-@gerrit:opendev.org- Ian Wienand proposed: [zuul/nodepool] 849273: [wip] Dockerfile: move into separate group when running under cgroupsv2 https://review.opendev.org/c/zuul/nodepool/+/849273 | 00:13 | |
@tony.breeds:matrix.org | Asking more random questions. In an internal zuul which uses containers, not VMs, inside the container zuul is mapped to uid=0:gid=0, which seems strange to me. | 07:55 |
@tony.breeds:matrix.org | Before I undertake to fix that I wanted to check that there isn't anything special about containers vs VMs that needs that mapping | 07:56 |
@fungicide:matrix.org | > <@tony.breeds:matrix.org> Asking more random questions. In an internal zuul which uses containers, not VMs, inside the container zuul is mapped to uid=0:gid=0, which seems strange to me. | 13:05 |
this is containers with the zuul services in them, or zuul running jobs which do things in containers as job nodes (via the nodepool kubernetes driver or similar)? | ||
@fungicide:matrix.org | if the former, in the opendev collaboratory's deployment we use the official zuul container images from dockerhub according to https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles/zuul-scheduler/files/docker-compose.yaml and the /etc/passwd inside our running scheduler container looks like ``zuul:x:10001:10001:Zuul Daemon:/var/lib/zuul:/bin/sh`` (and /etc/group is similar ``zuul:x:10001:``) | 13:11 |
@fungicide:matrix.org | tony.breeds: looks like that's baked into the official zuul service containers at build time here: https://opendev.org/zuul/zuul/src/branch/master/Dockerfile#L57 | 13:14 |
@fungicide:matrix.org | given that, i'm going to surmise that either you're using custom-built service container images, or you mean that you're using some container-oriented nodepool driver | 13:21 |
@jpew:matrix.org | Is there a plan for the timing of the next nodepool/zuul release? | 14:02 |
@clarkb:matrix.org | > <@jpew:matrix.org> Is there a plan for the timing of the next nodepool/zuul release? | 14:11 |
I think the changes corvus wanted to include all merged last week and OpenDev should be running them as of ~yesterday. My hunch is releases will be made this week if OpenDev shows there aren't major problems | ||
@jpew:matrix.org | Clark: Ah; any chance of getting a few other changes in before the release? | 14:12 |
@jpew:matrix.org | (Already in Gerrit, just waiting) | 14:12 |
@clarkb:matrix.org | Maybe? OpenDev is doing automated rollouts each weekend, but we could also do a manual one to check other changes | 14:13 |
@jpew:matrix.org | At a minimum: https://review.opendev.org/c/zuul/zuul/+/850685 is documentation only. https://review.opendev.org/c/zuul/zuul/+/851550 and https://review.opendev.org/c/zuul/nodepool/+/844467 would be nice for us, but I get if you want to stabilize... maybe they could go in early after the release? | 14:15 |
@clarkb:matrix.org | I can take a look after some breakfast | 14:19 |
@jpew:matrix.org | Clark: Thanks! | 14:19 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: | 20:05 | |
- [zuul/zuul] 850109: Add tests for zuul-client job-graph https://review.opendev.org/c/zuul/zuul/+/850109 | ||
- [zuul/zuul] 850111: Add test for zuul-client freeze-job https://review.opendev.org/c/zuul/zuul/+/850111 | ||
- [zuul/zuul] 851107: Add job graph support to web UI https://review.opendev.org/c/zuul/zuul/+/851107 | ||
- [zuul/zuul] 851268: Add freeze job to web UI https://review.opendev.org/c/zuul/zuul/+/851268 | ||
- [zuul/zuul] 851604: Use internal links in job graph display https://review.opendev.org/c/zuul/zuul/+/851604 | ||
@tony.breeds:matrix.org | > <@fungicide:matrix.org> given that, i'm going to surmise that either you're using custom-built service container images, or you mean that you're using some container-oriented nodepool driver | 21:38 |
Sorry, my question was terribly vague. I meant we're using containers via the kubernetes nodepool driver to run jobs, and inside those containers zuul is uid/gid zero. | ||
So I'm wondering, is there anything special about using containers instead of VMs that requires such permissions. | ||
@tony.breeds:matrix.org | It's entirely possible that we rely on that internally but that's entirely different | 21:39 |
@clarkb:matrix.org | I think that is a deployment question, not necessarily one zuul can answer. For example I know tristanC makes use of a lot of unprivileged containers that can't install packages. But other users may want to be able to do that. | 21:47 |
@tony.breeds:matrix.org | Right so we may benefit from it but it isn't strictly required. | 21:54 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!