ianw | :/ | 00:00 |
---|---|---|
*** dviroel|afk is now known as dviroel|out | 00:46 | |
opendevreview | Merged opendev/system-config master: Correct Apache restart for vexxhost-sjc1 mirror https://review.opendev.org/c/opendev/system-config/+/832730 | 01:55 |
opendevreview | Merged openstack/project-config master: Remove 'glance' group from project entry https://review.opendev.org/c/openstack/project-config/+/802548 | 03:10 |
opendevreview | Ian Wienand proposed openstack/project-config master: grafana: remove bridge-runtime graphs https://review.opendev.org/c/openstack/project-config/+/832746 | 03:17 |
*** ykarel is now known as ykarel|mtg | 05:26 | |
opendevreview | Ian Wienand proposed opendev/system-config master: prod-playbook : send playbook runtime/status to graphite https://review.opendev.org/c/opendev/system-config/+/832754 | 05:55 |
*** ykarel|mtg is now known as ykarel | 07:01 | |
*** arxcruz|off is now known as arxcruz | 08:12 | |
*** jpena|off is now known as jpena | 08:36 | |
*** rlandy|out is now known as rlandy|ruck | 11:14 | |
*** dviroel|out is now known as dviroel | 11:19 | |
opendevreview | yatin proposed zuul/zuul-jobs master: [multi-node-bridge] Allow to skip openvswitch installation https://review.opendev.org/c/zuul/zuul-jobs/+/832497 | 12:58 |
*** ykarel is now known as ykarel|away | 13:32 | |
*** iurygregory_ is now known as iurygregory | 13:48 | |
*** dviroel is now known as dviroel|lunch | 15:14 | |
yoctozepto | hello! would it be possible to enable private changes in gerrit? to allow for easier sharing and review of security patches | 15:38 |
clarkb | yoctozepto: no there isn't such a thing | 15:38 |
clarkb | gerrit doesn't support it | 15:38 |
clarkb | the closest thing would be to maintain forks of all the projects under different names that are not replicated or to run a second gerrit | 15:39 |
yoctozepto | clarkb: well, I can run git-review with -p but it says private changes have been disabled | 15:39 |
clarkb | yoctozepto: yes because they aren't actually private | 15:39 |
clarkb | it's a trap | 15:39 |
yoctozepto | clarkb: lol | 15:39 |
clarkb | yoctozepto: https://gerrit-review.googlesource.com/Documentation/intro-user.html#private-changes-pitfalls | 15:41 |
clarkb | they explicitly say do not use this feature for security fixes | 15:41 |
clarkb | we have explicitly disabled them because that is exactly what everyone assumes they can do | 15:41 |
yoctozepto | clarkb: well, only the last bullet point bothers me - is it affecting us? guessing yes? | 15:43 |
yoctozepto | the other bullet points are non-issue to us | 15:43 |
yoctozepto | (kolla) | 15:43 |
fungi | we replicate all references to our git servers | 15:44 |
clarkb | yes it most definitely affects us | 15:44 |
fungi | share patches in your defect tracker | 15:44 |
clarkb | yoctozepto: read above the pitfalls | 15:44 |
clarkb | they explicitly say do not do this for the reasons that we shouldn't :) | 15:45 |
fungi | yoctozepto: the openstack vmt has spent years trying to come up with better solutions which won't add additional administrative overhead for someone, but defect trackers (and only having private discussions about bugs when absolutely necessary) are the best options we have | 15:46 |
fungi | yoctozepto: privately discussing security bugs should really only be something you do for very, very serious exploitable vulnerabilities, not just a general thing you do for anything which might seem like it could be a security risk | 15:47 |
yoctozepto | clarkb, fungi: ack, thanks for the explanations | 15:48 |
fungi | it's fine to start a discussion about a bug in private if you're unsure, but by the time you get to the point where you're writing fixes it's almost never necessary to keep things private at that point. on the rare occasions where it is, reviewing patches in a defect tracker shouldn't be a massive inconvenience | 15:49 |
fungi | also if we went out of our way to make private code review easier, people would have a tendency to use it even when not absolutely necessary, and that erodes community trust | 15:50 |
yoctozepto | agreed | 15:50 |
fungi | yoctozepto: https://access.redhat.com/blogs/766093/posts/1976653 is also a really good read on that subject | 15:52 |
fungi | and if you need help with a vulnerability report in openstack, it's fine to hit up the vmt members for help too | 15:54 |
yoctozepto | fungi: thanks, that's an interesting viewpoint | 16:01 |
fungi | note that kurt is a long-time lead vulnerability manager at red hat too | 16:02 |
clarkb | fwiw I believe upstream gerrit runs a second gerrit with a fork of gerrit to do their security fixes | 16:02 |
clarkb | then they push the end results of changes there to new branches in the canonical repo then merge that branch in | 16:02 |
fungi | yeah, at one time long ago i was looking at making a second secret gerrit for vulnerability patches, and quickly realized that doubling the gerrit infrastructure for the benefit of 0.00001% of openstack's patches was not a worthwhile cost/benefit ratio | 16:03 |
*** dviroel|lunch is now known as dviroel | 16:42 | |
*** marios is now known as marios|out | 16:51 | |
fungi | #status log Restarted the ptgbot service on eavesdrop since it seems to have not started cleanly when the server was rebooted on 2022-01-27 | 17:12 |
opendevstatus | fungi: finished logging | 17:12 |
corvus | fungi: clarkb i had a summit committee meeting recently where we tried to use meetpad, and had audio issues similar to those clarkb and i had, but we couldn't resolve them and changed platforms. it may be worth some more investigation. | 17:21 |
clarkb | hrm. Ya I guess the difficult thing is trying to determine if the error is on the client or the server. In my case restarting the client fixed it | 17:23 |
clarkb | I wonder if the browser debug tools have any insight into webrtc | 17:24 |
clarkb | https://stackoverflow.com/questions/17530197/how-to-do-network-tracking-or-debugging-webrtc-peer-to-peer-connection if we can reproduce it something like this may be the next thing to look at | 17:26 |
fungi | which audio issues did you have? | 17:30 |
clarkb | fungi: corvus and I started a call and he couldn't hear me. | 17:30 |
fungi | i was able to use it successfully recently for a diversity and inclusion working group meeting | 17:30 |
clarkb | I theorized at the time that the issue may be that I had unmuted my mic in pulseaudio after joining the call. I stopped chrome and then started it again so that it would start with the mic unmuted and it worked | 17:31 |
clarkb | of course that is one small sample point and the issue could be elsewhere | 17:31 |
fungi | i've stopped having as many audio issues after i found pavucontrol and have used it to consistently disable all the inputs and outputs i'm not using so that my browser correctly picks the right ones | 17:31 |
clarkb | ya pavucontrol is what I used to unmute my mic. But I had done that after I had joined the call so theorized that maybe the browser didn't know which input to pull from | 17:32 |
fungi | i've noticed that both ff and chrome have gotten really terrible at picking the right devices or giving in-browser apps an adequate view of them | 17:32 |
clarkb | I think we can do some test calls and if we manage to reproduce have the client side open the webrtc info pages for the browser they are using and see if webrtc is doing useful stuff | 17:33 |
clarkb | and then dig from there | 17:33 |
fungi | discovered that whenever my audio cuts out, it's almost always that the browser has decided to route audio to an hdmi connector | 17:33 |
fungi | but yeah, i agree there are so many possible causes, debugging them further is warranted | 17:34 |
*** jpena is now known as jpena|off | 17:52 | |
*** odyssey4me is now known as Guest1716 | 18:49 | |
ianw | clarkb: are you ok with https://review.opendev.org/c/opendev/system-config/+/832754, which makes the prod runs send stats again? instead of deleting the old grafana page, i might try to update it | 19:58 |
clarkb | let me see | 19:59 |
clarkb | ya I think that is fine | 20:01 |
ianw | thanks; i did test out that delta split/munging on a local run, but will monitor closely today | 20:02 |
ianw | i also have a couple of fixes for the dib-build grafana page too | 20:05 |
ianw | although weirdly, one of the stats doesn't seem to get through | 20:05 |
ianw | stats.gauges.nodepool.dib_image_build.<image>.duration | 20:05 |
ianw | i'm wondering if maybe "duration" is a reserved word and you can't have a key named that? | 20:06 |
ianw | oh doh, i guess it's under 'stats.timers.nodepool.dib_image_build' ... | 20:13 |
ianw | ohhh, interesting ... | 20:20 |
ianw | https://grafana.opendev.org/d/f3089338b3/nodepool-dib-status?orgId=1 | 20:20 |
ianw | the "Build duration" looks right, but graphite is sending us back an error | 20:21 |
ianw | grafana does a POST with | 20:21 |
ianw | target:"alias(keepLastValue(stats.timers.nodepool.dib_image_build.ubuntu-focal.status.duration.mean, 'None'), \"Time\")" | 20:21 |
ianw | graphite is actually responding with a python exception : https://paste.opendev.org/show/bobB7xOYwHlodlTuSjfT/ | 20:22 |
*** dviroel is now known as dviroel|out | 21:29 | |
*** artom__ is now known as artom | 22:49 | |
corvus | clarkb: it appears zuul-core is owned by infra-ptl...i think that is an omission -- we probably forgot to make it self-owned after the, erm, graduation or whatever we're calling it... do you agree? | 23:08 |
corvus | (also zuul-jobs-core) | 23:09 |
corvus | Clark: ^ | 23:13 |
*** rlandy|ruck is now known as rlandy|ruck|bbl | 23:26 |