02:19 <jmarrero> dustymabe: ostree release is now up for test: https://bodhi.fedoraproject.org/updates/FEDORA-2023-9847dd06c4

13:46 <dustymabe> jmarrero: thanks!

14:54 <dustymabe> simple review to unblock rawhide: https://github.com/coreos/fedora-coreos-config/pull/2428

14:56 <dustymabe> jlebon: i'm thinking it's time for us to try to enable pruning again

14:56 <dustymabe> was going to give it a go this weekend.. WDYT?

15:14 <jlebon> dustymabe: i forgot, why did we disable it last time?

15:14 <dustymabe> there were things getting deleted that shouldn't have been

15:14 <dustymabe> I think

15:16 <dustymabe> https://pagure.io/fedora-infra/ansible/c/3354d0b

15:19 <jlebon> ok right, and it was in the 2023.1 release which went into the Fedora repos about 3 months ago

15:20 <jlebon> for this retry, should we try it not on the weekend so we're around if something happens again?

15:21 <dustymabe> the problem I think is that this first run will take a really long time

15:22 <dustymabe> and if it disrupts builds in some way we don't want it to be at a time critical time I don't think

15:22 <dustymabe> WDYT?

15:23 <jlebon> right, the megaprune

15:23 <jlebon> hmm, i'm somewhat confident things will work this time, but i would've liked a more methodical approach to this

15:24 <jlebon> let's at least ensure a snapshot is taken right before

15:24 <dustymabe> i'm open to ideas

15:24 <dustymabe> yeah

15:24 <dustymabe> want me to ask or do you?

15:24 <jlebon> can do so

15:50 <dustymabe> jlebon: FYI updating containers to F38 (and also some rework for sericea)

15:50 <dustymabe> https://github.com/coreos/fedora-coreos-cincinnati/pull/89

15:50 <dustymabe> https://github.com/coreos/fedora-coreos-releng-automation/pull/172

15:57 <jlebon> dustymabe: nice, lgtm!

16:17 <dustymabe> this one needs a review to unblock rawhide: https://github.com/coreos/fedora-coreos-config/pull/2428

16:44 <dustymabe> This should get all but cincinnati up to date in fedora inra: https://pagure.io/fedora-infra/ansible/pull-request/1453

19:04 <dustymabe> a little coreos-cincinnati overhaul to make it look a little more like the rest of our apps: https://pagure.io/fedora-infra/ansible/pull-request/1454

19:13 <JamesBelchamber[> Of interest: I'm currently going through setting up my homelab and as part of it I note that it's quite messy to layer a package with butane. This leads to a more philosophical question, prompted by the documentation notes around this: is rpm-ostree (particularly the layering process) not something the CoreOS people want to use going forward? I ask because it's a key reason I want to use Silverblue/CoreOS 😅 but it would

19:13 <JamesBelchamber[> explain the similar push against using it in Silverblue

19:13 <JamesBelchamber[> (in this instance I'm installing python3 so I can use Ansible against it; I know this is also sort-of considered an anti-pattern with CoreOS)

19:40 <walters> James Belchamber: Yes, though https://github.com/coreos/layering-examples/tree/main/ansible-firewalld demonstrates using ansible at build time.

19:42 <JamesBelchamber[> Interesting. Is the yes in response to it being an anti-pattern then? Or the not wanting to use rpm-ostree going forward?

19:45 <walters> client-side layering was an immense amount of work and is obviously very useful at "small scale" down to single nodes. But certainly if I had a time machine, I would definitely have gone all in on a container-native model from the start...

19:46 <JamesBelchamber[> I'm currently at a large (unwieldingly large) corporate and I reckon layering is how I could set them on the path towards container-native

19:47 <JamesBelchamber[> I appreciate that it might have been a lot of work, mind 😅 and I guess it's frustrating that it can never really cross the line into supporting all RPMs (technically no distro ever does, mind)

19:48 <JamesBelchamber[> What attracts me to using CoreOS over, say, Flatcar. Is the fact that if I can't get something working in a containerised fashion I can just layer it and get 90% of the way there (then we can hack on the hard bit while the rest is happily off out in production)

19:50 <JamesBelchamber[> I'm also kicking up a relative amount of stink around Silverblue and the stigma against layering (in my view it's just fine to layer), but I didn't have the perspective that it's discouraged in CoreOS until today

20:07 <dustymabe> jlebon: do you think we should be adventurous and try to get https://pagure.io/fedora-infra/ansible/pull-request/1454 in today? or wait til next week?

20:08 <nirik> I just glanced over it and it seems ok, but it's a ton of changes. ;)

20:10 <dustymabe> nirik: yeah that last commit is the bulk of it (yamllint stuff)

20:10 <dustymabe> if you review commit by commit it should be easier

20:15 <nirik> yeah, from a glance it seems ok... but up to you if you want to push it friday. ;)

20:17 <dustymabe> I figure maybe I'll just merge the code and at least get it looking good in staging

20:17 <dustymabe> maybe won't push to prod until monday

20:17 <jlebon> dustymabe: LGTM too. i think we'll find out pretty quick if something breaks or not, so if you're going to test that everything works fine right away after merging, WFM

20:17 <dustymabe> might need some followup PRs since it's hard to test this stuff without merging

20:19 <dustymabe> jlebon: do you think we changed things significantly enough that we should delete and start the project fresh?

20:19 <dustymabe> just to make sure there isn't any cruft left over

20:19 <dustymabe> I think that's at least what I'm going to do in staging first

20:22 <jlebon> dustymabe: hmm, did you forget to `git add` imagestream.yml?

20:25 <jlebon> dustymabe: i think the main stale thing is the old buildconfig. so doesn't seem especially necessary?

20:25 <dustymabe> yup forgot to add the imagestream

20:27 <dustymabe> jlebon: https://pagure.io/fedora-infra/ansible/pull-request/1456

20:27 <dustymabe> sigh

20:27 <dustymabe> and I see a typo

20:28 <dustymabe> ok pushed a fix for that

20:28 <jlebon> stamped!

20:28 <jlebon> bbiab

20:34 <dustymabe> nirik: getting this error https://paste.centos.org/view/56a0f47e when deploying using ansible

20:34 <dustymabe> i'm wondering if that egresspolicy file needs to use the full API name for egresspolicy now

20:35 <dustymabe> like v1/....

20:38 <nirik> yeah, it likely needs a updated name there...

20:39 <dustymabe> nirik: ideas on how to find what that should be?

20:40 <nirik> looking

20:41 <jlebon> possibly like https://pagure.io/fedora-infra/ansible/blob/3152c186a14c3ac98c3b830d16d85f829ed296c3/f/roles/openshift/project/templates/egresspolicy.yml#_2 ?

20:42 <dustymabe> jlebon: bingo

20:43 <nirik> looks like it changed in 4.12, but still digging

20:45 <nirik> I think it's now this: https://docs.openshift.com/container-platform/4.12//networking/network_policy/creating-network-policy.html#creating-network-policy

20:46 <nirik> I have to wander away soon, but if you like I can look later (possibly monday), or you can poke at it.

20:48 <dustymabe> nirik: i.e. `EgressNetworkPolicy` isn't a thing anymore and we have to use `NetworkPolicy` ?

20:49 <nirik> thats what it looks like, but I might be missing something.

20:49 <nirik> We could ask darknao :)

20:49 <dustymabe> if you look at the running prod cluster

20:49 <dustymabe> what objects exist for this?

20:49 <dustymabe> I haven't touched the running prod cluster, just staging

20:57 <nirik> I'm not sure... I'm trying to finish some other things and then have to head out, so I haven't been able to look closely. This was working in 4.11 and before, but I guess 4.12 will require adjustment...

21:00 <dustymabe> nirik: no worries

21:00 <dustymabe> have a good rest of your day and weekend!

21:00 <dustymabe> i'll do some digging

21:03 <nirik> perhaps it just needs apiVersion: network.operator.openshift.io/v1 ?

21:03 <nirik> not sure.

21:14 <dustymabe> hmm the more I look at it i'm trying to figure out if this egress policy makes sense anyway.. the last rule in the list is to allow everything to "0.0.0.0/0"

21:15 <dustymabe> ahh

21:15 <dustymabe> yep: https://pagure.io/fedora-infra/ansible/c/3cd0849

22:56 <darknao> it's network.openshift.io/v1

22:58 <darknao> but I'm not sure what you're trying to achieve with that egress network policies, as everything is allowed by default