Monday, 2019-10-28

*** rfolco|rover has joined #zuul [00:32]
*** panda has quit IRC [01:15]
*** panda has joined #zuul [01:19]
*** rfolco|rover has quit IRC [01:30]
*** jamesmcarthur has joined #zuul [02:06]
*** swest has quit IRC [02:37]
*** ianychoi__ has joined #zuul [02:38]
*** ianychoi_ has quit IRC [02:41]
*** swest has joined #zuul [02:51]
*** jamesmcarthur has quit IRC [03:02]
*** jamesmcarthur has joined #zuul [03:03]
*** jamesmcarthur has joined #zuul [03:03]
*** jamesmcarthur has quit IRC [03:05]
*** jamesmcarthur has joined #zuul [03:06]
*** jamesmcarthur has quit IRC [03:11]
*** jamesmcarthur has joined #zuul [03:36]
*** jamesmcarthur has quit IRC [03:42]
*** bhavikdbavishi has joined #zuul [03:48]
*** jamesmcarthur has joined #zuul [04:16]
*** jamesmcarthur has quit IRC [04:20]
*** panda has quit IRC [04:34]
*** panda has joined #zuul [04:37]
*** jamesmcarthur has joined #zuul [04:48]
*** jamesmcarthur has quit IRC [04:53]
*** sshnaidm_ has joined #zuul [05:05]
*** sshnaidm|off has quit IRC [05:06]
*** bolg has joined #zuul [05:15]
*** bhavikdbavishi has quit IRC [05:29]
*** jamesmcarthur has joined #zuul [05:49]
*** jamesmcarthur has quit IRC [05:54]
*** jamesmcarthur has joined #zuul [06:10]
*** panda has quit IRC [06:41]
*** panda has joined #zuul [06:43]
*** jamesmcarthur has quit IRC [06:44]
*** gtema has joined #zuul [07:10]
*** jamesmcarthur has joined #zuul [07:47]
*** jamesmcarthur has quit IRC [07:51]
*** gtema has quit IRC [07:53]
*** tosky has joined #zuul [08:03]
*** jpena|off is now known as jpena [08:05]
*** themroc has joined #zuul [08:07]
*** sshnaidm__ has joined #zuul [08:27]
*** sshnaidm_ has quit IRC [08:27]
*** hashar has joined #zuul [08:35]
*** panda has quit IRC [08:45]
*** panda has joined #zuul [08:47]
*** jamesmcarthur has joined #zuul [08:48]
*** jamesmcarthur has quit IRC [08:53]
*** jangutter has joined #zuul [09:04]
*** saneax has joined #zuul [09:23]
*** jamesmcarthur has joined #zuul [09:24]
*** jamesmcarthur has quit IRC [09:28]
*** sshnaidm__ is now known as sshnaidm [09:43]
*** dustinc is now known as dustinc_pto [10:07]
*** jamesmcarthur has joined #zuul [10:24]
*** saneax has quit IRC [10:25]
*** saneax has joined #zuul [10:28]
*** jamesmcarthur has quit IRC [10:29]
*** panda is now known as panda|pto [10:33]
*** tosky_ has joined #zuul [11:08]
*** tosky has quit IRC [11:12]
*** tosky_ is now known as tosky [11:18]
*** jangutter has quit IRC [11:24]
*** jamesmcarthur has joined #zuul [11:25]
*** jamesmcarthur has quit IRC [11:30]
*** jangutter has joined #zuul [11:43]
*** rfolco|rover has joined #zuul [11:56]
*** rfolco|rover is now known as rfolco|rucker [11:58]
*** rfolco|rucker is now known as rfolco|ruck [11:58]
*** jamesmcarthur has joined #zuul [12:11]
*** rlandy has joined #zuul [12:13]
*** jamesmcarthur has quit IRC [12:29]
*** jangutter has quit IRC [12:43]
*** jamesmcarthur has joined #zuul [12:46]
*** jpena is now known as jpena|lunch [12:49]
*** sanjayu_ has joined #zuul [13:04]
*** saneax has quit IRC [13:07]
*** sanjayu_ has quit IRC [13:28]
openstackgerrit: Felix Schmidt proposed zuul/zuul master: Make reporting asynchronous  https://review.opendev.org/691253 [13:34]
openstackgerrit: David Shrewsbury proposed zuul/nodepool master: Take advantage of fetch-output  https://review.opendev.org/689473 [13:55]
Shrews: I'm confused why that ^^ passes check but not gate [13:55]
*** themroc has quit IRC [13:55]
*** themroc has joined #zuul [13:58]
*** bolg has quit IRC [14:03]
*** themroc has quit IRC [14:05]
*** themr0c has joined #zuul [14:05]
*** jamesmcarthur has quit IRC [14:06]
*** jpena|lunch is now known as jpena [14:08]
*** ffloreth__ has joined #zuul [14:23]
*** themr0c has quit IRC [14:25]
*** raukadah is now known as chandankumar [14:26]
*** jamesmcarthur has joined #zuul [14:28]
*** jamesmcarthur has quit IRC [14:34]
openstackgerrit: Merged zuul/zuul-website master: Correct mistyped name in Tungsten Fabric case  https://review.opendev.org/691522 [14:36]
*** jamesmcarthur has joined #zuul [14:42]
*** ffloreth__ has quit IRC [15:13]
openstackgerrit: James E. Blair proposed zuul/zuul-jobs master: WIP: Test buildset registry with k8s and docker  https://review.opendev.org/689280 [15:22]
*** todun has joined #zuul [15:43]
tristanC: Shrews: it seems like the gate failure is unrelated to the fetch-output change, e.g. https://zuul.opendev.org/t/zuul/build/71466f70171a4e4ea88557d84b61ccfd/log/job-output.txt#32000-32001 [15:43]
*** mattw4 has joined #zuul [15:48]
*** igordc has joined #zuul [16:05]
dmellado: mnaser: o/ ping, around? [16:05]
openstackgerrit: James E. Blair proposed zuul/zuul-jobs master: WIP: Test buildset registry with k8s and docker  https://review.opendev.org/689280 [16:06]
Shrews: tristanC: no, it's related. see a few lines above that:    ls: cannot access '/home/zuul/zuul-output/logs/nodepool/builds/': No such file or directory [16:06]
Shrews: i just don't understand why that would sometimes succeed [16:07]
*** Goneri has joined #zuul [16:07]
dmellado: Goneri: o/ [16:08]
dmellado: I was just pinging mnaser on the flavor sizes@vexxhost [16:08]
mnaser: hi dmellado [16:15]
*** todun has quit IRC [16:34]
*** todun has joined #zuul [16:35]
openstackgerrit: James E. Blair proposed zuul/zuul master: WIP: Don't add implicit role if plugin found  https://review.opendev.org/691715 [16:38]
*** bhavikdbavishi has joined #zuul [16:40]
*** phildawson has quit IRC [16:42]
*** jamesmcarthur has quit IRC [16:49]
*** jpena is now known as jpena|off [16:50]
openstackgerrit: James E. Blair proposed zuul/zuul master: Don't add implicit role if plugin found  https://review.opendev.org/691715 [16:59]
tristanC: Shrews: oh indeed... so in check it does create the directory: https://zuul.opendev.org/t/zuul/build/d1413f987c4c41c2ad14721d125296d1/log/job-output.txt#29238-29241 [17:02]
tristanC: but not in gate: https://zuul.opendev.org/t/zuul/build/71466f70171a4e4ea88557d84b61ccfd/log/job-output.txt#29243-29245 [17:02]
tristanC: it's as if the gate pipeline didn't pick the change [17:04]
*** hashar has quit IRC [17:05]
openstackgerrit: James E. Blair proposed zuul/zuul-jobs master: WIP: Test buildset registry with k8s and docker  https://review.opendev.org/689280 [17:08]
*** Goneri has quit IRC [17:14]
*** Goneri has joined #zuul [17:15]
corvus: tristanC, clarkb: take a look at https://review.opendev.org/689280  - it passes!  :)  there's still at least one spot where we can get hit by a skopeo ipv6 error.  but it's really close. [17:27]
Shrews: tristanC: the check log you pasted is with the newest patchset which I just pushed up this morning that makes sure that directory is created. [17:29]
Shrews: it's weird that sometimes that isn't needed, apparently   *shrugs* [17:29]
*** pcaruana has joined #zuul [17:31]
*** Goneri has quit IRC [17:35]
*** igordc has quit IRC [17:43]
*** Goneri has joined #zuul [17:48]
*** bhavikdbavishi has quit IRC [18:13]
*** pcaruana has quit IRC [18:30]
*** pcaruana has joined #zuul [18:31]
clarkb: corvus: left a couple of comments. What are the remaining ipv6 issues? [18:44]
corvus: clarkb: there's a todo comment in the change for one of them, and i think a couple of the recent failures were ipv6 as well. [18:46]
clarkb: I guess this isn't using socat? [18:47]
corvus: i'm unclear about whether we can solve them with hostname entries, or if we need a second socat or what.... [18:47]
clarkb: fwiw I believe that things work if names resolve to ipv6 addrs [18:47]
clarkb: we didn't end up using that method in production because it required updating /etc/hosts within executor bwrap contexts and that got a little hacky [18:48]
corvus: yeah, but i think the executor (or the fake executor) may be involved, and i think we used socat because we didn't want to make /etc/hosts changes on the executor? [18:48]
clarkb: yup [18:48]
corvus: though -- did it work? [18:48]
clarkb: yes I believe it worked [18:48]
corvus: but we just found it distasteful? [18:48]
clarkb: well I should rephrase I don't know if we could update /etc/hosts with the existing bwrap mount rules [18:48]
clarkb: but when tested without bwrap interfering docker push and pull seemed to work with /etc/hosts hacks [18:49]
corvus: anyway, the action item is to dig into that at least enough to articulate the question properly :) [18:49]
*** openstackgerrit has quit IRC [18:50]
*** Goneri has quit IRC [18:51]
*** mordred has quit IRC [18:52]
*** todun_ has joined #zuul [19:09]
*** todun has quit IRC [19:10]
*** todun_ is now known as todun [19:10]
*** hashar has joined #zuul [19:20]
*** igordc has joined #zuul [19:27]
*** Goneri has joined #zuul [19:40]
*** hashar is now known as hasharAway [19:47]
*** todun has quit IRC [19:50]
*** ryanpetrello has joined #zuul [19:51]
*** todun has joined #zuul [19:53]
*** pcaruana has quit IRC [20:02]
*** hasharAway is now known as hashar [20:07]
*** todun has quit IRC [20:14]
*** mordred has joined #zuul [20:43]
*** jamesmcarthur has joined #zuul [20:47]
corvus: clarkb: i *think* the only remaining ipv6 issue is that todo -- and the problem is basically this:  on the executor, we pull from the intermediate registry and push into the buildset registry with "skopeo copy docker://intermediate-registry/image docker://127.0.0.1:12345" where 127.0.0.1:12345 is a socat to the buildset registry.  but the buildset registry is now using the new jwt auth thing, and that [20:50]
corvus: requires putting in a URL (which points back to the registry) in the www-authenticate header.  afaict, it has to be a full url, it can't be relative.  and we can't use the host header to construct it dynamically because that doesn't tell us the socat port.  the role that starts the buildset registry shouldn't (or can't) know about the socat in order to pre-construct that as part of the config.  i do believe [20:50]
corvus: that using hostnames on the executor instead of socat would address this problem, and i'm not immediately coming up with other ideas. [20:50]
clarkb: how does it work in production? that is doesn't use token auth? [20:52]
clarkb: a layer 7 proxy could rewrite the header but that is a lot heavier than just socat [20:53]
*** tosky has quit IRC [20:53]
corvus: clarkb: we're not using zuul-registry as a buildset registry in production yet (this is the change series that does that) [20:53]
clarkb: right but we still do auth to the registry in production through skopeo and socat [20:55]
corvus: (we are using it in prod as an intermediate registry, but that has hostnames.  and likewise, we use hostnames for the "fake intermediate registry" in our testing (it's running on a fake executor, so it's less controversial to add an entry to /etc/hosts there, *and* it makes it behave more like prod). [20:55]
corvus: clarkb: no, we only use skopeo for the buildset registry [20:55]
corvus: er socat [20:55]
clarkb: but it authenticates to the buildset registry? [20:55]
clarkb: is that authentication different? [20:56]
corvus: yes, that's using the docker registry with basic auth [20:56]
clarkb: if we put socat on a fixed port it would be maybe less problematic then we always 'localhost' to it but that is hacky and maybe more hacky than editing /etc/hosts [20:58]
corvus: that also imposes some requirements on the executors [20:59]
corvus: i guess they both do -- either "you must have network port isolation between jobs" or "you must be able to write to /etc/hosts" [21:00]
corvus: clarkb: *or* we write a tool to do what skopeo is doing here. [21:01]
corvus: this is one of those cases where if the tool just worked over v6, we would not have a problem.  and this is constrained to a couple of executor-only roles.  the choice of tool doesn't really impact anything about jobs that use it. [21:01]
clarkb: ya [21:04]
corvus: mordred, tristanC: thoughts ^ ? [21:05]
mordred: corvus: reading [21:07]
clarkb: to be clear the issue is that docker doesn't allow for [] or : in the host portion of their "urls" (you can use : to separate host and port but that is it) so you cannot use ipv6 literals in the url [21:08]
clarkb: skopeo includes docker's lib for parsing these urls [21:08]
clarkb: and refuses to change according to a response on a bug we filed [21:08]
corvus: oh hrm [21:09]
mordred: my first inclination is to just use hostnames [21:09]
corvus: actually, even that might not solve the problem [21:09]
mordred: it's a little bit of test node pollution- but it's unlikely to be pollution that would substantively change things for test workloads [21:10]
corvus: er, let me revise that to: i am not certain that would solve the issue -- i'm not sure that we've tested that skopeo and docker can handle ipv6 literal auth urls (never mind image names).  it seems plausible that they would (they probably use url handling libs for that).  but we should verify that first if we're going to go down that path. [21:11]
clarkb: mordred: it's not the test nodes it is the executor [21:11]
clarkb: mordred: we do use hostnames on the test nodes already [21:11]
clarkb: corvus: oh good point [21:11]
mordred: ohhh. duh. yeah [21:12]
mordred: corvus: well, if we wrote a tool, it could just be part of zuul and would reduce the operator installation burden on the executors [21:14]
mordred: otoh - that's more writing of things [21:15]
corvus: mordred: it could, or we could put it in zuul-jobs, or we could make it standalone and pip install --user it in the jobs [21:15]
mordred: yeah [21:15]
corvus: i agree we shouldn't require the operator to install something [21:15]
mordred: but basically - we have many options that would be easier on the operator than them needing to install skopeo on the executors [21:16]
mordred: how hard of a tool do you think it would be to write? it gets to be pretty single-purpose I think, right? [21:17]
tristanC: providing a correct /etc/hosts per execution context would fix that issue? if it does, that seems like a reasonable thing to do [21:18]
corvus: huh.  rfc2617 suggests that a relative path is okay.... i should verify that i've adequately tested that (vs docker just claiming to implement 2617 without having read it) [21:18]
corvus: mordred: i think it would be simple.  i'd estimate the main methods to be < 100 lines of python. [21:19]
corvus: okay, i did try a relative url, and this is what skopeo/moby returned: https://zuul.opendev.org/t/zuul/build/9dda450a63b54b05aebdbb0028169832 [21:26]
corvus: shock bombshell: moby does not follow rfc2617 though it claims to [21:27]
corvus: maybe we can split brain this though [21:28]
mordred: corvus, tristanC: if we wanted to go /etc/hosts route, what if zuul just *always* provided /etc/hosts entries for all of the nodes in a job's nodeset? paused nodes would start to get weird ... [21:28]
clarkb: mordred: I'm not sure how that helps with the executor? [21:28]
corvus: maybe if moby supports fully qualified ipv6 literal urls as auth urls, maybe we can tell docker to pull from "localhost:12345" which then tells moby to get an auth token from [literal]:9000 [21:28]
corvus: i'm assuming mordred means to have the zuul executor add all the nodes to an overlaid /etc/hosts [21:29]
mordred: clarkb: why not? if the executor bind-mounted in an /etc/hosts to the bubblewrap context [21:29]
mordred: yeah [21:29]
clarkb: I see [21:29]
corvus: basically doing something similar to what we'd do in the role, but systemically and less hacky [21:29]
corvus: that might open some attack vectors though [21:29]
corvus: (request a nodeset with some name to trick a trusted playbook into sending creds to a test node or something) [21:30]
corvus: yeah, i think that'd be a can of worms.  broadly speaking, i think that would mean "trusted playbooks can't trust dns" [21:31]
mordred: yeah [21:31]
corvus: shame.  it's really elegant.  :) [21:31]
mordred: well - what if part of the hostname was generated? [21:32]
corvus: clarkb: there's no single way to construct an ipv4/ipv6 literal, right?  we have to switch (to know to add []) ? [21:32]
tristanC: mordred: why would it get weird with paused nodes? [21:32]
mordred: like - if the hostname put in /etc/hosts was "{node-name}.{job-name}.zuul" or something [21:32]
corvus: mordred: oh yeah, good point.  we do something similar with our in-job hostnames to make sure they never collide. [21:33]
clarkb: corvus: if you aren't specifying a port too you can avoid caring. It is the port specification that causes problems because the : becomes ambiguous [21:33]
mordred: yah [21:33]
clarkb: but in general ya if using a port you have to know. There is an ansible filter for this [21:33]
corvus: clarkb: oh, do we have an example? [21:34]
mordred: tristanC: other builds in the buildset would need the hostname of paused nodes in their /etc/hosts - but the executor usually doesn't have that information since it's just focused on the one build, so we'd have to pass some stuff along somewhere - probably not too terrible to do - just something we'd have to sort [21:34]
corvus: clarkb: ipwrap? https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters_ipaddr.html#wrapping-ipv6-addresses-in-brackets [21:36]
clarkb: corvus: https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters_ipaddr.html yup [21:36]
*** openstackgerrit has joined #zuul [21:37]
openstackgerrit: James E. Blair proposed zuul/zuul-jobs master: WIP: test ipwrap  https://review.opendev.org/691758 [21:37]
corvus: clarkb: ^ does that look right? [21:37]
clarkb: ya [21:38]
corvus: clarkb, mordred, tristanC: okay, let's see if that works, and if so, then great.  if not, we'll mull over the "hostnames or new tool" question some more [21:38]
mordred: ++ [21:39]
*** EmilienM has quit IRC [21:46]
*** EmilienM has joined #zuul [21:47]
*** todun has joined #zuul [21:52]
*** jamesmcarthur has quit IRC [22:28]
*** mattw4 has quit IRC [22:28]
*** mattw4 has joined #zuul [22:28]
corvus: clarkb, mordred, tristanC: i think that change worked!  https://zuul.opendev.org/t/zuul/build/db01a689f6624ad3a09bfff96eb7e709/console [22:29]
corvus: in just a few, i'll rework that into the appropriate point in the stack, and then i think it'll be ready to merge [22:30]
mordred: corvus: oh cool! [22:30]
openstackgerrit: James E. Blair proposed zuul/zuul-jobs master: Use zuul-registry as buildset registry  https://review.opendev.org/689238 [22:45]
openstackgerrit: James E. Blair proposed zuul/zuul-jobs master: Make the buildset registry port configurable  https://review.opendev.org/689240 [22:45]
openstackgerrit: James E. Blair proposed zuul/zuul-jobs master: Adjust buildset registry container name  https://review.opendev.org/690992 [22:45]
openstackgerrit: James E. Blair proposed zuul/zuul-jobs master: Don't sudo when saving container logs in registry test  https://review.opendev.org/690993 [22:45]
openstackgerrit: James E. Blair proposed zuul/zuul-jobs master: Test buildset registry with k8s and docker  https://review.opendev.org/689280 [22:46]
*** hashar has quit IRC [22:47]
mordred: corvus: in https://review.opendev.org/#/c/690993 - do we put the zuul user into the docker group somewhere? [23:14]
*** mattw4 has quit IRC [23:19]
mordred: I mean - it's working, so I guess we do :) [23:20]
openstackgerrit: Merged zuul/zuul-jobs master: Open iptables ports in registry test job  https://review.opendev.org/690425 [23:30]
