noonedeadpunk | mornings | 08:21 |
---|---|---|
noonedeadpunk | nice - https://review.opendev.org/c/openstack/openstack-ansible/+/955226 is passing now | 08:21 |
jrosser | o/ morning | 09:01 |
* jrosser waves to andrewbonney | 09:01 | |
andrewbonney | hi! | 09:01 |
noonedeadpunk | ┳━┳ ヽ(ಠل͜ಠ)ノ | 09:02 |
noonedeadpunk | \o/ | 09:02 |
opendevreview | Merged openstack/openstack-ansible-os_neutron master: Switch Neutron to uWSGI one more time https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/955610 | 10:20 |
opendevreview | Merged openstack/openstack-ansible-lxc_hosts master: Revert "Remove lxc_net_mtu definition" https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/955554 | 12:36 |
opendevreview | Merged openstack/openstack-ansible master: Bump SHAs for master https://review.opendev.org/c/openstack/openstack-ansible/+/955226 | 13:02 |
*** jotik is now known as Guest22544 | 14:26 | |
*** jotik^^ is now known as jotik | 14:26 | |
drarvese | Hello! I'm doing a new 2025.1 install and running into issues with the Keystone install. We're configuring it as an SP with SAML and the OSA install is failing to copy some files to /etc/shibboleth inside the container because it doesn't exist | 15:24 |
drarvese | https://paste.openstack.org/show/bJZ9s3UH7JHEEh27p1gq/ | 15:25 |
drarvese | https://paste.openstack.org/show/b6MxmQfLtjbsqsjstB8Z/ is the relevant keystone configs in user_variables.yml | 15:25 |
drarvese | I've used this same config on multiple installs with no issues. | 15:26 |
drarvese | Is there something I'm missing? | 15:27 |
drarvese | If I create /etc/shibboleth in the keystone container the playbook then fails on the "Generate the Shibboleth SP key-pair" task because shib-keygen doesn't exist | 15:28 |
jrosser | drarvese: is this a different operating system to what you have used before? | 15:34 |
drarvese | No, Ubuntu 24.04. But this is the first 2025.1 install I've done | 15:35 |
jrosser | shib-keygen missing suggests that there is some difference to before meaning that a required package is not installed | 15:36 |
jrosser | that should come from `shibboleth-sp-utils` | 15:36 |
jrosser | i can't see immediately how that would have been installed - possibly a dependency of the apache module? | 15:38 |
jrosser | anyway - needs understanding which package is missing (this likely also explains the missing directory) | 15:39 |
drarvese | If I install shibboleth-sp-utils in the Keystone container the install succeeds | 16:12 |
opendevreview | Damian Dąbrowski proposed openstack/ansible-role-pki master: Change the format of 'san' parameter in `pki_certificates` variable https://review.opendev.org/c/openstack/ansible-role-pki/+/948879 | 16:51 |
opendevreview | Damian Dąbrowski proposed openstack/ansible-role-pki master: Use ttl instead of not_after in pki_authorities https://review.opendev.org/c/openstack/ansible-role-pki/+/948880 | 18:01 |
noonedeadpunk | drarvese: can you please submit a bug report to https://bugs.launchpad.net/openstack-ansible ? | 18:02 |
noonedeadpunk | unless you're willing to submit just a patch :) | 18:03 |
opendevreview | Damian Dąbrowski proposed openstack/ansible-role-pki master: Use ttl instead of not_after in pki_authorities https://review.opendev.org/c/openstack/ansible-role-pki/+/948880 | 18:06 |
drarvese | I can submit a bug report | 18:14 |
noonedeadpunk | ++ that would be cool, thanks | 18:16 |
opendevreview | Damian Dąbrowski proposed openstack/ansible-role-pki master: Use ttl instead of not_after in pki_authorities https://review.opendev.org/c/openstack/ansible-role-pki/+/948880 | 18:22 |
opendevreview | Damian Dąbrowski proposed openstack/ansible-role-pki master: Add hashi_vault backend https://review.opendev.org/c/openstack/ansible-role-pki/+/948881 | 18:22 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_neutron master: Add hashi_vault pki backend support https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/949420 | 18:32 |
damiandabrowski | noonedeadpunk: thanks for your pki comments today, I think I answered all of them | 18:37 |
jrosser | did we decide how to handle user defined certs in the end? | 19:08 |
jrosser | i.e. what the behaviour is when `src:` is defined for the installation step | 19:08 |
damiandabrowski | for standalone backend, it seems like your patch covers it: https://review.opendev.org/c/openstack/ansible-role-pki/+/954239 | 20:01 |
damiandabrowski | for hashi_vault backend, we rely on `*_pki_backend` (like `neutron_pki_backend`) | 20:01 |
damiandabrowski | there is an open discussion about this topic here: https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/949420/comment/870da622_215b554f/ | 20:01 |
damiandabrowski | I posted an explanation there of why for hashi_vault backend we cannot rely just on src parameter | 20:02 |
jrosser | tbh i really don't understand the explanation | 20:06 |
jrosser | every time i see something that needs special handling for one backend or the other then that sounds like a bug | 20:33 |