| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/yoga: Disable upgrade jobs after switching Xena to EM https://review.opendev.org/c/openstack/openstack-ansible/+/884928 | 10:45 |
|---|---|---|
| noonedeadpunk | This has finally passed and is ready for review https://review.opendev.org/c/openstack/openstack-ansible/+/884924 | 10:48 |
| NeilHanlon | 👍 | 12:34 |
| NeilHanlon | mornin' | 12:34 |
| noonedeadpunk | o/ | 12:37 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_octavia master: Remove obsoleted provider drivers https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/885519 | 16:02 |
| jrosser | `nova.exception.ImageNotAuthorized: Not authorized for image 8b68d0fd-6adb-4255-9d1e-67f8b892721a` | 16:23 |
| jrosser | this is especially hard to debug :( | 16:23 |
| jrosser | glance logs seem really unhelpful even with debug | 16:24 |
| mgariepy | hmm fun | 16:25 |
| jrosser | someone asked to make an application credential that's only allowed to create/delete instances | 16:26 |
| jrosser | omg turns out that's really hard | 16:26 |
| mgariepy | do you really have a solution for that ? | 16:26 |
| mgariepy | it does imply a lot of 3rd party api calls.. hahaha | 16:26 |
| jrosser | well i am 90% of the way there | 16:26 |
| jrosser | except for ^ that error :) | 16:27 |
| mgariepy | if i read that right the app cred will have more rights than *just* create/delete instances ? | 16:27 |
| jrosser | this so far https://paste.opendev.org/show/bKBnfsgXHy1cYHBjL3Aw/ | 16:28 |
| mgariepy | nice. | 16:29 |
| mgariepy | method patch for glance? | 16:32 |
| mgariepy | https://bugzilla.redhat.com/show_bug.cgi?id=1382737 (PATCH stuff in this issue) | 16:33 |
| jrosser | hmm seems haproxy log looks like a good place to see all these 401, as it also shows the path and http method | 16:34 |
| jrosser | oh cool i made it work | 16:43 |
| jrosser | haproxy log is totally the only way to be able to construct the rules | 16:43 |
| jrosser | i have no idea whatsoever how end users are supposed to be able to use this | 16:44 |
| NeilHanlon | you hire an openstack engineer of course! | 16:44 |
| mgariepy | also fork the code a bit to add your magic sauce to it ;p | 16:47 |
| mgariepy | jrosser, what was missing ? | 16:50 |
| jrosser | GET of glance /v2/schemas/image | 16:51 |
| jrosser | i'm just sorting server delete out and i'll paste the whole rules | 16:51 |
| jrosser | nova-compute seems to do that GET against glance | 16:51 |
| mgariepy | ha ok | 16:52 |
| jrosser | that's the slightly absurd thing here that you have to allow all the internal API calls in the app cred too | 16:53 |
| jrosser | even though you never see them at the cli yourself | 16:53 |
| mgariepy | yeah.. just like there is no delete --cascade to purge all the things .. | 16:54 |
| NeilHanlon | do we already have some collection of rbac roles, like what you're setting up, jrosser? | 16:55 |
| jrosser | no, i've tried to do this before and failed | 16:55 |
| jrosser | this is the first time i've been persistent enough to understand / make it work | 16:55 |
| jrosser | definitely worth documenting i think | 16:55 |
| jrosser | the use case here is that someone is setting up a thing to use github ephemeral runners against our openstack | 16:56 |
| * NeilHanlon | is interested in this use case :D | 16:56 |
| jrosser | so we want a limited token that it can use to just launch / destroy instances | 16:56 |
| jrosser | we've forked the philips labs stuff | 16:56 |
| jrosser | i *think* it's this https://github.com/philips-labs/terraform-aws-github-runner | 16:57 |
| jrosser | i've not been involved in that part, but as i understand it there is some github actions <> AWS lambdas stuff, which we've extended to drive openstack instead of AWS | 16:57 |
| jrosser | mgariepy: NeilHanlon this is what i have to create/delete now https://paste.opendev.org/show/bSDoK24YP70FNdUZfCUG/ | 17:10 |
| jrosser | not sure the volumes stuff is actually needed - i added to what someone else made till it worked | 17:10 |
| mgariepy | i guess it depends if it booted from a volume or not. | 17:11 |
| jrosser | anyway, pretty pleased with that as it's something i've wanted to understand better for a while now | 17:12 |
| jrosser | just regular app cred is far too powerful imho | 17:12 |
| jrosser | NeilHanlon: did you have an example cli to show building rocky9 + 64k page kernel? | 18:55 |
| jrosser | `DIB_RELEASE=9 DIB_ROCKY_KERNEL_64k=1 DIB_CLOUD_INIT_DATASOURCES=Ec2 DIB_CLOUD_INIT_GROWPART_DEVICES='["/"]' disk-image-create -a arm64 rocky-container vm block-device-efi cloud-init openssh-server cloud-init-datasources cloud-init-growpart -o baremetal-rocky-9-efi-amd64.qcow2` | 18:56 |
| jrosser | ^ that doesn't get us a kernel on the grub menu | 18:56 |
| NeilHanlon | I think I had trouble passing 'arm64' when building and had to use 'aarch64' -- I didn't dig down enough to understand what was going wrong, though | 19:21 |
| NeilHanlon | `DIB_BOOT_LABEL=rocky DIB_RELEASE=9 DIB_ROCKY_KERNEL_64k=1 disk-image-create -a aarch64 -o rocky-arm64-64k.qcow2 vm rocky-container` is what I'd been doing | 19:21 |
| jrosser | hah i think i have a spurious amd64 in the image name there | 19:22 |
| NeilHanlon | it wasn't clear to me if/when/how arm64 is translated to/from aarch64, and what I should use in the package-installs.yaml here https://review.opendev.org/c/openstack/diskimage-builder/+/884452/3/diskimage_builder/elements/rocky-container/package-installs.yaml#11 | 19:27 |
| NeilHanlon | I think because you're passing `-a arm64`, it doesn't match these package install specifications unless it is `-a aarch64` | 19:28 |
| NeilHanlon | therefore, neither kernel nor kernel-64k are installed | 19:28 |
| jrosser | ahha ok that makes sense | 19:29 |
| opendevreview | Merged openstack/openstack-ansible master: Start 2023.2 (Bobcat) development https://review.opendev.org/c/openstack/openstack-ansible/+/884924 | 20:36 |