19:01:01 <clarkb> #startmeeting infra 19:01:02 <openstack> Meeting started Tue Apr 7 19:01:01 2020 UTC and is due to finish in 60 minutes. The chair is clarkb. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:01:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 19:01:05 <openstack> The meeting name has been set to 'infra' 19:01:12 <clarkb> #link http://lists.opendev.org/pipermail/service-discuss/2020-April/000000.html Our Agenda 19:01:13 <zbr> o/ 19:01:20 <clarkb> #topic Announcements 19:01:46 <clarkb> For announcements the big one is the meeting is now here instead of #openstack-meeting. If you are in this cahnnel you already know that, but I had this up as a reminder to notify #openstack-meeting too 19:02:12 <clarkb> we've also got service-discuss@lists.opendev.org up and running. You should join that mailing list if you are interested in working on the services that comprose opendev 19:02:42 <clarkb> if you justwant important announcements service-announce@lists.opendev.org is a good option (and fungi has a change up to udpate that info on https://opendev.org with shiny links) 19:03:29 <fungi> though the site does at least currently mention the new mailing lists 19:03:37 <diablo_rojo> o/ 19:03:59 <fungi> so that's a start 19:04:16 <fungi> #link https://review.opendev.org/718188 Add IRC logs and ML subscribe links to opendev.org 19:04:23 <fungi> (for the change clarkb mentioned) 19:04:27 <clarkb> fungi: did infra-manual get updated too? 19:04:42 <fungi> there were no mentions of our ml in infra-manual as far as i could find 19:04:59 <fungi> which i think is likely a glaring omission, but at least did not warrant correcting 19:05:09 <corvus> o/ 19:05:27 <fungi> adding it would be a good idea though 19:05:27 <clarkb> fungi: I think there may be one or two occurences. I'll try to take a look after the meeting 19:05:42 <fungi> possible my git grep was wrong 19:06:03 <mordred> o/ 19:06:12 <corvus> so mordred will handle all of that then.. great! 19:06:21 <clarkb> works for me 19:06:25 <fungi> clarkb: i take that back, it turns up the setup.cfg 19:06:38 <fungi> which i noticed but figured was not worth correcting on its own 19:07:01 <clarkb> fungi: doc/source/index.rst and doc/source/creators.rst too looks like 19:07:07 <clarkb> #topic Priority Efforts 19:07:15 <clarkb> Lets dive right into the bulk of the meeting 19:07:23 <clarkb> #topic Update Config Management 19:07:43 <clarkb> mordred: you've been pushing most of this along the last little while. Would you like to summarize some of the updates to how we are config managementing now 19:07:58 <fungi> clarkb: oh! i searched for the e-mail address, yep, we have the hyperlink in there, will fix 19:08:37 <mordred> yes! so - there's this great stack everyone should review 19:08:50 <mordred> https://review.opendev.org/#/q/topic:infra-prod-zuul+status:open 19:09:12 <mordred> but we've made great progress on shifting things from running out of cron on bridge.openstack.org to being triggered by zuul 19:09:21 <mordred> for many things things means we can insta-run them on landing 19:09:48 <mordred> there are a few things where we have external deps (and in this case external also includes zuul) - where we still need to also run periodically 19:09:54 <mordred> so we added a new hourly pipeline to run those in 19:10:16 <mordred> the whole stack should be ready to go - it's just about landing things as we're comfortable 19:10:24 <mordred> as a note - logs are not being collected and published by default 19:10:42 <mordred> there is a flag for that and we should only set it on a per-job basis once we've verified that the logs don't contain secret infos 19:11:18 <mordred> I've also got a dockerized etherpad in progress, and a patch up for dockerized zuul 19:11:33 <clarkb> https://review.opendev.org/#/c/718161/ is a change I wrote to make that verification of logs easier (as well as finding historical lgso in the current setup) 19:11:42 <clarkb> basically it will curate the logs on bridge for you 19:12:07 <mordred> yah. end-goal should be that we don't have logs only on bridge- but it might take us a little bit to safely get tehre 19:12:25 <corvus> oh nice 19:13:23 <clarkb> one thing that I thought about yseterday when debugging gerrit weirdness is we are still not running containered gerrit yet are we? 19:13:25 <mordred> https://review.opendev.org/#/c/717620/ is the zuul patch fwiw - there is a blocker with that we'll need to figure out, which is using AFS from bubblewrap from inside docker 19:13:30 <clarkb> should we plan to make that restart happen soon? 19:13:33 <mordred> clarkb: no - we need to do a restart 19:13:35 <mordred> and yse 19:13:46 <mordred> basically just need a stop/start cycle 19:13:53 <mordred> so it shouldn't be a long downtime 19:14:01 <clarkb> maybe friday g=considering it is a holiday in many parts of the world? 19:14:07 <mordred> ++ 19:14:08 <clarkb> not sure where the g= came from 19:14:22 <mordred> google probably added it for you 19:14:46 <fungi> g++ 19:15:05 <fungi> (maybe gnu added it for you!) 19:15:51 <clarkb> alright anything else related to config management? 19:16:35 <mordred> I think that's it from me 19:17:07 <clarkb> #topic OpenDev 19:18:00 <clarkb> Now that we've started getting the forward looking comms channels stuff set up I/we (though I'm volunteering, help apprecaited if interested) need to start the ball rolling on project leadership formalization as well as building the advisory board 19:18:22 <clarkb> Today is supposed to be nice and sunny so I'll work on drafting some emails to the list to kick that off (I'll share them in etherpads) 19:18:35 <fungi> #link https://review.opendev.org/718193 Update contact info for OpenDev community 19:18:37 <clarkb> my picnic table should be well positioned for writing emails :) 19:18:53 <fungi> just to follow up on my terrible git grep skills earlier 19:19:04 <fungi> (infra-manual edits) 19:19:22 <clarkb> yup the other half of this is updating links and documents as necessary. If you find some old info please send up a patch or let someone know and we'll get a patch up 19:20:36 <clarkb> and more generally if you find documents that are out of date or could use a perspective shift let us know (doesn't have to be limited to the new comms channels) 19:20:53 <clarkb> the Get Started links on gitea are a good example of that turning out to be a positive chagne for everyone :) 19:21:45 <clarkb> fungi: did you want to talk about the authentication stuff now? 19:21:55 <fungi> oh, yeah probably good to revisit that 19:22:19 <fungi> mainly just thinking we're reaching the point where it warrants rekindling the sso efforts we've started multiple times in the past 19:22:28 <mordred> ++ 19:22:42 <fungi> revisiting some old ground, also seeing what might be new since the last time we looked 19:23:00 <fungi> i was going to hit knikolla up for a bit more detail on the thing morgan had started working on for keystone 19:23:33 <fungi> also i think i'm going to write a spec 19:23:50 <fungi> even though it may be premature with no actual software identified we can use 19:24:15 <fungi> we basically have no documentation i've been able to find anywhere of the discussions we've had previously about what it is we want out of an sso implementation 19:24:18 <clarkb> fungi: if it can identify specific use cases as well as what we need to transition from that would probably be helpful even without specific suggestions 19:24:19 <mordred> it's worth noting that since last we looked the governance of dex has changed - and we also run things in containers now (which I believe was one of our concerns with it before, it was sort of "run me in containers" centric) 19:25:02 <clarkb> mordred: there is also a newish thing called gluu that I ran across 19:25:07 <fungi> well, also some brief re-researching suggests we may want to consider options like completely dropping launchpad authentication 19:25:12 <mordred> I believe we'd have to implement an openid v1 provider for dex if we wanted to use it and continuing having launchpad be a login source - but it _is_ an SSO proxy project, so other than lack of openid v1 it does seem to understand our use case 19:25:26 <mordred> cool 19:25:39 * mordred is guessing we;ll have to add openidv1 support to _anything_ we wind 19:25:41 <mordred> find 19:25:54 <clarkb> mordred: or give up on openidv1 entirely 19:26:00 <fungi> it seems launchpad never moved beyond very early openid protocols, and none of the currently maintained identity solutions out there support the protocols it uses these days 19:26:46 <clarkb> launchpad implements some subsets of other things like saml and oauth but only for their internal usage apparently? I have no idea if that might provide us a stepping stone or not 19:26:56 <clarkb> but definitely interested to start writing all this down 19:27:01 <fungi> so yes, we should weigh whether a coordinated forklift of users with no clean migration from launchpad is more or less work than writing openid v1 support into whatever we end up deciding on 19:27:18 <mordred> agree 19:27:41 <fungi> that was the biggest sticking point i recall morgan running up against in his last attempt 19:28:06 <mordred> yeah - our existing login data being openid v1 from launchpad is challenging :) 19:28:07 <fungi> so keeping in mind that may simply be an unsatisfyable requirement and considering alternative options 19:28:11 <mordred> yup 19:28:40 <mordred> I don't think we need to keep launchpad as an ongoing auth source - but I do think we should be able to migrate and have people still able to log in to their gerrit account 19:29:02 <fungi> anyway, that's all i had, mostly just wanted to be sure folks think it's reasonable to whip up a spec to try and express what we want, even if we don't have more than a loose design plan so far 19:29:05 <mordred> ++ 19:29:07 <mordred> yes please 19:29:23 <mordred> clarkb: gluu also doesn't support openidv1 19:29:28 <clarkb> mordred: ya basically nothing does 19:29:48 <clarkb> once google killed it everyone seemed to stop supporting it 19:30:18 <corvus> it's pretty easy to add to anything written in python 19:30:22 <fungi> i've also heard rumors that some red hat employees don't want to interact with opendev services because it requires them to sign in with an ubuntu account, so providing more neutrally-branded options will hopefully satisfy some of those seemingly irrational objections 19:30:37 <mordred> clarkb: fwiw - dex does jwt (good for zuul) and gluu does UMA - so that's a thing we should consider too 19:31:12 <mordred> fungi: for the record, I am not motivated by sectarianism, and might be anti-motivated by that 19:31:14 <mordred> BUT 19:31:22 <mordred> I still think we need a better SSO story 19:31:32 <fungi> yes, which is my primary motivation 19:31:42 <corvus> at the very least, if there's a spec (or even a draft spec), you can just point them at that and say 'patches welcome' 19:31:44 <fungi> well, that and not being wholly dependent on a single identity provider we don't control 19:31:51 <mordred> yup 19:31:52 <fungi> corvus: yep, precisely 19:31:55 <clarkb> mordred: I believe UMA is a superset of jwt so it may all just work 19:31:59 <mordred> clarkb: cool 19:32:06 <clarkb> (if it comes down to a uma providing tool being preferable) 19:32:27 <mordred> oh - other differences - gluu is java, dex is go - neither is python 19:32:39 <fungi> corvus: in fact i wanted to pass along the "patches welcome" invitation along with a link to our plan, and then realized i couldn't find it written down anywhere 19:33:06 <clarkb> but ya I'm not super concerned about specific tools as much as "the tools in the space ahs changed lets reevaluate with some concrete use cases/requirements/goals" 19:33:14 <mordred> clarkb: ++ 19:33:15 <corvus> i think there was a (draft) spec, i'm not sure we ever approved it? 19:33:35 <fungi> corvus: maybe it got abandoned, i checked proposed specs and didn't see one 19:33:44 <fungi> also possible i'm blind 19:34:08 <fungi> if the old spec can be found i'm happy to resurrect/revise/whatever 19:34:16 <fungi> will go back and look again to be certain 19:35:00 <clarkb> thanks! 19:35:30 <corvus> it looks like ubuntu one uses oauth for the desktop portion of things 19:35:49 <corvus> i wonder if there might be something usable there? 19:35:53 <fungi> that sounds like it would have to be public-facing then 19:35:57 <clarkb> corvus: ya there is definitely some stuff to investigate there as option for migration 19:36:24 <clarkb> fungi: I believe its all public facing, but they don't do fully spec compliant implementations, they just do the subset they need for $usecase 19:36:26 <corvus> (or continued support for people who want to keep using that) 19:36:40 <clarkb> so if our use case can fit into that subset (and we can figure out how to integrate with launchpad with no docs) that may be viable 19:36:42 <mordred> maybe it's enough for a transition 19:36:43 <mordred> yeah 19:37:42 <fungi> also i just went back over open and abandoned specs and didn't find it. i thought i remembered an outline in a mailing list post (maybe from corvus) several years back, but my searching was insufficient to locate it 19:37:54 <fungi> might be remembering the old idp poc 19:37:54 <corvus> i thought mordred wrote it 19:37:59 <fungi> ahh, perhaps 19:38:00 <mordred> I think I might have sent the email 19:38:03 <mordred> but I also can't find it 19:38:05 <mordred> I remember writing it 19:38:19 <fungi> well, at this point it's likely easier to just redo from scratch 19:38:21 <fungi> enough has changed 19:38:32 <fungi> i'll see what i come up with 19:38:38 <mordred> yeah - I think the biggest benefit of finding it might have been the part where we describe the use case 19:39:14 <fungi> anyway, didn't want to suck up this much of the meeting 19:39:43 <clarkb> there wasn't much else on the agenda. Why don't we finish that up then can continue this discussion after if we have time 19:39:57 <clarkb> Does anyone else have OpenDev related items to bring up (that was all I had)? 19:41:27 <clarkb> #topic General Topics 19:41:36 <clarkb> Only one entry here, the wiki entry. 19:41:50 <clarkb> fungi: fwiw I am happy to remove it, but since we've been good at ignoring the wiki in the past I don't want to forget it if there is movement on it 19:42:09 <clarkb> I don't think there has been recent movement. Let me know if you think its useful to have the check ins or if we should remove this from the agenda 19:42:56 <fungi> there has not, i also am not sure it's useful to revisit weekly, but am unopposed 19:43:12 <fungi> maybe i or someone will take it as a cue to do something 19:43:55 <clarkb> k 19:44:00 <clarkb> #topic Open Discussion 19:44:16 <clarkb> feel free to discuss the authentication stuff more now. Or bring up other items 19:44:53 <fungi> i didn't really have anything else on that topic for now, but if folks had more suggestions i'm game 19:45:46 <ianw> i'm making some progress on removing pip-and-virtualenv 19:46:21 <ianw> basically going through zuul-jobs and figuring out where we've made assumptions that pip and virtualenv exist on the platform they're running on 19:47:36 <ianw> this has come to more of a head with latest fedora's and suse's dropping python2 support, making changes required in the pip-and-virtualenv element that would make it even crazier than it already is 19:47:37 <mordred> it's maybe worth mentioning there is a big pile of changes in zuul-jobs that just landed to rename things from install- to ensure- 19:48:02 <mordred> ianw: ++ 19:48:14 <fungi> good timing in that case! 19:48:22 <ianw> yep, ensure-* seems to fit what we do much better 19:50:51 <fungi> i feel like moving the meeting to our shiny new channel has also made it faster 19:51:06 <clarkb> fungi: there was also lots of fire fighting over the last week 19:51:09 <clarkb> or maybe it seemed that way 19:51:16 <fungi> no, there definitely was 19:51:41 <fungi> the past several weeks really 19:52:23 <clarkb> sounds like that may be it for the meeting? 19:52:31 <clarkb> I'll go ahead and call it a few minutes early. 19:52:33 <clarkb> THanks everyone! 19:52:35 <fungi> our first early finish in... ages 19:52:36 <clarkb> #endmeeting