Wednesday, 2022-05-11

[00:03] *** rlandy|bbl is now known as rlandy|out
[01:21] *** ysandeep|out is now known as ysandeep|rover
[02:08] *** ysandeep|rover is now known as ysandeep|rover|bbl
[03:40] *** dasm|bbl is now known as dasm|off
[03:58] *** bhagyashris|out is now known as bhagyashris
[04:23] *** ysandeep|rover|bbl is now known as ysandeep|rover
[04:51] *** soniya29 is now known as soniya29|ruck
[06:39] <opendevreview> Pranali Deore proposed openstack/openstack-zuul-jobs master: Update python testing as per zed cycle testing runtime  https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/841368
[06:46] <opendevreview> Pranali Deore proposed openstack/openstack-zuul-jobs master: Update python testing as per zed cycle testing runtime  https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/841368
[07:29] *** ysandeep|rover is now known as ysandeep|rover|brb
[07:40] *** soniya is now known as soniya|ruck
[07:40] *** ysandeep|rover|brb is now known as ysandeep|rover
[07:51] *** soniya|ruck is now known as soniya|ruck|dinner
[07:53] *** soniya|ruck|dinner is now known as soniya|ruck|lunch
[08:01] *** ysandeep|rover is now known as ysandeep|rover|lunch
[08:51] <opendevreview> Bar hochman proposed openstack/pbr master: fix: check for the installed version of importlib_metadata and use it only if pbr supports it. bug-report: https://bugs.launchpad.net/pbr/+bug/1972975 Change-Id: If67caac8d7ee7d5f22d0c6d262582b432d3370d1  https://review.opendev.org/c/openstack/pbr/+/841222
[08:56] *** soniya|ruck|lunch is now known as soniya|ruck
[09:02] *** ysandeep|rover|lunch is now known as ysandeep|rover
[09:21] <opendevreview> daniel.pawlik proposed openstack/ci-log-processing master: DNM Checking Zuul stdout issue  https://review.opendev.org/c/openstack/ci-log-processing/+/841388
[09:33] <opendevreview> daniel.pawlik proposed openstack/ci-log-processing master: DNM Checking Zuul stdout issue  https://review.opendev.org/c/openstack/ci-log-processing/+/841388
[09:39] *** jpena|off is now known as jpena
[09:43] <opendevreview> likui proposed openstack/openstack-zuul-jobs master: The Python 3.6 Support has been dropped since zed for charm  https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/841390
[09:44] <opendevreview> daniel.pawlik proposed openstack/ci-log-processing master: DNM Checking Zuul stdout issue  https://review.opendev.org/c/openstack/ci-log-processing/+/841388
[09:49] <dpawlik> fungi, clarkb: hey, this is also not affecting you https://review.opendev.org/c/openstack/ci-log-processing/+/841388/ ?
[11:03] *** bhagyashris_ is now known as bhagyashris
[11:21] *** rlandy|out is now known as rlandy
[11:27] <fungi> dpawlik: is what not affecting us? that just looks like an example of setting no_log on an ansible task
[11:31] *** dviroel|out is now known as dviroel
[11:32] *** ysandeep|rover is now known as ysandeep|rover|brb
[11:37] *** ysandeep|rover|brb is now known as ysandeep|rover
[11:46] *** dasm|off is now known as dasm
[11:55] *** ysandeep|rover is now known as ysandeep|rover|mtg
[12:05] <opendevreview> Tristan Cacqueray proposed openstack/ci-log-processing master: DNM Checking Zuul stdout issue  https://review.opendev.org/c/openstack/ci-log-processing/+/841388
[12:13] <dpawlik> fungi: so result of that tasks https://review.opendev.org/c/openstack/ci-log-processing/+/841388/4/ansible/playbooks/bcrypt.yml#8  should be message with message b64
[12:14] <dpawlik> when no_log is set, it does not print and it is just unset
[12:23] <fungi> dpawlik: i don't think we've tried that (we use no_log very rarely in zuul playbooks, usually just around places where zuul secrets are accessed)
[12:25] <fungi> looking in opendev/base-jobs and openstack/project-config, the only uses of no_log are in post-run playbooks handling swift upload credentials
[12:26] <fungi> https://opendev.org/opendev/base-jobs/src/branch/master/playbooks/base/post-logs.yaml#L12
[12:37] *** ysandeep|rover|mtg is now known as ysandeep|rover
[13:08] <dpawlik> em, it should not affect
[13:10] <fungi> yeah, i'm not surprised that no_log interferes with accessing stdout from a command
[13:21] *** ysandeep|rover is now known as ysandeep|rover|brb
[13:31] *** ysandeep|rover|brb is now known as ysandeep|rover
[13:33] *** bhagyashris_ is now known as bhagyashris
[14:41] <clarkb> it is my understanding that that is what no_log is expected to do otherwise you'll record the secret in the json file at the very least and that would be bad
[14:41] <clarkb> anyway I've left a comment on the zuul change asking for clarification and providing feedback on the implementation should we decide to proceed with it
[14:45] <fungi> yeah, my hope is that adding tests will be able to prove whether it's safe
[15:05] *** soniya|ruck is now known as soniya|out
[15:09] *** dviroel is now known as dviroel|lunch
[15:09] <dpawlik> clarkb: What about the tempaltes?
[15:09] <dpawlik> templates*
[15:10] <clarkb> I'm not sure I understand the question. Which templates?
[15:11] <dpawlik> clarkb: in the PoC PS there are few things that are affected by no log
[15:11] <dpawlik> so if some command like uuidgen were registered, then you set it as fact, then you want to use template, you will get empty message
[15:12] <dpawlik> clarkb: so for example, https://softwarefactory-project.io/paste/show/2213/
[15:12] <dpawlik> hash should be filled, not empty
[15:12] <dpawlik> and normally ansible is putting that value there, where zuul is removing
[15:13] <clarkb> right, but does zuul not removing it expose the information publicly? That is what zuul is attempting to guard against
[15:13] <clarkb> specifically via the ansible json log file that zuul records
[15:17] <dpawlik> clarkb: ah
[15:18] <dpawlik> clarkb: so very basic ansible playbook that is just printing an echo text that was registered in the task is impossible to read, because zuul does not allow for that
[15:18] <dpawlik> seems to be a bug for me
[15:19] <dpawlik> secrets should be in other box
[15:19] <dpawlik> than registered variables
[15:19] <dpawlik> but I agree, someone can do an echo on sensitive variables, register and expose it
[15:26] *** ysandeep|rover is now known as ysandeep|rover|out
[15:26] <fungi> does setting no_log under normal ansible not also break that? zuul's command.py is essentially a fork of code from ansible
[15:27] <fungi> i haven't looked to see how far the no_log handling has diverged though
[15:31] <clarkb> fungi: this specific portion of the code is different than upstream ansible in order to tail the log without blocking
[15:32] <fungi> yeah, i just don't know how much of what's there regarding no_log handling is taken from upstream ansible
[15:32] <fungi> and whether this particular stdout filtering behavior is also present in ansible itself
[15:32] <jrosser> i don't think that it is
[15:33] <jrosser> https://paste.opendev.org/show/bIJUvEhlY9YMk141pl2b/
[15:34] <fungi> from the zuul side of things, i'm happy for task stdout handling to be as close as possible to ansible's own behaviors, so long as we can do it in a safe way in order to avoid leaking sensitive data in logs
[15:35] <clarkb> right this portion of the code is different so that you can get a live console log. Ansible proper blocks and reads the info at the end
[15:35] <clarkb> then separately we have to handle no_log in a way that makes sense for the ansible json recording
[15:35] <clarkb> It is possible that this handling isn't necessary and ansible filters that separately, but I believe that was the intent here
[15:35] <clarkb> but also this discussion should happen in #zuul
[15:36] <fungi> or on 841418
[16:03] *** dviroel|lunch is now known as dviroel
[16:09] <opendevreview> Merged openstack/pbr master: Adding python classifiers py38 & py39  https://review.opendev.org/c/openstack/pbr/+/840633
[17:01] *** jpena is now known as jpena|off
[20:53] *** dviroel is now known as dviroel|afk
[21:00] *** timburke__ is now known as timburke
[21:02] *** dasm is now known as dasm|off
[22:08] *** rlandy is now known as rlandy|bbl
[23:16] <opendevreview> Merged openstack/openstack-zuul-jobs master: infra-deb-ppa-push: push to production repos  https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/840572
