Friday, 2026-02-06

tafkamax aha 07:17
tafkamax I am back with some news at least, my colleague who set up the previous cluster ran into this issue. https://bugs.launchpad.net/kolla-ansible/+bug/2134455 07:18
tafkamax the fix there helped him 07:18
tafkamax I want to create a patch to fix this 07:18
tafkamax I used the command specified there: `cp -r /etc/kolla/keystone/federation /etc/kolla/keystone-httpd/ && docker restart keystone_httpd` 07:23
tafkamax running deploy again, let's see 07:23
tafkamax yup seems this fix worked. I did this command on all controller hosts. 07:31
tafkamax I wonder why this issue is not present in the CI 07:34
tafkamax in the 2025.2 branch: https://opendev.org/openstack/kolla-ansible/src/commit/b45acb4879e33fa5af808f68ca99bea2df6199c6/ansible/roles/keystone/tasks/config.yml#L166 07:37
tafkamax this is where configuration files are copied 07:37
tafkamax Well it seems the federation files are configured here: https://opendev.org/openstack/kolla-ansible/src/commit/b45acb4879e33fa5af808f68ca99bea2df6199c6/ansible/roles/keystone/tasks/config-federation-oidc.yml 07:39
tafkamax https://opendev.org/openstack/kolla-ansible/src/branch/master/ansible/roles/keystone/defaults/main.yml#L266 07:43
tafkamax the config dirs are specified here 07:44
tafkamax Aha, keystone uses uwsgi and keystone_httpd uses apache2! 07:44
tafkamax Does the federation config need to be configured even under /etc/kolla/keystone/federation ? 07:48
tafkamax Or can I change the path myself? 07:48
tafkamax Let's see, I will do destroy and deploy again. 07:53
tafkamax Changed this in globals: keystone_host_federation_base_folder: "{{ node_config_directory }}/keystone-httpd/federation" 07:53
bbezak Right, it was omitted when uwsgi was implemented 08:20
bbezak So now you know what to fix! 08:20
bbezak :) 08:20
tafkamax What was omitted? keystone-httpd service? 08:21
tafkamax I have both keystone and keystone-httpd running. I don't know exactly why the httpd is needed, maybe for oidc? 08:22
bbezak Yes it does 08:41
tafkamax Seems like the fix above did not work. ERROR MissingRequiredSource: /var/lib/kolla/config_files/federation/oidc/metadata file is not found" 11:54 09:58
tafkamax I think I will need to try to create a fix somehow and maybe try to create a patch. 09:59
tafkamax Currently the only place where the `keystone-httpd` folder is created is in this one template command. 09:59
tafkamax https://opendev.org/openstack/kolla-ansible/src/commit/5b5b1d668ad7f5e28fa5d783463538cf152388da/ansible/roles/keystone/tasks/config.yml#L168 09:59
bbezak Let me see 10:15
bbezak Ok, so federation CI is not failing because we got keystone_identity_providers empty in CI 10:19
bbezak :) 10:19
*** jhorstmann is now known as Guest1680 10:25
tafkamax Aha 10:30
tafkamax Can it even be tested somehow? It requires some kind of IDP to be configured? 10:35
tafkamax or it can be "blackhole" ? 10:35
* tafkamax sent a code block: https://matrix.org/oftc/media/v1/media/download/AZDEa7S0yVupSZM6aCRiI57it_6vb5ou4dzfk6DnsyFclIDnab9d0YCJUgfl6m3TdBVHRwR1jRI9UvJxCvKSTbpCeceqAUBQAG1hdHJpeC5vcmcvRXhTUkx1Vnl3R2VPaU5KTUFVbExUZ092 10:37
tafkamax * ```... (full message at <https://matrix.org/oftc/media/v1/media/download/AbFRdHSwdG-qJgm5MKltdYJAb1r-fgt6ig2jXIPJan9Qleng3TKBRIUbxAwz8B5ss1h45BAOLkcLGGvU1z6qqqVCeceqBfxQAG1hdHJpeC5vcmcvcUxBTEFWWkFLQkV5WXVlamN0YnFXcFdH>) 10:37
tafkamax If I wish to work on a bug then this is a good branch name, correct? git checkout -b bug/2134455 10:56
bbezak IIRC then Gerrit will create this change with topic based on your branch name 11:00
bbezak You can work directly on master branch, gerrit will handle that 11:00
tafkamax aha okay 11:01
tafkamax I don't think I have any more time today. I am still trying to understand if the main keystone container even needs the "federation" folder or it can all live inside the keystone-httpd folder. 11:02
tafkamax One solution would be to just add duplicate config options for everything keystone-httpd and federation related. 11:02
bbezak Seems to me that keystone_httpd_default_volumes needs to mount the same volume 11:11
bbezak As RO 11:11
tafkamax aha interesting variable 11:13
tafkamax I will try patch 11:15
tafkamax I will try it on my cluster first... I have a deploy running with another potential fix that will probably fail so it will take some time... 11:19
tafkamax What do you think about creating some blackhole/devnull type of config for the keystone_identity_providers though in CI to test this use case? Or does it need to be a service that actually responds to requests? 11:19
tafkamax Then it might need to be more complicated to set up a simple IDP that responds :/ 11:20
bbezak Depends what we want to test. If we just want to extend the CI just to test templating, then I think we can just add some dummy templates 11:29
bbezak potentially 11:29
bbezak I didn't check it deeply 11:29
bbezak But to fix initial issue, maybe sth like: 11:32
bbezak - "{{ keystone_host_federation_base_folder ~ ':' ~ container_config_directory ~ '/federation:ro' if keystone_enable_federation_openid | bool else '' }}" 11:32
bbezak In keystone_httpd_default_volumes 11:32
bbezak But it would be nice to first extend CI indeed 11:33
bbezak Not to break it again :) 11:33
tafkamax Would it need to be under zuul.d or tests ? 11:39
tafkamax I see there is zuul.d/keystone-federation.yaml 11:40
bbezak maybe tests/templates/keystone-federation 11:42
tafkamax i found tests/templates/globals-default.j2 that has this block:... (full message at <https://matrix.org/oftc/media/v1/media/download/AbVHe3FU3h9uGWlMfUTGG5DKaLfSQAetFOQERmJgKpcG4ZQumd3T5JDNIxrLdT5NvtoG012rRpU_DdBZyoPhUjpCecetyHJAAG1hdHJpeC5vcmcvQUlPU2ZiRUxYT2xTT2RmQ21iWHd4dFhn>) 11:43
tafkamax All federation is not OIDC though. But adding it under that? 11:43
bbezak yeah, keystone_identity_providers in tests/templates/globals-default.j2 11:46
bbezak (It should go there) 11:46
tafkamax thx 11:46
*** amin is now known as AminAlimoradi 11:58
AminAlimoradi Hi all, just following up on issue #975351. Please let me know if I can assist with any further information. review.opendev.org/c/openstack/kolla-ansible/+/975351 11:58
tafkamax Hmm I can't seem to use git review, it asks for password instead of ssh key. 11:59
AminAlimoradi Hi all, just following up on issue #975351. Please let me know if I can assist with any further information. review.opendev.org/c/openstack/kolla-ansible/+/975351 11:59
bbezak tafkamax: did you follow https://docs.openstack.org/doc-contrib-guide/quickstart/first-timers.html ? 12:01
tafkamax I followed this one: https://docs.opendev.org/opendev/infra-manual/latest/developers.html 12:02
tafkamax I just found the one you linked and there is an example ssh remote 12:02
bbezak AminAlimoradi: thx. I added review priority to that patch 12:02
bbezak I think I just need that in my .gitconfig: 12:03
bbezak cat .gitconfig 12:03
bbezak [gitreview] 12:03
bbezak username = b.bezak 12:03
bbezak (The same username as in gerrit options) 12:04
bbezak And the same ssh key existing in ssh-agent 12:04
bbezak And that was it 12:04
tafkamax i almost got it 12:06
tafkamax I need to use my personal email 12:06
tafkamax port seemed to be ok now 12:06
AminAlimoradi @bbezak: Thanks for your attention. 12:06
opendevreview Taavi Ansper proposed openstack/kolla-ansible master: Add CI coverage for keystone_identity_providers under federation scenario.  https://review.opendev.org/c/openstack/kolla-ansible/+/975901 12:08
tafkamax Ok thanks for help. 12:09
tafkamax Let's see what CI does. I am thinking that I have defined custom mappings as well, which require extra variables. I can try to add them as well, but should they be as a variable or a separate file? 12:10
* tafkamax sent a code block: https://matrix.org/oftc/media/v1/media/download/AWueq6oGoHgvuCtAAV1BJ5NL9H9rb70gn5w-84kPEemPWIGvMv7XWRk_xDu4sEEbFYNZyLqn2zHDiEDCh3CPru1CecevXOCQAG1hdHJpeC5vcmcvcWRtYUtHbmFhVndSdU9QTmpBa1dvWElm 12:10
tafkamax Should I add somebody who I wish to add as reviewer myself or will people pick it up? https://review.opendev.org/c/openstack/kolla-ansible/+/975901 12:18
bbezak I can take a look 12:18
bbezak thx 12:18
tafkamax At first impressions the git review is pretty cool as a mechanism 12:22
tafkamax never used it before 12:22
bbezak Yes, I love it too :) 12:24
bbezak You can check the jobs running for your change here - https://zuul.opendev.org/t/openstack/status?change=975901 12:24
bbezak Even before they will finish 12:25
tafkamax ok thxx 12:25
blanson[m] wait I didn't know you could see job results live 12:58
blanson[m] I always waited a freaking hour or two to get the callback in gerrit 12:58
bbezak :D 12:58
blanson[m] that's very cool 12:59
bbezak Now you know 12:59
blanson[m] thanks ! :D 12:59
bbezak Np ;) 13:07
opendevreview Pierre Riteau proposed openstack/kolla-ansible master: Add support for changing Grafana admin username  https://review.opendev.org/c/openstack/kolla-ansible/+/974993 14:21
opendevreview John Garbutt proposed openstack/kolla-ansible master: Stop setting ha_vrrp_health_check_interval by default  https://review.opendev.org/c/openstack/kolla-ansible/+/975915 15:14
opendevreview Pierre Riteau proposed openstack/kolla-ansible master: Add support for changing Grafana admin username  https://review.opendev.org/c/openstack/kolla-ansible/+/974993 15:16
opendevreview John Garbutt proposed openstack/kolla-ansible master: Stop setting ha_vrrp_health_check_interval by default  https://review.opendev.org/c/openstack/kolla-ansible/+/975915 15:42
tafkamax Seems i need to add metadata folder 17:03
* tafkamax sent a code block: https://matrix.org/oftc/media/v1/media/download/AYUJKB75Y6om7jvJUzSmKEdiixeCMXZnLZAEOcjLsH10am3Cn3PAi0LMgLYIsaHw6kFx11jtdqtzR0kdpXo8os1CecfAHafgAG1hdHJpeC5vcmcvd3lkSlhQUEVjZnhvaVV3Yk9zc2tmRXNO 17:03
tafkamax sorry for long paste 17:03
tafkamax https://zuul.opendev.org/t/openstack/build/a18d5b560f144c67a0396a1ef1510c53/log/primary/logs/ansible/deploy 17:03
opendevreview Pablo Colson proposed openstack/kolla-ansible master: valkey: Fix undefined 'redis' group error during upgrade  https://review.opendev.org/c/openstack/kolla-ansible/+/975932 17:07
-opendevstatus- NOTICE: Gerrit on review.opendev.org will experience a short outage while we upgrade it to 3.11.8 17:50
opendevreview Bartosz Bezak proposed openstack/kolla master: [release] Use UCA Gazpacho  https://review.opendev.org/c/openstack/kolla/+/975940 18:21
opendevreview Piotr Milewski proposed openstack/kolla-ansible stable/2025.2: valkey: fix upgrade failure when redis inventory group is absent  https://review.opendev.org/c/openstack/kolla-ansible/+/975941 18:27
opendevreview Piotr Milewski proposed openstack/kolla-ansible master: valkey: fix upgrade failure when redis inventory group is absent  https://review.opendev.org/c/openstack/kolla-ansible/+/975945 18:47
fungi i like how https://devguide.python.org/developer-workflow/psrt/ relies on cut-and-paste response templates like we do 20:05
fungi i notice they have sections on how to join their equivalent of a vmt, and enumerate the responsibilities 20:06
fungi someone added a security advisory task to a 3yo public cinder bug earlier today: https://bugs.launchpad.net/cinder/+bug/2020113 20:49
fungi anyone know what that's about? 20:49
fungi i just realized my buffer numbers shifted and this is not the #openstack-security channel. sorry everybody! 20:50
opendevreview Pierre Riteau proposed openstack/kayobe master: Remove compatibility with Ansible 11  https://review.opendev.org/c/openstack/kayobe/+/975963 21:14
opendevreview Pierre Riteau proposed openstack/kayobe master: Remove compatibility with Ansible 11  https://review.opendev.org/c/openstack/kayobe/+/975963 21:14
pabloclsn is Piotr Milewski here ? 22:38
pabloclsn what should we do about those two : https://review.opendev.org/c/openstack/kolla-ansible/+/975932 https://review.opendev.org/c/openstack/kolla-ansible/+/975945 what's the best way, they were created 20 min apart 22:40
*** gmaan is now known as gmaan_afk 22:46
