| ozzzo_work | I'm running kolla-ansible Train. If I go into my designate-central container and run "oslopolicy-sample-generator --namespace designate" I get a sample config output that shows the default policies | 12:39 |
|---|---|---|
| ozzzo_work | So I created a file in under kolla-ansible in etc/kolla/config/designate/policy.yaml that looks like this: https://paste.openstack.org/show/bnfAsJqapRgajT93pexx/ | 12:40 |
| ozzzo_work | After deploying, my designate containers restart, and I see those contents in the designate-central container, in /etc/designate/policy.yaml | 12:41 |
| ozzzo_work | but when I run the sample generator, it still outputs the default config. What am I missing? | 12:42 |
| ozzzo_work | I also tried naming it policy.json but that didn't make a difference | 12:42 |
| johnsom | ozzo_work Can you check that you told oslo.policy about the file? https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.policy_file | 14:14 |
| ozzzo_work | I can't find Train in github so I'm looking at Wallaby. It looks like it's set here: https://github.com/openstack/kolla-ansible/blob/stable/wallaby/ansible/roles/designate/tasks/config.yml#L15 | 16:06 |
| ozzzo_work | We have node_custom_config: "./etc/kolla/config" so I think it should be seeing etc/kolla/config/designate/policy.yaml | 16:07 |
| johnsom | You can check that the line is in the designate.conf | 16:10 |
| ozzzo_work | yes, under [oslo_policy] I have "policy_file = policy.yaml" | 16:12 |
| eandersson | You can use the tag to get the train version https://github.com/openstack/kolla-ansible/blob/train-eol/ansible/roles/designate/tasks/config.yml | 16:14 |
| ozzzo_work | If I introduce errors into policy.yaml, for example by removing a comma,, then I get errors in designate-central.log: https://paste.openstack.org/show/bFJ2BSSF3hhdcUjMPQ53/ | 16:17 |
| ozzzo_work | but if there are no errors in policy.yaml then it seems to be ignored | 16:18 |
| johnsom | Ok, if you are getting that error, it's picking up the file | 16:23 |
| ozzzo_work | Is "designate" the right namespace to check with the sample generator? | 16:24 |
| johnsom | Yeah, so remember "sample generation" just dumps the defaults. You want to use oslopolicy-policy-generator to get the "merged" results | 16:25 |
| johnsom | Here are the docs I wrote up for Octavia: https://docs.openstack.org/octavia/latest/configuration/policy.html#merged-file-generation | 16:26 |
| ozzzo_work | aha that must be it; trying that | 16:28 |
| ozzzo_work | I tried "oslopolicy-policy-generator --namespace designate" but I get: KeyError: 'Namespace "designate" not found.' | 16:32 |
| ozzzo_work | do I need to give it a --config-file? | 16:33 |
| johnsom | Yeah, I think the config file is mandatory | 16:33 |
| johnsom | Here is an example: https://github.com/openstack/octavia/blob/master/etc/policy/octavia-policy-generator.conf | 16:33 |
| ozzzo_work | I tried this: https://paste.openstack.org/show/bNv8nRSYtPO8DRfxXrvR/ but I still get: KeyError: 'Namespace "designate" not found.' | 16:39 |
| ozzzo_work | Is the designate-central container the right place to run it? | 16:39 |
| johnsom | It should be fine | 16:40 |
| ozzzo_work | it finds the "designate" namespace when i run the sample generator but not when I run policy generator | 16:40 |
| johnsom | Hmm, it should be able to find it: https://github.com/openstack/designate/blob/master/setup.cfg#L43 | 16:42 |
| ozzzo_work | I tried a couple of other designate containers and I get the same result; I can find the "designate" namespace with oslopolicy-sample-generator but not with oslopolicy-policy-generator | 16:50 |
| ozzzo_work | Does the policy generator work differently in Train? | 16:51 |
| johnsom | Maybe? It's been years since I have really messed with the oslo policy generation tools. | 16:54 |
| ozzzo_work | Where would be a good place to ask more questions about oslo.policy? | 16:57 |
| johnsom | In #openstack-oslo. I can try this out and debug a bit later today though | 16:57 |
| ozzzo_work | ok ty! I'll try over there for now | 17:01 |
| johnsom | ozzzo_work Hmmm, so I loaded up devstack with designate installed. The oslopolicy-policy-generator runs just fine (tons of warnings about deprecated policies due to the SRBAC changes). | 19:17 |
| johnsom | You are back on train, I'm going to see if I can load that up and try it. Maybe I fixed something in the SRBAC work | 19:17 |
| johnsom | Yeah, ok, so I get the same result on Train | 19:22 |
| johnsom | ozzzo_work https://review.opendev.org/c/openstack/designate/+/872345 | 19:31 |
| johnsom | So that was added to Designate in Antelope | 19:33 |
| johnsom | https://bugs.launchpad.net/designate/+bug/2004421 | 19:34 |
| ozzzo_work | ok ty, I'll try cherry-picking this into our lab | 19:45 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!