ianw | Wed Nov 3 23:45:55 UTC 2021 Pruning /opt/backups/borg-wiki-update-test/backup archive wiki-upgrade-test-filesystem | 00:00 |
---|---|---|
ianw | Wed Nov 3 23:52:35 UTC 2021 Pruning /opt/backups/borg-wiki-update-test/backup archive wiki-upgrade-test-mysql | 00:00 |
ianw | i.e., it ignored the .checkpoint archive, and found "wiki-upgrade-test-filesystem" and "wiki-upgrade-test-mysql" to prune | 00:00 |
ianw | as expected | 00:00 |
fungi | awesome, thanks | 00:04 |
*** frenzy_friday is now known as frenzyfriday|sick | 04:17 | |
opendevreview | Ian Wienand proposed opendev/system-config master: gerrit: update theme to javascript plugin https://review.opendev.org/c/opendev/system-config/+/816618 | 06:05 |
ianw | clarkb/fungi: https://104.130.132.119 has ^ applied, although on gerrit 3.4 | 06:11 |
ianw | #status log fedora 35 mirror finished syncing. fedora 33 removed | 06:12 |
opendevstatus | ianw: finished logging | 06:12 |
opendevreview | Ian Wienand proposed opendev/system-config master: gerrit: update theme to javascript plugin https://review.opendev.org/c/opendev/system-config/+/816618 | 07:45 |
*** gibi_pto_back_thu is now known as gibi | 07:56 | |
*** lbragstad4 is now known as lbragstad | 10:33 | |
*** lbragstad1 is now known as lbragstad | 10:43 | |
*** lbragstad7 is now known as lbragstad | 11:07 | |
*** dviroel|rover|out is now known as dviroel|rover | 11:12 | |
*** dpawlik2 is now known as dpawlik | 11:47 | |
*** dpawlik1 is now known as dpawlik | 12:16 | |
opendevreview | Andre Aranha proposed zuul/zuul-jobs master: Add fips version of jobs needed for OpenStack https://review.opendev.org/c/zuul/zuul-jobs/+/816385 | 14:56 |
*** artom_ is now known as artom | 15:02 | |
*** dviroel|rover is now known as dviroel|lunch|appt|afk | 15:03 | |
clarkb | ianw as noted in https://review.opendev.org/c/opendev/system-config/+/816618 the change on 3.4 looks good to me in firefox on my desktop and mobile chrome on the phone. If a dark theme user (fungi?) can maybe check that theme looks correct to them we should be able to land this and restart 3.3 on it? | 15:44 |
fungi | yeah, i should be able to take a look after my current meetings wrap up | 15:45 |
clarkb | fungi: you might have to login to that held gerrit using the test credentials in order to toggle the default. I'm not sure how to force a dark theme load otherwise though I suppose it might be a flag on the url? | 15:48 |
fungi | probably need to be logged in, yeah | 15:49 |
*** marios is now known as marios|out | 16:42 | |
*** dviroel|lunch|appt|afk is now known as dviroel|rover | 17:20 | |
*** jpena|off is now known as jpena | 17:49 | |
*** jpena is now known as jpena|off | 18:10 | |
fungi | clarkb: ianw: i notice the last patchset for 816618 was uploaded ~1.5 hours after the mention of deployment to 104.130.132.119, i guess the dockerfile line changed in patchset 2 is immaterial to what's on that server? | 18:26 |
clarkb | fungi: my hunch is that ianw may have manually updated the js file on the held node | 18:28 |
clarkb | but confirming that would be a good thing (since we know the html doesn't work on gerrit 3.4 ps1 wouldn't have worked out of the box and would have needed manual intervention) | 18:28 |
fungi | also testing the dark theme was easy, since login there is unauthenticated (i picked the "zuul" account to become) | 18:28 |
fungi | the zuul summary plugin still seems to work fine on it, btw | 18:30 |
fungi | yeah, totally lgtm | 18:30 |
fungi | should that change be wip until we upgrade, or will it also work on 3.3? | 18:33 |
clarkb | it should also work on 3.3 and the screenshots on that patchset seem to show that | 18:34 |
clarkb | I think we should go ahead and land it on 3.3 then we're set for the upgrade to 3.4. But we can confirm with ianw how the file got in place on the held node | 18:34 |
fungi | ahh, yeah for the system-config-run-review-3.3 build | 18:34 |
clarkb | yup that one | 18:34 |
opendevreview | Clark Boylan proposed opendev/bindep master: Try out PBR pep 517 support https://review.opendev.org/c/opendev/bindep/+/816741 | 18:47 |
clarkb | I actually think bindep is probably a bad choice to start pep 517 stuff on simply because we want it to run on as many platforms as possible. But I think bindep being a self contained utility that is tested on a lot of platforms makes it a good candidate for testing it | 18:48 |
fungi | we likely want to make sure bindep can work with both setup.py and pyproject.toml | 18:50 |
clarkb | good point we can add the setup.py back in once the first round of testing without it is done. I'm mostly abusing the fact that bindep runs tests on all the things which is good for coverage :) | 18:58 |
clarkb | and everything failed rip | 18:58 |
clarkb | seems that bindep produced no output so maybe we aren't installing things properly. I'm really glad that I removed PBR's dogfooding of this stuff now :) | 18:59 |
clarkb | ya there is no bindep binary in the installation so something isn't working. Yay for babysteps. Not sure I'll be able to dig into this further today | 19:00 |
opendevreview | Merged opendev/system-config master: gerrit: update theme to javascript plugin https://review.opendev.org/c/opendev/system-config/+/816618 | 19:54 |
ianw | yeah, sorry, the file on the held node was the result of me hand-editing it | 20:04 |
fungi | cool, thanks for confirming | 20:05 |
clarkb | I guess we should plan a restart today to make sure 3.3 is happy with it in production | 20:10 |
ianw | i can also do it on monday if we like, usually very quiet then | 20:11 |
clarkb | I think it's probably fine today. It has been a quiet week | 20:11 |
ianw | i've just noticed navigating as a logged in user, it appears gerrit is not talking to mariadb | 20:11 |
ianw | [Warning] Access denied for user 'gerrit'@'127.0.0.1' (using password: YES) | 20:11 |
ianw | which is weird | 20:12 |
clarkb | in production? | 20:12 |
ianw | no, sorry, on that test node | 20:12 |
clarkb | I just checked a prod change and was able to mark a file reviewed then mark it unreviewed. Ah ok | 20:12 |
clarkb | ianw: I wonder if we need to update our java driver for mariadb for 3.4? | 20:12 |
ianw | i guess it is talking, because it's getting login rejections | 20:13 |
ianw | i'll have to page back in how it sets up | 20:13 |
ianw | i feel like it's just a docker env with a user/pass | 20:13 |
clarkb | yes I think the docker compose side configures the database and user/pass for mariadb then we set it in our gerrit etc/secure.conf | 20:13 |
fungi | i noticed the same error when i "authenticated" as the zuul account on that test instance | 20:13 |
clarkb | this is good, testing is finding problems. The best kind of successful failures | 20:14 |
ianw | https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles/gerrit/templates/docker-compose.yaml.j2#L6 | 20:14 |
fungi | i should have called it out, but thought it was a nuance of nobody having logged into the account to create any entries for it | 20:15 |
ianw | docker-compose has those values filled out | 20:15 |
clarkb | ianw: and then on the gerrit side: https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles/gerrit/templates/secure.config.j2 | 20:15 |
ianw | that all matches | 20:17 |
ianw | i guess the container must not have setup the user ... | 20:17 |
ianw | db container | 20:17 |
clarkb | ianw: I think it does log that stuff when it starts up. You can also try to connect with those credentials using the mysql client in the container | 20:17 |
fungi | is mariadb even running? | 20:17 |
ianw | it is, i'm just looking at the logs now | 20:18 |
ianw | InnoDB: Cannot open '/var/lib/mysql/ib_buffer_pool.incomplete' for writing: Permission denied | 20:19 |
ianw | InnoDB: The error means mysqld does not have the access rights to the directory. | 20:19 |
clarkb | I wonder if that has to do with mounting it under /home/gerrit2 so it isn't root owned? | 20:20 |
ianw | /home/gerrit2/reviewdb/ also appears to be populated with db files, so ... weird | 20:21 |
opendevreview | Merged openstack/project-config master: kolla-cli: enter retirement https://review.opendev.org/c/openstack/project-config/+/814597 | 20:23 |
fungi | in production, mysqld is running as the systemd-coredump user (999) | 20:24 |
fungi | so the db files are owned by that account | 20:24 |
fungi | as is the /home/gerrit2/reviewdb directory | 20:24 |
clarkb | fungi: same on the test node | 20:25 |
fungi | interesting that we don't tell it to run as the gerrit user | 20:25 |
clarkb | I think we're just using the default in the image which apparently is 999 | 20:26 |
clarkb | it isn't clear to me why there would be a permissions issue in this case | 20:26 |
clarkb | it's a bit odd and probably worth making a plan to change, but that dir is owned by the user running mysqld and should be able to write to the dir | 20:27 |
ianw | i can't connect as root either | 20:28 |
clarkb | https://github.com/MariaDB/mariadb-docker/issues/181 | 20:33 |
clarkb | slightly different issue, but I wonder if this is a buggy container image? | 20:34 |
clarkb | hrm the tag last updated 20 days ago and production was fine with a recent pull and down up | 20:35 |
clarkb | https://zuul.opendev.org/t/openstack/build/19739c5c5b054091b698b26ac33fd426/log/review99.opendev.org/containers/docker-mariadb.log is a build from a while back that seems to exhibit this issue too | 20:39 |
clarkb | so not a new problem | 20:39 |
clarkb | prod logs the same thing about perms denied so I don't think that is the issue | 20:40 |
clarkb | ianw: I think the segfault is the problem | 20:42 |
fungi | a web search for "ib_buffer_pool.incomplete" turns up people complaining about permission errors all over the place, btw | 20:44 |
ianw | interesting; there is not a segfault on the held node | 20:44 |
clarkb | ianw: oh huh there was in my example above | 20:44 |
clarkb | in prod it complains about permissions on shutdown but not startup it seems | 20:44 |
clarkb | maybe it is the same issue but matters when you hit it | 20:44 |
ianw | https://github.com/MariaDB/mariadb-docker/tree/master/10.4 is what we're using | 20:45 |
ianw | possibly these things they've done to support MARIADB_USER and MYSQL_USER have got something wrong | 20:48 |
ianw | i see https://github.com/MariaDB/mariadb-docker/blob/master/10.4/docker-entrypoint.sh#L363 | 20:52 |
ianw | but then it's like it never ran the setup @ https://github.com/MariaDB/mariadb-docker/blob/master/10.4/docker-entrypoint.sh#L369 | 20:53 |
clarkb | ya I just ran a hacked up version of that docker compose entry on my local machine and it clearly logs creating the database and adding a user and giving that user perms on the db | 20:53 |
clarkb | that doesn't seem to happen in the logs on our test machines | 20:53 |
ianw | DATABASE_ALREADY_EXISTS is set if the db dir has a "mysql" directory | 20:55 |
fungi | ahh, so that it won't clobber an existing db | 20:56 |
clarkb | we do create /home/gerrit2/reviewdb but not /home/gerrit2/reviewdb/mysql from what I see. I | 20:58 |
clarkb | er I precreated this dir for me locally in testing and chowned it to root:root and it simply chowned it to uid 999 | 20:58 |
clarkb | and started up successfully here on my local machine so that wasn't it | 20:58 |
ianw | yep, that's what it does : https://github.com/MariaDB/mariadb-docker/blob/master/10.4/docker-entrypoint.sh#L156 | 20:59 |
ianw | https://zuul.opendev.org/t/openstack/build/20e285d9ea8d426ca2bc4affc57c7eee/log/review99.opendev.org/containers/docker-mariadb.log#55 | 21:03 |
ianw | Oct 29 07:27:11 review99 docker-mariadb[10226]: 2021-10-29 07:27:11+00:00 [ERROR] [Entrypoint]: Unable to start server. | 21:03 |
ianw | i think what happens here is that it tries to do this "temporary" server that fails to start, but does enough to create the db dirs | 21:03 |
ianw | then, it restarts itself, the entrypoint script now ignores any setup steps, and we have an unconfigured db | 21:04 |
clarkb | ya and then once the temporary db is up it uses that to create the users but we never get that far | 21:04 |
clarkb | ianw: oh ya that makes sense from what I'm seeing | 21:04 |
clarkb | is it possibly some clash with ulimits or similar on that uid? | 21:05 |
ianw | maybe ... no other errors appear to be logged | 21:09 |
ianw | i'm going to move the directory and see if i can replicate it with a restart | 21:10 |
opendevreview | Clark Boylan proposed opendev/system-config master: DNM Set a uid/gid for gerrit mariadb to run as. https://review.opendev.org/c/opendev/system-config/+/816749 | 21:12 |
ianw | 2021-11-04 21:11:55+00:00 [Note] [Entrypoint]: Creating database accountPatchReviewDb | 21:12 |
ianw | 2021-11-04 21:11:55+00:00 [Note] [Entrypoint]: Creating user gerrit | 21:12 |
clarkb | That is another idea ^ | 21:12 |
ianw | of course, it all "just works" ... | 21:12 |
clarkb | ianw: I wonder if we are not changing permissions early enough | 21:12 |
clarkb | So when it goes to write the first time it is still owned by root maybe? | 21:13 |
ianw | https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_20e/815933/1/check/system-config-run-review-3.4/20e285d/bridge.openstack.org/ara-report/results/333.html | 21:14 |
ianw | gerrit : Setup reviewdb directory for mariadb | 21:14 |
ianw | - "owner": 999, | 21:14 |
ianw | + "owner": 0, | 21:14 |
ianw | this implies the directory was already there, and owned by 999? | 21:15 |
clarkb | yes | 21:15 |
clarkb | and then our ansible that says make it owned by root flipped it back? | 21:15 |
ianw | the steps before that are using docker-compose to run gerrit init | 21:15 |
fungi | that'd explain the permissions error | 21:15 |
ianw | i bet we're starting mariadb before we think we are | 21:16 |
clarkb | ianw: we do the docker compose up then set the perms to root | 21:16 |
clarkb | it's a race between mariadb starting and the ansible setting it back again | 21:17 |
clarkb | I think we can simply drop the task to set perms for that | 21:17 |
ianw | yep | 21:17 |
clarkb | (then longer term plan to maybe make it owned by gerrit as in my change? and do similar for the other services?) | 21:17 |
clarkb | ianw: in the etherpad case we ensure the dir exists for mysql state but don't chown it with ansible | 21:18 |
clarkb | so maybe we keep the task but remove the ownership details | 21:18 |
clarkb | ianw: you want to write that change or should I? | 21:19 |
opendevreview | Ian Wienand proposed opendev/system-config master: gerrit: setup mariadb directories before starting gerrit https://review.opendev.org/c/opendev/system-config/+/816750 | 21:19 |
ianw | i think we just move it before the start? | 21:19 |
clarkb | ianw: well we'll continue to flip it then | 21:19 |
clarkb | because mysql will switch it to 999 when it starts then the next ansible run will switch it back to root | 21:20 |
ianw | oh, right, of course | 21:20 |
clarkb | I think it is ok to ensure the dir exists but maybe drop the other stuff (etherpad works this way) | 21:20 |
fungi | and maybe insert a comment so someone doesn't come along later and "fix" it by adding explicit (incorrect) permissions | 21:21 |
fungi | er, s/permissions/ownership/ | 21:21 |
clarkb | looks like gitea and refstack don't do any ansible management. etherpad only ensures it is a dir and exists. refstack is like gerrit and needs fixing | 21:22 |
clarkb | Longer term we should try and fix these to run mariadb with a non conflicting user | 21:23 |
fungi | and/or in a more distinct directory | 21:23 |
fungi | having mysqld mapping a subdirectory of the homedir for a different user is a bit confusing | 21:24 |
clarkb | the process for that is probably annoying: put server(s) in emergency file, do a db backup just in case, stop mariadb, chown files to the correct owner, start services, land change to manage that user and set the user in the docker-compose, then remove from emergency | 21:24 |
clarkb | fungi: it is that way because of the volume | 21:24 |
fungi | but i'm holding out hope gerrit will eventually drop that feature or the db | 21:25 |
clarkb | I'd personally prefer to have one volume over multiple even though that is confusing. The path doesn't have anything to do with the issue here though it would affect any other path | 21:25 |
fungi | yeah, long term mounting /srv on a cinder volume and then having /srv/gerrit and /srv/mariadb or similar would make sense if we want them using separate accounts | 21:25 |
clarkb | fungi: I'm not suggesting separate accounts | 21:26 |
fungi | well, it's currently separate accounts | 21:26 |
clarkb | I'm suggesting the opposite | 21:26 |
clarkb | yes I know. I'm saying we should make a plan to stop doing that | 21:26 |
clarkb | and have it run under 3000:3000 | 21:26 |
clarkb | (and then do similar with etherpad, gitea, refstack, and lodgeit | 21:27 |
opendevreview | Ian Wienand proposed opendev/system-config master: gerrit: don't chown mariadb container directory https://review.opendev.org/c/opendev/system-config/+/816750 | 21:27 |
ianw | this probably (hopefully) explains the segfault too -- something not handling bits of the db being re-owned | 21:27 |
fungi | yes, i'm saying if we're going to tell mariadb to write in the gerrit user's homedir then we should make mariadb run as the same user as gerrit, otherwise if we think it's safer to use separate accounts then they should use distinct directory subtrees of a root-owned path | 21:27 |
clarkb | I don't think there is any real reason to have separate accounts. I think this was just copied over from say gitea/etherpad/etc and we didn't realize what was happening under the hood | 21:28 |
clarkb | the data in the db for gerrit particularly isn't privileged and the users for each of these services already have access to the database as well and the database is per service and not shared so no concern about leaking | 21:28 |
ianw | the reason for putting it in gerrit's homedir is just that we mount that to a volume directly in production, so i wanted to keep all the data on the same volume | 21:28 |
ianw | oh, i see fungi you said that -- we should mount the homedirs separately on one volume | 21:29 |
fungi | i agree, we'd ideally like to be able to stop having that db entirely, it contains nothing sensitive and we don't even care that much if it's persistent, and it's only exposed over the loopback interface/unix sockets, so there's no real security benefit to separating it | 21:29 |
ianw | that could definitely be done, it would be much easier to deal with next time we move servers though :) | 21:30 |
clarkb | looking at etherpad they set the uid to 5001 apparently | 21:30 |
clarkb | so we've got a nodejs as uid 5001 and a mariadb as 999 there | 21:30 |
clarkb | ianw: I think refstack has the same issue as gerrit too btw | 21:30 |
fungi | part of the concern is that ubuntu already assigns user 999 | 21:31 |
fungi | so technically it's a security risk the way it is | 21:31 |
clarkb | yes I think that is the major concern | 21:31 |
clarkb | and why I suggested we make a plan to fix it for all services | 21:31 |
clarkb | but again it will be involved and each service will be slightly different | 21:32 |
ianw | ok, sorry i really have to do school run, bib | 21:32 |
clarkb | ianw: yup | 21:32 |
clarkb | I think what we should do is fix the flapping that the ansible does today as that is a risk for service uptime | 21:32 |
clarkb | for gerrit and refstack. Then make a general plan that applies to each of the services then go through them one by one and fix them | 21:33 |
fungi | yes, we could race ansible during a service restart | 21:33 |
fungi | or interrupt it with a poorly-timed reboot | 21:33 |
fungi | e.g., if the vm hung at just the wrong time | 21:34 |
opendevreview | Clark Boylan proposed opendev/system-config master: Don't set lodgeit db dir perms https://review.opendev.org/c/opendev/system-config/+/816754 | 21:37 |
clarkb | it is lodgeit not refstack with the same problem ^ I went ahead and pushed a fix for that too | 21:38 |
fungi | thanks, taking a look | 21:38 |
ianw | thanks | 21:54 |
ianw | mariadb just adds a user https://github.com/MariaDB/mariadb-docker/blob/master/10.4/Dockerfile#L5 | 21:55 |
ianw | it seems like it's a bit arbitrary what that uid will be. from an external pov it could change depending on what versions of things are in the container | 21:56 |
*** dviroel|rover is now known as dviroel|out | 22:13 | |
ianw | clarkb: it seems to me we have the same thing in refstack? | 22:32 |
ianw | i guess we should also extend gerrit testing to leave a review on a file. we currently set votes, but i guess nothing actually tries to use the reviewdb | 22:35 |
clarkb | ianw: I thought we did but then I looked again and didn't see it. If I just missed the second time around I say go for it (to fix it) | 22:36 |
opendevreview | Ian Wienand proposed opendev/system-config master: refstack: don't chown db directory https://review.opendev.org/c/opendev/system-config/+/816761 | 22:40 |
opendevreview | Clark Boylan proposed opendev/system-config master: Run zookeeper-statsd as the zookeeper user https://review.opendev.org/c/opendev/system-config/+/816762 | 22:41 |
opendevreview | Clark Boylan proposed opendev/system-config master: Update zookeeper-statsd to python3.9 on bullseye https://review.opendev.org/c/opendev/system-config/+/816763 | 22:41 |
clarkb | fungi: ^ if you have time for those that would be great | 22:43 |
clarkb | (including the lodgeit and refstack changes) | 22:43 |
fungi | yep | 22:44 |
opendevreview | Clark Boylan proposed opendev/system-config master: Run haproxy-statsd as uid 10001 https://review.opendev.org/c/opendev/system-config/+/816764 | 22:51 |
opendevreview | Clark Boylan proposed opendev/system-config master: Update haproxy-statsd to bullseye and python3.9 https://review.opendev.org/c/opendev/system-config/+/816765 | 22:51 |
clarkb | That's a pair of changes to match what I did in zookeeper-statsd | 22:52 |
clarkb | but let me check something on those | 22:52 |
clarkb | ah yup I need to do a thing | 22:53 |
opendevreview | Clark Boylan proposed opendev/system-config master: Update haproxy-statsd to bullseye and python3.9 https://review.opendev.org/c/opendev/system-config/+/816765 | 22:54 |
opendevreview | Clark Boylan proposed opendev/system-config master: Run haproxy-statsd as uid 1000 https://review.opendev.org/c/opendev/system-config/+/816764 | 22:54 |
clarkb | it should match the haproxy uid like the zookeeper one matches zookeeper | 22:55 |
clarkb | fungi: also https://review.opendev.org/c/opendev/system-config/+/816754 | 22:59 |
fungi | clarkb: ianw and i both commented on that one | 23:03 |
clarkb | ah yup I can add the comment | 23:04 |
opendevreview | Ian Wienand proposed opendev/system-config master: gerrit: mark file reviewed during testing https://review.opendev.org/c/opendev/system-config/+/816766 | 23:06 |
opendevreview | Clark Boylan proposed opendev/system-config master: Don't set lodgeit db dir perms https://review.opendev.org/c/opendev/system-config/+/816754 | 23:06 |
clarkb | done and thanks | 23:07 |
fungi | thanks! | 23:07 |
ianw | the zookeeper-statsd should be ok to merge, right? it's not going to down the whole cluster at once or something? | 23:28 |
clarkb | ianw: it shouldn't because it runs as a separate process | 23:30 |
clarkb | I think worst case we stop getting the stats from it | 23:30 |
clarkb | but zk itself will keep moving along | 23:30 |
ianw | clarkb: don't you need to set the user *before* the CMD in https://review.opendev.org/c/opendev/system-config/+/816762/1/docker/zookeeper-statsd/Dockerfile ? | 23:33 |
clarkb | I wasn't sure about that. gitea does it that way too | 23:33 |
clarkb | I think it's ok because CMD is setting metadata and not running things | 23:34 |
clarkb | you do want to set it before any RUNs that need to run as that user | 23:34 |
ianw | the manual does say "that follow it" | 23:34 |
ianw | can we tell if it worked from ci? | 23:35 |
clarkb | that's a good question. I'm not sure how much testing that gets | 23:36 |
clarkb | ianw: there is a check that checks we restartcount 0 on that container in testinfra | 23:37 |
clarkb | however because I'm belts and suspendering with the user directive in docker-compose.yaml I think it may work even if the compose file is off | 23:37 |
ianw | https://2f9cb09b127967d2da70-41653d64c774f0a46c6c3814f9b6e52b.ssl.cf1.rackcdn.com/816762/1/check/system-config-run-zookeeper/ec671e3/zk04.opendev.org/docker/zookeeper-compose_zookeeper-statsd_1.txt | 23:38 |
ianw | is blank, not sure if that is its usual state however | 23:38 |
clarkb | I agree it should come before | 23:38 |
clarkb | let me finish the change I'm working on now then I'll fix the two user stacks for statsd | 23:39 |
opendevreview | Clark Boylan proposed opendev/system-config master: Run gerritbot with a user that will be shared with matrix-gerritbot https://review.opendev.org/c/opendev/system-config/+/816769 | 23:46 |
opendevreview | Clark Boylan proposed opendev/system-config master: Run matrix-gerritbot with gerritbot user https://review.opendev.org/c/opendev/system-config/+/816770 | 23:46 |
clarkb | tristanC: corvus ^ you may be interested in that stack | 23:47 |
opendevreview | Clark Boylan proposed opendev/system-config master: Run haproxy-statsd as uid 1000 https://review.opendev.org/c/opendev/system-config/+/816764 | 23:48 |
opendevreview | Clark Boylan proposed opendev/system-config master: Run zookeeper-statsd as the zookeeper user https://review.opendev.org/c/opendev/system-config/+/816762 | 23:49 |
opendevreview | Clark Boylan proposed opendev/system-config master: Update zookeeper-statsd to python3.9 on bullseye https://review.opendev.org/c/opendev/system-config/+/816763 | 23:49 |
clarkb | ianw: ^ should be fixed in both of those changes now. Thanks | 23:49 |
corvus | Clark: qq on 816769 | 23:49 |
corvus | maybe the answer is matrix-gerritbot writes files, and you just wanted consistency between the two? | 23:50 |
corvus | but, actually, does it write anything? | 23:50 |
clarkb | corvus: I'm more worried about being able to read things while not letting other bots cross contaminate | 23:51 |
corvus | istr tristanC felt strongly about not writing any state in matrix-gerritbot, in which case, maybe my question is relevant | 23:51 |
clarkb | the idea is that we'd do similar to the other bots then they would respect each others boundaries | 23:51 |
corvus | oh, there's private keys involved | 23:52 |
corvus | so root:root,0444 isn't sufficient, we need some 0400 files | 23:53 |
clarkb | ya exactly | 23:53 |
corvus | ok all caught up, sgtm, thanks! | 23:53 |
clarkb | thank you for the review! | 23:53 |
opendevreview | Merged openstack/project-config master: Add support for CentOS Stream 9 in nodepool elements https://review.opendev.org/c/openstack/project-config/+/811442 | 23:58 |
opendevreview | Merged openstack/project-config master: Add centos-9-stream nodepool image https://review.opendev.org/c/openstack/project-config/+/816465 | 23:59 |