[10:50:09] <jelto>	 cc from our gdoc: Ceph-based object storage and persistent volumes are available in aux-k8s-eqiad. codfw is wip. Although running privileged:true would be a dealbreaker in aux-k8s (not possible by Kubernetes admissionPolicy)
[17:18:20] <mutante>	 Should we have a single tracking/parent ticket for everything releated to the zuul(3) project?  Then link all other tasks to that?
[17:18:56] <jelto>	 Sounds like a good idea 
[17:18:58] <mutante>	 We already have VM request, then access requests next.. and there will probably be more.  Or we can just use a specific phab tag.
[17:19:25] <mutante>	 I edited the VM request ticket to ask for 6 instead of just 1 VM.
[17:19:38] <mutante>	 alright!
[17:20:33] <thcipriani>	 we are using https://phabricator.wikimedia.org/project/view/7592/
[17:20:43] <thcipriani>	 having a tracking test would be good there.
[17:20:54] <thcipriani>	 (if we want one)
[17:22:03] <thcipriani>	 initial doc is here: https://docs.google.com/document/d/1Y-0nX_0n0AymZ3N-KDRIwuy6V-WXb_EhEP11O0vvAek/edit?tab=t.0
[17:22:36] <mutante>	 ACK! :)
[17:24:08] <mutante>	 adds "in progress" column
[17:34:01] <thcipriani>	 goal for the doc: initial design for entire working zuulv3+ system: both ci workers and production component set up. sobanski jelto mutante work through tentative design of the admin/operations side of zuul, the vision for how we want to run these things in prod and what your needs/functional requirements are (e.g., active/passive failover). hashar dduvall and I will work on CI/product/end
[17:34:03] <thcipriani>	 user needs (e.g., workers, workloads). And we'll all use comments to ask questions/seek advice/bug corvus for input. How's that sound? The output should be a doc that we can refer back to answer our questions along the way as we bump into new functional requirements/friciton points.
[17:40:52] <mutante>	 told Moritz about the updated VM request for a total of 6 machines. He did not veto it but advised we should do only 2GB for the executor and 4GB for the runner. with additional comment that they can be adjusted later.
[17:41:34] <mutante>	 ticket for the new admin group needs some comment who exactly should be in it besides James 
[17:44:42] <thcipriani>	 this is the group of people able to login to those VMs, correct?
[17:45:51] <mutante>	 yes
[17:46:02] <mutante>	 called it "zuul-devs" so far
[17:46:36] <mutante>	 you could say "all of releng" or specific names
[18:03:09] <thcipriani>	 offhand, I'd say same members as contint-roots, dduvall hashar or bd808 any opinions on ^ ?
[18:04:45] <bd808>	 this feels like the same stuff as contint-roots to me.
[18:05:44] <bd808>	 `members: &contint_roots_members [*releng_members, jforrester, bd808]`
[18:06:42] <mutante>	 ok! yep
[18:06:46] <bd808>	 eventually we would want to open things up to contint-admins, but we need to know what sudo tasks to allow for that
[18:07:41] <mutante>	 it feels like it's going to be "sudo docker*" or so .. but yes
[18:07:50] <mutante>	 everything inside container
[18:14:32] <mutante>	  what did we say needs to be able to talk to cloud VPS
[18:58:45] <thcipriani>	 mutante: Zuul executor will need to be able to communicate via ssh to workers, including cloud VPS VMs.
[18:59:36] <thcipriani>	 I added a "Components" section to the doc that has a "communicates with" point under each component. I added a comment asking for verification that that's the only thing that needs to communicate to workers.
[19:00:50] <mutante>	 ACK, I will make a ticket for that too so we can tag netops etc
[19:00:56] <thcipriani>	 The other option that was mentioned today is moving the executor outside the prod cluster, but then the executor needs to communicate with zookeeper, so either way: some communication to prod cluster needed. ssh matches how jenkins behaves currently.
[19:23:50] <mutante>	 I am going with executors in production and allowing them to talk to cloud VPS.. for now.
[19:49:45] <corvus>	 thcipriani: yep, executor is the only one that needs to talk to worker nodes; nodepool-launcher can, but it's not necessary when you're configuring static worker nodes.
[19:50:04] <corvus>	 (it's more important for nodepool-launcher to be able to reach the nodes when using cloud drivers)
[20:31:52] <thcipriani>	 ah, thanks for confirming, that's helpful. And, yeah, we've been using static worker nodes and likely won't change that as part of this migration.
[23:56:17] <bd808>	 ssh access into Cloud VPS space from prod shouldn't require anything special at the network level. The Cloud VPS bastions have public IPs that prod traffic would use to hop into the Neutron network space where the instances live. https://wikitech.wikimedia.org/wiki/Cross-Realm_traffic_guidelines#Case_3:_generic_network_access_prod_--%3E_cloud