)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"23ff6e9887c9648879b905e2c698dc3a47d5e5e0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"4450cd77_32bc9cf1","updated":"2021-11-29 14:50:05.000000000","message":"we should change this too: https://github.com/openstack/kolla-ansible/blob/fa2a0d572bd195a56e3843e024ac1fdada8e1764/ansible/roles/baremetal/tasks/pre-install.yml#L79-L111\nbecause docker tasks fails on apt_key behind the proxy in case of old methods used\n","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"c4ef1640e76a60b952489093e3f70ea5076b6d09","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"a66324c9_04c381d4","updated":"2022-03-03 14:42:35.000000000","message":"the only prerequisites was a blocker","commit_id":"ea81f088d21cbb1d4ecb5af03ee787474419f674"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"eda47aedfe684cd7f9b0af8eddf12cb16eccd911","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"9939820f_dcfefdf6","updated":"2022-03-22 16:24:37.000000000","message":"recheck","commit_id":"f1e8c5e1902e6989cee44affa852aff51f15640a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"c06561d14374542f46759ad78ada7c632134fad9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"a378d1b4_b507aee1","updated":"2022-03-22 12:33:23.000000000","message":"recheck","commit_id":"f1e8c5e1902e6989cee44affa852aff51f15640a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"f49d0f41c4efec4937a3961ee9f496a417523b75","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"13e79d20_7bed7010","updated":"2022-03-21 23:11:29.000000000","message":"recheck\n","commit_id":"f1e8c5e1902e6989cee44affa852aff51f15640a"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"889cdac3833e5e32cbdd3de12055c665d4141349","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"8dbabcf8_b1531b22","updated":"2022-03-22 21:02:00.000000000","message":"recheck\n","commit_id":"f1e8c5e1902e6989cee44affa852aff51f15640a"}],"ansible/roles/apt/defaults/main.yml":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"d059b69c05cd868a96fd50155f05a7be08d25158","unresolved":true,"context_lines":[{"line_number":12,"context_line":"apt_proxy_https: \"{{ apt_proxy_http }}\""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"# Directory containing GPG keyrings for apt repos."},{"line_number":15,"context_line":"apt_keys_path: \"/usr/local/share/keyrings\""},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"# List of apt keys. Each item is a dict containing the following keys:"},{"line_number":18,"context_line":"# * url: URL of key"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"973bcf6d_871d6d70","line":15,"updated":"2021-11-29 14:18:32.000000000","message":"why not /etc/apt/trusted.gpg.d/ ? which is still recommended in man-page http://manpages.ubuntu.com/manpages/jammy/man8/apt-key.8.html","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"},{"author":{"_account_id":33692,"name":"ANDREY GRISHIN","email":"zerapuka@inbox.ru"},"change_message_id":"70eb43586c051ed0e6f8296207aa2b42f30aa26f","unresolved":true,"context_lines":[{"line_number":12,"context_line":"apt_proxy_https: \"{{ apt_proxy_http }}\""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"# Directory containing GPG keyrings for apt repos."},{"line_number":15,"context_line":"apt_keys_path: \"/usr/local/share/keyrings\""},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"# List of apt keys. Each item is a dict containing the following keys:"},{"line_number":18,"context_line":"# * url: URL of key"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"b072b964_0595fdf0","line":15,"in_reply_to":"5a5d354c_ea6690cf","updated":"2021-12-01 14:29:21.000000000","message":"Because of use apt_key module here https://github.com/openstack/kolla-ansible/blob/fa2a0d572bd195a56e3843e024ac1fdada8e1764/ansible/roles/baremetal/tasks/pre-install.yml#L100-L105 without defining proxy we can put docker repo key to apt_keys variable in ansible/roles/apt/defaults/main.yml\nbut also we will need change apt_keys_path to default Ubuntu /etc/apt/trusted.gpg.d or installation will fail. Otherwise ansible apt_key module(and system apt-key util) will not see predefined docker repo key and fails installation because of trying to download this key without proxy.\n\nOr we need to change kolla-ansible code to smth like:\n```\n- name: Install docker apt gpg key\n  environment:\n    http_proxy: \"{{ apt_proxy_http | default(\u0027\u0027, true) }}\"\n    https_proxy: \"{{ apt_proxy_https | default(\u0027\u0027 ,true) }}\"\n  apt_key:\n    url: \"{{ docker_apt_url }}/{{ docker_apt_key_file }}\"\n    id: \"{{ docker_apt_key_id }}\"\n```\nand pass apt_proxy_http* variables from kayobe in ansible/roles/kolla-ansible/templates/globals.yml.j2\nwith smth like:\n```\n{% if apt_proxy_http is defined %}\n   apt_proxy_http: \"{{ apt_proxy_http }}\"\n{% endif %}\n{% if apt_proxy_https is defined %}\n   apt_proxy_https: \"{{ apt_proxy_https }}\"\n{% endif %}\n```\nBut in this case apt_key module anyway put its key to default Ubuntu directory","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"2ee5b4c450fb671e4a9f58fa81b9448babdb91ba","unresolved":true,"context_lines":[{"line_number":12,"context_line":"apt_proxy_https: \"{{ apt_proxy_http }}\""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"# Directory containing GPG keyrings for apt repos."},{"line_number":15,"context_line":"apt_keys_path: \"/usr/local/share/keyrings\""},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"# List of apt keys. Each item is a dict containing the following keys:"},{"line_number":18,"context_line":"# * url: URL of key"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"79fce52a_fb1a3aef","line":15,"in_reply_to":"5ed699fc_9d5cba9d","updated":"2021-12-22 11:54:52.000000000","message":"\u003e As I mentioned, apt_key is no longer recommended, and several sources point out that the new /etc/apt/trusted.gpg.d location is not ideal, since those keys become trusted for all repositories.\n\u003e \n\u003e Instead, in this approach we trust a specific key for each repository.\n\nok, but we support only Ubuntu for now!? and also the unoficial blog for Debian says \u0027/usr/share/keyrings\u0027 (which exist and provided by the ubuntu-keyring package) not \u0027/usr/local/share/keyrings/ as in your patch.\n\n\u003e As for the proxy issue, I suggest either fixing it in kolla-ansible, or setting enable_docker_repo to false and defining it in kayobe.\n\nindeed. nice catch!","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"fbd40b6702ef744baa0ee76086c52b9d8c1acfd2","unresolved":true,"context_lines":[{"line_number":12,"context_line":"apt_proxy_https: \"{{ apt_proxy_http }}\""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"# Directory containing GPG keyrings for apt repos."},{"line_number":15,"context_line":"apt_keys_path: \"/usr/local/share/keyrings\""},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"# List of apt keys. Each item is a dict containing the following keys:"},{"line_number":18,"context_line":"# * url: URL of key"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"57a65085_9e9e61aa","line":15,"in_reply_to":"79fce52a_fb1a3aef","updated":"2022-03-03 13:50:16.000000000","message":"/usr/share and /usr/local/share have a similar purpose, but this (and wikipedia) suggest /usr/local/share might be more appropriate here.\n\nhttps://askubuntu.com/questions/1150090/usr-share-vs-usr-local-share-where-to-install-ca-certs","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"47da14b2d725535cb640f3da5431490a969238ef","unresolved":true,"context_lines":[{"line_number":12,"context_line":"apt_proxy_https: \"{{ apt_proxy_http }}\""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"# Directory containing GPG keyrings for apt repos."},{"line_number":15,"context_line":"apt_keys_path: \"/usr/local/share/keyrings\""},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"# List of apt keys. Each item is a dict containing the following keys:"},{"line_number":18,"context_line":"# * url: URL of key"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"c00b8341_1b545d69","line":15,"in_reply_to":"973bcf6d_871d6d70","updated":"2021-11-29 20:12:46.000000000","message":"Putting keys there makes them trusted by all repos, whereas this location is not trusted by default. See e.g. https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"8a695c39e5899dada7c27d798781cb91e0f9a236","unresolved":true,"context_lines":[{"line_number":12,"context_line":"apt_proxy_https: \"{{ apt_proxy_http }}\""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"# Directory containing GPG keyrings for apt repos."},{"line_number":15,"context_line":"apt_keys_path: \"/usr/local/share/keyrings\""},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"# List of apt keys. Each item is a dict containing the following keys:"},{"line_number":18,"context_line":"# * url: URL of key"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"5ed699fc_9d5cba9d","line":15,"in_reply_to":"b072b964_0595fdf0","updated":"2021-12-21 11:28:33.000000000","message":"As I mentioned, apt_key is no longer recommended, and several sources point out that the new /etc/apt/trusted.gpg.d location is not ideal, since those keys become trusted for all repositories.\n\nInstead, in this approach we trust a specific key for each repository.\n\nAs for the proxy issue, I suggest either fixing it in kolla-ansible, or setting enable_docker_repo to false and defining it in kayobe.","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"631ca715dfb8d5beec393dab16bc953223b5362c","unresolved":false,"context_lines":[{"line_number":12,"context_line":"apt_proxy_https: \"{{ apt_proxy_http }}\""},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"# Directory containing GPG keyrings for apt repos."},{"line_number":15,"context_line":"apt_keys_path: \"/usr/local/share/keyrings\""},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"# List of apt keys. Each item is a dict containing the following keys:"},{"line_number":18,"context_line":"# * url: URL of key"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"5a5d354c_ea6690cf","line":15,"in_reply_to":"c00b8341_1b545d69","updated":"2021-11-29 20:34:15.000000000","message":"and why we don\u0027t support defaults? BTW we support only Ubuntu in the Debian world: https://docs.openstack.org/kayobe/latest/support-matrix.html","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"}],"ansible/roles/apt/tasks/prerequisites.yml":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"962b94393ee43d33633881f88b4ef19614a664c6","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Install CA certificates and gnupg packages"},{"line_number":3,"context_line":"  package:"},{"line_number":4,"context_line":"    name:"},{"line_number":5,"context_line":"      - ca-certificates"},{"line_number":6,"context_line":"      - gnupg"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"1c8fc9e5_2e63960f","line":3,"updated":"2021-12-03 09:55:55.000000000","message":"the problem of the egg and chicken: we install packages before repos are configured. in the air-gapped environments where we configure our own mirrors this tack fail first!\nthis should be changed to warning or fail message and requirements should be moved to the provisioning and/or used images (the cloud image already contains these packages).","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"2ee5b4c450fb671e4a9f58fa81b9448babdb91ba","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Install CA certificates and gnupg packages"},{"line_number":3,"context_line":"  package:"},{"line_number":4,"context_line":"    name:"},{"line_number":5,"context_line":"      - ca-certificates"},{"line_number":6,"context_line":"      - gnupg"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"f26b0580_6bc9c8b0","line":3,"in_reply_to":"0be21e51_91d52712","updated":"2021-12-22 11:54:52.000000000","message":"this task can be safely removed at all. we already have these packages in the cloud image and docker containers when it executed. the cache updated after the repos configuration tasks anyway.","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"8a695c39e5899dada7c27d798781cb91e0f9a236","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Install CA certificates and gnupg packages"},{"line_number":3,"context_line":"  package:"},{"line_number":4,"context_line":"    name:"},{"line_number":5,"context_line":"      - ca-certificates"},{"line_number":6,"context_line":"      - gnupg"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"0be21e51_91d52712","line":3,"in_reply_to":"1c8fc9e5_2e63960f","updated":"2021-12-21 11:28:33.000000000","message":"Yes, that is a problem. We do need these packages in place however.\n\nI think the part that will fail is the cache update. How about doing a separate cache update first, and allowing it to fail, but require the package install task to succeed?","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"c4ef1640e76a60b952489093e3f70ea5076b6d09","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Install CA certificates and gnupg packages"},{"line_number":3,"context_line":"  package:"},{"line_number":4,"context_line":"    name:"},{"line_number":5,"context_line":"      - ca-certificates"},{"line_number":6,"context_line":"      - gnupg"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"5974c488_8b3ae1da","line":3,"in_reply_to":"dd117cc3_4e200586","updated":"2022-03-03 14:42:35.000000000","message":"thanks!","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"fbd40b6702ef744baa0ee76086c52b9d8c1acfd2","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- name: Install CA certificates and gnupg packages"},{"line_number":3,"context_line":"  package:"},{"line_number":4,"context_line":"    name:"},{"line_number":5,"context_line":"      - ca-certificates"},{"line_number":6,"context_line":"      - gnupg"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"dd117cc3_4e200586","line":3,"in_reply_to":"f26b0580_6bc9c8b0","updated":"2022-03-03 13:50:16.000000000","message":"Done","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"}],"ansible/roles/apt/tasks/repos.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"df27452196758699e8a2057c2a51d89376f6e138","unresolved":true,"context_lines":[{"line_number":16,"context_line":"  replace:"},{"line_number":17,"context_line":"    path: /etc/apt/sources.list"},{"line_number":18,"context_line":"    regexp: \u0027^(deb.*)\u0027"},{"line_number":19,"context_line":"    replace: \u0027# \\1\u0027"},{"line_number":20,"context_line":"  when: apt_disable_sources_list | bool"},{"line_number":21,"context_line":"  become: true"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"8108f46b_72174b92","line":19,"updated":"2021-11-15 17:16:11.000000000","message":"Consider using the backup option here.","commit_id":"b3e4cb9c28eb3cf87acb0f9f94486e49ecf56ca2"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"fbd40b6702ef744baa0ee76086c52b9d8c1acfd2","unresolved":false,"context_lines":[{"line_number":16,"context_line":"  replace:"},{"line_number":17,"context_line":"    path: /etc/apt/sources.list"},{"line_number":18,"context_line":"    regexp: \u0027^(deb.*)\u0027"},{"line_number":19,"context_line":"    replace: \u0027# \\1\u0027"},{"line_number":20,"context_line":"  when: apt_disable_sources_list | bool"},{"line_number":21,"context_line":"  become: true"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"9ba7f13d_59421bb3","line":19,"in_reply_to":"8108f46b_72174b92","updated":"2022-03-03 13:50:16.000000000","message":"Done","commit_id":"b3e4cb9c28eb3cf87acb0f9f94486e49ecf56ca2"}],"doc/source/configuration/reference/hosts.rst":[{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"076cd274358fc13207f46426ab132e2e7708a292","unresolved":false,"context_lines":[{"line_number":332,"context_line":"  default is ``ansible_facts.distribution_release``)"},{"line_number":333,"context_line":"* ``components``: whitespace-separated list of components, e.g. ``main``"},{"line_number":334,"context_line":"  (optional, default is ``main``)"},{"line_number":335,"context_line":"* ``signed_by``: whitespace-separated list of names of GPG keyring files in"},{"line_number":336,"context_line":"  ``apt_keys_path`` (optional, default is unset)"},{"line_number":337,"context_line":"* ``architecture``: whitespace-separated list of architectures that will be used"},{"line_number":338,"context_line":"  (optional, default is unset)"}],"source_content_type":"text/x-rst","patch_set":9,"id":"10fc0e98_bf3a4f2d","line":335,"updated":"2021-11-29 20:37:31.000000000","message":"another one point, this can\u0027t be optional if repo is signed! otherwise will fail because of not default path for gpg-keys.","commit_id":"e58e23238095c02b2d88450ee79513b7a3b46a25"}]}