Wednesday, 2017-07-12

« Tuesday, 2017-07-11 Index Thursday, 2017-07-13 »
jeblairjamielennox: i proposed a followup to your ssh fix which merged: https://review.openstack.org/48273500:11
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Add docs for web server component  https://review.openstack.org/48263000:13
jamielennoxjeblair: cool, yea that makes sense just starting it where everything else is started00:14
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Add link to Zuul v3 docs to the README  https://review.openstack.org/48234900:14
jamielennoxi wasn't sure why ssh was started outside of the main job00:14
jeblairjamielennox: yeah, i don't know of a reason.  but if there is one, we should totally put it back with a note.  :)00:15
jeblairSpamapS: ^00:15
jamielennoxadding that finish_job seems strange, i would have expected that to be run there somewhere already00:15
jeblairjamielennox: oh, we should probably add a note to the run method saying "hey, put stuff in execute because of the handler + finishjob"00:16
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Fix ZuulWeb() invocation  https://review.openstack.org/48232100:19
openstackgerritMonty Taylor proposed openstack-infra/zuul-jobs master: Use package module to install bindep packages  https://review.openstack.org/48258400:29
openstackgerritMonty Taylor proposed openstack-infra/zuul-jobs master: Simplify bindep logic removing fallback support  https://review.openstack.org/48265000:29
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Move ssh-agent cleanup into existing exception handler  https://review.openstack.org/48273500:30
* SpamapS looks00:50
SpamapSjeblair: not sure I understand the ^ :-P00:51
*** dkranz has quit IRC00:51
jamielennoxSpamapS: i think because you added the ssh-agent stuff, is there a reason the setup exists outside the thread00:54
SpamapSjamielennox: so that you can get the pid of the ssh-agent in the main thread and kill it whether the thread returns or not? I'm kind of guessing.00:56
jamielennoxSpamapS: yea, i think it's just something that got put there rather than a specific reason for it00:57
jamielennoxthere's a finally handler on the thread loop that should be able to do the cleanup00:57
openstackgerritJamie Lennox proposed openstack-infra/zuul feature/zuulv3: Remove isJobRegistered  https://review.openstack.org/48275501:00
SpamapSjamielennox: ehhh.. finally doesn't happen if the thread is blocking ;)01:09
jamielennoxin this case it's a failure cleanup thing so i don't know if we'd want to do anything if the thread is still active01:10
jamielennoxbut anyway have a look at https://review.openstack.org/482735 and see if it's an issue01:10
SpamapSThreads will still be active if they get stuck on a blocking syscall. It's part of the hazard of threads.01:17
SpamapSBut we don't want to just sit and wait for SIGKILL if we can avoid that.01:17
SpamapS01:36
jamielennoxwhere is the base job for openstack coming from atm?01:51
jamielennoxdid you ever figure out how to rsync logs out of the executor? this seems to be harder if there is going to be run inside bwrap with only the job ssh key01:52
jamielennoxoh, nvm its still in project-config01:55
mordredjamielennox: yah - it's in project-config - althought the plan is to move it to zuul-jobs02:14
mordredjamielennox: and yah - we've got our rsync-ing logs currently - working great!02:14
mordredjamielennox: the "add_host" is the thing in there that makes it need to be defined in a trusted repo02:15
jamielennoxmordred: it seems like it just copies them into /srv/static/logs ?03:43
*** isaacb has joined #zuul06:25
*** isaacb_ has joined #zuul06:32
*** isaacb has quit IRC06:33
*** openstackgerrit has quit IRC06:48
*** isaacb_ has quit IRC07:31
*** MaciekW has joined #zuul08:11
MaciekWHello, how can I abort/stop already running zuul jobs? I am using zuul 2.5.2. I found a script at https://github.com/zaro0508/gearman-plugin-client/blob/master/gear_client.py but it doesn't stop the jobs08:14
tobiashMaciekW: I know of the following possibilities: 1. abort in jenkins, or 2. Abandon/rebase the change triggers abort/abort+reenqueue08:31
MaciekWtobiash: but unfortunately the problem refers to post jobs - we have many hanging post jobs at zuul queue - on zuul status page they are present but jenkins jobs have already finished08:39
MaciekWtobiash: we don't know why this happens08:39
tobiashMaciekW: I think in this case you would need to restart gearman or zuul (at least I did in such cases)08:40
*** openstackgerrit has joined #zuul08:53
openstackgerritTobias Henkel proposed openstack-infra/zuul master: Case sensitive label matching  https://review.openstack.org/48285608:53
MaciekWtobiash: If I will restart gearman on particular jenkins host all jobs will be restarted right?08:53
MaciekWtobiash: I mean all jobs handled by this particular jenkins host08:54
tobiashMaciekW: I don't think so08:54
tobiashMaciekW: you should do this in a time slot where no otehr jobs are running (or retrigger them manually afterwards)08:55
tobiashMaciekW: (when restarting gearman server and/or zuul)08:56
tobiashMaciekW: when restarting jenkins only the behavior depends on how you did restart it08:56
MaciekWtobiash: I meant to restart only gearman plugin on jenkins, maybe it will send some signal to gearman daemon/zuul08:58
tobiashMaciekW: you also should do this only if no important jobs are running on this jenkins08:58
tobiashMaciekW: I don't know how zuul handles this case but it can be that these jobs are marked as failed then08:59
tobiashjeblair, mordred, clarkb: backported to master: https://review.openstack.org/#/c/482856/09:01
MaciekWtobiash: ok, I will try it, however it would be great to have a scirpt that can abort signle zuul/gearman job without affecting others09:02
tobiashMaciekW: zuul 2 will be superseeded by zuulv3 later this year which works pretty different then (not sure if that already exists for v3)09:04
MaciekWtobiash: ok, thanks for info09:05
mordredjamielennox: +3'd https://review.openstack.org/#/c/482755 but with note09:14
*** isaacb has joined #zuul09:17
openstackgerritMerged openstack-infra/nodepool feature/zuulv3: Add support for custom ssh port  https://review.openstack.org/46875209:22
openstackgerritMerged openstack-infra/nodepool feature/zuulv3: EOL ubuntu-precise for dsvm job  https://review.openstack.org/48261309:24
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Remove isJobRegistered  https://review.openstack.org/48275509:25
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Add job dependencies to status.json  https://review.openstack.org/48206109:37
*** isaacb has quit IRC10:06
*** isaacb has joined #zuul10:09
*** isaacb has quit IRC10:10
*** isaacb has joined #zuul10:12
*** isaacb has quit IRC10:18
openstackgerritJamie Lennox proposed openstack-infra/zuul feature/zuulv3: Remove function_cache variables from executor client  https://review.openstack.org/48289010:22
mordredjamielennox: thanks!10:40
pabelangermorning10:43
*** xinliang has quit IRC10:48
*** xinliang has joined #zuul11:01
mordredmorning pabelanger !11:03
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Avoid using apt-add-repository  https://review.openstack.org/48268311:03
*** jkilpatr has quit IRC11:06
openstackgerritPaul Belanger proposed openstack-infra/nodepool feature/zuulv3: Add support to test fedora-26  https://review.openstack.org/48256811:07
pabelangermordred: I seen you abandoned the configure-mirror in zuul-jobs, does that mean we are just using openstack-zuul-jobs now for it?11:07
mordredpabelanger: yah - you already added it there, right?11:10
mordredpabelanger: oh - crappit11:11
pabelangermordred: https://review.openstack.org/#/c/473845/11:11
mordredpabelanger: sorry - I was too tired :)11:11
pabelangerstill need to land it in openstack-zuul-jobs if we want it there11:11
mordredno - my brain thought we'd already landed it11:11
mordredand I thought that was the leftover patch :)11:11
pabelangerAh11:11
mordredpabelanger: just restored11:11
pabelangerack11:12
mordredthanks for the catch11:12
mordredlet's get that landed :)11:12
pabelanger++11:12
pabelangermordred: https://review.openstack.org/#/c/482655/ should be an easy review for zuul-jobs11:20
pabelangeradd verify_host for synchronize commands, since we have known_hosts setup11:21
*** isaacb has joined #zuul11:25
openstackgerritMonty Taylor proposed openstack-infra/zuul-jobs master: Remove default value for mirror_host  https://review.openstack.org/48291511:26
openstackgerritMonty Taylor proposed openstack-infra/zuul-jobs master: Replace hand-written slug with ansible_managed  https://review.openstack.org/48291611:26
*** isaacb has quit IRC11:28
openstackgerritMonty Taylor proposed openstack-infra/zuul-jobs master: Remove openstack-doc-build from zuul-jobs  https://review.openstack.org/48292111:29
openstackgerritMerged openstack-infra/zuul-jobs master: Enable verify_host for synchronize  https://review.openstack.org/48265511:32
openstackgerritMerged openstack-infra/zuul-jobs master: Remove openstack-doc-build from zuul-jobs  https://review.openstack.org/48292111:36
*** jkilpatr has joined #zuul11:42
*** isaacb has joined #zuul11:51
*** isaacb has quit IRC12:00
*** isaacb has joined #zuul12:01
tobiashmordred: is there a common expectation here about the naming of the ansible template files (regarding the .j2 postfix)12:09
tobiashmordred: I personally don't use the .j2 postfix in my ansible projects as this makes syntax highlighting in editors much better (and all files in <role>/templates would anyway have this suffix)12:10
openstackgerritPaul Belanger proposed openstack-infra/nodepool master: Support fedora-26 for nodepool dsvm job  https://review.openstack.org/48294212:14
pabelangertobiash: Ya, I tend to use .j2 for templates myself. Only to help identify them more12:17
pabelangerI know some other roles I use tend to do that too12:18
pabelangerbut .j2 is optional12:18
tobiashpabelanger: ok, I'm flexible in this regard (personally I don't use .j2 because it breaks syntax highlighting and has no real information benefit for me)12:20
pabelangertobiash: also note, .j2 is listed in most ansible example for documentation: https://docs.ansible.com/ansible/playbooks_lookups.html I say most, because there are times where they do omit it12:22
pabelangerI also find it a little eaiser when looking at playbooks, anything that ends with .j2 tends to live in template folder when searching for things12:23
tobiashyeah, that's true12:27
mordredtobiash, pabelanger: I don't have an opinion one way or the other, actually - whatever everyone else thinks is a good idea12:28
tobiashmordred, pabelanger: we just should do it consistent so best to follow pabelanger in this regard12:30
mordredkk12:30
*** olaph has quit IRC12:40
*** persia__ has joined #zuul12:40
*** rfolco has quit IRC12:41
*** persia has quit IRC12:41
*** fbouliane has quit IRC12:41
*** fbouliane has joined #zuul12:42
*** rfolco has joined #zuul12:42
*** MaciekW has quit IRC12:50
tobiashmordred, jeblair: what do you think about the ability to restrict some connections to certain tenants?12:51
tobiashmordred, jeblair: I'd have a use case for separating more confidential repos from the rest with different connections, users, etc.12:52
tobiashmordred, jeblair: ah, I think that would also work today already as jobs only can request repos from its own tenants right?12:54
mordredtobiash: yes - that is correct12:55
mordredtobiash: now - it's worth pointing out that there may still be some holes in tenant confidentiality ...12:56
*** xinliang has quit IRC12:56
mordredfor instance, we do not have any way to restrict a user from streaming the build log for a job in another tenant currently12:56
*** xinliang has joined #zuul12:57
mordredtobiash: so depending on HOW confidential the repos are you may want to be careful - but also figuring out what use cases you have for the restrictions would be good12:57
tobiashmordred: yeah as the console streaming endpoint is not tenant separated12:57
mordredtobiash: although it's an obscurity thing - you can restrict status.json output by tenant (or, you can filter it by tenant and you can put web-server protections on the restricted tenant's status)12:58
tobiashmordred: yeah I was told that it is that super confidential that they even want volume encryption in the inhouse hosted scm12:58
mordredtobiash: so a user would have to guess the uuid of a build for the restricted jobs12:58
*** dkranz has joined #zuul12:59
openstackgerritDavid Shrewsbury proposed openstack-infra/zuul feature/zuulv3: Cleanup components doc  https://review.openstack.org/48263612:59
tobiashmordred: thinking about that it would be probably a good idea to just have a separate deployment for that12:59
mordredtobiash: I would love for our isolation to be able to handle that - I believe the in-zuul restrictions (other than console-log) are pretty solid - and the other places that are per-tenant are actually in job config - things like log publishing13:00
mordredtobiash: so doing an audit of places where info might leak would be worthwhile- perhaps we should tenant-isolate console-stream so that you could similarly lock it down in apache13:00
tobiashmordred: so maybe it makes sense to supply a streaming endpoint per tenant?13:00
mordredyah13:00
mordredthat would be consistent with the other endpoints too13:00
mordredShrews: ^^ making more work for you13:01
Shrewsjoy13:02
mordredShrews: so - there's a thing with the endpoints in the old webap13:05
mordredShrews: that they support being prefixed with tenant name13:05
mordredShrews: I think the suggestoin would be to add the same thing to console-stream13:06
mordredShrews: so that you'd have /openstack/console-stream - and the 'openstack' part would be passed in as a parameter to the handler13:07
mordredShrews: (you can put variables in aiohttp routes for this kind of thing)13:07
mordredShrews: then, in the apache proxy impl we do, we'll point zuulv3.openstack.org/console-stream to 127.0.0.1/openstack/console-stream13:08
mordred(that's actually what we're doing for the status page today)13:08
mordredShrews: the follow up question would be - when you do the gearman call to get the log information for the given buildid - can you verify that the build matches the tenant from the url13:08
Shrewsmordred: yup13:09
Shrews1 sec13:09
Shrewsmordred: https://github.com/openstack-infra/zuul/blob/feature/zuulv3/zuul/rpclistener.py#L18513:10
Shrewsso we'd have to pass the tenant in along with the uuid13:10
Shrews(assuming that sched.abide.tenants.values() contains the tenant name)13:11
mordredShrews: yes13:12
Shrewsmordred: but rather than backtrack and change all the things, i'd rather finish the static page serving first. Then go back and add tenant support across the board.13:13
mordredShrews: ++13:13
mordredShrews: fwiw, app.add_route('GET', '/{tenant}/console-stream') and then request.match_info.get('tenant') in _handleWebsocket13:16
mordredis the magic cantrip13:16
Shrewsmordred: you know, we don't have any sort of protection at the finger protocol level13:18
Shrewsmordred: if they know the uuid and executor, anyone can stream any log13:19
tobiashShrews: that doesn't need to be published to the outside world13:19
Shrewstobiash: mordred wants the finger uri displayed13:19
*** isaacb has quit IRC13:19
Shrewswhich i think is valid. we have the finger protocol in place for people to use, if they wish13:20
tobiashShrews: we maybe should make it configurable which urls we want to display13:20
Shrewssecurity through obscurity is not really secure13:22
tobiashShrews: well in my deployment the executors are not directly accessible from outside so the finger urls wouldn't work anyway for me13:23
tobiashbut sure, hiding the finger url doesn't make sense if the executors are public13:24
*** isaacb has joined #zuul13:28
Shrewsoh neat, my docs change caused tox-py35 to fail many tests13:28
ShrewsSo, this whole tenant url thing has to be only about filtering, not security, because we just don't have the mechanisms in place to do that (and I think would be a much bigger change). If that's ok, then I can proceed with mordred's suggestions. If it is about security, we need a lot more thought put into it.13:32
SpamapSShrews: I think finger should probably be firewalled if we're saying "if you want security on logs, -> webserver security"13:34
SpamapSIt would make a lot of sense to make the log streaming URL have a tenant component so that webserver security fronting makes sense.13:34
SpamapSso much sense :-P13:34
tobiashShrews: I'm not sure if I miss something but I think a combination of tenant filtering and handling the authorization/authentication path based outside would be a good combination13:35
* tobiash is too slow on typing ;)13:35
fungiright, multi-tenant finger just isn't going to be secure on its own13:36
fungias there's no authentication in the protocol13:36
fungiat least not secure from a privacy perspective13:36
fungibut also, it's not encrypted, so any privacy layers there would be illusory anyway13:37
ShrewsSpamapS: right, you need to do the webserver security stuff. but we also have to point out to users that steps need to be taken by the admin to effectively disable the finger protocol access13:37
mordredSpamapS, Shrews, fungi: yes - it's just about filtering - security at this point is up to a deployer at the apache/firewall level13:38
mordredwhich is one of the reasons to root the url endpointswith /{tenant} - to make it easy for a deployer to proxy or not proxy to a given sub-url range13:38
pabelangerwss for websockets could be a thing in apache / nginx13:39
Shrewsmordred: cool, filtering is easy.13:39
fungialso, probably best not to refer to that aspect as "security" but rather "privacy"13:39
mordredfor instance, we do this: https://github.com/openstack-infra/system-config/blob/master/manifests/site.pp#L122613:40
Shrewsfungi: yes, privacy is mo betta13:40
mordredin infra - which makes zuulv3.openstack.org/status return 127.0.0.1/openstack/status - so there's no path for a user to override that13:40
fungipublic finger should be plenty "secure" as long as it does what it's designed for and only what it's designed for. it may not be "private" but that's a separate issue13:40
mordredfungi: ++13:40
pabelangerfungi: ++13:40
tobiash++13:41
mordredfungi, Shrews: when we get the finger multiplexor - maybe we can add a deployment option to restrict it by tenant - so similar to the apache config a deployer could run a finger gateway for a specific tenant on a given host13:41
mordredso that we can empower deployers who wan to expose finger but also want private tenants to run a finger daemon on like "finger.openstack.org" that would only proxy finger requests for the openstack tenant13:42
mordredbut that's future thinking - for now blocking finger and doing webserver url limiting is the correct choice for folks who need privacy13:42
mordredwe may want to add a note about that to the docs too :)13:43
fungiyes, a proxy could implement that13:43
Shrewsmordred: i was thinking we could have finger uuid:tenant:logfile@zuul-web.o.o since the logic is pretty much already in place in that thing13:43
Shrewserm, port would be an issue. nm13:44
fungior the interface itself could do complex things like only allow queries for specific tenants on specific sockets/interfaces and then actual privacy could be added at the network layer13:44
fungiif we wanted to have that possible via raw finger protocol13:44
fungibut it would be complicated to implement13:44
mordredfungi: right- that's why I was thinking just allow peope to run more than one daemon if we get to the point where we want to do htat13:47
mordredI think getting the tenant stuff in the urls for now is the more pressing and more likely to be used thing13:48
fungifull agreement13:48
mordredI suppose we could also just make a tenant white/black list for the finger daemon and have it refuse to stream logs for builds that are associated with tenants on the blacklist - or only to serve them for tenants on the whitelist13:48
mordredthat shouldn't be terrible - the finger daemon already has to look up information about the build- verifying the build's tenant is 'ok' to stream should be not-terribly hard13:49
fungithat would probably be reasonably trivial for someone to implement if they need it, yes13:49
mordredyah13:49
mordredfungi: well - thining about us - I know we want to provide finger - but also wold love to use tenant isolation perhaps to deal with security patches better - so it might be a simple way to allow us to configure our finger service to only serve logs for the openstack tenant13:50
fungimordred: i can see how it might fit into an overall design for testing embargoed vulnerability fixes, but that bit of the solution is probably one of the easier parts when looking at the whole of what we would need for private review and testing14:06
fungigranted, some of the distributed/synchronized design for upcoming gerrit releases may solve the harder parts14:07
mordredfungi: ++14:07
fungi(of running a separate private gerrit which has up to date copies of things in your public gerrit)14:07
openstackgerritTobias Henkel proposed openstack-infra/zuul feature/zuulv3: Correct run job parameter documentation  https://review.openstack.org/48297714:15
*** mnaser has joined #zuul14:35
mnaserwould zuulv3 be okay for use for simple periodic jobs (no gerrit use or anything of that type)14:36
fungior rather, what significant bits are missing to support that use case?14:41
pabelangertoday we only have a single pipeline (check) on zuulv3.o.o. So atm, it is untested14:43
jeblairmnaser: yes, it should be fine.  i believe those unit tests are re-enabled at this point.  though we may still have some things to change about it before we release.  i need to give it a once over.14:46
*** isaacb has quit IRC14:54
*** isaacb has joined #zuul15:16
pabelangermordred: left comment on 48291515:31
*** gundalow has left #zuul15:34
pabelangermordred: jeblair: So, I am a little lost on what I should be working on for zuulv3 playbooks. I'm looking at the migration plan step 1 right now and trying to determine if tox jobs are done now or if we should increase coverage for other tox things out side of zuul tox.ini15:38
jeblairpabelanger: i think mordred's got a better handle on that, so i'll defer to him when he gets back.  but i do see some changes you can maybe review/merge: 482593 and 2 children, and 482584 and one child15:40
pabelangerjeblair: ya, 482593 is the latest patchset I've uploaded, didn't want to self-approve on that. will dig into 48258415:43
mordredpabelanger: sorry - was looking away for a second15:44
mordredpabelanger: there are still 3 of the tox roles thathave the jenkins script text copied in (run-cover, run-tarball and tox itself)15:45
mordredpabelanger: I think we should iterate through making those not be giant shell blobs - which may take a little care and attention to figure out the right decomposition15:46
mordredpabelanger: but we should be able to do it small bit at a time so we don't have to rewrite the whole thing15:46
pabelangermordred: sure15:48
pabelangermordred: also, it looks like validate-host is now how we collect host information for jobs, but today it nolonger is outputted to console stream, was that intentional?15:49
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Fix race in test_shadow  https://review.openstack.org/48301615:51
jeblaireasy +3 ^15:51
*** isaacb has quit IRC16:07
SpamapSjeblair: trivial +3'd :)16:09
SpamapSnow if we can just keep it from exploding16:10
mordredjeblair, pabelanger: http://logs.openstack.org/15/482915/1/check/23951a5/job-output.txt is recent and os_loganalyze did not html it - http://logs.openstack.org/14/481014/5/check/9ce8405/job-output.txt.gz is from last week and is from a random example I tried - and it did16:15
mordredwhat's the difference / why is os_loganalyze not html-ifying http://logs.openstack.org/15/482915/1/check/23951a5/job-output.txt ?16:16
mordredpabelanger: yes! it now goes to a nice file so it's readable16:17
pabelangermordred: ack, will take some adjustments16:17
pabelangermordred: jeblair: also, I am finding our current job-output.txt format very hard to read. Basically a large blob of text for me, what are your thoughts on making it more inline with: http://logs.openstack.org/89/481589/1/check/gate-windmill-deploy-fedora-25-nv/493e687/console.html.gz. Include line breaks between tasks, json pretty printing16:19
pabelangermordred: not sure about os_loganalyze, but can look into it.  Does it know about job-output.txt?16:19
clarkbpabelanger: mordred it has a whitelist of files that it can htmlify16:20
mordredoh - thefile needs to be gzipped16:20
pabelangerya, that is what I am looking for right now16:20
mordred  RewriteRule ^/(.*\.txt\.gz)$ /htmlify/$1 [QSA,L,PT,NS]16:20
pabelangerah16:20
mordredpabelanger: I agree that other thing is more readable for sure16:21
mordredpabelanger: I was just about to do a couple of patches in zuul_stream - why don't I take a stab at that16:21
clarkbyou will alao need to whitelist it to get it htmlified16:21
pabelangermordred: what is the best way to test the callback_plugin? Do you just run it locally against a simple playbook?16:22
mordredpabelanger: yah16:22
mordredclarkb: nah - it seemed to to job-output.txt.gz from last week just fine - I tihnk the main key is missing .gz ending16:23
clarkbwhitelist may just be for log severity mqgic16:24
mordredyah16:24
pabelangermordred: ack16:27
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Add job's project as implicit role project  https://review.openstack.org/48272617:07
Shrewsjlk: attempting to get a zuul-web container running in z8s. it seems to be running, but can't seem to get traffic through to it. changes are http://paste.openstack.org/show/615190/17:12
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Pass result data back from ansible  https://review.openstack.org/47944217:13
openstackgerritJames E. Blair proposed openstack-infra/zuul feature/zuulv3: Support relative urls in success-url  https://review.openstack.org/48134217:13
jeblairthose were already approved; i'm self re-approving because that's just a merge conflict fix17:15
Shrewsjlk: oh, i think it is getting through. zuul-web just seems to be immediately disconnecting for some reason17:16
Shrewshrm17:16
pabelangermordred: was there a specific reason we didn't use ANSIBLE_LOG_PATH to setup job-output.txt location, over ZUUL_JOB_OUTPUT_FILE logic?17:18
pabelangermordred: the reason I ask, it is looks like utils.display in ansible will setup a logger for use by default, if we use ANSIBLE_LOG_PATH17:19
Shrewsjlk: aha. have to use 0.0.0.0, not 127.0.0.1, in the zuul.conf17:25
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Add spacing lines and formatting to result dicts  https://review.openstack.org/48304217:27
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Add play recap back in to the end of plays  https://review.openstack.org/48304317:27
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Log execution phase and include information  https://review.openstack.org/48304417:27
jeblairpabelanger: i believe the logger ansible sets up is unsuitable for us17:27
mordredpabelanger: yes ^^ that17:27
mordredI have talked with toshio about doing work upstream to fix the use of logger there17:28
jeblairthe formatting and information it provides is different than what we want, and we can't change it17:28
mordredand he's open to fixes - so at some point in the future we can overhaul how that works which will be nice17:28
mordredpabelanger, jeblair: ^^ that stack includes a thing pabelanger asked for , a thing jeblair asked for and a thing I wanted to do17:29
jeblair(i mean, it's python logging, so maybe we could change it if we put on our crazypants and really dug into the api)17:29
*** amoralej has joined #zuul17:29
mordredyah. that seemed super unfun17:29
jeblairmordred: you're pleasing everyone!17:29
dmsimardHello Zuulers, we were wondering if it'd make sense to pull zuul-cloner out of zuul ? We end up needing to install Zuul (and all of it's dependencies) on nodepool VMs that only require zuul-cloner.17:30
mordredhttp://paste.openstack.org/show/615191/ is example output - oh - you know what - I need to make a change in that real quick17:30
*** dpawar has joined #zuul17:30
mordreddmsimard: zuul-cloner goes away in v3 - so that problem will resolve itself in the not-too-distant future17:30
dmsimardmordred: oh yeah ? I didn't know.17:31
amoralejmordred, is it replaced by something different?17:31
mordreddmsimard: in v3 we push the repos in a properly prepared state onto the build nodes17:31
dmsimardmordred: executor node will send the patchset to the nodepool VM or saomething ?%17:31
dmsimardahhhh17:31
jeblairdmsimard: zuul magically puts all of your repos on disk for you with all the changes applied to the correct branches before starting the job17:31
mordreddmsimard: so in v3 everything just works magically exactly as you'd want17:31
dmsimardI can see the word "magically" being used often here :)17:31
mordred:)17:31
jeblairmordred: magic jinx17:31
amoralejmagically means we need some software installed on it?17:32
mordredamoralej: ssh17:32
amoralejnice17:32
mordredamoralej: which you have to have for zuul to run jobs on it anyway :)17:32
dmsimardamoralej: no -- in zuul v3 the zuul executor node (kinda like jenkins master) sends the data to the build node (nodepool vm)17:32
jeblairzuul will push the repos onto the test nodes at the start of the job17:32
amoralejyeah, that's not a problem for sure17:32
pabelangerhttp://git.openstack.org/cgit/openstack-infra/openstack-zuul-roles/tree/roles/prepare-workspace/tasks/main.yaml FYI17:32
pabelangeroh, that should be using verify_hosts too17:33
pabelangerwill patch :)17:33
amoralejpabelanger, when using zuulv2, any trick to install it in nodepool nodes in venv to not interfere with other requirements?17:33
jeblairdmsimard, amoralej: minimizing the requirements on the test nodes is a goal for us for v3.  and so far, we've been able to do that.17:34
mordredamoralej: in v2 I believe that's what we do - when we buld out images we make a zuul-cloner venv and then we call that from our jobs17:34
dmsimardamoralej: upstream nodepool elements already do that17:34
jeblairamoralej: yes, in openstack we have a dib element that installs it in a virtualenv.17:34
pabelangeramoralej: nope, we do that today in our jobs. virtualenv zuul-env; zuul-env/bin/pip install zuul17:34
dmsimardamoralej: it's our fault due to how we set up the image17:34
amoralejok, cool17:35
pabelangerdmsimard: amoralej: centos-7 DIB will have /usr/zuul-env by default17:35
jeblairmordred: you sure you want yaml vs pretty-printed json?  i know this is for humans, though pretty-printed json is maybe closer to the minimal change to ansible output, but still readable by humans...17:36
amoralejnice, we'll investigate to use it for our images17:36
amoralejthanks17:36
jeblairmordred: (i'm okay trying it -- i just want to make sure when we diverge from the native ansible experience (TM) we do so for good reason :)17:37
*** adam_g has quit IRC17:39
*** adam_g has joined #zuul17:41
openstackgerritPaul Belanger proposed openstack-infra/zuul feature/zuulv3: Add new line between zuul_stream messages  https://review.openstack.org/48304817:41
pabelangermordred: ^ trival change, adds some new lines to our output between tasks / plays17:42
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Add play recap back in to the end of plays  https://review.openstack.org/48304317:42
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Add spacing lines and formatting to result dicts  https://review.openstack.org/48304217:42
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Log execution phase and include information  https://review.openstack.org/48304417:42
pabelangerwill results in http://logs.openstack.org/89/481589/1/check/gate-windmill-deploy-fedora-25-nv/493e687/console.html.gz for white spacing17:42
mordredpabelanger: sorry man - that was the stack I was just writing17:42
mordredoh - you did zul_stream17:43
pabelangermordred: :)17:43
mordrednod - yah - I'd rather not do the \n there - because that'll wind up putting a \n between every line of stdout output we get from shell tasks17:43
pabelangerack17:43
pabelangermordred: lets go with your approach then17:44
mordredjeblair: I could go either way re: yaml v json - easy to swap it in either direction17:45
jeblairmordred: i'm +2 on the stack.  let's see what it looks like, and we can compare it to the windmill output after it runs.17:47
pabelangersame, also +2 looking forward to output17:47
mordred\o/17:49
pabelangerHmm, just testing locally, getting a warning17:49
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Fix race in test_shadow  https://review.openstack.org/48301617:49
mordred(at some point that file needs a good refactoring - but I've been holding off on doing that for now because we have otherthings on our plate)17:50
jeblairthis is interesting:  all of the zuulv3 jobs for that change hit retry_limit17:51
mordredoh - interesting17:51
jeblairhttp://logs.openstack.org/16/483016/1/check/8f1a044/job-output.txt17:51
jeblairsample17:51
mordredjeblair: I pulled hte +A real quick17:51
jeblairmordred: sorry, i meant the merged one -- 17:49 < openstackgerrit> Merged openstack-infra/zuul feature/zuulv3: Fix race in test_shadow  https://review.openstack.org/48301617:52
jeblairmordred: is it happening on others too?17:52
jeblair(it wouldn't surprise me)17:52
mordredjeblair: we went staight from pre to post in the ones I just pushed up17:52
jeblairmordred: yeah, that's sort of what that log looks like too17:53
pabelangermordred: change 483042 to -1, with comment17:53
jeblair2017-07-12 17:21:54.162530 | ubuntu-xenial | Get:35 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 openjdk-8-jre-headless amd64 8u131-b11-0ubuntu1.16.04.2 [27.0 MB]17:53
jeblair2017-07-12 17:31:21.579914 | PLAY [/tmp/8f1a04439a58497c800260b9b6740581/ansible/post_playbook_0/git.openstack.org/openstack-infra/zuul-jobs/playbooks/tox/post : all]17:53
jeblairnote the timestamps there17:53
mordredwell - timestamp skew can be a thing17:53
jeblairmordred: ?17:53
mordredwe report timestamps of the remote host for stdout outout and timestamp fromthe executor for play banners17:54
jeblairmordred: ah ok17:54
jeblair2017-07-12 17:31:24.926275 | ubuntu-xenial | ok: Results: => {"changed": false, "examined": 0, "files": [], "matched": 0, "msg": "src/git.openstack.org/openstack-infra/zuul/.tox was skipped as it does not seem to be a valid directory or it cannot be accessed\n"}17:54
mordredyah - that's in the "collect logs" postplaybook17:54
jeblairmordred: ^ that's the next line.  that's from the host, so it certainly is 10 minutes after the last line from the previous play17:54
mordrednod17:54
mordredso we're losing something somwhere17:55
jeblairdigging in executor log17:55
mordredkk. I have to run to an appointment - back in a bit ... sad I don't get to dig with you17:55
pabelangerhttp://paste.openstack.org/show/615196/ as the warnings I can getting with the stack from mordred17:55
pabelangermaybe related17:55
pabelangerleft comment about unexpected keyword17:56
mordredpabelanger: ou have to pass in a few thigns17:56
jeblairtimed out during bindep: http://paste.openstack.org/show/615197/17:56
mordredpabelanger: rm foo.out && ZUUL_JOB_OUTPUT_FILE=foo.out ansible-playbook test.yaml -e zuul_execution_phase=pre -e zuul_execution_phase_count=1 && cat foo.out17:56
mordredpabelanger: is how I tested that17:56
pabelangermordred: k, let me try again17:57
pabelangermordred: same warnings :(17:58
mordredpabelanger: it's on my todo list to make a "run this playbook like zuul would" tool17:58
mordredjeblair: we have not yet landed the bindep rework patches, so nothing new realy should have changed there17:58
jeblairmordred: i'm thinking it's just a really slow node?17:58
pabelangerjeblair: mordred: we should land configure-mirror patch, so we are using AFS17:58
pabelangerright now we are hitting upstream ubuntu17:59
jeblairpabelanger: please do.  :)17:59
pabelangerk, I'll +3 https://review.openstack.org/#/c/473845/ unless somebody else wants to review17:59
pabelangersorry18:00
pabelangerhttps://review.openstack.org/#/c/482593/18:00
mordredah. yes. mirror18:00
jeblairpabelanger: yes, that and its child18:00
pabelangerk, approving now18:01
openstackgerritMerged openstack-infra/zuul-jobs master: Create configure-mirrors role  https://review.openstack.org/48259318:01
openstackgerritMerged openstack-infra/zuul-jobs master: Remove default value for mirror_host  https://review.openstack.org/48291518:01
openstackgerritMerged openstack-infra/zuul-jobs master: Replace hand-written slug with ansible_managed  https://review.openstack.org/48291618:01
*** dpawar has quit IRC18:15
pabelangermordred: it looks like yaml.safe_dump is causing some problems with my local test18:28
pabelangermordred: I am using the debug task18:29
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Pass result data back from ansible  https://review.openstack.org/47944218:40
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Add some indexes to allow efficient dashboard sql  https://review.openstack.org/48161419:14
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Remove function_cache variables from executor client  https://review.openstack.org/48289019:14
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Cleanup components doc  https://review.openstack.org/48263619:15
*** harlowja has quit IRC19:17
openstackgerritTobias Henkel proposed openstack-infra/zuul feature/zuulv3: Correct run job parameter documentation  https://review.openstack.org/48297719:34
*** amoralej is now known as amoralej|off19:35
*** harlowja has joined #zuul20:02
mordredjeblair, pabelanger: ya'll learn anything about v3 while I was away? seems it was mostly looking at why the actual gate was slow20:02
pabelangermordred: just safe_dump comment from above on your zuul_stream changes. But ya, working on bring online 2 more zuul-launcher nodes to help with some scale issues20:03
jeblairmordred: i finished https://review.openstack.org/482726 and the unit tests have shown a problem i don't have a good solution to20:04
mordredjeblair: awesome20:04
mordredpabelanger: neat - so - safe_dump + debug == sad?20:04
jeblairmordred: basically -- if we have an implicit role for a job, how does that interact with inheritance and variance?20:05
mordredpabelanger: aha! I have reproduced - neat20:05
mordredjeblair: oh ... my20:05
pabelangermordred: ya, looks that way20:06
mordredpabelanger: cool. looking now20:06
jeblairmordred: i'm thinking that just shelving the idea may be a good option.  the burden to explicitly add ones own repo to supply roles may not be worth the extra complexity after all.20:06
jeblairmordred: i'll continue to mull it over in the background, but i'm going to move onto another foreground task right now.20:10
jeblairprobably the 'run playbooks with only roles defined up to that point' idea.20:12
*** jkilpatr has quit IRC20:25
jeblairmordred: a possible resolution may be to mirror the behavior of the implied run attribute (which does not get set in a project-pipeline variant).  there's some... machinery... around that though.20:25
mordredjeblair: it seems like a good idea to put it on the backburner and see if the subconscious comes up with anything20:29
mordredpabelanger, jeblair: ok - SO - I think we're going to want to go json instead of yaml for the printing :)20:29
jeblairmordred: ok.  what's the problem?20:30
mordreddebug, which is one of the more important things to be able to print, has AnsibleBaseYAMLObject's in it20:30
jeblairmordred: that can be marshalled to json?20:31
mordrednow - i'm sure there's a way to completely and accurately translate them such that yaml views them as a dict and not an object (I tried copying stuff - but various keys are AnsibleUnicode which are AnsibleBaseYAMLObject20:31
mordredjeblair: it can - they ARE a dict20:31
mordredjeblair: but yaml is too smart20:31
jeblairmordred: gotcha20:31
mordredso since it was a question originally anyway, and pabelanger's original version was json20:32
jeblairmordred: yeah, it's probably a matter of setting custom representers or something, which seems like too much effort for this.20:32
mordredwhy fight it20:32
mordredjeblair: ++ exactly20:32
pabelanger++20:32
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Add play recap back in to the end of plays  https://review.openstack.org/48304320:36
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Add spacing lines and formatting to result dicts  https://review.openstack.org/48304220:36
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Log execution phase and include information  https://review.openstack.org/48304420:36
jeblairmordred, pabelanger, jlk: currently, we accumulate roles through the whole inheritance hierarchy, and then run all playbooks (pre, run, post) with all of those roles added.  mordred requested that we do so only with the roles defined up to the point of playbook definition.  iow, the pre-playbooks that a job inherits from the base job will only run with the roles that were defined on the base job.  but the main playbook would run with a superset ...20:39
jeblair... of those since it was defined further down the inheritance hierarchy.20:39
jeblairmordred, pabelanger, jlk: my question is this:20:39
jeblairmordred, pabelanger, jlk: should the main playbook run with the roles defined at the point that the main playbook was defined, or should you be able to inherit from a job which defines a playbook, and have the child add roles without defining its own playbook.  essentially, this would only be useful to override a previously defined role in the main job playbook.20:41
jeblairer, i forgot the question mark, but you get the idea.20:41
*** jkilpatr has joined #zuul20:41
jeblairi lean toward saying that we should use the role list from the final job, because otherwise, what's the point of adding to the roles there?  it'd be like we're ignoring configuration from the user.20:42
jeblairit just makes the rules for the main playbook a little bit more different than the rules for pre and post playbooks.20:42
mordredjeblair: yah20:43
jeblair(i can mock up an example if any of that isn't clear)20:43
mordredjeblair: so ... I buy your argument that we should execute the playbook for a job with the roles defined up through the job, not just up through where the playbook is defined20:44
pabelangerjeblair: yes, I think a mock would help me20:44
jeblairpabelanger: https://etherpad.openstack.org/p/b7TQRK74ka20:44
mordredjeblair: I think my only reluctance would be that it's maybe complex in service of a thing that may not be super frequent?20:45
jlkholy backscroll20:46
jeblairmordred: as long as we're doing playbook context roles at all, the difference in implementation between option A (main playbook has final role list) and option B (main playbook has role list from when it was defined) is small i think.20:50
jeblairpabelanger: mackup completed.  does that make sense?20:50
pabelangerjeblair: okay, now I see what you are saying about option b.  my-unittests-roles, when would they actually be used then?20:50
jeblairpabelanger: never20:50
jeblairpabelanger: it sounds pretty ridiculous when put like that doesn't it?20:50
pabelangerya20:50
pabelanger:)20:50
jeblairpabelanger: the only reason i can see to do option B is so that we can write "playbooks always run with the roles path that the job had at the point in the inheritance hierarchy where the playbook was specified" in the docs.20:51
pabelangerso, with that in mind, option A does make the most sense. But B would be nice if we wanted to block jobs from having roles for some reason20:52
jeblairpabelanger: as opposed to option A, which would be "pre and post playbooks run with the roles path that the job had at the point where they were specified; the main playbook will run with the final roles path of the job."20:52
pabelangerright20:53
mordredjeblair: yah - but pre and post playbooks are already different, becaue they onion rather than override20:53
mordredso I think that's fine20:53
jeblairi think one of the main concerns we want to address is that we don't allow people to hijack jobs by substituting malicious roles.20:57
jeblairbecause most of this is in service of reversing the role order so that you (a) can override roles, but (b) it's safe20:57
jeblairso option A lets people override roles for the main playbook of a job.20:58
jeblairif that job was defined in a trusted repo, then it could alter the behavior of the trusted job.20:58
jeblairwe have some protections against that -- if the job has secrets, it's automatically marked final, which means that adding new roles is disallowed.20:59
pabelangeranother thing I keep thinking about to is how something like requirements.yaml file for ansible-galaxy might complicate some of this.  Assuming an existing deployment has already built up their requirements file for roles.  Did we ever decide to have zuulv3 support installing roles from it?20:59
jeblairpabelanger: we decided not to do anything with that for now.21:00
pabelangerjeblair: ack. As for the current topic, I'll defer to both you and mordred on the best approach, but agree that option B doesn't seem to make sense from a configuration POV and potentially confusing to explain to end users why their role wasn't picked up21:03
openstackgerritMonty Taylor proposed openstack-infra/zuul feature/zuulv3: Log execution phase and include information  https://review.openstack.org/48304421:03
jeblairmordred, pabelanger, jlk: so is the 'final' attribute sufficient protection here?  should we expect people to know that a playbook defined in a trusted repo could have its behavior altered by a child job unless it's marked as final?  this is a little hard to reason about because i don't have any examples at hand of a job we would want to have that would be affected by this (in a trusted repo without secrets)21:04
jeblairthat's starting to make me look at option B somewhat more favorably.21:04
jlkThe behavior would be altered because a role would be replaced further down the stack?21:05
Shrewsjlk: ohai! i haz question21:05
jeblairjlk: yes, the proposal is to have child jobs add new roles to the front of the role path so they'd have precedence.21:05
jlkhrm. Is there a pattern you're trying to replicate?21:06
jeblairjlk: (that's mostly desired so that as we build up inheritance chains, roles from parent jobs don't end up messing up child jobs)21:06
jeblairjlk: not that i'm aware of.  :)21:07
Shrewsjlk: Dockerfile-zuul-fedora installs zuul from github, but we mount ZUUL_SRC in the container and the container somehow uses that instead. Where is the bit of magic that makes that happen? It eludes me...21:08
jlkShrews: pip install -e21:09
mordredjlk: yah - it's mostly that when writing a job in a repo and making a role in that repo - it was then weird to have a role defined in a base job be the one that ansible found21:09
jlk( I recently learned of that magic myself. It creates an egg link back to the source dir, so you can modify the source dir and restart the app without having to re-install to get your changes )21:09
Shrewsjlk: where are you modifying the link?21:10
jlkpip install -e MAKEs the link21:10
Shrewsjlk: right, and that *should* point to the github checkout, yes?21:10
jlkShrews: it points to the github checkout, which is in /zuul/21:11
jlkthe devel.yaml file will mount your local filesystem checkout of zuul on top of that inside the container so that it masks the content put there during the build phase21:12
pabelangermordred: does that exist today some place in our setup? Curious to look at it more21:12
jlkmordred: so the base problem here is that there is role name collision.21:13
jeblairpabelanger: well, it did at least temporarily when we were moving things around21:13
jlkand "first found" was winning21:13
jeblairjlk: yes21:13
jeblairi'm going to tell a little white lie now:21:14
Shrewsjlk: oh, so the 'git clone' from the Dockerfile is happening at the / level.21:14
mordredjlk: yes - and first found was the opposite of my expectations21:14
Shrewsthat may have been the piece i was missing21:14
jeblairthe current behavior is that the jobs run all of their playbooks with all of the roles accumulated through the entire hierarchy, and the roles are in the order the appear in that hierarchy, meaning that the base roles came before the later job roles.21:15
mordredjlk: since I was hacking on a playbook and a role in my local repo and had no idea there was a rle named something else used for a different playbook defined in a base job21:15
*** lennyb has quit IRC21:15
jeblair*(the white lie is that *actually* our roles come from an unordered set so it's random.  but it mostly ends up that way, and if we decide to stick with the status quo, we would at least fix it so it behaved deterministically like that.  so let's call that the current state)21:15
mordredfair :)21:16
pabelangerah :)21:16
jeblairso yeah, morded was correctly surprised that he wasn't able to use the role his job was expecting.  i think pushing roles onto the stack so that child job roles are found first will be least surprising to users.21:17
jlkthat does seem least surprising21:17
mordred++21:17
jeblairhowever, in order to make that change, we also need to make it so that users can't hijack playbooks by supplying malicious roles.21:17
* SpamapS grumbles about namespaces21:17
SpamapSFeels like we're repeating PHP history here21:17
jlkI'm unclear on how surprising it would be to have a playbook in my repo call a role (that I forgot to add) and it picks up a role from some other (random) repository21:18
jlkfeels, icky to me21:18
SpamapSYeah21:18
SpamapSI kind of want explicit composition somehow21:19
SpamapSimport zuul_roles21:19
jlkDo we have any immediate use cases for inheriting roles themselves?21:20
jlkthe role, not a job21:20
jeblairjlk: well, it's a repository in the inheritance chain for your job; so in practice, either a role repository *related* to your job (eg, devstack-gate roles), or something the site admin thought should be available to all jobs.  of course, that probably includes zuul-jobs, so there will be quite a few roles there.21:20
jlklike, defining a new playbook but expecting to use roles from somewhere else, not in the way that Ansible already does it?21:20
mordredjlk: ifyou want to make a job that runs tox on a specific environment21:22
mordredjlk: you can inherit from the tox job21:22
mordredjlk: and that'll get everything se tup for you in pre-playbooks21:23
jeblairjlk: yes -- if i were defining a new simple job, i would expect to simply inherit from base and have all of the standard site roles available.  similarly, a variant on the devstack job.  or mordred's example.21:23
mordredbut then you might want to make a new run playbook - and expect to be able to use the tox role that the tox job used same as the tox job does since you inherited from the tox job21:23
pabelangerbase/pre job also works like that today. add-build-sshkey is located in openstack-zuul-roles21:23
jlkbut why invent a new way to get at these roles?21:23
mordredjlk: what do you mean?21:24
jlkAnsible already has a way to share roles21:24
mordredjlk: wrong context21:24
mordredjlk: we need zuul to be able to put speculative versions of roles in place on the executor21:24
jeblairjlk: that, and this is the way we set roles_path in ansible.cfg.21:24
mordredso that one can propose a change to a role that is part of a job definition and have the job execute with it correctly in place21:24
mordredso - if you just want a galaxy role and you don't need speculative execution - you just add it to the job's roles list and you're good to go21:25
jlkthis is... complicated.21:27
*** lennyb has joined #zuul21:27
pabelangerYa, it is a tricky question. If you were to run ansible-playbook mutliple time on your local system against multiple playbooks, would you dump all the role for all playbooks it a directory, or make updates to the role path between runs21:27
jeblairfor more background, skip to "Because the content of roles" in http://specs.openstack.org/openstack-infra/infra-specs/specs/zuulv3.html#ansible21:27
mordredso - to be clear - I belive this is mostly going to come up for us and not for 'normal' users21:28
mordredI expect 'normal' users to have playbooks and rles in their one repo and possibly some galaxy roles if they need those - and I _don't_ expect it to be frequent that a normal dev is going to be trying to do complex things with ansible AND the zuul job inheritance structure21:29
mordredbut for those of us working on base jobs and re-sharable jobs and running zuuls, this construct is going to be much more frequent because we're down in the muck of designing jobs for composition and reuse21:30
jeblairyes, this should be invisible.  the reason we're talking about it is because it momentarily wasn't.  :)21:30
mordredyup. we _want_ theuser to be explicit about the roles they want to use - we just want them to actually get those roles when they are :)21:31
pabelangerwe could also better namespace our roles, such as repo.rolename in our playbooks. eg: zuul-jobs.bindep to help people looking at jobs better understand where a role is coming from.21:32
*** dkranz has quit IRC21:32
mordredpabelanger: yah - I think we could certainly actually have our use in our base jobs adopt a stricter and cleaner approach lke that21:34
mordredpabelanger: and that's likely not a terrible idea21:34
jeblairyeah, that seems like a good idea.  i'm not sure we should have zuul require or enforce that, since ansible doesn't.  but we can certainly set up our roles that way.21:35
mordredjeblair: ++21:36
mordredjeblair: I do not think we sould have zuul require or enforce that - but I think we should choose to do that ourselves21:36
pabelangeragree21:37
jeblairback to the question i posed -- i'm now leaning toward option B because i think it's safer.  while it's true that the final attribute gets us a lot of safety, i'm starting to view things as basically roles go hand-in-hand with the playbook content.  so it would be surprising for someone who authored a job in a trusted repo to have that job run with different roles than they specified (even if the job had no secrets)21:39
jeblairi think i'm going to proceed with that for now.  it should be easy to change if we don't like it.21:40
jlkis option B defined somewhere? I haven't read all 400 lines of scrollback :D21:41
jeblairjlk: yeah, i made a mockup here: https://etherpad.openstack.org/p/b7TQRK74ka21:41
pabelangerya, I am also a little confused on 'final' attribute myself21:41
mordredI think option b is more in line with an expectation that things be explicit21:43
jeblairpabelanger: 'final' means nothing which can affect what actually gets executed by a job can be changed by a variant of that job.  (we might also apply it to inheritance, but we haven't yet).21:43
mordreddoing a feels like we're inventing a whole new method of executing ansible, which isn't our intent21:43
jeblairpabelanger: for example the pypi-upload job will be a final job.  anyone can run it and add it to their own project and specify under what circumstances it should run, but they can't change what it does.21:44
mordredwhereas b is basically "I have a playbook and some roles, please to run the playbook with the roles"21:44
mordredlong story short- I agree, I think B is the better choice21:44
pabelangerjeblair: understood, by looking the etherpad, is my-unittests the final job in this context?21:45
jeblairpabelanger: none of these jobs are final21:46
pabelangerokay, I am still slightly confused, but that is okay. I'll hold out for the patchset and look again21:47
mordredI think B basicaly says that doing the my-unittests job like that is essentially a silly thing21:47
jeblairyeah, the only reason to write that job would be to further inherit from it.21:48
mordredthat unittests is a playbook defined in the unittests job and where it was defined it said "use unittests-roles"21:48
mordredand if someone wants to make a my-unittests that uses their own roles, they can do that - they just need to also define a playbook that does so21:49
jeblairmordred: yep21:49
mordredand then they'll be in a position of "I defined a playbook and some roles and used them" and nothing is extra magic21:49
mordredactually - lemme add that real quick ...21:49
pabelangerokay, I think I am understand more now. my-unittests is missing the run section21:50
* jlk watches the pad get updated21:51
pabelangermordred: line 18 would be valid right?21:51
mordredpabelanger: sorry - which line?21:52
pabelangermordred: job on line 18, that to me is valid today21:52
* mordred thinks this is fun - and have become convinced that my-unittests is just a bad idea and not supporting it is correct21:53
pabelangerline 13, I haven't see before21:53
pabelangerand not sure we are using it21:53
mordredpabelanger: yes - job on line 18 is supported and what we want21:53
mordredexactly21:53
pabelangerya, okay now I understand21:53
mordredit's a theoretical possibility- and I think we've discovered that it's not a good theoretical possibility21:53
jeblairjob on line 13 is silly, but it's the crux of the question -- what do we do for that case.  :)21:53
mordredyup21:53
pabelangerjeblair: ya, I am having a hard time thinking of why we'd want to do that21:54
pabelangerover what mordred just did on line 1821:54
jeblairthis will cause us to have per-playbook ansible config files, rather than just two (untrusted/trusted).21:55
jeblairthat's actually going to be the bulk of the change.  the model/config stuff is easy.  :)21:55
mordredjeblair: ++21:55
pabelangerjeblair: ya, I actually think I like that better21:56
pabelanger++21:56
jlkyeah I like the chunk on 18 better. Less magic21:58
mordred++21:58
jlkYou get the roles from the parent, and you can use your localized playbook to alter how those roles behave.21:59
pabelangerYa, I am kinda surprised that run isn't a required attribute for our jobs21:59
jlkwhich you should be able to do speculatively, right?21:59
mordredjlk: yup!21:59
jlkhyperagreement!21:59
mordredpabelanger: well - it can't be - because of base jobs - but I hear you21:59
jeblairpabelanger: the 'my-unittests' job without the roles attribute but with, say, a vars attribute makes perfect sense.  in fact, you've written such a job.  but it still doesn't have 'run' because it doesn't need it.22:02
pabelangerYa, that is true22:03
jlkFYI I'm out for two weeks on vaca starting Monday22:26
openstackgerritMerged openstack-infra/zuul feature/zuulv3: Correct run job parameter documentation  https://review.openstack.org/48297722:28
pabelangerjlk: enjoy!22:32
jlkI plan to. 9 days of beach fun on Kauai22:33
mordredjlk: sounds lovely! I was there in December and had a great time22:36
jlkcool! My mother lived there during the 90s and I spent 4 summers there with her. Was good times. None of my family has been.22:37
jamielennoxShrews, others: i had this patch for nodepool to remove the secure file default cause if the file doesn't exist it crashes: https://review.openstack.org/#/c/480310/23:01
jamielennoxi was going to just remove the whole concept of a secure file because it's unused, but there's a few lines in the doc that imply it's coming back23:01
jamielennoxthoughts?23:01
pabelangerYa, I think we want it for zookeeper auth23:01
pabelangerwhich we haven't added it23:02
jeblairi'm thinking we should move all the config which isn't providers or images into the other file (and probably rename it)23:03
jeblairthat gives it the same sort of site-administration vs content split we have with zuul23:04
jamielennoxso i saw a proposal for a conf.d, wouldn't supporting that allow you to split secure/config without specifying exactly the two files23:04
SpamapSjlk: zomg I love Kauai23:04
jlkWe'll be staying on Poipu beach. Kiahuna Plantation Resort.23:05
SpamapSTahiti Nui in Hanalei for karaoke.. it's mostly local people. :-D23:05
jeblairjamielennox: maybe so?23:05
SpamapSjlk: that's where I stayed, but in a rented house.23:06
jlkoh, I don't do karaoke :(23:06
SpamapSsaright bra23:06
SpamapSAlso I can't remember the name of the cheesy * 10 luau I went to.. but it was ermahgerd goodbad.23:07
jlkthat sounds great!23:09
jamielennoxi am a fan though of splitting the provider/images type config away from the zookeeper and dir related stuff23:09
SpamapSSmith Family Garden Luau23:10
SpamapSthat one23:10
jamielennoxas i can see wanting that info in a more publc project-config style repo than just the straight up config options23:11
jlkSpamapS: you had me at "open bar"23:12
jamielennox(can always make that work now, but as a recommended deployment style)23:12
« Tuesday, 2017-07-11 Index Thursday, 2017-07-13 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!