Monday, 2019-03-11

*** jamesmcarthur has joined #zuul		01:41
*** jamesmcarthur has quit IRC		01:48
openstackgerrit	Tristan Cacqueray proposed openstack-infra/nodepool master: Implement an OpenShift Pod provider https://review.openstack.org/590335	01:52
*** ruffian_sheep has joined #zuul		02:08
ruffian_sheep	I meet some problem,I'm try to build a third party CI.Maybe someone had seen me many times lolool.I set the zuul like the layout.yaml. And the result changed after my serval times retry.I dont know what'is the problem.	02:17
ruffian_sheep	http://paste.openstack.org/show/747521/	02:17
ruffian_sheep	It's right at first and it turned to merge,then failed.	02:18
openstackgerrit	Tristan Cacqueray proposed openstack-infra/zuul master: web: add tenant and project scoped, JWT-protected actions https://review.openstack.org/576907	02:32
tristanC	ruffian_sheep: is this zuul v2 ?	02:45
ruffian_sheep	yes	02:46
ruffian_sheep	tristanC:Is it have been abandoned?	02:46
tristanC	corvus: about the requires artifacts, how are we supposed to cope with a 404 URL, for example when logs are expired after purge?	02:47
tristanC	ruffian_sheep: it's no longer developped, there is no stable/v2 branch for example... Why not using the new v3 version?	02:48
ruffian_sheep	tristanC:Sad...The zuul v3 is more difficult for me ...I find two document to build the Third party ci.One used the zuul v2,link:https://docs.openstack.org/infra/openstackci/third_party_ci.html	02:55
ruffian_sheep	tristanC:The others is that :https://zuul-ci.org/docs/zuul/admin/zuul-from-scratch.html	02:57
ruffian_sheep	tristanC:The second uses the zuul v3,but it also had some problem I can solve....	02:58
ruffian_sheep	tristanC:The problem is that when i used the zuul v3.:http://paste.openstack.org/show/745241/	03:01
ruffian_sheep	tristanC:I can do the cmd by myself,but it cannot be used by the service.	03:01
*** bjackman has quit IRC		03:30
*** bjackman has joined #zuul		03:34
*** jamesmcarthur has joined #zuul		03:39
tristanC	ruffian_sheep: can you do ssh -i ~zuul/.ssh/id_rsa hjy@review.openstack.org -p 29418 ?	03:49
ruffian_sheep	tristanC:Yes,I can	03:51
tristanC	ruffian_sheep: you may want to participate in this spec: https://specs.openstack.org/openstack-infra/infra-specs/specs/zuulv3-3rd-party-ci.html	03:51
tristanC	ruffian_sheep: is the zuul user able to create directory in /var/lib/zuul/executor-git/review.openstack.org/openstack-dev/sandbox ?	03:52
tristanC	e.g., perhaps one of the directory is owned by root instead of zuul	03:53
ruffian_sheep	tristanC:0.0 But I can do the cmd to clone the repo	03:54
ruffian_sheep	tristanC:I have read the document you sent,Zuul-from-scratch.This is the link i just sent to you.	03:55
ruffian_sheep	tristanC:What is the meaning of able to create directory in /var/lib/zuul/executor-git/review.openstack.org/openstack-dev/sandbox ?	03:56
tristanC	ruffian_sheep: the paste you linked show a "Cmd('git') failed due to: exit code(-13)" which i think highlight a permission issue	04:01
tristanC	ruffian_sheep: make sure zuul can write in that directory, e.g. run "chown -R zuul:zuul ~zuul/executor-git"	04:02
*** jamesmcarthur has quit IRC		04:32
ruffian_sheep	tristanC:Thx dude,I will check it	05:45
openstackgerrit	Ian Wienand proposed openstack-infra/zuul-sphinx master: Add type to role variables https://review.openstack.org/641168	05:53
*** ianychoi has quit IRC		06:32
*** ianychoi has joined #zuul		06:32
*** ianychoi has quit IRC		06:35
*** ianychoi has joined #zuul		06:36
*** saneax has joined #zuul		06:45
*** pcaruana has joined #zuul		07:00
*** themroc has joined #zuul		07:17
openstackgerrit	Tristan Cacqueray proposed openstack-infra/nodepool master: Add python-path option to node https://review.openstack.org/637338	07:37
openstackgerrit	Tristan Cacqueray proposed openstack-infra/nodepool master: Implement an OpenShift Pod provider https://review.openstack.org/590335	07:37
openstackgerrit	Tristan Cacqueray proposed openstack-infra/nodepool master: Implement a Runc driver https://review.openstack.org/535556	07:41
*** badboy has joined #zuul		07:43
*** fbo__ has joined #zuul		08:10
*** fbo__ is now known as fbo		08:11
*** gouthamr has quit IRC		08:18
badboy	hi guyes	08:19
badboy	s/es/s/	08:19
badboy	is possible to define a job in zuul-config repo for a given project?	08:19
badboy	my goal is not to have any zuul related files in the repo	08:20
tobiash	badboy: yes, absolutely	08:20
*** dmellado has quit IRC		08:20
badboy	tobiash: could you share an example?	08:21
tobiash	just name the project in the project pipeline: https://zuul-ci.org/docs/zuul/user/config.html#attr-project.name	08:21
tobiash	or look into openstack-infra/project-config	08:21
badboy	tobiash: run: playbooks/puppet-tarball/run.yaml in this case the playbooks dir is located in the repo?	08:25
tobiash	badboy: the playbook must be in the repo where the job is defined	08:25
badboy	tobiash: that's exactly what I am trying to avoid	08:25
tobiash	badboy: so you also can have a shared untrusted repo with zuul jobs	08:26
tobiash	and attach those jobs to another project in a config repo	08:26
badboy	tobiash: I have three repos: repo1, repo2, zuul-config (trusted)	08:26
*** gtema has joined #zuul		08:26
badboy	I would like to have all the the playbooks and configs in the zuul-config repo	08:27
tobiash	badboy: that's unfortunate because then all jobs will be non-speculative	08:27
badboy	tobiash: could you elaborate on that?	08:27
tobiash	badboy: I might want to think about adding another zuul-untrusted-config repo and define the jobs there	08:27
tobiash	jobs defined in trusted repos are not self-testing but are changed only on merge	08:28
badboy	self-testing?	08:29
tobiash	so maybe you want to have repo1, repo2, zuul-untrusted-config (define jobs here), zuul-config (trusted, define projects here)	08:29
tobiash	badboy: jobs in untrusted repos are executed with the predicted future state of the change	08:29
tobiash	jobs in trusted repos are always executed with the current upstream state of the target branch	08:30
badboy	so basically, having job in the trusted repo is no good ;)	08:31
tobiash	badboy: correct, you should put as few jobs as possible into rtusted repos	08:32
badboy	for now I just want to have one job per repo	08:33
badboy	tobiash: one more thing regarding jobs, I have a few scripts that are invoked in the playbooks	08:34
badboy	tobiash: can I store them in zuul-untrusted-config repo as well?	08:34
tobiash	probably yes	08:36
SpamapS	it's a pretty common set up to have a zuul-config repo with your config and a few trusted base jobs to inherit from, and a local-zuul-jobs repo full of untrusted jobs.	08:37
SpamapS	That is how both of my significant zuulv3's have worked.	08:38
*** saneax has quit IRC		08:38
tobiash	++	08:39
badboy	SpamapS: so how do I define a job playbook in the project-config?	08:40
badboy	damn, lack o caffeine	08:40
badboy	nevermind that ;)	08:41
badboy	I have to grab a coffee	08:41
SpamapS	badboy: no worries, basically what you want is job content in untrusted, but project config that ties job content to project and pipeline, in trusted.	08:43
badboy	SpamapS: what about scripts? can I keep them in the untrusted repo?	08:47
*** mhu has joined #zuul		08:48
tobiash	badboy: you probably want to have the scripts in the same repo as the playbooks	08:50
*** zbr has joined #zuul		08:53
*** hashar has joined #zuul		08:54
*** jpena\|off is now known as jpena		08:56
*** saneax has joined #zuul		08:57
*** needssleep has quit IRC		09:01
[GNU]	if `encrypt_secret.py` can gets an 404... there is something wrong, right?	09:49
*** panda is now known as panda\|rover		09:50
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: web: add tenant and project scoped, JWT-protected actions https://review.openstack.org/576907	10:26
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: [WIP] Allow operator to generate auth tokens through the CLI https://review.openstack.org/636197	10:26
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: [WIP] Zuul CLI: allow access via REST https://review.openstack.org/636315	10:26
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: [WIP] Add Authorization Rules configuration https://review.openstack.org/639855	10:26
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: [WIP] Web: plug the authorization engine https://review.openstack.org/640884	10:26
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: Zuul Web: add /api/user/actions endpoint https://review.openstack.org/641099	10:27
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: authentication config: add optional token_expiry https://review.openstack.org/642408	10:27
*** electrofelix has joined #zuul		10:40
*** saneax has quit IRC		10:59
*** gouthamr has joined #zuul		10:59
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: web: add tenant and project scoped, JWT-protected actions https://review.openstack.org/576907	11:03
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: [WIP] Allow operator to generate auth tokens through the CLI https://review.openstack.org/636197	11:03
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: [WIP] Zuul CLI: allow access via REST https://review.openstack.org/636315	11:04
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: [WIP] Add Authorization Rules configuration https://review.openstack.org/639855	11:04
*** dmellado_ has joined #zuul		11:04
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: [WIP] Web: plug the authorization engine https://review.openstack.org/640884	11:04
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: Zuul Web: add /api/user/actions endpoint https://review.openstack.org/641099	11:04
*** dmellado_ is now known as dmellado		11:05
*** markwork has joined #zuul		11:08
markwork	Hey, I can't seem to find the source for the zuul/zuul container on DockerHub, where can I find the Dockerfile?	11:09
*** gtema has quit IRC		11:26
openstackgerrit	Jakub Bielecki proposed openstack-infra/zuul-preview master: add basic description into README.rst https://review.openstack.org/642428	11:41
openstackgerrit	Matthieu Huin proposed openstack-infra/zuul master: authentication config: add optional token_expiry https://review.openstack.org/642408	11:43
*** ruffian_sheep has quit IRC		11:46
*** saneax has joined #zuul		11:46
*** edmondsw has joined #zuul		11:47
bjackman	I'm confused about the project.merge-mode option. It has "merge", "merge-resolve" and "cherry-pick"	11:48
bjackman	But cherry-pick vs merge is orthoganal to the merge strategy	11:49
bjackman	Should there also be a "cherry-pick-resolve"?	11:49
*** gtema has joined #zuul		11:55
*** rlandy has joined #zuul		11:57
*** panda\|rover is now known as panda\|rover\|lunc		12:21
*** bjackman has quit IRC		12:22
*** bjackman has joined #zuul		12:32
*** hashar has quit IRC		12:43
*** hashar has joined #zuul		12:43
*** jamesmcarthur has joined #zuul		12:48
*** jpena is now known as jpena\|lunch		12:57
*** bjackman has quit IRC		12:59
*** bjackman has joined #zuul		13:14
*** panda\|rover\|lunc is now known as panda\|rover		13:23
*** ianychoi has quit IRC		13:28
*** ianychoi has joined #zuul		13:29
*** jamesmcarthur has quit IRC		13:30
*** jamesmcarthur has joined #zuul		13:31
*** jamesmcarthur has quit IRC		13:36
*** jamesmcarthur has joined #zuul		13:45
*** jamesmcarthur_ has joined #zuul		13:49
pabelanger	markwork: it should be in the root folder of https://git.zuul-ci.org/cgit/zuul/	13:51
*** jamesmcarthur has quit IRC		13:53
*** jpena\|lunch is now known as jpena		13:59
mordred	markwork: unfortunately there doens't seem to be any API for seting metadata on dockerhub - metadata about things only gets filled in if you use dockerhub to build images from a github repo	14:00
*** gtema has quit IRC		14:39
*** hashar has quit IRC		14:53
mhu	hello, can anybody tell me where the dockerfiles for opendevorg/python-base and opendevorg/python-builder are? I'd like to see what's on them	14:54
*** hashar has joined #zuul		14:54
pabelanger	mhu: http://git.openstack.org/cgit/openstack-infra/system-config/tree/docker for the moment	14:54
mhu	thanks pabelanger!	14:55
*** hashar has quit IRC		14:55
*** octainne has joined #zuul		15:11
pabelanger	I've noticed zuul web doesn't seem to work well, if the log that is stream is really long	15:16
pabelanger	I am unsure if chrome issue or something else	15:16
pabelanger	https://ansible-network.softwarefactory-project.io/zuul/stream/9f0ee3101f5846c6bbdc31be8bfbfe5a?logfile=console.log	15:17
pabelanger	for example	15:17
pabelanger	okay, firefox does seem a little faster	15:18
mordred	mhu: also, see my comment to markwork about dockerhub not having an API we can use to set metadata about where things like dockerfiles live	15:18
pabelanger	chrome will just die out	15:18
pabelanger	but it could also be poor network	15:19
mordred	mhu: which is my way of saying "sorry there aren't good links, there isn't really a way for us to set them"	15:21
mhu	mordred, it's okay, I was trying to understand what was done to set the images	15:23
mhu	I'd like to set up a compose file with my current JWT-related changes + keycloak for debug/Demo purposes	15:23
mordred	mhu: cool!	15:24
mhu	yeah, if I ever manage to do it!	15:25
*** hashar has joined #zuul		15:30
*** hashar has quit IRC		15:33
*** hashar has joined #zuul		15:33
*** hashar has quit IRC		15:37
*** hashar has joined #zuul		15:37
*** jamesmcarthur_ has quit IRC		15:38
*** jamesmcarthur has joined #zuul		15:38
*** jamesmcarthur has quit IRC		15:57
*** jamesmcarthur has joined #zuul		15:57
*** hashar has quit IRC		15:59
*** hashar has joined #zuul		15:59
*** jamesmcarthur has quit IRC		16:00
*** jamesmcarthur has joined #zuul		16:01
*** themroc has quit IRC		16:05
SpamapS	bjackman: It would actually make some sense to also have a cherry-pick-resolve, yes, but maybe it's just that nobody has asked for that?	16:14
pabelanger	ha, we've been running with out setting a post-timeout for more then 6 months, only today did we notice it.	16:18
pabelanger	(had a stuck job trying upload logs)	16:18
*** pcaruana has quit IRC		16:23
*** pcaruana has joined #zuul		16:23
*** octainne has quit IRC		16:34
*** daniel3 is now known as daniel2		16:39
openstackgerrit	Tobias Henkel proposed openstack-infra/zuul master: Prevent local code execution via the raw module https://review.openstack.org/642518	16:49
tobiash	corvus, mordred: ^	16:50
*** electrofelix has quit IRC		16:52
pabelanger	tobiash: nice find	17:03
*** gtema has joined #zuul		17:04
tobiash	pabelanger: yeah, found this accidentally during the multi-ansible work ;)	17:06
SpamapS	clarkb: I think I just hit the kubernetes bug you were talking about. 401 after the first operation. WHat were you saying was the remedy?	17:13
clarkb	SpamapS: install the python kubernetes lib at the 9.0 beta version	17:13
clarkb	SpamapS: be careful in that openshiftclient pins to version 8 so if you reinstall further up the dep chain you will revert back to broken	17:13
*** kklimonda_ has quit IRC		17:14
*** rfolco has joined #zuul		17:14
SpamapS	ah so just list it after openshift in the requirements?	17:14
*** kklimonda has joined #zuul		17:14
*** bjackman has quit IRC		17:15
*** rfolco\|ruck has quit IRC		17:16
clarkb	maybe? we did an out of band install	17:17
clarkb	I can never keep up with pips changes to how it resolves those conflicts	17:17
clarkb	but ya	17:17
openstackgerrit	Clint 'SpamapS' Byrum proposed openstack-infra/nodepool master: DNM: Pin to Kubernetes 9 beta until it releases https://review.openstack.org/642524	17:18
SpamapS	I use gerrit refs for patches whenever possible. :)	17:18
SpamapS	clarkb: for requirements.txt, it's not a dep solver. It literally just installs each one in series.	17:20
clarkb	SpamapS: yes but when it runs into conflicts it does things	17:21
SpamapS	nah, it just complains	17:21
clarkb	ya I think it may fail	17:21
SpamapS	"Hey you asked for this, but other packages will be broken."	17:21
SpamapS	I wonder if there's any way to solve it not with beta kubernetes driver.	17:22
clarkb	this behavior has changed many times in the last few yaers though	17:22
clarkb	(fwiw I filed the original pip bug "needs dep resolver". I kept up to date on this until I realized it would never be fixed and stopped paying attention)	17:22
clarkb	SpamapS: the issue is the previous kubernetes lib holds threads open	17:22
SpamapS	pipenv is the closest pip has come to having a depsolver	17:22
clarkb	SpamapS: so the wait for threads to close code never finishes and you end up waiting on timeouts iirc	17:23
SpamapS	and it does that by having an explicit lock file.	17:23
clarkb	it is also all generated code	17:23
SpamapS	clarkb: hm, the thing I see.. nodepool is able to make namespaces and pods when it first starts, but then not after a while.	17:23
SpamapS	sounds like it might be the same.	17:23
SpamapS	or not	17:23
clarkb	being generated code I doubt they'd take a fix to 8.0 that was hand rolled. And 9.0 beta is up just need them to release it and we can unpin openshiftclient	17:24
*** jamesmcarthur has quit IRC		17:40
*** jamesmcarthur has joined #zuul		17:41
openstackgerrit	Merged openstack-infra/zuul master: Prevent local code execution via the raw module https://review.openstack.org/642518	17:45
*** jamesmcarthur has quit IRC		17:45
fungi	corvus: mordred: okay to switch the story visibility for that ^ now?	17:47
fungi	tobiash: ^	17:47
tobiash	fungi: fine for me, the fix is merged :)	17:48
tobiash	corvus: or do you like to wait until it's in a release?	17:48
fungi	people reading random stories on storyboard are probably roughly as common as people reading commit messages in git (perhaps even less so)	17:49
clarkb	not getting email about those is the known issue with private stories right?	17:51
fungi	yep	17:51
daniel2	So every time an image to built it redownloads all the openstack repos which takes a long time. Is there a way to have it just reuse the same repos and not update them if no update is needed or something?	17:57
clarkb	daniel2: are you using openstacks elements for that? if so it should already cache them in the dib cache dir	17:58
daniel2	clarkb: using openstack-repos element for that, its downloading them to dib_cache but its still redownloading them every time an image is built.	17:59
*** gtema has quit IRC		17:59
clarkb	it shouldnt do a full download it should just update them	18:00
daniel2	maybe thats what I'm seeing then	18:01
fungi	it's supposed to just check whether there are any new commits at the origin and fetch those to the local clone	18:02
daniel2	you're right, it just says "updating cache"	18:10
openstackgerrit	David Shrewsbury proposed openstack-infra/zuul-preview master: WIP: Begin refactoring code for unit testing https://review.openstack.org/642245	18:13
*** jpena is now known as jpena\|off		18:13
daniel2	It still takes like 10-15 minutes to do just that	18:14
*** markwork has quit IRC		18:17
openstackgerrit	David Shrewsbury proposed openstack-infra/zuul-preview master: WIP: Begin refactoring code for unit testing https://review.openstack.org/642245	18:18
Shrews	fyi, ^^ is mostly just me experimenting/learning. not sure how much effort i'm going to continue to put into that for the time being	18:20
*** jamesmcarthur has joined #zuul		18:20
daniel2	Testing is overrated, it's always best to test your code in production :)	18:20
*** panda\|rover is now known as panda\|rover\|off		18:20
Shrews	daniel2: you subscribe to mordred's newsletter, i see :)	18:21
daniel2	Shrews: I just spent 5 years in the Software QA field, so my ideas of testing are morbid.	18:22
*** jamesmcarthur has quit IRC		18:26
openstackgerrit	Jeremy Stanley proposed openstack-infra/zuul-jobs master: [DNM] exercise base-test as parent in unittests https://review.openstack.org/642536	18:27
fungi	daniel2: yeah, even just checking the remote state for over a thousand git repos will take a while. for your own deployment you might be able to get away with stripping it down to just the repositories used by the jobs you expect to run	18:28
* fungi isn't sure what your goal is though		18:29
daniel2	fungi: Apparently we used to host a local copy with Gitlab, but I feel that would take forever to do. The main goal is because nodestack-base requires openstack-repos. Although I've started modifying the elements as needed. We are still on 0.5.0 and can't upgrade right now.	18:30
daniel2	It's been 3 weeks so far I've been working on this. It would had probably been faster if I upgraded, but I keep having to track down old files, old documentation, etc etc.	18:30
openstackgerrit	Jeremy Stanley proposed openstack-infra/zuul-jobs master: [DNM] exercise base-test as parent in unittests https://review.openstack.org/642536	18:36
openstackgerrit	Jeremy Stanley proposed openstack-infra/zuul-jobs master: [DNM] exercise base-test as parent in unittests https://review.openstack.org/642536	18:39
*** jamesmcarthur has joined #zuul		18:47
mnaser	i remember this being brought up in context of zuul dev where running gpg commands would autostart the gnupg agent	19:14
mordred	yup	19:15
mnaser	how did you workaround that?	19:15
* mnaser is trying to get a container of something and needs to import gpg keys for apt repo and getting weird warnings around process going up		19:15
mordred	mnaser: one sec - lemme get the cantrip for you	19:16
mordred	mnaser: ok - so weirdly, if you run "gpg-agent --daemon your command here" - it will run gpg without spawning a long-lived daemon process	19:17
* mnaser blinks		19:18
mordred	yeah	19:18
mordred	don't thnik about it too much	19:18
mnaser	o-ok	19:18
mnaser	works for me.	19:18
mordred	also don't ask too many questions about why it's so impossible to avoid spawning a daemon	19:18
*** saneax has quit IRC		19:23
pabelanger	apparently you can use mask to stop the gpg-agant daemon from even starting, but need to mask like 4 services: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850982#45	19:48
openstack	Debian bug 850982 in gnupg-agent "Add instructions to disable gpg-agent user service in README.Debian" [Normal,Fixed]	19:48
corvus	i'll tag 5ae25f004a32ea76558564612903cef917c3e5b9 as 3.6.1 sound good?	19:50
corvus	tobiash, mordred: ^	19:50
tobiash	corvus: ++	19:51
*** dkehn has joined #zuul		19:51
corvus	tobiash: do you want to write an announcement?	19:51
tobiash	yes I can, just a minute	19:52
mordred	corvus: ++	19:59
tobiash	corvus, mordred, fungi: how does that look like? https://etherpad.openstack.org/p/X3NlVoP2ZL	20:01
mordred	lgtm	20:01
tobiash	mordred: I shamelessly copied parts of your last security mail ;)	20:01
corvus	tobiash: ++	20:02
mordred	tobiash: that's the way I like to write emails :)	20:02
tobiash	me too :)	20:02
fungi	we should definitely switch the story to public before we send out an announcement referring to it	20:05
fungi	anyone mind if i go ahead and do that now?	20:06
corvus	fungi: ++	20:06
tobiash	oh I thought you did this already ;)	20:06
fungi	okay, story 2005037 is public now	20:06
tobiash	3.6.1 is on pypi now	20:07
pabelanger	upgrading now!	20:08
fungi	tobiash: your announcement looks great, thanks!	20:08
fungi	in the future we can take advantage of the its-storyboard plugin for gerrit by switching the story to public right before pushing the fix to gerrit, and including a corresponding task footer in the commit message	20:11
fungi	ideally the story itself doesn't disclose any more information than can be obtained by looking at the patch anyway	20:11
corvus	Shrews: what's the status of authenticated zookeeper connections?	20:16
corvus	looks like https://review.openstack.org/619155 is the answer to that	20:19
Shrews	corvus: not really familiar with zk auth myself but i can begin looking at that review for us and start digging into it	20:22
corvus	Shrews: cool -- i think we're going to need it for the "use zk instead of gearman" part of zuul v4 for sure ... and maybe sooner based on this email i'm writing right now :)	20:23
tobiash	mordred: re openstacksdk image download memory issue: neither jemalloc nor response.raw.read fixed the issue so we'll have to dig deeper	20:24
clarkb	corvus: Shrews you can use basicauth or kerberos iirc	20:29
clarkb	we probably only need basicauth as we don't need to partition readers and writers aggressively	20:29
mordred	tobiash: BOOO	20:32
pabelanger	Zuul version: 3.6.1 \o/	20:34
tobiash	mordred: maybe I find time to dig into that tomorrow	20:40
*** hashar has quit IRC		20:42
*** hashar has joined #zuul		20:45
*** jamesmcarthur has quit IRC		20:56
SpamapS	clarkb: unfortunately, kubernetes client 9.x.x beta doesn't work for namespaces in nodepool	21:13
SpamapS	http://paste.openstack.org/show/747576/	21:14
clarkb	SpamapS: bah	21:16
clarkb	you'd think it would be eaiser to maintain compat with generated code	21:16
clarkb	just generate all the versions	21:16
openstackgerrit	James E. Blair proposed openstack-infra/zuul-jobs master: Add no_log entries to skopeo copy commands https://review.openstack.org/642574	21:29
corvus	mordred, clarkb, fungi: ^ final cleanup for the buildset registry stuff	21:29
*** pcaruana has quit IRC		21:45
dmsimard	corvus: re - Ansible modules in Zuul: does upstream have an opinion on how we should be managing this at all ? I know that there is a notion of authorized modules in AWX but I'm not familiar with how it works under the hood.	21:51
corvus	dmsimard: plugins, not modules, are the main issue here	21:52
corvus	(though some of the work is custom plugins which then restrict what upstream modules are run)	21:52
corvus	dmsimard: but i'm not familiar with awx authorized modules, do you have a reference?	21:53
corvus	dmsimard: i think the tricky thing is that in many cases, our plugins allow use of certain modules but only if they have certain arguments	21:55
dmsimard	corvus: best reference I can find right now is https://docs.ansible.com/ansible-tower/latest/html/userguide/security.html#playbook-access-and-information-sharing (see the screenshot with a list of enabled modules)	21:57
dmsimard	corvus: I may be conflating definitions of modules and plugins -- action plugins are indeed not modules	22:00
corvus	dmsimard: though, at the end of the day, the thing we wanted to do was "don't allow certain tasks to run". "don't run these modules" is pretty close to that -- enough to make it worth looking into. :)	22:02
fungi	as i understand, even the licensing requirements for action modules and plugins differ	22:02
corvus	fungi: yes, though that isn't a concern in this case	22:02
corvus	(we're happy to carry gpl code)	22:02
fungi	sure, just noting they're quite distinct conceptually	22:02
dmsimard	in any case, I agree that it's not sustainable to "fork" every upstream plugin and I would look at how we might implement a single place where modules (or plugins) are either authorized to run or not based on configuration	22:04
dmsimard	They already have something somewhat similar with callback plugin whitelisting	22:04
corvus	dmsimard: that sounds reasonable -- but does that get us anything? we have no "policy" reasons not to run modules, only security reasons	22:05
corvus	and the security reasons suggest that we either need to filter based on argument, or blacklist almost everything	22:05
*** rfolco is now known as rfolco\|ruck\|off		22:06
dmsimard	yeah, filtering based on arguments makes it a bit more challenging. I'll do some research :)	22:08
*** josefwells has quit IRC		22:18
SpamapS	clarkb: I've never seen generated code work out. The shortcut always leads to a lack of engagement in the target language (see: mordred's libgearman driver ;)	22:27
openstackgerrit	Merged openstack-infra/zuul master: Increase timeout of test_plugins https://review.openstack.org/641803	22:30
openstackgerrit	Merged openstack-infra/zuul master: Fix test race in test_container_jobs https://review.openstack.org/641791	22:30
*** hashar has quit IRC		22:38
corvus	tobiash: i've reviewed the multi-ansible stack	22:42
mordred	SpamapS: I agree - I used to be a fan of the generated bindings approach and have since come to hold the opinion that it's a bad idea	22:48
*** threestrands has joined #zuul		22:50
clarkb	SpamapS: sure I didn't write the kubernetes module. I'm assuming someone from google runs the swagger generator on it	22:55
mrhillsman	before i go digging, is there a way to use [WIP] or [DNM] in the title to disable CI for a PR	23:04
mrhillsman	i mean is it possible out the box	23:04
corvus	mrhillsman: not out of the box. i expect that the gerrit or github triggers could be extended to support matching on commit messages.	23:08
corvus	mrhillsman: but i'm confused by that request. WIP and DNM changes are the ones i'm most interested in seeing CI results on.	23:08
mrhillsman	like a person knows it is not ready for testing cause they are still building it	23:09
mrhillsman	the job(s)	23:10
mrhillsman	someone is asking but i also could use it for that exact use case	23:10
corvus	mrhillsman: even when i know something is going to fail, i still don't always know all the ways it's going to fail. i get tons of useful information that way :)	23:10
mrhillsman	agreed	23:10
mrhillsman	but rather than holding up a resource for a failure i know will happen i would want to hold off	23:11
mrhillsman	cause i am still adding in stuff to the job definition	23:11
mrhillsman	additional tasks, roles, etc	23:12
SpamapS	simplicity buys a lot of resources.	23:12
mrhillsman	cause it is completely nothing right now	23:12
corvus	mrhillsman: sometimes when i'm building a new job, i'll comment out all the others from the in-tree .zuul.yaml	23:12
corvus	that's a special case where we can do something like that.	23:12
mrhillsman	so for a case where i or someone knows it does not make sense to trigger the ci would be good to add that	23:13
mrhillsman	i am sure other use cases could be thought up just wanted to check though	23:14
mrhillsman	appreciate it	23:14
*** threestrands has quit IRC		23:45
openstackgerrit	Merged openstack-infra/zuul-jobs master: Add no_log entries to skopeo copy commands https://review.openstack.org/642574	23:57

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!