Wednesday, 2024-10-16

jrosseri will try to reproduce the deb822 error08:29
jrossernoonedeadpunk: what OS did you find the UCA apt key trouble on?08:31
noonedeadpunkjammy I think08:32
noonedeadpunkand jsut regular aio_lxc scenario08:33
jrosserok, will try this08:33
kleiniI am currently upgrading compute nodes to jammy. Anything I can help in testing UCA repository?09:20
kleiniI am familiar with deb822 format due to my work.09:23
jrosserso we have this patch09:25
jrosserhttps://github.com/openstack/openstack-ansible-openstack_hosts/commit/1aef1f258c8b64b778bb7bc97edd67182290045b09:25
jrosserad that references the gpg key for the uca repo that is in a path here https://github.com/openstack/openstack-ansible-openstack_hosts/blob/master/vars/ubuntu.yml#L9109:26
jrosserthat file is present because we install the `ubuntu-cloud-keyring` package, which drops a binary .gpg file in a location which turns out *not* to be part of /etc/apt/.....09:28
jrosserso thats two issues09:29
jrosser1) openstack_hosts is not working the same way as things like the galera role, where we include a copy of the ascii form of the signing key directly in the ansible role (see https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/907752)09:30
jrosser2) for $reasons, everything is working just fine today in the CI jobs, but not locally as there must be some difference in the CI node vs. a regular ubuntu cloud image for the UCA key09:31
jrosserand i guess 3), i am struggling to use the gpg command to create an acceptable ascii form of the binary gpg key to put into the files/gpg directory of the openstack_hosts role for UCA09:31
jrossernoonedeadpunk: so i can totally reproduce it not working09:33
kleinicat packages.mozilla.org.gpg | gpg --dearmour -o /etc/apt/trusted.gpg.d/mozilla.gpg09:34
kleinifor 309:34
kleinioh, that is the other way round for creating the GPG keyring09:34
jrosserright09:34
jrosseri grabbed the Releases key from the UCA repo09:35
jrosserand did `gpg --enarmor < ~/Downloads/Release.gpg > key.asc`09:35
kleinigpg --keyring /etc/apt/trusted.gpg.d/packages.microsoft.gpg --export --armor 09:35
jrosserahha that gives something different09:36
kleiniand then stdout is the ASCII form of the key, that can be directly used in deb822 format09:36
kleiniand this ASCII form is mostly presented as downloadable public key to verify signed packages of deb repositories09:38
jrosserright - we have the binary form here https://git.launchpad.net/ubuntu/+source/ubuntu-cloud-keyring/tree/keyrings/ubuntu-cloud-keyring.gpg09:44
kleinicat ubuntu-cloud-keyring.gpg | gpg --export --armor <- for ASCII form09:46
noonedeadpunkjrosser: I think I've already proposed a patch to cover that?09:47
jrosseroh09:48
noonedeadpunkhttps://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/93241609:48
noonedeadpunksorry, I should have sent it earier09:48
jrosserah doh sorry i didnt see that09:49
noonedeadpunkI used that to decode - `gpg --export --keyring /usr/share/keyrings/ubuntu-cloud-keyring.gpg -a`09:49
jrosseri have the same patch now :) but also i dropped the installation of the keyring package as that would no longer be needed09:49
noonedeadpunkso yeah, exactly what kleini suggested09:49
noonedeadpunkoh, you can propose it instead and we can abandon mine09:50
opendevreviewMerged openstack/openstack-ansible-os_neutron stable/2024.1: Ensure that services that intended to stay disabled are not started  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/93241009:50
opendevreviewMerged openstack/openstack-ansible-os_neutron stable/2023.2: Ensure that services that intended to stay disabled are not started  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/93241209:50
jrosseri can fix it09:50
opendevreviewJonathan Rosser proposed openstack/openstack-ansible-openstack_hosts master: Store UCA GPG file in-repo  https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/93241609:51
jrosserok right so thats one part09:51
jrosseri guess the other is finding where the UCA key gets into the CI image09:51
noonedeadpunkI assume it probably doesn't even....09:52
noonedeadpunkAs it might be just gpg of the infra mirror?09:52
opendevreviewMerged openstack/openstack-ansible-os_neutron stable/2023.1: Ensure that services that intended to stay disabled are not started  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/93241309:54
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Freeze roles for 30.0.0.0b1 release  https://review.opendev.org/c/openstack/openstack-ansible/+/93161109:55
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible stable/2024.1: Update Neutron SHA after bugfix  https://review.opendev.org/c/openstack/openstack-ansible/+/93249710:06
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible stable/2023.2: Update Neutron SHA after bugfix  https://review.opendev.org/c/openstack/openstack-ansible/+/93249810:10
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible stable/2023.1: Update Neutron SHA after bugfix  https://review.opendev.org/c/openstack/openstack-ansible/+/93249910:12
*** gmann is now known as gmann_afk20:58
*** gmann_afk is now known as gmann_21:41
*** gmann_ is now known as gmann21:41

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!