[09:14:07] <jelto>	 🥳
[16:03:55] <thcipriani>	 first thought from meeting just now: sounds like it might be tough to put new zuul in the aux k8s cluster.
[16:04:11] <thcipriani>	 (the executor/scheduler bits, anyway)
[16:08:39] <bd808>	 From the description at https://wikitech.wikimedia.org/wiki/Kubernetes/Clusters#aux it already seemed unlikely to me. Combining the risks of CI payloads with "SRE supported critical infrastructure services" does not seem generally the way we have done things around here.
[16:18:01] <thcipriani>	 if not aux cluster, then that would leave: plan for new cluster, and then there's a decision about interim state. Or interim/long term host. One other thought: that was sparked by jelto 's question about how to containerize execution: I'm uncertain about how we would use a k8s cluster for workers very effectively.
[16:19:54] <thcipriani>	 dduvall: or hashar any thoughts about workers from that call? (though I know a lot was focused on executor)
[16:22:20] <hashar>	 I'd argue the CI control plane is critical infra
[16:23:17] <hashar>	 at least I have a better mental model of the scheduler > executor > workers
[16:23:40] <hashar>	 so the workers can be scaled to whatever,  and I think the dumbest way is to mimic what we do currently
[16:23:56] <hashar>	 use static nodes in Nodepool (similar to how we statically define Jenkins agents in the Jenkins controller)
[16:24:16] <dduvall>	 re: the description of how the executor dispatches jobs, i don't think we should rule out k8s for workloads completely, but from the description of what privileges the executor needs itself, i think we can rules out k8s for the moment
[16:24:35] <hashar>	 have those static nodes be WMCS instances that have Docker running and whatever basic config (that is how I have set it up on zuul-dev)
[16:25:16] <dduvall>	 yeah, that's something we didn't bring up in the meeting, the fact that all of our jobs are current run via docker
[16:25:59] <hashar>	 I talked about that with James some years ago and we can use the Ansible playbook that runs test_command
[16:26:03] <hashar>	 and pass it "docker run whatever"
[16:26:11] <hashar>	 for a first step that might be sufficient
[16:26:23] <dduvall>	 that's probably sufficient, yeah
[16:26:51] <hashar>	 another possibility would be to run the current CI images in k8s and via nodepool
[16:27:40] <hashar>	 so that Zuul would require a resource for a label mediawiki-php81,  nodepool will spin up a container from the releng/quibble-bullseye-php81 image
[16:27:56] <hashar>	 and once the container is ready ansible will be able to run `quibble --whatever`
[16:28:07] <hashar>	 but we don't have a kubernetes cluster to run those ci images
[16:28:08] <hashar>	 anyway
[16:28:29] <hashar>	 the big Q is where we run the Executors :/
[16:29:54] <hashar>	 or we run it 
[16:30:01] <hashar>	 but it seems using upstream containers is the easiest
[16:30:22] <hashar>	 and if I got it right nobody bother with the Helm chart (why would you really?) 
[16:31:00] <hashar>	 and the operator had some traction but is probably barely used
[16:31:59] <hashar>	 so that leaves out docker compose   or well simply `docker run` (potentially using systemd to meet what our monitoring system is expecting and to make it consistent with how we do things)
[16:35:26] <thcipriani>	 no stupid questions: docker in systemd: do we have a way to scale the number of instances? Or would we need docker-compose?
[16:35:49] <dduvall>	 docker compose in prod seems weird to me
[16:36:12] <hashar>	 ditto
[16:36:20] <hashar>	 I can already hear _joe_ mumbling from the end of the building
[16:36:21] <hashar>	 :b
[16:36:53] <dduvall>	 we already run docker based things via systemd (like buildkitd) so i think we should stick to that if we're not going to use k8s
[16:37:04] <dduvall>	 there are puppet manifests for it
[16:37:19] <thcipriani>	 cool
[16:37:40] <dduvall>	 scaling, well, if not using k8s it requires provisioning additional hosts. this is all sre collab's domain though :)
[16:38:13] <thcipriani>	 got it, so no benefit to scaling on a single host?
[16:38:28] <thcipriani>	 only by adding additional hosts when running docker
[16:38:38] <dduvall>	 not that i can think of. it wouldn't help with load or failover
[16:39:19] <dduvall>	 ease of upgrades is definitely a joint releng/collab concern, however
[16:39:20] <thcipriani>	 gotcha
[16:40:08] <dduvall>	 so we should definitely consider what upgrades look like when using upstream vs vendored vs wmf built images
[16:40:24] <thcipriani>	 for systemd it would be bumping a hiera value somewhere vs. k8s it's a helm deploy (which anyone could do)
[16:40:41] <thcipriani>	 maybe...
[16:40:44] <dduvall>	 (by vendored images, i mean upstream images imported into our registry)
[16:41:19] <thcipriani>	 do we have any of those now?
[16:42:51] <dduvall>	 https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/hieradata/role/common/gitlab_runner.yaml#84 is where we bump the buildkitd image ref
[16:43:35] <dduvall>	 hmm, i'm not sure if we have images that are directly imported, but i recall doing `FROM some.example/upstream/image@{digest}` in the past :D
[16:43:40] <hashar>	 I'll catch up tomorrow, I have to head yoga!
[16:43:49] <dduvall>	 hashar: enjoy!
[16:48:38] * corvus waves
[16:54:39] <paladox>	 hi corvus!
[16:57:36] <corvus>	 here's how opendev runs, for example, the zuul-executor via docker-compose: https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles/zuul-executor/files/docker-compose.yaml
[16:57:41] <corvus>	 all the other components are similarly represented. and there's an overall "zuul" role that sets up some users, permissions, etc
[16:57:47] <corvus>	 we used docker-compose just to have some isolation from the underlying os (we started doing this when we would have had to choose between upstart and systemd!)
[16:57:51] <corvus>	 but structurally, starting the container with systemd should be very similar
[16:59:20] <corvus>	 here's a k8s manifest deployment of zuul: https://gerrit.googlesource.com/zuul/ops/+/refs/heads/master/k8s/zuul.yaml
[17:00:27] <corvus>	 that has some google-cloud specific stuff in it, but, in general, that file is very similar to the docker-compose files: just "run this container image" with a few mountpoints.
[17:01:14] <corvus>	 here are the helm charts: https://opendev.org/zuul/zuul-helm
[17:01:29] <corvus>	 they may be a good starting point, but they may have bitrotted
[17:01:50] <thcipriani>	 thanks corvus and welcome!
[17:04:28] <corvus>	 thanks!
[17:05:07] <thcipriani>	 ^ bd808 if you want to do any voiced magic for corvus, he's here \o/
[17:05:21] <corvus>	 i like to reference opendev a lot because all the ops are fully public
[17:05:44] <corvus>	 here's a zuul gate job that runs a complete copy of the zuul system on ephemeral nodes to check all our deployment code: https://zuul.opendev.org/t/openstack/build/2089be9926d24f3b8fd240a5577433a7
[17:07:10] <corvus>	 (it runs on 8 ephemeral virtual machines, and spins up an executor, launcher, merger, scheduler, database, zookeeper, and load balancer -- all using those docker-compose files
[17:13:31] <thcipriani>	 very cool, that's a nice template to follow. Is there a good reason to keep these services on seperate boxes? The current zuul set up has the scheduler, merger, and jenkins running on a single beefy host (we have a few schedulers to keep up with demand). Seems like that would be akin to executor, launcher, merger, and scheduler on one machine.
[17:26:47] <bd808>	 !issync
[17:26:47] <ircservserv-wm>	 Syncing #wikimedia-zuul (requested by bd808)
[17:26:49] <ircservserv-wm>	 Set /cs flags #wikimedia-zuul dduvall +AVfiortv
[17:26:51] <ircservserv-wm>	 Set /cs flags #wikimedia-zuul marxarelli -AVfiortv
[17:26:53] <ircservserv-wm>	 Set /cs flags #wikimedia-zuul corvus +Vv
[17:28:15] <bd808>	 why does the bot keep wheel warring on dan's accounts?
[17:28:19] * bd808 looks at config
[17:29:17] <dduvall>	 maybe because my nick is not my username?
[17:34:00] <bd808>	 dduvall: yeah, that is my guess too. The config is using your nick and I think i should be using your account instead. Same with the role I just added for c.orvus. Fix inbound.
[17:35:16] <corvus>	 thcipriani: it's not necessary to have them on separate boxes.  opendev does it because we scale out the vms for capacity perposes (while also running at least 2 of everything for availability).  but all-in-one, or any combination is fine.
[17:36:07] <corvus>	 (there is also a small amount of right-sizing, in that opendev runs smaller zuul-merger vms than others because they max out using fewer resources)
[17:36:28] <corvus>	 s/than others/than the other services/
[17:39:13] <thcipriani>	 ack, thanks for confirming, our current setup has two of our beefy boxen for redundancy. I'm sure collab folks will have other considerations to think about for splitting services, but good to know our existing split is still a valid one.
[17:40:50] <bd808>	 !issync
[17:40:50] <ircservserv-wm>	 Syncing #wikimedia-zuul (requested by bd808)
[17:40:52] <ircservserv-wm>	 Set /cs flags #wikimedia-zuul marxarelli +AVfiortv
[17:41:03] <bd808>	 !issync
[17:41:03] <ircservserv-wm>	 Syncing #wikimedia-zuul (requested by bd808)
[17:41:04] <ircservserv-wm>	 No updates for #wikimedia-zuul
[17:41:15] <bd808>	 wheel war stopped I think :)
[17:41:20] <dduvall>	 :(
[17:41:22] <dduvall>	 :)
[17:41:27] <dduvall>	 haha