Wednesday, 2025-07-23

noonedeadpunkmornings08:21
noonedeadpunknice - https://review.opendev.org/c/openstack/openstack-ansible/+/955226 is passing now08:21
jrossero/ morning09:01
* jrosser waves to andrewbonney 09:01
andrewbonneyhi!09:01
noonedeadpunk┳━┳ ヽ(ಠل͜ಠ)ノ09:02
noonedeadpunk\o/09:02
opendevreviewMerged openstack/openstack-ansible-os_neutron master: Switch Neutron to uWSGI one more time  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/95561010:20
opendevreviewMerged openstack/openstack-ansible-lxc_hosts master: Revert "Remove lxc_net_mtu definition"  https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/95555412:36
opendevreviewMerged openstack/openstack-ansible master: Bump SHAs for master  https://review.opendev.org/c/openstack/openstack-ansible/+/95522613:02
*** jotik is now known as Guest2254414:26
*** jotik^^ is now known as jotik14:26
drarveseHello! I'm doing a new 2025.1 install and running into issues with the Keystone install. We're configuring it as an SP with SAML and the OSA install is failing to copy some files to /etc/shibboleth inside the the container because it doesn't exist15:24
drarvesehttps://paste.openstack.org/show/bJZ9s3UH7JHEEh27p1gq/15:25
drarvesehttps://paste.openstack.org/show/b6MxmQfLtjbsqsjstB8Z/ is the relevant keystone configs in user_variables.yml15:25
drarveseI've used this same config on multiple installs with no issues.15:26
drarveseIs there something I'm missing?15:27
drarveseIf I create /etc/shibboleth in the keystone container the playbook then fails on the "Generate the Shibboleth SP key-pair" task because shib-keygen doesn't exist15:28
jrosserdrarvese: is this a different operating system to what you have used before?15:34
drarveseNo, Ubuntu 24.04. But this is the first 2025.1 install I've done15:35
jrossershib-keygen missing suggests that there is some difference to before meaning that a required package is not installed15:36
jrosserthat should come from `shibboleth-sp-utils`15:36
jrosseri can't see immediately how that would have been installed - possibly a dependancy of the apache module?15:38
jrosseranyway - needs understanding which package is missing (this likely also explains the missing directory)15:39
drarveseIf I install shibboleth-sp-utils in the Keystone container the install succeeds16:12
opendevreviewDamian Dąbrowski proposed openstack/ansible-role-pki master: Change the format of 'san' parameter in `pki_certificates` variable  https://review.opendev.org/c/openstack/ansible-role-pki/+/94887916:51
opendevreviewDamian Dąbrowski proposed openstack/ansible-role-pki master: Use ttl instead of not_after in pki_authorities  https://review.opendev.org/c/openstack/ansible-role-pki/+/94888018:01
noonedeadpunkdrarvese: can you please submit a bug report to https://bugs.launchpad.net/openstack-ansible ?18:02
noonedeadpunkunless you willing to submit just a patch :)18:03
opendevreviewDamian Dąbrowski proposed openstack/ansible-role-pki master: Use ttl instead of not_after in pki_authorities  https://review.opendev.org/c/openstack/ansible-role-pki/+/94888018:06
drarveseI can submit a bug report18:14
noonedeadpunk++ that would be cool, thanks18:16
opendevreviewDamian Dąbrowski proposed openstack/ansible-role-pki master: Use ttl instead of not_after in pki_authorities  https://review.opendev.org/c/openstack/ansible-role-pki/+/94888018:22
opendevreviewDamian Dąbrowski proposed openstack/ansible-role-pki master: Add hashi_vault backend  https://review.opendev.org/c/openstack/ansible-role-pki/+/94888118:22
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_neutron master: Add hashi_vault pki backend support  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/94942018:32
damiandabrowskinoonedeadpunk: thanks for your pki comments today, I think I answered all of them18:37
jrosserdid we decide how to handle user defined certs in the end?19:08
jrosseri.e what the behaviour when `src:` is defined for the installation step19:08
damiandabrowskifor standalone backend, it seems like your patch covers it: https://review.opendev.org/c/openstack/ansible-role-pki/+/95423920:01
damiandabrowskifor hashi_vault backend, we rely on *_pki_backend(like neutron_pki_backend)20:01
damiandabrowskithere is an open discussion about this topic here: https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/949420/comment/870da622_215b554f/20:01
damiandabrowskiI posted there explanation why for hashi_vault backend we cannot rely just on src parameter20:02
jrossertbh i really don't understand the explanation20:06
jrosserevery time i see something that needs special handling for one backend or the other then that sounds like a bug20:33

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!