mossblaser | newbie question: is there a straight-forward way to run the tests for the openstack-ansible-plugins repo locally? (run_tests.sh seems to generally not work -- though perhaps this is due to being on Ubuntu Noble?) | 09:00 |
---|---|---|
noonedeadpunk | mossblaser: no, not really today | 09:02 |
noonedeadpunk | there's an ongoing work for adding molecule support | 09:02 |
noonedeadpunk | but it's still on the way kinda | 09:02 |
mossblaser | ah, OK, no worries -- I'll feel a little less bad about spending zuul time on silly mistakes :) | 09:03 |
noonedeadpunk | run_tests is the old method we're trying to get rid of/replace for years... | 09:03 |
noonedeadpunk | ie https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939898 | 09:03 |
mossblaser | ah; nice | 09:07 |
mossblaser | I notice in the sample test you're attempting to test SSH connectivity from the test runner to the container (which seems to be blowing up on centos for whatever reason?) -- have you considered running the test connections between nodes created by molecule? (this is what I've been doing for testing network-connected things and it seems to avoid networking quirks between "inside" and "outside") | 09:12 |
noonedeadpunk | so in this specific case the issue seems to be in apparmor somewhere when sshd inside of the centos container tries to use PAM | 09:17 |
noonedeadpunk | and then also this test worked on jammy, but is broken on noble | 09:17 |
noonedeadpunk | and then another lead is that root user gets somehow disabled inside of the docker | 09:18 |
noonedeadpunk | and most nasty part - is that locally it works - but not in zuul | 09:18 |
mossblaser | eep! | 09:18 |
noonedeadpunk | so it has to do with set of apparmor rules used in the zuul image I'd imagine | 09:18 |
mossblaser | (I recall jrosser banging his head against a wall about PAM the other day... this must have been it :)) | 09:18 |
noonedeadpunk | it was it I bet :D | 09:20 |
jrosser | mossblaser: it’s to do with wanting to test ssh and the connection plugin in the plugins repo, the tests fail on things that don’t use the native docker connection method | 09:24 |
jrosser | you’ll likely run into the same for centos-container-on-noble-host with any kind of ssh | 09:25 |
jrosser | if we weren’t trying to make the centos tests work the molecule patches for the plugins repo would have merged weeks ago | 09:26 |
mossblaser | hmm; I did run into a mysterious PAM related issue when running a Rocky9 container on Noble the other day which I didn't dig into further but I imagine that might be the same thing then | 09:30 |
noonedeadpunk | btw funny thing that rocky seem to pass in ci? | 10:31 |
mossblaser | this was in an entirely local molecule environment fwiw | 10:33 |
mossblaser | (which I rather grossly worked-around at the time with UsePAM no since it was just a test environment...) | 10:34 |
mossblaser | (but I can see why you might not want to do that in OSA!) | 10:35 |
noonedeadpunk | I'd say it might be good as well in this usecase, as very unlikely we expect anyone to use docker containers as hosts tbh | 10:36 |
noonedeadpunk | and then using centos inside docker on noble hosts... | 10:36 |
noonedeadpunk | so that test is completely artificial just to test the plugin general functionality | 10:36 |
noonedeadpunk | otherwise we indeed can use CentOS hosts to run molecule on, to avoid apparmor things... But then we need to maintain running molecule on different distros | 10:37 |
noonedeadpunk | so yeah, dunno | 10:38 |
mossblaser | the RedHat flavoured OpenSSH does spit out warnings if you use that option which might slightly confuse future debugging as my other non-realism-related concern | 10:38 |
noonedeadpunk | it doesn't if you comment it out :) | 10:49 |
noonedeadpunk | with same effect based on https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/943390/11/molecule/default/prepare.yml L66 | 10:50 |
mossblaser | oh; so it's only the combination of UsePAM no followed by UsePAM yes that produces the warning? | 10:51 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: [DNM] Check if we can workaround centos issue https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/943390 | 10:53 |
noonedeadpunk | I think you get warning only when you explicitly set `UsePAM no`, but it's not 100% | 10:54 |
mossblaser | ah -- and RHEL isn't patching the default to be yes or something like that are they? | 10:55 |
noonedeadpunk | it seems they are not... | 10:56 |
noonedeadpunk | at least, without UsePAM at all we get auth error, and when it's set to `UsePAM yes` - connection dropped | 10:56 |
mossblaser | the other thing I encountered was that if the dummy accounts I was SSHing into didn't have a password set they appeared to be treated as disabled and SSH wouldn't try and use them -- though that might be an entirely unrelated issue | 10:59 |
noonedeadpunk | I think it's related | 11:09 |
noonedeadpunk | as in this specific case root seems to appear disabled | 11:09 |
noonedeadpunk | even though in any test VM I used - it was never disabled | 11:09 |
noonedeadpunk | and no issues with PAM | 11:10 |
noonedeadpunk | so I think it's a completely related things and specific to noble | 11:10 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: [DNM] Check if we can workaround centos issue https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/943390 | 12:45 |
mossblaser | I also had to add a password to my dummy user to make it work on Rocky 9, if that was what you were trying out above? | 13:05 |
noonedeadpunk | yeah, but so far `passwd not found` | 13:34 |
mossblaser | I set the password using the ansible user module with password: "{{ 'insecure' | password_hash('sha512', 'insecure') }}" | 13:35 |
noonedeadpunk | ah, right, that could be enough | 13:40 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: [DNM] Check if we can workaround centos issue https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/943390 | 13:42 |
noonedeadpunk | (I wanna check with passwd still :D) | 13:42 |
noonedeadpunk | ok, so a password is not really needed. Just an account is locked... | 13:57 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: [DNM] Check if we can workaround centos issue https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/943390 | 14:04 |
mossblaser | ugh; I'm getting towards the end of day three of not being able to come up with a solution I'm happy with for having OSA and non-OSA managed CA user/principals mappings coexist :( Each solution inevitably ends up with the non-OSA thing having to be intimately tied to OSA implementation details | 14:41 |
mossblaser | I think I'm going to put off further thought until next week and hope inspiration strikes over the weekend... If anyone has any good ideas I'd be very keen to know! | 14:42 |
opendevreview | Vincent Legoll proposed openstack/openstack-ansible master: [NOMERGE] Dummy commit to test for bug 2096936 https://review.opendev.org/c/openstack/openstack-ansible/+/944400 | 15:39 |
noonedeadpunk | mossblaser: totally worth having some rest :) so have a good weekend! | 16:29 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-plugins master: Support more openstack.cloud.subnet arguments https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/944414 | 16:35 |
mossblaser | ty; and you! | 16:41 |
majotorres | Hi, does anyone know if it is possible for OpenStack to automatically generate hostnames for instances with a specific domain? | 17:04 |
noonedeadpunk | majotorres: um, I think it is? do you need it to be generally resolvable or only inside of openstack? | 18:53 |
majotorres | only inside openstack | 18:56 |