)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"e1e28f601c269ac3e3e3c349343c7dc2b2cebe48","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"5492f4de_104deca9","updated":"2024-01-31 00:04:20.000000000","message":"-1 for the group var updates. Everything else is more informational/discussion worthy.","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"}],"inventory/service/group_vars/keycloak.yaml":[{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"e1e28f601c269ac3e3e3c349343c7dc2b2cebe48","unresolved":true,"context_lines":[{"line_number":1,"context_line":"letsencrypt_certs:"},{"line_number":2,"context_line":"  keycloak01-opendev-org-main:"},{"line_number":3,"context_line":"    # List the service name first since that determines the filename"},{"line_number":4,"context_line":"    # and is referenced in the apache config."},{"line_number":5,"context_line":"    - keycloak.opendev.org"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"c32b02be_78e0d498","line":2,"range":{"start_line":2,"start_character":2,"end_line":2,"end_character":12},"updated":"2024-01-31 00:04:20.000000000","message":"This var should be renamed now that it is part of a group file. 
The handler in the LE cert handler list will need to be updated to accommodate.","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"fa072996cf48a8a3722465656793b361c1c414e9","unresolved":false,"context_lines":[{"line_number":1,"context_line":"letsencrypt_certs:"},{"line_number":2,"context_line":"  keycloak01-opendev-org-main:"},{"line_number":3,"context_line":"    # List the service name first since that determines the filename"},{"line_number":4,"context_line":"    # and is referenced in the apache config."},{"line_number":5,"context_line":"    - keycloak.opendev.org"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"4c05c5e3_74e0b086","line":2,"range":{"start_line":2,"start_character":2,"end_line":2,"end_character":12},"in_reply_to":"c32b02be_78e0d498","updated":"2024-01-31 16:35:21.000000000","message":"Done","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"e1e28f601c269ac3e3e3c349343c7dc2b2cebe48","unresolved":true,"context_lines":[{"line_number":3,"context_line":"    # List the service name first since that determines the filename"},{"line_number":4,"context_line":"    # and is referenced in the apache config."},{"line_number":5,"context_line":"    - keycloak.opendev.org"},{"line_number":6,"context_line":"    - keycloak01.opendev.org"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"2d974998_f03f4436","line":6,"updated":"2024-01-31 00:04:20.000000000","message":"This entry should use inventory hostname. 
The etherpad group var can serve as an example.","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"fa072996cf48a8a3722465656793b361c1c414e9","unresolved":false,"context_lines":[{"line_number":3,"context_line":"    # List the service name first since that determines the filename"},{"line_number":4,"context_line":"    # and is referenced in the apache config."},{"line_number":5,"context_line":"    - keycloak.opendev.org"},{"line_number":6,"context_line":"    - keycloak01.opendev.org"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"02c62bbc_9c434c86","line":6,"in_reply_to":"2d974998_f03f4436","updated":"2024-01-31 16:35:21.000000000","message":"Done","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"}],"playbooks/roles/keycloak/tasks/main.yaml":[{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"85f3dc1598e27a3cad0512472c312f60f3ff4a05","unresolved":true,"context_lines":[{"line_number":77,"context_line":"- name: Wait for keycloak to start"},{"line_number":78,"context_line":"  wait_for:"},{"line_number":79,"context_line":"    port: 8080"},{"line_number":80,"context_line":"    timeout: 60"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"- name: Run docker prune to cleanup unneeded images"},{"line_number":83,"context_line":"  shell:"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"0ca4e349_4aeec11d","line":80,"updated":"2024-01-30 18:13:03.000000000","message":"This wait_for task defaults to checking 127.0.0.1. 
We listen on ::1 now which should also accept connections for 127.0.0.1 but maybe the java network stack is doing ipv6 only?","commit_id":"cecaf64107d348f5b15f00b8714ae1ceb313343b"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"e1e28f601c269ac3e3e3c349343c7dc2b2cebe48","unresolved":false,"context_lines":[{"line_number":77,"context_line":"- name: Wait for keycloak to start"},{"line_number":78,"context_line":"  wait_for:"},{"line_number":79,"context_line":"    port: 8080"},{"line_number":80,"context_line":"    timeout: 60"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"- name: Run docker prune to cleanup unneeded images"},{"line_number":83,"context_line":"  shell:"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"2b5dde03_84fec269","line":80,"in_reply_to":"0ca4e349_4aeec11d","updated":"2024-01-31 00:04:20.000000000","message":"Done","commit_id":"cecaf64107d348f5b15f00b8714ae1ceb313343b"}],"playbooks/roles/keycloak/templates/docker-compose.yaml.j2":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"c1a5cb4b89924b869eccd042b82bfad1b00e47a8","unresolved":false,"context_lines":[{"line_number":15,"context_line":"      MARIADB_PASSWORD: \"{{ keycloak_db_password }}\""},{"line_number":16,"context_line":"    volumes:"},{"line_number":17,"context_line":"      - /var/keycloak/db:/var/lib/mysql"},{"line_number":18,"context_line":"      - /var/keycloak/99-bind-address.cnf:/etc/mysql/conf.d/99-bind-address.cnf:ro"},{"line_number":19,"context_line":"    logging:"},{"line_number":20,"context_line":"      driver: syslog"},{"line_number":21,"context_line":"      options:"}],"source_content_type":"text/x-jinja2","patch_set":10,"id":"32c87e6a_6deaf7f0","line":18,"updated":"2024-01-30 21:35:59.000000000","message":"Should we install these to 
/srv/keycloak instead? The old server used a /var/keycloak/data to persist its H2 databases, so I stuck with it for consistency, but it\u0027s not very FHS and if we\u0027re going to change it then it\u0027s easier to do it now rather than later.","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"11b10bfa41afe8835c7b3a8701af5d95cc030494","unresolved":false,"context_lines":[{"line_number":15,"context_line":"      MARIADB_PASSWORD: \"{{ keycloak_db_password }}\""},{"line_number":16,"context_line":"    volumes:"},{"line_number":17,"context_line":"      - /var/keycloak/db:/var/lib/mysql"},{"line_number":18,"context_line":"      - /var/keycloak/99-bind-address.cnf:/etc/mysql/conf.d/99-bind-address.cnf:ro"},{"line_number":19,"context_line":"    logging:"},{"line_number":20,"context_line":"      driver: syslog"},{"line_number":21,"context_line":"      options:"}],"source_content_type":"text/x-jinja2","patch_set":10,"id":"da996b59_afed1dc7","line":18,"updated":"2024-01-31 15:06:47.000000000","message":"Yes, but in /var/$service or somewhere like /var/lib/$service instead? Checking other compose files for examples, looks like we do a lot of both, but putting things in /var/lib seems to be slightly more common than polluting the main /var directory. 
I\u0027ll switch it, thanks.","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"e1e28f601c269ac3e3e3c349343c7dc2b2cebe48","unresolved":false,"context_lines":[{"line_number":15,"context_line":"      MARIADB_PASSWORD: \"{{ keycloak_db_password }}\""},{"line_number":16,"context_line":"    volumes:"},{"line_number":17,"context_line":"      - /var/keycloak/db:/var/lib/mysql"},{"line_number":18,"context_line":"      - /var/keycloak/99-bind-address.cnf:/etc/mysql/conf.d/99-bind-address.cnf:ro"},{"line_number":19,"context_line":"    logging:"},{"line_number":20,"context_line":"      driver: syslog"},{"line_number":21,"context_line":"      options:"}],"source_content_type":"text/x-jinja2","patch_set":10,"id":"3ef14137_908e2aa0","line":18,"in_reply_to":"32c87e6a_6deaf7f0","updated":"2024-01-31 00:04:20.000000000","message":"Most of our services put the persistent container data in /var. 
The exceptions are things like gerrit which have a long history of using another location and/or volumes.","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"e1e28f601c269ac3e3e3c349343c7dc2b2cebe48","unresolved":true,"context_lines":[{"line_number":19,"context_line":"    logging:"},{"line_number":20,"context_line":"      driver: syslog"},{"line_number":21,"context_line":"      options:"},{"line_number":22,"context_line":"        tag: docker-mariadb"},{"line_number":23,"context_line":"  keycloak:"},{"line_number":24,"context_line":"    depends_on:"},{"line_number":25,"context_line":"      - mariadb"}],"source_content_type":"text/x-jinja2","patch_set":10,"id":"29445fd8_2827dba4","line":22,"updated":"2024-01-31 00:04:20.000000000","message":"I can\u0027t remember do we need to configure syslog to write out the resulting log to a specific file or is that automagic with our configs? 
Check /var/log/containers/mariadb.log or similar to see if it is automagic.","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"11b10bfa41afe8835c7b3a8701af5d95cc030494","unresolved":false,"context_lines":[{"line_number":19,"context_line":"    logging:"},{"line_number":20,"context_line":"      driver: syslog"},{"line_number":21,"context_line":"      options:"},{"line_number":22,"context_line":"        tag: docker-mariadb"},{"line_number":23,"context_line":"  keycloak:"},{"line_number":24,"context_line":"    depends_on:"},{"line_number":25,"context_line":"      - mariadb"}],"source_content_type":"text/x-jinja2","patch_set":10,"id":"56bf3f68_515f1067","line":22,"updated":"2024-01-31 15:06:47.000000000","message":"It\u0027s present on the held node with expected content, but we do also successfully collect it in the system-config-run-keycloak builds: https://zuul.opendev.org/t/openstack/build/fca2527bf8524b8183949fa4712b6a46/log/keycloak99.opendev.org/containers/docker-mariadb.log","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"fa072996cf48a8a3722465656793b361c1c414e9","unresolved":false,"context_lines":[{"line_number":19,"context_line":"    logging:"},{"line_number":20,"context_line":"      driver: syslog"},{"line_number":21,"context_line":"      options:"},{"line_number":22,"context_line":"        tag: docker-mariadb"},{"line_number":23,"context_line":"  keycloak:"},{"line_number":24,"context_line":"    depends_on:"},{"line_number":25,"context_line":"      - mariadb"}],"source_content_type":"text/x-jinja2","patch_set":10,"id":"4edb6b9b_7d3d23e3","line":22,"in_reply_to":"29445fd8_2827dba4","updated":"2024-01-31 
16:35:21.000000000","message":"Done","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"e1e28f601c269ac3e3e3c349343c7dc2b2cebe48","unresolved":true,"context_lines":[{"line_number":41,"context_line":"      - \u0027--http-host\u003d::1\u0027"},{"line_number":42,"context_line":"      - \u0027--proxy\u003dedge\u0027"},{"line_number":43,"context_line":"    volumes:"},{"line_number":44,"context_line":"      - /var/log/keycloak:/opt/keycloak/log"}],"source_content_type":"text/x-jinja2","patch_set":10,"id":"b46c256f_81bf3594","line":44,"updated":"2024-01-31 00:04:20.000000000","message":"You should add the same syslog logging to keycloak for consistency. That will preserve any stdout/stderr that keycloak writes outside of the docker logging system.","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"fa072996cf48a8a3722465656793b361c1c414e9","unresolved":false,"context_lines":[{"line_number":41,"context_line":"      - \u0027--http-host\u003d::1\u0027"},{"line_number":42,"context_line":"      - \u0027--proxy\u003dedge\u0027"},{"line_number":43,"context_line":"    volumes:"},{"line_number":44,"context_line":"      - /var/log/keycloak:/opt/keycloak/log"}],"source_content_type":"text/x-jinja2","patch_set":10,"id":"7735cd48_c5f260a7","line":44,"in_reply_to":"b46c256f_81bf3594","updated":"2024-01-31 16:35:21.000000000","message":"Done","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"}],"playbooks/zuul/templates/group_vars/keycloak.yaml.j2":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed 
fed"},"change_message_id":"c1a5cb4b89924b869eccd042b82bfad1b00e47a8","unresolved":false,"context_lines":[{"line_number":1,"context_line":"keycloak_admin_password: testpassword"},{"line_number":2,"context_line":"keycloak_root_db_password: testdbrootpass"},{"line_number":3,"context_line":"keycloak_db_password: testdbuserpass"}],"source_content_type":"text/x-jinja2","patch_set":10,"id":"6ba9c02c_eee06ee2","line":3,"updated":"2024-01-30 21:35:59.000000000","message":"I\u0027ve added these two new vars with random values to our private group_vars on bridge.","commit_id":"ebe9a69224a58c0ba52392e30ccadfd2e51fd11f"}],"testinfra/test_keycloak.py":[{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"85f3dc1598e27a3cad0512472c312f60f3ff4a05","unresolved":true,"context_lines":[{"line_number":21,"context_line":""},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"def test_rdbms_listening(host):"},{"line_number":24,"context_line":"    keycloak \u003d host.socket(\"tcp://::ffff:127.0.0.1:8080\")"},{"line_number":25,"context_line":"    assert keycloak.is_listening"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"def test_keycloak_listening(host):"}],"source_content_type":"text/x-python","patch_set":7,"id":"d2584235_de88b022","line":24,"range":{"start_line":24,"start_character":51,"end_line":24,"end_character":55},"updated":"2024-01-30 18:13:03.000000000","message":"The default port for mariadb/mysql is 3306.","commit_id":"cecaf64107d348f5b15f00b8714ae1ceb313343b"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"e1e28f601c269ac3e3e3c349343c7dc2b2cebe48","unresolved":false,"context_lines":[{"line_number":21,"context_line":""},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"def test_rdbms_listening(host):"},{"line_number":24,"context_line":"    keycloak \u003d 
host.socket(\"tcp://::ffff:127.0.0.1:8080\")"},{"line_number":25,"context_line":"    assert keycloak.is_listening"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"def test_keycloak_listening(host):"}],"source_content_type":"text/x-python","patch_set":7,"id":"d27a30bf_3fb28ca9","line":24,"range":{"start_line":24,"start_character":51,"end_line":24,"end_character":55},"in_reply_to":"d2584235_de88b022","updated":"2024-01-31 00:04:20.000000000","message":"Done","commit_id":"cecaf64107d348f5b15f00b8714ae1ceb313343b"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"49eea4503eaaee8b3d1c63cf649966e69142510c","unresolved":false,"context_lines":[{"line_number":35,"context_line":"                   \"-f /etc/keycloak-docker/docker-compose.yaml \""},{"line_number":36,"context_line":"                   \"exec -T mariadb bash -c \""},{"line_number":37,"context_line":"                   \"\u0027/usr/bin/mysqldump --opt --databases keycloak \""},{"line_number":38,"context_line":"                   \"--single-transaction -ukeycloak -ptestdbuserpass\u0027\")"},{"line_number":39,"context_line":"    assert (\"\u0027default-roles-master\u0027\" in cmd.stdout)"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"def test_keycloak_openid_config(host):"}],"source_content_type":"text/x-python","patch_set":12,"id":"d4ca71e1_33975193","line":38,"updated":"2024-01-31 19:19:41.000000000","message":"This was shamelessly plagiarized from our database backup cronjobs, but I could instead do a batch query from the command line like...\n\n  mysql -B -ptestdbuserpass -ukeycloak -e\n  \"select DESCRIPTION from keycloak.KEYCLOAK_ROLE where NAME\u003d\u0027default-roles-master\u0027\"\n\n...and then check that the output contains \"role_default-roles\". 
Anyone have a preference?","commit_id":"73047c69a9ff6a146ccfb3b0c7f4f0268682165c"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"c4d6b4923e045506b9e74fb3ef046b7f08e70561","unresolved":false,"context_lines":[{"line_number":35,"context_line":"                   \"-f /etc/keycloak-docker/docker-compose.yaml \""},{"line_number":36,"context_line":"                   \"exec -T mariadb bash -c \""},{"line_number":37,"context_line":"                   \"\u0027/usr/bin/mysqldump --opt --databases keycloak \""},{"line_number":38,"context_line":"                   \"--single-transaction -ukeycloak -ptestdbuserpass\u0027\")"},{"line_number":39,"context_line":"    assert (\"\u0027default-roles-master\u0027\" in cmd.stdout)"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"def test_keycloak_openid_config(host):"}],"source_content_type":"text/x-python","patch_set":12,"id":"cfd18941_89d0a09d","line":38,"in_reply_to":"d4ca71e1_33975193","updated":"2024-02-05 18:42:17.000000000","message":"I like using the docker version because it keeps passwords out of logs. 
To do so, you can edit this command to use the env var for the password instead.","commit_id":"73047c69a9ff6a146ccfb3b0c7f4f0268682165c"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"b6098d9085314704c7027f0a15eff55e8497ff61","unresolved":true,"context_lines":[{"line_number":39,"context_line":"    cmd \u003d host.run("},{"line_number":40,"context_line":"        \"\"\"docker-compose -f /etc/keycloak-docker/docker-compose.yaml \\"},{"line_number":41,"context_line":"        exec -T mariadb bash -c \u0027/usr/bin/mysql -B -p$MARIADB_PASSWORD \\"},{"line_number":42,"context_line":"        -ukeycloak -e \"%s\"\u0027\"\"\" % query)"},{"line_number":43,"context_line":"    assert (\"role_default-roles\" in cmd.stdout)"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"def test_keycloak_openid_config(host):"}],"source_content_type":"text/x-python","patch_set":22,"id":"a3f63a52_dd935836","line":42,"updated":"2024-02-06 21:11:08.000000000","message":"Nit: the docstrings here seem a bit overkill? 
But maybe that is to make the nest levels more clear?","commit_id":"f477e35561e0e9f45503cfc0ca70624d7a9d2792"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"33d742bee904dbd1d375ace5ecc6ec8539440572","unresolved":false,"context_lines":[{"line_number":39,"context_line":"    cmd \u003d host.run("},{"line_number":40,"context_line":"        \"\"\"docker-compose -f /etc/keycloak-docker/docker-compose.yaml \\"},{"line_number":41,"context_line":"        exec -T mariadb bash -c \u0027/usr/bin/mysql -B -p$MARIADB_PASSWORD \\"},{"line_number":42,"context_line":"        -ukeycloak -e \"%s\"\u0027\"\"\" % query)"},{"line_number":43,"context_line":"    assert (\"role_default-roles\" in cmd.stdout)"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"def test_keycloak_openid_config(host):"}],"source_content_type":"text/x-python","patch_set":22,"id":"a0b5d459_0df4c6d3","line":42,"updated":"2024-02-07 22:53:47.000000000","message":"Yes, the problem is that the final command includes a column name in a sql query string in a bash command line in a docker-compose exec parameter, so there\u0027s quoting four layers deep (not including the Python string quoting itself). I ran out of toothpicks, but happy to entertain a cleaner solution if you have one.","commit_id":"f477e35561e0e9f45503cfc0ca70624d7a9d2792"}]}
