opendevreview | Takashi Kajinami proposed openstack/octavia master: Drop SQLALCHEMY_WARN_20 https://review.opendev.org/c/openstack/octavia/+/929394 | 06:17 |
---|---|---|
opendevreview | Takashi Kajinami proposed openstack/octavia master: Drop SQLALCHEMY_WARN_20 https://review.opendev.org/c/openstack/octavia/+/929394 | 06:25 |
opendevreview | Gregory Thiemonge proposed openstack/octavia master: Support for Jobboard etcd backend https://review.opendev.org/c/openstack/octavia/+/915834 | 07:51 |
zigo | hi there! What's the reason for Octavia requiring cryptography >= 42? I'm having a hard time to backport cryptography to Debian 12, and would prefer to avoid that work. | 07:51 |
zigo | Any comment? | 07:51 |
zigo | I have octavia.tests.unit.common.tls_utils.test_cert_parser.TestTLSParseUtils.test_get_cert_expiration failing in bookworm, is this related to the version of cryptography? | 07:52 |
gthiemonge | zigo: we had to bump it after this patch https://review.opendev.org/c/openstack/octavia/+/921356 | 07:53 |
gthiemonge | https://review.opendev.org/c/openstack/octavia/+/921752 | 07:55 |
gthiemonge | see https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Certificate.not_valid_after | 07:55 |
zigo | Ah, indeed, that's what I'm seeing failing over here. | 07:59 |
zigo | Maybe I'd better just revert the change then? | 07:59 |
gthiemonge | zigo: yeah you can revert it in your downstream branch ;-) | 08:03 |
gthiemonge | zigo: we'll discuss it with the team, I don't know if we can revert requirements, on master and on stable branches | 08:04 |
zigo | Ok, thanks. | 08:04 |
zigo | IMO, what would have been best, would have been to do a conditional, depending on the cryptography version. | 08:04 |
zigo | As in: if >= 42, use the _utc version of the function. | 08:04 |
zigo | I'm probably going to end up doing that in the package, so I can backport from Unstable to Bookworm easily. | 08:05 |
gthiemonge | zigo: what's the version of cryptography in bookworm? | 08:07 |
zigo | 38 | 08:07 |
zigo | It's very much ok if I keep this downstream. | 08:15 |
zigo | In Epoxy, I'll remove my patch, as Epoxy will be on Debian 13 only (while Dalmatian, I'm packaging for both Debian 12 and 13). | 08:16 |
gthiemonge | ah ok, I see Debian 12 in the Tested Runtimes for Epoxy | 08:18 |
gthiemonge | I'm asking on #openstack-release how we can deal with it | 08:19 |
opendevreview | Gregory Thiemonge proposed openstack/octavia master: Support for Jobboard etcd backend https://review.opendev.org/c/openstack/octavia/+/915834 | 08:48 |
tobias-urdin | gthiemonge: small fix to tests to fix upcoming legacyenginefacade being removed https://review.opendev.org/c/openstack/octavia/+/926625 | 11:31 |
gthiemonge | tobias-urdin: thanks, I'll look at it | 11:56 |
wncslln | morning, octavia o/ I'm facing a problem with connection between controllers and amphorae. the following error was thrown | 12:21 |
wncslln | Failure: octavia.amphorae.driver_exceptions.exceptions.AmpConnectionRetry: Could not connect to amphora, exception caught: HTTPSConnectionPool(host='10.x.x.x', port=9443): Max retries exceeded with url: // (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:1007)')))] | 12:21 |
wncslln | can someone give me some help? | 12:21 |
wncslln | I already have tried to regenerate certificates with kolla-ansible automation and failover the LB, but still can't connect to amphora | 12:22 |
tweining | hm, according to https://docs.openstack.org/octavia/latest/admin/guides/certificates.html the server certificates get rotated automatically. not sure what's wrong. | 12:24 |
tweining | did you read https://docs.openstack.org/octavia/latest/admin/guides/operator-maintenance.html#rotating-cryptographic-certificates ? | 12:25 |
wncslln | yeah. the server certificates get rotated, but the client certs the operator must generate it | 12:46 |
wncslln | i noticed that the certificates within containers are not matching in controllers, so i ran a reconfigure and the certs are copied to containers. this works | 12:47 |
johnsom | zigo So UC is already updated for cryptography 42 (and has been for a bit I think). It seems like it might be best to have a downstream workaround for Debian 12. | 15:45 |
johnsom | zigo I also wonder, if Debian 12 is going to be on the PTI, shouldn't there be gate jobs that would have caught this packaging issue? I mean, we move forward on package versions all of the time to fix bugs and deprecations. | 15:46 |
opendevreview | Merged openstack/octavia master: Support for Jobboard etcd backend https://review.opendev.org/c/openstack/octavia/+/915834 | 17:11 |
opendevreview | Michael Johnson proposed openstack/octavia master: Make keystone default roles the default RBAC https://review.opendev.org/c/openstack/octavia/+/929580 | 23:00 |