jrosser | i will try to reproduce the deb822 error | 08:29 |
---|---|---|
jrosser | noonedeadpunk: what OS did you find the UCA apt key trouble on? | 08:31 |
noonedeadpunk | jammy I think | 08:32 |
noonedeadpunk | and jsut regular aio_lxc scenario | 08:33 |
jrosser | ok, will try this | 08:33 |
kleini | I am currently upgrading compute nodes to jammy. Anything I can help in testing UCA repository? | 09:20 |
kleini | I am familiar with deb822 format due to my work. | 09:23 |
jrosser | so we have this patch | 09:25 |
jrosser | https://github.com/openstack/openstack-ansible-openstack_hosts/commit/1aef1f258c8b64b778bb7bc97edd67182290045b | 09:25 |
jrosser | ad that references the gpg key for the uca repo that is in a path here https://github.com/openstack/openstack-ansible-openstack_hosts/blob/master/vars/ubuntu.yml#L91 | 09:26 |
jrosser | that file is present because we install the `ubuntu-cloud-keyring` package, which drops a binary .gpg file in a location which turns out *not* to be part of /etc/apt/..... | 09:28 |
jrosser | so thats two issues | 09:29 |
jrosser | 1) openstack_hosts is not working the same way as things like the galera role, where we include a copy of the ascii form of the signing key directly in the ansible role (see https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/907752) | 09:30 |
jrosser | 2) for $reasons, everything is working just fine today in the CI jobs, but not locally as there must be some difference in the CI node vs. a regular ubuntu cloud image for the UCA key | 09:31 |
jrosser | and i guess 3), i am struggling to use the gpg command to create an acceptable ascii form of the binary gpg key to put into the files/gpg directory of the openstack_hosts role for UCA | 09:31 |
jrosser | noonedeadpunk: so i can totally reproduce it not working | 09:33 |
kleini | cat packages.mozilla.org.gpg | gpg --dearmour -o /etc/apt/trusted.gpg.d/mozilla.gpg | 09:34 |
kleini | for 3 | 09:34 |
kleini | oh, that is the other way round for creating the GPG keyring | 09:34 |
jrosser | right | 09:34 |
jrosser | i grabbed the Releases key from the UCA repo | 09:35 |
jrosser | and did `gpg --enarmor < ~/Downloads/Release.gpg > key.asc` | 09:35 |
kleini | gpg --keyring /etc/apt/trusted.gpg.d/packages.microsoft.gpg --export --armor | 09:35 |
jrosser | ahha that gives something different | 09:36 |
kleini | and then stdout is the ASCII form of the key, that can be directly used in deb822 format | 09:36 |
kleini | and this ASCII form is mostly presented as downloadable public key to verify signed packages of deb repositories | 09:38 |
jrosser | right - we have the binary form here https://git.launchpad.net/ubuntu/+source/ubuntu-cloud-keyring/tree/keyrings/ubuntu-cloud-keyring.gpg | 09:44 |
kleini | cat ubuntu-cloud-keyring.gpg | gpg --export --armor <- for ASCII form | 09:46 |
noonedeadpunk | jrosser: I think I've already proposed a patch to cover that? | 09:47 |
jrosser | oh | 09:48 |
noonedeadpunk | https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/932416 | 09:48 |
noonedeadpunk | sorry, I should have sent it earier | 09:48 |
jrosser | ah doh sorry i didnt see that | 09:49 |
noonedeadpunk | I used that to decode - `gpg --export --keyring /usr/share/keyrings/ubuntu-cloud-keyring.gpg -a` | 09:49 |
jrosser | i have the same patch now :) but also i dropped the installation of the keyring package as that would no longer be needed | 09:49 |
noonedeadpunk | so yeah, exactly what kleini suggested | 09:49 |
noonedeadpunk | oh, you can propose it instead and we can abandon mine | 09:50 |
opendevreview | Merged openstack/openstack-ansible-os_neutron stable/2024.1: Ensure that services that intended to stay disabled are not started https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/932410 | 09:50 |
opendevreview | Merged openstack/openstack-ansible-os_neutron stable/2023.2: Ensure that services that intended to stay disabled are not started https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/932412 | 09:50 |
jrosser | i can fix it | 09:50 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-openstack_hosts master: Store UCA GPG file in-repo https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/932416 | 09:51 |
jrosser | ok right so thats one part | 09:51 |
jrosser | i guess the other is finding where the UCA key gets into the CI image | 09:51 |
noonedeadpunk | I assume it probably doesn't even.... | 09:52 |
noonedeadpunk | As it might be just gpg of the infra mirror? | 09:52 |
opendevreview | Merged openstack/openstack-ansible-os_neutron stable/2023.1: Ensure that services that intended to stay disabled are not started https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/932413 | 09:54 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Freeze roles for 30.0.0.0b1 release https://review.opendev.org/c/openstack/openstack-ansible/+/931611 | 09:55 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2024.1: Update Neutron SHA after bugfix https://review.opendev.org/c/openstack/openstack-ansible/+/932497 | 10:06 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2023.2: Update Neutron SHA after bugfix https://review.opendev.org/c/openstack/openstack-ansible/+/932498 | 10:10 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2023.1: Update Neutron SHA after bugfix https://review.opendev.org/c/openstack/openstack-ansible/+/932499 | 10:12 |
*** gmann is now known as gmann_afk | 20:58 | |
*** gmann_afk is now known as gmann_ | 21:41 | |
*** gmann_ is now known as gmann | 21:41 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!