*** jph8 is now known as jph | 03:06 | |
SvenKieske | mhm our CI is completely blocked by the opensearch jobs being broken, I look into how we can pass auth from haproxy to opensearch, if anybody has already the knowledge how to do this your help is appreciated, see the comments here: https://review.opendev.org/c/openstack/kolla-ansible/+/915119 | 09:46 |
---|---|---|
mnasiadka | It’s a bug in 2.13 | 10:22 |
mnasiadka | I would rather pin to 2.12 for now | 10:22 |
mnasiadka | Until we find a proper solution | 10:22 |
mnasiadka | Especially that it has broken everybody now | 10:22 |
mnasiadka | (So raise a bug and backport the pin to stable branches) | 10:23 |
mnasiadka | And maybe we should pin by default and knowingly bump opensearch versions | 10:24 |
opendevreview | Mark Goddard proposed openstack/kolla-ansible stable/2023.2: DNM: Test Masakari CI https://review.opendev.org/c/openstack/kolla-ansible/+/915317 | 10:37 |
opendevreview | Mark Goddard proposed openstack/kolla-ansible stable/2023.1: DNM: Test Masakari CI https://review.opendev.org/c/openstack/kolla-ansible/+/915154 | 10:38 |
opendevreview | Mark Goddard proposed openstack/kolla-ansible stable/2023.1: DNM: Test Masakari CI https://review.opendev.org/c/openstack/kolla-ansible/+/915154 | 10:39 |
opendevreview | Mark Goddard proposed openstack/kolla-ansible stable/zed: DNM: Test Masakari CI https://review.opendev.org/c/openstack/kolla-ansible/+/915155 | 10:39 |
opendevreview | Mark Goddard proposed openstack/kolla-ansible stable/zed: DNM: Test Masakari CI https://review.opendev.org/c/openstack/kolla-ansible/+/915155 | 10:40 |
opendevreview | Mark Goddard proposed openstack/kolla-ansible stable/zed: DNM: Test Masakari CI https://review.opendev.org/c/openstack/kolla-ansible/+/915155 | 10:40 |
SvenKieske | mnasiadka: ok, I will do so | 11:16 |
SvenKieske | mnasiadka: is it save to downgrade though? or do you just mean pin to 2.12 for CI? | 11:24 |
SvenKieske | I guess if I just pin in master no user should be affected :) | 11:38 |
kevko | fg | 11:39 |
SvenKieske | tracking bug: https://bugs.launchpad.net/kolla/+bug/2060668 | 11:45 |
SvenKieske | kevko: foreground? was that for your shell? :D | 11:45 |
opendevreview | Sven Kieske proposed openstack/kolla master: CI/Master only: pin opensearch{-dashboard} https://review.opendev.org/c/openstack/kolla/+/915322 | 12:12 |
mnasiadka | SvenKieske: yeah, pinning in stable branches will affect some people, but I doubt they got to the point how to log in - since we don't set any password :) | 12:44 |
mnasiadka | it was always unauthenticated - hence the http auth on haproxy | 12:44 |
SvenKieske | yes, the above fix should hopefully work, but I wonder, wasn't this introduced in 2.12 already? maybe I mixed up the version numbers. | 12:44 |
SvenKieske | the opensearch release notes are very very long, I currently don't really find the change that is the culprit, neither in 2.12 nor 2.13 :D I guess I'll just wait for CI results. | 12:48 |
mnasiadka | hmm, maybe the culprit is security plugin config on opensearch side (not -dashboards) | 12:57 |
mnasiadka | but without a local deploy I don't think we can get to the bottom of it | 12:57 |
SvenKieske | I guess I can install inside a local rocky container and manually emulate the dashboard curl, maybe. but also need to set the appropriate ENV vars, because openstack-dashboard package just refused to install in it's POST phase during testing. I assume we set that? | 13:00 |
SvenKieske | error was: ERROR: Opensearch 2.12 and later requires the env variable OPENSEARCH_INITIAL_ADMIN_PASSWORD to be defined to setup the opensearch-security demo configuration | 13:00 |
mnasiadka | yeah, I think I posted a patch to set it | 13:02 |
mnasiadka | SvenKieske: https://review.opendev.org/c/openstack/kolla/+/909644 | 13:03 |
mnasiadka | maybe that's the culprit now | 13:03 |
SvenKieske | yeah, just found it. anyway I'm now in nova PTG and I think most are in kayobe PTG? :D | 13:03 |
mnasiadka | that we have an admin password | 13:03 |
opendevreview | Rafael Weingartner proposed openstack/kolla-ansible master: Customize the authentication error timeout page in modOIDC https://review.opendev.org/c/openstack/kolla-ansible/+/832806 | 13:04 |
SvenKieske | mnasiadka: without that the password set the package installation of the dashboard hard fails even in version 2.12 | 13:04 |
SvenKieske | I'm fairly sure we can patch haproxy to forward proper auth to opensearch dashboard and we are good, I just need a calm minute to think about it and implement that | 13:06 |
mnasiadka | or make opensearch dashboards accept the authenticated header from haproxy | 13:07 |
SvenKieske | yeah, that was what I intended to do. | 13:07 |
SvenKieske | mnasiadka: this should do the trick I think, will add that to the bug report as well: https://opensearch.org/docs/latest/security/access-control/impersonation/ | 13:09 |
mnasiadka | SvenKieske: rather https://opensearch.org/docs/latest/security/authentication-backends/proxy/ | 13:28 |
opendevreview | Sven Kieske proposed openstack/kolla master: CI/Master only: pin opensearch{-dashboard} https://review.opendev.org/c/openstack/kolla/+/915322 | 13:30 |
SvenKieske | mnasiadka: ah nice, didn't know there is explicit proxy support | 13:31 |
opendevreview | Pierre Riteau proposed openstack/kayobe master: CI: Run kayobe-tox-ansible using Rocky Linux 9 https://review.opendev.org/c/openstack/kayobe/+/915330 | 13:38 |
opendevreview | Grzegorz Bialas proposed openstack/kolla-ansible master: add scaphandre https://review.opendev.org/c/openstack/kolla-ansible/+/915337 | 14:37 |
SvenKieske | interesting topic from nova ptg is now live: healthchecks for nova/graceful shutdown https://etherpad.opendev.org/p/nova-dalmatian-ptg#L173 | 14:43 |
opendevreview | Martin Hiner proposed openstack/kolla-ansible master: Add container engine migration scenario https://review.opendev.org/c/openstack/kolla-ansible/+/836941 | 15:14 |
opendevreview | Maksim Malchuk proposed openstack/kayobe master: CI: fetch Bifrost's disk-image-create log file https://review.opendev.org/c/openstack/kayobe/+/915362 | 15:43 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!