| *** sdake has quit IRC | 00:00 | |
| *** AJaeger has quit IRC | 00:42 | |
| *** AJaeger has joined #zuul | 00:56 | |
| *** bhavikdbavishi has quit IRC | 01:32 | |
| *** rfolco has quit IRC | 01:59 | |
| *** rfolco has joined #zuul | 01:59 | |
| *** sdake has joined #zuul | 02:17 | |
| *** sdake has quit IRC | 02:19 | |
| *** sdake has joined #zuul | 02:22 | |
| *** bhavikdbavishi has joined #zuul | 02:45 | |
| *** sdake has quit IRC | 02:46 | |
| *** swest has quit IRC | 02:49 | |
| *** bhavikdbavishi has quit IRC | 02:59 | |
| *** swest has joined #zuul | 03:05 | |
| *** bhavikdbavishi has joined #zuul | 04:16 | |
| *** bhavikdbavishi has quit IRC | 04:30 | |
| *** bhavikdbavishi has joined #zuul | 04:48 | |
| *** zbr has joined #zuul | 05:03 | |
| *** zbr|ssbarnea has quit IRC | 05:04 | |
| *** bhavikdbavishi has quit IRC | 05:26 | |
| SpamapS | hrm, after upgrading I'm getting this and not sure what it means.. | 06:01 |
|---|---|---|
| SpamapS | Exception: Project GoodMoney/tech is not allowed to run job gmapi-post | 06:01 |
| SpamapS | guessing that's the CVE protection | 06:06 |
| SpamapS | and I need to do something explicit with that job. Hrm. | 06:06 |
| SpamapS | weird though, because the job is only defined *in GoodMoney/tech* | 06:07 |
| SpamapS | ah I think it's the parent | 06:10 |
| *** chkumar|out is now known as chandankumar | 07:27 | |
| tobiash | SpamapS: do you think it would be useful to support ec2 spot instances in nodepool? | 07:43 |
| *** bhavikdbavishi has joined #zuul | 09:48 | |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: WIP: Manage ansible installations https://review.openstack.org/631930 | 10:06 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: WIP: Symlink ansible plugins https://review.openstack.org/636022 | 10:06 |
| *** sdake has joined #zuul | 10:37 | |
| *** sdake has quit IRC | 10:39 | |
| *** sdake has joined #zuul | 10:44 | |
| *** bhavikdbavishi has quit IRC | 10:53 | |
| *** sdake has quit IRC | 11:00 | |
| *** sdake has joined #zuul | 11:01 | |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: DNM: multi ansible dockerfile https://review.openstack.org/636043 | 11:12 |
| *** sdake has quit IRC | 11:24 | |
| *** sdake has joined #zuul | 11:26 | |
| *** sdake has quit IRC | 11:30 | |
| *** sdake has joined #zuul | 11:30 | |
| *** bhavikdbavishi has joined #zuul | 11:48 | |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: WIP: Manage ansible installations https://review.openstack.org/631930 | 11:50 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: WIP: Symlink ansible plugins https://review.openstack.org/636022 | 11:50 |
| *** bhavikdbavishi has quit IRC | 13:19 | |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: DNM: Fix multi-ansible quickstart https://review.openstack.org/636059 | 13:52 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: WIP: Manage ansible installations https://review.openstack.org/631930 | 14:17 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: WIP: Symlink ansible plugins https://review.openstack.org/636022 | 14:17 |
| *** Miouge- has quit IRC | 15:26 | |
| SpamapS | tobiash: yes I definitely think spot instances makes a lot of sense. | 16:20 |
| SpamapS | tobiash: actually reserved instances makes sense in some contexts too, like if you expect to be running tests constantly. | 16:23 |
| SpamapS | So, if somebody has some time.. I'd like to figure out why a job defined in a project is not allowed to be run *by that project*. | 16:25 |
| SpamapS | Exception: Project GoodMoney/tech is not allowed to run job gmapi-post | 16:26 |
| SpamapS | The job uses secrets from the same project. | 16:26 |
| tobiash | SpamapS: sounds weird, maybe a side effect of the last security fix? | 17:58 |
| tobiash | SpamapS: is the secret on that job or on a parent job? | 17:59 |
| Shrews | tobiash: oh, ok. yeah, i misunderstood the symlinking bit. thx for setting me straight | 18:19 |
| tobiash | Shrews: thanks for reviewing :) | 18:35 |
| SpamapS | tobiash: the secret is defined in GoodMoney/tech and is attached on gmapi-post itself. | 18:43 |
| SpamapS | There are two variants of the job, one for master, one for a branch named prod. | 18:44 |
| tobiash | SpamapS: https://review.openstack.org/#/c/632566/2/zuul/configloader.py | 18:45 |
| tobiash | maybe it should have been the canonical name | 18:45 |
| tobiash | in line 672 | 18:45 |
| tobiash | hrm, no project.name looks correct | 18:48 |
| AJaeger | SpamapS: do you have the config to check for that repo? | 18:48 |
| SpamapS | AJaeger: I'm not sure what you mean. | 18:49 |
| AJaeger | SpamapS: you talk about problems for GoodMoney/tech with gmapi-post - what's the job definition for it? | 18:49 |
| AJaeger | Do other jobs defined in that repo run or is it that the only defined job? | 18:49 |
| AJaeger | SpamapS: I don't know whether I can help - but without the config I have no idea... | 18:50 |
| SpamapS | AJaeger: Yes jobs run in check/gate, but so far no post jobs have run since upgrading from 3.3.1 to latest master. | 18:51 |
| SpamapS | http://paste.openstack.org/show/744805/ is the pipeline | 18:52 |
| SpamapS | http://paste.openstack.org/show/744806/ is the job definition (two variants as you see) | 18:54 |
| tobiash | SpamapS: does the parent have a secret too? | 18:55 |
| AJaeger | SpamapS: has the parent job with-ecr-credentials credentials as well? | 18:55 |
| tobiash | in an untrusted repo? | 18:55 |
| tobiash | SpamapS: if the parent has a secret and is in an untrusted too it would be the only allowed-project | 18:56 |
| tobiash | that could explain what you're seeing | 18:56 |
| SpamapS | https://github.com/GoodMoney/goodmoney-zuul-jobs/blob/master/.zuul.d/project.yaml#L6-L11 is where with-ecr-credentials is defined (that repo is not private) | 18:57 |
| SpamapS | tobiash: ah, so with-ecr-credentials is the one that isn't allowed to run in tech | 18:57 |
| tobiash | SpamapS: yes | 18:57 |
| SpamapS | kk, that makes sense | 18:57 |
| tobiash | you'd need to move this into a trusted repo probably | 18:57 |
| tobiash | we had a similar case last week | 18:58 |
| SpamapS | I've thought about doing that since goodmoney-zuul-jobs is supposed to be open source stuff | 18:58 |
| SpamapS | tobiash: I wonder if we can improve that error message to point at the real culprit. :-P | 19:01 |
| tobiash | we probably should add the list of allowed problems to that message ;) | 19:02 |
| SpamapS | yeah that would do it | 19:03 |
| SpamapS | heh, moving a job is hard | 19:36 |
| SpamapS | you have to create a new, versioned one, change all references, then remove the old one and rename the new one. | 19:36 |
| SpamapS | Unless you happen to be moving into a shadowing repo | 19:36 |
| SpamapS | I have to say... zuul is great for CI, but I'm more and more convinced it's just too complicated for production deploying. | 20:14 |
| * SpamapS will be trying out AWX to run post-merge deploys :-P | 20:14 | |
| SpamapS | I wonder if we could simplify object renames by adding a replaces: attribute | 20:26 |
| SpamapS | and maybe even require a replaced-by: on the other side. That way you can just land the replaced-by: first, basically gaining consent from the owners of the old object | 20:26 |
| SpamapS | tobiash: thanks for the tip, that did work | 21:12 |
| SpamapS | but zomg was moving the job hard | 21:12 |
| SpamapS | probably would have been simpler to temporarily set up shadowing | 21:12 |
| SpamapS | Took many phases: P1, make new job in trusted repo, P2, change refs to new job name, P3, remove old job, P4, make new job named after old job, but continue to have alias to new job name, P5 revert all of the ref changes, P6 remove the "new job name" alias. | 21:14 |
| mnaser | eh | 23:05 |
| mnaser | bindep doesnt seem to run apt-get update before installing stuff | 23:06 |
| mnaser | resulting in -- No package matching 'build-essential' is available | 23:06 |
| mnaser | if i ssh into a worker node, installing the package gives "E: Package 'build-essential' has no installation candidate" until i run an apt-get update | 23:06 |
| mnaser | is there anything that i'm missing in my elements which should run an apt-get update in the image? | 23:06 |
| mnaser | DIB_DISABLE_APT_CLEANUP | 23:10 |
| clarkb | bindep doesnt really manage your paclage manager | 23:18 |
| clarkb | its job is to list missing packages and not much else | 23:19 |
| mnaser | clarkb: yeah but it looks like the nodepool published image for some reason is missing something.. so it requires running `apt-get update` first before it can install anything | 23:21 |
| mnaser | and im wondering if this is just a missing element in my images or what's causing it to be in that sitaution | 23:21 |
| mnaser | https://www.irccloud.com/pastebin/Ad4hAhEn/ | 23:34 |
| mnaser | oh, all of /var/apt is missing, interesting | 23:35 |
| mnaser | ugh, nevermind, it's /var/lib/apt, and it's there, i'll try to dig more but if anyone has a clue.. | 23:35 |
| mnaser | http://logs.openstack.org/13/635913/1/check/openstack-tox-pep8/0ef3c50/job-output.txt.gz#_2019-02-08_18_47_10_057762 | 23:38 |
| mnaser | ok, that runs upstream which gets the update.. | 23:38 |
| *** goern has quit IRC | 23:47 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!