Thursday, 2023-03-30

« Wednesday, 2023-03-29 Index Friday, 2023-03-31 »
-@gerrit:opendev.org- Ian Wienand proposed:00:05
- [zuul/zuul-jobs] 879009: container-build : add container_promote_method flag https://review.opendev.org/c/zuul/zuul-jobs/+/879009
- [zuul/zuul-jobs] 878614: remove-registry-tag: role to delete tags from registry https://review.opendev.org/c/zuul/zuul-jobs/+/878614
- [zuul/zuul-jobs] 878740: promote-container-image: use generic tag removal role https://review.opendev.org/c/zuul/zuul-jobs/+/878740
- [zuul/zuul-jobs] 878810: remove-registry-tag: update docker age match https://review.opendev.org/c/zuul/zuul-jobs/+/878810
@clarkb:matrix.orgianw: ok I'll take a look tomorrow after ptg things00:08
@clarkb:matrix.orgthank you for putting that all together00:08
@iwienand:matrix.orgthanks for the input!00:10
@iwienand:matrix.orgonce we clear this out there's got to be a good blog post in here about how zuul abstracts all this out, so when your upstream container registry changes the rules on you, you're not stuck 00:11
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 875263: Fix prune-database command https://review.opendev.org/c/zuul/zuul/+/87526300:12
@iwienand:matrix.orgon a different topic; i noticed encrypting with openssl 3 warned about rsautl being deprecated, leading me to convert it to pkeyutl in -> https://review.opendev.org/c/zuul/zuul-client/+/87880900:16
@iwienand:matrix.orgbut that also got me looking at the other side, it seems that rsautl not just defaulted to using sha-1 in the oaep padding, but only allowed that00:17
@iwienand:matrix.orgso i feel like we're pretty much tied to that?  https://opendev.org/zuul/zuul/src/branch/master/zuul/lib/encryption.py#L11100:17
@iwienand:matrix.orgso my wondering is if this will present a fips issue?00:18
@iwienand:matrix.orgi guess we could do something like "!encrypted/pkcs1-oaep-sha256" as the yaml type?  i didn't quite get to the bottom if that's an important mime type or what00:19
@clarkb:matrix.orgI suspect you would need a new type00:26
@jjbeckman:matrix.org> <@clarkb:matrix.org> I think you may need to use a proxy of some sort that can authenticate/filter access. But I've never had to do that so I'm not sure01:17
Hi Clark. Thank you for confirming that this mechanism isn't built in to the role itself. I guess the IP white listing feature built in to the Azure Blob Service should suffice for now.
@jim:acmegating.comjjbeckman: the storage is accessed directly from client web browsers, not via zuul-web, so keep that in mind when setting up access controls.01:39
-@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul] 875263: Fix prune-database command https://review.opendev.org/c/zuul/zuul/+/87526301:50
@jjbeckman:matrix.org> <@jim:acmegating.com> jjbeckman: the storage is accessed directly from client web browsers, not via zuul-web, so keep that in mind when setting up access controls.06:19
Got it. Advice much appreciated.
-@gerrit:opendev.org- Tim Beermann proposed: [zuul/zuul] 845124: github: added workflow_dispatch trigger https://review.opendev.org/c/zuul/zuul/+/84512408:17
-@gerrit:opendev.org- Matthieu Huin https://matrix.to/#/@mhuin:matrix.org proposed on behalf of Clément Mondion: [zuul/zuul] 767691: [api][cors] Add CORS configuration https://review.opendev.org/c/zuul/zuul/+/76769108:43
@mhuin:matrix.org> <@clarkb:matrix.org> with all that zuul testing sorted out my local python3.10 without x86_640v3 takes ~1851 seconds on 5 cpus and python 3.11 with x86_64-v3 takes ~1659 seconds09:00
Oh btw python3.11 is now packaged for centos 9 stream, so we can use this base for our containers until it hits UBI (RHEL based) - re: the zuul-discuss thread about moving to 3.11
-@gerrit:opendev.org- Matthieu Huin https://matrix.to/#/@mhuin:matrix.org proposed on behalf of Clément Mondion: [zuul/zuul] 767691: [api][cors] Add CORS configuration https://review.opendev.org/c/zuul/zuul/+/76769109:43
-@gerrit:opendev.org- Matthieu Huin https://matrix.to/#/@mhuin:matrix.org proposed on behalf of Clément Mondion: [zuul/zuul] 767691: [api][cors] Add CORS configuration https://review.opendev.org/c/zuul/zuul/+/76769109:46
-@gerrit:opendev.org- Matthieu Huin https://matrix.to/#/@mhuin:matrix.org proposed on behalf of Clément Mondion: [zuul/zuul] 767691: [api][cors] Add CORS configuration https://review.opendev.org/c/zuul/zuul/+/76769110:54
-@gerrit:opendev.org- Dong Zhang proposed: [zuul/nodepool] 878679: Catch and log for NotEmptyError https://review.opendev.org/c/zuul/nodepool/+/87867912:29
-@gerrit:opendev.org- Dong Zhang proposed: [zuul/nodepool] 878679: Catch and log for NotEmptyError https://review.opendev.org/c/zuul/nodepool/+/87867912:37
-@gerrit:opendev.org- Matthieu Huin https://matrix.to/#/@mhuin:matrix.org proposed: [zuul/zuul] 803209: CORS: support regular expressions in allowed origins https://review.opendev.org/c/zuul/zuul/+/80320913:23
@fungicide:matrix.org> <@mhuin:matrix.org> Oh btw python3.11 is now packaged for centos 9 stream, so we can use this base for our containers until it hits UBI (RHEL based) - re: the zuul-discuss thread about moving to 3.1113:31
it's also the default python3 for debian bookworm, now in hard freeze since a few weeks
-@gerrit:opendev.org- Matthieu Huin https://matrix.to/#/@mhuin:matrix.org proposed on behalf of Clément Mondion: [zuul/zuul] 767691: [api][cors] Add CORS configuration https://review.opendev.org/c/zuul/zuul/+/76769114:43
-@gerrit:opendev.org- Matthieu Huin https://matrix.to/#/@mhuin:matrix.org proposed: [zuul/zuul] 803209: CORS: support regular expressions in allowed origins https://review.opendev.org/c/zuul/zuul/+/80320914:47
@clarkb:matrix.org> <@fungicide:matrix.org> it's also the default python3 for debian bookworm, now in hard freeze since a few weeks14:59
To be clear Zuul's current container images are already python 3.11 and we run unittests on 3.11 as the upper bound. We base those images on debian bullseye but use the compiled python to get newer versions than are available by default on that debian version.
@mhuin:matrix.org> <@clarkb:matrix.org> To be clear Zuul's current container images are already python 3.11 and we run unittests on 3.11 as the upper bound. We base those images on debian bullseye but use the compiled python to get newer versions than are available by default on that debian version.15:03
Do you have any means of verifying the compiled python plays nice with the underlying OS? There may be missing or mismatched dependencies causing python to be broken. Basically it's the packagers' job (deb or rpm) to ensure that for you
@clarkb:matrix.org> <@mhuin:matrix.org> Do you have any means of verifying the compiled python plays nice with the underlying OS? There may be missing or mismatched dependencies causing python to be broken. Basically it's the packagers' job (deb or rpm) to ensure that for you15:04
we rely on the offcial python docker image builds to sort that out for us. But its been working for years just fine and I think fungi does similar on his debian machines locally too
@mhuin:matrix.orgwhich is why over there we prefer to wait for official support of 3.1115:04
@clarkb:matrix.orgwe also test the images across a number of projects not just with zuul and ya its been fine15:04
@mhuin:matrix.orgoh ok, probably safe to assume the python maintainers know what they're doing15:04
@mhuin:matrix.org * which is why over there we prefer to wait for official support of 3.11 (as in officially packaged for the OS)15:05
@clarkb:matrix.orgthere was one thing that came up with their arm builds that ianw suggested a fix for upstream and they fixed it. Had to do with linker path lookups or something15:05
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 879063: Handle zuul.yaml files with only comments https://review.opendev.org/c/zuul/zuul/+/87906316:40
-@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul] 878725: Check Gerrit submit requirements https://review.opendev.org/c/zuul/zuul/+/87872516:59
@iwienand:matrix.org> <@clarkb:matrix.org> there was one thing that came up with their arm builds that ianw suggested a fix for upstream and they fixed it. Had to do with linker path lookups or something19:40
yep the built python was finding the system python .so, and confusion of dist-package/site-packages ensued : https://github.com/docker-library/python/issues/784
@clarkb:matrix.orgianw: corvus and I haev reviewed the container stack. I didn't approve the first two changes despite them having tw o +2's ebcause I am not sure if we want ot land that whole stack in a short period of time20:10
-@gerrit:opendev.org- Tobias Urdin proposed: [zuul/zuul] 877587: web: add dark mode and theme selection https://review.opendev.org/c/zuul/zuul/+/87758720:10
@iwienand:matrix.org> <@clarkb:matrix.org> ianw: corvus and I haev reviewed the container stack. I didn't approve the first two changes despite them having tw o +2's ebcause I am not sure if we want ot land that whole stack in a short period of time20:39
thanks, i think i just have to slightly rework the upload role and comments
@iwienand:matrix.orgcorvus: on the upload role; one thing I think upload has to distinguish is if it is a speculative upload as part of promote pipeline -- and so use change_XXX_ prefix on it, or is it a tag/release pipline upload -- in that case using the regular tag name?23:09
@iwienand:matrix.orgbasically the equivalent of upload_docker_image_promote https://opendev.org/zuul/zuul-jobs/raw/branch/master/roles/upload-docker-image/README.rst23:18
@iwienand:matrix.orghrm, i think i see.  it would make more sense for the promote role to have a equivalent to "upload_container_image_promote" i think23:21
« Wednesday, 2023-03-29 Index Friday, 2023-03-31 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!