Monday, 2023-12-04

<opendevreview> Steve Baker proposed openstack/diskimage-builder master: Add setuptools for python3.12 support in venvs
*** ykarel|away is now known as ykarel 04:48
*** cloudnull0 is now known as cloudnull 05:57
<opendevreview> Clark Boylan proposed opendev/system-config master: Reapply "Switch Gerrit replication to a larger RSA key"
<clarkb> one of my forced failures didn't work due to the ansible inventory name not matching the host in the playbook :/ 16:29
<fungi> i'm going to pop out for lunch, back in an hour-ish 16:31
<tonyb> clarkb: It's my understanding that we want to apply the revert 902481, and use the reapply 902490 and autoholds to test the new key setup and ssh config.  Is that right? 17:39
<clarkb> tonyb: yes the revert is to match the current state where I manually moved the .ssh/config aside. Then followup changes will be more strictly tested and landing them should be safe 17:40
<tonyb> So it's okay to +2+W 902481 now 17:40
<fungi> yes, deployment to the server is still disabled anyway 17:54
<clarkb> if anyone is wondering there are a lot of little details in testing this. Currently not understanding why known_hosts isn't being written out when I manually accept the key for gitea as gerrit2 on test gerrit 18:08
<clarkb> but also you have to set application/json content type headers when posting the key to trust to gitea otherwise you get back an error message about "Title" being required and curl exits 0 18:09
<clarkb> ok known_hosts is owned by root. That explains that 18:09
<clarkb> and after all that I've reproduced the failures we saw previously but with the regex. I suspect that maybe I need a port rule in here or need to drop the port rule? I'll experiment 18:13
<fungi> sounded like maybe it needed to be a regex and a port 18:13
<clarkb> I'm beginning to wonder if this config file is used at all 18:32
<clarkb> like maybe gerrit doesn't plumb in the config from file properly 18:33
<clarkb> because I've tried probably 20 different approaches and can get none to work. Including dropping regexes and relying on explicit names and IPs and explicit usernames and explicit ports 18:33
<clarkb> I can see it consistently log that it is trying the wrong key (id_rsa or the hash matching the key in
<clarkb> so nothing I'm doing appears to even try the other key 18:34
<fungi> does swapping out the private/public keypair seem to work at least? 18:34
<clarkb> I'm about to test that next 18:34
<fungi> because really, if that doesn't work, i can only conclude that either the 4k rsa pem is formatted incorrectly, or gerrit/mina doesn't support 4k rsa keys 18:35
<fungi> also, how is the initial (working) 2k rsa key generated? 18:36
<clarkb> the 4k key works as id_rsa with the pubkey also copied over 18:39
<clarkb> I think that I've also discovered that the "all" replication target doesn't replicate change refs 18:40
<clarkb> it "consolidated" replication of patchset refs under a change into the all meta replication target then it only replicates refs/heads/master 18:40
<clarkb> fungi: fwiw in the test env there is no initial working 2k key. But also the 4k key does work it just has to be in the default location because it seems all attempts to choose a non default location don't work 18:44
<fungi> got it. disappointing but at least we have a way forward, even if it's not convenient 18:45
<clarkb> I understand what MINA is attempting to do a bit better now and see at least one bug (they only parse out the port if you wrap the host in [] first) 19:07
<clarkb> then they convert a lone * to .* and ? to . 19:07
<fungi> oh, so they try to sort of convert globs to regexes? 19:07
<clarkb> so you can't actually use regexes like you normally would 19:07
<clarkb> but you can totally use non conflicting regex chars as far as I can tell 19:08
<clarkb> but also knowing this I still haven't managed to get it to work 19:08
<clarkb> oh they then filter out invalid chars? 19:11
<clarkb> Trying with Host * doesn't seem to change anything either 19:18
<fungi> you should be able to put the key directive outside a host block too 19:19
<fungi> in which case it's assumed to apply globally, i think? 19:19
<fungi> but again, who knows if mina parses it that way 19:20
<fungi> ah, no i'm wrong 19:21
<fungi> global ssh_config starts with a Host * line too 19:21
<clarkb> I think this is where I facepalm 19:26
<clarkb> the paths are different in the container! now to retest everything! 19:26
*** jonher_ is now known as jonher 19:28
<opendevreview> Clark Boylan proposed opendev/system-config master: Reapply "Switch Gerrit replication to a larger RSA key"
<fungi> i'll admit i got too focused on making sure the path to the config made sense inside the container, and failed to consider the same for the key path included within the config 20:00
<clarkb> fungi: tonyb: frickler: corvus: I've written a 2023 annual report for opendev draft here:
<clarkb> feedback very much welcome. One thing I worry about is how much attention we should bring to the gerrit 3.9.0 situation, but I think our ability to test and report that quickly was a beneficial cross community interaction so wanted to call out we are doing stuff like that 22:50
<clarkb> fungi: also I put $PLACEHOLDER strings in for where we'll need to fill in the blanks from your generated stats info 22:51
* clarkb takes a break before writing a draft for zuul next 22:53
