19:00:52 <fungi> #startmeeting infra 19:00:52 <opendevmeet> Meeting started Tue Dec 19 19:00:52 2023 UTC and is due to finish in 60 minutes. The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:00:52 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 19:00:52 <opendevmeet> The meeting name has been set to 'infra' 19:01:15 <fungi> #link https://wiki.openstack.org/wiki/Meetings/InfraTeamMeeting#Agenda_for_next_meeting Our Agenda 19:01:29 <fungi> #topic Announcements 19:02:37 <fungi> #info The OpenDev weekly meeting is cancelled for the next two weeks owing to lack of availability for many participants; we're skipping December 26 and January 2, resuming as usual on January 9. 19:03:06 <fungi> i'm also skipping the empty boilerplate topics 19:03:19 <fungi> #topic Upgrading Bionic servers to Focal/Jammy (clarkb) 19:03:30 <fungi> #link https://etherpad.opendev.org/p/opendev-bionic-server-upgrades 19:04:07 <tonyb> mirrors are done and need to be cleaned up 19:04:07 <fungi> there's a note here in the agenda about updating cnames and cleaning up old servers for mirror replacements 19:04:12 <fungi> yeah, that 19:04:18 <fungi> are there open changes for dns still? 19:04:35 <tonyb> I started doing this yesterday but wanted additional eyes as it's my first time 19:04:41 <fungi> or do we just need to delete servers/volumes? 19:04:48 <tonyb> no open changes ATM 19:04:53 <tonyb> that one 19:04:56 <fungi> what specifically do you want an extra pair of eyes on? happy to help 19:05:43 <tonyb> fungi: the server and volume deletes I understand the process 19:06:13 <fungi> i'm around to help after the meeting if you want, or you can pick another better time 19:06:28 <tonyb> fungi: after the meeting is good for me 19:07:13 <fungi> sounds good, thanks! 19:07:15 <tonyb> I've started looking at jvb and meetpad for upgrades 19:07:22 <fungi> that's a huge help 19:07:49 <tonyb> I'm thinking we'll bring up 3 new servers and then do a cname swiatch. 19:08:11 <fungi> that should be fine. there's not a lot of utilization on them at this time of year anyway 19:08:31 <fungi> #topic DIB bionic support (ianw) 19:08:34 <tonyb> I was considering a more complex process to growing the jvb pool but I think that way is uneeded 19:08:55 <fungi> i think this got covered last week. was there any followup we needed to do? 19:09:15 <fungi> seems like there was some work to fix the dib unit tests? 19:09:44 <fungi> i'm guessing this no longer needed to be on the agenda, just making sure 19:10:50 <fungi> #topic Python container updates (tonyb) 19:11:12 <fungi> zuul-operator seems to still need addressing 19:11:13 <tonyb> no updates this week 19:11:33 <fungi> no worries, just checking. thanks! 19:11:40 <fungi> Gitea 1.21.1 Upgrade (clarkb) 19:11:44 <fungi> er... 19:11:47 <fungi> #topic Gitea 1.21.1 Upgrade (clarkb 19:11:59 <tonyb> Yup I intend to update the roles to enhance container logging and then we'll have a good platform to understand the problem 19:12:32 <fungi> we were planning to do the gitea upgrade at the beginning of the week, but with lingering concerns after the haproxy incident over the weekend we decided to postpone 19:12:57 <tonyb> I think we're safe to remove the 2 LBs from emergency right? 19:13:18 <fungi> #link https://review.opendev.org/903805 Downgrade haproxy image from latest to lts 19:13:23 <fungi> that hasn't been approved yet 19:13:45 <fungi> so not until it merges at least 19:13:45 <tonyb> Ah 19:14:02 <fungi> but upgrading gitea isn't necessarily blocked on the lb being updated 19:14:20 <fungi> different system, separate software 19:14:47 <tonyb> Fair point 19:15:21 <fungi> anyway, with people also vacationing and/or ill this is probably still not a good time for a gitea upgrade. if the situation changes later in the week we can decide to do it then, i think 19:15:39 <tonyb> Okay 19:15:54 <fungi> #topic Updating Zuul's database server (clarkb) 19:16:26 <tonyb> I suspect there hasn't been much progress this week. 19:16:35 <fungi> i'm not sure where we ended up on this, there was research being done, but also an interest in temporarily dumping/importing on a replacement trove instance in the meantime 19:16:50 <fungi> we can revisit next year 19:17:03 <fungi> #topic Annual Report Season (clarkb) 19:17:13 <fungi> #link OpenDev's 2023 Annual Report Draft will live here: https://etherpad.opendev.org/p/2023-opendev-annual-report 19:17:45 <fungi> we need to get that to the foundation staff coordinator for the overall annual report by the end of the week, so we're about out of time for further edits if you wanted to check it over 19:18:11 <fungi> #topic EMS discontinuing legacy/consumer hosting plans (fungi) 19:19:04 <fungi> we received a notice last week that element matrix services (ems) who hosts our opendev.org matrix homeserver for us is changing their pricing and eliminating the low-end plan we had the foundation paying for 19:20:01 <fungi> the lowest "discounted" option they're offering us comes in at 10x what we've been paying, and has to be paid a year ahead in one lump sum 19:20:10 <fungi> (we were paying monthly before) 19:20:12 <tonyb> when? 19:20:29 <tonyb> does the plan need to be purchased 19:20:33 <fungi> we have until 2024-02-07 to upgrade to a business hosting plan or move elsewhere 19:20:43 <tonyb> phew 19:21:02 <fungi> so ~1.5 months to decide on and execute a course of action 19:21:10 <tonyb> not a lot of lead time but also some lead time 19:22:35 <corvus> is the foundation interested in upgrading? 19:22:43 <fungi> i've so far not heard anyone say they're keen to work on deploying a matrix homeserver in our infrastructure, and i looked at a few (4 i think?) other hosting options but they were either as expensive or problematic in various ways, and also we'd have to find time to export/import our configuration and switch dns resulting in some downtime 19:23:35 <fungi> i've talked to the people who hold the pursestrings on the foundation staff and it sounds like we could go ahead and buy a year of business service from ems since we do have several projects utilizing it at this point 19:24:01 <fungi> which would buy us more time to decide if we want to keep doing that or work on our own solution 19:24:02 <tonyb> A *very* quick looks implies that hosting our own server wouldn't be too bad. the hardest part will be the export/import and downtime 19:24:16 <frickler> another option might be dropping the homeserver and moving the rooms to matrix.org? 19:24:18 <tonyb> I suspect that StartlingX will be the "most impacted" 19:25:54 <frickler> I've tried running a homeserver privately some time ago but it was very opaque and not debugable 19:25:56 <fungi> maybe, but with as many channels as they have they're still not super active on them (i lurk in all their channels and they average a few messages a day tops) 19:26:19 <corvus> fungi: does the business plan support more than one hostname? the foundation may be able to eek out some more value if they can use the same plan to host internal comms. 19:28:32 <fungi> looking at https://element.io/pricing it's not clear to me how that's covered exactly 19:28:35 <fungi> maybe? 19:28:44 <corvus> ok. just a thought :) 19:28:55 <frickler> also, is that "discounted" option a special price or does that match the public pricing? 19:29:24 <fungi> the "discounted" rate they offered us to switch is basically the normal business cloud option on that page, but with a reduced minimum user count of 20 instead of 50 19:30:53 <fungi> anyway, mostly wanted to put this on the agenda so folks know it's coming and have some time to think about options 19:31:16 <fungi> we can discuss again in the next meeting which will be roughly a month before the deadline 19:31:31 <corvus> if the foundation is comfortable paying for it, i'd lean that direction 19:31:51 <fungi> yeah, i'm feeling similarly. i don't think any of us has a ton of free time for another project just now 19:32:00 <corvus> (i think there are good reasons to do so, including the value of the service provided compared to our time and materials cost of running it ourselves, and also supporting open source projects) 19:32:42 <fungi> agreed, and while it's 10x what we've been paying, there wasn't a lot of surprise at a us$1.2k/yr+tax price tag 19:33:10 <fungi> helps from a budget standpoint that it's due in the beginning of the year 19:33:33 <corvus> tbh i thought the original price was too way low for an org (i'm personally sad that it isn't an option for individuals any more though) 19:34:11 <fungi> yeah, we went with it mainly because they didn't have any open source community discounts, which we'd have otherwise opted for 19:34:22 <fungi> any other comments before we move to other topics? 19:35:03 <fungi> #topic Followup on 20231216 incident (frickler) 19:35:07 <fungi> you have the floor 19:35:27 <frickler> well I just collected some things that came to my mind on sunday 19:36:06 <frickler> first question: Do we want to pin external images like haproxy and only bump them after testing? (Not sure that would've helped for the current issue though) 19:36:52 <fungi> there's a similar question from corvus in 903805 about whether we want to make the switch from "latest" to "lts" permanent 19:37:15 <fungi> testing wouldn't have caught it though i don't thinl 19:37:36 <corvus> yeah, unlike gerrit/gitea where there's stuff to test, i don't think we're going to catch haproxy bugs in advance 19:37:39 <fungi> but maybe someone with a higher tolerance for the bleeding edge would have spotted it before latest became lts 19:38:11 <fungi> also it's not like we use recent/advanced features of haproxy 19:38:15 <corvus> for me, i think maybe permanently switching to tracking the lts tag is the right balance of auto-upgrade with hopefully low probability of breakage 19:38:35 <fungi> so i think the answer is "it depends, but we can be conservative on haproxy and similar components" 19:38:52 <frickler> are there other images we consume that could cause similar issues? 19:39:22 <frickler> and I'm fine with haproxy:lts as a middle ground for now 19:39:25 <fungi> i don't know off the top of my head, but if someone wants to `git grep :latest$` and do some digging, i'm happy to review a change 19:39:42 <frickler> ok, second thing: Use docker prune less aggressively for easier rollback? 19:39:54 <frickler> We do so for some services, like https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles/gitea/tasks/main.yaml#L71-L76, might want to duplicate for all containers? Bump the hold time to 7d? 19:40:05 <corvus> (also, honestly i think the fact that haproxy is usually rock solid is why it took us so long to diagnose it. normally checking restart times would be near the top of the list of things to check) 19:40:30 <fungi> fwiw, when i switched gitea-lb's compose file from latest to lts and did a pull, nothing was downloaded, the image was still in the cache 19:41:13 <frickler> so "docker prune" doesn't clear the cache? 19:41:32 <tonyb> IIRC it did download on zuul-lb 19:41:50 <corvus> i sort of wonder what we're trying to achieve there? resiliency against upstream retroactively changing a tag? or shortened download times? or ability to guess what versions we were running by inspecting the cache? 19:42:26 <frickler> being able to have a fast revert of an image upgrade by just checking "docker images" locally 19:42:47 <fungi> i guess the concern is that we're tracking lts, upstream moves lts to a broken image, and we've pruned the image that lts used to point to so we have to redownload it when we change the tag? 19:43:01 <frickler> also I don't think we are having disk space issues that make fast pruning essential 19:43:25 <corvus> if it's resiliency against changes, i agree that 7d is probably a good idea. otherwise, 1-3 days is probably okay... if we haven't cared enough to look after 3 days, we can probably check logs or dockerhub, etc... 19:43:27 <fungi> but also the download times are generally on the order of seconds, not minutes 19:44:05 <fungi> it might buy us a little time but it's far from the most significant proportion of any related outage 19:44:09 <frickler> the 3d is only in effect for gitea, most other images are pruned immediately after upgrading 19:44:23 <corvus> (we're probably going to revert to a tag, which, since we can download in a few seconds, means the local cache isn't super important) 19:45:17 <fungi> i'm basically +/-0 on adjusting image cache times. i agree that we can afford the additional storage, but want to make sure it doesn't grow without bound 19:45:29 <frickler> ok, so leave it at that for now 19:45:33 <frickler> next up: Add timestamps to zuul_reboot.log? 19:45:39 <frickler> https://opendev.org/opendev/system-config/src/branch/master/playbooks/service-bridge.yaml#L41-L55 Also this is running on Saturdays (weekday: 6), do we want to fix the comment or the dow? 19:45:40 <fungi> also having too many images cached makes it a pain to dig through when you're looking for a recent-ish obne 19:46:13 <fungi> is zuul_reboot.log a file? on bridge? 19:46:18 <frickler> yes 19:46:35 <frickler> the code above shows how it is generated 19:47:05 <fungi> aha, /var/log/ansible/zuul_reboot.log 19:47:21 <corvus> adding timestamps sounds good to me; i like the current time so i'd say change the comment 19:47:27 <fungi> i have no objection to adding timestamps 19:47:39 <fungi> to, well, anything really 19:47:41 <frickler> ok, so I'll look into that 19:47:48 <fungi> more time-based context is preferable to less 19:47:50 <fungi> thanks! 19:47:54 <frickler> final one: Do we want to document or implement a procedure for rolling back zuul upgrades? Or do we assume that issues can always be fixed in a forward going way? 19:48:26 <fungi> i think the challenge there is that "downgrading" may mean manually undoing database migrations 19:48:33 <frickler> like what would we have done if we hadn't found a fast fix for the timer issue? 19:48:45 <fungi> the details of which will differ from version to version 19:49:21 <fungi> frickler: if the solution hadn't been obvious i was going to propose a revert of the offending change and try to get that fast-tracked 19:49:44 <frickler> ok, what if no clear bad patch had been identied? 19:49:50 <frickler> identified 19:50:23 <frickler> anyway, we don't need to discuss this at length right now, more something to think about medium term 19:50:24 <fungi> for zuul we're in a special situation where several of us are maintainers, so we've generally been able to solve things like that quickly one way or another 19:50:39 <corvus> i agree with fungi, any downgrade procedure is dependent on the revisions in scope, so i don't think there's a generic process we can do 19:51:20 <fungi> it'll be an on-the-spot determination as to whether its less work to roll forward or try to unwind things 19:51:33 <frickler> ok, time's tight, so lets move to AFS? 19:51:40 <fungi> yep! 19:51:48 <fungi> #topic AFS quota issues (frickler) 19:52:10 <frickler> mirror.openeuler has reached its quota limit and the mirror job seems to be failing since two weeks. I'm also a bit worried that they seem do have doubled their volume over the last 12 months 19:52:14 <frickler> ubuntu mirrors are also getting close, but we might have another couple of months time there 19:52:17 <frickler> mirror.centos-stream seems to have a steep increase in the last two months and might also run into quota limits soon 19:52:20 <frickler> project.zuul with the latest releases is getting close to its tight limit of 1GB (sic), I suggest to simply double that 19:52:47 <frickler> the last one is easy I think. for openeuler instead of bumping the quota someone may want to look into cleanup options first? 19:53:05 <frickler> the others are more of something to keep an eye on 19:53:09 <fungi> broken openeuler mirrors that nobody brought to our attention would indicate they're not being used, but yes it's possible we can filter out some things like we do for centos 19:53:45 <fungi> i'll try to figure out based on git blame who added the openeuler mirror and see if they can propose improvements before lunar new year 19:53:57 <frickler> well they are being used in devstack, but being out of date for some weeks does not yet break jobs 19:54:03 <corvus> feel free to action me on the zuul thing if no one else wants to do it 19:54:05 <fungi> i agree just bumping the zuul quota is fine 19:54:56 <fungi> #action fungi Reach out to someone about cleaning up OpenEuler mirroring 19:55:13 <fungi> #action corvus Increase project.zuul AFS volume quota 19:55:25 <fungi> let's move to the last topic 19:55:34 <fungi> #topic Broken wheel build issues (frickler) 19:55:56 <fungi> centos8 wheel builds are the only ones that are thoroughly broken currently? 19:56:07 <fungi> i'm pleasantly surprised if so 19:56:08 <frickler> fungi: https://review.opendev.org/c/openstack/devstack/+/900143 is the last patch on devstack that a quick search showed me for openeuler 19:56:21 <frickler> I think centos9 too? 19:56:35 <fungi> oh, >+8 19:56:39 <fungi> >=8 19:56:42 <fungi> got it 19:57:19 <frickler> though depends on what you mean by thoroughly (8 months vs. just 1) 19:57:31 <fungi> how much centos testing is going on these days now that tripleo has basically closed up shop? 19:57:50 <fungi> wondering how much time we're saving by not rebuilding some stuff from sdist in centos jobs 19:58:20 <frickler> not sure, I think some usage is still there for special reqs like FIPS 19:58:40 <tonyb> yup FIPS still needs it. 19:58:54 <frickler> at least people are still enough concerned about devstack global_venv being broken on centos 19:58:55 <fungi> for 9 or 8 too? 19:59:09 <frickler> both I think 19:59:16 <tonyb> I can work with ade_lee to verify what *exactly* is needed and fix or prune as appropriate 19:59:37 <fungi> we can quite easily stop running the wheel build jobs, if the resources for running those every day is a concern 20:00:06 <fungi> i guess we can discuss options in #opendev since we're past the end of the hour 20:00:06 <frickler> the question is then do we want to keep the outdated builds or purge them too? 20:00:20 <fungi> keeping them doesn't hurt anything, i don't think 20:00:30 <fungi> it's just an extra index url for pypi 20:00:38 <fungi> and either the desired wheel is there or it's not 20:00:54 <fungi> and if it's not, the job grabs the sdist from pypi and builds it 20:00:54 <tonyb> and storage? 20:00:58 <frickler> it does mask build errors that can happen for people that do not have access to those wheels 20:01:19 <frickler> if the build was working 6 months ago but has broken since then 20:01:32 <frickler> but anyway, not urgent, we can also continue next year 20:01:36 <fungi> it's a good point, we considered that as a balance between using job resources continually building the same wheels over and over 20:01:59 <fungi> and projects forgetting to list the necessary requirements for building the wheels for things they depend on that lack them 20:02:13 <fungi> okay, let's continue in #opendev. thanks everyone! 20:02:18 <fungi> #endmeeting