| opendevreview | Taavi Ansper proposed openstack/kolla-ansible master: Fix keystone with IDP configured. https://review.opendev.org/c/openstack/kolla-ansible/+/975901 | 07:54 |
|---|---|---|
| AminAlimoradi | Hi @bbezak, just wanted to gently ping you to review this patch #975351 when you have a moment. https://review.opendev.org/c/openstack/kolla-ansible/+/975351 | 09:21 |
| opendevreview | Michal Nasiadka proposed openstack/kolla master: openvswitch: Adapt extend_start.sh to run non-root https://review.opendev.org/c/openstack/kolla/+/975013 | 09:29 |
| opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: openvswitch: Switch to running as unprivileged https://review.opendev.org/c/openstack/kolla-ansible/+/975014 | 09:30 |
| mnasiadka | AminAlimoradi: replied in Gerrit | 09:38 |
| AminAlimoradi | @mnasiadka: thanks, I'll provide more details. | 09:49 |
| opendevreview | Taavi Ansper proposed openstack/kolla-ansible master: Fix keystone with IDP configured. https://review.opendev.org/c/openstack/kolla-ansible/+/975901 | 09:55 |
| *** | jhorstmann is now known as Guest2965 | 10:15 |
| opendevreview | Merged openstack/kolla-ansible master: ci: improve verbosity of idempotence check https://review.opendev.org/c/openstack/kolla-ansible/+/976970 | 10:19 |
| opendevreview | Merged openstack/kolla master: tox: Drop basepython https://review.opendev.org/c/openstack/kolla/+/974611 | 10:19 |
| tafkamax | Hmm, maybe I need to run a test cluster myself on master branch myself... to see what is happening with my proposed idp ci changes | 10:33 |
| opendevreview | Michal Nasiadka proposed openstack/kolla master: openvswitch: Adapt extend_start.sh to run non-root https://review.opendev.org/c/openstack/kolla/+/975013 | 10:34 |
| opendevreview | Piotr Milewski proposed openstack/kolla-ansible master: kolla_container: Add support for user and security_opt parameters https://review.opendev.org/c/openstack/kolla-ansible/+/975065 | 10:34 |
| opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: openvswitch: Switch to running as unprivileged https://review.opendev.org/c/openstack/kolla-ansible/+/975014 | 10:34 |
| opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: harden: update HAProxy TLS settings for OpenSSL 3.x https://review.opendev.org/c/openstack/kolla-ansible/+/958888 | 10:37 |
| tafkamax | I might need to setup an actual simple deployment of an IDP provider, but I am not sure yet. | 10:38 |
| tafkamax | Adding a test CI config to set up and configure a keycloak might be needed in the worst case :/ | 10:38 |
| opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: harden: update HAProxy TLS settings for OpenSSL 3.x https://review.opendev.org/c/openstack/kolla-ansible/+/958888 | 10:39 |
| tafkamax | which will make the CI better, but also more worky | 10:39 |
| opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: harden: update HAProxy TLS settings for OpenSSL 3.x https://review.opendev.org/c/openstack/kolla-ansible/+/958888 | 10:39 |
| tafkamax | aha huh I think I found error | 10:45 |
| tafkamax | Feb 17 10:14:56 primary docker[47801]: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/etc/kolla/keystone/federation" to rootfs at "/var/lib/kolla/config_files/federation": create mountpoint for /var/lib/kolla/config_files/federation mount: make mountpoint | 10:45 |
| tafkamax | "/var/lib/kolla/config_files/federation": mkdirat /var/lib/docker/overlay2/b62d25e91a8654444f746580b63c8b7fdf78a15cc7f962bc7b2f8ca18e86ff22/merged/var/lib/kolla/config_files/federation: read-only file system | 10:45 |
| tafkamax | interesting trying to write stuff | 10:45 |
| tafkamax | primary/logs/system_logs/syslog.txt helped me | 10:45 |
| opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: harden: update HAProxy TLS settings for OpenSSL 3.x https://review.opendev.org/c/openstack/kolla-ansible/+/958888 | 10:53 |
| opendevreview | Taavi Ansper proposed openstack/kolla-ansible master: Fix keystone with IDP configured. https://review.opendev.org/c/openstack/kolla-ansible/+/975901 | 10:53 |
| opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: harden: update HAProxy TLS settings for OpenSSL 3.x https://review.opendev.org/c/openstack/kolla-ansible/+/958888 | 10:53 |
| tafkamax | Hmm. Could it be that first /var/lib/kolla/config_files is mounted as read-only and I am trying to mount another volume on a subdirectory there /var/lib/kolla/config_files/federation and this fails, because the parent directory is read-only? | 10:55 |
| opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: harden: update HAProxy TLS settings for OpenSSL 3.x https://review.opendev.org/c/openstack/kolla-ansible/+/958888 | 10:55 |
| opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: harden: update HAProxy TLS settings for OpenSSL 3.x https://review.opendev.org/c/openstack/kolla-ansible/+/958888 | 10:57 |
| tafkamax | I think this describes the issue: https://forums.docker.com/t/fail-to-setup-read-only-bind-mount-and-anonymous-volume/139766 but I'm not 100% sure | 10:58 |
| tafkamax | It could be that I need to create directory manually beforehand? | 10:58 |
| tafkamax | s/manually// | 10:59 |
| Vii | Podman 5.8.0: Fixed a bug where healthchecks would sometimes fail to execute due to systemd rate limits. | 11:47 |
| Vii | I hope that the problems with rabbitmq and mariadb will disappear | 11:47 |
| opendevreview | Taavi Ansper proposed openstack/kolla-ansible master: Fix keystone with IDP configured. https://review.opendev.org/c/openstack/kolla-ansible/+/975901 | 12:05 |
| tafkamax | Heh cool to look at logs and find out the CI uses xen virtualization underneath | 12:05 |
| tafkamax | We just moved away from it because of more bugs than kvm | 12:06 |
| tafkamax | as it uses a different kernel | 12:06 |
| opendevreview | Taavi Ansper proposed openstack/kolla-ansible master: Fix keystone with IDP configured. https://review.opendev.org/c/openstack/kolla-ansible/+/975901 | 12:31 |
| tafkamax | Ok, finally federation CI is not failing :-) | 13:12 |
| tafkamax | at least rocky finished first and is green | 13:12 |
| opendevreview | Piotr Milewski proposed openstack/kolla-ansible master: harden: update HAProxy TLS settings for OpenSSL 3.x https://review.opendev.org/c/openstack/kolla-ansible/+/958888 | 13:12 |
| tafkamax | mnasiadka: what do you mean by the horizon testinfra tests? | 13:12 |
| mnasiadka | tafkamax: https://opendev.org/openstack/kolla-ansible/src/branch/master/tests/testinfra/test_horizon.py | 13:14 |
| mnasiadka | From what I see test_horizon_login should fail if you enable multidomain | 13:14 |
| tafkamax | oke thx will look into it | 13:14 |
| mnasiadka | The fact deployment succeeds doesn’t mean it works | 13:14 |
| tafkamax | yesh, it is good point, I was trying to fix templating :D | 13:15 |
| tafkamax | I can try to add in the future an actual working keycloak setup :D | 13:15 |
| tafkamax | So the topic is to add horizon tests, that will check against the federation login and should fail, because it points to an example config where the actual endpoints are not defined. | 13:16 |
| opendevreview | Piotr Milewski proposed openstack/kolla-ansible master: loadbalancer: drop privileged mode for haproxy and add capabilities https://review.opendev.org/c/openstack/kolla-ansible/+/975551 | 13:24 |
| tafkamax | Hmm I think I have code how to select federation login in selenium | 13:28 |
| tafkamax | now I need "wrong" data | 13:28 |
| tafkamax | For example what is displayed in html when I click on the secondary auth provider and it doesn't work. This requires me to set up a non-working setup I guess locally. | 13:29 |
| mnasiadka | tafkamax: keycloak might use a bit too much memory, if there are some other very minimal oidc providers then it would probably be better to use them | 13:35 |
| opendevreview | Verification of a change to openstack/kolla master failed: Drop Telegraf https://review.opendev.org/c/openstack/kolla/+/974319 | 13:36 |
| opendevreview | Piotr Milewski proposed openstack/kolla-ansible master: loadbalancer: drop privileged mode for haproxy and add capabilities https://review.opendev.org/c/openstack/kolla-ansible/+/975551 | 13:38 |
| tafkamax | mnasiadka: ok, that is a valid point, I have exp with KC and it is the de facto standard | 13:54 |
| tafkamax | For dev purposes 512MB seems to be the minimum :/ | 13:55 |
| tafkamax | which is not too bad I suppose | 13:55 |
| tafkamax | hmm, how would one install kolla-ansible from a review branch? let me see | 14:16 |
| mnasiadka | git review -d change_number is your friend | 14:16 |
| opendevreview | Piotr Milewski proposed openstack/kolla-ansible master: loadbalancer: drop privileged mode for haproxy and add capabilities https://review.opendev.org/c/openstack/kolla-ansible/+/975551 | 16:05 |
| opendevreview | Piotr Milewski proposed openstack/kolla-ansible master: harden: update HAProxy TLS settings for OpenSSL 3.x https://review.opendev.org/c/openstack/kolla-ansible/+/958888 | 16:21 |
| opendevreview | Piotr Milewski proposed openstack/kolla-ansible master: loadbalancer: drop privileged mode for haproxy and add capabilities https://review.opendev.org/c/openstack/kolla-ansible/+/975551 | 16:31 |
| opendevreview | Verification of a change to openstack/kolla master failed: Drop Telegraf https://review.opendev.org/c/openstack/kolla/+/974319 | 16:59 |
| frickler | oh, yay, testtools update got us, too https://zuul.opendev.org/t/openstack/build/b73ca1153a0a4310abd0c1fcbb35ead8 cf. https://github.com/mtreinish/stestr/pull/377 | 17:04 |
| frickler | also setuptools issues have now made their way into py<=311 https://zuul.opendev.org/t/openstack/buildset/1310711f94264182811dbc1bd7d81b78 | 17:24 |
| tafkamax | Hmm authelia and authentik both seem to run lower spec than keycloak | 17:38 |
| tafkamax | I know of both of them but haven't touched them | 17:38 |
| tafkamax | authelia allows yaml configs which is nice. | 17:38 |
| tafkamax | could be rather easy to setup an actual server | 17:39 |
| tafkamax | under 100mb for authelia definitely | 17:40 |
| blanson[m] | authentik is a nono from memory POV, and the hassle it is to set it up | 18:54 |
| tafkamax | Ok, authelia seems to be light under >100mb and uses yaml for config. | 18:55 |
| blanson[m] | I think authelia is the best option tbh, very lightweight, supports sqlite and everything | 18:55 |
| tafkamax | some saying 25mb ram usage | 18:55 |
| blanson[m] | authelia is fairly simple yh with file backend and sqlite I think it would suffice and be easy to setup | 18:55 |
| blanson[m] | that would be such a good test job btw, I hope it goes the way you want Taavi Ansper ! | 18:57 |
| tafkamax | blanson[m]: Thanks. For authelia I don't want to take it into under the current bug umbrella. I am setting up a broken federation r/n to get some info for selenium tests. | 18:58 |
| tafkamax | Would like to fix the issue for myself and other ppl faster | 18:58 |
| opendevreview | Merged openstack/kayobe master: Split Python installation from user bootstrap https://review.opendev.org/c/openstack/kayobe/+/976011 | 19:32 |
| opendevreview | Verification of a change to openstack/kayobe master failed: Support Python installation through Apt proxy https://review.opendev.org/c/openstack/kayobe/+/901551 | 19:40 |
| opendevreview | Pierre Riteau proposed openstack/kayobe master: Support Python installation through Apt proxy https://review.opendev.org/c/openstack/kayobe/+/901551 | 20:51 |