Tuesday, 2022-03-08

03:00 *** frenzy_friday is now known as frenzyfriday|rover
07:44 *** frenzy_friday is now known as frenzyfriday|rover
10:01 *** frenzy_friday is now known as frenzyfriday|rover
10:51 *** frenzy_friday is now known as frenzyfriday|rover
11:22 *** dviroel|out is now known as dviroel
12:32 <mgariepy> admin1, did you find what is causing your issue with horizon?
12:33 <admin1> mgariepy, i actually did a tcpdump capture .. intend to start on it in the next 30 mins to figure out where it's stuck
12:33 <mgariepy> for galera what is your max connection?
12:41 <admin1> 6000
12:55 <mgariepy> is it a new deployment or an upgrade?
13:06 <gokhani> Hi folks, I wonder can I use zfs pool shared with nfs for nova vm disks and do you recommend this?
15:04 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:04 <opendevmeet> Meeting started Tue Mar  8 15:04:18 2022 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:04 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:04 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:04 <damiandabrowski[m]> hi!
15:04 <noonedeadpunk> #topic office hours
15:04 <noonedeadpunk> Hey!
15:05 <noonedeadpunk> Sorry, I'm not really around right now as clean forgot about meeting and in the middle of shopping mall now :D
15:06 <noonedeadpunk> I guess main question is CI functional tests that I failed to suggest poc for to compare with jrosser idea
15:06 <damiandabrowski[m]> haha, that's a dedication :D
15:06 <NeilHanlon> hehe
15:06 <jamesdenton> mornin
15:07 <noonedeadpunk> Then Rocky patch seems super close, just blocked with collection issue
15:07 <noonedeadpunk> And we have keystone scopes to figure out at least for Y
15:08 <noonedeadpunk> And tempest stuff is still blocked I bet
15:08 <noonedeadpunk> I will try to proceed with some topics this week for real now
15:09 <noonedeadpunk> But now I need to search for belongings my son dropped all over mall :D
15:10 <noonedeadpunk> Feel free to discuss stuff and endmeeting
15:10 <noonedeadpunk> :)
15:10 <damiandabrowski[m]> I'll also plan to focus on OSA (mainly tempest patches) next week
15:10 <NeilHanlon> thanks noonedeadpunk! :)
15:10 <noonedeadpunk> Great!
15:11 <noonedeadpunk> I guess question is also if we want to backport rocky support to Xena?
15:11 <noonedeadpunk> As changes were quite trivial?
15:12 <NeilHanlon> yeah i think I'd like to if it's relatively easy
15:13 <noonedeadpunk> Yeah, I think it should be doable at least if we say it's experimental
15:14 <NeilHanlon> cool, i'll take a look at that this week if I can
15:56 <noonedeadpunk> #endmeeting
15:56 <opendevmeet> Meeting ended Tue Mar  8 15:56:41 2022 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
15:56 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/openstack_ansible_meeting/2022/openstack_ansible_meeting.2022-03-08-15.04.html
15:56 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2022/openstack_ansible_meeting.2022-03-08-15.04.txt
15:56 <opendevmeet> Log:            https://meetings.opendev.org/meetings/openstack_ansible_meeting/2022/openstack_ansible_meeting.2022-03-08-15.04.log.html
16:07 <jrosser> noonedeadpunk: on CI functional tests i had some ideas about making molecule stuff more manageable. However i can't spend any time on it at all until next week.
16:57 *** dviroel is now known as dviroel|lunch
16:57 <jamesdenton> johnsom Do you know offhand what might be causing this error when creating a TERMINATED_HTTPS listener? "The selected protocol is not allowed in this deployment: TERMINATED_HTTPS"
16:57 <jamesdenton> This is Ussuri, fwiw
16:58 <johnsom> jamesdenton. Yes, one minute
16:58 <johnsom> jamesdenton https://docs.openstack.org/octavia/latest/configuration/configref.html#api_settings.allow_tls_terminated_listeners
16:59 <agemuend> Hi jrosser. You once said you worked considerably on openstack-ansible-os_keystone. I hope it's okay if I ask a question here.
17:00 <jrosser> agemuend: my team did a lot of work on OIDC integration
17:00 *** frenzyfriday|rover is now known as frenzyfriday|pto
17:00 <jamesdenton> doh! thanks, johnsom
17:00 <johnsom> NP
17:01 <agemuend> We'd like to set OIDCOAuthIntrospectionEndpoint, OIDCOAuthClientID and OIDCOAuthClientSecret in addition to the OIDC counterparts to allow CLI auth. How could we best achieve that as they are not supported by the role directly?
17:02 <agemuend> It's to support the EGI "Federated Cloud", a federation of academic Cloud sites in the wider European Open Science Cloud (EOSC) effort, if you're interested in the background
17:03 <jrosser> we did CLI using PKCE
17:04 <jrosser> https://github.com/bbc/keystoneauth-oidc
17:05 <agemuend> Oh it's interesting that this is forked from IFCA, as they are part of the initiative I'm talking about
17:06 <jrosser> ok
17:06 <jrosser> we were not happy using a client secret for CLI users
17:07 <jrosser> the client secret is really for trusted server<>server use cases
17:07 <jrosser> though CLI is "hard" so client secrets are abused for that
17:07 <jrosser> it would be great to upstream our changed back to the IFCA repo
17:07 <jrosser> *changes
17:08 <jrosser> we have an architecture where keycloak is the IdP, and we have an integration between keycloak and horizon for GUI, and we enable PKCE on keycloak to enable CLI users without needing a client secret
17:09 <jrosser> PKCE dynamically generates the equivalent of a client secret on demand, so it is ephemeral
17:09 <agemuend> Interesting
17:10 <agemuend> The federation suggests the client secret for the introspection endpoint though: https://docs.egi.eu/providers/cloud-compute/openstack/aai/#apache-configuration
17:10 <jrosser> have you checked this out? https://docs.openstack.org/openstack-ansible-os_keystone/latest/configure-federation-sp.html#service-provider-configuration-for-oidc-using-mod-auth-openidc
17:11 <agemuend> Yes, but the variables I mentioned are not part of that list
17:14 <agemuend> I guess for now we need to hardcode the variables into the keystone-httpd.conf.j2
17:14 <jrosser> well
17:15 <jrosser> we are talking about openid-connect, or oauth2 ?
17:15 <jrosser> the options in the role already have been completely sufficient to do horizon and CLI between openstack and keycloak using OIDC
17:18 <jrosser> this is all sufficiently complex that i'm likely confused with what you are needing to do
17:22 <jrosser> agemuend: also see the warning here https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf#L322-L334
17:24 <agemuend> probably I'm misunderstanding something. I was judging from the comment in that reference config I linked to, which says "# OAuth for CLI access"
17:26 <agemuend> Interesting thanks
17:26 <jrosser> right yes interesting, the egi docs use --os-auth-type v3oidcaccesstoken
17:27 <jrosser> and we used --os-auth-type v3oidccode
17:27 <jrosser> so there are two completely different OIDC flows involved there
17:27 <jrosser> if you need support for those other variables then it should be easy to create a patch for os_keystone to support those
17:29 <jrosser> the patch would look something like this https://github.com/openstack/openstack-ansible-os_keystone/commit/3b283edf8a2c2d51236631a9fcd9b3f5f744f6ed
17:30 <jrosser> agemuend: i suspect that the OIDC code flow + PKCE is a more modern variant on OIDC + access token, it's probably worth some study on the relative security/benefits of both
17:30 <jrosser> though really it is no problem to support both in the os_keystone role
17:31 <agemuend> Cool, you'd consider the PR? on Github? (never used opendev)
17:31 <jrosser> ah no, you need to submit to gerrit..... there is just automatic mirroring to github
17:31 <jrosser> if that's too much hassle, create a diff and put it at paste.opendev.org and we can make a patch for you
17:32 <jrosser> a diff against master
17:32 <jrosser> for gerrit workflow see this https://docs.opendev.org/opendev/infra-manual/latest/gettingstarted.html
17:34 <agemuend> Okay cool, thx
17:37 <agemuend> We'll take a stab at the Gerrit workflow tomorrow, I guess it's good to get acquainted with that
17:38 <jrosser> that would be great if you could
17:47 *** odyssey4me is now known as Guest1620
17:52 *** dviroel|lunch is now known as dviroel
18:42 <mgariepy> jrosser, can we push this one? https://review.opendev.org/c/openstack/openstack-ansible/+/831536/4
19:38 <jrosser> mgariepy: done
19:41 <mgariepy> thanks
19:41 <mgariepy> should we disable voting on rocky ?
19:41 <mgariepy> :/ failing on dependency issue while building nova..
19:43 <mgariepy> https://paste.openstack.org/show/b3Eh0w86aGlAfwYzb01Z/
19:44 <jrosser> pypowervm 1.1.27 depends on futures>=3.0 / The user requested (constraint) futures===3.0.5
19:45 <mgariepy> LOL
19:45 <jrosser> i thought that this was fixed by a bump in nova
19:46 <jrosser> i bet we need this first https://review.opendev.org/c/openstack/openstack-ansible/+/830273
19:47 <mgariepy> ho. wow. the relation chain is somewhat inconsistent across reviews ..
19:47 <jrosser> yes lets have this merge https://review.opendev.org/c/openstack/openstack-ansible/+/831536/2
19:47 <jrosser> rather than rease
19:47 <jrosser> rebase
19:48 <jrosser> fix ansible collections -> merge sha bump -> rebase rocky patch
19:48 <jrosser> something like that
20:27 <mgariepy> ok
20:28 <mgariepy> kinda too late now. but at worst for the next patch we maybe can stack them and merge them together.
20:31 <mgariepy> arf. bulleyes failed :(
20:33 <mgariepy> bullseye i meant :(
21:15 *** odyssey4me is now known as Guest1634
22:03 *** dviroel is now known as dviroel|afk
