Wednesday, 2021-12-08

[00:09] <clarkb> ianw: both updated changes lgtm. It might be a good idea to try and get corvus and/or mordred to look over https://review.opendev.org/c/opendev/system-config/+/820320/ and double check our brainstorm didn't miss anything important. They wrote a bunch of that original code there and also corvus can probably chime in re doing stuff in a zuul context
[00:09] *** rlandy|ruck is now known as rlandy|out
[00:10] <clarkb> and ya computers. It's amazing we get them to do anything useful at all :)
[00:13] <ianw> clarkb: minor one but i assume you're ok with the updated tag for system-config @ https://review.opendev.org/c/openstack/project-config/+/819715/2/gerrit/projects.yaml ?
[00:15] <clarkb> yup approved
[00:24] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Block outbound SMTP connections from test jobs https://review.opendev.org/c/opendev/system-config/+/820900
[00:24] <clarkb> swift is updating jobs to use centos stream instead of centos 8
[00:24] <clarkb> It seems we may not have stream set up for arm64. That might be something we need to consider?
[00:24] <corvus> clarkb ianw lgtm, but i have covid booster brain
[00:24] <clarkb> corvus: ha, ok
[00:25] <fungi> apparently my egress filtering change was working, i just needed to know what the rule normalized to so i could match it in the test
[00:25] <clarkb> There is a board meeting tonight so I'll probably checkout here shortly then try and be awake in a few hours when that starts
[00:26] <opendevreview> Merged openstack/project-config master: Update the opendev/system-config tag https://review.opendev.org/c/openstack/project-config/+/819715
[00:26] <clarkb> I think I preferred everyone being jetlagged in a room over staying up all night or getting up early :)
[00:26] <fungi> corvus: yeah, i got boosted yesterday, and the main thing which seems not to be boosted in the process is my energy level. here's hoping tomorrow is better
[00:33] *** timburke__ is now known as timburke
[00:34] <opendevreview> Merged openstack/project-config master: Fix Neutron periodic dashboard https://review.opendev.org/c/openstack/project-config/+/820912
[00:37] <ianw> hrm, i thought we were testing 8-stream arm64, let me see
[00:38] <ianw> huh, maybe not
[00:41] <opendevreview> Merged openstack/project-config master: Add rights to neutron-dynamic-routing-stable-maint https://review.opendev.org/c/openstack/project-config/+/820351
[00:41] <opendevreview> Ian Wienand proposed openstack/diskimage-builder master: Test 8-stream aarch64 build https://review.opendev.org/c/openstack/diskimage-builder/+/820970
[02:30] <opendevreview> Ian Wienand proposed openstack/diskimage-builder master: Test 8-stream aarch64 build https://review.opendev.org/c/openstack/diskimage-builder/+/820970
[02:43] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Block outbound SMTP connections from test jobs https://review.opendev.org/c/opendev/system-config/+/820900
[03:19] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Copy Exim logs in system-config-run jobs https://review.opendev.org/c/opendev/system-config/+/820899
[03:27] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[03:38] <opendevreview> Merged opendev/system-config master: Add zuul-client config to schedulers https://review.opendev.org/c/opendev/system-config/+/820951
[04:17] <opendevreview> Ian Wienand proposed openstack/diskimage-builder master: Use OpenDev mirrors for 8-stream CI builds https://review.opendev.org/c/openstack/diskimage-builder/+/820978
[04:31] <clarkb> ianw: that's running an x86-64 build not arm64 right?
[04:32] <clarkb> oh wait I see it runs on a debian arm64 node
[04:32] <clarkb> I guess the arch is by default inherited from the host then
[04:32] <clarkb> that makes sense since dib doesn't really cross build
[04:40] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[04:43] *** raukadah is now known as chandankumar
[04:50] *** ysandeep|out is now known as ysandeep
[04:56] <ianw> clarkb: yep; i think it will "just work". going to fiddle with the mirror setups though as that seems to have slipped through
[04:57] <clarkb> ianw: ya I guess we have the label but no nodeset defined for it and that is what swift tripped over
[04:57] <clarkb> however I don't see stream-9 on arm so that may actually be missing
[04:57] <clarkb> one thing at a time
[05:01] <ianw> yeah 9-stream is also missing, i had that on my todo list
[05:10] <fungi> so unfortunately, while redirecting stdin from /dev/null does bypass newlist's wait for the confirmation to send a list admin notification, it doesn't appear to actually cause it to send the notification: https://zuul.opendev.org/t/openstack/build/4690bb1000244222baff80e20edd987c/log/lists.openstack.org/exim4/mainlog
[05:10] <fungi> so i'm back to square 1
[05:12] <clarkb> are we sure that exim and mailman are properly configured to talk to each other?
[05:12] <clarkb> I wonder if we need to send it a 'yes\n' or similar
[05:12] <fungi> they seem to do so in production
[05:13] <fungi> i wonder if piping /bin/yes into it would suffice
[05:13] <clarkb> ya I'm just wondering out loud if the special exim for mailman isn't configured on the test node because we're not matching the case for some reason
[05:14] <fungi> well, that's only for inbound delivery anyway though, right?
[05:14] <fungi> outbound delivery should be working for all our servers
[05:15] <clarkb> I'm not sure. I guess mailman sends email like any other server? so ya maybe that is true
[05:16] <fungi> tomorrow i'll set an autohold on a broken revision of 820392 and fiddle with the test node to confirm some theories
[05:38] *** poojajadhav is now known as pojadhav|rover
[05:55] <opendevreview> Ian Wienand proposed openstack/diskimage-builder master: Use OpenDev mirrors for 8-stream CI builds https://review.opendev.org/c/openstack/diskimage-builder/+/820978
[06:06] <clarkb> I guess gerrit 3.5.0 has released today
[06:06] <clarkb> yesterday? what day is it anyway :)
[06:35] *** pojadhav is now known as pojadhav|rover
[06:37] <opendevreview> yatin proposed openstack/project-config master: Fix Neutron periodic dashboard https://review.opendev.org/c/openstack/project-config/+/820980
[06:43] *** marios is now known as marios|ruck
[06:57] *** bhagyashris_ is now known as bhagyashris
[07:14] <opendevreview> Michal Nasiadka proposed opendev/irc-meetings master: kolla: Update agenda url https://review.opendev.org/c/opendev/irc-meetings/+/820981
[07:19] *** bhagyashris_ is now known as bhagyashris
[07:23] *** ysandeep is now known as ysandeep|lunch
[08:29] <opendevreview> Merged openstack/project-config master: Fix Neutron periodic dashboard https://review.opendev.org/c/openstack/project-config/+/820980
[08:35] *** ysandeep|lunch is now known as ysandeep
[08:48] <opendevreview> Ian Wienand proposed openstack/diskimage-builder master: Use OpenDev mirrors for 8-stream CI builds https://review.opendev.org/c/openstack/diskimage-builder/+/820978
[09:11] *** pojadhav|rover is now known as pojadhav|lunch
[09:21] *** ykarel_ is now known as ykarel
[09:30] *** pojadhav|lunch is now known as pojadhav|rover
[10:11] *** ysandeep is now known as ysandeep|afk
[10:37] *** pojadhav|rover is now known as pojadhav|rover|afk
[11:05] *** pojadhav|rover|afk is now known as pojadhav|rover
[11:05] *** rlandy|out is now known as rlandy|ruck
[11:16] *** ysandeep|afk is now known as ysandeep
[11:24] <opendevreview> Merged opendev/irc-meetings master: kolla: Update agenda url https://review.opendev.org/c/opendev/irc-meetings/+/820981
[12:17] *** pojadhav|rover is now known as pojadhav|rover|brb
[12:40] *** pojadhav|rover|brb is now known as pojadhav|rover
[12:49] *** ysandeep is now known as ysandeep|brb
[13:02] *** outbrito_ is now known as outbrito
[13:07] *** ysandeep|brb is now known as ysandeep
[13:49] *** ysandeep is now known as ysandeep|dinner
[14:07] *** ykarel is now known as ykarel|away
[14:46] *** pojadhav|rover is now known as pojadhav|rover|afk
[14:52] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[15:08] *** artom__ is now known as artom
[15:45] *** ysandeep|dinner is now known as ysandeep
[16:08] <fungi> omg, how did i not notice before? i guess newlist --help is out of sync with the manpage these days
[16:09] <fungi> there's a -a/--automate option to newlist now, which is supposed to automatically send the list admin notification without prompting
[16:09] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[16:09] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Correct Python interpreter in mailman initscript https://review.opendev.org/c/opendev/system-config/+/821095
[16:11] <amorin> hey team
[16:11] <amorin> I proposed this few days ago:
[16:11] <amorin> https://review.opendev.org/c/openstack/project-config/+/820369
[16:12] <amorin> not sure I am on the right chan
[16:12] <amorin> cc fungi clarkb
[16:13] <fungi> amorin: oh, thanks for the heads up! i didn't notice that on friday, but yes this is the appropriate channel
[16:15] <clarkb> amorin: thank you for the heads up
[16:16] <amorin> I have no idea who I should ping for this, you were in my memory :)
[16:17] <fungi> we're both fine choices, thanks so much
[16:17] <clarkb> fungi: yay manpages being out of date
[16:18] <amorin> so, we will upgrade one of our region (BHS1) to a new openstack release
[16:18] <clarkb> fungi: we could just -q or -a depending on the flag if we wanted. Still not great for testing but probably close enough that it's fine?
[16:18] <amorin> in our procedure, we close the API for few hours (like 2/3 hours)
[16:18] <amorin> so I think it better to avoid spawning instances, right?
[16:18] <clarkb> amorin: yes, we'll gracefully fallback but if we know it is happening in advance that sort of change is a good way to avoid problems
[16:19] <amorin> we are going to start this at 9 UTC, which is maybe too early for you? Should we merge this the day before?
[16:20] <clarkb> amorin: yes the day before is probably a good idea
[16:20] <clarkb> though frickler is in a european timezone and may be able to land it day of. But I'm fine with day before
[16:20] <amorin> ack, so, I will come back on that channel the day before to ping of of you
[16:21] <amorin> one* of you
[16:22] <clarkb> sounds good
[16:22] <fungi> clarkb: well, the bad news is that i still can't seem to get newlist to actually attempt to send the list admin notifications through the mta (according to exim's logs), even the normal way with no newlist cli options at all. i may need to dig into its source code
[16:23] <clarkb> fungi: is it possible there is some other log we need to look at where it is recording things?
[16:24] <fungi> i did at least confirm that if i try to send mail locally (e.g. with the `mail` utility) then exim logs the rejected outbound smtp connections (both ipv4 and v6) courtesy of the new firewall rules in 820900
[16:24] <fungi> mailman itself is only creating one log that i could find
[16:24] <fungi> and doesn't mention anything about the newlist or notification sending
[16:25] <fungi> though it might also be related to 821095, i've got another autohold set with that added to the stack
[16:26] <clarkb> fungi: uh isn't mailman python2 only?
[16:26] <clarkb> wouldn't it be better to install python2?
[16:27] <clarkb> fungi: https://packages.ubuntu.com/focal/mailman it hard depends on python2
[16:29] <clarkb> fungi: looks like that may only create /usr/bin/python2.7 on focal
[16:29] <clarkb> I think that should be what we test for not python3
[16:32] <fungi> oh, weird, i wonder why it wasn't installed?
[16:32] <clarkb> fungi: I think it is installed but it doesn't install /usr/bin/python anymore
[16:32] <clarkb> only /usr/bin/python2.7
[16:34] <fungi> and indeed, mailman was dropped from debian after buster (so not included in bullseye, which has only mailman3)
[16:36] <fungi> looks like on lists.o.o /usr/bin/python is a symlink to /usr/bin/python2 which is a symlink to /usr/bin/python2.7
[16:38] <fungi> the /usr/bin/python symlink on it is being provided by the python-is-python2 package
[16:38] <fungi> we can just add that to the dependencies
[16:44] *** pojadhav|rover|afk is now known as pojadhav|rover
[16:44] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Make sure /usr/bin/python is present for mailman https://review.opendev.org/c/opendev/system-config/+/821095
[16:44] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[16:56] *** marios|ruck is now known as marios|out
[17:04] <opendevreview> Clark Boylan proposed zuul/zuul-jobs master: Try to fix broken stestr command discovery https://review.opendev.org/c/zuul/zuul-jobs/+/821101
[17:09] *** rlandy|ruck is now known as rlandy|ruck|mtg
[17:10] *** ysandeep is now known as ysandeep|out
[17:12] <fungi> okay, so some progress... for whatever reason the server ends up with the mailman-openinfra service in a dead state with no running processes, but if i stop and start it then it does start the expected 9 processes, maybe some sort of startup race?
[17:13] <fungi> unfortunately, running newlist to create new lists still does not attempt to send any actual notification to the provided list admin address even going through the normal confirmation prompt manually
[17:13] <fungi> held node is 172.99.67.72
[17:15] <fungi> /var/log/exim4/mainlog does not indicate the mta received any messages to deliver
[17:15] <fungi> oh! mailman is sending directly, not through exim
[17:16] <fungi> now that services are running, it logs the rejections in /srv/mailman/openinfra/logs/smtp-failure
[17:17] <clarkb> cool so things are working as expected now?
[17:17] <clarkb> which changes do we want to keep ?
[17:17] <fungi> aha! i think it's because mailman is sending through 127.0.0.1:25 and that's being rejected by iptables
[17:19] <fungi> should we also collect all of /srv/mailman in the system-config-run-lists job? or somehow grab just /srv/mailman/*/logs/* instead?
[17:20] <fungi> i'm amending the firewalling change to allow localhost smtp but reject remote smtp
[17:21] <clarkb> probably better to not grab all the mailman site contents if we can avoid it
[17:21] <clarkb> there is a lot of not helpful data in there iirc (like all the templates)
[17:22] <jrosser> when I do a depends-on, does the current branch in the modified repo include that patch, or is the modified repo left in a 'detached' state from the original branch? (i.e if I locally cloned the on-disk repo using the branch name would I get the additional change)
[17:25] <clarkb> jrosser: the repos branches are all updated to the appropriate commit. They won't be detached. But it doesn't cherry pick across branches either
[17:25] <fungi> jrosser: it's included as long as you use the branch states or checked-out state of the on-disk copy of the repositories
[17:26] <clarkb> that means if you have depends-on repo foo branch A change then repo foo's branch A will be checked out to that proposed state
[17:26] <clarkb> s/check out/set/
[17:26] <clarkb> you might have to check it out yourself
[17:26] <jrosser> I am looking at how to make ansible-galaxy use collections from the zuul repos
[17:27] <jrosser> and it by default clones them from the place you tell it they are
[17:27] <fungi> but check it out as 'foo' not 'origin/foo' (the latter represents the state prior to the change being applied)
[17:27] <jrosser> so I have to give some refspec to ansible-galaxy which doesn't just throw away any depends-on
[17:28] <fungi> what branch does ansible-galaxy try to checkout by default?
[17:28] <fungi> or does it try to use a tag?
[17:29] <clarkb> you would checkout the branch for your depends on
[17:29] <jrosser> hah well that's where it gets fun, it expects to be given a value of some sort, which can be a tag or a branch
[17:29] <jrosser> or even a SHA I expect
[17:29] <clarkb> and zuul will automatically update that branch with the depends on content
[17:29] <fungi> okay, so any refname git supports, in essence
[17:29] <jrosser> ok cool, so if I can give it 'master' and that will bring the depends-on with it, it's all good
[17:29] <fungi> so yes, specifying the local branch name (not a remote branch) should do what you want
[17:34] <clarkb> The idea is that zuul is setting the repo state so you don't have to figure that out (historically many many years ago, this was a very common source of bugs in gating, jobs weren't testing what they thought they were testing and then things got broken). Then you just interact with the repo on disk and checkout the branches you need
[17:34] <clarkb> as fungi points out the origin/ refs are set to the non modified commits and can be used if you need to compare deltas for linting or similar
[17:35] *** pojadhav|rover is now known as pojadhav|out
[17:46] <fungi> okay, so zuul_copy_output doesn't seem to support any sort of wildcarding or regular expressions, making it hard to get /srv/mailman/*/logs from the test node when that * is determined by the mailman_sites list in host_vars
[17:46] <fungi> clarkb: any suggestion there?
[17:47] <clarkb> fungi: I would use a post-run playbook to copy the files into a better directory that can be copied wholesale
[17:47] <fungi> ahh, yeah can do that, just a lot more complexity
[17:47] <clarkb> then you can use bash/find/rsync whatever to do the richer thing
[17:47] <fungi> i'll see if there's a suitable playbook already i can just add it to
[17:48] <clarkb> for X in `ls /srv/mailman` ; do cp -R /srv/mailman/$X/logs /other/location ; done then tell zuul_copy_output to copy /other/location
[17:51] <fungi> i guess i can do it in a post-run: playbooks/zuul/run-lists-post.yaml
[17:53] <clarkb> or append it to the end of the run playbook but post run seems better structurally
[17:54] <clarkb> 821101 is still waiting for a tumbleweed image. We deleted those right? I'm going to go ahead and propose the removal of tumbleweed testing from zuul-jobs
[17:56] <fungi> i should be able to loop over mailman_sites if i'm doing it in a playbook
[18:01] <opendevreview> Clark Boylan proposed zuul/zuul-jobs master: Remove tumbleweed jobs https://review.opendev.org/c/zuul/zuul-jobs/+/821111
[18:05] *** rlandy|ruck|mtg is now known as rlandy|ruck
[18:11] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Block outbound SMTP connections from test jobs https://review.opendev.org/c/opendev/system-config/+/820900
[18:11] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Copy Exim logs in system-config-run jobs https://review.opendev.org/c/opendev/system-config/+/820899
[18:11] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Make sure /usr/bin/python is present for mailman https://review.opendev.org/c/opendev/system-config/+/821095
[18:11] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[18:11] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Collect mailman logs in deployment testing https://review.opendev.org/c/opendev/system-config/+/821112
[18:29] <corvus> infra-root: would you mind looking at https://review.opendev.org/820954 and https://review.opendev.org/820956 -- then we can start playing with keycloak + zuul
[18:33] <clarkb> corvus: can anyone create a keycloak user and say they're in the infra-root group or the openstack group to get zuul admin ?
[18:34] <corvus> clarkb: no, groups are managed by admins
[18:34] <corvus> (also, i have disabled new user creation for the zuul realm, so only admins can create users)
[18:34] <clarkb> got it
[18:35] <clarkb> last question should you restrict those admin rules to the keycloak.opendev.org issuer?
[18:35] <corvus> i don't even see groups in the self-serve interface
[18:36] <clarkb> I guess right now it's equivalent since we only have one issuer handing out groups
[18:36] <clarkb> and that is the keycloak issuer
[18:36] <corvus> clarkb: that's probably a safer thing to do (more explicit) but not strictly necessary because ^
[18:37] <clarkb> ok +2'd both but didn't approve project-config change as I think we want the system-config change in first to define the issuer
[18:38] <fungi> in https://review.opendev.org/821112 i reference the mailman_sites var which is set in the inventory, but jinja2 seems to think that "'mailman_sites' is undefined"
[18:39] <fungi> do i need to do something special to reference inventory vars in a playbook?
[18:39] <corvus> fungi: it's defined in system-config-ansible's inventory, but not zuul-ansible's inventory
[18:39] <fungi> oh, wait, this is crossing the boundary between the nested ansible and zuul
[18:39] <corvus> yep that
[18:39] <fungi> yeah, that just dawned on me
[18:39] * fungi sighs... rethinking
[18:40] <fungi> i may have to do clarkb's original suggestion of just doing it in shell script
[18:43] <clarkb> Ansible can list directories like that too, but I always find dealing with ansible loops to be so confusing
[18:45] <fungi> oh, i'll see if i can't figure that out
[18:47] <corvus> i would totally do that in shell script; ansible isn't adding anything to that task
[18:49] <fungi> yeah, i guess if i inline the script in the playbook i can still use jinja variable substitution to know the target dir
[18:49] <corvus> ++ best of both worlds
[18:52] <opendevreview> Clark Boylan proposed zuul/zuul-jobs master: Try to fix broken stestr command discovery https://review.opendev.org/c/zuul/zuul-jobs/+/821101
[18:56] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Collect mailman logs in deployment testing https://review.opendev.org/c/opendev/system-config/+/821112
[18:56] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Make sure /usr/bin/python is present for mailman https://review.opendev.org/c/opendev/system-config/+/821095
[18:56] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[19:10] <fungi> should we be mirroring or retrying docker installation? https://80c9b8c03fffae2c70dd-4e6e3c7c56acb1be7502a51f02e38917.ssl.cf2.rackcdn.com/820900/7/check/system-config-run-zuul/2e806cb/bridge.openstack.org/ara-report/results/601.html
[19:10] <clarkb> fungi: https://mirror.bhs1.ovh.opendev.org/deb-docker/ we do mirror it
[19:10] <clarkb> but convincing our production playbooks to use the mirror might be more trouble than it is worth
[19:10] <fungi> aha, we just don't use it in our tests, i guess plumbing it to the nested ansible is nontrivial
[19:11] <clarkb> ya it would take some effort to detect running under test then swap in the different urls
[19:11] <fungi> retries may not be a terrible idea there though
[19:11] <clarkb> ya retries seem reasonable
[19:15] <clarkb> fungi: if you have time for https://review.opendev.org/c/zuul/zuul-jobs/+/821111/ that would be good. Then I'll keep trying to get tristanC's input on the child for why SF failed third party ci
[19:15] <fungi> oh, sure
[19:20] <clarkb> fungi: looks like tristanC corrected the SF ci if you have another minute to look at the child (821101)
[19:20] <clarkb> I'm happy to approve 821101 when I can watch it land in case it does anything unexpected though I think we have decent code coverage in the testing
[19:20] <clarkb> (I'm going to try and go on another bike ride today as the forecast says more rain and maybe even snow for the next week so this is my opportunity)
[19:22] <fungi> on https://review.opendev.org/821112 should i not be using zuul.executor.log_root on the job node? i see run-base-post.yaml uses it on bridge, but i guess i need to get it from the lists node to the bridge node for it to be collected automatically?
[19:23] <clarkb> I thought the autocollection collected from the nodes in the zuul homedir somewhere
[19:24] <clarkb> fungi: you shouldn't use the zuul executor log root path on the test node though
[19:24] <clarkb> the contexts are different
[19:25] <clarkb> fungi: fetch-output is the role that does the automagic
[19:25] <clarkb> it says it copies from {{ ansible_user_dir }}/zuul-output by default
[19:25] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Collect mailman logs in deployment testing https://review.opendev.org/c/opendev/system-config/+/821112
[19:25] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Make sure /usr/bin/python is present for mailman https://review.opendev.org/c/opendev/system-config/+/821095
[19:25] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[19:27] <fungi> i took a different approach for now and just hard-coded a path consistent with the other single-site mailman node, for simplicity
[19:28] <clarkb> ya I think that will work
[19:29] <opendevreview> Merged zuul/zuul-jobs master: Remove tumbleweed jobs https://review.opendev.org/c/zuul/zuul-jobs/+/821111
[19:29] <clarkb> fungi: re the docker fetch, we should be careful that didn't fail due to the firewall rule update
[19:30] <fungi> it shouldn't unless docker is running a webserver on 25/tcp
[19:30] <fungi> i rechecked it to find out whether it's consistent though
[19:30] <clarkb> ya it seems unlikely, but it's an outbound tcp connection and we're blocking some outbound tcp connections
[19:31] <fungi> as for 821101, i feel like we've already worked around that somewhere at least once, maybe tempest? i recall it was the cause of a significant percentage of failures at one point
[19:33] <clarkb> fungi: ya it's come up before. There are tasks in there to emit the value for logstash tracking
[19:34] <clarkb> https://zuul.opendev.org/t/openstack/build/d8217da86e3746bd812f30d9c77914b1/console and https://zuul.opendev.org/t/openstack/build/1754d6b32850472e96fbe0af1414d633/console show this happening though and it is relatively infrequent
[19:34] <clarkb> I think simply trimming off the extra whitespace and running the command should be a straightforward workaround
[19:35] <clarkb> it must be something with how type -p works but I've yet to reproduce it unfortunately
[19:43] <opendevreview> Merged zuul/zuul-jobs master: Try to fix broken stestr command discovery https://review.opendev.org/c/zuul/zuul-jobs/+/821101
[19:48] <clarkb> I think 814783's tox jobs may have started with ^ in place
[19:54] <clarkb> ya looking at the logs for that it seems happy though hard to be sure we used the new code since the console doesn't show us the actual ansible run
[19:59] <clarkb> I don't see anything going super sideways after 821101. I'll get that bike ride in now. Back in a bit
[20:02] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Collect mailman logs in deployment testing https://review.opendev.org/c/opendev/system-config/+/821112
[20:02] <opendevreview> Jeremy Stanley proposed opendev/system-config master: Make sure /usr/bin/python is present for mailman https://review.opendev.org/c/opendev/system-config/+/821095
[20:02] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[20:10] *** tobias-urdin3 is now known as tobias-urdin
[20:42] <fungi> i'm beginning to realize that all the log collection in the world isn't going to do much good when the mailman site initscripts aren't started
[20:45] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[20:49] <opendevreview> Merged opendev/system-config master: Rename install-ansible to bootstrap-bridge https://review.opendev.org/c/opendev/system-config/+/820282
[21:26] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[21:59] <clarkb> on my bike ride I was worried that we might have been taking the first testr command found because the script can output multiple. But it stops looking after the first is found
[22:01] <clarkb> fungi: hrm for this exercise I don't know that we need the services running? or does newlist depend on them to be running to send email?
[22:02] <fungi> i suspect the latter, yes, which is what i'm verifying now
[22:05] <fungi> yep, that seems to have done it: https://zuul.opendev.org/t/openstack/build/5f3655828b3342b18ca9f9ad84f0d5a3/log/lists.openstack.org/mailman/openinfra/smtp-failure
[22:06] <fungi> also proves that my last edit to the firewall change isn't actually allowing mailman to connect to exim
[22:07] <clarkb> didn't you fix the localhost problem?
[22:08] <fungi> i thought the last revision had
[22:10] <fungi> syslog doesn't seem to be logging the rejections though
[22:12] <fungi> yeah, nothing logged for DPT=25
[22:12] <fungi> i have a feeling we disable logging by applying our ruleset
[22:12] <fungi> all the iptables log entries are early, like before the job starts for the most part
[22:20] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[22:20] <fungi> that ^ should turn on logging for those rules
[23:01] *** artom_ is now known as artom
[23:01] <fungi> https://zuul.opendev.org/t/openstack/build/aa179b4022284cfeafe6a9c8bede6168/log/lists.openstack.org/syslog.txt#1970-1971
[23:01] <fungi> that's it logging the smtp connections, they're definitely localhost
[23:01] <clarkb> and we want those to go through
[23:01] <clarkb> (just making sure I understand)
[23:01] <fungi> right
[23:02] <fungi> maybe iptables works on a last-match basis not first-match
[23:03] <fungi> everything i see says iptables is first-match though
[23:04] <fungi> so in theory the -i lo -j ACCEPT should be passing it through per https://zuul.opendev.org/t/openstack/build/aa179b4022284cfeafe6a9c8bede6168/log/lists.openstack.org/rules.v4.txt
[23:05] <fungi> i'm going to try dropping the first log statement and leaving the second in
[23:05] <fungi> to make sure we're hitting the reject rule
[23:05] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[23:07] <fungi> logging in openbsd's pf is one of the things i really appreciate, you can decorate any rule with the log keyword and it logs not only the packet details but also the action taken and the rule it matched, including its position in the ruleset
[23:08] <clarkb> I like that pf rules are interface oriented and not chain oriented
[23:08] <clarkb> I find that much easier to reason about
[23:16] <clarkb> ianw: apparently I had previously written a user conversion for lodgeit https://review.opendev.org/c/opendev/system-config/+/818606
[23:16] <clarkb> I've got on my todo list to look at the other irc and matrix bots next though since they cohabitate
[23:17] <clarkb> https://review.opendev.org/c/opendev/gerritbot/+/818494/ and parent are related to the gerritbot user switch. Probably worth getting those in at this point now as I think we've learned stuff
[23:21] <ianw> clarkb: happy to try that; it doesn't seem like it will have any issues with the db
[23:22] <clarkb> ianw: ya since it all seems to be db focused it should be fine. But let me double check it listens on a high port
[23:22] <clarkb> ya port 9000
[23:22] <clarkb> I'll try to approve that tomorrow morning when I can watch it more properly and revert if necessary
[23:35] *** rlandy|ruck is now known as rlandy|ruck|bbl
[23:40] <opendevreview> Ian Wienand proposed openstack/diskimage-builder master: Use OpenDev mirrors for 8-stream CI builds https://review.opendev.org/c/openstack/diskimage-builder/+/820978
[23:49] <fungi> okay, i think https://zuul.opendev.org/t/openstack/build/3051b8a7d0eb421680fb867441e24fd1/log/lists.openstack.org/syslog.txt#1957-1958 confirms we're matching the reject rule for 25/tcp and not the accept rule for the lo interface
[23:50] <fungi> the relevant rules: https://zuul.opendev.org/t/openstack/build/3051b8a7d0eb421680fb867441e24fd1/log/lists.openstack.org/rules.v4.txt#23-25
[23:51] *** ysandeep|out is now known as ysandeep
[23:51] <fungi> what nuance of iptables am i missing?
[23:52] <fungi> the logged entry includes OUT=lo
[23:53] <fungi> so why does that packet not match -i lo?
[23:53] <fungi> ohhh, man iptables says i need -o there
[23:54] <fungi> -i is short for --in-interface, there's a separate -o/--out-interface
[23:54] <opendevreview> Jeremy Stanley proposed opendev/system-config master: DNM: Confirm outbound E-mail is blocked https://review.opendev.org/c/opendev/system-config/+/820392
[23:55] <fungi> i wrongly assumed -i was --interface (direction agnostic)
[23:55] <ianw> so it matches incoming lo0 packets, but not outgoing?
[23:56] <ianw> is the input already covered by "-A openstack-INPUT -i lo -j ACCEPT" ?
[23:56] <clarkb> but then on the output chain we blocked it
[23:57] <clarkb> this is why I don't like iptables chains. Too many places to catch things and be confused.
[23:57] <fungi> the new egress rules are on an output chain, because we want to explicitly prevent the server from sending to specific remote addresses/ports with it
[23:58] <fungi> so yes, i had it allowing in on the lo interface but not allowing out from the lo interface
[23:58] <fungi> and one does not imply the other
