-@gerrit:opendev.org- Damian Fajfer proposed: [zuul/zuul] 956152: Update swagger-ui npm package https://review.opendev.org/c/zuul/zuul/+/956152 | 11:32 | |
@fajfer:reszka.org | was the zuul-status plugin ever present in review.opendev.org or is it turned off for zuul/zuul master | 11:48 |
-@gerrit:opendev.org- Damian Fajfer proposed: [zuul/zuul] 956152: Update swagger-ui npm package https://review.opendev.org/c/zuul/zuul/+/956152 | 12:00 | |
@fungicide:matrix.org | fajfer (@dfajfer:fsfe.org): no, we only use the zuul-results-summary plugin in opendev. you can find the current list of plugins for our gerrit container image here: https://opendev.org/opendev/system-config/src/branch/master/zuul.d/docker-images/gerrit.yaml#L72-L109 | 13:03 |
@fajfer:reszka.org | ohh, thank you:) | 13:03 |
@fajfer:reszka.org | this is a really nice way to manage plugins btw | 13:05 |
@fungicide:matrix.org | we get a lot of mileage out of zuul with our service container builds, since we can basically reuse our deployment ansible to create ephemeral test copies of all the interrelated systems on the fly and test them speculatively with new versions of gerrit or adjustments to our configuration | 13:11 |
@fungicide:matrix.org | including things like taking ui screenshots: https://zuul.opendev.org/t/openstack/build/dee8161f5c8f4d8ea9f9c5672eb4b35a/artifacts | 13:14 |
-@gerrit:opendev.org- Damian Fajfer proposed: [zuul/zuul] 956167: Update React version to 4.0.0 https://review.opendev.org/c/zuul/zuul/+/956167 | 13:30 | |
-@gerrit:opendev.org- Damian Fajfer proposed: [zuul/zuul] 956152: Update swagger-ui npm package https://review.opendev.org/c/zuul/zuul/+/956152 | 13:37 | |
-@gerrit:opendev.org- Damian Fajfer proposed wip: [zuul/zuul] 956167: Update React version to 4.0.0 https://review.opendev.org/c/zuul/zuul/+/956167 | 14:25 | |
@keerthivasan_suresh:matrix.org | fungi: / Team, I am trying to expose the log url which is a git hub repo link in build output. | 14:57 |
I have added relevant ansible roles to push the logs into github repo and exposed the urls using zuul_return log url approach. | ||
It went fine and it's updating the respective job logs urls properly. | ||
But PR comments in gerrit always show zuul links instead of github url links. | ||
How do I fix this? My zuul web server is not publicly exposed. | ||
In zuul.conf I see "root" param under "[web]", can I change this to my github url? I am a bit skeptical about this change - felt it might impact the Zuul web service? | ||
I guess the build urls are based out of this root path, is there any other option/way to pass my github log urls? | ||
@fungicide:matrix.org | Keerthivasan S (he/him): zuul isn't designed to report log urls because they lack the greater context for all the build and buildset metadata. instead we recommend running the zuul-web service(s) in a dmz or similar reachable network | 15:18 |
@fungicide:matrix.org | see https://zuul-ci.org/docs/zuul/latest/components.html for an overview of what intercommunication between zuul-web and other components looks like | 15:19 |
@keerthivasan_suresh:matrix.org | fungi: We have internal security constraints blocking us. Apart from exposing the zuul web service, are there any other options we have? Please suggest | 15:27 |
@fungicide:matrix.org | i don't know of any other options, but maybe someone else here has ideas | 15:30 |
@sdodsley:matrix.org | I personally think that dropping the ability to change the log URL was a mistake - corporate security rules are very strict these days and exposing anything to the outside world is not looked at in a good light. | 15:31 |
@fungicide:matrix.org | out of curiosity, why choose zuul? needing to make build logs public while not being allowed to make the build results public seems like a contradictory set of requirements | 15:32 |
@sdodsley:matrix.org | This is for the OpenStack 3rd Party CI system | 15:32 |
@fungicide:matrix.org | seems like environments of that nature wouldn't ever want their job logs to be piblicly exposed | 15:32 |
@fungicide:matrix.org | s/piblicly/publicly/ | 15:32 |
@fungicide:matrix.org | well, openstack third-party ci systems can use whatever software you like that meets your corporate security requirements, doesn't have to be zuul (and in that particular case it seems like a bit of a mismatch to me) | 15:33 |
@sdodsley:matrix.org | well software factory was supposed to be the way to go to 3rd party, and that uses zuul | 15:34 |
@fungicide:matrix.org | as for workarounds, i've seen some people report success with getting permission to run an external http(s) reverse-proxy to the zuul-web service instead of directly exposing https on the server running the zuul-web process | 15:38 |
@fungicide:matrix.org | but every security policy is different | 15:39 |
@sdodsley:matrix.org | but does that require the zuul web service to be on its own server? | 15:41 |
@sdodsley:matrix.org | currently we have it as an all-in-1 platform | 15:41 |
@fungicide:matrix.org | not if using a reverse-proxy, but if you wanted to put the zuul-web process in a dmz network with limited access to the other components then yes i think that would imply not doing an all-in-one install | 15:43 |
@fungicide:matrix.org | when cases like this come up, i do wonder if the people applying these policies and objecting to exposing a web interface realize that the zuul executors in an openstack third-party ci system are running code built from completely untrusted patches submitted by random people on the internet... that seems way more risky to me, as someone with years doing information security for a living | 15:44 |
@sdodsley:matrix.org | lol - i don't disagree - security people have very blinkered view points | 15:44 |
@fungicide:matrix.org | in opendev, for example, we run test nodes and zuul-executor (and all other zuul services for that matter) in external hosting completely disconnected from any sensitive networks, with local firewalling on every single server controlling what protocols they're allowed to connect over | 15:48 |
@fungicide:matrix.org | because who knows what a proposed change might actually try to do in a test? | 15:48 |
@sdodsley:matrix.org | our ci is firewalled off from the corporate network, but security only wanted SSH out, not HTTP(s) in when talking to the outside world. | 15:50 |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 956119: Improve handling of unassigned ready nodes https://review.opendev.org/c/zuul/zuul/+/956119 | 17:34 | |
-@gerrit:opendev.org- Damian Fajfer proposed wip: [zuul/zuul] 956167: Update React version to 4.0.0 https://review.opendev.org/c/zuul/zuul/+/956167 | 17:40 | |
-@gerrit:opendev.org- Damian Fajfer proposed wip: [zuul/zuul] 956167: Update React version to 4.0.0 https://review.opendev.org/c/zuul/zuul/+/956167 | 17:52 | |
@jangutter:matrix.org | I've come to the conclusion that a lot of security theatre is less about security and more about buying insurance, betting on having good luck and salesmanship than preventing actual exploitation. There is a perception that something is "better" because it costs a lot of money, or it makes things more difficult, or it has "commercial support". Sometimes things get bad enough that something can disrupt it (see how letsencrypt razed a lot of the dubious ssl providers). It's very rare that quality is valued these days. | 18:03 |
@jangutter:matrix.org | It's delightfully easy to see what's going on in OpenInfra architecture - you don't need a lot of insider knowledge. That should give you an idea of how good the security choices are. | 18:07 |
@clarkb:matrix.org | `It's very rare that quality is valued these days.` the stovetop in my range has a burner that will only run in full on or full off mode right now. Got a service tech out with a new switch to fix it. The new switch does the exact same thing after letting out some magic smoke and arcing. I wish quality was something that was easier to select for | 18:07 |
@clarkb:matrix.org | it has been suggested that we turn things off at the breaker panel if we leave town as well. | 18:08 |
@fungicide:matrix.org | or when you go to sleep at night? | 18:09 |
@fungicide:matrix.org | yeah that's no good at all | 18:09 |
@jangutter:matrix.org | One observation I also have is that the absolute best people to get commercial support from are the people who have their names in the git logs of the software you're using. If you can't check that easily (the source isn't available, or it's from another company), then you're settling for less. | 18:10 |
@jangutter:matrix.org | Clark: pulse width modulation on something that can literally burn down your house is a little too seat-of-the-pants for me. | 18:14 |
@clarkb:matrix.org | gas valves fail too though. It's all calculated risk vs comfort | 18:15 |
@jim:acmegating.com | Unsurprisingly, I agree about support! Also, it helps those of us in that position to continue to improve the software. :) | 18:15 |
@clarkb:matrix.org | I just wish that the calculated risk could take quality as a given but often that isn't the case. Oh well | 18:15 |
@jangutter:matrix.org | Well, I guess it's a calculated risk the manufacturer is willing to take. | 18:16 |
-@gerrit:opendev.org- Damian Fajfer proposed wip: [zuul/zuul] 956167: Update React version to 4.0.0 https://review.opendev.org/c/zuul/zuul/+/956167 | 19:01 | |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 956187: Reduce endpoint quota limit queries https://review.opendev.org/c/zuul/zuul/+/956187 | 19:10 | |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 956196: Fix test race in launcher test_jobs_executed https://review.opendev.org/c/zuul/zuul/+/956196 | 20:26 | |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 952727: Replace Ansible 8 with 11 https://review.opendev.org/c/zuul/zuul/+/952727 | 20:34 | |
-@gerrit:opendev.org- Clark Boylan proposed: [zuul/zuul] 945521: Add python3.13 unittest job https://review.opendev.org/c/zuul/zuul/+/945521 | 20:42 | |
@clarkb:matrix.org | guess which package got a release this week | 20:43 |
@clarkb:matrix.org | https://pypi.org/project/google-re2/#files there are py313 wheels now | 20:43 |
-@gerrit:opendev.org- Damian Fajfer marked as active: [zuul/zuul] 956167: Update React version to 4.0.0 https://review.opendev.org/c/zuul/zuul/+/956167 | 20:44 | |
-@gerrit:opendev.org- Damian Fajfer proposed: [zuul/zuul] 956202: Update React version to 18.2.0 https://review.opendev.org/c/zuul/zuul/+/956202 | 21:08 | |
@jim:acmegating.com | Clark: hooray! | 21:11 |
@clarkb:matrix.org | and so far the unittests seem to be passing | 21:32 |
-@gerrit:opendev.org- Damian Fajfer proposed: [zuul/zuul] 956167: Update React version to 17.0.0 https://review.opendev.org/c/zuul/zuul/+/956167 | 21:32 | |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 956187: Reduce endpoint quota limit queries https://review.opendev.org/c/zuul/zuul/+/956187 | 21:52 | |
@clarkb:matrix.org | https://review.opendev.org/c/zuul/zuul/+/945521 python 3.13 unittests succeed and don't take much longer despite the python compilation step | 22:33 |
@jim:acmegating.com | Clark: cool -- do you want to recheck that a few times (or maybe make a change to run it 10 times) to get a better baseline? | 22:52 |
@clarkb:matrix.org | corvus: sure, I'll get a ps up to run it 10 times to check | 22:55 |
-@gerrit:opendev.org- Clark Boylan proposed: [zuul/zuul] 945521: Add python3.13 unittest job https://review.opendev.org/c/zuul/zuul/+/945521 | 23:00 | |
-@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul] 956119: Improve handling of unassigned ready nodes https://review.opendev.org/c/zuul/zuul/+/956119 | 23:28 | |
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 956205: Web: handle null provider name on nodes https://review.opendev.org/c/zuul/zuul/+/956205 | 23:59 |