2025-10-20T06:42:17 acidsys: Sadly you broke the communication on the host if I understand the error message...
2025-10-20T06:43:09 ?
2025-10-20T06:45:07 @irc_liberachat_cboltz_:opensuse.org: Maybe shut it down? Apparently nobody uses it or cares about it.
2025-10-20T06:47:48 acidsys: What part is not clear?
2025-10-20T06:48:05 what you are trying to reach
2025-10-20T06:48:47 The GitHub API as you can see in the curl call.
2025-10-20T06:50:25 I don't see anything (in case you tried to send a picture: the bridge is broken and does not paste those in IRC). anyways, that's by design - as explained in https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/2627 I assumed the host no longer needs it. can add it back
2025-10-20T06:50:52 Please do so.
2025-10-20T06:52:46 I was sending a snippet of code and that apparently is then also going via the bridge.
2025-10-20T06:53:25 aah yes that it probably uploads too (those and images it's supposed to paste a link here)
2025-10-20T06:55:24 I have no looked for a solid 5 minutes at your MR and I can't figure out the nftables syntax to know what part I need to revert. :/
2025-10-20T06:56:22 * now
2025-10-20T06:57:01 maybe !2631 makes it clearer :)
2025-10-20T07:00:03 I am looking at it. One Moment.
2025-10-20T07:02:16 I will start looking into nftables. This really is black voodoo to me.
2025-10-20T07:11:13 is applied
2025-10-20T07:12:24 Thanks. Runner still marked as offline. Investigating with tcpdump.
2025-10-20T07:17:01 I can't do that because you revoked access from inside the MicroVM to our mirrors. Since tcpdump is not part of the image I can't investigate. Shall I add this to the image or what do you wanna do?
2025-10-20T07:17:59 yesterday I already did https://build.opensuse.org/package/rdiff/openSUSE:infrastructure:fireactions/fireactions-runner-container?linkrev=base&rev=6 (sorry, no SR), so if you delete the image and restart in theory you should have repositories
2025-10-20T07:22:54 JFYI you can also attach tcpdump to the tap or bridge interface on the host and should get similar results
2025-10-20T07:32:19 ah nice the repositories in the service are shipped with http but we only allow https
2025-10-20T07:33:10 I will attempt to attach myself to the bridge.
2025-10-20T07:33:20 Just realized the same thing as you regarding http.
2025-10-20T07:36:45 So it seems that the Runner inside the MicroVM still can't talk to GitHub. I again get the HTTPS connection in one direction but never get a reply.
2025-10-20T07:37:38 Example: 07:37:03.398796 IP6 2a07:de40:b27e:4003::104.45014 > 2a07:de40:b27e:64::140a:e236.https: Flags [S], seq 1782309781, win 64800, options [mss 1440,sackOK,TS val 3967537298 ecr 0,nop,wscale 7], length 0
2025-10-20T07:43:09 ah I think I understand
2025-10-20T07:45:13 that address corresponds to 20.10.226.54
2025-10-20T07:45:19 yeah that reveals some technical debt :(
2025-10-20T07:46:58 Meaning?
2025-10-20T07:51:41 it's explained in https://progress.opensuse.org/issues/152863
2025-10-20T07:53:15 with the current setup I cannot allow one subnet unrestricted IPv4 access to the internet without also allowing it for various other hosts
2025-10-20T07:53:49 some of the destinations accidentally happened to work because they were covered by existing github acls
2025-10-20T07:54:05 I will come up with something
2025-10-20T07:55:06 Thank you very much!
2025-10-20T09:04:18 thanks for making me complete the task I procrastinated for 2 years ;-)
2025-10-20T12:23:05 acidsys: The first job has been picked up! 🥳 I report back if I discover more things that are not working. :)
2025-10-20T12:24:14 nice)
2025-10-20T12:29:39 oh one thing I forgot, the OnSuccess=reboot is currently commented out in the service unit (upstream has it for the runner one), if it works out without that is easiest, but if it turns out to be needed we probably want to make subpackages for server/runner as to have the line in the runner one
2025-10-20T12:42:17 Well that is crucial because otherwise the runner doesn't reboot the VM (meaning a new one is spawned).
2025-10-20T12:42:33 So as a workaround I have to restart the systemd service on the host every time or scale the pool manually.
2025-10-20T12:43:13 interesting I would expect it just sends shutdown on its own when it deems it necessary
2025-10-20T12:43:27 but sure we can refactor it
2025-10-20T12:47:04 Well no need if you "absuse" the oneshot systemd service concept.
2025-10-20T12:47:12 * "abuse"
2025-10-20T14:50:18 onehot services are great
2025-10-20T17:25:33 *** comrad_ is now known as comrad
2025-10-20T21:32:43 egotthold: sent SR, is not tested yet
2025-10-20T21:33:17 btw I also looked into ip= now (it's in net/ipv4/ipconfig.c) and while the parsing is relatively easy to adapt to another delimiter, everything afterwards consists of lots of IPv4-only functions (well, directory name checks out) :-( so more work/fun
2025-10-20T21:58:40 https://lists.opensuse.org/archives/list/users-fr@lists.opensuse.org/latest should be spam-free again
2025-10-20T21:59:11 did you go with the clickops approach?
2025-10-20T21:59:44 yes (while watching a movie on the other screen ;-)
2025-10-20T21:59:59 :D
2025-10-20T22:00:09 on a related note - higher request limits (at least for VPN IPs) would be helpful, haproxy gave me several speeding tickets
2025-10-20T22:01:30 sounds sensible
2025-10-20T22:01:56 and lists.o.o is challenge protected anyways