepool that is being developed on the zuulv3 feature branch has an expected version. I'm tired of saying "The version of nodepool being developed on the zuulv3 feature branch".15:49
jeblairsmyers: i'd like to call it 3.0 to sync it with zuul.  though 1.0 is also an option :)15:49
Shrewsi vote for 42.015:50
jeblairsmyers: at any rate, if you say 'nodepool v3' we will definitely know what you're talking about.  (anything >=1 certainly means that branch)15:50
jeblairShrews: we should release 42.0 followed by 3.0.15:50
smyersYeah, I go back and forth between 1.0 and 3.0, and occasionally consider then disregard .5 because semver15:51
clarkbalso I don't think there is a single version. we've already released 0.4.0 off of code merged back into master from the zuulv3 branch15:51
pabelangerremote:   https://review.openstack.org/467300 Create zuul-base-jobs and zuul-jobs16:00
*** jkilpatr has quit IRC16:04
mordredjeblair, smyers, Shrews: in my brain part of the v3 effort is recognizing nodepool as a component of zuul ... if it wouldn't be even more disruptive, I'd suggest we rename the nodepool repo to 'zuul-nodepool'16:05
jeblairokay, nodepool drivers spec is green now and is on the infra agenda16:05
mordredjeblair: wot!16:05
mordredI mean "woot" - not "wot" as in "what???"16:05
jeblairmordred: wot you say??!?16:05
pabelangerShrews: So, have we documented how to decommission a nodepool-builder?16:06
pabelangerI guess we'd need different nodepool.yaml files for each server running16:07
pabelangerand stage removing images from the server we want to shutdown16:07
*** hashar is now known as hasharAway16:08
Shrewspabelanger: not that i'm aware of16:08
clarkbpabelanger: I think you can just turn off the service, wait two days (so images rotate out) then delete16:09
clarkbno need for config or anything16:09
pabelangerclarkb: I don't think so, because nb01 need to delete the images that are uploaded16:10
pabelangerif it is off, they linger16:10
Shrewspabelanger: wow, 467282 has all sorts of py35 fail16:11
pabelangerShrews: we still need to land topic:py3-nodepool patches16:11
clarkbpabelanger: yes would require a separate cleanup step16:11
Shrewspabelanger: ugh, i thought we had. guess i mixed it up with zuul16:12
pabelangerclarkb: ya, not sure I like the manual clean up16:13
pabelangerso16:13
pabelangerit would be cool if we could run nodepool image-build --builder=nb03.o.o fedora-25 and force the migration16:14
pabelangerthat should allow us to move images to a new builder16:14
clarkbthats what turning off the service gets you right? the images will move16:14
clarkbbecause 02 and 03 will build the necessary images and the ones for 01 will be marked delete (but won't actually delete because 01 isn't running)16:15
pabelangerforcing a rebuild will delete the originals however16:15
pabelangerright16:15
pabelangerOr add image-delete --force to have another builder delete them16:16
pabelangerI'll shutdown for now16:16
clarkbI think I like ^ since it more closely matches what you actually need16:16
clarkb(which is easy cleanup)16:16
pabelangerk, I'll look at --force option in a bit16:16
clarkbor even image-prune --force (delete all images marked delete regardless of "ownership")16:17
pabelangerya16:18
clarkbre using configuration transitions to implement it, I think we should avoid that because we've seen how that causes confusion around cleanup in the past. Like removing a provider16:19
clarkbI expect that a "turn it off then clean it up" process will be more approachable? but maybe not16:19
*** jkilpatr has joined #zuul16:20
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Strip unneeded cmd, changed, stdout and stderr from results  https://review.openstack.org/46731016:29
mordredjeblair, pabelanger: ^^ that should fix the logs. I also left a note for a future improvement - but I need to jump on a call now so I left it for later16:30
jeblairmordred: cool, left a couple comments16:37
jeblairi've managed to catch the py3 repo leak issue locally once.  i don't think it's related to any github stuff -- i've seen it hit other tests too.  it's probably just the order testr is running them in.16:38
jlkwhew!16:39
jlkand boo16:39
clarkbjeblair: did you see my comment about trying to pry more debugging info out of gc on the change?16:41
jeblairclarkb: nope, i'll go look16:41
jeblairclarkb: ah good ideas16:42
jeblairclarkb: i had added a __del__ monkeypatch too, but i worry the log line i put in there is perhaps slowing things down enough for it to actually work; i haven't repro'd since then16:43
* SpamapS shakes head at weird lockup caused by ssh-agent patches :-P16:43
jeblairi'll undo that and try the gc ideas16:43
pabelangerclarkb: not sure if you've seen: https://review.openstack.org/#/c/467282/ bumps DIB to 2.0.0 to get virtualenv logic out of nodepool16:43
clarkbpabelanger: I hadn't, approved16:44
*** bhavik1 has joined #zuul16:47
openstackgerritMerged openstack-infra/nodepool feature/zuulv3: Bump diskimage-builder dependency to 2.0.0  https://review.openstack.org/46728216:48
openstackgerritPaul Belanger proposed openstack-infra/nodepool feature/zuulv3: Fetch server console log if ssh connection fails  https://review.openstack.org/45249416:54
*** harlowja has joined #zuul16:56
pabelangerclarkb: we could port ^ to master also. I decided to do feature/zuulv3 because of recent config changes16:57
*** Cibo_ has joined #zuul16:59
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Temporarily(?) add some debug statements around git repo creation  https://review.openstack.org/46681017:04
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: DNM: py3 race test change  https://review.openstack.org/46732417:05
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: DNM: py3 race test change  https://review.openstack.org/46732517:05
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: DNM: py3 race test change  https://review.openstack.org/46732617:05
* jeblair starts firing a zuul cannon at the problem17:06
*** bhavik1 has quit IRC17:16
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Add default-branch property to projects  https://review.openstack.org/46733417:20
*** adam_g has quit IRC17:21
*** adam_g has joined #zuul17:22
*** tobiash_ has joined #zuul17:30
*** adam_g has quit IRC17:30
*** adam_g has joined #zuul17:31
jeblair8 out of 8 builds with the extra debugging passed, so it seems like it's very sensitive to timing.17:36
jeblairi'll disable automatic gc before we start the check17:36
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Temporarily(?) add some debug statements around git repo creation  https://review.openstack.org/46681017:38
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: DNM: py3 race test change  https://review.openstack.org/46732417:38
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: DNM: py3 race test change  https://review.openstack.org/46732517:38
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: DNM: py3 race test change  https://review.openstack.org/46732617:38
jlkjeblair: in gerritmodel, what's the purpose of deepcopying the required_approvals in order to tidy them?17:40
Shrewshrm, daemon lib doesn't seem to play nice with asyncio servers17:41
Shrewsthat makes me sad17:41
jlkI'm sure it's a basic thing that I'm ignorant to17:41
jlkoh, you copy them to a holder for printing them out17:42
jlkand then you manipulate the existing ones for machine reasons17:42
jeblairjlk: the tidy method modifies them in place, so i don't want to modify the passed-in argument17:42
jeblairjlk: and yes to the rest of that17:43
jlkthanks.17:43
jlkand what's the basic idea behind tidying them?17:44
jlkmaking the values real regex things, or time_to_seconds things?17:44
Shrewsmordred: i don't suppose in your autobahn explorations that you saw any examples of daemonizing a server, did you?17:46
Shrewsguess i'll try manual fork/pid stuff17:53
*** Cibo_ has quit IRC17:57
clarkbShrews: thats odd, daemon lib doesn't really touch threading?18:03
Shrewsclarkb: i don't think it has to do with threading18:03
clarkbShrews: is it closing some file descriptor it shouldnt?18:04
Shrewsthe asyncio event loop seems to not work correctly18:04
*** jkilpatr has quit IRC18:06
tobiash_Shrews, smyers, tristanC: the drivers spec is definitely something I would like to work on, but I don't think I have time for this next week. The two weeks after that I'm on vacation. So I think I could start working on that in about 3-4 weeks if nobody started this until then.18:06
*** jkilpatr has joined #zuul18:07
clarkbShrews: ya I'm guessing its closing some file that asyncio is opening to run the eventloop18:07
clarkbShrews: since daemonization includes closing all the fds18:07
clarkbShrews: you can whitelist fds with the daemon lib if you can find the fd18:08
SpamapSwow that was stupidity...18:10
SpamapSapparently if you save your SkyMiles # in your password manager with a space at the end.. delta.com started rejecting it yesterday18:10
SpamapSgreat coding folks!18:10
jeblairtobiash_: thanks, that helps with planning.18:12
jeblairjlk: yes to both of those -- basically compiling it ahead of time for quick evaluation later18:12
tobiash_jeblair: I saw in the logs that there was some discussion about the start-reporting on unmanaged projects (https://review.openstack.org/#/c/455711/)18:31
tobiash_jeblair: was there some consensus how to proceed with this topic?18:32
jlkjeblair: I spot something I see that may be logic counter to what the comment says, and I'd like you to check my thoughts on this.18:47
jlknope, I think I get it.18:49
*** adam_g has quit IRC18:57
jeblairtobiash_: i don't have a great solution to all of the issues.  i think your patch is an improvement and i'm leaning toward thinking we should merge it, and see if we can further improve things later.18:58
tobiash_jeblair: sounds reasonable18:59
*** adam_g has joined #zuul18:59
tobiash_did I hit the earliest point in time where zuul knows that there are jobs to run (at least that was my intention)?19:00
*** tobiash_ has quit IRC19:19
jeblairtobiash: i think so; i'll double check when i review more closely19:57
jeblairclarkb, jlk, SpamapS: with enough debugging to be useful, i can't get the py3 race to happen :(19:58
jeblairi'm starting to think we should just disable the leak check19:58
clarkbugh the best kind of bug19:59
jlkouch20:07
SpamapSdoesn't py3 offer _better_ cycle detection and thus it's supposed to clean up more things?20:12
SpamapSah unless the objects have __del__ methods20:14
SpamapSjeblair: it's entirely possible this is just a wild goose chase and there's a timing problem where the order of refcount decrementing of a git.Repo and its references in py3 means it simply can't be gc'd20:15
jeblairSpamapS: i think in py3 everything should be able to be gc'd, but yes, i think the order/timing here might be causing a delay.  there *is* a __del__ method which i think triggers the new behavior in pep 44220:19
SpamapSChanged in version 3.4: Following PEP 442, objects with a __del__() method don’t end up in gc.garbage anymore.20:19
SpamapSyerp20:19
jeblair(i'm genuinely surprised that disabling the gc before we perform our check somehow caused the bug to not appear though)20:20
jeblairi thought that would make it more reliably appear20:20
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Add override-branch property to job repos  https://review.openstack.org/46737520:21
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Rename 'repos' job attribute to 'required-projects'  https://review.openstack.org/46737620:21
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Rename 'repos' job attribute to 'required-projects'  https://review.openstack.org/46737620:21
*** jkilpatr has quit IRC20:22
SpamapSjeblair: the mysteries of gc behavior have never sat well with me. *cough*rust*cough*20:22
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Add override-branch property to job repos  https://review.openstack.org/46737520:29
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Rename 'repos' job attribute to 'required-projects'  https://review.openstack.org/46737620:29
*** harlowja_ has joined #zuul20:32
*** harlowja has quit IRC20:33
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Add driver-specific pipeline requirements  https://review.openstack.org/46610520:37
SpamapSjlk: just to repeat over here.. it looks like bwrap may not work, even with a USER_NS capable kernel, from inside a container. :(20:44
SpamapSwhich is what I thought was one of the main awesome features of bwrap20:45
jeblairmordred: fyi ^20:46
SpamapSroot@4c49ba0b0b9a:/# ssh-agent /home/zuul/zuul/.tox/py27/bin/zuul-bwrap  ~/tmp/work_dir ~/tmp/ansible_dir /bin/bash20:46
SpamapSNo permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.20:46
jeblairSpamapS: do you think that's closer to "temporary bug" territory or "fundamental design problem"?20:46
SpamapSuserns_clone is == 1 and that command works fine on the host OS without being inside a docker container.20:46
SpamapSjeblair: I'm hoping it's a temporary impedance mismatch between docker and the kernel that just grew these capabilities.20:47
SpamapSbut I'm still reading.20:47
jeblairk20:47
SpamapSdocker does some lockdown, and it may just be standing in the way because it's new.20:47
jlkSpamapS: what if that outer container is a privileged container?20:47
SpamapS# strace -f /home/zuul/zuul/.tox/py27/bin/zuul-bwrap  ~/tmp/work_dir ~/tmp/ansible_dir /bin/bash20:48
SpamapSstrace: ptrace(PTRACE_TRACEME, ...): Operation not permitted20:48
SpamapSI can't strace to find out what call is even failing. :-/20:48
SpamapSjlk: that's exactly what I'm testing now20:48
jlkyeah that's what I would think to start with, that the capabilities extended to the process (container) is too minimal20:48
SpamapSof course, I was dumb, and did this without a Dockerfile, so having to build a new one :-P20:48
jlkalso sounds like we're on new and novel territory20:48
SpamapSjlk: question is, do people who like to run things in containers, think its ok to give zuul-executor a privileged container?20:48
jlkwell20:49
jlkprivileged is like a wide swath, it's possible we could discover and narrow down to the exact permission we need to give it20:49
jlkWe'd still run zuul as non-root inside the container20:49
jlkthe extra rights would matter if somebody breaks out of zuul and escalates to "root" inside the container20:50
SpamapSescalates out of ansible, and bubblewrap ;)20:51
SpamapSI'm more wondering like, if I'm using BlueMix's kubernetes.. are they going to be able to give me a privileged container?20:51
jlkwell20:51
jlkyes20:51
jlkah.20:51
jlkI have no idea20:51
jlkbut we need a privileged container for disk-image-builder anyway20:52
SpamapSdid you get that working?20:52
jlkyes20:53
SpamapSsweet20:53
jlkNot to the point of testing the booted image in openstack, but nodepool at least built the image and booted the VM20:53
SpamapSwow.. I just wrote a Dockerfile that worked on the second try :-P20:53
* SpamapS thinks maybe this Docker thing has legs20:54
jlkwhich was the blocking point for getting a noop job to "execute"20:54
jlkhahah20:54
jlkyeah, I've been really pleased with the utility of it20:54
SpamapSyay20:57
SpamapSzuul@74951e87609f:~$ ssh-agent /usr/local/bin/zuul-bwrap ~/tmp/work_dir ~/tmp/ansible_dir /bin/bash20:57
SpamapSbash-4.4$20:57
SpamapSso yeah, --privileged fixes it20:57
SpamapSjeblair: ^20:57
* SpamapS breathes sigh20:59
jeblairSpamapS: so the container version of "sudo make me a sandwich"20:59
SpamapSjeblair: indeed20:59
SpamapScan try every iteration of this https://docs.docker.com/engine/reference/run/#security-configuration21:00
SpamapSguessing seccomp is the culprit21:01
SpamapSand we just need to whitelist the ones bwrap needs to make21:01
SpamapSbut this is a bit rabbit hole-y at the moment21:01
* SpamapS has confirmed.. things work more or less the way they should21:01
SpamapSon zesty :)21:02
clarkbbeing able to create nested namespaces is something that has to be allowed iirc21:02
clarkbI wonder if its as simple as that?21:02
pabelangeris ssh-agent running bubblewrap in that example above?21:02
SpamapSclarkb: oh is there maybe a specific flag for that?21:02
SpamapSpabelanger: it is21:02
SpamapSzuul-bwrap picks up SSH_AUTH_SOCK from the environment21:03
SpamapSwhich I thought would be the most operator friendly thing for testing21:03
clarkbSpamapS: https://success.docker.com/KBase/Introduction_to_User_Namespaces_in_Docker_Engine21:03
clarkbalso I love that fqdn21:03
SpamapSsince you can start your own ssh-agent and load keys to test21:03
SpamapSclarkb: what's at fail.docker.com ? ;-)21:04
jlkthe whale21:05
*** harlowja_ has quit IRC21:05
SpamapSso, we can get the zesty kernel on xenial just by apt installing linux-image-extra-4.10.0-21-generic - Linux kernel extra modules for version 4.10.0 on 64 bit x86 SMP21:05
SpamapSok, I've confirmed that it's possible. Back to debugging ssh-agent code. :-P21:06
jlkhttps://vangogh.teespring.com/og_pic/2251813/2393336/front.jpg?v=2015-04-28-04-07&background-image=wood&effects=inner-glow21:06
SpamapSyeah they have a stupid robot now when it breaks21:08
*** harlowja has joined #zuul21:08
jlkquestion for the bike shed aficionados21:09
jlkwhen declaring a pipeline requirement for a github review state21:09
jlkwe've got, username, type (approved, comment, etc), newer-than, older-than, email, and "permission" or "permissions" (to indicate the review needs to be somebody with write access).21:10
jlkpossible values for permission(s) are ('write', 'read')21:10
jlkany preference on "permission" vs "permissions" ?21:10
SpamapSjlk: do they logical AND/OR together?21:21
SpamapSor is it an enum?21:21
SpamapSif enum, then permission. if logical, permissions21:21
jlkThey OR21:21
SpamapSthey OR but there's two? so mentioning both is like not mentioning any?21:22
*** dkranz has quit IRC21:23
jlkwell, if you have write, you implicitly have read21:23
jlka user submitting a review can have either read or write perms.21:24
jlkso if you want to allow reviews from _anybody_ you'd have to list both read and write perms.21:24
jlkotherwise we'd have to do weird things inside zuul to say if you mark read, also allow write?21:24
jlkactually. hrm.21:24
jlkYou _have_ to have read to leave a review21:25
jlkso maybe it only makes sense to have a single option for permission: write?21:25
jlkor some other way of expressing a boolean?21:25
jlkjeblair: what are your thoughts here?21:25
SpamapSjlk: if I say 'permission: read' wouldn't that imply writers too?21:35
jlkthat's what makes it odd21:36
jlkWhat I think I'm trying to account for is whether or not you want to require write access to trigger the pipeline21:37
SpamapSI think it makes sense. In that.. I understand that writers automatically get read. Only Unix does this explicitly ;)21:37
jlk+2 vs +121:37
jlkso you think that permission: should be an enum, that would accept either 'read' or 'write'.21:38
jlkand we document that people with write count for 'read'21:39
SpamapSjlk: it makes logical sense to me. I'd definitely like to hear counter arguments. :)21:43
*** jkilpatr has joined #zuul21:44
jeblair(incidentally, 'read' and 'read-write' might be good enum names to make that clear; not sure how divergent from github terminology that is though)21:44
jlkgithub has 'admin', 'write', 'read', 'none'21:47
jeblairjlk: generally (and if this isn't consistent, it might be nice to clean it up before 2.0), if something can take more than one value, we make the key plural (even if the value can be supplied as a singleton).  example: "branches: stable" "branches: [stable, master]" are both valid.  so, yeah, if enum, 'permission', if scalar_or_list, 'permissions'21:47
*** jroll has quit IRC21:47
jlkwe're mapping 'admin' and 'write' to just 'write'21:47
*** jroll has joined #zuul21:47
*** jroll has quit IRC21:49
jlkI suppose we could support read, write, and admin levels21:49
jlkthe enum would be one of those three21:49
jeblairso far, they seem like a strict hierarchy21:50
*** jroll has joined #zuul21:53
*** hasharAway has quit IRC22:11
*** Cibo_ has joined #zuul22:45
* SpamapS adds more debugs to try and find weird race in ssh agent code :-P22:53
*** tristanC has quit IRC23:17
*** adam_g has quit IRC23:32
*** adam_g has joined #zuul23:33
