-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 827574: Add stats to web server https://review.opendev.org/c/zuul/zuul/+/827574 | 00:09 | |
@jim:acmegating.com | thanks, i'll go back through all 3 changes and address the tests | 00:09 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: | 00:20 | |
- [zuul/zuul] 827540: Explicitly close finger sockets in web https://review.opendev.org/c/zuul/zuul/+/827540 | ||
- [zuul/zuul] 827564: Identify cherrypy requests in logs https://review.opendev.org/c/zuul/zuul/+/827564 | ||
- [zuul/zuul] 827574: Add stats to web server https://review.opendev.org/c/zuul/zuul/+/827574 | ||
-@gerrit:opendev.org- Ian Wienand proposed: [zuul/nodepool] 827577: Bump Openshift test to Fedora 35 https://review.opendev.org/c/zuul/nodepool/+/827577 | 00:23 | |
-@gerrit:opendev.org- Zuul merged on behalf of Alfredo Moralejo: [zuul/zuul-jobs] 826603: Add CentOS Stream 9 to configure-mirrors role https://review.opendev.org/c/zuul/zuul-jobs/+/826603 | 01:00 | |
-@gerrit:opendev.org- Zuul merged on behalf of daniel.pawlik https://matrix.to/#/@dpawlik:matrix.org: [zuul/zuul-jobs] 827067: Change RDO train repository for Centos 8 stream https://review.opendev.org/c/zuul/zuul-jobs/+/827067 | 01:00 | |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 827574: Add stats to web server https://review.opendev.org/c/zuul/zuul/+/827574 | 01:14 | |
@jim:acmegating.com | okay i think they should all pass now | 01:14 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 827574: Add stats to web server https://review.opendev.org/c/zuul/zuul/+/827574 | 01:30 | |
-@gerrit:opendev.org- Ian Wienand proposed: | 05:39 | |
- [zuul/zuul-jobs] 827588: ensure-sphinx: Use python3 https://review.opendev.org/c/zuul/zuul-jobs/+/827588 | ||
- [zuul/zuul-jobs] 827589: ensure-virtualenv: Don't support on CentOS 9-stream https://review.opendev.org/c/zuul/zuul-jobs/+/827589 | ||
@tobias-urdin:matrix.org | finally upgraded to zuul 5.0.0 - works great, just have one small issue, maybe it has something to do with us running Gerrit 3.5.0.1 - zuul_return with data.zuul.log_url doesn't make the URL clickable in Gerrit anymore, maybe I've missed something here? | 09:02 |
@avass:vassast.org | Noticed that ready static nodes don't seem to show up in the zuul dashboard anymore. Anyone know why? | 10:09 |
@avass:vassast.org | Looks like the user_data check fails since that field is null for ready static nodes: | 10:35 |
https://opendev.org/zuul/zuul/src/branch/master/zuul/web/__init__.py#L1187 | ||
@avass:vassast.org | and I just found out about the metastatic driver... which doesn't show up in the published documentation :) | 10:52 |
@ekapoun1:matrix.org | Hello, just wondering if there are any plans to implement some sort of secret anonymization in Zuul logs? Akin to Jenkins anonymizing credentials in logs with asterisks? | 11:04 |
@tobias-urdin:matrix.org | ignore above, I forgot to set web.status_url | 11:09 |
@avass:vassast.org | ekapoun1: I don't think there is any plan to implement that at the moment. But you could implement that quite easily yourself if you need it; all you need to do is run a role before the log upload to remove all secrets. | 11:48 |
@avass:vassast.org | that doesn't cover the log stream however | 11:48 |
@avass:vassast.org | Another way to do it is to implement your own ansible module and mark an input to the module with `no_log: true` which will make ansible filter the secret in the output | 11:50 |
@avass:vassast.org | ekapoun1: for example: https://review.opendev.org/plugins/gitiles/zuul/zuul-jobs/+/refs/changes/08/764808/75/roles/zuul-cache-s3/library/zuul_cache_s3_urls.py#97 | 11:55 |
-@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 827665: Only delete bundle items that aren't in ANY queue https://review.opendev.org/c/zuul/zuul/+/827665 | 13:47 | |
-@gerrit:opendev.org- Rodion proposed: [zuul/zuul-jobs] 827682: Implement role https://review.opendev.org/c/zuul/zuul-jobs/+/827682 | 15:01 | |
-@gerrit:opendev.org- Rodion proposed: [zuul/zuul-jobs] 827685: Implement ensure-foreleaser role https://review.opendev.org/c/zuul/zuul-jobs/+/827685 | 15:03 | |
-@gerrit:opendev.org- Rodion proposed: [zuul/zuul-jobs] 827686: Implement ensure-goreleaser role https://review.opendev.org/c/zuul/zuul-jobs/+/827686 | 15:07 | |
-@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 827665: Only delete bundle items that aren't in ANY queue https://review.opendev.org/c/zuul/zuul/+/827665 | 15:24 | |
@avass:vassast.org | corvus: I think an old change of yours broke the node dashboard a bit: https://opendev.org/zuul/zuul/commit/aee6ef6f7f93c3c1dccd0576165d71ac1eecd13e :) | 16:05 |
@avass:vassast.org | nodes in-use show up in the dashboard since `user_data` gets set here: https://opendev.org/zuul/zuul/src/commit/aee6ef6f7f93c3c1dccd0576165d71ac1eecd13e/zuul/nodepool.py#L330 | 16:06 |
@avass:vassast.org | or is it intentional to only show held and in-use nodes? Since ready and building still show up in nodepool's API | 16:07 |
@clarkb:matrix.org | > <@avass:vassast.org> Another way to do it is to implement your own ansible module and mark an input to the module with `no_log: true` which will make ansible filter the secret in the output | 16:16 |
I think relying on `no_log` is what we expect most users to do. Ansible does a lot of work to scrub inputs and outputs that are no_log'd. | ||
@jim:acmegating.com | Albin Vass: i believe those changes reconcile the fact that zuul shows a tenant view of the world, so the node list shows nodes that are currently assigned to that tenant (and therefore avoids leaking information about other tenants) | 16:35 |
@jim:acmegating.com | Albin Vass: i could see us altering that to also include (ready+no tenant) nodes, though that's still a small information leak | 16:36 |
@jim:acmegating.com | it's worth considering at least. i certainly see the utility | 16:36 |
@avass:vassast.org | corvus: yeah makes sense to only expose that info with nodepool in that case | 16:36 |
@avass:vassast.org | not anything I need, just noticed changed behaviour that I'm used to :) | 16:37 |
@fungicide:matrix.org | out of curiosity, does anyone happen to know how jenkins implements its aforementioned credential redaction feature? in particular, how does it know what should be redacted? is it pattern-based (looking for known ways sensitive information can be presented in logs) or explicitly instructed as to which strings should be replaced? | 16:41 |
@clarkb:matrix.org | fungi: I believe it does it for the secrets it manages. So it explicitly looks for the strings it knows are secret and replaces them with *****'s | 16:42 |
@fungicide:matrix.org | i have a related interest in intentional injection of mock-sensitive data in order to test software for things like credential leaks (set a known canary and then scan for its presence in logs or other outputs) | 16:43 |
@clarkb:matrix.org | ansible ends up doing something very similar with the inputs and outputs of no_log tasks. Basically if you give something an input and no_log that action then the outputs get that input replaced with ****s | 16:44 |
@fungicide:matrix.org | as far as replicating the jenkins feature, i suppose we could stream-edit the console logs too, the executor has access to the secrets allowed in a build and it could find them and substitute placeholders while proxying the finger socket | 16:45 |
@jpew:matrix.org | Ya, Jenkins does a context-less find/replace.... I've seen "simple" passwords accidentally revealed because the string happened to be redacted elsewhere in the log :) | 16:45 |
@jim:acmegating.com | jpew: doh! :) | 16:45 |
@fungicide:matrix.org | oh, right! i remember a case of that being pointed out | 16:46 |
@fungicide:matrix.org | yeah, that's a hilarious side-channel leak example | 16:46 |
@fungicide:matrix.org | exploitable too... trigger a job which uses a secret where you can't access the secret but you can generate lots of output under your control, and then use the redaction as an oracle against your list of potential candidate strings | 16:53 |
@fungicide:matrix.org | granted, in most cases that's probably an inefficient brute-force mechanism, but in some situations where the job workers may have privileged network access that might be faster than having the job try to brute-force connections | 16:55 |
@fungicide:matrix.org | (don't try this at home, kids) | 16:57 |
-@gerrit:opendev.org- Ian Wienand proposed: | 21:03 | |
- [zuul/zuul-jobs] 827588: ensure-sphinx: Use python3 https://review.opendev.org/c/zuul/zuul-jobs/+/827588 | ||
- [zuul/zuul-jobs] 827589: ensure-virtualenv: Don't support on CentOS 9-stream https://review.opendev.org/c/zuul/zuul-jobs/+/827589 | ||
@clarkb:matrix.org | ianw: on 827588 any idea how centos-7 supports that change? SF third party ci passes indicating it does work on that platform. I guess maybe through the very late addition of python3 to centos-7? | 22:24 |
@clarkb:matrix.org | Basically CI passes and is happy which is great. I'm just confused how it managed to do so on that platform :) | 22:24 |
@iwienand:matrix.org | yeah python36 is standard there now | 22:25 |
@iwienand:matrix.org | 827588 is a dependency only because it's the only thing that seems to use ensure-virtualenv by default | 22:26 |
@iwienand:matrix.org | we could, i guess, install virtualenv with pip for 9-stream to implement ensure-virtualenv on that platform | 22:27 |
@iwienand:matrix.org | but, since upstream don't want to package it, we just seem to be setting ourselves up for sadness, so if we can run without it, all the better imo | 22:27 |
@clarkb:matrix.org | ++ I did leave comments on the centos 9 stream change though | 22:28 |
@clarkb:matrix.org | I think a couple of the conditions may not be correct? | 22:28 |
@iwienand:matrix.org | sigh, yes rushed a bit on that, thanks, let me look | 22:31 |
@iwienand:matrix.org | are you supposed to use ansible_facts['fact'] now? | 22:38 |
@clarkb:matrix.org | I have no idea | 22:39 |
-@gerrit:opendev.org- Ian Wienand proposed: [zuul/zuul-jobs] 827589: ensure-virtualenv: Don't support on CentOS 9-stream https://review.opendev.org/c/zuul/zuul-jobs/+/827589 | 22:41 | |
@iwienand:matrix.org | hopefully that's a more expressive way of writing the conditionals | 22:42 |
@clarkb:matrix.org | That looks better | 22:43 |
-@gerrit:opendev.org- Zuul merged on behalf of Ian Wienand: [zuul/nodepool] 827577: Bump Openshift test to Fedora 35 https://review.opendev.org/c/zuul/nodepool/+/827577 | 23:18 | |
-@gerrit:opendev.org- Zuul merged on behalf of Ian Wienand: [zuul/zuul-jobs] 827588: ensure-sphinx: Use python3 https://review.opendev.org/c/zuul/zuul-jobs/+/827588 | 23:22 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!