opendevreview | Steve Baker proposed openstack/diskimage-builder master: Add setuptools for python3.12 support in venvs https://review.opendev.org/c/openstack/diskimage-builder/+/902497 | 01:02 |
---|---|---|
*** ykarel|away is now known as ykarel | 04:48 | |
*** cloudnull0 is now known as cloudnull | 05:57 | |
opendevreview | Clark Boylan proposed opendev/system-config master: Reapply "Switch Gerrit replication to a larger RSA key" https://review.opendev.org/c/opendev/system-config/+/902490 | 16:29 |
clarkb | one of my forced failures didn't work due to the ansible inventory name not matching the host in the playbook :/ | 16:29 |
fungi | i'm going to pop out for lunch, back in an hour-ish | 16:31 |
tonyb | clarkb: It's my understanding that we want to apply the revert 902481, and use the reapply 902490 and autoholds to test the new key setup and ssh config. Is that right? | 17:39 |
clarkb | tonyb: yes the revert is to match the current state where I manually moved the .ssh/config aside. Then followup changes will be more strictly tested and landing them should be safe | 17:40 |
tonyb | So it's okay to +2+W 902481 now | 17:40 |
fungi | yes, deployment to the server is still disabled anyway | 17:54 |
clarkb | if anyone is wondering there are a lot of little details in testing this. Currently not understanding why known_hosts isn't being written out when I manually accept the key for gitea as gerrit2 on test gerrit | 18:08 |
clarkb | but also you have to set application/json content type headers when posting the key to trust to gitea otherwise you get back an error message about "Title" being required and curl exits 0 | 18:09 |
clarkb | ok known_hosts is owned by root. That explains that | 18:09 |
clarkb | and after all that I've reproduced the failures we saw previously but with the regex. I suspect that maybe I need a port rule in here or need to drop the port rule? I'll experiment | 18:13 |
fungi | sounded like maybe it needed to be a regex and a port | 18:13 |
clarkb | I'm beginning to wonder if this config file is used at all | 18:32 |
clarkb | like maybe gerrit doesn't plumb in the config from file properly | 18:33 |
clarkb | because I've tried probably 20 different approaches and can get none to work. Including dropping regexes and relying on explicit names and IPs and explicit usernames and explicit ports | 18:33 |
clarkb | I can see it consistently log that it is trying the wrong key (id_rsa or the hash matching the key in id_rsa.pub) | 18:34 |
clarkb | so nothing I'm doing appears to even try the other key | 18:34 |
fungi | does swapping out the private/public keypair seem to work at least? | 18:34 |
clarkb | I'm about to test that next | 18:34 |
fungi | because really, if that doesn't work, i can only conclude that either the 4k rsa pem is formatted incorrectly, or gerrit/mina doesn't support 4k rsa keys | 18:35 |
fungi | also, how is the initial (working) 2k rsa key generated? | 18:36 |
clarkb | the 4k key works as id_rsa with the pubkey also copied over | 18:39 |
clarkb | I think that I've also discovered that the "all" replication target doesn't replicate change refs | 18:40 |
clarkb | it "consolidated" replication of patchset refs under a change into the all meta replication target then it only replicated refs/heads/master | 18:40 |
clarkb | fungi: fwiw in the test env there is no initial working 2k key. But also the 4k key does work it just has to be in the default location because it seems all attempts to choose a non default location don't work | 18:44 |
fungi | got it. disappointing but at least we have a way forward, even if it's not convenient | 18:45 |
clarkb | I understand what MINA is attempting to do a bit better now and see at least one bug (they only parse out the port if you wrap the host in [] first) | 19:07 |
clarkb | then they convert a lone * to .* and ? to . | 19:07 |
fungi | oh, so they try to sort of convert globs to regexes? | 19:07 |
clarkb | so you can't actually use regexes like you normally would | 19:07 |
clarkb | but you can totally use non conflicting regex chars as far as I can tell | 19:08 |
clarkb | but also knowing this I still haven't managed to get it to work | 19:08 |
clarkb | oh they then filter out invalid chars? | 19:11 |
clarkb | Trying with Host * doesn't seem to change anything either | 19:18 |
fungi | you should be able to put the key directive outside a host block too | 19:19 |
fungi | in which case it's assumed to apply globally, i think? | 19:19 |
fungi | but again, who knows if mina parses it that way | 19:20 |
fungi | ah, no i'm wrong | 19:21 |
fungi | global ssh_config starts with a Host * line too | 19:21 |
clarkb | I think this is where I facepalm | 19:26 |
clarkb | the paths are different in the container! now to retest everything! | 19:26 |
*** jonher_ is now known as jonher | 19:28 | |
opendevreview | Clark Boylan proposed opendev/system-config master: Reapply "Switch Gerrit replication to a larger RSA key" https://review.opendev.org/c/opendev/system-config/+/902490 | 19:34 |
fungi | gah | 19:57 |
fungi | i'll admit i got too focused on making sure the path to the config made sense inside the container, and failed to consider the same for the key path included within the config | 20:00 |
clarkb | fungi: tonyb: frickler: corvus: I've written a 2023 annual report for opendev draft here: https://etherpad.opendev.org/p/2023-opendev-annual-report | 22:49 |
clarkb | feedback very much welcome. One thing I worry about is how much attention we should bring to the gerrit 3.9.0 situation, but I think our ability to test and report that quickly was a beneficial cross community interaction so wanted to call out we are doing stuff like that | 22:50 |
clarkb | fungi: also I put $PLACEHOLDER strings in for where we'll need to fill in the blanks from your generated stats info | 22:51 |
* clarkb takes a break before writing a draft for zuul next | 22:53 |