Thursday, 2019-02-07

pabelanger	SpamapS: mordred: okay, thanks. I'll guess I'll try and figure out how to deal with the python version via ansible (for site-package)	00:02
*** dmsimard has quit IRC		00:25
*** sdake has quit IRC		00:37
*** sdake has joined #zuul		00:41
*** sdake has quit IRC		00:41
*** dmsimard has joined #zuul		00:57
*** sdake has joined #zuul		01:12
SpamapS	pabelanger: we could probably make the zuul CLI print it out	01:20
SpamapS	But as mordred says, maybe best is just to send everything to cherrypy	01:21
*** sdake has quit IRC		01:48
*** sdake has joined #zuul		01:50
*** manjeets has quit IRC		02:15
*** manjeets has joined #zuul		02:16
*** sdake has quit IRC		02:19
openstackgerrit	Tristan Cacqueray proposed openstack-infra/zuul master: web: add /{tenant}/buildsets route https://review.openstack.org/630035	03:08
openstackgerrit	Tristan Cacqueray proposed openstack-infra/zuul master: web: add buildsets page https://review.openstack.org/630041	03:08
openstackgerrit	Tristan Cacqueray proposed openstack-infra/zuul master: web: add /{tenant}/buildset/{uuid} route https://review.openstack.org/630078	03:10
openstackgerrit	Tristan Cacqueray proposed openstack-infra/zuul-jobs master: add-build-sshkey: remove previously authorized build-sshkey https://review.openstack.org/632620	03:12
openstackgerrit	Tristan Cacqueray proposed openstack-infra/nodepool master: Implement zookeeper-auth https://review.openstack.org/619155	03:23
*** rlandy\|bbl is now known as rlandy		03:43
*** sdake has joined #zuul		03:43
*** sdake has quit IRC		03:44
*** rlandy has quit IRC		04:06
*** sdake has joined #zuul		04:10
*** sdake has quit IRC		05:18
*** chandankumar has joined #zuul		05:45
*** chandankumar is now known as chkumar\|ruck		05:46
*** swest has joined #zuul		06:21
*** swest has quit IRC		06:27
*** swest has joined #zuul		06:28
*** quiquell\|off is now known as quiquell\|rover		06:36
*** saneax has joined #zuul		06:37
quiquell\|rover	tobiash: thanks, didn't have much time to give youlove to it, just rebase love	06:37
quiquell\|rover	tobiash: if you have some time today maybe you can help me with it	06:39
tobiash	quiquell\|rover: if you want I could fix it later today or this evening	06:41
quiquell\|rover	I will put back .keep	06:42
tobiash	ok	06:42
quiquell\|rover	What I didn't figure out is	06:42
quiquell\|rover	How to use ansible zuul test case	06:43
quiquell\|rover	And hold node	06:43
quiquell\|rover	Hold build sorry	06:43
quiquell\|rover	Y call release in the unit test but build is still there	06:43
quiquell\|rover	I have to find why is that	06:44
quiquell\|rover	Maybe you can give me a clue on that	06:44
tobiash	quiquell\|rover: holding the builds with ansible test cases is not widely used atm	06:46
tobiash	I noticed that you have to call release for each playbook	06:46
tobiash	do you really need to hold the build in the test case?	06:46
quiquell\|rover	I need that to get the inventory	06:46
quiquell\|rover	If not it's vanished	06:46
quiquell\|rover	Will look into it	06:46
tobiash	you can also instruct it to keep the build dir	06:47
quiquell\|rover	Hummm	06:47
quiquell\|rover	That works for me	06:47
tobiash	look in test_v3 for that, I thing keep should be used somewhere in there	06:47
tobiash	or you can just put the change message into a file within a test playbook	06:48
*** chkumar\|ruck has quit IRC		06:48
tobiash	and assert within the playbook that the content is correct	06:48
*** chandankumar has joined #zuul		06:48
tobiash	that'll work too	06:48
*** chandankumar is now known as chkumar\|ruck		06:49
*** quiquell\|rover is now known as quique\|rover\|r--		06:53
quique\|rover\|r--	Thanks!! Will look at it	06:53
*** gtema has joined #zuul		06:54
*** pcaruana has joined #zuul		07:02
*** bjackman has joined #zuul		07:11
*** quique\|rover\|r-- is now known as quiquell\|rover		07:18
*** bjackman has quit IRC		07:21
*** bjackman has joined #zuul		07:23
*** quiquell\|rover is now known as quiquell\|rover\|b		07:33
*** quiquell\|rover\|b is now known as quique\|rover\|brb		07:33
*** quique\|rover\|brb is now known as quiquell\|rover		07:58
*** hashar has joined #zuul		08:04
*** gtema has quit IRC		08:08
*** themroc has joined #zuul		08:17
*** gtema has joined #zuul		08:36
openstackgerrit	Tristan Cacqueray proposed openstack-infra/zuul master: web: add /{tenant}/buildsets route https://review.openstack.org/630035	08:39
*** jpena\|off is now known as jpena		08:45
*** zbr\|ssbarnea has joined #zuul		08:49
*** chkumar\|ruck has quit IRC		08:53
*** zbr has joined #zuul		09:11
*** zbr\|ssbarnea has quit IRC		09:12
*** saneax has quit IRC		09:15
*** panda\|off is now known as panda		09:17
quiquell\|rover	tobiash: Got it working thanks !!!	09:20
tobiash	:)	09:20
quiquell\|rover	Le me also add the poor .keep file	09:20
*** saneax has joined #zuul		09:22
openstackgerrit	Quique Llorente proposed openstack-infra/zuul master: Escape jinja2 stuff from inventory https://review.openstack.org/633930	09:22
openstackgerrit	Quique Llorente proposed openstack-infra/zuul master: Escape jinja2 stuff from inventory https://review.openstack.org/633930	09:22
quiquell\|rover	tobiash: ^ let's see now	09:23
quiquell\|rover	tobiash: do I have to add more test to that ?	09:23
quiquell\|rover	maybe trying to parse inventory with ansible	09:23
*** saneax has quit IRC		09:28
*** saneax has joined #zuul		09:29
*** bjackman_ has joined #zuul		09:31
*** bjackman has quit IRC		09:33
*** chandankumar has joined #zuul		09:34
tobiash	quiquell\|rover: commented	09:35
*** chandankumar is now known as chkumar\|ruck		09:35
quiquell\|rover	tobiash: thanks ! let's do it	09:36
*** zbr has quit IRC		09:40
*** zbr\|ssbarnea has joined #zuul		09:40
*** chandankumar has joined #zuul		09:50
*** bjackman_ has quit IRC		09:51
*** chkumar\|ruck has quit IRC		09:51
*** chandankumar is now known as chkumar\|ruck		09:51
*** bjackman_ has joined #zuul		09:57
*** zbr\|ssbarnea has quit IRC		10:04
*** zbr\|ssbarnea has joined #zuul		10:07
openstackgerrit	Quique Llorente proposed openstack-infra/zuul master: Escape jinja2 stuff from inventory https://review.openstack.org/633930	10:23
*** bjackman_ has quit IRC		10:29
*** bjackman_ has joined #zuul		10:29
openstackgerrit	Fabien Boucher proposed openstack-infra/zuul master: [WIP] - URLTrigger based on the timer trigger https://review.openstack.org/635241	10:57
*** fdegir has quit IRC		10:57
*** fdegir has joined #zuul		10:58
*** sshnaidm\|afk is now known as sshnaidm		11:17
*** chkumar\|ruck has quit IRC		11:29
*** chandankumar has joined #zuul		11:30
*** chandankumar is now known as chkumar\|ruck		11:30
*** rfolco is now known as rfolco_doctor		11:38
*** bjackman__ has joined #zuul		11:39
*** bjackman_ has quit IRC		11:41
openstackgerrit	Quique Llorente proposed openstack-infra/zuul master: Escape jinja2 stuff from inventory https://review.openstack.org/633930	11:47
quiquell\|rover	tobiash: ^ now is all covered I think	11:47
quiquell\|rover	tobiash: also the ansible expansion	11:47
*** electrofelix has joined #zuul		11:58
lennyb	Hi, I am running zuul2 and I see a lot of my jobs in 'queued' state. I have enough free nodes in Jenkins, so I don`t understand why job is not triggered. No errors in logs.	11:59
tobiash	lennyb: maybe you need to restart jenkins	12:00
tobiash	lennyb: that solved many problems ages ago ;)	12:00
tobiash	at least I had often similar problems back then and a jenkins restart solved these most of the time	12:01
*** electrofelix has quit IRC		12:04
*** swest has quit IRC		12:04
*** electrofelix has joined #zuul		12:05
*** hashar has quit IRC		12:10
tobiash	mordred: looking at my graphs it looks like that 634598 was good because of clean code but didn't solve the memleak on the executors :(	12:13
lennyb	tobiash: thanks, but it did not help.	12:15
tobiash	lennyb: hrm, maybe zuul lost its connection to jenkins	12:15
tobiash	lennyb: or maybe gearman is stuck	12:15
lennyb	gearman plugin passed test. it happens a lot, restarting zuul 'fixes' the issue, but I am loosing a lot of commits.	12:16
mordred	tobiash: :(	12:16
*** swest has joined #zuul		12:20
tobiash	mordred: that's the rss of our executor containers during the last 6 months: https://paste.pics/7a57a7ae4a3973198b41e4db5005724a	12:20
tobiash	mordred: at one point in time it started	12:20
tobiash	mordred: we switched from alpine to ubuntu at this time	12:20
tobiash	mordred: so maybe a memleak in python itself or a different java-like memory management in glibc based python	12:21
mordred	tobiash: so the leak correlates with the switch from alpine?	12:21
tobiash	yes	12:21
tobiash	exactly with the date when we rolled it out	12:22
mordred	you are using the python shipped by ubuntu in your containers, yes?	12:22
tobiash	yes	12:22
mordred	and before with alpine were you using the python:alpine images? or normal alpine with the alpine provided python?	12:22
tobiash	so could be either alpine vs ubuntu or py37 vs py36 as alpine was at 3.7 at that time afaik	12:22
tobiash	it was normal alpine	12:23
mordred	yeah. there's several things possible there	12:23
tobiash	maybe I should try py37 from universe to rule that out	12:23
mordred	could be patches to python applied by ubuntu, or libc differences, or python versions	12:23
mordred	yeah - I know that 3.6 introduced a new dict impl	12:23
mordred	so it's possible 3.7 contains fixes for it that are important for our heavy dict usage	12:23
tobiash	possibly	12:24
mordred	it'll be interesting to see if we see the same behavior when we start deploying from the python:slim debian-based containers with 3.7	12:24
mordred	tobiash: it also seems like your immediate baseline memory is higher even before it starts leaking too	12:25
mordred	but maybe that's just musl vs glibc	12:25
mordred	we're still running on 3.5 on xenial at the moment	12:26
tobiash	ah	12:27
mordred	http://cacti.openstack.org/cacti/graph.php?action=view&local_graph_id=64003&rra_id=all <-- there's memory graphs for one of our executors - doesn't look like we're seeing the same sorts of increases you are	12:28
tobiash	yes, that looks different	12:29
mordred	python version and libc version are the primary differences that I'd expect to be relevant	12:30
tobiash	but at least we're updating zuul faster than the executors could oom ;)	12:30
tobiash	yes	12:30
tobiash	so think I'll try py37 first	12:31
mordred	++ - that'll be a good data point	12:31
tobiash	it's available as a package in universe so should be relatively easy to use that	12:31
*** bjackman__ has quit IRC		12:32
SpamapS	tobiash: you should also consider trying jemalloc	12:33
SpamapS	https://zapier.com/engineering/celery-python-jemalloc/	12:34
mordred	SpamapS: you are awake at an absurdly early hour	12:35
SpamapS	mordred: tell me about it :-P	12:35
mordred	SpamapS: I have very recent memories of being awake at the same hour in my timezone	12:35
SpamapS	Got my 4 hours in :-P	12:35
mordred	me too!	12:36
tobiash	SpamapS: thanks, reading	12:36
*** bjackman has joined #zuul		12:38
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Perform per repo locking on the executor https://review.openstack.org/635495	12:40
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Optionally parallelize update threads https://review.openstack.org/635496	12:40
*** jpena is now known as jpena\|lunch		12:44
* SpamapS may try to snag another hour before the sun comes up		12:44
*** sdake has joined #zuul		12:46
*** sdake has quit IRC		12:51
*** sdake has joined #zuul		12:52
*** sshnaidm is now known as sshnaidm\|afk		12:52
*** rlandy has joined #zuul		13:04
*** sshnaidm\|afk is now known as sshnaidm		13:11
openstackgerrit	Monty Taylor proposed openstack-infra/zuul master: WIP Run python with jemalloc in containers https://review.openstack.org/635504	13:14
tobiash	mordred: lol, just thought about doing the same thing ^	13:14
mordred	tobiash, SpamapS: ^^ there's a patch inspired by that blogpost - completely untested, and might be a terrible idea	13:14
mordred	tobiash: :)	13:14
tobiash	mordred: the packaged versions of jemalloc are very old as it seems	13:15
tobiash	both on bionic and stretch	13:16
tobiash	3.6.0 is from early 2015 :-/	13:16
tobiash	so you might want to build it from source ;)	13:16
mordred	yah - although in that post even 3.5 seemed to have a significant impact on his swap usage	13:17
tobiash	yes	13:17
mordred	tobiash: totally. if it winds up being meaningful for zuul, I think building it from source in a builder image wouldn't be terrible	13:17
tobiash	++	13:17
tobiash	the question is who wants to try this in production ;)	13:18
mordred	what could possibly go wrong? :)	13:18
tobiash	mordred: but I had the same ENV trick in mind, so that would also affect/improve ansible memory usage	13:19
tobiash	I think I'll try that after the py37 experiment	13:19
pabelanger	SpamapS: Yah, in fact, that is what I am doing today. So, likely okay just having cherrypy serve it, and deal with it if / when becomes an issue	13:34
*** sdake has quit IRC		13:47
*** jpena\|lunch is now known as jpena		13:48
*** rfolco_doctor is now known as rfolco		13:58
openstackgerrit	Quique Llorente proposed openstack-infra/zuul master: Escape jinja2 stuff from inventory https://review.openstack.org/633930	13:59
quiquell\|rover	tobiash: ^ all good now	13:59
tobiash	quiquell\|rover: thanks, will look later	13:59
quiquell\|rover	cool thanks	13:59
*** quiquell\|rover is now known as quique\|rover\|eat		14:06
*** bjackman has quit IRC		14:23
*** irclogbot_3 has joined #zuul		14:31
*** bjackman has joined #zuul		14:33
*** gtema has quit IRC		14:35
*** sdake has joined #zuul		14:35
*** quique\|rover\|eat is now known as quiquell\|rover		14:38
*** bjackman has quit IRC		14:42
*** bjackman has joined #zuul		14:42
*** bjackman has quit IRC		14:48
*** sdake has quit IRC		14:54
*** ParsectiX has joined #zuul		14:59
*** sdake has joined #zuul		15:09
tobiash	mordred: according to my graphs the scheduler seems to be leaky too	15:15
tobiash	or it's really just java-like behavior...	15:16
*** quiquell\|rover is now known as quiquell\|off		15:27
*** gtema has joined #zuul		15:33
*** zbr has joined #zuul		15:35
*** swest has quit IRC		15:37
*** zbr\|ssbarnea has quit IRC		15:37
tobiash	mordred: -rwxr-xr-x. 1 root root 4.3M Feb 7 15:42 /usr/local/lib/libjemalloc.so.2	15:56
tobiash	4.3M for a malloc implementation	15:56
tobiash	impressive	15:56
tobiash	mordred: so now I've restarted one executor as reference, updated one to py37 and one to py37+jemalloc	15:58
tobiash	looking forward to the graphs tomorrow...	15:58
clarkb	tobiash: with the scheduler I think it is more that as it expands to load configs python can never really release that memory again	15:59
tobiash	hrm, that graph is continuously rising during the day and rising again the next day	16:01
tobiash	just like it wouldn't reuse that memory	16:01
clarkb	tobiash: http://cacti.openstack.org/cacti/graph.php?action=view&local_graph_id=64792&rra_id=all that one?	16:03
clarkb	it looks pretty stable	16:03
openstackgerrit	Fabien Boucher proposed openstack-infra/zuul master: Propose the URL driver to implement an URL change Require Filter https://review.openstack.org/635554	16:03
tobiash	yeah, maybe it stabilizes once it doesn't get more memory ;)	16:03
tobiash	hm, ok my executor has a limit of 4gb currently	16:05
tobiash	maybe it would stabilize around that level	16:05
*** pcaruana has quit IRC		16:21
*** themroc has quit IRC		16:22
*** chkumar\|ruck has quit IRC		16:38
*** chandankumar has joined #zuul		16:39
*** saneax has quit IRC		16:40
dmsimard	Is the zuul inventory file available during the runtime of a job ?	16:42
dmsimard	I know the Ansible vars are available, I mean the literal file :)	16:42
jkt	so, I'm playing with a pre-run playbook to basically call `git submodule update --init --recursive`, after fixing the repo URLs etc	16:43
jkt	I understand that I have to add all dependant projects into tenant config and job's required_project stanza	16:43
dmsimard	Ah, got it: {{ zuul.executor.log_root }}/zuul-info/inventory.yaml	16:44
jkt	my problem is that even that initial step where zuul-executor prepares these git repos takes 2.5 minutes on this VM which is allegedly already backed by SSDs	16:45
clarkb	dmsimard: ya a privileged play copies it to that location	16:45
clarkb	dmsimard: so the running job doesn't read that exact file (eg don't expect updates to it to reflect in the ansible runes)	16:45
openstackgerrit	Fabien Boucher proposed openstack-infra/zuul master: URLTrigger driver time based https://review.openstack.org/635567	16:48
corvus	dmsimard: https://zuul-ci.org/docs/zuul/user/jobs.html#var-zuul.executor.inventory_file	16:50
corvus	jkt: i think we've talked about this, but just in case -- is your executor's job_dir on the same filesystem as it's git_dir? https://zuul-ci.org/docs/zuul/admin/components.html#attr-executor.job_dir and https://zuul-ci.org/docs/zuul/admin/components.html#attr-executor.git_dir	16:53
jkt	corvus: we talked about this, but I don't remember that particular point	17:03
jkt	corvus: and yup, same fs	17:04
jkt	doh, nope	17:04
tobiash	jkt: not same fs is a real performance killer ;)	17:05
jkt	ok, actually, yes, this is all rootfs, so no tmpfs for /tmp	17:05
tobiash	jkt: also same mount point (if you're runnning containerized)?	17:05
jkt	tobiash: I am not using containers; this is on centos 7, with an xfs / and nothing mounted at /tmp	17:06
tobiash	ok	17:06
jkt	so both /var/lib/zuul/executor-git and /tmp should be rootfs	17:06
tobiash	jkt: maybe this could help: https://review.openstack.org/635496	17:06
jkt	tobiash: have you noticed that you guys come up with a solution to any of my problems just hours before I need one? :)	17:07
tobiash	:)	17:07
*** sdake has quit IRC		17:07
tobiash	jkt: how many repos does your job have?	17:07
jkt	about a zillion, well, actually, ~150	17:08
jkt	:(	17:08
tobiash	that change parallelizes the initial git fetch of all repos of the job	17:08
tobiash	ok, so then I'd expect quite some speedup in your case	17:08
jkt	the biggest offender are the Boost C++ libraries	17:09
jkt	their build system hasn't liked my attempts at pruning the dep tree at all	17:09
corvus	tobiash: left a question on that about whether we can eliminate the config option :)	17:09
jkt	also, their submodules point to ../relative/whatever.git instead of just ../relative/whatever	17:10
tobiash	corvus: fine for me, I just wanted to retain status quo with the config option	17:10
*** sdake has joined #zuul		17:10
jkt	this is what I have now, http://paste.openstack.org/show/744695/	17:11
tobiash	I guess we could start with 1*cpus?	17:11
corvus	tobiash: ah, yeah, i expect that it would be okay to improve things by default for people. that sounds good.	17:11
*** pwhalen has quit IRC		17:12
tobiash	corvus: I just need to think about how to get the correct number of cpus in my cgroups restricted depoyment	17:13
tobiash	multiprocessing will return 16, but the executor is restricted to 8	17:13
jkt	so, the numbers: 1min 21s for updating all repos in /var/lib/zuul/executor-git/ , which should be a no-op in this case because there are no changes	17:13
tobiash	but I have that same problem with the starting builds sensor anyway	17:14
jkt	30s for cloning to /tmp	17:14
tobiash	jkt: the executor doesn't know upfront if it's a noop, but I guess the parallelization could make this 1min 21s much smaller	17:14
jkt	10s for checking out the respective branches in there	17:14
tobiash	so yes, that sounds like the parallelization will help there quite a lot	17:15
jkt	sounds like I should build from git once again :)	17:16
jkt	does the REST API of zuul-web need that JS Build stack?	17:16
jkt	or is that just for the dashboard web app?	17:16
tobiash	zuul-web serves the dashboard webapp	17:17
tobiash	or do you offload it to apache?	17:18
jkt	I don't offload that, nope	17:18
jkt	I'm wondering about the /api/tenant/.../ etc	17:18
tobiash	the api works without, but is quite useless without the ui	17:19
jkt	ah, I would probably lose that console streamer as well, then	17:21
tobiash	yes	17:22
tobiash	and the status page	17:22
*** pwhalen has joined #zuul		17:23
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Optionally parallelize update threads https://review.openstack.org/635496	17:29
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Optionally parallelize update threads https://review.openstack.org/635496	17:30
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Parallelize update threads https://review.openstack.org/635496	17:31
openstackgerrit	Mohammed Naser proposed openstack-infra/nodepool master: docker: don't daemonize when starting images https://review.openstack.org/635584	17:39
*** jpena is now known as jpena\|off		17:59
*** jesusaur has quit IRC		18:07
*** gtema has quit IRC		18:11
tobiash	corvus, SpamapS: do we want to target the multi ansible spec for next week? I think I've addressed all comments so far.	18:19
SpamapS	tobiash: Where's that spec? It doesn't seem to have topic:multi-ansible	18:21
SpamapS	or did it merge?	18:21
tobiash	SpamapS: https://review.openstack.org/623927	18:22
tobiash	I'll set the topic	18:22
SpamapS	thanks, just couldn't find it ;)	18:23
tobiash	:)	18:23
corvus	tobiash, SpamapS: to be clear, i think the utility of having the executor run the install script on startup isn't for quick-start -- i agree, that should be at cointainer build-time. it's for the more traditional pip-install configuration. so that someone who does 'pip instal zuul' has it almost as easy as someone who does 'docker run zuul'	18:24
tobiash	corvus: I can clarify that in the spec	18:25
corvus	i mention it here because i think the three of us have been going back and forth on the spec :)	18:26
tobiash	ok :)	18:26
SpamapS	I see.	18:26
corvus	basically it makes "pip install zuul; zuul-executor" continue to work	18:27
SpamapS	A fair point, and a fine bridge for folks who aren't ready to containerize stuff.	18:27
corvus	i think we still get new users not using containers. though we've gotten a lot of quick-start users showing up.	18:29
SpamapS	Yeah, I see why it's a thing and I don't mind keeping that working for a while.	18:30
corvus	i could see dropping auto-install as a teaching method -- to make sure that people know that's what's going on. but it feels like maybe that may not be worth the additional friction for new users.	18:32
electrofelix	hughsaunders: are you still working on nodepool-agents plugin for jenkinsci to make use of nodepool? wondering if you're around to chat about some questions I have about making use of it (also asked in https://groups.google.com/d/msg/jenkinsci-dev/VA2i-_L350E/uVhO2xRLGQAJ)	18:34
tobiash	and probably even existing users	18:35
SpamapS	honestly	18:39
SpamapS	this feels almost major version-ish	18:39
SpamapS	It's more than a feature	18:39
corvus	no argument here	18:40
corvus	if folks think multi-ansible is v4, and zookeeper-everywhere is v5, that wfm. :)	18:40
corvus	tobiash: so yeah, i'll issue a last call for review on the spec monday with the aim to merge it by the end of the week if there are no major revisions required. sound good?	18:42
clarkb	the problem is wheels not running installation code right? so we somehow have to install portable virtualenvs (or something like that) into the wheel or have the wheel install (or maybe process start up) do the setup?	18:42
tobiash	corvus: sounds good :)	18:42
clarkb	I guess the easiest things is having the executor do it on first run	18:43
clarkb	and it can noop if it is already done for it	18:43
*** ParsectiX has quit IRC		18:44
tobiash	clarkb: yes, it's similarly described in the spec	18:46
clarkb	yup, just making sure I understand. Is the contention question around whether or not zuul should do the installation on startup? I don't really think there is a straightforward method that avoids that (other than requiring a multistep install process)	18:47
*** jesusaur has joined #zuul		18:52
*** sdake has quit IRC		18:58
tobiash	clarkb: we'll support both, manual installation (by calling something like zuul-manage-ansible) and on startup installation (for the lazy pip install use case)	19:01
*** remi_ness has joined #zuul		19:04
*** ParsectiX has joined #zuul		19:28
SpamapS	ugh, looks like my pbrx docker builds are failing now because of something that changed in alpine	19:29
openstackgerrit	Merged openstack-infra/zuul master: Update git connection logging https://review.openstack.org/635204	19:29
* SpamapS accelerates switch to dockerfile builds		19:29
*** saneax has joined #zuul		19:38
*** jesusaur has quit IRC		19:40
*** jesusaur has joined #zuul		19:41
*** sdake has joined #zuul		19:47
*** sdake has quit IRC		19:49
*** pwhalen has quit IRC		19:50
*** sdake has joined #zuul		19:51
openstackgerrit	Mohammed Naser proposed openstack-infra/zuul master: docker: add state folder https://review.openstack.org/635618	19:52
*** sdake has quit IRC		19:53
*** sdake has joined #zuul		19:54
openstackgerrit	Mohammed Naser proposed openstack-infra/zuul master: docker: start process in foreground https://review.openstack.org/635619	19:55
mordred	mnaser: ^^ lgtm ... for the state folder - should we mark that as a volume?	19:58
mnaser	mordred: it looks like most of what goes in the state folder is command control socket, pid files and things that aren't really as much of state	19:59
tobiash	mordred: I'm just asking myself how I could overlook the foreground thingy ^	19:59
mnaser	so i think it should live within the container (imho)	19:59
mordred	tobiash: yah - same here	19:59
mordred	mnaser: kk	19:59
tobiash	mordred: how did the quickstart then work? I'd expected if zuul daemonizes pid 1 exits and that should exit the container...	20:00
mordred	tobiash: maybe because we're using dumb-init it still works?	20:00
tobiash	ah, that's the reason	20:00
tobiash	dumb-init is pid1	20:00
mordred	mnaser: actually - at least on the scheduler, /var/lib/zuul contains the keys, which are precious and shoudl go on a volume	20:01
mnaser	tobiash, mordred quick start works because someone explicitly dropped the -d in the command in docker-compose	20:01
mnaser	mordred: ah that's true	20:01
mnaser	i mean tbh i'd feel that /var/lib/zuul/.ssh is the real thing to use in this case	20:02
mordred	mnaser: no - I mean the per-project encryption keys	20:02
mnaser	oh	20:02
mnaser	i was thinking ssh keys	20:02
mordred	mnaser: there's /var/lib/zuul/keys which have those	20:02
mnaser	in that case volume makes a lot of sense.. assuming 'volume' does a mkdir	20:03
tobiash	mnaser: then you could just completely drop the command in the docker-compose for zuul-web and executor	20:03
mordred	mnaser: I believe it does - I think it makes the mount point	20:03
mordred	tobiash: ++	20:03
mnaser	ok well i can revise the patch and update the quickstart	20:03
mordred	cool	20:03
tobiash	mnaser: yes, volume creates that dir	20:03
tobiash	mnaser: thanks	20:04
mordred	mnaser: yeah - thanks - great improvements	20:04
SpamapS	thank god for dumb-init eh? ;-)	20:04
tobiash	I'm using tini	20:05
tobiash	but that's basically doing the same	20:05
openstackgerrit	Mohammed Naser proposed openstack-infra/zuul master: docker: start process in foreground https://review.openstack.org/635619	20:07
openstackgerrit	Mohammed Naser proposed openstack-infra/zuul master: docker: add state folder https://review.openstack.org/635618	20:07
mnaser	mordred, tobiash ^ added depends-on on the nodepool change too	20:07
mordred	mnaser: ++	20:07
*** remi_ness has quit IRC		20:07
tobiash	mnaser: btw, depends-on with changeid is deprecated ;)	20:11
mnaser	tobiash: i know but i'm old school and lame	20:11
mnaser	:)	20:11
mnaser	another fun one	20:13
mnaser	zuul-fingergw tries to drop perms into user 'zuul'	20:13
tobiash	... which doesn't exist...	20:13
mnaser	http://paste.openstack.org/show/744710/	20:14
tobiash	mnaser: I think that should be made optional. e.g. when running in openshift fingergw would run on an unprovileged port with perms already dropped	20:15
clarkb	shouldn't the zuul user exist in the imges though?	20:15
corvus	i added the -d in the compose file, because the quick-start was made when we built pbrx containers which didn't use -d	20:16
corvus	the zuul user does not exist in the images	20:16
corvus	it runs as "root"	20:16
clarkb	shoul we create the zuul user?	20:17
tobiash	I don't think so	20:17
mnaser	but the root isn't a real root i guess inside a container	20:17
clarkb	mnaser: depends on whether or not you namespace users but ya	20:17
*** saneax has quit IRC		20:17
tobiash	it just makes things mode complicated if running e.g. in openshift	20:17
corvus	mordred has discussed possibly creating a zuul user. regardless of that, the immediate issue is that we have an overly aggressive default	20:17
corvus	i feel like i just spelled out how to fix this	20:18
corvus	let me dig up irc logs	20:18
corvus	http://eavesdrop.openstack.org/irclogs/%23zuul/%23zuul.2019-02-01.log.html#t2019-02-01T19:50:09	20:20
corvus	from 19:50 through 20:00	20:20
clarkb	the problem is that if you assume unprivileged ports then you need a proxy of some sort. If you don't assume privileged ports then you have to do something like the code currently does. Maybe key off the port value? also I should read ^	20:20
corvus	i don't see any of the described patches uploaded :(	20:21
corvus	dkehn: were you planning on pushing up the change to run fingergw in quick-start?	20:21
clarkb	ah yup I think the described fix would work	20:22
pabelanger	tobiash: what issues would use see with zuul user in openshift container?	20:22
dkehn	corvus: once I get it totally working	20:23
tobiash	pabelanger: openshift by default starts the process with a random uid and gid=0 which has no relationship to the passwd in the container. Further you cannot switch the user in this case.	20:23
tobiash	so if possible we should not make any assumptions on the users. If we can manage this the image will be generic enough to run anywhere	20:24
clarkb	do we also need to override the port for running in a container or will we assume privelege within the container network namespace for the current user?	20:24
clarkb	that assumption is likely safe given how many people use docker	20:24
tobiash	granted the executor needs privileges, but the others don't and should imho also work with default restrictions	20:24
tobiash	in openshift you need to run fingergw on an unprivileged port like 1079 and have the service dispatch from 79 to 1079	20:25
pabelanger	tobiash: ah, good to know. When I was trying to run docker nodepool from ansible, I ended up crafting the following systemd execstart: http://paste.openstack.org/show/744712/ passing -u flag, because docker image (pbxr) was root. This was the only way I could get volumes to properly work, as they had permissions of nodepool:nodepool (1001). Since then, I haven't really looped back to trying to run docker under	20:26
pabelanger	systemd	20:26
pabelanger	I always thought, if user inside container was nodepool, I could drop the -u flag	20:26
pabelanger	(but likely wrong)	20:27
*** sshnaidm is now known as sshnaidm\|off		20:29
tobiash	when working in openshift folders that need to be written by zuul need to be either mounted as a volune or chowned <foo>:0 and g+w if it's inside the container rootfs (a process has uid=random and gid=0 by default)	20:29
tobiash	ftr, more info on that topic is here: https://docs.okd.io/latest/creating_images/guidelines.html#openshift-specific-guidelines	20:31
*** sdake has quit IRC		20:31
tobiash	most important the chapter "Support Arbitrary User IDs"	20:31
*** sdake has joined #zuul		20:32
pabelanger	tobiash: yah, I don't believe I setup any specific docker volumes via docker, was only trying to bindmount directly to filesystem	20:33
tobiash	in the end a docker volume also just gets bind mounted into the filesystem	20:35
openstackgerrit	James E. Blair proposed openstack-infra/zuul master: Remove default user for fingergw https://review.openstack.org/635632	20:37
openstackgerrit	James E. Blair proposed openstack-infra/zuul master: Remove default zookeeper hosts https://review.openstack.org/635633	20:37
corvus	i think those should be in 3.7, so i set a WIP on the first, but we can go aheand and review/discuss them	20:38
mnaser	if you go with the github application route, how do you 'add' the ssh key to clone things (or does it clone using the api token or something?)	20:41
tobiash	mnaser: zuul doesn't use ssh in that case	20:42
mnaser	tobiash: ok so that option should technically be ignored when not using a webhook (perhaps i should push up a doc change)?	20:43
tobiash	mnaser: it gets per installation tokens on demand that expire every hour	20:43
mnaser	https://zuul-ci.org/docs/zuul/admin/drivers/github.html#attr-<github%20connection>.sshkey	20:43
mnaser	this one that is	20:43
tobiash	I wonder why there is even a ssh key	20:44
tobiash	because even with the api token method it should use that and https	20:44
mnaser	tobiash: the web hook thing says you need a user with the ssh key	20:44
mnaser	https://zuul-ci.org/docs/zuul/admin/drivers/github.html#web-hook	20:44
tobiash	have to re-read the source	20:44
pabelanger	is that the ssh key you define, if not using github app?	20:44
tobiash	yes	20:45
mnaser	so the docs should probably clarify that	20:45
mnaser	i guess	20:45
tobiash	mnaser: so rereading the code, yes when using api token you need the ssh key	20:46
tobiash	mnaser: but more important, when using app key a defined ssh key will break you	20:46
openstackgerrit	Mohammed Naser proposed openstack-infra/zuul master: doc: clarify sshkey option usage in github connection https://review.openstack.org/635640	20:47
mnaser	tobiash: ^	20:47
mnaser	also mordred mind +w https://review.openstack.org/#/c/635584/ to unblock similar zuul change (i added a depends-on)	20:48
tobiash	mnaser: https://git.zuul-ci.org/cgit/zuul/tree/zuul/driver/github/githubconnection.py#n969	20:48
mnaser	yep thats what i noticed too	20:48
tobiash	if you declare an ssh key, it is taken regardless of the auth method	20:48
tobiash	and since you cannot attach an ssh key to an app this will break zuul	20:48
corvus	mnaser, tobiash: if you're embarking on the '-d' route, remember that has implications for logging	20:49
corvus	mordred: ^	20:49
tobiash	we probably should document/verify conflicting settings in the github driver	20:49
tobiash	corvus: which implications do you mean? I think I forgot them	20:50
corvus	mnaser, tobiash, mordred: tell me you've thought through the logging issue; otherwise maybe we ought to give those changes a little more thoughtL	20:50
mnaser	are we talking about docker implications or zuul implications	20:51
corvus	both	20:51
tobiash	corvus: do you mean the no-logging-on-invalid-log-config-problem?	20:51
corvus	tobiash: i mean the fact that "-d" doesn't just mean run-in-foreground	20:52
corvus	the "d" in "-d" stands for "debug"	20:52
mnaser	o	20:52
corvus	so that change is actually "run zuul in full debug mode, in the foreground"	20:52
mnaser	okay, that's a different story, i was under the impression it was foreground	20:52
corvus	it's both, because zuul was written before containers existed, and this option is as old as zuul :)	20:53
tobiash	hrm, we're running zuul in -d mode since the beginning :)	20:53
tobiash	but we're still running it in debug logging mode...	20:53
mnaser	https://github.com/openstack-infra/zuul/blob/485f1205a358c4c2297967ca70454d923b8c7b04/zuul/cmd/__init__.py#L141-L145	20:53
mnaser	L145 is where we go debug	20:54
corvus	i'm generally in favor of the change, but i'd like someone to assure me they've worked through the implications :)	20:54
mnaser	i feel like the right thing™ is to add a -f option	20:54
mnaser	having said that, i don't think i have time to do the small rewrite to add -f and make -d do -f + debug	20:56
mnaser	though it seem relatively trivial	20:56
pabelanger	I run -d with log_config setup in zuul.conf, and belive logging works correctly	20:56
tobiash	ah, we're running with log config: https://github.com/openstack-infra/zuul/blob/485f1205a358c4c2297967ca70454d923b8c7b04/zuul/cmd/__init__.py#L137	20:56
tobiash	so we need to think about what happens with no log config and -d	20:57
mnaser	you get debug logging to stdout (that's what i have right now)	20:57
tobiash	so judging from the code the only difference I see is debug vs non-debug logging	20:58
tobiash	I think I would have noticed other problems if there were any	21:00
tobiash	I know that e.g. signal handling and command socket work with -d	21:01
pabelanger	it also worked well under systemd, been using it for a while in local testing	21:01
tobiash	corvus: so the question is, is it ok to have debug logging in the container if no log config is configured?	21:01
corvus	tobiash: i think we'd probably want the normal (info i think) logging -- same as you'd get running a daemon with no logging config	21:03
corvus	so i think that means mnaser's suggestion of splitting the arg into f and d may be the best path	21:03
tobiash	ok, I'll push up a change that adds -f with info and leaves -d as it is (except the description)	21:03
corvus	then Dockerfile should use the foreground option only	21:07
tobiash	kk	21:17
tobiash	corvus: do we want to retain debug logging in the quick start?	21:20
tobiash	or switch this to info too?	21:20
corvus	tobiash: i could go either way, but maybe let's try info.	21:20
corvus	if we get a lot of people showing up with questions and we say "enable debug logging" maybe we switch :)	21:21
tobiash	... or improve logging	21:21
corvus	even better	21:21
tobiash	so I think it's even beneficial to use info. Then we get a better feeling if info is sufficient for finding problems.	21:22
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Add foreground option https://review.openstack.org/635649	21:25
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: [WIP] web: add tenant and project scoped, JWT-protected actions https://review.openstack.org/576907	21:26
corvus	tobiash: i think the same situation applies in nodepool	21:28
tobiash	corvus: already on it	21:28
corvus	cool	21:28
corvus	i wiped 635584	21:29
*** sdake has quit IRC		21:29
openstackgerrit	Tobias Henkel proposed openstack-infra/nodepool master: docker: don't daemonize when starting images https://review.openstack.org/635584	21:33
clarkb	tobiash: my only concern was that side effecting self.args like that might not be safe, but we already use that method of setting nodaemon elsewhere so should be fine. +2	21:34
tobiash	clarkb: I had the same thoughts but this way was the way of least impact ;)	21:35
clarkb	tobiash: https://review.openstack.org/#/c/635584/2 comment on that though	21:36
openstackgerrit	Tobias Henkel proposed openstack-infra/nodepool master: docker: don't daemonize when starting images https://review.openstack.org/635584	21:36
*** sdake has joined #zuul		21:36
tobiash	clarkb: updated	21:37
clarkb	+2 thanks	21:37
tobiash	clarkb, corvus: not urgent, but it would be great if you could add 616306 (resource usage stats) to your review queue. I think that would be useful for the openstack deployment too	21:39
clarkb	ya I'll add it to my todo list	21:40
tobiash	thanks :)	21:46
*** sdake has quit IRC		21:51
*** sdake has joined #zuul		21:55
*** sdake has quit IRC		21:56
*** sdake has joined #zuul		21:57
openstackgerrit	Mohammed Naser proposed openstack-infra/zuul master: doc: fix sqlalchemy database url docs path https://review.openstack.org/635670	22:17
*** sdake has quit IRC		22:34
*** panda is now known as panda\|off		22:59
*** sdake has joined #zuul		23:23
*** ParsectiX has quit IRC		23:48
openstackgerrit	Tristan Cacqueray proposed openstack-infra/zuul master: web: add buildsets page https://review.openstack.org/630041	23:52
openstackgerrit	Tristan Cacqueray proposed openstack-infra/zuul master: web: add buildset page https://review.openstack.org/630079	23:53
openstackgerrit	Tristan Cacqueray proposed openstack-infra/zuul master: web: add /{tenant}/buildset/{uuid} route https://review.openstack.org/630078	23:53
openstackgerrit	Tristan Cacqueray proposed openstack-infra/zuul master: web: add buildset page https://review.openstack.org/630079	23:53

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!