Thursday, 2020-06-25

« Wednesday, 2020-06-24 Index Friday, 2020-06-26 »
*** rfolco has quit IRC00:53
*** swest has quit IRC01:18
*** swest has joined #zuul01:32
*** cloudnull has joined #zuul01:42
*** rlandy|ruck|bbl is now known as rlandy|ruck02:01
*** rlandy|ruck has quit IRC02:12
*** hamalq has quit IRC02:51
*** hamalq has joined #zuul02:53
*** hamalq has quit IRC02:58
*** bhavikdbavishi has joined #zuul03:28
*** bhavikdbavishi1 has joined #zuul03:33
*** bhavikdbavishi has quit IRC03:35
*** bhavikdbavishi1 is now known as bhavikdbavishi03:35
*** hamalq has joined #zuul04:21
*** hamalq has quit IRC04:21
*** evrardjp has quit IRC04:34
*** evrardjp has joined #zuul04:34
*** hamalq has joined #zuul04:38
*** hamalq has quit IRC04:43
*** ysandeep|away is now known as ysandeep04:43
*** sgw has quit IRC04:57
*** hamalq has joined #zuul05:10
*** hamalq has quit IRC05:15
*** reiterative has quit IRC05:42
*** reiterative has joined #zuul05:43
*** ysandeep is now known as ysandeep|afk05:48
*** marios has joined #zuul05:49
*** hamalq has joined #zuul05:51
*** saneax has joined #zuul05:55
*** hamalq has quit IRC05:56
*** bhavikdbavishi has quit IRC06:10
*** cloudnull has quit IRC06:14
*** rpittau|afk is now known as rpittau06:20
*** bhavikdbavishi has joined #zuul06:22
*** cloudnull has joined #zuul06:27
*** hamalq has joined #zuul06:27
*** hamalq has quit IRC06:32
*** ysandeep|afk is now known as ysandeep06:44
*** jcapitao has joined #zuul06:46
*** hamalq has joined #zuul06:52
*** hamalq has quit IRC06:58
*** hashar has joined #zuul06:59
*** sgw1 has quit IRC07:22
*** bhavikdbavishi has quit IRC07:22
*** hamalq has joined #zuul07:36
*** hamalq has quit IRC07:41
*** tosky has joined #zuul07:42
*** bhavikdbavishi has joined #zuul07:47
*** nils has joined #zuul07:53
*** hamalq has joined #zuul07:55
*** jpena|off is now known as jpena07:58
*** hamalq has quit IRC08:00
*** hamalq has joined #zuul08:16
*** hashar has quit IRC08:16
*** corvus has quit IRC08:17
*** bhavikdbavishi1 has joined #zuul08:20
*** hamalq has quit IRC08:21
*** bhavikdbavishi has quit IRC08:22
*** bhavikdbavishi1 is now known as bhavikdbavishi08:22
*** hashar has joined #zuul08:22
*** hamalq has joined #zuul08:25
*** hamalq_ has joined #zuul08:27
*** corvus has joined #zuul08:30
*** hamalq has quit IRC08:30
*** hamalq_ has quit IRC08:31
*** bhavikdbavishi1 has joined #zuul08:31
*** bhavikdbavishi has quit IRC08:33
*** bhavikdbavishi1 is now known as bhavikdbavishi08:33
mhuhey there, ez-pz patch to review, documenting cURL examples of using the tenant-scoped admin REST API: https://review.opendev.org/#/c/727785/08:34
*** armstrongs has joined #zuul09:29
*** ysandeep is now known as ysandeep|afk09:39
*** dennis_effa has joined #zuul09:41
*** bhagyashris is now known as bhagyashris|afk09:55
*** hamalq has joined #zuul09:57
*** hashar has quit IRC09:57
*** hamalq has quit IRC10:01
*** bhavikdbavishi has quit IRC10:02
*** ysandeep|afk is now known as ysandeep10:05
*** hamalq has joined #zuul10:13
*** hamalq has quit IRC10:17
*** rpittau is now known as rpittau|bbl10:20
*** bhagyashris|afk is now known as bhagyashris11:00
*** jcapitao is now known as jcapitao_lunch11:01
*** ysandeep is now known as ysandeep|break11:17
*** holser has quit IRC11:22
*** harrymichal has joined #zuul11:26
*** bhavikdbavishi has joined #zuul11:26
*** jpena is now known as jpena|lunch11:37
*** bhavikdbavishi has quit IRC11:41
*** bhavikdbavishi has joined #zuul11:42
*** bhavikdbavishi1 has joined #zuul11:45
avasschecking if anyone has time to review a nodepool change that adds support for attaching instance profiles for ec2 instances: https://review.opendev.org/#/c/734774/11:45
*** bhavikdbavishi has quit IRC11:46
*** bhavikdbavishi1 is now known as bhavikdbavishi11:46
avassI've tested it by running nodepool from that change so it works, but sadly the moto test framework doesn't support attaching instance profiles yet11:47
*** ysandeep|break is now known as ysandeep11:47
*** dpawlik6 has quit IRC11:54
*** rlandy has joined #zuul12:13
*** rlandy is now known as rlandy|ruck12:13
*** dpawlik6 has joined #zuul12:19
*** rfolco has joined #zuul12:21
*** hashar has joined #zuul12:22
*** bhavikdbavishi has quit IRC12:24
*** harrymichal has quit IRC12:30
*** harrymichal has joined #zuul12:31
*** jcapitao_lunch is now known as jcapitao12:33
*** harrymichal has quit IRC12:40
*** harrymichal has joined #zuul12:41
*** jpena|lunch is now known as jpena12:42
*** rpittau|bbl is now known as rpittau12:42
*** harrymichal has quit IRC12:56
*** harrymichal has joined #zuul12:57
*** marios is now known as marios|call12:59
*** holser has joined #zuul12:59
openstackgerritFelix Edel proposed zuul/zuul master: Introduce Patternfly 4  https://review.opendev.org/73622513:12
openstackgerritFelix Edel proposed zuul/zuul master: PF4: Update "fetching info ..." animation using empty state pattern  https://review.opendev.org/73801013:12
openstackgerritFelix Edel proposed zuul/zuul master: PF4: Update buildset result page (new layout and styling)  https://review.opendev.org/73801113:12
*** felixedel has joined #zuul13:12
openstackgerritFelix Edel proposed zuul/zuul master: PF4: Update "fetching info ..." animation using empty state pattern  https://review.opendev.org/73801013:14
openstackgerritFelix Edel proposed zuul/zuul master: PF4: Update buildset result page (new layout and styling)  https://review.opendev.org/73801113:14
*** hashar has quit IRC13:16
*** tumble has joined #zuul13:17
openstackgerritSimon Westphahl proposed zuul/nodepool master: wip: reproduce lock race w/ deleteUpload  https://review.opendev.org/73801313:20
*** holser has quit IRC13:20
*** holser has joined #zuul13:21
*** harrymichal has quit IRC13:36
*** harrymichal has joined #zuul13:37
*** dpawlik6 is now known as dpawlik-213:48
*** dpawlik-2 is now known as danpawlik13:48
*** sgw has joined #zuul13:52
*** marios|call is now known as marios13:53
openstackgerritFelix Edel proposed zuul/zuul master: PF4: Update buildset result page (new layout and styling)  https://review.opendev.org/73801113:59
openstackgerritFelix Edel proposed zuul/zuul master: PF4: Add new Zuul logo with text  https://review.opendev.org/73803313:59
*** harrymichal has quit IRC14:01
*** harrymichal has joined #zuul14:02
felixedelzuul-maint: I've proposed some new Patternfly 4 changes https://review.opendev.org/#/q/topic:patternfly-4+(status:open+OR+status:merged) to update the spinner animation on initial page load and the buildset result page. Both with a new layout and design. I hope you like it. As I'm on vacation next week I will continue with PF4 the week after. It14:05
felixedelwould be cool if you could review those changes until then and provide me some feedback :)14:05
*** sgw1 has joined #zuul14:09
*** harrymichal has quit IRC14:11
*** harrymichal has joined #zuul14:12
*** felixedel has quit IRC14:18
*** bhavikdbavishi has joined #zuul14:23
*** bhavikdbavishi1 has joined #zuul14:26
*** bhavikdbavishi has quit IRC14:28
*** bhavikdbavishi1 is now known as bhavikdbavishi14:28
*** ysandeep is now known as ysandeep|away14:29
*** jamesmcarthur has joined #zuul14:32
openstackgerritMerged zuul/zuul-jobs master: upload-git-mirror: check after mirror operation  https://review.opendev.org/73753314:32
*** jamesmcarthur has quit IRC14:32
*** jamesmcarthur has joined #zuul14:33
*** harrymichal has quit IRC14:41
*** harrymichal has joined #zuul14:42
*** holser has quit IRC14:44
*** bhavikdbavishi has quit IRC15:06
*** harrymichal has quit IRC15:16
*** harrymichal has joined #zuul15:17
*** bhagyashris is now known as bhagyashris|afk15:19
*** bhavikdbavishi has joined #zuul15:25
*** harrymichal has quit IRC15:26
*** harrymichal has joined #zuul15:27
*** bhavikdbavishi has quit IRC15:29
*** masterpe has joined #zuul15:30
*** harrymichal has quit IRC15:36
*** harrymichal has joined #zuul15:37
*** harrymichal has quit IRC15:37
*** harrymichal has joined #zuul15:37
*** bhavikdbavishi has joined #zuul15:47
*** bhavikdbavishi has quit IRC15:52
*** hamalq has joined #zuul15:55
*** harrymichal has quit IRC15:57
*** harrymichal has joined #zuul15:57
*** jcapitao has quit IRC16:00
*** hamalq has quit IRC16:01
*** hamalq has joined #zuul16:01
*** hamalq_ has joined #zuul16:03
*** nils has quit IRC16:05
*** hamalq has quit IRC16:06
*** marios is now known as marios|out16:06
*** rpittau is now known as rpittau|afk16:11
clarkbmordred: I'm doing the community update tonight. Anything specific worth calling out after this morning's edition? maybe there were good questions or ?16:13
*** hashar has joined #zuul16:14
*** armstrongs has quit IRC16:17
mordredclarkb: nope - it was straightforward and no questions for us16:19
mordredclarkb: the primary question that came up was more openstack related and was about 3pci migration to v316:19
*** harrymichal has quit IRC16:22
*** harrymichal has joined #zuul16:22
*** tumble has quit IRC16:26
corvusgmann and rpioso chatted a bit about that16:31
gmanncorvus: yeah, let me find the spec link it is on my different laptop.16:32
gmannhe need help on this  - https://opendev.org/opendev/infra-specs/src/branch/master/specs/zuulv3-3rd-party-ci.rst16:36
gmannand after that tosky  can help on job migration part16:37
*** harrymichal has quit IRC16:42
*** harrymichal has joined #zuul16:42
*** harrymichal has quit IRC16:47
*** harrymichal has joined #zuul16:47
*** holser has joined #zuul16:54
*** harrymichal has quit IRC16:57
*** harrymichal has joined #zuul16:57
*** holser has quit IRC17:02
*** bhavikdbavishi has joined #zuul17:04
*** holser has joined #zuul17:06
*** mgoddard has quit IRC17:18
*** marios|out has quit IRC17:19
*** harrymichal has quit IRC17:21
*** harrymichal has joined #zuul17:22
*** mgoddard has joined #zuul17:23
*** jpena is now known as jpena|off17:28
corvusmordred, avass: sorry i got distracted yesterday; i'd like to resume work on the buildx stuff.  yesterday, avass mentioned that we could build oci tarballs with buildx and therefore may not need a registry (we could pull the tarball into the local image cache).  mordred -- did you look into whether that would work with the manifest images needed for multiarch?17:31
mordredcorvus: I did not - although I have vague cloudy memories of that not working either17:32
mordredbut - I don't have specific memories of it not working17:32
mordredcorvus: I think perhaps importing oci tarballs into docker is weird? and we'd need skopeo to do that?17:33
corvusmordred: do you have a buildx build env handy?17:35
corvus19:38 < avass> corvus: looks like you can do '--output type=oci,dest=<file>'17:36
corvusmordred: maybe we can run that real quick and check?  i never got the cross-platform stuff running locally so it's not easy for me17:36
*** harrymichal has quit IRC17:37
openstackgerritMatthieu Huin proposed zuul/zuul master: Web UI: add i18n support, french translations  https://review.opendev.org/73729017:37
*** harrymichal has joined #zuul17:37
mordredcorvus: 104.130.135.78 is still there17:38
mordredhrm. maybe that's not the right serve r...17:39
mordredcorvus: nope - nevermind. I do not have that environment available anymore17:39
mordredcorvus: maybe I should spin up another test env for us17:40
corvusmordred: ok thanks17:40
mnaseri have a really interesting problem.  we use zuul's speculative image builds to build images for services (in this case, openstack services + one for an openstack operator).  the challenge i'm having is that if i build images only if they change and always use 'latest' in my environment, latest might not always mean the same thing and it's possible that in autoscaling, k8s would end up with a mix of newer and older images17:43
mordredcorvus: booting a new test server17:44
mnaserwould it make sense to add some custom code that determines the pbr tag and tag the images that way?  that does also means that i would sort of have to build an image every single time too?17:44
mnaserit sounds to me like "i need to build a bunch of images that all need to work together with a long-lived tag" is something that zuul users might benefit from?17:44
corvusmnaser: can you upgrade your deployment when an image builds so latest does mean latest?17:45
corvusmnaser: are we talking pre-release or releases?17:45
mnasercorvus: that's kinda been the challenge, because if the deployment hasn't updated yet, autoscaling events will pick up newer images which makes for a sad time17:46
mnaserand i mean technically i'm trying to build things in a way so that it doesn't depend on the user ensuring their deployment is updated anytime the upstream repo changes17:46
mordredmnaser: I'm getting a sandwich - but will ponder this use case in my brain while doing so17:47
mnasercorvus: we don't currently release anything, it's all cd'd, i was thinking of using pbr's own self-versioning to gather a tag17:47
mnasermordred: bon appetit!17:47
corvusmnaser: i'm unclear about the goal.  my personal preference for deployment is continuous deployment of the latest code that has merged, because i have confidence that it works because of gating.  so i want everything to be running latest always, which means kicking the deployment when new 'latest' images are built.17:47
corvusmnaser: but you're talking about tags, which are based on releases...17:48
mnasersorry, i should clarify 'docker image tags'17:48
corvusright, i would expect docker image tags to match git repo tags, which are usually releases, in the pbr world at least17:48
mnaseri'm thinking the 1.0.0git543858 type of pbr thing17:49
corvusoh, a pre-release version17:49
fungimnaser: and the assumption is that you would never rebuild the image when code (say dependencies maybe) of the primary software being packaged in the image changes without that software itself changing?17:49
corvusmnaser: that tag is only going to be for that one image, and constantly changing17:49
mnaserfungi: at the moment, yes, that's the assumption.  i could also be wrong in all of this and taking a different direction may be a better approach17:50
corvusthat may not really be any different than pinning to a sha25617:50
mnasercorvus: right, but at least i can use pbr inside my operator and get the 'version of the operator' and start the services with the tag matching the version of the operator17:50
corvusmnaser: but the operator version will have a different git sha than each of the services17:51
openstackgerritMatthieu Huin proposed zuul/zuul master: Web UI: add i18n support, french translations  https://review.opendev.org/73729017:51
mnaserbut then i would either have to rebuild all the images every single time (not cool), or in the promote pipeline, promote the ones that were built, and 'fake-promote' the ones that weren't built17:51
mnasersigh but i just realized then now i cant do speculative testing inside zuul because the tag i'm trying to test doesn't exist17:51
mnaserthe super annoying inefficent way seems to be 'build all images all the time' but that just doesn't seem like a good use of computer time17:52
corvusmnaser: i'm sorry i'm still confused about something;  it seems like "i'm trying to build things in a way so that it doesn't depend on the user ensuring their deployment is updated anytime the upstream repo changes" is incompatible with wanting to continuously deploy17:53
mnasercorvus: that's fair.  i guess i'm trying to 'make every commit deployable'17:55
mnaserand perhaps that's not necessarily continuously deploying.17:55
corvusgating will make every commit deployable... but maybe you're getting at the problem of wanting to know the state of the entire set of images for each gated test17:56
corvusmnaser: like what we do with the openstack/openstack repo for git commits?17:56
corvusbasically, if you look at the integrated gate pipeline as a linear timeline, getting the complete state of the system for each point in that timeline?17:57
mnasercorvus: i think that's what i'm struggling to describe, correct17:57
mnaserso that ideally i can just revert to a previously-pinned tag and the system would also use the older images17:58
fungithis sounds like a case for a ledger17:58
corvusokay -- if, hypothetically we had that for docker images as we do for git repos, how would you tell k8s to deploy them?  would you have the operator update service descriptions to point to that?17:58
mnaserso instead of running vexxhost/openstack-operator:latest cause something broke, i switch to vexxhost/openstack-operator:some-sha .. and then when it starts, it will update all the k8s manifests to use whatever some-sha was teste dwith17:59
corvusmnaser: okay, i think i fully understand now.  :)17:59
fungior some similar timestamping service so that you know what the full set looked like for any given point in time, and the sequence of changes which occurred to the set when17:59
mnaserfungi: yeah, something pretty much similar to that, because sometimes a git revert and wait for pipeline is a very time expensive operation18:00
corvusmnaser: if you want the openstack operator to do this, you could potentially build the openstack operator on every commit, and burn the sha256s of all the images into it18:00
corvusmnaser: so the operator itself would be fungi's ledger18:00
fungiif a list of image shas were recorded in a git repository, that would give you the properties you describe (though at the expense of needing to create tooling around picking the point in the revision history containing the set of checksums you're wanting to reset to)18:00
corvusmnaser: and as long as you're doing that in gate, and using gate/promote for images, then you know that the sha256s of the images used in the gate test are going to be the ones published18:01
fungiand yeah, if the operator contained a list of checksums, and was maintained in a git repository, i guess that answers the consumer tooling part18:01
mnasercorvus: so the "build operator on every commit" already happens right now, the burn the sha256 is where it might get tricky i think.. or maybe not, because i will splice that into the docker image build, not the code itself18:02
mnaserso its not like that needs to end up being committed to the git repo18:02
corvusfungi: well, i wasn't thinking the checksums would be in the git repo, but rather, the operator image build job would run on every commit to the whole system, so if there's a nova commit, we build the nova image, then start building the operator image, and as part of that process, we ask docker what the nova sha256 is, and include that in the operator build process.18:03
corvusyeah, i think mnaser and i just said the same thing18:03
mnaserand then dropping the 'cleanup code' inside promote.. or at least spacing it out to leave some headway for reverts18:03
corvusmnaser: right -- so there's a tag so the sha doesn't get orphaned18:04
fungicorvus: oh, sure if the checksums are baked into the operator image and it has sequence numbers/timestamps/something that could also work, for sure18:04
fungiso you know you're broken at operator image #12345 you can just say to roll back to operator image #1234418:05
corvusyep, and each of those has the sha256s of the images it was tested with.18:05
corvusmnaser: i think that's a good solution; i think a slightly more explicit solution would be your idea of re-tagging images (you described it as 're-promoting' or 'fake promoting' or something like that)18:06
mnaserand i think that might be easier than the whole burn-in stuff because all i need to do is $current_version and then point images at $current_version18:07
mnaserand i think all i need to touch in this scenario is the promote job18:08
corvusmnaser: i think that would be effectively the same thing, except a little more work since you'd need to do more registry interactions, but in exchange, you'd get more explicitness/visibility.18:08
mnaserwell i could just _always_ run the promote jobs all the time, and they would promote 'latest' and '$current_version'18:08
avasscorvus, mordred: 158.69.68.12 is still up, reading through the scrollback to catch up18:09
mnaseri guess the only caveat is make sure that don't fail if review-xxx exists18:09
mnasers/exists/does not exist/18:09
mnaserjust take latest and retag it with $current_version18:09
avasscorvus, mordred: the last patchset is working though, should we merge it and try retriggering the nodepool release and clean it up a bit in a follow-up change?18:10
corvusmnaser: i think there are two options there: you could tag every image with a pbr tag, then just use that instead of the sha256 (ie, you lookup that tag and use that instead of the sha256); or you could name the tested-set and tag everything with that name.  for example, you could tag everything with the pbr pre-release tag of the operator.18:10
corvusavass: oh cool, that's probably the priority yes :)18:11
mnasercorvus: well in my case, the images and operator code is all in the same repo, so technically the 'pbr version' will naturally be identical18:11
corvusmnaser: oh because you're building nova images out of your operator repo?18:11
mnasercorvus: yeah... for now18:11
fungithe up side to using pbresque autoversions is that it makes an attempt at providing some sense of serial ordering, though ultimately that's not 100% possible since the source of information is has to work from is nonlinear18:12
avasscorvus: it does pull from the buildset-registry explicitly in build-docker-image now for buildx though, I'm not sure why it didn't work as it should18:12
mnaseri think for a future state where images are provided by openstack upstream, the 'burn-in' option is the best one18:12
corvusmnaser: okay, yeah, i was imagining otherwise, but maybe it's better to keep imagining that so if nova builds its own images in the future, this works with it.18:12
mnaseryeeep18:12
corvusavass: and yeah, i'd still like to remove the buildset registry requirement from the role, since that's a trap for users to fall into18:13
mnaserprobably a simple python script to interact with docker and get the sha's and generate a manifest inside docker build18:13
corvusavass: so let's see about landing your change, then either doing oci tarball or internal temporary registry18:13
avasscorvus: ah yeah, then that part doesn't really matter too much since we want to remove the buildset-registry requirement completely18:13
avassyeah18:13
corvusavass: left a debug thing in, otherwise lgtm18:15
avasscorvus: oh yep18:15
openstackgerritAlbin Vass proposed zuul/zuul-jobs master: Test multiarch release builds  https://review.opendev.org/73731518:16
avassdone18:16
*** harrymichal has quit IRC18:17
*** harrymichal has joined #zuul18:17
*** bhavikdbavishi has quit IRC18:18
*** harrymichal has quit IRC18:22
*** harrymichal has joined #zuul18:22
*** Open10K8S has quit IRC18:24
*** Open10K8S has joined #zuul18:25
mordredcorvus: 198.101.251.60 is booted and latest docker is installed18:37
mordredcorvus: in case we need a place to poke18:37
corvusmordred: yeah, i think this is the status: can you review https://review.opendev.org/737315 ? if that's good, we can re-run the nodepool tags; then i think we should poke at image tarballs, and either move to that, or if it doesn't work, move to an internal temporary registry18:38
avassmordred: running skopeo inspect --raw shows two manifests with arch arm64 and i386 after building those platform and outputting an oci archive18:40
mordredcorvus, avass: yeah. I think that's good18:42
mordredavass: cool - so exporting to an oci tarball gets us a thing that at least skopeo knows how to deal with18:42
mordredor, rather, at least has the manifests18:42
mordredavass: hrm. here's a question - does the oci archive have the full contents of both arch? or is it just a tarball with the manifests in it18:43
mordredthat refer to images that may not exist anywhere but inside the buildx context? (wondering if we have to do additional exports or something)18:43
avassmordred: I was able to upload it with 'skopeo copy --all oci-archive:oci docker://158.69.68.12:5000/testarch'18:44
avassand there are blobs in the oci archive18:45
mordredavass: neat!18:45
corvuscool -- can we do this without skopeo?18:46
avassgonna go get some food, I'll be back in ~30min18:46
corvuswe might also try the 'tar' output format18:47
*** dennis_effa has quit IRC18:58
avasscorvus, mordred: right docker doesn't do ipv6, should we just reverify that and fix that later?19:25
corvushrm, i think not -- we're going to have lots of issues with this if we do19:26
corvuslet's plow on with not using the buildset registry19:27
corvusavass: i've logged into 158.69.68.12.  what was your command to build the image?  i'd like to try various formats19:28
avassthat's the fake publication registry that is failing though, so we need the same fix that buildx uses for the buildset-registry now19:28
corvusavass: can you just use 'localhost' ?19:28
avasscorvus: no since that would be localhost inside the buildx container19:29
avassi think19:29
avassI believe i tried it19:29
avasscorvus: 'DOCKER_CLI_EXPERIMENTAL=enabled docker buildx build . --tag 158.69.68.12:5000/test --platform=arm64,i386 --output type=oci,dest=oci'19:29
avasscorvus: but it's in the history for the zuul user19:30
corvusavass: thanks :)19:30
corvusdoes the local docker image cache even have support for images of a different arch?19:34
avasscorvus: I'm not sure, I tried importing it but it shows up as 'Architecture: amd64'19:35
corvuslike, can i 'docker pull' the arm64 nodepool image from dockerhub?19:35
corvusavass: yeah i see that too19:35
corvusso i wonder if it only imported the one arch19:35
avasscorvus: I enabled experimental docker daemon support, so you can import the platforms with '--platform 386' or something like that19:36
avassor you should be able to19:36
avassbut it still shows up as amd6419:36
avassmordred: why do we push to the buildset-registry, pull it, retag it, then push it again anyway?19:38
avassmordred: shouldn't it be enough to keep it in the buildx cache and push it later in upload-docker-image19:38
avass?19:38
avassif we can do that we won't need to do the docker push,pull,push dance or skopeo19:39
avassor output an oci image archive19:39
corvusavass: the 'docker manifest' command only interacts with a registry; that seems to support the idea that the local image cache can't handle multi-arch19:41
*** harrymichal has quit IRC19:42
*** harrymichal has joined #zuul19:42
avasscorvus: so the 'docker pull' in build-docker-image for buildx might not do what we want, and could be the reason for the arch mixup clarkb explained yesterday19:43
avassI'm guessing19:43
*** harrymichal has quit IRC19:43
*** harrymichal has joined #zuul19:44
avassmordred: is it because buildx doesn't care about the buildset-registry mirror?19:44
corvusavass: the oci image export is the test-playbook which is supposed to be based on debian, right?19:48
avasscorvus: the oci image export isn't used in the test-playbook19:49
corvusdocker image import --platform amd64 oci test-amd64; docker run --rm -it test-amd64 /bin/sh19:49
corvusavass: i did that ^19:49
corvusand got this: docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"/bin/sh\": stat /bin/sh: no such file or directory": unknown.19:49
corvusso i'm wondering if that export is valid19:50
avasscorvus: how did you build the image?19:50
corvusavass: i didn't; that's your oci export (i think)19:50
corvusin /home/zuul/src/opendev.org/zuul/zuul-jobs/test-playbooks/container/docker on the held node19:50
avasscorvus: that's only i386 and arm64, so I guess that's why19:51
corvusi386 and not amd64?19:51
corvusi s/amd64/i386/ and got the same result19:51
avasscorvus: I think I built it when checking what happens if you import a non amd64 image19:51
avasscorvus: hmm, what happens if you rebuild the image for amd64?19:52
corvusoh, so i should probably rebuild with amd64,arm6419:52
avassyeah19:52
corvuswill do19:52
mordredcorvus, avass: I could definitely see local registry not supporting multi-arch being related to our multi-arch weirdness19:53
corvusmordred: local cache you mean?19:54
mordred(sorry - I got waylaid AFK and am just catching up)19:54
mordredcorvus: yeah19:54
corvusavass: still no joy19:54
avassand what if it's built for amd64 only?19:54
corvusavass, mordred: i started a screen session on 158.69.68.12 if you care to join19:55
corvusrun 'screen -x' as root19:55
avasslooking :)19:56
corvussame result19:56
avassI wonder what's going on with the oci export then19:57
*** olaph has quit IRC19:57
corvusmaybe we can try the tar export19:59
avasscorvus: I believe you can also do --output=<dir>19:59
*** hashar has quit IRC19:59
corvusoh that's what that does19:59
corvusthat's not what we want20:00
corvus(tar output makes a tarball of the resulting filesystem; it's not image layers/blobs/manifests/etc)20:00
mordredyah -that's def not what we want20:00
corvusand output=dir is the same thing but extracted; not a tarball20:01
avassyep20:02
mordredso - still catching up - skopeo copy worked, but is skopeo, right? so the current thing is "is there a docker incantation that will work with these oci images" yeah?20:04
corvusmordred: skopeo also hit the ipv6 issue, which means we need to duplicate even more infrastructure for testing.  and yes, that's the current question.20:05
avassmordred: yeah, and if we can keep the images in the buildx cache until we want to upload them somewhere that would be the best, no?20:05
mordredkk. I think I'm up to speed20:05
mordredavass: WELL - sort of20:05
corvusand if that fails, we'll look into the temp registry idea20:05
mordredif all we're doing is buiolding and uploading, yes20:05
avassah, I guess it wouldn't work if you actually want to test something :)20:06
mordredbut if the job expects to build the image and then use the image in some way on the same vm, we'd need it in local cache20:06
mordredyeah. it will work if tests happen on different vms20:06
avassbut we don't really need buildx for building an image for the system we're on, so can we do some dumb logic around that?20:07
avassbecause we won't actually be able to run the images build for the other arches right?20:08
corvus(back to the oci image import issue -- inspecting the filesystem export, it looks like we have binaries for the right arch, so i don't know why docker run is failing)20:09
avasscorvus: maybe it's importing the wrong image?20:09
avassor did you build it for amd64 only?20:09
corvusavass: i built it for amd64 only20:09
corvuslet me try omitting the platform args entirely20:10
corvusnope20:11
mordredcorvus: is it importing the oci tarball as a root filesystem and not an oci tarball?20:11
avassoh strange20:11
corvusmordred: yes i think so20:11
mordredcorvus: that is not very helpful20:11
corvusi'd just like to point out that help message is nonsensical and incorrect20:13
avasscorvus: yes I got very confused about that message hah20:13
*** harrymichal has quit IRC20:13
corvuswow finally20:13
*** harrymichal has joined #zuul20:14
avassoh so, load works but not import20:14
corvusso we can export a single-arch oci tarball and 'docker image load' it.20:14
corvusnow maybe let's see what happens with multi-arch20:14
corvusit refuses to load a multi-arch oci image export20:15
corvusone more thing i want to try20:16
avassthat should not work right?20:17
corvusi think i just did an oci export of the arm64 image, imported it, and ran it on an amd64 host; i would not expect that to work, but maybe it works as a side effect of the binfmt_ stuff we do to make the cross-arch build work in the first place?20:17
corvusroot     16275  0.6  0.0 123416  6256 pts/0    Ssl+ 20:16   0:00 /usr/bin/qemu-aarch64 /bin/dash20:17
corvusyep20:17
corvusthat's what's going on there20:17
corvusso i'm running an emulated arm64 dash shell20:18
mordredyeah20:18
avassoh, so we need to build one arch at a time, load it to docker and then push it20:18
corvusi think that means that what we can do is export the arch-specific images from buildx one at a time and import one or more of them into the local cache20:18
mordredwhich is how we'll eventually be able to run these (in theory) on an amd64 nodepool-builder20:18
corvusif we import them all into the cache, does that mean we can use the docker manifest command to do the final push?20:19
avassthere's a registry running on that machine so you can test it :)20:20
corvusroot     16543  5.3  0.0   2396   836 pts/0    Ss+  20:20   0:00 /bin/dash20:21
mordredcool. so that's a mechanism to build each arch one at a time20:21
corvusno qemu that time20:21
mordredand get them into local cache20:21
corvusmordred: yep20:21
corvus"docker manifest create MANIFEST_LIST MANIFEST [MANIFEST...]"20:21
corvusi just see "docker docker manifest manifest"  :)20:22
mordredcorvus: yeah ... one sec - I have example20:22
mordredcorvus: docker manifest create toolboc/azure-iot-edge-device-container:latest \20:22
mordred--amend toolboc/azure-iot-edge-device-container:x64-latest \20:22
mordred--amend toolboc/azure-iot-edge-device-container:arm32-latest \20:22
mordred--amend toolboc/azure-iot-edge-device-container:aarch64-latest20:22
mordredcorvus: there's a really. nice side effect to this - we could also have this same system push manifests - as well as per-arch tags individually (in case it's helpful to have a per-arch tag for specifying in a run command)20:23
corvusdo the component images need to already be in the registry?20:23
corvus(ftr, i'm going to try some commands i don't expect to work :)20:24
*** harrymichal has quit IRC20:24
mordredkk20:24
mordredhttps://dev.to/toolboc/publish-multi-arch-docker-images-to-a-single-repo-with-docker-manifests-329n20:24
mordredis what I was reading20:24
corvusavass: what's the local registry? :5000?20:24
avasscorvus: yup20:25
avasscorvus: localhost:5000 should work20:25
avasscorvus: might need to login with user: zuul, password: testpassword20:25
corvusokay, that worked20:27
avassnice :)20:28
corvushuh, docker pull localhost:5000/test-manifest20:28
corvusthat should work right?20:28
avassI guess so?20:29
*** harrymichal has joined #zuul20:33
corvusohh20:35
corvusi think there are more steps20:35
avasscorvus: yeah test-manifest doesn't exist, I'm testing with curl locally :)20:35
avasscorvus: against that registry that is20:35
corvusi think it's an ssl cert mismatch20:37
avasscorvus: ah right, it might be installed for ansible_host and not localhost, check /etc/docker/certs.d/20:38
corvusyay!20:39
avass(it's also installed as a system certificate so that's why it might have worked for some commands)20:39
avassbut yep, looks like we can drop the buildset-registry requirement :)20:40
corvuscool, let me try to sketch this out real quick, and i'll get it in an etherpad for us to look at20:40
*** harrymichal has quit IRC20:47
*** harrymichal has joined #zuul20:48
*** harrymichal has quit IRC20:54
*** saneax has quit IRC21:02
corvusmordred: i think i see a bug in the buildx task list -- this task pulls but doesn't have the buildset registry in the image id: https://opendev.org/zuul/zuul-jobs/src/branch/master/roles/build-docker-image/tasks/buildx.yaml#L5721:06
avasscorvus: yes that's part of my change21:06
corvusavass: ha :)21:06
avass:)21:06
corvusabove we would have built and tagged "zuul-jobs.buildset_registry/nodepool:latest" and then we would have pulled "nodepool:latest"21:07
corvusso we're very likely pulling an upstream image21:07
avasscorvus: ah! that's why it didn't work for my test, because it shouldn't work :)21:07
corvusi'm almost done writing this up21:08
*** harrymichal has joined #zuul21:14
corvusavass, mordred: https://etherpad.opendev.org/p/build-docker-image-role21:17
mordredcorvus: so many words!21:17
corvuswell, it's pseudo code for what i think the roles need to do21:17
mordredyeah21:17
mordredI think it's great21:17
corvusi put 2 approaches in there; one using the oci exports, and the other using a temporary registry21:18
mordredcorvus: so - for the things mentioning tag, that's relaly "for each tag" yeah?21:18
corvusbasically, the temp registry is what we're doing now, but relying on that instead of the buildset registry21:18
corvusyep21:18
mordred(I think it's ok to elide that for readability)21:18
corvusi also omitted all the wacky change_{changeid} tag stuff too for the same reason21:19
mordredcorvus: so - in the oci export approach we wind up with foo:latest (a manifest) and foo:latest-amd64 and foo:latest-arm6421:19
corvuscorrect, i think that's the big observable difference between the approaches21:19
mordredyeah. I actually really like that as a thing21:19
corvusthe other one obviously being that we'll be running a docker container with a registry on localhost21:19
mordredbecause it allows for explicit targetting of an arch with simple docker runs just with a tag21:20
corvusi kinda prefer the temp registry because it doesn't have the extra tags :)21:20
mordredfwiw - I think we'll want extra tags for nodepool - but we could just do them explicitly21:20
corvuscause 'docker run' should just dtrt, right?  like, why would you want to 'docker run nodepool-arm64'?21:20
corvusk maybe that's the pice i'm missing21:21
mordredso that you can run an arm64 nodepool-builder on an amd64 host21:21
mordredto build arm dib images without running nodepool-builder itself on an arm host21:21
corvusohh21:21
mordredwhich will be brilliant21:21
avassyeah that sounds good21:21
corvusyeah, i recall now we discussed that emulating arm for our dib builders in production was an acceptable cost (esp compared to trying to keep an arm builder running long term)21:22
mordred++21:22
corvusmordred: and there's no way to say "docker run --platform=arm64 nodepool" ?21:22
mordredcorvus: not to my knowledge at the moment21:23
mordredI believe the podman folks may have added on21:23
mordredone21:23
mordredor are working on one21:23
corvusyeah, i'd be surprised if there were for docker, but just thought i'd check21:23
avassmordred, corvus: there is, but only for experimental docker features21:23
corvusoh neat21:23
corvusexperimental is fine21:23
mordredyeah - if that's a thing, then I'm more ok with the temp registry approach21:23
corvusyeah https://docs.docker.com/engine/reference/commandline/run/ --platform21:24
mordredsweet21:24
*** dennis_effa has joined #zuul21:24
corvusi'm trying it out now21:24
avassand docker manifest needed to image to already exist in the publication registry right?21:25
corvusavass: sorry, having trouble parsing that question21:25
avassreplace the first 'to' with 'the' :)21:25
corvusavass: yes21:26
corvusi wonder how we find out what docker api level we have21:26
corvusdocker version.  we have 1.40 so this should work21:26
mordredI agree21:27
corvushowever when i run "docker run --platform=arm64 --rm -it 158.69.68.12:5000/test-manifest /bin/dash" i don't see qemu21:27
avasscorvus: I enabled experimental on that machine, so we'd have to add that to ensure-docker21:27
corvusalso it accetped --platform=arm64aeu without error :/21:28
avassor some other role that enabled experimental features21:28
mordredcorvus: run unmame -a21:28
mordredyeah. not so much21:28
mordredcorvus: platform linux/arm64?21:28
corvushrm -- given that the local image cache doesn't support multi-platform (image manifests) how could this even work?21:29
mordredoh - good point21:29
corvusoh, i'm suspecting this may be passed through to pull21:30
mordredoh!21:31
corvusat least, based on some text in captain Illig's blog: https://www.paraesthesia.com/archive/2019/06/12/windows-and-linux-docker-containers-side-by-side/21:31
corvus"If you forget to specify the --platform flag, it will default to Windows unless you’ve already downloaded the container image"  makes me think that21:31
corvusbingo21:32
mordredcorvus: can you pull both platforms into the same cache?21:32
corvusmordred: i can't think of a way to do that21:33
mordredthat would be less cool for having a single nodepool that invoked dib as docker run --platform= zuul/nodepool-builder disk-image-create21:33
mordredbut21:34
corvusmordred: "docker pull --platform=arm64,amd64 158.69.68.12:5000/test-manifest" is the best i could come up with, and it rejected that.21:34
mordredmaybe shrug21:34
avassdifferent tags would solve that wouldn't it :)21:34
corvusyeah, i think the idea we're exploring is whether they are necessary21:34
mordredyeah - different tags definitely work - but have the downside of being ugly and not taking advantage of the honestly nice stuff21:34
mordredin manifests21:34
avassah yeah21:35
corvus(because my eyes glaze over after seeing a list of about 4 tags, so i think they aren't very user friendly, but can live with them if they are important)21:35
corvusmordred said better words21:35
corvusmordred: oh are you thinking of docker-in-docker for nodepool dib?21:36
mordredcorvus: we _could_21:36
mordredcorvus: not sure which is the best21:36
mordredbut if we just do it in the nodepool.yaml21:36
corvus(i mean, we run bwrap in docker, it's not crazy :)21:36
mordredthen we can tie a given arch to a given image21:36
mordredand all of teh builders can be identical21:36
mordredrather than needing a builder for arm - whether that's one running arm or amd21:37
mordrednow - I haven't found the cantrip for docker-in-docker with containerd21:37
corvushave we explored the idea of a standalone dib docker image?21:37
mordredbecuase /var/run/docker.sock isnt' the sock yet21:37
mordredcorvus: I think we should make one if we go down this road21:37
mordredbut - it's not like using the nodepool-builder image would be onerous -it'll already be in the local cache21:38
mordredso it's not any more bytes21:38
corvusagreed, but in the long run, way simpler nodepool image, and generally useful dib image.21:39
mordredeven thugh docker run -v/var/run/docker.socker:/var/run/docker.sock zuul/nodepool-builder docker run zuul/nodepool-builder disk-image-create21:39
mordredIS21:39
corvus(if we made nodepool's dependency on dib be entirely run-time binary via docker or other system installation)21:39
mordredsilly21:39
corvusanyway, popping up the stack...21:40
mordred(actually - I think iirc - I was thinking podman21:40
mordredso in nodepool.yaml it would be podman run zuul/nodepool-builder disk-image-create ... beause you can skip the "pass in the docker sock" that way21:40
mordredbut21:40
mordredwe can come back to that21:40
corvusa single builder that runs multiple docker containers to do dib building is going to either need explicit tags, or some special prep21:41
mordredyeah21:42
corvuslike "docker pull --platform A; docker tag; docker rm; docker pull --platform B"  -- iow, making the explicit tags on the consumer side21:42
mordrednod - good point21:42
mordredthat wouldn't be impossible to do21:42
corvusi wish dockerhub had invisible tags21:43
corvushow do they sort?21:44
corvusmost recent by default21:45
mordredI think a lot of people publish readmes with lists of tags21:46
mordredbecause many projects have a BAJILLION tags21:46
mordredcorvus: didn't you say you'd found a dockerhub api for pushing readme content?21:46
corvusso we'll end up with 9 tags for every release, instead of 321:47
corvusmordred: yeah, i think it's possible21:47
avass9 tags?21:47
corvusi pasted them in the etherpad (line 27)21:47
avasstechnically 1021:48
corvusi mean 9 for each release21:48
corvusso there will be 9 more for the 'latest' cohort21:48
corvuser21:48
corvus3 more sorry21:48
corvusso 3 for latest, then 9 for each release21:48
avassah yeah because the latest needs arch specific tags as well21:49
avassbrb21:50
avassis the manifests list just a pointer to the other manifests or are they new copies of the manifests?21:54
corvuspointer21:55
avassif so there could ne latest-<arch> and the releases are manifests21:55
avassah21:55
avasssorry, getting late. "there could ne latest-<arch> and the releases are just tags" 3,3.19,3.19.0 etc but that won't work then21:56
corvusi may have misinterpreted the question21:56
corvusmanifest lists are lists of shas, where each sha is a manifest for that platform21:56
avassI may have phrased it in an ambigious way I see what you mean21:56
corvusa manifest list doesn't require a tag either way21:56
avassyes21:56
corvus(it's just the 'manifest create' program does require tags already exist -- or... i gues technically we didn't try feeding it shas, that could work)21:57
avassso there's no actual need for 3-<arch>, just latest-<arch> and the tags can be created from those21:57
corvuswell, i think if we're going to offer latest-arch as being available for end-users, we should do that for the releases too21:58
*** harrymichal has quit IRC21:58
*** harrymichal has joined #zuul21:59
corvusit seems like not having -arch tags is generally fine, except that it makes running cross-arch builders slightly more complicated.  so i think the question for us is whether we should serve that use case by having explicit arch tags, or just some instructions saying "you can run cross-arch builders, but you'll need to run some extra docker pull commands to get all the necessary arch images first"21:59
corvushaving said that, i bet doing that in k8s would be hard22:00
corvusthough i imagine that getting k8s to do binfmt qemu emulation would also be hard, so maybe that's not worth worrying about22:01
avassit could also be a good reason to not make it harder22:02
avassit's way too late for me to stay up, I'll check in tomorrow :)22:03
corvusi'm guessing that if you're okay with installing the binfmt extensions to make it work, you can probably docker pull onto the k8s nodes too...22:04
corvusavass: thanks for your help!  i think we understand this now :)22:04
avasscorvus: no problem, it's been fun :)22:04
mordredcorvus: yeah - I imagine it just works in k8s22:07
*** harrymichal has quit IRC22:08
*** harrymichal has joined #zuul22:09
mordredcorvus: I mean - it's also worth noting that we could do the temp registry (no arch tags) version - and then just list an additional docker image in docker_images for nodepool_builder which is latest-arm64 with only arm64 in its arch list22:09
mordredso we could still use the system just in our job config to make explicitly tagged per-arch images22:09
corvusyeah, it's probably easier to expand the temp registry system to explicitly do arch tags than the other way around22:09
corvus(i bet we could do the other way around, but may involve deleting tags from dockerhub)22:10
mordredyeah22:10
corvusso maybe tomorrow we should start on the temp registry idea, and evaluate whether we want explicit nodepool tags separately later.22:11
corvus(and maybe the way we do that is to try it without explicit arch tags, and see how onerous it is?)22:11
mordredcorvus: ++22:11
mordredcorvus: well - for us in opendev I'm certain it'll be easy22:11
mordredbecause we can totally do the pull-and-retag thing in ansible22:12
mordredwithout really even blinking an eye22:12
corvuswe could always document what we come up with, let people know about it, and ask folks to let us know if they want to do that but its awkward in their environment22:12
mordredyeah22:12
openstackgerritMonty Taylor proposed zuul/zuul master: Add krb5-user to bindep for the images  https://review.opendev.org/73811922:15
mordredcorvus: ^^ also, lest we forget about that22:15
corvushopefully we can try that again tomorrow22:16
mordredcorvus: I hope so!22:18
*** rlandy|ruck is now known as rlandy|ruck|bbl22:25
*** tosky has quit IRC22:40
*** harrymichal has quit IRC22:48
*** harrymichal has joined #zuul22:49
*** harrymichal has quit IRC23:03
*** harrymichal has joined #zuul23:04
*** jamesmcarthur has quit IRC23:10
mordredcorvus: uhm - https://zuul.opendev.org/t/zuul/build/35152121198a4519a03b23bc0e41b9d923:13
mordredcorvus: that's for https://review.opendev.org/#/c/738119/23:13
mordredcorvus: oh - that's a misleading error23:14
mordredfix coming23:14
openstackgerritMonty Taylor proposed zuul/zuul master: Add krb5-user to bindep for the images  https://review.opendev.org/73811923:17
corvus++23:19
openstackgerritMonty Taylor proposed zuul/zuul master: Remove noninteractive flag from Dockerfile  https://review.opendev.org/73812223:20
mordredcorvus: also fixed it in the python-builder image23:20
mordredsince - you know - that's just how that shoudl work there23:20
*** dennis_effa has quit IRC23:44
*** cloudnull has quit IRC23:57
*** cloudnull has joined #zuul23:58
« Wednesday, 2020-06-24 Index Friday, 2020-06-26 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!