| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_cinder master: Drop removed [DEFAULT] nova_catalog_admin_info option https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/976018 | 02:17 |
|---|---|---|
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_cinder master: Drop removed [DEFAULT] nova_catalog_admin_info option https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/976018 | 02:22 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_cinder master: Replace usage of legacy and ineffective [nova] os_region_name https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/976019 | 02:22 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_cinder master: Drop removed [DEFAULT] nova_catalog_admin_info option https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/976018 | 02:24 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_cinder master: Drop removed [DEFAULT] os_region_name https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/976019 | 02:24 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_cinder master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/976020 | 02:27 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_aodh master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_aodh/+/976021 | 02:28 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_glance master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/976022 | 02:29 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_gnocchi master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_gnocchi/+/976023 | 02:29 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_heat master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/976024 | 02:30 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_nova master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/976025 | 02:31 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_ironic master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/976026 | 02:32 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_manila master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_manila/+/976027 | 02:33 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_neutron master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/976028 | 02:34 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_magnum master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/976029 | 02:35 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_masakari master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/976030 | 02:35 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_octavia master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/976031 | 02:37 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_barbican master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/976032 | 02:38 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_cloudkitty master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/976033 | 02:39 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_mistral master: Remove /v3 prefix from www_authenticate_uri https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/976034 | 02:40 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_trove master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/976035 | 02:41 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_designate master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/976036 | 02:41 |
| | *** zseguin is now known as Guest1888 | 05:07 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_keystone master: Add shibboleth repo only when it's in use https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/970454 | 10:42 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone master: Don't attempt to loop over undefined variables https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/975052 | 10:42 |
| jrosser | frickler: are you really sure about this? https://review.opendev.org/c/openstack/kolla-ansible/+/938324 | 11:55 |
| jrosser | we have a whole similar raft of patches made against OSA now and i am not sure it is correct | 11:56 |
| jrosser | this is pretty clear that it expects public endpoint though https://docs.openstack.org/keystonemiddleware/2025.2/middlewarearchitecture.html | 12:12 |
| frickler | jrosser: yes, I'm very sure, I already did the same a long time ago for openstack-chef. and the docs I cited are also pretty explicit about it https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/_opts.py#L31-L50 | 12:31 |
| jrosser | right - though it's one thing to get all the things set correctly in the service config files according to the keystone docs | 12:34 |
| jrosser | and it's quite another that the internals of those services use them as expected, particularly those with hand rolled internal clients of other services rather than using osc | 12:35 |
| jrosser | (/me stares hard at magnum) | 12:35 |
| jrosser | anyway, maybe this is all improved but as someone who runs regions where the place that the services run is not routable to the public endpoint, i am very familiar in a bad way with this stuff | 12:36 |
| opendevreview | Takashi Kajinami proposed openstack/openstack-ansible-os_octavia master: Avoid leaking internal url for authentication error https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/976031 | 12:55 |
| opendevreview | Merged openstack/openstack-ansible stable/2025.1: Ensure bash-completion also search for .yaml https://review.opendev.org/c/openstack/openstack-ansible/+/971695 | 15:34 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_ironic master: wip https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/976061 | 18:55 |
| noonedeadpunk | I really wonder how that is gonna work, in case like service and admin users are not allowed to authenticate against "public" endpoints and are simply firewalled from doing so... | 18:57 |
| noonedeadpunk | As it sounds like it shouldn't.... | 18:57 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_ironic master: wip https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/976061 | 19:04 |
| noonedeadpunk | frankly what I currently absolutely hate in keystone/authtoken, is that there's no way to limit used endpoints by roles/users... | 19:08 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_nova master: Remove deprecated heartbeat_in_pthread https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/976062 | 19:11 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_nova master: Remove deprecated heartbeat_in_pthread https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/976062 | 19:14 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_nova master: Remove deprecated heartbeat_in_pthread https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/976062 | 19:15 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_cinder master: Remove deprecated heartbeat_in_pthread https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/974657 | 19:17 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_cinder master: Remove deprecated heartbeat_in_pthread https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/974657 | 19:18 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_cinder master: Remove deprecated heartbeat_in_pthread https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/974657 | 19:18 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_neutron master: Remove deprecated heartbeat_in_pthread https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/976063 | 19:20 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_neutron master: Remove deprecated heartbeat_in_pthread https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/976063 | 19:22 |
| jrosser | noonedeadpunk: with those www auth uri patches it needs really careful understanding of why some of them (Octavia?) are totally failing - maybe a sha bump has done this and we don’t notice, or maybe it’s related to that change | 19:28 |
| jrosser | I saw cloud kitty fail totally too which could point to something in the telemetry stack also being affected | 19:28 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_glance master: Remove deprecated digest_algorithm https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/976064 | 19:29 |
| noonedeadpunk[e] | In Octavia specifically I saw some neutron ovn agent issue | 19:30 |
| jrosser | but it could totally be that we’re not specifically configuring things like the [nova] config sections everywhere to point the services at the internal endpoint whilst normal users with tokens hit the public endpoint | 19:30 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_glance master: Remove deprecated digest_algorithm https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/976064 | 19:31 |
| jrosser | it would be interesting to check what we have vs the kolla patch I linked | 19:31 |
| noonedeadpunk[e] | I am not really getting these changes tbh. | 19:31 |
| jrosser | well the documentation is kind of poor/nonexistent for this | 19:31 |
| noonedeadpunk[e] | Like why services are pointing to keystone at all... | 19:31 |
| jrosser | because what exactly you mean by “client” is very important | 19:32 |
| jrosser | oh well if you try to use neutron api and auth fails, it tells you where keystone is in the 401 to go do your auth | 19:32 |
| noonedeadpunk[e] | Yes, right, I was actually thinking that in context of dinner service client would be the service itself | 19:33 |
| noonedeadpunk[e] | And if client-client comes without token it'd be just getting unauthorized | 19:33 |
| jrosser | right, so in Octavia.conf or wherever there would be a separate [nova] section telling it to use internal url from the service catalog | 19:34 |
| johnsom | There is | 19:34 |
| jrosser | but that's for a client of nova inside the Octavia service | 19:35 |
| jrosser | however, historically magnum and others have made a wild mess of this | 19:35 |
| johnsom | Right, it's used when we call nova to spin up a vm | 19:35 |
| noonedeadpunk[e] | So this www_uri is not used by service itself to issue token. Just reply for 401? | 19:35 |
| noonedeadpunk[e] | /me gonna read some code in the morning | 19:36 |
| jrosser | yeah would be a good idea | 19:37 |
| jrosser | this is supposedly simple from reading the keystone docs | 19:37 |
| jrosser | but the implementation in the services themselves is in my experience quite variable | 19:38 |
| jrosser | and devstack doesn’t really exercise the endpoint distinctions at all, iirc | 19:38 |
| noonedeadpunk[e] | In devstack there was a different mess iirc | 19:39 |
| noonedeadpunk[e] | With these path-based endpoints | 19:39 |
| noonedeadpunk[e] | That URI in response can be different from the request | 19:40 |
| noonedeadpunk[e] | Anyway | 19:41 |
| opendevreview | Dmitriy Chubinidze proposed openstack/openstack-ansible-plugins stable/2025.2: images: limit memory usage for xz decompression https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/976065 | 20:13 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_magnum stable/2025.2: Rename CI jobs to match AIO pattern expectations https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/975433 | 20:51 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-galera_server master: wip https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/973144 | 21:01 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-galera_server master: Remove deprecated innodb-file-per-table https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/973144 | 21:01 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-galera_server master: Remove deprecated innodb-file-per-table https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/973144 | 21:02 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-galera_server master: Remove deprecated innodb-file-per-table https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/973144 | 21:03 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-galera_server master: Remove deprecated innodb-flush-method https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/976067 | 21:08 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-galera_server master: Remove deprecated innodb-flush-method https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/976067 | 21:08 |