Tuesday, 2024-04-09

*** jph8 is now known as jph 03:06
SvenKieske mhm our CI is completely blocked by the opensearch jobs being broken, I look into how we can pass auth from haproxy to opensearch, if anybody has already the knowledge how to do this your help is appreciated, see the comments here: https://review.opendev.org/c/openstack/kolla-ansible/+/915119 09:46
mnasiadka It’s a bug in 2.13 10:22
mnasiadka I would rather pin to 2.12 for now 10:22
mnasiadka Until we find a proper solution 10:22
mnasiadka Especially that it has broken everybody now 10:22
mnasiadka (So raise a bug and backport the pin to stable branches) 10:23
mnasiadka And maybe we should pin by default and knowingly bump opensearch versions 10:24
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/2023.2: DNM: Test Masakari CI  https://review.opendev.org/c/openstack/kolla-ansible/+/915317 10:37
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/2023.1: DNM: Test Masakari CI  https://review.opendev.org/c/openstack/kolla-ansible/+/915154 10:38
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/2023.1: DNM: Test Masakari CI  https://review.opendev.org/c/openstack/kolla-ansible/+/915154 10:39
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/zed: DNM: Test Masakari CI  https://review.opendev.org/c/openstack/kolla-ansible/+/915155 10:39
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/zed: DNM: Test Masakari CI  https://review.opendev.org/c/openstack/kolla-ansible/+/915155 10:40
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/zed: DNM: Test Masakari CI  https://review.opendev.org/c/openstack/kolla-ansible/+/915155 10:40
SvenKieske mnasiadka: ok, I will do so 11:16
SvenKieske mnasiadka: is it safe to downgrade though? or do you just mean pin to 2.12 for CI? 11:24
SvenKieske I guess if I just pin in master no user should be affected :) 11:38
kevko fg 11:39
SvenKieske tracking bug: https://bugs.launchpad.net/kolla/+bug/2060668 11:45
SvenKieske kevko: foreground? was that for your shell? :D 11:45
opendevreview Sven Kieske proposed openstack/kolla master: CI/Master only: pin opensearch{-dashboard}  https://review.opendev.org/c/openstack/kolla/+/915322 12:12
mnasiadka SvenKieske: yeah, pinning in stable branches will affect some people, but I doubt they got to the point how to log in - since we don't set any password :) 12:44
mnasiadka it was always unauthenticated - hence the http auth on haproxy 12:44
SvenKieske yes, the above fix should hopefully work, but I wonder, wasn't this introduced in 2.12 already? maybe I mixed up the version numbers. 12:44
SvenKieske the opensearch release notes are very very long, I currently don't really find the change that is the culprit, neither in 2.12 nor 2.13 :D I guess I'll just wait for CI results. 12:48
mnasiadka hmm, maybe the culprit is security plugin config on opensearch side (not -dashboards) 12:57
mnasiadka but without a local deploy I don't think we can get to the bottom of it 12:57
SvenKieske I guess I can install inside a local rocky container and manually emulate the dashboard curl, maybe. but also need to set the appropriate ENV vars, because openstack-dashboard package just refused to install in its POST phase during testing. I assume we set that? 13:00
SvenKieske error was: ERROR: Opensearch 2.12 and later requires the env variable OPENSEARCH_INITIAL_ADMIN_PASSWORD to be defined to setup the opensearch-security demo configuration 13:00
mnasiadka yeah, I think I posted a patch to set it 13:02
mnasiadka SvenKieske: https://review.opendev.org/c/openstack/kolla/+/909644 13:03
mnasiadka maybe that's the culprit now 13:03
SvenKieske yeah, just found it. anyway I'm now in nova PTG and I think most are in kayobe PTG? :D 13:03
mnasiadka that we have an admin password 13:03
opendevreview Rafael Weingartner proposed openstack/kolla-ansible master: Customize the authentication error timeout page in modOIDC  https://review.opendev.org/c/openstack/kolla-ansible/+/832806 13:04
SvenKieske mnasiadka: without that the password set the package installation of the dashboard hard fails even in version 2.12 13:04
SvenKieske I'm fairly sure we can patch haproxy to forward proper auth to opensearch dashboard and we are good, I just need a calm minute to think about it and implement that 13:06
mnasiadka or make opensearch dashboards accept the authenticated header from haproxy 13:07
SvenKieske yeah, that was what I intended to do. 13:07
SvenKieske mnasiadka: this should do the trick I think, will add that to the bug report as well: https://opensearch.org/docs/latest/security/access-control/impersonation/ 13:09
mnasiadka SvenKieske: rather https://opensearch.org/docs/latest/security/authentication-backends/proxy/ 13:28
opendevreview Sven Kieske proposed openstack/kolla master: CI/Master only: pin opensearch{-dashboard}  https://review.opendev.org/c/openstack/kolla/+/915322 13:30
SvenKieske mnasiadka: ah nice, didn't know there is explicit proxy support 13:31
opendevreview Pierre Riteau proposed openstack/kayobe master: CI: Run kayobe-tox-ansible using Rocky Linux 9  https://review.opendev.org/c/openstack/kayobe/+/915330 13:38
opendevreview Grzegorz Bialas proposed openstack/kolla-ansible master: add scaphandre  https://review.opendev.org/c/openstack/kolla-ansible/+/915337 14:37
SvenKieske interesting topic from nova ptg is now live: healthchecks for nova/graceful shutdown https://etherpad.opendev.org/p/nova-dalmatian-ptg#L173 14:43
opendevreview Martin Hiner proposed openstack/kolla-ansible master: Add container engine migration scenario  https://review.opendev.org/c/openstack/kolla-ansible/+/836941 15:14
opendevreview Maksim Malchuk proposed openstack/kayobe master: CI: fetch Bifrost's disk-image-create log file  https://review.opendev.org/c/openstack/kayobe/+/915362 15:43
