Tuesday, 2023-03-21

« Thursday, 2023-03-16 Index Wednesday, 2023-03-29 »
clarkbmeeting time19:00
clarkb#startmeeting infra19:01
opendevmeetMeeting started Tue Mar 21 19:01:13 2023 UTC and is due to finish in 60 minutes.  The chair is clarkb. Information about MeetBot at http://wiki.debian.org/MeetBot.19:01
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.19:01
opendevmeetThe meeting name has been set to 'infra'19:01
clarkb#link https://lists.opendev.org/archives/list/service-discuss@lists.opendev.org/thread/QH5SYKQ7JY6DF65R2NQQ7RTLONFQQIXR/ Our Agenda19:01
clarkb#topic Announcements19:01
clarkbOpenStack is doing a release this week (should happen early tomorrow relative to me)19:01
clarkbPlease refrain from updating base jobs or restarting zuul if we can avoid it19:02
fungithough we do have a release job configuration change to merge later today in support of that19:02
clarkbis that the gpg key update?19:02
fungi#link https://review.opendev.org/877552 Temporarily remove release docs semaphores19:02
clarkboh that one19:03
fungii'm un-wipping it now19:03
clarkbwe don't need the gpg key update to be clear? that happens after the release?19:03
fungiafter, yes. i've set that up for monday19:03
clarkbcool19:03
clarkbAnd next week is the ptg. Similar story around avoiding making changes but to a different set of tools. Etherpad and meetpad in particular for the PTG19:04
clarkbI suspect at least some of us will be participating in he PTG as well so we may want to skip next week's meeting. But I'll wait for more of the schedule to congeal as I'm not sure yet if it poses a problem19:05
fungiour usual meeting time is during the break19:06
fungijust to be clear19:06
clarkbyes, but if you've spent 4 hours in meetings ou may need a break19:06
clarkbI know I would :)19:06
fungiyes, i likely will do ;)19:06
clarkb#topic Topics19:06
clarkb#topic Docker Free Team Organization Shutdown19:07
clarkblast week docker announced that the free team organization setup we rely on for our docker images is going away on April 1419:07
clarkbWe had a meeting on thursday to discuss options and create a plan to move forward. Where we ended up was to move our container images to quay.io19:07
clarkb#link https://etherpad.opendev.org/p/MJTzrNTDMFyEUxi1ReSo Notes on the situation and planning19:07
clarkbWe've taken some decent notes through the whole thing which can be found there19:08
clarkb#link https://quay.io/organization/opendevorg Will become the new home for opendev images19:08
clarkbI've created a new org on quay and I think all infra-root but frickler have been added? Happy to add frickler when notified of an account name19:08
clarkbThere are also some job/role updates that we need to make this move happen19:08
clarkb#link https://review.opendev.org/c/zuul/zuul-jobs/+/877834 Role to precreate public images on quay.io19:09
clarkbIf you simply push to quay.io you end up with a private repo by default. The way around this is to precreate the repo which this role does (or you can switch it to public after pushing with the private default)19:09
clarkb#link https://review.opendev.org/c/zuul/zuul-jobs/+/838919/ Updates to container roles to make them replace docker roles for quay.io19:09
clarkband this stack of changes updates the generic container roles to add functionality that was in he docker roles that we need19:09
clarkbcorvus: and to be clear the reason we can't use the docker roles is they have hardcoded docker hub as the only destination?19:10
clarkbcorvus: after reviewing this stack I wondered why we couldn't just tell the docker roles to talk somewhere else19:10
corvusyes, they are designed specifically for docker hub19:10
clarkbthanks, that helps19:10
corvusmostly the promote role uses docker specific apis19:10
clarkbon the whole I think we've got a reasonable plan and there is progress. Reviews and help are welcome19:11
clarkbOn top of those changes we'll need to update our jobs themselves to make use of the updated roles19:11
corvusthe other roles are supposed to be pretty similar, just with a few minor assumptions removed and defaults changed19:11
corvushowever19:11
corvusthe build-container-image role does not appear to have any support for multi-arch builds19:11
corvusis there anyone interested in multi-arch support who is willing to look into bring build-container-image up to par?19:12
clarkbcorvus: the main use of that today in our world is nodepool-builder right?19:12
clarkbI think opendev and zuul don't multiarch anywhere else.19:12
corvusi think so; but is there base image support to facilitate that?19:13
fungiwhich role are we building our multi-arch containers with currently?19:13
corvusfungi: build-docker-image19:13
clarkbcorvus: oh yes, the base images are also built for arm64 and x86_6419:13
clarkbI should be able to take a look at that if no one else is interested. I've poked at our base images and the multi arch stuff in the past19:13
ianwi'll have to context switch it all back in, reviewing those changes should help with that, but i can probably take a look at it19:14
clarkbianw: oh cool. and ya I would have to context swithc it in. buildx and manifests and all that19:14
fungiokay, so we'd need to port the multi-arch bits from build-docker-image to build-container-image sounds like19:14
ianw++ i'm sure we can figure something out19:14
corvusthanks; i'm willing to pitch in to help, but it's too much for me alone right now.19:14
fungithanks for calling it out, i wouldn't have thought to check19:15
clarkbfwiw I think some of the reason this was missing is buildah didn't support multiarch buidls until more recently19:15
clarkbhowever, you can run docker with the container roles too (and in fact I think that is what opendev at least should do for max compatibility for now)19:15
clarkbI think changing to buildah is a possibility but something we shouldn't worry about now19:15
fungibuildah is a non-docker-specific buildx replacement?19:15
corvusagreed re using "docker" with the "container" roles19:15
clarkbfungi: buildah is the podman image builder. docker does both the container runtime and image building via one interface but podman and buildah split it out19:15
corvusthey both use buildkit as the underlying implementation for the new stuff though, so convergence is hopefully possible19:16
clarkbok cool ianw I'll probably try to look at this late today/early tomorrow for me19:17
clarkbanything else related to the container registry move?19:17
corvusi've completed work on a redirection system for zuul19:17
fungithat was an awesome idea, btw19:18
corvusso i will propose that zuul use "registry.zuul-ci.org/..." as the canonical locations for images19:18
corvusit's a pretty easy option for any other domains that want to do something similar19:18
clarkbya we should probably do similar for opendev.org.19:19
ianwit's probably worth advertising it somehow?19:19
clarkbianw: advertising that redirects work?19:20
corvusianw: can you elaborate?19:20
corvusoh that it's a thing that other projects can do?19:20
corvuslike registry.kolla could be a thing if they wanted?19:20
fungilike a blog post about the design or something?19:20
ianwyeah, particularly like openstack projects might want to consolidate, etc.19:20
corvusokay i can write something up19:21
corvusmaybe send it to the service-discuss list...19:21
ianwyes, i already saw one similar blog post rise to the top of HN and i think they got it wrong too (might not have worked with podman)19:21
corvusand then copy or link other lists to that?19:21
corvusi suppose i could write an actual blog post19:21
fungifor kolla specifically, it sounded like they were already deploying to multiple registries and were just planning to drop dockerhub, but there are potentally projects even outside opendev that could benefit from seeing that the idea is simple and works19:21
fungis/deploying/publishing/19:22
clarkbya its not something people may realize is possible so getting the word out could be useful19:22
ianwyep, just think it would to get the word out that it's a thing you can do, and here's an example19:22
corvusi think there's 2 audiences: how to do this in general; and how to do this in opendev19:23
corvusfor the latter, a pointer to code/changes might be in order19:23
corvus#action corvus write up blog post/email/something to share registry redirect idea/configuration19:23
clarkb++19:24
fungiprobably solveable by just linking the opendev examples in the general writeup, but yeah i agree it may be two audiences for one post even19:24
corvusif we're happy with the idea for opendev, i can try to make a clean series of changes for that19:24
corvus(since the git history for zuul is not clear due to experimentation)19:24
clarkbcorvus: I think I like the idea since it should reduce some over the necessary changes if we do this again19:24
corvusk.  expect that later this week :)19:25
fungiyes, also if we're going that route we should do it before we switch registries, in order to save ourselves additional patches to review19:25
clarkbexactly this is the best opportunity for doing it19:25
* fungi prepares for docker inc to break the official docker client's ability to follow redirects19:26
clarkbok lets move on as we're almost half out of time and only one topic in. THank you everyone who has helped push this along. Its going to be a bit of work and won't happen overnight but we're making progress19:26
fungiyes, thanks!19:27
clarkb#topic Bastion Host Updates19:27
clarkbI mostly wanted to call out that fungi had to boot the old bastion briefly to grab some gpg data off of it. Now is a great time to brainstorm if anything else needs moving19:27
clarkbI suspect that given how long its been and we've only run into this one issue that there isn't. But the sooner we address anything else missing the better19:27
fungiyeah, it's not still booted, was only up for a few minutes, but we should be very sure before we delete the server so that we don't need to restore from backups later19:28
ianw++ the other thing is, if we do want to go down the path of distributed backups of this (reviews welcome :) then we need a list of things to backup as well.  so thinking about what to grab can be codified into that list19:28
clarkbianw: that is a great idea19:28
fungi /root ;)19:28
clarkband /etc/ansible19:28
ianwfungi: did you say it was ~gb though?19:29
fungii don't think it needs to be. there was a metric ton of ansible tempfiles in there19:29
ianwas long as nobody puts anything in /root that isn't critical to backup, that can work, but i also thing huge backups will be hard to deal with19:29
fungii just copied it all because i didn't want to have to wade through it while i was in a hurry to do key generation stuff19:29
clarkbhrm I bet the new server has tempfiles for ansible too though19:30
clarkbbecause ansible runnign as root19:30
clarkbsomething to look at I guess19:30
fungiyeah. i was being glib. specifically /root/signing.gnupg19:30
fungiand /root/certs19:30
fungiand /root/passwords19:31
ianwfair enough, i think i didn't copy the whole thing as sort of a counter-point to that, trying to just keep the important bits19:31
ianwthe idea with the distributed backups is all that will go in a ansible variable; it could be either checked in, or in /etc/ansible19:31
fungia copy of the /root from old bridge can be found in /root/old-bridge-root-homedir.tar.xz for now, until we decide to toss it19:32
ianw(i was thinking /etc/ansible, to make it less inspectable, but open to ideas)19:32
clarkbianw: as far as landing the backups goes we're mostly waiting on reviews?19:32
fungii remember saying i was going to review those changes and then not doing so19:33
clarkbanything else bridge related?19:34
ianwnot this week19:34
clarkb#topic Mailman 319:34
clarkbfungi: anything new with mailman 3 domain management stuff?19:35
funginegatory, sorry19:35
clarkb#topic Gerrit Updates19:35
clarkbianw: looks like the last submit-requirements and copyConditions change (the one for testing it in system-config-run-review-*) landed19:36
clarkbianw: the conversion process should be largely done at this point?19:36
ianwyes; i've spent some time updating19:36
ianw#link https://etherpad.opendev.org/p/gerrit-upgrade-3.719:36
ianwfor that, and other issues19:36
ianwwe just merged a change to rebuild images from 3.7-stable, so i plan to bring up a test host with that19:37
clarkbya the other thing was the 3.7.1 bug19:37
ianwthat could likely be our production image.  if there's another release before our upgrade, we can rebuild at that 19:37
clarkbsounds good19:37
clarkbin particular the bug we rebuilt to grab a fix for has to do with navigating related chnges in the ui19:38
clarkbsomething I know I do so good to have fixed19:38
ianwit would be worth going through the "DONE" tags on that page just to double check people agree with my conclusions about various issues19:38
clarkbI'll try to review that today19:38
clarkbthis upgrade is very similar to prior upgrades except that we must take a logner downtime for offline reindexing19:39
clarkbfor whatever reason they apparently didn't support online reindexing for this one19:39
clarkb#topic Project renames19:40
clarkbrelated to the gerrit upgrade is the plan for project renames19:40
clarkbwe've decided to do both one after the other on April 6 starting at 22:00 UTC19:41
clarkbfungi: other than better understanding our infra-project-manage-projects job sequencing when we've got old state in the earlier chagnes the other open question I've got is if we need to have any more care around openstack gettingthe xstatic library19:41
fungifwiw, i did an online reindex recently trying to run down a problem that turned out to be unrelated to indexing, but it only took a few hours to complete19:41
clarkbfungi: should we maybe bring that up in the tc meeting tomorrow?19:42
fungixstatic-angular-fileupload?19:42
clarkb"are you ok with this and does it create any conflict with moin moin?"19:42
clarkbfungi: yes19:42
fungilooks like it's got some shared authorship, yeah19:44
fungiworth bringing up19:44
fungihomepage link for it on pypi goes to https://github.com/danialfarid/ng-file-upload19:44
clarkbok I'll try to be there tomorrow morning (shouldn't be an issue other than being a few minutes late for a school run)19:44
fungilast touched a little over 4 years ago there19:45
clarkb#topic Updating old servers19:46
clarkbThe docker situation has distracted me from this. Which is mostly fine since I was going to hold off on gitea and etherpad work until later (can finalize gitea situation end of this week early next week and do etherpad after the ptg)19:46
clarkbianw: was there anything new with the nameserver planning?19:46
ianwno, i've also been distracted.  there are some preparatory changes to merge, then i need to finish the checklist for switching and we can review.  parallel i can start new servers 19:47
clarkbok ping me if I can help. I think I've reviewed changes though19:48
clarkb#topic AFS disk utilization19:48
clarkbNothing really new here. I've left it on the agenda as a reminder it is something we need to keep an eye on. We do seem to have stablized near 10% free on the main server19:48
clarkband eventually fedora 36 should get cleaned up relieving some pressure just in time for new debian :)19:48
ianwyep i'll try to get 37 builds going soon19:49
clarkb#topic Gitea 1.1919:50
clarkbOver the weekend gitea released 1.19.0. I had already pushed a chagne to sanity check 1.19.0-rc1 and there were minimal updates necessary to get 1.19.0 going19:50
clarkbthat said I think we should hold off until we've stabilized the gitea replacements19:50
clarkbwhich is also planned for after the openstack release19:50
clarkb#link https://review.opendev.org/c/opendev/system-config/+/877541 Upgrade opendev.org to 1.19.019:51
clarkbthis release adds an actions runner system which is disabled by default. I have explicitly disabled it in this change to avoid that default changing on us later since we've got zuul19:51
clarkbOtherwise the update seems pretty straightforward. THe commit message in that change tries to highlight all of the breaking changes from the release notes with my own notes on how/why things do or don't affect us19:52
clarkbinterestingly there were html template updates between 1.19.0-rc1 and 1.19.0. I'm not sure that has happened before19:52
clarkba good reminder for us to double check that between releases though19:52
clarkb#topic Quo vadis Storyboard19:53
clarkblast week frickler pointed out that there may be storyboard discussions at the ptg next week. In #opendev I mentioned that I think we should continue to encourage any projects migrating off of storyboard to collaborate to avoid duplicate effort on tooling/process19:53
fungiso i guess keep an ear to the ground for projects bringing this up at the ptg and encourage them to weigh in on the opendev discussion?19:54
clarkbfungi: yup and/or maybe push them towards each other and have shared discussion at the ptg too?19:54
fungisounds good19:54
clarkbI'm also happy to jump into those sessions if people notify me19:54
fungiyeah, one up-side to vptg, easy to drop from one call and jump into another (faster than running across the hall, much less to an adjacent building)19:55
clarkbI also mentioend that I think longer term we (opendev) should think about sunsetting storyboard due to our lack of maintenance for the server and service19:55
clarkbone good idea that came out of me mentioning that is we could try to make some sort of read only copy of the content and host that hopefully with much simpler hosting demands19:55
clarkbbut I also poitned out that I'm not the lone decision maker and welcomed feedback on that idea. Consider this an official reuqest for feedback from this group19:56
clarkb#topic Open Discussion19:57
clarkbWe've got ~3 minutes for anything else19:57
fungihaving a search engine friendly view of the content instead of just browser-side rendering was, ironically, one of the wishlist items for further sb development19:57
ianw#link https://review.opendev.org/c/opendev/system-config/+/87773519:57
ianwis one to split out the ssh server setup 19:57
ianwfrom base.  i'd like to try running that against the linaro cloud to make sure the root login auth, etc. are setup right19:58
clarkbwe can also potentially extend that to inmotion19:58
clarkbbut I Thin kstarting with linaro is great19:58
ianwthe prod job we added is working; but i did have to manually allow the zuul login19:58
ianw(which is ok, that's setup by the launch node usually, which obviously didn't run)19:59
clarkbianw: its not zuul but bridge right?19:59
clarkbI mean zuul via bridge19:59
clarkbnot direct19:59
ianwyeah, basically allowing root logins from bridge.  but that config will be deployed with the ssh role, so if we change bridge again it will be ok20:00
fungispeaking of linaro, i think we had a good justification to add them to the donor logos on https://opendev.org/20:00
fungianybody know who we should reach out to about that?20:01
fungikevinz?20:01
clarkbfungi: yes kevinz is who I would start with20:01
fungik20:01
clarkband we are over time20:01
fungithanks clarkb20:01
fungi!20:01
ianwor perhaps ... sorry i'm blanking on the name ... but the person we sent the usage blurb to20:01
fungiianw: good call20:01
clarkbthank you everyone! feel free to continue discussion in #opendev or on the mailing list. But I don't need to keep you in here any longer20:01
fungiworks on arm person20:01
clarkb#endmeeting20:02
opendevmeetMeeting ended Tue Mar 21 20:02:11 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)20:02
opendevmeetMinutes:        https://meetings.opendev.org/meetings/infra/2023/infra.2023-03-21-19.01.html20:02
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/infra/2023/infra.2023-03-21-19.01.txt20:02
opendevmeetLog:            https://meetings.opendev.org/meetings/infra/2023/infra.2023-03-21-19.01.log.html20:02
« Thursday, 2023-03-16 Index Wednesday, 2023-03-29 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!