| *** dmellado has quit IRC | 00:03 | |
| *** dmellado has joined #zuul | 00:04 | |
| openstackgerrit | Ian Wienand proposed openstack-infra/zuul-sphinx master: Add type to role variables https://review.openstack.org/641168 | 00:14 |
|---|---|---|
| ianw | corvus: is there a reason zuul.items[X].ref isn't a thing, or is just something that hasn't been considered? | 00:19 |
| corvus | ianw: for what purpose? | 00:20 |
| corvus | ianw: a job should never directly access a ref | 00:20 |
| corvus | (it may not even be accessible to the job) | 00:21 |
| ianw | corvus: in this case, i was thinking that the zone roles clone a git url, taken from the variables. what is conceivable is that i could look up in items if the zone repo is in items, and pass the ref for the change to the git checkout | 00:22 |
| corvus | ianw: that may be inaccessible (it's perfectly legit for a zuul job not to be able to access the underlying change storage), but moreover, that wouldn't be a valid future state. if a job needs to use a future state, the only way to do that is using the repos on disk. | 00:23 |
| corvus | ianw: so if you wanted to do that, pass the ref to the file:// url on disk | 00:25 |
| ianw | corvus: yeah, i see what you're getting at. i think it might work for a wip change, just to validate, but it's not something you'd commit | 00:27 |
| *** sshnaidm is now known as sshnaidm|afk | 00:28 | |
| ianw | using the ref, i mean, wouldn't be something you commit. so i see the strong argument for it not being exposed | 00:29 |
| *** jesusaur has quit IRC | 00:30 | |
| corvus | ianw: yeah, there are options there, and, wearing my zuul hat, i won't favor any of them. but they are: 1) add the zone project to required-projects and always use the file:// url in the test. 2) inspect zuul.projects to see if the zone repo is present, if so, use the file:// url, otherwise, use the prod url. 3) do what you just suggested -- only use the file:// url in a speculative change. 4) don't do | 00:30 |
| corvus | anything :) | 00:30 |
| corvus | ianw: if you're only after a single speculative change to demonstrate something as a one-off, i think you can swap in a file url hard-coded pretty easily | 00:31 |
| corvus | ianw: if you wanted something more permanent, #1 or #2 would be reasonable designs. | 00:31 |
| corvus | ianw: putting on my opendev hat, i don't think 1 or 2 are worth investing time in for this particular job because the additional data validation we'd obtain would be very small. | 00:32 |
| ianw | agree, what i'm doing in adding this subdomain and the new update option is an outlier, so i think i can satisfy myself with some speculative testing | 00:34 |
| *** jesusaur has joined #zuul | 00:34 | |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/zuul master: web: switch jobs list to a tree view https://review.openstack.org/633437 | 00:58 |
| kmalloc | mhu: commented | 01:11 |
| kmalloc | mhu: i think you're pretty close to being on the mark. nothing too crazy added | 01:12 |
| kmalloc | mhu: s/added/seen. | 01:12 |
| corvus | tristanC: i think i just saw your bug in opendev: http://logs.openstack.org/05/640905/2/check/system-config-run-zuul-preview/f2e90b6/zuul-info/inventory.yaml | 01:25 |
| corvus | tristanC: 640901 is in there twice | 01:25 |
| corvus | tristanC: also, i think we need to reverse sort the artifacts, because the job ended up pushing an older image on top of a newer one | 01:26 |
| corvus | clarkb, mordred: ^ fyi latest patchets are now correctly showing a broken image on the change where it's supposed to be broken, but it's incorrectly using the broken image on the next change too because of that ordering problem. | 01:27 |
| corvus | tristanC: also, we made several changes to the opendev jobs today -- you may want to look again at opendev/base-jobs as well as https://review.openstack.org/640900 | 01:28 |
| *** sdake has quit IRC | 01:29 | |
| tristanC | corvus: hello, thanks for the update | 01:37 |
| tristanC | corvus: i think it would make sens to have job artifacts being passed to child job, similarly to other zuul_return data | 01:38 |
| tristanC | corvus: in our case, we want the rpm-build job output to be used by buildset child job (as well as item behind the queue to re-use what has been build ahead) | 01:39 |
| tristanC | corvus: e.g. replace http://git.zuul-ci.org/cgit/zuul-jobs/tree/roles/buildset-artifacts-location/tasks/main.yaml that by a zuul.artifacts | 01:43 |
| *** sdake has joined #zuul | 01:47 | |
| *** jhesketh has quit IRC | 01:57 | |
| *** jhesketh has joined #zuul | 01:59 | |
| *** bhavikdbavishi has joined #zuul | 02:02 | |
| *** sdake has quit IRC | 02:05 | |
| SpamapS | 2019-03-06 02:05:07,501 DEBUG nodepool.PoolWorker.dev-k8s-west-main: Active requests: [] | 02:05 |
| SpamapS | mmmmmmm... kubernetes driver | 02:05 |
| *** sdake has joined #zuul | 02:30 | |
| *** bhavikdbavishi has quit IRC | 02:39 | |
| *** sdake has quit IRC | 02:42 | |
| *** rlandy|bbl is now known as rlandy | 03:06 | |
| *** saneax has joined #zuul | 03:14 | |
| *** sdake has joined #zuul | 03:20 | |
| *** sdake has quit IRC | 03:23 | |
| *** bhavikdbavishi has joined #zuul | 03:24 | |
| *** sdake_ has joined #zuul | 03:25 | |
| *** bhavikdbavishi has quit IRC | 03:28 | |
| *** bhavikdbavishi has joined #zuul | 03:42 | |
| *** sdake_ has quit IRC | 03:58 | |
| *** rlandy has quit IRC | 04:12 | |
| *** hashar has joined #zuul | 04:30 | |
| *** sdake has joined #zuul | 04:32 | |
| *** sdake has quit IRC | 04:32 | |
| *** sdake has joined #zuul | 04:49 | |
| *** sdake has quit IRC | 04:49 | |
| *** bjackman has joined #zuul | 04:55 | |
| *** raukadah is now known as chandankumar | 04:56 | |
| *** bjackman has quit IRC | 05:02 | |
| *** bjackman has joined #zuul | 05:16 | |
| *** sdake has joined #zuul | 05:24 | |
| *** sdake has quit IRC | 05:24 | |
| *** ianychoi_ has joined #zuul | 05:24 | |
| *** sdake has joined #zuul | 05:26 | |
| *** sdake has quit IRC | 05:26 | |
| *** ianychoi has quit IRC | 05:28 | |
| *** sdake has joined #zuul | 05:31 | |
| *** sdake has joined #zuul | 05:32 | |
| *** sdake has quit IRC | 05:32 | |
| *** sdake has joined #zuul | 05:34 | |
| *** sdake has joined #zuul | 05:37 | |
| *** bjackman has quit IRC | 05:56 | |
| *** hashar has quit IRC | 06:30 | |
| *** hashar has joined #zuul | 06:46 | |
| *** bjackman has joined #zuul | 06:48 | |
| *** quiquell|off is now known as quiquell | 06:53 | |
| *** badboy has quit IRC | 07:18 | |
| *** badboy has joined #zuul | 07:18 | |
| mhu | kmalloc, thx! | 07:19 |
| *** bjackman has quit IRC | 07:31 | |
| *** bjackman has joined #zuul | 07:46 | |
| *** quiquell is now known as quiquell|brb | 07:50 | |
| *** gtema has joined #zuul | 08:09 | |
| *** badboy has quit IRC | 08:18 | |
| *** quiquell|brb is now known as quiquell | 08:28 | |
| *** pcaruana has joined #zuul | 08:29 | |
| *** badboy has joined #zuul | 08:41 | |
| *** jpena|off is now known as jpena | 08:55 | |
| *** bjackman has quit IRC | 09:17 | |
| openstackgerrit | Tristan Cacqueray proposed openstack-infra/nodepool master: Implement a Runc driver https://review.openstack.org/535556 | 09:22 |
| *** sshnaidm|afk has quit IRC | 09:26 | |
| *** bjackman has joined #zuul | 09:27 | |
| *** bjackman has quit IRC | 10:05 | |
| *** hashar has quit IRC | 10:38 | |
| *** electrofelix has joined #zuul | 10:49 | |
| *** sshnaidm|afk has joined #zuul | 10:54 | |
| *** sshnaidm|afk has quit IRC | 10:57 | |
| *** pcaruana has quit IRC | 11:04 | |
| *** panda|ruck|off is now known as panda|ruck|flu | 11:10 | |
| *** bhavikdbavishi has quit IRC | 11:16 | |
| *** bjackman has joined #zuul | 11:18 | |
| *** ianychoi_ is now known as ianychoi | 11:20 | |
| *** pcaruana has joined #zuul | 11:32 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: Proposed spec: tenant-scoped admin web API https://review.openstack.org/562321 | 11:45 |
| *** sshnaidm|afk has joined #zuul | 12:01 | |
| *** bhavikdbavishi has joined #zuul | 12:19 | |
| *** jpena is now known as jpena|lunch | 12:31 | |
| *** TheJulia_sick is now known as TheJulia | 13:05 | |
| *** rlandy has joined #zuul | 13:21 | |
| *** sshnaidm|afk is now known as sshnaidm | 13:32 | |
| *** jpena|lunch is now known as jpena | 13:34 | |
| *** bhavikdbavishi has quit IRC | 13:36 | |
| *** quiquell is now known as quiquell|lunch | 13:42 | |
| *** jamesmcarthur has joined #zuul | 13:45 | |
| *** gtema has quit IRC | 13:46 | |
| *** pcaruana has quit IRC | 13:51 | |
| *** sdake has quit IRC | 13:54 | |
| *** quiquell|lunch is now known as quiquell | 13:55 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] web: add tenant and project scoped, JWT-protected actions https://review.openstack.org/576907 | 13:55 |
| *** sdake has joined #zuul | 14:00 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Allow operator to generate auth tokens through the CLI https://review.openstack.org/636197 | 14:01 |
| *** pcaruana has joined #zuul | 14:01 | |
| *** rfolco|pto is now known as rfolco|ruck | 14:02 | |
| *** gtema has joined #zuul | 14:08 | |
| *** sdake has quit IRC | 14:17 | |
| *** jamesmcarthur has quit IRC | 14:18 | |
| *** sdake has joined #zuul | 14:22 | |
| *** sdake has quit IRC | 14:24 | |
| *** jamesmcarthur has joined #zuul | 14:35 | |
| *** jamesmcarthur has quit IRC | 14:36 | |
| *** jamesmcarthur_ has joined #zuul | 14:36 | |
| bjackman | Does anyone know how what I need to make persistent in order for the secret encryption keys to persist when zuul containers are recreated? | 14:36 |
| pabelanger | you'll want to do it on the scheduler container, for /var/lib/zuul/keys (default) directory | 14:38 |
| *** sdake has joined #zuul | 14:39 | |
| bjackman | pabelanger, ah perfect, thanks! | 14:42 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Allow operator to generate auth tokens through the CLI https://review.openstack.org/636197 | 14:43 |
| bjackman | Docker noobiness here - I'm guessing it won't be possible to persist that directory retroactively now that the container is already up? | 14:44 |
| bjackman | I guess worst case I can pull the contents out of the live container, manually create a volume with those contents, then restart it with that volume mounted | 14:44 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] web: add tenant and project scoped, JWT-protected actions https://review.openstack.org/576907 | 14:47 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Allow operator to generate auth tokens through the CLI https://review.openstack.org/636197 | 14:47 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Zuul CLI: allow access via REST https://review.openstack.org/636315 | 14:49 |
| *** sdake has quit IRC | 15:00 | |
| *** chandankumar is now known as chkumar|pto | 15:03 | |
| *** sdake has joined #zuul | 15:05 | |
| *** gtema has quit IRC | 15:11 | |
| mordred | bjackman: yeah - I believe that's likely what you want to do - I don't know of any way to retroactively make a container dir into a volume | 15:18 |
| *** quiquell is now known as quiquell|off | 15:21 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] web: add tenant and project scoped, JWT-protected actions https://review.openstack.org/576907 | 15:26 |
| pabelanger | corvus: mordred: tobiash: when you have a moment, do you mind looking at backscoll about pastebin I posted yesterday about a stuck job: http://eavesdrop.openstack.org/irclogs/%23zuul/%23zuul.2019-03-05.log.html#t2019-03-05T17:46:35 | 15:28 |
| *** pcaruana has quit IRC | 15:53 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Allow operator to generate auth tokens through the CLI https://review.openstack.org/636197 | 15:56 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Zuul CLI: allow access via REST https://review.openstack.org/636315 | 15:57 |
| pabelanger | do we have any outstanding issues that would prevent a zuul release this week? | 16:01 |
| electrofelix | Is it possible in zuulv3 to have a set of jobs defined centrally where a project must run one of them, but it's upto the project as to which one? use case is providing security scanners for python/go/etc, just require a project runs one of them | 16:03 |
| electrofelix | looking at use cases to justify upgrading | 16:03 |
| clarkb | pabelanger: the base64 commit message change is merged and openstack is running that commit for all zuul processes. My hunch is that that version is releasable based on openstack's lack of problems with it so far | 16:03 |
| clarkb | electrofelix: I don'tthink there is any annotation system that forces a project to run a subset of jobs | 16:04 |
| clarkb | electrofelix: I'd probably approach that via central config repo if it was a strong requirement | 16:04 |
| pabelanger | clarkb: great! | 16:05 |
| electrofelix | clarkb: so more likely to need a central job that checks what jobs are configured for a project and just error if missing one from a required set? | 16:05 |
| clarkb | electrofelix: ya that could be a test job on the central config, then any time central config updates check if your rule is met and fail if not | 16:06 |
| *** pcaruana has joined #zuul | 16:06 | |
| electrofelix | clarkb: thanks, there's always a way ;-) | 16:07 |
| clarkb | electrofelix: fwiw openstack has taken a more "trust the projects its their code anyway" approach and so far people seem to have stuck to the ruleset | 16:08 |
| electrofelix | clarkb: sometimes we have to do things that seem insane but are mandated anyway | 16:09 |
| *** sdake has quit IRC | 16:09 | |
| *** saneax has quit IRC | 16:12 | |
| *** sdake has joined #zuul | 16:14 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Add Authorization Rules configuration https://review.openstack.org/639855 | 16:14 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Add Authorization Rules configuration https://review.openstack.org/639855 | 16:39 |
| *** sdake has quit IRC | 16:48 | |
| *** sdake has joined #zuul | 16:49 | |
| openstackgerrit | James E. Blair proposed openstack-infra/zuul master: WIP allow soft job dependencies https://review.openstack.org/641439 | 16:49 |
| *** pcaruana has quit IRC | 16:55 | |
| *** sdake has quit IRC | 16:56 | |
| SpamapS | Are there any roles in review or in zuul-jobs for making use of kubernetes namespace resources? | 16:57 |
| SpamapS | Just checking before I start writing them. | 16:57 |
| *** panda|ruck|flu is now known as panda|ruck|off | 16:57 | |
| clarkb | SpamapS: I'm not sure but searching for changes owned by tristanC is probably a good way to find them if so | 17:01 |
| SpamapS | clarkb: ty, I'll peek | 17:12 |
| *** rlandy is now known as rlandy|brb | 17:21 | |
| *** hashar has joined #zuul | 17:28 | |
| tobiash | pabelanger: sorry, was afk | 17:38 |
| *** rlandy|brb is now known as rlandy | 17:38 | |
| tobiash | pabelanger: looks like you had a network glitch when fetching an installation key from github (new installation?) | 17:39 |
| tobiash | pabelanger: we probably don't have a retry there | 17:39 |
| mugsie | tristanC: would you object to me taking over https://review.openstack.org/#/c/554432/ ? | 17:43 |
| pabelanger | tobiash: yes, poor network for executors, there was an outage during that window | 17:43 |
| mordred | mugsie: he's in asia timezone - but I am 100% certain he would not object | 17:45 |
| tobiash | pabelanger: I guess this would have saved you: https://review.openstack.org/590697 | 17:45 |
| mugsie | mordred: cool, I will start looking at it | 17:45 |
| tobiash | merged 4 weeks ago so maybe not in your release yet | 17:45 |
| tobiash | pabelanger: judging from your stack trace this seems like the correct fix | 17:46 |
| pabelanger | tobiash: ah, yes. I think you are right | 17:47 |
| pabelanger | will wait until next release to debug more | 17:47 |
| tobiash | pabelanger: yah, confirmed, not in latest release | 17:48 |
| clarkb | mugsie: mordred yup tristanC has said in the past that he does not have the ability to test that driver so would like someone that can to take over | 17:48 |
| mordred | mugsie: it's also quite old and the internal api has shifted quite a bit - so you might want to look at the ec2 driver as a starting point for thinking about it | 17:48 |
| mugsie | mordred: yeah, I did a rebase, and realised it was all changed :) | 17:48 |
| pabelanger | tobiash: ++ | 17:48 |
| *** jamesmcarthur_ has quit IRC | 17:50 | |
| *** jamesmcarthur has joined #zuul | 17:50 | |
| *** jamesmcarthur has quit IRC | 17:50 | |
| *** jamesmcarthur has joined #zuul | 17:51 | |
| mordred | mugsie: :) | 17:51 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Validate ansible installations on startup https://review.openstack.org/637418 | 18:07 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Make ansible version configurable https://review.openstack.org/637422 | 18:07 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Install ansible during executor startup if needed https://review.openstack.org/640644 | 18:07 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Support ansible 2.6 https://review.openstack.org/631931 | 18:07 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: WIP: Support ansible 2.7 https://review.openstack.org/631932 | 18:07 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Switch default ansible version to 2.7 https://review.openstack.org/637424 | 18:07 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: DNM: zuul-stream-functional debugging https://review.openstack.org/640648 | 18:07 |
| SpamapS | mmmmmmmmmmm | 18:07 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: DNM: Test concurrent tox remote https://review.openstack.org/640654 | 18:07 |
| SpamapS | multi-ansible implementation makes me happy | 18:08 |
| tobiash | SpamapS: it's almost feature complete :) | 18:09 |
| tobiash | 2.7 has some problems left | 18:09 |
| *** hashar is now known as hasharAway | 18:13 | |
| SpamapS | Did we actually decide to drop the ansible-level restrictions btw? Or is that still just out there as an idea? | 18:14 |
| tobiash | SpamapS: there was no decision yet | 18:14 |
| SpamapS | That would certainly make your job easier. :) | 18:15 |
| clarkb | ansible-level restrictions? | 18:15 |
| pabelanger | tobiash: ansible-root path will come from zuul.conf? | 18:15 |
| corvus | clarkb: drop the in-tree ansible plugin overrides and rely entirely on bwrap | 18:16 |
| tobiash | pabelanger: yes, will be configurable | 18:16 |
| corvus | i owe us a mailing list message on the topic | 18:17 |
| tobiash | SpamapS: it's more the log streaming tests that behave a little bit different in 2.7 | 18:18 |
| corvus | we've just batted the idea around a bit in here so far | 18:18 |
| *** jpena is now known as jpena|off | 18:19 | |
| clarkb | mordred: re using the ansible operator code any concern that the ansible k8s module doesn't actually work with k8s currently (we had to override dependencies to make it work due to bugs in swagger python code generation) | 18:23 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Add foreground option https://review.openstack.org/635649 | 18:24 |
| clarkb | I wonder if it wouldn't be easier to support an operator that wasn't going through an extra layer of abstraction | 18:25 |
| pabelanger | clarkb: I kinda agree, there would be work to do on ansible-operator side too, if we went down that path. | 18:26 |
| mordred | clarkb: I mean - I think it would be hard for ansible-operator to exist if the k8s module didn't work - so I imagine perhaps whatever is in the base ansible-operator image they've likely got that part sorted out? | 18:26 |
| clarkb | mordred: ya they could be overriding dependencies like we had to do | 18:27 |
| mordred | but if there are bugs or places where it's not awesome yeah - we might need to work with the ansible-operator folks to improve it | 18:27 |
| clarkb | mordred: fwiw I expected that it would be odd for k8s module to not work but it totally doesn't work with the specified deps | 18:27 |
| mordred | clarkb: yeah. this is one of the 'nice' things about the baseline being an image - we just get the thing with all the deps in it | 18:28 |
| mordred | clarkb: the other alternatives are writing a ton of go code - or learning/adopting helm - both of which also have a decent amount of cost to them - I think I'd rather spend that extra cost makign teh ansible-operator work if needed :) | 18:28 |
| mordred | seems to align the most with other places we put energy into already | 18:29 |
| corvus | tbh, considering what an operator does, ansible sounds like it could be a good match :) | 18:29 |
| clarkb | (also in defense of ansible k8s module the bug was in python k8s module imported by openshift k8s module which specified the broken range) | 18:29 |
| pabelanger | I'm going to try their hello-world example today, see what all the fuss is about | 18:31 |
| pabelanger | I can't figure out if ansible-runner is running in the same container as the service or something else | 18:32 |
| clarkb | pabelanger: I think ansible runs separately and talks to the k8s api to provision the service containers | 18:32 |
| clarkb | pabelanger: if you didn't do it that way you'd end up having to have ansible in your service container images which would be weird | 18:32 |
| clarkb | then whenever k8s events happen your ansible is triggered whcih can change the state of your application (and ya I think writing small playbooks/roles is likely easier for that then boilerplate go) | 18:33 |
| mordred | basically there is a service, written in go, which exists in the base operator image that runs when you create teh operator | 18:33 |
| clarkb | (I just haven't seen that actualyl work in practice without working around bugs in about 3 layers of code) | 18:33 |
| mordred | that service listens for events from k8s and when it gets them it runs the playbook or role you have configured for it to run when it gets the appropriate event | 18:34 |
| mordred | the playbooks themselves then can take k8s api actions | 18:34 |
| pabelanger | okay, that is what I hoped | 18:34 |
| clarkb | https://github.com/openshift/openshift-restclient-python/blob/master/requirements.txt#L3 is still broken fwiw | 18:34 |
| clarkb | so they must fix that in their operator image | 18:34 |
| pabelanger | so, if one had a k8s / openshift, you could write ansible playbooks today to do something | 18:34 |
| pabelanger | then deal with moving into operator later | 18:35 |
| mordred | you define the watches in a yaml file: https://github.com/operator-framework/operator-sdk/blob/master/doc/ansible/user-guide.md#watches-file | 18:35 |
| mordred | then you can write roles that do things, liek this: https://github.com/operator-framework/operator-sdk/blob/master/doc/ansible/user-guide.md#defining-the-memcached-deployment | 18:36 |
| pabelanger | I think https://github.com/water-hole/ansible-operator is the base container | 18:36 |
| pabelanger | however, does list it as pre-alpha | 18:36 |
| clarkb | https://pypi.org/project/kubernetes/#history doesn't have a non beta fix yet though | 18:37 |
| clarkb | so can't blame openshift client much | 18:37 |
| mordred | the base image is https://quay.io/repository/operator-framework/ansible-operator | 18:38 |
| *** hasharAway is now known as hashar | 18:38 | |
| mordred | pabelanger: but yeah - you should be able to write ansible playbooks and run them manually against a k8s | 18:39 |
| corvus | tristanC: \o/ i finally made a test reproducer for the duplicate artifact error! | 18:39 |
| *** bjackman has quit IRC | 18:40 | |
| pabelanger | mordred: yah, minikube just finishing up now. will try shortly | 18:40 |
| mordred | corvus: \o/ | 18:40 |
| corvus | mordred, pabelanger: i'm *really* excited about what the gate testing is going to look like for this. cross-project dependencies with speculative images in buildset registries and full k8s deployments :) | 18:41 |
| pabelanger | corvus: yes, me too | 18:42 |
| clarkb | actually I wonder if their usage/testing of thati s all one shot containers that only run a single k8s task | 18:43 |
| clarkb | in that case your python threads wouldn't coalesce and exit but you wouldn't really notice because it did the thing you want | 18:43 |
| kmalloc | mhu: +1 looks good to me. i think it needs the maximum_validity_time, but you've covered most everything | 18:43 |
| *** dkehn has quit IRC | 18:48 | |
| *** jamesmcarthur has quit IRC | 18:50 | |
| *** jamesmcarthur has joined #zuul | 18:51 | |
| *** jamesmcarthur has quit IRC | 18:55 | |
| SpamapS | clarkb: big assumption: "they" test and use it. | 19:14 |
| mordred | SpamapS: if they don't - they're potentially about to meet some new friends. :) | 19:18 |
| SpamapS | vigorous friends | 19:18 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Fix test race with Watchdog thread still running https://review.openstack.org/641473 | 19:18 |
| mordred | rigorous vigorous friends | 19:19 |
| tobiash | corvus, mordred, clarkb: that should resolve a test race I observed in http://logs.openstack.org/18/637418/9/check/tox-py35/53ff413/testr_results.html.gz ^ | 19:19 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Run tox remote concurrent https://review.openstack.org/640654 | 19:22 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: WIP: Support ansible 2.7 https://review.openstack.org/631932 | 19:22 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Switch default ansible version to 2.7 https://review.openstack.org/637424 | 19:22 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: DNM: zuul-stream-functional debugging https://review.openstack.org/640648 | 19:22 |
| corvus | tobiash: i like that pattern | 19:22 |
| tobiash | :) | 19:23 |
| clarkb | tobiash: do we have to set self.end to 0? looks like we only check it in self._run which happens after self.start() and self.start() sets it | 19:23 |
| tobiash | clarkb: it's just because otherwise it's not really a member variable and the warning in the ide was annoying | 19:23 |
| clarkb | silly IDEs | 19:24 |
| tobiash | well, I would agree with my IDE that it's a good habit to declare all members in _init_ | 19:25 |
| clarkb | ya its not a bad idea | 19:25 |
| SpamapS | Gets more important with type hinting. | 19:25 |
| *** rfolco|ruck has quit IRC | 19:26 | |
| *** electrofelix has quit IRC | 19:27 | |
| *** rfolco has joined #zuul | 19:27 | |
| SpamapS | Oh the little barber-pole thing on starting jobs is nice. It would be nice if the streaming page did something similar (if you click too soon, it just says "END OF STREAM" ) | 19:30 |
| *** tima has joined #zuul | 19:36 | |
| openstackgerrit | Merged openstack-infra/zuul master: Fix test race with Watchdog thread still running https://review.openstack.org/641473 | 20:10 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Allow operator to generate auth tokens through the CLI https://review.openstack.org/636197 | 20:26 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Zuul CLI: allow access via REST https://review.openstack.org/636315 | 20:26 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Add Authorization Rules configuration https://review.openstack.org/639855 | 20:27 |
| *** jamesmcarthur has joined #zuul | 20:30 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Web: plug the authorization engine https://review.openstack.org/640884 | 20:32 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Web: plug the authorization engine https://review.openstack.org/640884 | 20:37 |
| *** pwhalen has quit IRC | 20:37 | |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Zuul Web: add /api/user/actions endpoint https://review.openstack.org/641099 | 20:38 |
| SpamapS | Hrm, so with the namespace label type.. I guess I still need a pod from which to run kubectl on said namespace. | 20:44 |
| clarkb | SpamapS: I thought the idea was to run it from the executor? | 20:45 |
| clarkb | you'll have to install things on the executor for that to work (as you noted in email earlier today) | 20:45 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Log exception on module failure with empty stdout https://review.openstack.org/640650 | 20:45 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: [WIP] Zuul Web: add /api/user/actions endpoint https://review.openstack.org/641099 | 20:46 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Log exception on module failure with empty stdout https://review.openstack.org/640650 | 20:52 |
| SpamapS | clarkb: if I run it from the executor I need all the jobs to be trusted. | 20:53 |
| SpamapS | I want to let people run kubectl apply. | 20:53 |
| SpamapS | On the namespace they were just given. | 20:53 |
| *** fdegir has quit IRC | 20:53 | |
| SpamapS | I *think* the right way to do that is to copy up the .kube/config that zuul generates from the node info. | 20:53 |
| clarkb | ya I think in my example you'd have to use the k8s module | 20:54 |
| SpamapS | into a pod that has kubectl | 20:54 |
| clarkb | but you can still do the rough equivalent of kubectl apply | 20:54 |
| *** fdegir has joined #zuul | 20:54 | |
| SpamapS | k8s module is allowed on untrusted? | 20:56 |
| SpamapS | (that would totally work) | 20:56 |
| clarkb | yes I blieve it is. Its just python requests to the k8s api (or similar its a bunch of generate code by swagger) | 20:56 |
| clarkb | so there is no fork to worry about | 20:56 |
| clarkb | see my notes about how its broken though :( the fix is to install the beta release of 9.0 kubernetes package | 20:57 |
| pabelanger | so, I have minishift running on laptop, I ran into something with minikube, I tried loading zuul/zuul-web from dashboard and see this warning right away: Image zuul/zuul-merger runs as the root user which might not be permitted by your cluster administrator. | 20:57 |
| pabelanger | I guess that is becaue the user inside the container is root? | 20:57 |
| clarkb | pabelanger: and openshift wants to lock things down iirc | 20:58 |
| pabelanger | but the container or pod I guess, did start it seems | 20:58 |
| clarkb | tobiash: has to run a separte openshift with fewer restrictions than their main one iirc | 20:58 |
| pabelanger | yah, I'll have to read up on it | 20:58 |
| pabelanger | i think this came up before, but any reason for user inside container not to be root? | 20:59 |
| SpamapS | clarkb: trying k8s now | 20:59 |
| tobiash | pabelanger: because this is default in openshift because it's multi-tenant and being paranoid is probably important when doing multi-tenancy with containers | 21:00 |
| clarkb | pabelanger: I think I've asked before and iirc we couldn't come up with a good reason not to and you already get a root user? | 21:01 |
| clarkb | pabelanger: this might be a good erason not to (just to avoid people thinking we are doing bad things with thier images) | 21:01 |
| pabelanger | clarkb: yah, I don't know if it matters or not. I know there was some discussion a while back on interweb about running apps as non-root in container, but don't know if that did anything or not | 21:02 |
| pabelanger | but so far, this minishift seems to be running the pod okay | 21:03 |
| pabelanger | if I had a zuul.conf file, that is | 21:03 |
| *** zbr|ssbarnea has joined #zuul | 21:07 | |
| *** zbr has quit IRC | 21:10 | |
| pabelanger | tobiash: reading, it seems the root user in container might be something controlled by cluster admin? I see some posts on web to remove that requirement | 21:12 |
| tobiash | yes, that's possible | 21:12 |
| tobiash | and that's exactly the reason for us running a dedicated openshift (as an admin of a multi tenant openshift would never do that) | 21:13 |
| pabelanger | so, it isn't the fact the container is asking for privileged, running as root user in the container is an issue too? | 21:14 |
| tobiash | yes | 21:16 |
| clarkb | unless you do user namespacing which rhel doesn't do by default? | 21:17 |
| tobiash | root and privileged are two things in containers. You can be root without privileges in containers. But this is restricted in openshift too (probably due to possible kernel bugs) | 21:17 |
| tobiash | the user namespacing can help with the executor because with that bwrap doesn't need to be root or privileged | 21:18 |
| tobiash | but yes, that's disabled in rhel by default | 21:18 |
| pabelanger | maybe tomorrow I'll work on change to switch from root user in container and see if that makes minishift happier | 21:19 |
| clarkb | aiui that big runc vulnerability that just happened was not an issue if you used user namespacing | 21:20 |
| clarkb | (also not an issue for podman which your openshift might use? probably too early for that shift to have been made though) | 21:20 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Manage ansible installations within zuul https://review.openstack.org/631930 | 21:21 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Validate ansible installations on startup https://review.openstack.org/637418 | 21:22 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Make ansible version configurable https://review.openstack.org/637422 | 21:22 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Install ansible during executor startup if needed https://review.openstack.org/640644 | 21:22 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Support ansible 2.6 https://review.openstack.org/631931 | 21:22 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Run tox remote concurrent https://review.openstack.org/640654 | 21:22 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: WIP: Support ansible 2.7 https://review.openstack.org/631932 | 21:22 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: Switch default ansible version to 2.7 https://review.openstack.org/637424 | 21:22 |
| openstackgerrit | Tobias Henkel proposed openstack-infra/zuul master: DNM: zuul-stream-functional debugging https://review.openstack.org/640648 | 21:22 |
| openstackgerrit | Matthieu Huin proposed openstack-infra/zuul master: Proposed spec: tenant-scoped admin web API https://review.openstack.org/562321 | 21:22 |
| mhu | kmalloc, I've addressed your last comment, I think we're good to go! | 21:23 |
| kmalloc | cool! i can only +1, but let me re-+1 | 21:24 |
| *** jamesmcarthur has quit IRC | 21:24 | |
| *** jamesmcarthur has joined #zuul | 21:24 | |
| *** jamesmcarthur has quit IRC | 21:28 | |
| *** hashar has quit IRC | 21:39 | |
| tobiash | mordred: I just saw this awesome mail thread about zuul operator. I'll respond tomorrow. But I have to say that I also already thought about it and really like that idea :) | 21:50 |
| pabelanger | heh, need to update docker version. Seem fedora 29 version doesn't support multi-stage builds | 21:53 |
| SpamapS | There are some components that you just have to get upstream. :-P | 22:11 |
| SpamapS | pip, docker, etc. | 22:11 |
| mordred | ++ | 22:14 |
| *** pabelanger has quit IRC | 22:32 | |
| openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Fix duplicate and reversed artifacts https://review.openstack.org/641508 | 22:46 |
| corvus | tristanC: ^ there's the bugfix | 22:47 |
| corvus | tristanC: i looked into extending provides/requires artifact collection for jobs within the same buildset. i don't think that's going to work because we would quickly end up with unresolvable loops. so i think if you want to collect artifacts from the same buildset, we should use the existing dependency relationships between jobs to do so. i think the end result is the same, it's just going to be a new | 22:59 |
| corvus | chunk of code to implement it. | 22:59 |
| openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Allow soft job dependencies https://review.openstack.org/641439 | 23:10 |
| corvus | clarkb, mordred, fungi: https://review.openstack.org/641508 is green and should fix the bug that's blocking the demonstration in https://review.openstack.org/640905 | 23:12 |
| fungi | looking | 23:12 |
| corvus | it's one of those 2 line fixes with 37 lines of commit message. | 23:13 |
| fungi | yeah, and a bunch of regression testing | 23:17 |
| fungi | very detailed commit message | 23:17 |
| corvus | figured we should get something for half a day's work :) | 23:17 |
| clarkb | corvus: is there ever a case that method would return false? | 23:20 |
| clarkb | seems like the side effects on data are what we really want (possible this is a canidate for furhter simplification in that case?) | 23:20 |
| corvus | clarkb: hrm. it seems like there should be, let me walk through it again | 23:21 |
| corvus | oh there they are, in lines 2282-2287 | 23:21 |
| clarkb | ah yup | 23:22 |
| corvus | oh, i think i may have found an error | 23:23 |
| *** rlandy is now known as rlandy|bbl | 23:24 | |
| corvus | i think we don't want to recurse up the (a) side. i think we always want to go up the (b) case. | 23:24 |
| corvus | because our change may have extra dependencies | 23:25 |
| openstackgerrit | James E. Blair proposed openstack-infra/zuul master: Fix duplicate and reversed artifacts https://review.openstack.org/641508 | 23:28 |
| corvus | clarkb, fungi: ^ i think that's a more correct solution | 23:29 |
| corvus | passes the relevant tests locally | 23:30 |
| mordred | corvus: that one has 8 lines of code instead of 4 - does that mean it's twice or half as good as the previous patch? | 23:32 |
| corvus | mordred: i like less than half of it half as well as it deserves. | 23:36 |
| fungi | and more than half of it half as well as it would like? | 23:37 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!