/srv/irclogs.ubuntu.com/2020/09/18/#smooth-operator.txt

[09:30] <mup> Issue operator#345 closed: Harness could start with config initialized from config.yaml <Created by jameinel> <Closed by chipaca> <https://github.com/canonical/operator/issues/345>
[09:30] <mup> PR operator#403 closed: Make Harness load default values from config.yaml <Created by johnsca> <Merged by chipaca> <https://github.com/canonical/operator/pull/403>
[11:05] <facubatista> Good morning, everyone!
[11:06] <bthomas> morning facubatista
[11:10] <facubatista> hello bthomas
[11:22] * facubatista begs for a review https://github.com/canonical/charmcraft/pull/156
[11:22] <mup> PR charmcraft#156: Text builders for simple usage, detailed help, and command help <Created by facundobatista> <https://github.com/canonical/charmcraft/pull/156>
[11:23] <facubatista> bthomas, Chipaca ^
[11:59] <bthomas> done
[12:37] <mup> PR operator#375 closed: first pass at getting travis to do a windows run <Created by chipaca> <Closed by chipaca> <https://github.com/canonical/operator/pull/375>
[12:37] <mup> PR operator#408 opened: These changes make it so that the test suite passes on Windows <Created by chipaca> <https://github.com/canonical/operator/pull/408>
[12:43] <Chipaca> Progress: Downloading python3 3.8.5... 2PProgrProgress:Progress: DowProgress: DownloaProgress: DownloadingProgress: Downloading pytProgressProgress: DoProgress: DownloProgress: DownloadinProgress: Downloading pyProgress: Downloading pythonProgress: DowProgress: Downloading python3 3.8.5... 54PrProgreProgress: Downloading python 3.8.5... 100%
[12:43] * Chipaca wonders who thought that was a'ight
[14:01] <Chipaca> #408 is green 🙂
[14:01] <mup> PR #408: These changes make it so that the test suite passes on Windows <Created by chipaca> <https://github.com/canonical/operator/pull/408>
[14:02] <jam> o/
[14:22] <facubatista> yes!
[16:05] <crodriguez> hello hello. I get into a weird situation rn. So, upon deployment of a charm, both the start hook and the config-changed hook are triggered automatically. If my start hook fails upon something, I set a blocked status. However, the config-changed hook runs right after and removes that blocked status, so the error is being hidden
[16:06] <crodriguez> So, I see a few options. 1) is it possible to *not* run the config-changed hook at the same time as the start hook? I do not see any benefits
[16:07] <crodriguez> 2) can we get the option of setting the status to error? maybe that would actually block the other hooks from overwriting the status?
[16:07] <crodriguez> @facubatista, I'd like to get your input on this ^
[16:51] <facubatista> crodriguez, reading
[16:53] <facubatista> this is more "juju behaviour", so let's see what jam says about it, but:
[16:53] <narindergupta>   File "/var/lib/juju/agents/unit-cassandra-0/charm/venv/ops/model.py", line 979, in _run
[16:53] <narindergupta>     raise ModelError(e.stderr)
[16:53] <narindergupta> ops.model.ModelError: b'ERROR json: unknown field "lifecycle"\n'
[16:53] <facubatista> 1) it surprises me that config-changed is triggered after start ended with error
[16:53] <narindergupta> @facubatista have you seen recently?
[16:53] <facubatista> 2) ah, mmm
[16:54] <facubatista> crodriguez, when you say that the "start hook fails on something", is it actually making the call crash, or you just set up to blocked, and then end the hook "correctly"?
[17:00] <facubatista> narindergupta, nop, do you have more context?
[17:03] <narindergupta> @facubatista i just deployed my old cassandra charm and having this issue.
[17:03] <narindergupta> facubatista: i will try to build the charm again and test and if that does not solve then have to look i know this charm was working some time back and wanted to implement few comments
[17:07] <narindergupta> facubatista: still same error so looks like ops.model.ModelError: b'ERROR json: unknown field "lifecycle"\n'
[17:09] <facubatista> narindergupta, do you have a bigger traceback? where are you seeing this?
[17:09] <narindergupta> facubatista: never mind looks in my template i am adding lifecycle
[17:09] <narindergupta> which is not supported so far.
[17:10] <facubatista> so the "i just deployed my old cassandra" is "i just added an invalid key to metadata.yaml and tried the deploy"? :)
[17:12] <narindergupta> facubatista: somehow this was there in charm template as well which is weird and when i tested last it was not an issue may be while uploading i might have pushed new charm as i was experimenting lifecycle feature
[17:12] <narindergupta> in other sense cassandra charm on charmstore is broken
[17:35] <mup> Issue operator#409 opened: Setting model.app.status causes the deployment to hang <Created by camille-rodriguez> <https://github.com/canonical/operator/issues/409>
[17:36] <jam> facubatista, crodriguez from her comments on mattermost, it is just setting Blocked in 'start' but config-changed is apparently causing it to set Active.
[17:36] <jam> so both (a) start isn't raising an exception/failing non-zero exit code and (b) something in config-changed isn't evaluating the same logic to realize it needs more.
[17:39] <facubatista> jam, but it's ok to "start" to "finish ok", right? Even if it detects an underlying problem/issue, and sets the status to Blocked
[17:39] <crodriguez> facubatista, well there's no way for me to easily set an error status, so until now I was using blocked status
[17:39] <crodriguez> I'll try the sys.exit strategy and see how that goes. I also opened bug#409
[17:40] <crodriguez> for something else I found (app.status doesn't work..)
[17:55] <jam> you can exit(1) or raise Exception to go into error status
[17:56] <jam> juju doesn't let you status-set error
[18:21] <facubatista> jam, crodriguez, my question is what it's expected to happen at "juju level"... Blocked means that manual intervention is needed... so the method should raise an exception instead of finishing correctly?
[18:21] <facubatista> is it always that way?
[18:22] <jam> facubatista, no. you may be blocked because you need a relation to a database. That needs a human, but the charm should still be able to respond to relation-created
[18:22] <facubatista> ah, good
[18:23] <facubatista> so, in the case of crodriguez she *should* end it in error because it makes no sense to keep receiving events, right?
[18:23] <jam> from what she's saying, yes.
[18:26] <facubatista> good, thanks
[18:50] <facubatista> jam, the "params" part in actions.yaml is used for something? I have a charm with an action without that section, and I was able to call the action using the parameter, and it reached the charm's method just fine
[18:51] <jam> facubatista, there is a field for "allow additional parameters" which you can set to False IIRC, let me check
[18:51] <jam> facubatista, additionalProperties: False
[18:51] <jam> sorry, 'false'
[18:51] <jam> lowercase
[18:51] <facubatista> ah, thanks!
[18:52] <jam> facubatista, with additionalProperties: false, then Juju won't let you supply things that aren't in the params.
[18:56] <facubatista> jam, so "params" is more about validations before the sent information actually reaches the charm, right?
[18:56] <facubatista> e.g.: ERROR validation failed: (root).foo : must be of type string, given 123
[18:57] <jam> facubatista, I believe so, yes
[18:57] <facubatista> it can get weird, though:
[18:57] <facubatista> $ juju run-action bdv/1 refresh foo='123' --wait
[18:57] <facubatista> {}
[18:57] <facubatista> ERROR validation failed: (root).foo : must be of type string, given 123
[18:59] <jam> facubatista, I would guess the CLI is parsed as YAML, so you would need appropriate quoting to pass a 'looks-like-integer' as a string
[18:59] <jam> foo='"123"' might work
[18:59] <facubatista> it did
[18:59] <facubatista> it's a nice thing to mention
[19:57] <crodriguez> jam, facubatista I have another question and I'm not sure if it's more a juju thing or an operator thing. The K8s API commands that I execute in my charm are launched inside the app controller pod. Everything works well when RBAC is not enabled, but if RBAC is enabled, then the operator pod does not have the required permissions to use the API. I don't understand why in this context, the controller pod is able
[19:57] <crodriguez> to set the pod_spec, but not to use the API
[19:57] <jam> crodriguez, the application pod asks Juju to set the pod spec, not the K8s api directly
[19:59] <crodriguez> mhm ok. So what are my options then? I have to give extra permissions to the app operator, but i do not think that juju allows that?
[19:59] <crodriguez> the k8s guys have done a workaround in multus where they spin up another container, which they give enough permissions to run kubectl/api
[20:00] <crodriguez> but that's an ugly solution :(
[20:06] <crodriguez> so idk jam what you think about that. I'd like to avoid the extra container just to run the api..
[20:09] <jam> crodriguez, it would be good to understand what actual RBAC you need
[20:16] <jam> I agree that spinning up another container is not the right way to do it.
[20:20] <crodriguez> jam: I need to create pod security policies, create a namespaced role, and bind this role. So I need rbac to be allowed to do this in the controller pod
[20:21] <crodriguez> and I'm using the k8s api for this because of LP:1886694 and LP:1896076
[20:26] <jam> bug #1886694
[20:26] <jam> bug #1896076
[20:26] <jam> I guess mup doesn't do that here?
[20:27] <jam> crodriguez, PodSecurityPolicy is essentially allowing you to root the K8s hosts, it is a pretty dangerous thing to give arbitrarily
[20:29] <crodriguez> jam it's not arbitrarily, it's the way upstream MetalLB is designed.
[20:31] <jam> how to put it a different way
[20:31] <jam> I understand the desire for the functionality. But it isn't appropriate for every charm to have root on the entire K8s cluster
[20:31] <jam> MetalLB is a bit special in that it very much has to control the host to provide the functionality
[20:32] <jam> but it is, essentially, getting elevated privileges over everything else running in the cluster.
[20:32] <jam> eg, kernel level attacks on every K8s worker node
[20:34] <jam> now, we can probably model that with something akin to "juju trust" that would allow for a specific charm to operate with elevated privileges
[20:36] <jam> In the short term, it feels very appropriate to explicitly ask for a Cluster role to be done by someone outside of the charm, before the charm can operate
[20:38] <crodriguez> I don't understand how having the ability to create pod security policies means that it would give you root to the entire cluster. Being a juju admin already assumes that you have access to pretty much everything anyway, doesn't it? Pod security policies enable more security, it can let you prevent users from running privileged containers, etc.
[20:39] <jam> PodSecurityPolicy defines things like "Can I load a Kernel driver for this pod"
[20:39] <jam> On AWS we don't give the AWS credentials to every charm, or even every machine agent
[20:48] <crodriguez> jam: I've replied to you in MM/charmcraft, since this is becoming more of an internal discussion
[21:05] <mup> Issue operator#410 opened: Framework does not log re-emission of events <Created by camille-rodriguez> <https://github.com/canonical/operator/issues/410>
[21:10] * facubatista eods and eows
