Thursday, 2021-12-09

<opendevreview> Ade Lee proposed openstack/openstack-zuul-jobs master: Enable support for fips on the jobs  https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/816855 [00:29]
<mlavalle> hi, I recently joined Red Hat and I am trying to set up my new laptop to upload changes to gerrit. Is this guide still valid: https://docs.openstack.org/contributors/common/setup-gerrit.html? [00:51]
<fungi> mlavalle: yes, that's right [00:55]
<fungi> screenshots in it may be outdated since the recent gerrit upgrade though [00:55]
<mlavalle> I think I've followed all the steps and still getting: minsel@review.opendev.org: Permission denied (publickey). [00:56]
<clarkb> mlavalle: are you on fedora? [00:56]
<mlavalle> clarkb: yes [00:56]
<clarkb> did you use an ssh rsa key? [00:56]
<mlavalle> I used ssh-keygen, like the guide says [00:57]
<mlavalle> I did exactly like the guide indicates [00:58]
<clarkb> yes that generates an rsa key. Fedora's openssh and gerrit's MINA SSHD don't work together using rsa keys due to a deprecation that hasn't been handled in the java server [00:58]
<clarkb> I've asked for the guide to be updated to use ed25519 keys but maybe I should just write that change already [00:58]
<clarkb> mlavalle: your options are to explicitly reenable the deprecated functionality in fedora's openssh or use an ecdsa or ed25519 key instead [00:59]
<clarkb> mlavalle: https://www.openssh.com/txt/release-8.8 under "potentially breaking changes" for the first thing. We recommend against this as it reduces the security stance set by your distro and software [01:00]
<mlavalle> clarkb: so to be clear, what I need to use is ed25519 keys, right? [01:02]
<clarkb> mlavalle: or ecdsa keys. Yes [01:03]
<mlavalle> and the guide should mention that, correct? [01:03]
<clarkb> or don't use fedora, or tell fedora/openssh to allow the old less secure rsa implementation. Note rsa itself isn't the problem it's the hash used with it. Which is by default sha1 and openssh and fedora didn't update the default to sha2 [01:03]
<mlavalle> let's do something, I'll fix my situation and update the guide [01:04]
<clarkb> mlavalle: yes, I've asked that the guide be updated to do ed25519 but that hasn't happened yet [01:04]
<fungi> though folks on fips-140 compliant systems may be stuck using ecdsa instead as nist has not yet approved ed25519 [01:04]
<clarkb> ya but I would err on more secure by default rather than telling people to use potentially compromised ecdsa [01:05]
<fungi> agreed [01:05]
<clarkb> if you are using fips then you should be prepared to figure this stuff out :) [01:05]
<fungi> on those massive government salaries civil servants get paid, right ;) [01:05]
<mlavalle> clarkb, fungi: ok, with this guidance I'll figure out what needs to be done in my case, and with that I'll go to the guide and fix it. does that help? [01:06]
<clarkb> mlavalle: yes that would be great. [01:06]
<fungi> yes, thanks so much! [01:06]
<clarkb> mlavalle: I wouldn't worry about trying to explain all this though. Just change the guide to use a key type (ed25519) that works more universally [01:06]
<mlavalle> clarkb, fungi: I may ask more questions on the way there [01:06]
<clarkb> mlavalle: yup feel free. I'll try to keep an eye on this for the next little bit [01:06]
<mlavalle> clarkb: I'll do it tomorrow. I'm going to work out now [01:07]
<fungi> i'll certainly be around tomorrow too [01:07]
<clarkb> mlavalle: that works too :) [01:07]
<mlavalle> and yeah, I am not going to include this conversation in the guide, just that ed25519 is needed [01:08]
<fungi> sgtm [01:09]
<clarkb> also upstream gerrit is aware of this problem and there are some fixes in flight. The SSHD updated but we are waiting on a release of that then we need to update the release of MINA in gerrit which may require jgit updates [01:11]
<clarkb> the jgit updates are why I stopped looking into pushing this upstream as that library is something I don't understand [01:11]
*** rlandy|ruck|bbl is now known as rlandy|ruck [02:19]
*** rlandy|ruck is now known as rlandy|out [02:23]
*** dviroel is now known as dviroel|out [02:53]
*** bhagyashris_ is now known as bhagyashris [03:02]
*** akekane_ is now known as abhishekk [07:32]
*** gibi_ is now known as gibi [07:52]
*** ysandeep is now known as ysandeep|lunch [08:08]
*** ysandeep|lunch is now known as ysandeep [08:38]
<opendevreview> Merged openstack/project-config master: Add NVidia vGPU plugin charm to OpenStack charms  https://review.opendev.org/c/openstack/project-config/+/819818 [09:02]
*** jpodivin_ is now known as jpodivin [09:55]
*** ysandeep is now known as ysandeep|afk [10:21]
*** redrobot6 is now known as redrobot [10:23]
*** jpena|off is now known as jpena [10:35]
*** dviroel|out is now known as dviroel [10:49]
*** ysandeep|afk is now known as ysandeep [10:56]
*** rlandy|out is now known as rlandy|ruck [11:10]
*** jcapitao is now known as jcapitao_lunch [12:39]
*** ykarel is now known as ykarel|away [13:21]
*** jcapitao_lunch is now known as jcapitao [14:08]
<opendevreview> daniel.pawlik proposed openstack/ci-log-processing master: Add required fields for pypi upload  https://review.opendev.org/c/openstack/ci-log-processing/+/821229 [14:41]
<fungi> ricolin: those devstack-platform-arm64 builds which aren't starting seem to use ubuntu-focal-arm64-xxxlarge nodes, so it's possible we're having trouble allocating them. i'm tracking down one of the node requests now [15:25]
<fungi> looks like we can only boot ubuntu-focal-arm64-xxxlarge in linaro-us, we don't have it in osuosl (our only other arm64/aarch64 provider currently) [15:38]
*** ysandeep is now known as ysandeep|out [15:45]
<ricolin> fungi, who can I contact to add that flavor in? [15:56]
<fungi> ricolin: okay, so the situation is that most of the quota in linaro-us is taken up by stuck "deleting" server instances, we don't seem to be booting any new nodes there [15:57]
<ricolin> fungi, thanks, may I ask where I can see the deleting server list? [16:00]
<fungi> unfortunately they don't appear in https://zuul.opendev.org/t/openstack/nodes (i think because zk has been wiped more recently than those nodes went into deleting state) [16:03]
<fungi> if i `openstack server show` one of the stuck deleting instances, i see it's got a vm_state of "building" with a task_state of "deleting" [16:06]
<fungi> so possibly it was stuck building, we gave up waiting and issued a server delete for it [16:07]
<opendevreview> Merged openstack/project-config master: Allow Zuul API access from keycloak server  https://review.opendev.org/c/openstack/project-config/+/820956 [16:08]
<ricolin> thanks fungi for the detail [16:23]
<fungi> ricolin: we'll need to engage the assistance of one of the linaro cloud operators (probably kevinz) to clear out those stuck instances as they're undeletable for us, but once that's done we should hopefully be able to boot new nodes there. as for adding a similar flavor to support ubuntu-focal-arm64-xxxlarge in osuosl, we'd probably need to bring it up with lance [16:43]
<ricolin> fungi, feel free to leave a message to kevinz, I will double check with him tomorrow morning (8 hours later). [16:51]
*** jpena is now known as jpena|off [16:57]
*** weechat1 is now known as amorin [17:54]
*** weechat1 is now known as amorin [18:00]
*** sshnaidm is now known as sshnaidm|afk [19:05]
*** dviroel is now known as dviroel|out [21:13]
<opendevreview> Scott Little proposed openstack/project-config master: give starlingx-release branch and tag powers in metrics-server-armada-app  https://review.opendev.org/c/openstack/project-config/+/821321 [21:25]
<opendevreview> Scott Little proposed openstack/project-config master: give starlingx-release branch and tag powers in metrics-server-armada-app  https://review.opendev.org/c/openstack/project-config/+/821321 [21:29]
*** rlandy|ruck is now known as rlandy|out [23:30]
<opendevreview> Clark Boylan proposed openstack/ptgbot master: Update ptgbot's docker image to bullseye  https://review.opendev.org/c/openstack/ptgbot/+/821338 [23:36]
