New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Start gating Bodhi updates of CoreOS-owned packages on Fedora CoreOS tests #1617
Comments
The common way to gate a group of packages in the global policy is using comps groups. This is what the critical path decision contexts in the global policy refer to. So we could create a new comps group, e.g. Another approach is using |
Just one thing it'd be best to note explicitly: there is rather more to it than just "you can put any comps group you like in a greenwave policy". Rather, the critical path groups are fairly "special". We have a script which runs daily and calculates "full" versions of specific comps groups - currently, all the critical path groups and In practice, extending this mechanism to another group isn't too complicated - you put the group in comps, add it to |
I guess I should highlight that "dependency" thing a bit, too. As far as this system is concerned, all dependencies of packages in a critpath group are part of that group. So e.g. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ff5bd8445c, a So you need to be aware that if you go ahead and use the current critpath mechanism - create a I have considered introducing the concept of a 'non-resolving' group for this kinda case (for e.g. to run and gate on more extensive openQA tests on anaconda updates without running them on every dependency of anaconda). But I hadn't got around to actually doing it yet. |
I suppose another direction we could extend in is to make the Any way we go with this, we may have to consider de-emphasizing the "critical path" relationship, I guess, though that involves doing some conceptual thinking (I wrote a thread on devel@ about this, back when I set this whole mechanism up). |
Thanks for the additional info!
That sounds like a potential path forward. For this first phase, maybe simplest is to host a Whenever we're ready to turn on gating more broadly, we could decide to expand that list or just update
Could you link to that thread? I suppose what you mean here is that the whole process is very geared towards critical path comps groups and gating and we're sort of hijacking those mechanisms for broader purposes? In the smaller scoped instance, keeping the critpath nomenclature seems appropriate, even if it's not sourced from comps. E.g. the list in https://github.com/coreos/coreos-ci/blob/bc8b4aceebf45f0663d48246fce7d500f0c02c50/jobs/bodhi-trigger.Jenkinsfile#L11-L27 can be considered an "FCOS critical path" group. (These are the packages we currently trigger Bodhi tests for.) If we do expand it to all packages in FCOS, I agree it's stretching it. I'm happy to help with this de-emphasis as I work on this if we think it's worthwhile. |
Yeah, more or less. Even without this CoreOS stuff, we're kinda stretching it at present. The initial idea of the "critical path" concept was that it defined the packages absolutely necessary for a system to boot and work. The purpose was to put stricter requirements on updates containing those packages - they require more karma or a longer wait in updates-testing than regular updates. But then when we set up openQA update testing I decided to use "is it critpath?" as a heuristic for whether to run tests on updates - because it was convenient, and more or less mapped to what we wanted to test. Since then we've kinda stretched the critpath definition a bit primarily just to get things tested and gated by openQA, e.g. pulling FreeIPA into the 'critpath' definition for Server. Last year I tweaked the formal critpath definition in the wiki to retcon this: https://fedoraproject.org/w/index.php?title=Critical_path_package&diff=686714&oldid=599546 so we have a bit of wiggle room there, especially you as the CoreOS edition owners can pretty much just declare whatever you like to be on the CoreOS critical path. but still, the further we stretch away from the initial conception of what the 'critical path' was for, the more we might wanna look at separating it from this 'what gets tested and gated' concept, I guess. The thread was this one. Your path forward sounds like it should work, yeah. Any time you want to propose a change to the critpath.py script go ahead and I'll refresh my memory on exactly how the bits plug together, and review it. Just note that per the above, so long as we keep this tie to the 'critical path' concept, anything you mark 'critical path' so it'll be gated also gets the more onerous requirements to be pushed stable. In practical terms, changing that would require some changes to Bodhi, as it'd need a new concept... |
As part of Bodhi gating, we need to deal with source RPM names and not binary RPMs. E.g. Bodhi CI messages include Koji NVRs, not binary RPMs. Having to do the translation between SRPM and RPM is expensive because you need either repodata or e.g. bring up a VM and query the rpmdb. Instead, just have rpm-ostree output the SRPM name as a metadata field in the output lockfile. cosa already saves this and outputs it in the build dir so it ends up in S3 and is much easier to work with. Obviously there's some redundancy there since every binary RPM from the same source RPM will have the same field. But it doesn't seem worth extending the schema for it instead of just working with it as is. Related: coreos/fedora-coreos-tracker#1617
Progress on this!
A lot of the code there will likely look very different depending on how we want to approach this once we're ready to gate a lot more packages (see the commit message in the releng PR, though hoping to do a more detailed braindump on this with options possibly in a Change Proposal draft). |
OK cool, all those patches are in now! It'll take some time to propagate to Bodhi, but if it all works, we should see in the next Bodhi update we do (for any package in this list) that the |
This is done now! Look at e.g. https://bodhi.fedoraproject.org/updates/FEDORA-2024-27f330f546. You can see in the "Automated Tests" tab that the Let's discuss follow-up steps in a separate ticket. |
We recently added ResultsDB reporting for Bodhi tests in coreos/coreos-ci#50. The next step would be gating updates on those results.
Before we propose any wider gating to the community, we need to make sure that it works well. Let's start with gating our own packages first to get a feel for it.
Gating is done using Greenwave, which decides whether a "subject" (e.g. Bodhi update) has passed or not based on test results from ResultsDB and policies described in YAML files. The global policy for Fedora is at https://pagure.io/fedora-infra/ansible/blob/main/f/roles/openshift-apps/greenwave/templates/fedora.yaml.
The text was updated successfully, but these errors were encountered: