Thursday, 2021-03-11

ianwI wonder if it's worth switching our realm to OPENDEV.ORG00:05
clarkbI think that came up when we were switching thigns and we decided it would be painful?00:05
ianwless painful with 778840 i think :)  but yes, still a lot of fiddling00:08
ianwit would be a good chance to, instead of hand-generating service keytabs, get that done via ansible.  similar to letsencrypt where we could loop through client requests and generate keytabs for distribution00:10
ianwanother one for the "todo" list if anyone wants an introductory project :)00:11
clarkbwould the transition look like running two realms on the same hardware then transition the clients over?00:11
ianwsomething like that might work, that way you could validate all the hosts have the new key material00:13
ianw"Database propagation to SUCCEEDED"00:14
clarkbdo all the afs clients need to be in the same realm at though?00:14
ianwyay, so the roles now setup both hosts, ensure everything is going and can replicate the db between primary/replica00:14
ianwyeah, i was reading about cross-realm authentication which maybe works.  i dunno.  definitely would need more investigation00:17
ianwthe new roles shouldn't change anything on the production hosts, but will handle distribution of key material and host principal generation etc.00:18
*** tosky has quit IRC00:26
*** mlavalle has quit IRC01:00
openstackgerritIan Wienand proposed opendev/system-config master: [wip] kerberos ansible
*** dmellado has quit IRC01:25
*** dmellado has joined #opendev01:52
openstackgerritMerged openstack/project-config master: Add the Gerrit reviewers plugin repository to Zuul
openstackgerritMerged openstack/project-config master: Change gerrit ACLs for glance-tempest-plugin
openstackgerritMerged openstack/project-config master: Add New Repo for StoryBoard-vue
openstackgerritMerged openstack/project-config master: Add create ref acl for osh release groups
openstackgerritIan Wienand proposed opendev/system-config master: kerberos-kdc: role to manage Kerberos KDC servers
*** SotK has quit IRC02:36
*** SotK has joined #opendev02:37
openstackgerritIan Wienand proposed opendev/system-config master: kerberos: switch servers to Ansible control
openstackgerritIan Wienand proposed opendev/system-config master: kerberos-kdc: add database backups
*** openstackgerrit has quit IRC03:25
*** openstackgerrit has joined #opendev03:27
openstackgerritIan Wienand proposed opendev/system-config master: [wip] handle zuul-summary-results as .jar / per-project config
openstackgerritMerged opendev/system-config master: refstack: Edit URL of public RefStackAPI
fungilooks like we finally caught up on the node request backlog a couple of hours ago04:19
openstackgerritIan Wienand proposed opendev/system-config master: [wip] handle zuul-summary-results as .jar / per-project config
*** marios has joined #opendev06:01
*** zbr6 has joined #opendev06:03
*** zbr has quit IRC06:06
*** zbr6 is now known as zbr06:06
openstackgerritOpenStack Proposal Bot proposed openstack/project-config master: Normalize projects.yaml
*** ralonsoh has joined #opendev06:51
*** gothicserpent has quit IRC07:00
*** sboyron has joined #opendev07:07
*** slaweq has joined #opendev07:13
*** jaicaa has quit IRC07:33
*** jaicaa has joined #opendev07:34
*** eolivare has joined #opendev07:34
*** lpetrut has joined #opendev07:41
*** marios has quit IRC07:49
*** marios has joined #opendev07:55
*** hashar has joined #opendev08:08
openstackgerritMerged openstack/project-config master: Normalize projects.yaml
*** gothicserpent has joined #opendev08:22
*** andrewbonney has joined #opendev08:24
*** jpena|off is now known as jpena08:33
*** tosky has joined #opendev08:33
*** tosky_ has joined #opendev08:52
*** tosky is now known as Guest8681408:53
*** tosky_ is now known as tosky08:53
*** Guest86814 has quit IRC08:55
*** marios has quit IRC09:25
*** toomer has joined #opendev09:33
*** toomer has quit IRC09:35
*** toomer has joined #opendev09:37
*** toomer has quit IRC09:40
*** toomer has joined #opendev09:45
*** toomer has quit IRC09:46
*** toomer has joined #opendev09:47
*** toomer has quit IRC09:49
*** toomer has joined #opendev09:49
*** toomer has quit IRC09:50
*** toomer has joined #opendev09:52
*** SWAT has quit IRC10:09
*** SWAT has joined #opendev10:12
*** dtantsur|afk is now known as dtantsur10:17
openstackgerritMerged zuul/zuul-jobs master: Bits to keep ansible-lint happy
openstackgerritMerged opendev/irc-meetings master: Add Cinder bug squad meeting
openstackgerritSorin Sbârnea proposed zuul/zuul-jobs master: Upgrade ansible-lint to 5.0
*** jpena is now known as jpena|lunch12:35
openstackgerritSorin Sbârnea proposed zuul/zuul-jobs master: Upgrade ansible-lint to 5.0
*** openstack has joined #opendev13:16
*** ChanServ sets mode: +o openstack13:16
*** jpena|lunch is now known as jpena13:30
*** SWAT has quit IRC13:36
*** klonn has joined #opendev13:44
*** klonn has quit IRC13:48
openstackgerritAurelien Lourot proposed openstack/project-config master: Add Manila-NetApp backend charm to OpenStack charms
*** weshay|ruck has joined #opendev13:57
openstackgerritAurelien Lourot proposed openstack/project-config master: Add Manila-NetApp backend charm to OpenStack charms
*** chandankumar is now known as raukadah15:02
*** spotz has joined #opendev15:10
hashartristanC: fungi: thank you for approval of the  opendev/gear changes :]15:19
fungihashar: yw, i'm looking to see what other polish it may need prior to a new release15:19
*** dirk2 is now known as dirk15:23
*** lpetrut has quit IRC15:29
hasharthere is one to bump tox min  version
hasharand another one to run tests against more python versions
hasharthat is probably the only last trivial changes ;]15:36
fungiyeah, i asked a question on the tox version bump, i'm dubious of that change15:37
fungiit talks about increasing the minimum tox version to support things we don't use it for on gear. like the unicode removal patch (which i was on the fence about) i think it was one of someone's barrage of mass changes strafing every repository based on incomplete assumptions15:38
fungithe polish i'm thinking of is things like fixing up the docs theming/publishing location, package metadata, et cetera like i did before the most recent bindep and git-review releases, and making sure we've moved the project to our new zuul tenant and moved its jobs in-repo15:39
clarkbinfra-root my plan for this morning after I've caught up on email and scrollback is to retire that single users account which had problems recently then run the external id cleanup on it after16:03
clarkbthen if that looks good I'd like to proceed with the ~70 something external id cleanups that I have proposed on review in my homedir16:03
fungii'm around to help with that. i'll also be trying to work on getting gear ready for a release, when i'm not doing meetings16:04
clarkbfungi: thanks, if you can look over the proposed list and spot check it that would probably be the most useful thing16:05
fungiwill do16:05
*** fressi has quit IRC16:28
*** fressi_ has joined #opendev16:28
*** prometheanfire has joined #opendev16:34
clarkbalright, account cleanup for that single account is done now16:35
clarkbthat user should be able to login with new valid openids that conflict in email address now. They will get a new account id but the old one was never used so not a big deal16:36
*** mlavalle has joined #opendev17:02
clarkbfungi: I think I'm ready to do the bigger external id cleanup whenever you (and anyone else that wants to spot check) are. Just let me know. /me finds breakfast in the interim17:09
fungii'm free to focus a little better after the openstack release management meeting wraps up, unless we end up doing a storyboard meeting17:12
clarkbcool, just ping me if/when I can help.17:21
clarkbLooks like that nodepool launcher id change landed yesterday so I'm going to take a look at restarting on that next17:21
clarkbthough if we are under node contention maybe I should wait for later today?17:22
clarkbnever a good time to do anything half scary during a feature freeze week17:22
clarkbnode requests are currently falling but just under 1k. I'll give nodepool some time to catch up while it can before I introduce a delay17:23
fungithe node request backlog was minimal when i looked a couple hours back17:24
fungihaven't revisited it more recently though17:25
clarkbI just checked it is ~900 right now and falling17:25
clarkbtwo hours ago it was ~15017:25
fungiso we got a bit of a bump in activity i guess17:27
openstackgerritTristan Cacqueray proposed zuul/zuul-jobs master: bindep.txt: skip python-devel for el8 platform
*** mfixtex has joined #opendev17:32
clarkbthe other thing I'm trying to give some brain time this morning is the PTG17:38
clarkbhas anyone else formed strong opinions on whether or not we should be trying to run PTG sessions?17:38
clarkbI'm beginning to think that if we do participate in the PTG that the best use of our time may be as office hours. Basically helping others and not necessarily for our own get together since I think we can do that fairly easily whenever we want17:40
*** fressi_ has quit IRC17:41
fungiit's worked reasonably well in the past sometimes17:44
openstackgerritTristan Cacqueray proposed zuul/zuul-jobs master: bindep.txt: skip python-devel for el8 platform
*** jpena is now known as jpena|off17:44
fungiother times we've sat around with nobody asking for help17:44
clarkbya exactly17:45
*** eolivare has quit IRC18:10
*** andrewbonney has quit IRC18:12
*** mlavalle has quit IRC18:23
*** mlavalle has joined #opendev18:24
clarkbdown to ~700 now. I think if it gets to ~500 I may go for it on nl02 first since it has the lowest max-servers total count18:25
*** hashar is now known as hasharDinner18:26
*** mfixtex has quit IRC18:34
fungithat's really just going to lose in-progress boot calls, release any locks the launcher may have taken on node requests, and temporarily prevent it from creating new nodes in the provider, right?18:36
fungi(for that launcher)18:36
fungiso as long as it's brief, i don't expect it to severely impact the backlog18:37
clarkbya the major impact is losing the inprogress boots they go back on the request queue18:37
*** mlavalle has quit IRC18:38
fungithough the new code will change the identifier, right? are we likely to leak nodes and need to manually delete them because the launcher no longer considers them its own?18:38
clarkbfungi: We don't think so beacuse the old code wasn't using a static identifier anyway (it just happened to eb static the way we use it)18:39
*** dtantsur is now known as dtantsur|afk18:39
fungioh, right, the identifier could change between restarts already18:39
clarkbfolks like bmw run it on openshift/k8s and should get a unique name each time they restart their launchers18:39
fungiso if it was going to leak we'd have seen leaks before now18:39
clarkbthat is a potential impact, but not considered likely18:39
clarkbgiven how others use the launchers and how the code was arleady semi random18:39
clarkbI think you've convinced me to just go for it18:42
clarkbI'll restart nl02 now18:42
fungiyeah, i see no need to wait around18:43
*** ralonsoh has quit IRC18:48
clarkblimestone and kna1 have both booted new instances after the restart. There is one deleting node and two in kna1 that were deleting prior to the restart that appear to not want to delete (and continue to not want to delete)18:49
clarkbotherwise it looks good. I'll let this run for a bit before doing the others so that we can confirm that more of the full lifecycle is exercised18:50
fungione deleting node in limestone?18:51
clarkbyup and two in kna118:52
clarkbbut they were that way before the restart based on logging timestamps18:52
clarkbI have observed nodes go from building -> ready -> in use now18:56
clarkbhaven't found any finish up the delete portion of the lifecylce though18:56
*** hamalq has joined #opendev19:01
*** hasharDinner is now known as hashar19:02
clarkbI'vefound a server that was create a few hours ago that just got deleted. Seems to generally be working19:03
clarkbI'll let it rumble along a bit longer than look at restarting the others19:03
*** fbo has quit IRC19:48
*** fbo has joined #opendev19:48
clarkb0023443410 is a node that did a full lifecycle on nl02 after the restart19:49
clarkbI can't think of anything else to check before restarting the others so will proceed with that now19:50
clarkball but nl01 are done now. Decided to spread out nl01 since it has a high max-server value19:54
funginode request backlog is down around 350 now19:55
fungiclarkb: your external_id_cleanups.txt.20210309.proposed looks good to me based on some spot checking and earlier conversations, e.g. about the tripleo-ci account19:57
clarkbfungi: ok, should I go ahead and run `python3 -u` against that list now?19:59
clarkbthe -u will apparently unbuffer the output so I can skim it as it moves along20:00
fungiyes, and i had forgotten about -u, good call20:00
clarkbalright proceeding with that momentarily20:01
clarkband done20:08
clarkblogs have been pushed to review20:09
clarkbI'm going to get a consistency check run now20:09
openstackgerritJeremy Stanley proposed opendev/gear master: Update testing to Python 3.9 and linters
clarkbsort of related to the account cleanup, its really annoying you have to remember to add a /a to your gerrit urls at times20:14
clarkbI've debugged cannot modify account errors several times in the last few weeks and its alwys I forgot the /a20:15
fungii suppose that made it easy to force auth20:15
clarkbconsistency check is over 5 minutes now, good thing I ran it against localhost20:15
fungii suppose gerrit is busy20:16
clarkbtook 6:0820:17
clarkbdown to 545 email conflicts now20:19
fungiwhere did we start?20:20
clarkbthats about right ~30 for the already inactive accounts that we did in the first pass and ~70 on this pass20:21
clarkband a few accounts have multiple collisions of which we've only handled a subset so they still show up as errors20:21
clarkband for the no external id for preferred eamil address problem we are down from 109 to 1320:22
clarkbfor those remaining 13 we can either set the preferred email address to a value in the external ids for an account, we can remove teh preferred email address entirely (is this properly valid though?), or we can retire the accounts20:22
clarkbconsidering how close to being done with those we are I should probably try and get those fixed next20:23
clarkbthe latest consistency check results including the formatted diffable version are on review in my homedir now too20:24
fungii suppose those accounts could still be usable, but not having a preferred address suggests they're probably also remnants of old cleanups/mergers20:24
clarkbfungi: yup, there are about 3 that appear to be maybe the only account for real users that I can find20:25
clarkbhowever I think those users haven't done anything with our gerrit in a few years20:25
fungii don't think gerrit would have allowed those accounts to get into that situation without manual intervention on our part editing the db contents20:26
fungiand i can't recall any case where we would have removed the preferred address from an account which was expected to still be used20:26
clarkbI need to page that content back in again and look at those 13 accounts more closely, but I suspect we can simply retire them20:28
clarkbthose accounts don't require external id cleanups so unretiring them if their users show up again is pretty straightforward20:28
fungiif none were recently used, i would go ahead and just do that, yeah20:29
clarkbif I fidn evidence of recent activity we can reach out to them directly but pretty sure when I last dug into these there was no recent use20:29
fungithis is amusing:
fungii can't reproduce it locally with my python 3.920:34
fungileads me to suspect it's not python but maybe openssl having a problem20:35
*** tobiash_ is now known as tobiash20:36
fungiwhich points to
openstackLaunchpad bug 1899878 in openssl (Ubuntu) "Python's test_ssl fails starting from Ubuntu 20.04" [Undecided,Incomplete]20:41
clarkbfungi: I modified the audit script to not skip if < 2 accounts are found by email and ran it against the 13. It reports none of the 13 have been used in the last year. One of the 13 appears to have a second account that has been actively used. The other 12 are lost completely to time I suspect. Two of the 12 also have external id conflicts so if we retire them they will show up in top of the20:42
clarkbcleanup list for external id cleanups20:42
clarkbthat makes me feel more confident that we can retire them20:43
clarkbwe can stew on that a bit though and do the cleanups tomorrow if no better ideas pop up20:43
fungiyeah, sounds pretty straightforward though20:44
fungithis ubuntu python ssl rabbit hole goes deeper than i'd hoped20:45
fungiand the only workaround i've found so far is "don't use ubuntu focal"20:48
clarkbI've restart nl01's launcher now20:53
clarkbfungi: this is the thing that guillaumec was working on I think20:54
clarkbthe problem is the options used to configure tls on startup20:54
clarkbfungi: is the related change20:54
*** slaweq has quit IRC20:56
clarkbfungi: there isn't a good way on python 3.5 to set things up in a generic way for best tls available20:56
clarkbwell more specifically on xenial's 3.520:56
clarkbnewer 3.5 did end up fixing that20:56
clarkbthere is a way to use a default ssl context which may work for xenial 3.520:57
fungii wonder if switching on python version would help there20:57
clarkbI think maybe what we want to do is if hasattr(ssl, PROTOCOL_TLS) then use that elif hasattr(ssl, PROTOCOL_TLSv12) use that elif hasattr(ssl, PROTOCOL_TLSv11) use that and so on20:58
clarkbfungi: yes python >= 3.5.3 is fine I think20:58
fungiahh, yeah maybe20:58
clarkbbut xenial is 3.5.220:58
fungii'll try the hasattr() approach. but probably not right now20:58
clarkband probably if TLSv1 doesn't exist don't fall back to sslv23 and just error20:59
ianwinfra-root: if you feel like some review time, the kerberos changes are ready, from
ianwkopecmartin: are we happy with the review rollout now?  should i delete and re-sync the db to the production server and we can switch it over?21:00
kopecmartinianw: yes please21:00
clarkbianw: I'll try to get to it between afternoon meetings21:00
ianwclarkb: thanks, no huge rush :)21:01
ianwok, i'll stop the container on refstack01, drop the existing db and then re-import it21:02
ianwkopecmartin / anyone : now updated to whatever was in the old trove db as of, about right now.  if no issues, i'll change the cname and shutdown the old server21:11
clarkbttx: ^ is there any other cooreindation you think we need for refstack?21:12
kopecmartinianw: it seems ok21:15
clarkbmaybe flip it over but keep the old server around for a few days in case we have to roll back?21:20
ianwyeah i'll only shut it down for now, not remove it21:20
*** hamalq has quit IRC21:30
*** hamalq has joined #opendev21:31
ianw#status log CNAME created to the new refstack server.  The A/AAAA records for the old server are renamed refstack-old until we decommission21:31
openstackstatusianw: finished logging21:31
corvusianw: is it the case that we make a custom grafana image only so we can run grafyaml in it?21:31
ianwcorvus: well, to say another way we install the grafyaml tooling into the base grafana image, but yes21:33
corvusyeah, was trying to ascertain if that was the main/only reason or if there was another one21:34
corvusianw: what do you think about making a grafyaml image instead?  then we can run plain upstream image without rebuild;  could bind-mount the same secrets in so we don't have to pass them on the "docker run" cmdline21:35
ianwcorvus: not really opposed to it; it seems like quite a few more steps and maintaining our container rather than just an install into the existing container, but if you feel there's benefit i don't see why it won't work21:38
corvusianw: should be same number of steps (we build exactly 1 container image).  was mostly thinking it means we auto track grafana container upgrades (which are currently coupled to our image builds).  and having a grafyaml container is useful for grafyaml users who are not us.21:41
corvusianw: i think it's in-scope for a project i'm working on, so if you're not opposed, i'll see what getting a grafyaml build looks like21:42
*** hashar has quit IRC21:51
openstackgerritJames E. Blair proposed opendev/grafyaml master: Build docker images
corvuswow first add of .zuul.yaml to that repo :)21:54
corvusi feel like that may be missing something21:56
openstackgerritJames E. Blair proposed opendev/grafyaml master: Build docker images
corvusnow with dockerfile21:57
*** gothicserpent has quit IRC22:01
ianwi got the system-config job taking screenshots, but didn't go through figuring out how to click on individual graphs in selenium yet.  it would be good as sometimes we've updated grafana and required tweaks to the output json of grafyaml22:05
ianwit is probably significantly easier than the shadow-dom mess gerrit presents22:05
openstackgerritJames E. Blair proposed opendev/grafyaml master: Build docker images
corvussomehow that change which touches no python files fails pep822:12
kopecmartinianw: when logging in i see it's trying to GET to refstack01 .. f.e. the request contains openid.return_to=  ... due to that I'm not redirected back (after I sign in)22:12
kopecmartinany chance there is still a var in a config set to refstack01 instead refstack ?22:12
ianwkopecmartin: hrrmmm ... maybe?  i mean it's whatever is in system-config22:13
openstackgerritJames E. Blair proposed opendev/grafyaml master: Build docker images
ianwinventory/service/group_vars/refstack-docker.yaml:refstack_url: 'https://{{ ansible_fqdn }}'22:16
ianwkopecmartin: i think we need to set ^ to in production, but leave it as ansible_fqdn in the gate; or setup /etc/hosts to override refstack.openstack.org22:21
ianwi am pretty sure the service should be using relative urls.  but realistically i doubt anyone is fixing things at that level22:22
clarkbya you can use an testing group file and a prod groupfile to change those values22:28
openstackgerritIan Wienand proposed opendev/system-config master: refstack: use CNAME for production server
ianwclarkb: haha great minds ^ :)22:30
kopecmartinianw: thank you22:34
* kopecmartin is gonna go to bed because he's falling asleep behind the computer22:35
*** gothicserpent has joined #opendev22:36
ianwkopecmartin: np.  i'll probably try rolling that out, and if it doesn't work, we can revert the old server and re-evaluate22:36
*** hamalq has quit IRC22:38
openstackgerritClark Boylan proposed opendev/gear master: Create SSL context using PROTOCOL_TLS, fallback to highest supported version
clarkbguillaumec: fungi: ^ I had a few minutes between things and wrote that up really quickly22:56
fungiclarkb: ooh, thanks!!!22:57
fungiif that passes, i'll queue 780103 up behind it22:57
johnsomHi opendev folks. Before I screw something up I thought I would ask here first. I would like to release x/wsme (merged a py3 deprecation warning fix). I have "release" permissions. I just create a tag and push origin the tag right?23:03
*** smcginnis has quit IRC23:04
fungijohnsom: pretty much, yep, we have the commands documented, lemme get that link for you23:04
johnsomAh, cool. I looked in the project guide, but it was release team focused. (As I have been)23:04
openstackgerritJames E. Blair proposed opendev/system-config master: Use grafyaml container image
corvusianw: should be ready to go, i tried it in my downstream env and it worked. is written, we'll see how the tests go.  but i think we can go ahead and merge 119 if you like it.23:06
openstackgerritIan Wienand proposed opendev/system-config master: refstack: use CNAME for production server
johnsomI think I found it23:07
fungijohnsom: yep, that's what i linked above23:07
fungiyou found the right docs23:08
johnsomThank you sir23:08
*** Dmitrii-Sh2 has joined #opendev23:10
fungithat also reminds me that we make use of our lovely opendev logo in the infrastructure manual, i should start adding that to our docs builds for our opendev tools repos23:10
*** fdegir has quit IRC23:10
*** fdegir has joined #opendev23:10
*** Dmitrii-Sh has quit IRC23:10
*** Dmitrii-Sh2 is now known as Dmitrii-Sh23:10
*** smcginnis has joined #opendev23:15
*** gothicserpent has quit IRC23:17
openstackgerritMerged opendev/grafyaml master: Build docker images
guillaumecclarkb, in  PS paragraph, I was saying that with PROTOCOL_TLS on focal, ".tox/py38/bin/stestr run TestSchedulerSSL" is OK but, the process hangs forever23:19
clarkbguillaumec: interesting, do we think that is a similar problem to the gear issue?23:23
*** gothicserpent has joined #opendev23:23
openstackgerritIan Wienand proposed opendev/system-config master: refstack: use CNAME for production server
clarkbguillaumec: is the problem negotiation maybe, it never completes so the test hang?23:25
*** smcginnis has quit IRC23:28
guillaumecno clue, I did not look into it that much, provided that TLSv1_2 was ok, so "tox -e py38" worked for zuul test on focal :)23:31
clarkbguillaumec: but won't py38 use PROTOCOL_TLS in your change?23:31
clarkbit checks first that PROTOCOL_TLS is available and uses it if so and it should be available on focal + python 3.823:32
clarkbthe fallback to PROTOCOL_TLSv1_2 shoudl never be used in zuul testing because python is always new enough to have PROTOCOL_TLS23:32
fungiguillaumec: is what i'm seeing trying to add 3.9 testing on focal, fwiw23:33
fungiguessing it's related to and
openstackLaunchpad bug 1899878 in openssl (Ubuntu) "Python's test_ssl fails starting from Ubuntu 20.04" [Undecided,Incomplete]23:33
fungiyour patch at least *sounds* like it's trying to address those23:34
openstackgerritJames E. Blair proposed opendev/system-config master: Use grafyaml container image
guillaumecclarkb, fungi, yes, gear is fine. and for zuul, with gear using PROTOCOL_TLS, SSL test is ok, but for somewhat reason, the process does terminate properly as the "self.poll_thread.join()" hangs.  That's what i meant by : "does not work with PROTOCOL_TLS" in and ended up setting PROTOCOL_TLSv1_2 directly in zuul/.tox/py38/lib/python3.8/site-packages/gear/ so "tox -e py38" will run23:40
guillaumecwithout issue23:40
guillaumecon ubuntu focal, obviously :)23:41
openstackgerritJames E. Blair proposed opendev/system-config master: Use grafyaml container image
fungilooks like it passes tests, so i'll rebase my change on it and see if it's happy23:42
clarkbguillaumec: I see so is unrelated?23:44
clarkbwe can also do more testing with that change now that it passes gear side tests23:44
guillaumecit's related, in this one I was explaining a little my comment from gear change23:44
openstackgerritJeremy Stanley proposed opendev/gear master: Update testing to Python 3.9 and linters
clarkbguillaumec: is it possible that focal + python 3.8 is using tls 1.3?23:48
clarkband forcing tls 1.2 fixes the problem?23:48
clarkbPROTOCOL_TLS is documented as selecting the highest possible option including 1.3 if available23:49
openstackgerritJames E. Blair proposed opendev/system-config master: Use grafyaml container image
openstackgerritJeremy Stanley proposed opendev/gear master: DNM: see if intermediate Python versions work too
clarkbguillaumec: ssl.HAS_TLSv1_3 is true on focal python 3.8 so I bet that is related23:57
clarkbbasically PROTOCOL_TLS is going to use the latest that both sides support and that should be 1.3 if both use PROTOCOL_TLS on python3.8 on focal23:57
clarkbwhen you set it to PROTOCOL_TLSv1_2 then you downgrade slightly23:57
*** mlavalle has joined #opendev23:59

Generated by 2.17.2 by Marius Gedminas - find it at!