| *** rpittau|afk is now known as rpittau | 06:15 | |
| *** mtreinish_ is now known as mtreinish | 06:40 | |
| *** jpena|off is now known as jpena | 07:37 | |
| *** jpena is now known as jpena|lunch | 11:25 | |
| *** dviroel|out is now known as dviroel | 11:26 | |
| *** xek_ is now known as xek | 11:52 | |
| *** jpena|lunch is now known as jpena | 12:27 | |
| *** geguileo is now known as Guest3812 | 12:30 | |
| *** geguileor is now known as geguileo | 12:48 | |
| *** lbragstad__ is now known as lbragstad | 13:35 | |
| *** slaweq_ is now known as slaweq | 14:01 | |
| *** whoami-rajat__ is now known as whoami-rajat | 14:06 | |
| lbragstad | gmann do you know if the default permissions for devstack accounts changed recently? | 14:25 |
|---|---|---|
| lbragstad | i'm noticing something strange with the keystone protection job | 14:26 |
| gmann | lbragstad: few of the operation are made as admin i think. and one change in Tempest is about no network creation for system scope token | 14:27 |
| lbragstad | ok - interesting | 14:28 |
| lbragstad | https://bugs.launchpad.net/keystone/+bug/1939350 | 14:28 |
| gmann | lbragstad: ah I think I am also seeing failure about project creation - https://review.opendev.org/c/openstack/keystone/+/799423 | 14:28 |
| lbragstad | with that - i noticed that one of the failures was because devstack couldn't create admin resources (like role assignments) | 14:29 |
| gmann | lbragstad: yeah same issue, there was change in network creation for ovn | 14:29 |
| lbragstad | https://github.com/openstack/devstack/blob/a5ed116814fa3a435f15231aa7b18d389f917844/lib/glance#L312 fails when KEYSTONE_ENFORCE_SCOPE == True because that request isn't made with a system-scoped token | 14:29 |
| gmann | let me find patch | 14:30 |
| gmann | lbragstad: this caused the net id fetch (network creation on ovn) and then it is reverted https://review.opendev.org/c/openstack/neutron/+/801478 | 14:34 |
| gmann | lbragstad: and I think it is same time I think keystone protection job started failing for project_id demo | 14:36 |
| lbragstad | ok so the original patch broke tempest becuase the project wasn't created? | 14:36 |
| lbragstad | and it just cascades from there? | 14:36 |
| gmann | lbragstad: network creation in tempest for system scope is stopped in https://review.opendev.org/c/openstack/tempest/+/798130 | 14:38 |
| gmann | I am not sure it caused any issue? | 14:39 |
| gmann | lbragstad: for neutron change, default network was not created for ovn | 14:39 |
| lbragstad | hmm - ok | 14:40 |
| lbragstad | in my local environment if i enable KEYSTONE_ENFORCE_SCOPE and the keystone devstack plugin, i see a lot of 403s as devstack goes through and sets things up | 14:40 |
| lbragstad | and i'm not sure why it's a problem now since it was passing earlier | 14:41 |
| lbragstad | and so i thought it was the glance change to enable quotas, but it appears to be wider than that | 14:41 |
| gmann | lbragstad: ah, is this making any difference, it is effort to move the setting from keystone devstack plugin to devstack https://review.opendev.org/c/openstack/devstack/+/778975/1 | 14:44 |
| gmann | basically these setting https://review.opendev.org/c/openstack/keystone/+/778979 | 14:45 |
| lbragstad | mmm | 14:46 |
| lbragstad | https://github.com/openstack/keystone/blob/master/devstack/plugin.sh#L51-L55 | 14:46 |
| lbragstad | when we did that in keystone's devstack plugin we did it in test-config | 14:46 |
| lbragstad | so, after everything was setup, i believe | 14:46 |
| lbragstad | this is happening during keystone configuration | 14:47 |
| lbragstad | https://review.opendev.org/c/openstack/devstack/+/778975/1/lib/keystone | 14:47 |
| lbragstad | which is before anything in devstack is created | 14:47 |
| gmann | hummmm | 14:47 |
| lbragstad | which might explain why *everything* is failing with a 403 | 14:47 |
| gmann | we need to move devstack creation to system first in this case | 14:47 |
| lbragstad | yeah - devstack needs to know what profile to use in either case | 14:48 |
| lbragstad | https://github.com/openstack/keystone/blob/master/devstack/plugin.sh#L52-L53 | 14:48 |
| lbragstad | i think that's the primary reason why we did that in test-config | 14:48 |
| gmann | lbragstad: yeah, you are right. let me revert that for now and then we can do it once we move whole devstack to system scope setting. | 14:48 |
| lbragstad | i'll test your revert locally when you get the proposed | 14:48 |
| *** ralonsoh_ is now known as ralonsoh | 15:22 | |
| *** owalsh_ is now known as owalsh | 15:31 | |
| *** jpena is now known as jpena|off | 15:37 | |
| *** rpittau is now known as rpittau|afk | 16:31 | |
| *** dviroel is now known as dviroel|brb | 18:41 | |
| *** dviroel|brb is now known as dviroel | 19:00 | |
| *** lbragstad_ is now known as lbragstad | 19:45 | |
| *** dviroel is now known as dviroel|out | 20:52 | |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!