[09:08:08] brennen: I merged gitlab runner: restrict docker images and services (https://gerrit.wikimedia.org/r/c/operations/puppet/+/724472) and re-registered Trusted Runners. I did not re-register WMCS runners
[09:08:39] let me know if you want me to re-register them as well
[11:39:21] GitLab (Infrastructure), serviceops: Reduce usage of public IPv4 addresses on GitLab hosts - https://phabricator.wikimedia.org/T310265 (Jelto)
[11:39:40] GitLab (Infrastructure), serviceops: Reduce usage of public IPv4 addresses on GitLab hosts - https://phabricator.wikimedia.org/T310265 (Jelto) p:Triage→Medium
[14:21:26] Do we have a way of getting an interactive terminal with a gitlab runner to test ci jobs?
[14:26:31] Oh there's the container it's using. The answer would be do a docker run on docker-registry.wikimedia.org/buster:latest, Does that seem right?
[14:33:16] hmm.
[14:33:53] Which CI job are you trying to test? I might be able to give a better answer with that information.
[15:09:30] I'm trying to recreate the blubber test used in quarry. Currently it runs on jenkins, launched by something in gerrit
[15:09:54] I'm starting to get the feeling that we don't like the idea of docker in docker for the gitlab runners?
[15:57:46] GitLab (Project Migration), Release-Engineering-Team: Create new GitLab project group: content-transform - https://phabricator.wikimedia.org/T309194 (brennen) Open→Resolved a:brennen Created: https://gitlab.wikimedia.org/repos/content-transform Added everyone on Content Transform I could fin...
[16:20:08] Another question could be do we have any examples of porting jenkins jobs launched by gerrit to gitlab?
[16:41:57] Rook: Sorry for the delay. We're still working on codifying best practices for converting from Jenkins to Gitlab. There are a couple of blockers that are getting in the way.
[16:42:52] Docker-in-docker will definitely not happen in the runners that we provide (insecure). However, we expect to promote the use of 'buildkit' to perform builds inside of docker.
[16:42:58] I'll dig up an example
[16:43:40] Np. Would you recommend I delay in moving quarry? It isn't currently blocking anything by remaining in at the moment
[16:44:21] Yeah, I recommend waiting.
[16:48:19] 👍
[17:10:50] GitLab (CI & Job Runners), Security-Team, Release-Engineering-Team (GitLab-a-thon 🦊), Security, User-brennen: Limit GitLab shared runners to images from Wikimedia Docker registry - https://phabricator.wikimedia.org/T291978 (brennen) Stalled→Resolved Noting from IRC: ` brennen...
[17:22:42] GitLab (Project Migration), Quarry: Move quarry to gitlab - https://phabricator.wikimedia.org/T308978 (rook) Seems like waiting on this until some of the CI bits of gitlab are better established is recommended. ` Ahmon Dancy Rook: Sorry for the delay. We're still working on codifying best pract...
[19:16:41] GitLab (Infrastructure), serviceops: Reduce usage of public IPv4 addresses on GitLab hosts - https://phabricator.wikimedia.org/T310265 (Dzahn) > moving gitlab1001.wikimedia.org to gitlab1001.eqiad.wmnet This is possible but would require reaching out to dcops to physically connect it to a different netw...
[19:23:17] GitLab (Infrastructure), serviceops: Reduce usage of public IPv4 addresses on GitLab hosts - https://phabricator.wikimedia.org/T310265 (Dzahn) First and foremost though, the reason why gitlab has all public IPs is because we were trying to emulate the gerrit setup. And gerrit has public IPs and is not be...