)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"5c44b3ead88f13459afb07df689e8c2c300f072a","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Michal Nasiadka \u003cmnasiadka@gmail.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2019-12-12 16:42:02 +0100"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Restart keystone container after fernet bootstrap"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"There are cases when a multinode deployment ends up in unusable"},{"line_number":10,"context_line":"keystone public wsgi on some nodes."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"3fa7e38b_27f80d7a","line":7,"updated":"2019-12-12 15:50:34.000000000","message":"Needs updating","commit_id":"2d10a1f82fd6d2af52b2f969fb7eff9e99cb4a63"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"5c44b3ead88f13459afb07df689e8c2c300f072a","unresolved":false,"context_lines":[{"line_number":11,"context_line":""},{"line_number":12,"context_line":"The root cause is that keystone public wsgi doesn\u0027t find fernet"},{"line_number":13,"context_line":"keys on startup - and then persists on sending 500 errors to any"},{"line_number":14,"context_line":"requests."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Change-Id: I63709c2e3f6a893db82a05640da78f492bf8440f"},{"line_number":17,"context_line":"Closes-Bug: #1846789"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"3fa7e38b_07e951a9","line":14,"updated":"2019-12-12 15:50:34.000000000","message":"Due to a race condition between fernet_setup/fernet-push.sh and keystone 
startup.","commit_id":"2d10a1f82fd6d2af52b2f969fb7eff9e99cb4a63"}],"ansible/library/kolla_docker.py":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"0e28b17a62a552239cb97b665d67df0819b48639","unresolved":false,"context_lines":[{"line_number":822,"context_line":"        name \u003d self.params.get(\u0027name\u0027)"},{"line_number":823,"context_line":"        info \u003d self.get_container_info()"},{"line_number":824,"context_line":"        if not info:"},{"line_number":825,"context_line":"            self.module.fail_json(msg\u003d\"No such container: {}\".format(name))"},{"line_number":826,"context_line":"        else:"},{"line_number":827,"context_line":"            self.module.exit_json(**info[\u0027State\u0027])"},{"line_number":828,"context_line":""}],"source_content_type":"text/x-python","patch_set":38,"id":"3fa7e38b_e06e8963","side":"PARENT","line":825,"updated":"2020-01-24 12:41:03.000000000","message":"will break usage where asking for Status\n\nSince it\u0027s for our use I would just return \"No such container\" for status","commit_id":"91c3dfe91c931ba640a243fe787c0c9fa93f0db2"}],"ansible/roles/keystone/handlers/main.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"5c44b3ead88f13459afb07df689e8c2c300f072a","unresolved":false,"context_lines":[{"line_number":65,"context_line":"  until: check_keystone_ssh_port is success"},{"line_number":66,"context_line":"  retries: 10"},{"line_number":67,"context_line":"  delay: 5"},{"line_number":68,"context_line":"  listen: \"Restart keystone-fernet container\""},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"- name: Initialise fernet key authentication"},{"line_number":71,"context_line":"  become: 
true"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"3fa7e38b_870b017a","line":68,"updated":"2019-12-12 15:50:34.000000000","message":"when:\n  - kolla_action in [\"deploy\", \"reconfigure\"]\n\non all of these","commit_id":"2d10a1f82fd6d2af52b2f969fb7eff9e99cb4a63"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"5c44b3ead88f13459afb07df689e8c2c300f072a","unresolved":false,"context_lines":[{"line_number":69,"context_line":""},{"line_number":70,"context_line":"- name: Initialise fernet key authentication"},{"line_number":71,"context_line":"  become: true"},{"line_number":72,"context_line":"  command: \"docker exec -t keystone_fernet keystone-manage --config-file /etc/keystone/keystone.conf fernet_setup --keystone-user {{ keystone_username }} --keystone-group{{ keystone_groupname }}\""},{"line_number":73,"context_line":"  register: fernet_create"},{"line_number":74,"context_line":"  changed_when: \"fernet_create.stdout.find(\u0027Key repository is already initialized\u0027) !\u003d -1\""},{"line_number":75,"context_line":"  until: fernet_create is success"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"3fa7e38b_472189fb","line":72,"range":{"start_line":72,"start_character":165,"end_line":72,"end_character":170},"updated":"2019-12-12 15:50:34.000000000","message":"missing space","commit_id":"2d10a1f82fd6d2af52b2f969fb7eff9e99cb4a63"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"5c44b3ead88f13459afb07df689e8c2c300f072a","unresolved":false,"context_lines":[{"line_number":77,"context_line":"  delay: 5"},{"line_number":78,"context_line":"  run_once: True"},{"line_number":79,"context_line":"  delegate_to: \"{{ groups[\u0027keystone\u0027][0] }}\""},{"line_number":80,"context_line":"  listen: \"Restart keystone-fernet 
container\""},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"- name: Run key distribution"},{"line_number":83,"context_line":"  become: true"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"3fa7e38b_8780e1bf","line":80,"updated":"2019-12-12 15:50:34.000000000","message":"If we now trust the \u0027changed\u0027 flag, we could notify \u0027Run key distribution\u0027","commit_id":"2d10a1f82fd6d2af52b2f969fb7eff9e99cb4a63"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"5c44b3ead88f13459afb07df689e8c2c300f072a","unresolved":false,"context_lines":[{"line_number":84,"context_line":"  command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh"},{"line_number":85,"context_line":"  run_once: True"},{"line_number":86,"context_line":"  delegate_to: \"{{ groups[\u0027keystone\u0027][0] }}\""},{"line_number":87,"context_line":"  listen: \"Restart keystone-fernet container\""},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"- name: Restart keystone container"},{"line_number":90,"context_line":"  vars:"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"3fa7e38b_27548d53","line":87,"updated":"2019-12-12 15:50:34.000000000","message":"Remove if doing the above notify trick","commit_id":"2d10a1f82fd6d2af52b2f969fb7eff9e99cb4a63"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"7dcbb6082f64888b9d43dc39f81a2d5b9d55568b","unresolved":false,"context_lines":[{"line_number":89,"context_line":"  command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh"},{"line_number":90,"context_line":"  run_once: True"},{"line_number":91,"context_line":"  delegate_to: \"{{ groups[\u0027keystone\u0027][0] }}\""},{"line_number":92,"context_line":"  when:"},{"line_number":93,"context_line":"    - kolla_action in [\"deploy\", 
\"reconfigure\"]"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"- name: Restart keystone container"},{"line_number":96,"context_line":"  vars:"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"3fa7e38b_1d23e0bf","line":93,"range":{"start_line":92,"start_character":0,"end_line":93,"end_character":47},"updated":"2019-12-12 17:45:52.000000000","message":"nit: not required","commit_id":"cbf01ac2e9dde641989432481066a3bc8c389048"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"7ced123b0e1337312d23fac9fe7e1dac91d6948d","unresolved":false,"context_lines":[{"line_number":65,"context_line":"  until: check_keystone_ssh_port is success"},{"line_number":66,"context_line":"  retries: 10"},{"line_number":67,"context_line":"  delay: 5"},{"line_number":68,"context_line":"  listen: \"Restart keystone container\""},{"line_number":69,"context_line":"  when:"},{"line_number":70,"context_line":"    - kolla_action in [\"deploy\", \"reconfigure\"]"},{"line_number":71,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":7,"id":"3fa7e38b_96b32d09","line":68,"range":{"start_line":68,"start_character":11,"end_line":68,"end_character":37},"updated":"2019-12-12 20:12:02.000000000","message":"Restart keystone-ssh container","commit_id":"7c416eb60958d8c31b765a4a099d246741f1c540"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"49055334f5f7439d440895d9ac2887a7c64a1269","unresolved":false,"context_lines":[{"line_number":65,"context_line":"  until: check_keystone_ssh_port is success"},{"line_number":66,"context_line":"  retries: 10"},{"line_number":67,"context_line":"  delay: 5"},{"line_number":68,"context_line":"  listen: \"Restart keystone container\""},{"line_number":69,"context_line":" 
 when:"},{"line_number":70,"context_line":"    - kolla_action in [\"deploy\", \"reconfigure\"]"},{"line_number":71,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":7,"id":"3fa7e38b_9bc5910c","line":68,"range":{"start_line":68,"start_character":11,"end_line":68,"end_character":37},"in_reply_to":"3fa7e38b_3bf33da1","updated":"2019-12-13 06:16:35.000000000","message":"Well - as a second thought - we might, but the downside is we trust keystone-ssh to be running correctly when something triggers only keystone container restart...","commit_id":"7c416eb60958d8c31b765a4a099d246741f1c540"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"5b95038e4a37df5cb507442a3dfeb06ae1e59ab2","unresolved":false,"context_lines":[{"line_number":65,"context_line":"  until: check_keystone_ssh_port is success"},{"line_number":66,"context_line":"  retries: 10"},{"line_number":67,"context_line":"  delay: 5"},{"line_number":68,"context_line":"  listen: \"Restart keystone container\""},{"line_number":69,"context_line":"  when:"},{"line_number":70,"context_line":"    - kolla_action in [\"deploy\", \"reconfigure\"]"},{"line_number":71,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":7,"id":"3fa7e38b_3bf33da1","line":68,"range":{"start_line":68,"start_character":11,"end_line":68,"end_character":37},"in_reply_to":"3fa7e38b_96b32d09","updated":"2019-12-13 06:03:13.000000000","message":"Nope.","commit_id":"7c416eb60958d8c31b765a4a099d246741f1c540"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"94195d58997dd896579bea279b8feca22c35445b","unresolved":false,"context_lines":[{"line_number":65,"context_line":"  until: check_keystone_ssh_port is success"},{"line_number":66,"context_line":"  retries: 
10"},{"line_number":67,"context_line":"  delay: 5"},{"line_number":68,"context_line":"  listen: \"Restart keystone container\""},{"line_number":69,"context_line":"  when:"},{"line_number":70,"context_line":"    - kolla_action in [\"deploy\", \"reconfigure\"]"},{"line_number":71,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":7,"id":"3fa7e38b_c6a6d0ac","line":68,"range":{"start_line":68,"start_character":11,"end_line":68,"end_character":37},"in_reply_to":"3fa7e38b_9bc5910c","updated":"2019-12-13 08:33:09.000000000","message":"Yeah, that\u0027s the problem with these handlers. Init is actually one-off stuff.","commit_id":"7c416eb60958d8c31b765a4a099d246741f1c540"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"6fd4003bbd2acde720224574ca28a632002babd1","unresolved":false,"context_lines":[{"line_number":72,"context_line":"- name: Run key distribution"},{"line_number":73,"context_line":"  become: true"},{"line_number":74,"context_line":"  command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh"},{"line_number":75,"context_line":"  run_once: True"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"- name: Initialise fernet key authentication and run key distribution"},{"line_number":78,"context_line":"  become: true"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_9c1b447e","line":75,"range":{"start_line":75,"start_character":2,"end_line":75,"end_character":10},"updated":"2019-12-13 14:40:31.000000000","message":"I think there needs to be a bit more control over which host does this.","commit_id":"b6496744835b2539fbf9ad8b5d0cc637e045785a"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 
7bulls.com"},"change_message_id":"d6161fc81b914ec68dc69bde74ee9fa0228947e6","unresolved":false,"context_lines":[{"line_number":72,"context_line":"- name: Run key distribution"},{"line_number":73,"context_line":"  become: true"},{"line_number":74,"context_line":"  command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh"},{"line_number":75,"context_line":"  run_once: True"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"- name: Initialise fernet key authentication and run key distribution"},{"line_number":78,"context_line":"  become: true"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_2fed3423","line":75,"range":{"start_line":75,"start_character":2,"end_line":75,"end_character":10},"in_reply_to":"3fa7e38b_9c1b447e","updated":"2019-12-13 14:50:53.000000000","message":"run_once not needed in handler - only notified host will run this","commit_id":"b6496744835b2539fbf9ad8b5d0cc637e045785a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"6fd4003bbd2acde720224574ca28a632002babd1","unresolved":false,"context_lines":[{"line_number":74,"context_line":"  command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh"},{"line_number":75,"context_line":"  run_once: True"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"- name: Initialise fernet key authentication and run key distribution"},{"line_number":78,"context_line":"  become: true"},{"line_number":79,"context_line":"  command: \"docker exec -t keystone_fernet keystone-manage --config-file /etc/keystone/keystone.conf fernet_setup --keystone-user {{ keystone_username }} --keystone-group {{ keystone_groupname }}\""},{"line_number":80,"context_line":"  register: fernet_create"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_1c1e7473","line":77,"range":{"start_line":77,"start_character":44,"end_line":77,"end_character":69},"updated":"2019-12-13 
14:40:31.000000000","message":"This task isn\u0027t doing it","commit_id":"b6496744835b2539fbf9ad8b5d0cc637e045785a"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"3903b66100b6400af93dc913b64d8c5f2ef545b4","unresolved":false,"context_lines":[{"line_number":74,"context_line":"  command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh"},{"line_number":75,"context_line":"  run_once: True"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"- name: Initialise fernet key authentication and run key distribution"},{"line_number":78,"context_line":"  become: true"},{"line_number":79,"context_line":"  command: \"docker exec -t keystone_fernet keystone-manage --config-file /etc/keystone/keystone.conf fernet_setup --keystone-user {{ keystone_username }} --keystone-group {{ keystone_groupname }}\""},{"line_number":80,"context_line":"  register: fernet_create"}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_ed53a46a","line":77,"range":{"start_line":77,"start_character":44,"end_line":77,"end_character":69},"in_reply_to":"3fa7e38b_1c1e7473","updated":"2019-12-13 16:56:09.000000000","message":"Yeah, fixed - leftover from another idea.","commit_id":"b6496744835b2539fbf9ad8b5d0cc637e045785a"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"d6161fc81b914ec68dc69bde74ee9fa0228947e6","unresolved":false,"context_lines":[{"line_number":85,"context_line":"  run_once: True"},{"line_number":86,"context_line":"  delegate_to: \"{{ groups[\u0027keystone\u0027][0] }}\""},{"line_number":87,"context_line":"  listen: \"Restart keystone container\""},{"line_number":88,"context_line":"  notify: \"Run key distribution\""},{"line_number":89,"context_line":"  
when:"},{"line_number":90,"context_line":"    - kolla_action in [\"deploy\", \"reconfigure\"]"},{"line_number":91,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_afe04428","line":88,"range":{"start_line":88,"start_character":2,"end_line":88,"end_character":32},"updated":"2019-12-13 14:50:53.000000000","message":"might be too late","commit_id":"b6496744835b2539fbf9ad8b5d0cc637e045785a"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"8f822ee81175c37d9bf89005428cb6c1d52f2e61","unresolved":false,"context_lines":[{"line_number":85,"context_line":"  run_once: True"},{"line_number":86,"context_line":"  delegate_to: \"{{ groups[\u0027keystone\u0027][0] }}\""},{"line_number":87,"context_line":"  listen: \"Restart keystone container\""},{"line_number":88,"context_line":"  notify: \"Run key distribution\""},{"line_number":89,"context_line":"  when:"},{"line_number":90,"context_line":"    - kolla_action in [\"deploy\", \"reconfigure\"]"},{"line_number":91,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_cb46c6a8","line":88,"range":{"start_line":88,"start_character":2,"end_line":88,"end_character":32},"in_reply_to":"3fa7e38b_4dce782c","updated":"2019-12-15 10:32:04.000000000","message":"Well, the handler is above this, so it will run in another handlers session (not this one).","commit_id":"b6496744835b2539fbf9ad8b5d0cc637e045785a"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"3903b66100b6400af93dc913b64d8c5f2ef545b4","unresolved":false,"context_lines":[{"line_number":85,"context_line":"  run_once: True"},{"line_number":86,"context_line":"  delegate_to: \"{{ groups[\u0027keystone\u0027][0] }}\""},{"line_number":87,"context_line":"  listen: 
\"Restart keystone container\""},{"line_number":88,"context_line":"  notify: \"Run key distribution\""},{"line_number":89,"context_line":"  when:"},{"line_number":90,"context_line":"    - kolla_action in [\"deploy\", \"reconfigure\"]"},{"line_number":91,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_4dce782c","line":88,"range":{"start_line":88,"start_character":2,"end_line":88,"end_character":32},"in_reply_to":"3fa7e38b_afe04428","updated":"2019-12-13 16:56:09.000000000","message":"Well, not really - we need to run key distribution in two cases:\n1) Bootstrap (init fernet + distribution)\n2) Adding new host (distribution only)","commit_id":"b6496744835b2539fbf9ad8b5d0cc637e045785a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"f3fbb5d27d22dd713fcb4b904e528e99ada6aed2","unresolved":false,"context_lines":[{"line_number":90,"context_line":"  command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh"},{"line_number":91,"context_line":"  run_once: True"},{"line_number":92,"context_line":"  listen: \"Restart keystone container\""},{"line_number":93,"context_line":"  delegate_to: \"{{ groups[\u0027keystone\u0027][0] }}\""},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"- name: Restart keystone container"},{"line_number":96,"context_line":"  vars:"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_aa9a59c1","line":93,"updated":"2019-12-16 15:27:59.000000000","message":"when:\n  - kolla_action in [\"deploy\", \"reconfigure\"]","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"}],"ansible/roles/keystone/tasks/bootstrap.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"f3fbb5d27d22dd713fcb4b904e528e99ada6aed2","unresolved":false,"context_lines":[{"line_number":41,"context_line":"  register: 
fernet_container_state"},{"line_number":42,"context_line":"  failed_when: false"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"- block:"},{"line_number":45,"context_line":"    - name: Run key distribution when new host needs to be bootstrapped"},{"line_number":46,"context_line":"      command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh"},{"line_number":47,"context_line":"      run_once: true"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_aae81915","line":44,"range":{"start_line":44,"start_character":2,"end_line":44,"end_character":7},"updated":"2019-12-16 15:27:59.000000000","message":"Block is a bit weird here. Could just do this:\n\nwhen:\n  - not (fernet_container_state | select(\u0027match\u0027, \u0027No such container\u0027))\n  - \u003e\n    (groups[\u0027keystone\u0027] | length) \u003e\n    (ansible_play_hosts | map(\u0027extract\u0027, hostvars, \u0027fernet_container_state\u0027) |\n    selectattr(\u0027Status\u0027, \u0027equalto\u0027, \u0027running\u0027) | map(attribute\u003d\u0027Status\u0027) | list | length)","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"d6747f885207b45adb781cc1f53eff3039cd7232","unresolved":false,"context_lines":[{"line_number":41,"context_line":"  register: fernet_container_state"},{"line_number":42,"context_line":"  failed_when: false"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"- block:"},{"line_number":45,"context_line":"    - name: Run key distribution when new host needs to be bootstrapped"},{"line_number":46,"context_line":"      command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh"},{"line_number":47,"context_line":"      run_once: 
true"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_659ed207","line":44,"range":{"start_line":44,"start_character":2,"end_line":44,"end_character":7},"in_reply_to":"3fa7e38b_aae81915","updated":"2019-12-16 15:46:53.000000000","message":"Ok, will test.","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"f3fbb5d27d22dd713fcb4b904e528e99ada6aed2","unresolved":false,"context_lines":[{"line_number":44,"context_line":"- block:"},{"line_number":45,"context_line":"    - name: Run key distribution when new host needs to be bootstrapped"},{"line_number":46,"context_line":"      command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh"},{"line_number":47,"context_line":"      run_once: true"},{"line_number":48,"context_line":"      when: \u003e"},{"line_number":49,"context_line":"        (groups[\u0027keystone\u0027] | length) \u003e"},{"line_number":50,"context_line":"        (ansible_play_hosts | map(\u0027extract\u0027, hostvars, \u0027fernet_container_state\u0027) |"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_a5836a55","line":47,"range":{"start_line":47,"start_character":6,"end_line":47,"end_character":20},"updated":"2019-12-16 15:27:59.000000000","message":"run_once and when interact a bit weirdly here - run_once picks a random (maybe) host. Then when determines if the task runs. 
You need delegate_to to ensure you run on a host where keystone_fernet is running.","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"d6747f885207b45adb781cc1f53eff3039cd7232","unresolved":false,"context_lines":[{"line_number":44,"context_line":"- block:"},{"line_number":45,"context_line":"    - name: Run key distribution when new host needs to be bootstrapped"},{"line_number":46,"context_line":"      command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh"},{"line_number":47,"context_line":"      run_once: true"},{"line_number":48,"context_line":"      when: \u003e"},{"line_number":49,"context_line":"        (groups[\u0027keystone\u0027] | length) \u003e"},{"line_number":50,"context_line":"        (ansible_play_hosts | map(\u0027extract\u0027, hostvars, \u0027fernet_container_state\u0027) |"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_e5f40258","line":47,"range":{"start_line":47,"start_character":6,"end_line":47,"end_character":20},"in_reply_to":"3fa7e38b_a5836a55","updated":"2019-12-16 15:46:53.000000000","message":"Right, let\u0027s see if that is easily achievable.","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"f3fbb5d27d22dd713fcb4b904e528e99ada6aed2","unresolved":false,"context_lines":[{"line_number":48,"context_line":"      when: \u003e"},{"line_number":49,"context_line":"        (groups[\u0027keystone\u0027] | length) \u003e"},{"line_number":50,"context_line":"        (ansible_play_hosts | map(\u0027extract\u0027, hostvars, \u0027fernet_container_state\u0027) |"},{"line_number":51,"context_line":"        selectattr(\u0027Status\u0027, \u0027equalto\u0027, \u0027running\u0027) | map(attribute\u003d\u0027Status\u0027) | list | 
length)"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"  when: not (fernet_container_state | select(\u0027match\u0027, \u0027No such container\u0027))"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_65f25208","line":51,"range":{"start_line":51,"start_character":51,"end_line":51,"end_character":76},"updated":"2019-12-16 15:27:59.000000000","message":"nit: I don\u0027t think this last map is necessary if we just want a length.","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"d6747f885207b45adb781cc1f53eff3039cd7232","unresolved":false,"context_lines":[{"line_number":48,"context_line":"      when: \u003e"},{"line_number":49,"context_line":"        (groups[\u0027keystone\u0027] | length) \u003e"},{"line_number":50,"context_line":"        (ansible_play_hosts | map(\u0027extract\u0027, hostvars, \u0027fernet_container_state\u0027) |"},{"line_number":51,"context_line":"        selectattr(\u0027Status\u0027, \u0027equalto\u0027, \u0027running\u0027) | map(attribute\u003d\u0027Status\u0027) | list | length)"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"  when: not (fernet_container_state | select(\u0027match\u0027, \u0027No such container\u0027))"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_e5dba2e7","line":51,"range":{"start_line":51,"start_character":51,"end_line":51,"end_character":76},"in_reply_to":"3fa7e38b_65f25208","updated":"2019-12-16 15:46:53.000000000","message":"Right.","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"},{"author":{"_account_id":14826,"name":"Mark 
Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"f3fbb5d27d22dd713fcb4b904e528e99ada6aed2","unresolved":false,"context_lines":[{"line_number":50,"context_line":"        (ansible_play_hosts | map(\u0027extract\u0027, hostvars, \u0027fernet_container_state\u0027) |"},{"line_number":51,"context_line":"        selectattr(\u0027Status\u0027, \u0027equalto\u0027, \u0027running\u0027) | map(attribute\u003d\u0027Status\u0027) | list | length)"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"  when: not (fernet_container_state | select(\u0027match\u0027, \u0027No such container\u0027))"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"- include_tasks: bootstrap_service.yml"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_65401208","line":53,"range":{"start_line":53,"start_character":8,"end_line":53,"end_character":75},"updated":"2019-12-16 15:27:59.000000000","message":"Is this select used to match on every field in the dict? 
Could we just use the actual field that has the message?","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"d6747f885207b45adb781cc1f53eff3039cd7232","unresolved":false,"context_lines":[{"line_number":50,"context_line":"        (ansible_play_hosts | map(\u0027extract\u0027, hostvars, \u0027fernet_container_state\u0027) |"},{"line_number":51,"context_line":"        selectattr(\u0027Status\u0027, \u0027equalto\u0027, \u0027running\u0027) | map(attribute\u003d\u0027Status\u0027) | list | length)"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"  when: not (fernet_container_state | select(\u0027match\u0027, \u0027No such container\u0027))"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"- include_tasks: bootstrap_service.yml"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_65d012ca","line":53,"range":{"start_line":53,"start_character":8,"end_line":53,"end_character":75},"in_reply_to":"3fa7e38b_65401208","updated":"2019-12-16 15:46:53.000000000","message":"I would love to, but the module is very inconsistent in it\u0027s return messages:\nOutput when container exists:\n    \"fernet_exists\": {\n        \"Dead\": false,\n        \"Error\": \"\",\n        \"ExitCode\": 0,\n        \"FinishedAt\": \"0001-01-01T00:00:00Z\",\n        \"OOMKilled\": false,\n        \"Paused\": false,\n        \"Pid\": 14809,\n        \"Restarting\": false,\n        \"Running\": true,\n        \"StartedAt\": \"2019-12-13T18:22:37.347788682Z\",\n        \"Status\": \"running\",\n        \"changed\": false,\n        \"failed\": false\n    }\n\nOutput when container does not exist:\n    \"fernet_exists\": {\n        \"changed\": false,\n        \"failed\": false,\n        \"failed_when_result\": false,\n        \"msg\": \"No such container: cron2\"\n    
}","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"67c63b5b5b32c32b128a9464fef7f8da946b7c54","unresolved":false,"context_lines":[{"line_number":50,"context_line":"        (ansible_play_hosts | map(\u0027extract\u0027, hostvars, \u0027fernet_container_state\u0027) |"},{"line_number":51,"context_line":"        selectattr(\u0027Status\u0027, \u0027equalto\u0027, \u0027running\u0027) | map(attribute\u003d\u0027Status\u0027) | list | length)"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"  when: not (fernet_container_state | select(\u0027match\u0027, \u0027No such container\u0027))"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"- include_tasks: bootstrap_service.yml"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_c501c609","line":53,"range":{"start_line":53,"start_character":8,"end_line":53,"end_character":75},"in_reply_to":"3fa7e38b_65d012ca","updated":"2019-12-16 15:55:03.000000000","message":"when: fernet_exists.msg | default(\u0027\u0027) is not match(\u0027No such container\u0027)","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"f3fbb5d27d22dd713fcb4b904e528e99ada6aed2","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        selectattr(\u0027Status\u0027, \u0027equalto\u0027, \u0027running\u0027) | map(attribute\u003d\u0027Status\u0027) | list | length)"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"  when: not (fernet_container_state | select(\u0027match\u0027, \u0027No such container\u0027))"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"- include_tasks: 
bootstrap_service.yml"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_05ca7e6e","line":54,"updated":"2019-12-16 15:27:59.000000000","message":"We do have an issue here that when adding a new host it won\u0027t have the keystone_ssh container running.","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"d6747f885207b45adb781cc1f53eff3039cd7232","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        selectattr(\u0027Status\u0027, \u0027equalto\u0027, \u0027running\u0027) | map(attribute\u003d\u0027Status\u0027) | list | length)"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"  when: not (fernet_container_state | select(\u0027match\u0027, \u0027No such container\u0027))"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"- include_tasks: bootstrap_service.yml"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_c5dea6da","line":54,"in_reply_to":"3fa7e38b_05ca7e6e","updated":"2019-12-16 15:46:53.000000000","message":"Right, I\u0027ll take that into consideration - but I guess there\u0027s no other option than to just run it. 
\nMaybe just copying a task that will be running keystone_fernet with nodetach for doing init when no containers exist + running distribution from handler is the best approach here...","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"67c63b5b5b32c32b128a9464fef7f8da946b7c54","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        selectattr(\u0027Status\u0027, \u0027equalto\u0027, \u0027running\u0027) | map(attribute\u003d\u0027Status\u0027) | list | length)"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"  when: not (fernet_container_state | select(\u0027match\u0027, \u0027No such container\u0027))"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"- include_tasks: bootstrap_service.yml"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"3fa7e38b_90222aa6","line":54,"in_reply_to":"3fa7e38b_c5dea6da","updated":"2019-12-16 15:55:03.000000000","message":"The problem is that the SSH server needs to be running on all hosts other than the one doing the pushing.","commit_id":"2417b838d880c319aeddaa8c2284e99cfeacb9a1"}],"ansible/roles/keystone/tasks/bootstrap_service.yml":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"816a322232484ee00c54cbf9ebe207e08865d594","unresolved":false,"context_lines":[{"line_number":5,"context_line":"    action: \"get_container_state\""},{"line_number":6,"context_line":"    name: \"keystone_fernet\""},{"line_number":7,"context_line":"  register: fernet_container_state"},{"line_number":8,"context_line":"  failed_when: false"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"- name: Group nodes where keystone_fernet is 
running"},{"line_number":11,"context_line":"  group_by:"}],"source_content_type":"text/x-yaml","patch_set":31,"id":"3fa7e38b_2555f71f","line":8,"updated":"2020-01-17 09:00:26.000000000","message":"the issue with that is that it may also fail when docker is grumpy and still break logic - best differentiate between the two paths (docker grumpy vs container really missing)","commit_id":"574fb7a4db8da5fb64a80d191aad8cb726dc8f97"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"ce9da1be3c4d89e9633481a923ad0ab621567b0d","unresolved":false,"context_lines":[{"line_number":5,"context_line":"    action: \"get_container_state\""},{"line_number":6,"context_line":"    name: \"keystone_fernet\""},{"line_number":7,"context_line":"  register: fernet_container_state"},{"line_number":8,"context_line":"  failed_when: false"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"- name: Group nodes where keystone_fernet is running"},{"line_number":11,"context_line":"  group_by:"}],"source_content_type":"text/x-yaml","patch_set":31,"id":"3fa7e38b_b7aed27d","line":8,"in_reply_to":"3fa7e38b_2555f71f","updated":"2020-01-21 08:07:33.000000000","message":"Ok, let me find how to extend failed_when to fail when Docker is grumpy, but not when container is missing ;-)","commit_id":"574fb7a4db8da5fb64a80d191aad8cb726dc8f97"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"816a322232484ee00c54cbf9ebe207e08865d594","unresolved":false,"context_lines":[{"line_number":29,"context_line":"    restart_policy: no"},{"line_number":30,"context_line":"    volumes: \"{{ keystone.volumes|reject(\u0027equalto\u0027, \u0027\u0027)|list }}\""},{"line_number":31,"context_line":"  run_once: True"},{"line_number":32,"context_line":"  
delegate_to: \"{{ groups[\u0027keystone_fernet_bootstrap\u0027][0] }}\""},{"line_number":33,"context_line":"  when: groups[\u0027keystone_fernet_running\u0027] is not defined"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"- name: Running Keystone fernet bootstrap container"},{"line_number":36,"context_line":"  vars:"}],"source_content_type":"text/x-yaml","patch_set":31,"id":"3fa7e38b_251ad77f","line":33,"range":{"start_line":32,"start_character":0,"end_line":33,"end_character":56},"updated":"2020-01-17 09:00:26.000000000","message":"I would not make it depend on fernet, it\u0027s orthogonal, best leave it be","commit_id":"574fb7a4db8da5fb64a80d191aad8cb726dc8f97"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"ce9da1be3c4d89e9633481a923ad0ab621567b0d","unresolved":false,"context_lines":[{"line_number":29,"context_line":"    restart_policy: no"},{"line_number":30,"context_line":"    volumes: \"{{ keystone.volumes|reject(\u0027equalto\u0027, \u0027\u0027)|list }}\""},{"line_number":31,"context_line":"  run_once: True"},{"line_number":32,"context_line":"  delegate_to: \"{{ groups[\u0027keystone_fernet_bootstrap\u0027][0] }}\""},{"line_number":33,"context_line":"  when: groups[\u0027keystone_fernet_running\u0027] is not defined"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"- name: Running Keystone fernet bootstrap container"},{"line_number":36,"context_line":"  vars:"}],"source_content_type":"text/x-yaml","patch_set":31,"id":"3fa7e38b_779b7a63","line":33,"range":{"start_line":32,"start_character":0,"end_line":33,"end_character":56},"in_reply_to":"3fa7e38b_251ad77f","updated":"2020-01-21 08:07:33.000000000","message":"Ok, I\u0027ll pursue the \"keystone bootstrap always runs and sets changed\u003dtrue\" in another patchset","commit_id":"574fb7a4db8da5fb64a80d191aad8cb726dc8f97"},{"author":{"_account_id":30491,"name":"Radosław 
Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"0e28b17a62a552239cb97b665d67df0819b48639","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"- name: Group nodes where keystone_fernet is running"},{"line_number":10,"context_line":"  group_by:"},{"line_number":11,"context_line":"    key: keystone_fernet_{{ fernet_container_state.Status | default(\u0027bootstrap\u0027) }}"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"- name: Running Keystone bootstrap container"},{"line_number":14,"context_line":"  vars:"}],"source_content_type":"text/x-yaml","patch_set":38,"id":"3fa7e38b_006c0569","line":11,"range":{"start_line":11,"start_character":28,"end_line":11,"end_character":57},"updated":"2020-01-24 12:41:03.000000000","message":"even this one","commit_id":"3c5a2b75686d0c200a2862f2dd8657963b4d55de"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"615d349d0b34f2fa43c3a2463e30031b4356ec73","unresolved":false,"context_lines":[{"line_number":50,"context_line":"    restart_policy: no"},{"line_number":51,"context_line":"    volumes: \"{{ keystone_fernet.volumes|reject(\u0027equalto\u0027, \u0027\u0027)|list }}\""},{"line_number":52,"context_line":"  run_once: True"},{"line_number":53,"context_line":"  delegate_to: \"{{ groups[\u0027keystone_fernet_bootstrap\u0027][0] }}\""},{"line_number":54,"context_line":"  when:"},{"line_number":55,"context_line":"    - keystone_token_provider \u003d\u003d \u0027fernet\u0027"},{"line_number":56,"context_line":"    - groups[\u0027keystone_fernet_running\u0027] is not 
defined"}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_73d97825","line":53,"range":{"start_line":53,"start_character":27,"end_line":53,"end_character":52},"updated":"2020-02-05 14:09:25.000000000","message":"I think just the keystone group would work here.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"5e78f28653561b1a97c7285f855038f35a669425","unresolved":false,"context_lines":[{"line_number":50,"context_line":"    restart_policy: no"},{"line_number":51,"context_line":"    volumes: \"{{ keystone_fernet.volumes|reject(\u0027equalto\u0027, \u0027\u0027)|list }}\""},{"line_number":52,"context_line":"  run_once: True"},{"line_number":53,"context_line":"  delegate_to: \"{{ groups[\u0027keystone_fernet_bootstrap\u0027][0] }}\""},{"line_number":54,"context_line":"  when:"},{"line_number":55,"context_line":"    - keystone_token_provider \u003d\u003d \u0027fernet\u0027"},{"line_number":56,"context_line":"    - groups[\u0027keystone_fernet_running\u0027] is not defined"}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_fe4e8cc1","line":53,"range":{"start_line":53,"start_character":27,"end_line":53,"end_character":52},"in_reply_to":"3fa7e38b_73d97825","updated":"2020-02-05 16:47:21.000000000","message":"The idea was to run this only, if there are no keystone_fernet containers running anywhere - that\u0027s why group_by defaults to bootstrap (instead of keystone_fernet_running)","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"28a250daa8a1d24c789797e168567a4ffecf685b","unresolved":false,"context_lines":[{"line_number":50,"context_line":"    restart_policy: no"},{"line_number":51,"context_line":"    volumes: \"{{ keystone_fernet.volumes|reject(\u0027equalto\u0027, 
\u0027\u0027)|list }}\""},{"line_number":52,"context_line":"  run_once: True"},{"line_number":53,"context_line":"  delegate_to: \"{{ groups[\u0027keystone_fernet_bootstrap\u0027][0] }}\""},{"line_number":54,"context_line":"  when:"},{"line_number":55,"context_line":"    - keystone_token_provider \u003d\u003d \u0027fernet\u0027"},{"line_number":56,"context_line":"    - groups[\u0027keystone_fernet_running\u0027] is not defined"}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_f96226da","line":53,"range":{"start_line":53,"start_character":27,"end_line":53,"end_character":52},"in_reply_to":"3fa7e38b_fe4e8cc1","updated":"2020-02-05 16:58:30.000000000","message":"Makes sense, but we may as well use the keystone group here so that later on when we distribute we know we will get the bootstrap host.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"615d349d0b34f2fa43c3a2463e30031b4356ec73","unresolved":false,"context_lines":[{"line_number":53,"context_line":"  delegate_to: \"{{ groups[\u0027keystone_fernet_bootstrap\u0027][0] }}\""},{"line_number":54,"context_line":"  when:"},{"line_number":55,"context_line":"    - keystone_token_provider \u003d\u003d \u0027fernet\u0027"},{"line_number":56,"context_line":"    - groups[\u0027keystone_fernet_running\u0027] is not defined"}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_93be74ad","line":56,"range":{"start_line":56,"start_character":30,"end_line":56,"end_character":37},"updated":"2020-02-05 14:09:25.000000000","message":"Would this get tripped up by a stopped fernet container?","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":22629,"name":"Michal 
Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"5e78f28653561b1a97c7285f855038f35a669425","unresolved":false,"context_lines":[{"line_number":53,"context_line":"  delegate_to: \"{{ groups[\u0027keystone_fernet_bootstrap\u0027][0] }}\""},{"line_number":54,"context_line":"  when:"},{"line_number":55,"context_line":"    - keystone_token_provider \u003d\u003d \u0027fernet\u0027"},{"line_number":56,"context_line":"    - groups[\u0027keystone_fernet_running\u0027] is not defined"}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_9ec3d805","line":56,"range":{"start_line":56,"start_character":30,"end_line":56,"end_character":37},"in_reply_to":"3fa7e38b_93be74ad","updated":"2020-02-05 16:47:21.000000000","message":"stopped will get in keystone_fernet_stopped (or any other status given by Docker API/docker python)","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"28a250daa8a1d24c789797e168567a4ffecf685b","unresolved":false,"context_lines":[{"line_number":53,"context_line":"  delegate_to: \"{{ groups[\u0027keystone_fernet_bootstrap\u0027][0] }}\""},{"line_number":54,"context_line":"  when:"},{"line_number":55,"context_line":"    - keystone_token_provider \u003d\u003d \u0027fernet\u0027"},{"line_number":56,"context_line":"    - groups[\u0027keystone_fernet_running\u0027] is not defined"}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_399e7eb7","line":56,"range":{"start_line":56,"start_character":30,"end_line":56,"end_character":37},"in_reply_to":"3fa7e38b_9ec3d805","updated":"2020-02-05 16:58:30.000000000","message":"Yes, but a stopped container is probably still bootstrapped. 
It\u0027s a corner case, but if for some reason all your fernet containers are stopped then you\u0027d end up regenerating fernet keys unnecessarily (and potentially breaking anyone using an old key).","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"}],"ansible/roles/keystone/tasks/deploy.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"6fd4003bbd2acde720224574ca28a632002babd1","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- include_tasks: bootstrap.yml"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"- include_tasks: config.yml"},{"line_number":5,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_3c67b026","line":2,"range":{"start_line":2,"start_character":17,"end_line":2,"end_character":26},"updated":"2019-12-13 14:40:31.000000000","message":"Bootstrap needs config to exist.","commit_id":"b6496744835b2539fbf9ad8b5d0cc637e045785a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"3d999db2d39fb40e88056f167892a28b0be3d785","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- include_tasks: bootstrap.yml"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"- include_tasks: config.yml"},{"line_number":5,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_48a2e6fc","line":2,"range":{"start_line":2,"start_character":17,"end_line":2,"end_character":26},"in_reply_to":"3fa7e38b_0dfde039","updated":"2019-12-13 17:11:44.000000000","message":"bootstrap_service.yml will require config.json for keystone.","commit_id":"b6496744835b2539fbf9ad8b5d0cc637e045785a"},{"author":{"_account_id":22629,"name":"Michal 
Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"3903b66100b6400af93dc913b64d8c5f2ef545b4","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- include_tasks: bootstrap.yml"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"- include_tasks: config.yml"},{"line_number":5,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_0dfde039","line":2,"range":{"start_line":2,"start_character":17,"end_line":2,"end_character":26},"in_reply_to":"3fa7e38b_3c67b026","updated":"2019-12-13 16:56:09.000000000","message":"I tend to disagree, tasks in bootstrap.yml don\u0027t need config data to run their tasks, but I can move it after config if it looks better - we run the handlers after config anyway ;-)","commit_id":"b6496744835b2539fbf9ad8b5d0cc637e045785a"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"a7d5f79b3a6621027ad9b5e07df84f84b7770c7d","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"- include_tasks: bootstrap.yml"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"- include_tasks: config.yml"},{"line_number":5,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":8,"id":"3fa7e38b_88069ecc","line":2,"range":{"start_line":2,"start_character":17,"end_line":2,"end_character":26},"in_reply_to":"3fa7e38b_48a2e6fc","updated":"2019-12-13 17:19:29.000000000","message":"Right, forgot about the include - my bad.","commit_id":"b6496744835b2539fbf9ad8b5d0cc637e045785a"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"615d349d0b34f2fa43c3a2463e30031b4356ec73","unresolved":false,"context_lines":[{"line_number":10,"context_line":"- name: Flush handlers"},{"line_number":11,"context_line":"  meta: 
flush_handlers"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"- include_tasks: distribute_fernet.yml"},{"line_number":14,"context_line":"  when:"},{"line_number":15,"context_line":"    - keystone_token_provider \u003d\u003d \u0027fernet\u0027"},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"- include_tasks: register.yml"},{"line_number":18,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_13984418","line":15,"range":{"start_line":13,"start_character":0,"end_line":15,"end_character":41},"updated":"2020-02-05 14:09:25.000000000","message":"We\u0027re still distributing the keys after starting keystone. The commit message suggests that could be a problem.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"5e78f28653561b1a97c7285f855038f35a669425","unresolved":false,"context_lines":[{"line_number":10,"context_line":"- name: Flush handlers"},{"line_number":11,"context_line":"  meta: flush_handlers"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"- include_tasks: distribute_fernet.yml"},{"line_number":14,"context_line":"  when:"},{"line_number":15,"context_line":"    - keystone_token_provider \u003d\u003d \u0027fernet\u0027"},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"- include_tasks: register.yml"},{"line_number":18,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_bedd74df","line":15,"range":{"start_line":13,"start_character":0,"end_line":15,"end_character":41},"in_reply_to":"3fa7e38b_13984418","updated":"2020-02-05 16:47:21.000000000","message":"Yes, but fernet-node-sync.sh script is updated to check for unpopulated token store and wait with startup until it is populated (or restart whole container after n 
retries)","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"28a250daa8a1d24c789797e168567a4ffecf685b","unresolved":false,"context_lines":[{"line_number":10,"context_line":"- name: Flush handlers"},{"line_number":11,"context_line":"  meta: flush_handlers"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"- include_tasks: distribute_fernet.yml"},{"line_number":14,"context_line":"  when:"},{"line_number":15,"context_line":"    - keystone_token_provider \u003d\u003d \u0027fernet\u0027"},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"- include_tasks: register.yml"},{"line_number":18,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_39c51e91","line":15,"range":{"start_line":13,"start_character":0,"end_line":15,"end_character":41},"in_reply_to":"3fa7e38b_bedd74df","updated":"2020-02-05 16:58:30.000000000","message":"But that\u0027s in the keystone-fernet container. 
It won\u0027t prevent the keystone container from starting up.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"}],"ansible/roles/keystone/tasks/distribute_fernet.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"615d349d0b34f2fa43c3a2463e30031b4356ec73","unresolved":false,"context_lines":[{"line_number":16,"context_line":"  delegate_to: \u003e-"},{"line_number":17,"context_line":"    {% if groups[\u0027keystone_fernet_running\u0027] is defined -%}"},{"line_number":18,"context_line":"    {{ groups[\u0027keystone_fernet_running\u0027][0] }}"},{"line_number":19,"context_line":"    {%- else -%}{{ groups[\u0027keystone\u0027][0] }}{%- endif %}"}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_337f80df","line":19,"range":{"start_line":19,"start_character":27,"end_line":19,"end_character":35},"updated":"2020-02-05 14:09:25.000000000","message":"In the bootstrap we used the keystone_fernet_bootstrap group. 
They need to be the same, but I\u0027d suggest using just keystone.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"5e78f28653561b1a97c7285f855038f35a669425","unresolved":false,"context_lines":[{"line_number":16,"context_line":"  delegate_to: \u003e-"},{"line_number":17,"context_line":"    {% if groups[\u0027keystone_fernet_running\u0027] is defined -%}"},{"line_number":18,"context_line":"    {{ groups[\u0027keystone_fernet_running\u0027][0] }}"},{"line_number":19,"context_line":"    {%- else -%}{{ groups[\u0027keystone\u0027][0] }}{%- endif %}"}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_de8630b8","line":19,"range":{"start_line":19,"start_character":27,"end_line":19,"end_character":35},"in_reply_to":"3fa7e38b_337f80df","updated":"2020-02-05 16:47:21.000000000","message":"ok, I\u0027ll follow up with a patch - it doesn\u0027t really kill us if we run key distribution every time - but then this task will always be changed\u003dtrue if we delegate_to: keystone","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"28a250daa8a1d24c789797e168567a4ffecf685b","unresolved":false,"context_lines":[{"line_number":16,"context_line":"  delegate_to: \u003e-"},{"line_number":17,"context_line":"    {% if groups[\u0027keystone_fernet_running\u0027] is defined -%}"},{"line_number":18,"context_line":"    {{ groups[\u0027keystone_fernet_running\u0027][0] }}"},{"line_number":19,"context_line":"    {%- else -%}{{ groups[\u0027keystone\u0027][0] }}{%- endif %}"}],"source_content_type":"text/x-yaml","patch_set":39,"id":"3fa7e38b_191622f5","line":19,"range":{"start_line":19,"start_character":27,"end_line":19,"end_character":35},"in_reply_to":"3fa7e38b_de8630b8","updated":"2020-02-05 
16:58:30.000000000","message":"To be clear - I think this is ok. It\u0027s the bootstrap that should change to use the keystone group since the bootstrap group may not exist.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"}],"ansible/roles/keystone/tasks/init_fernet.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"cccd6f6562e9ed711821a938a68f71f1c0d5f7fc","unresolved":false,"context_lines":[{"line_number":13,"context_line":"  become: true"},{"line_number":14,"context_line":"  command: \"docker exec -t keystone_fernet kolla_keystone_bootstrap {{ keystone_username }} {{ keystone_groupname }}\""},{"line_number":15,"context_line":"  register: fernet_create"},{"line_number":16,"context_line":"  changed_when: fernet_create.stdout.find(\u0027localhost | SUCCESS \u003d\u003e \u0027) !\u003d -1 and (fernet_create.stdout.split(\u0027localhost | SUCCESS \u003d\u003e \u0027)[1]|from_json).changed"},{"line_number":17,"context_line":"  until: fernet_create.stdout.split()[2] \u003d\u003d \u0027SUCCESS\u0027 or fernet_create.stdout.find(\u0027Key repository is already initialized\u0027) !\u003d -1"},{"line_number":18,"context_line":"  retries: 10"},{"line_number":19,"context_line":"  delay: 5"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3fa7e38b_cf0355bd","line":16,"range":{"start_line":16,"start_character":43,"end_line":16,"end_character":62},"updated":"2019-12-12 12:33:46.000000000","message":"This stuff is unnecessary - we don\u0027t use ansible here. 
I think it will never show as changed because it will never find this string in the output, which is just JSON.\n\nSee use of find_disks for swift \u0026 ceph for comparison.","commit_id":"cfbb840ae3a7ee40607a5ac7ed43330815490d19"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"a9776e27f2136f94535accaf77b4b6adcc20781a","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"- name: Trigger keystone restart after fernet init"},{"line_number":30,"context_line":"  command: /bin/true"},{"line_number":31,"context_line":"  notify: \"Restart keystone container\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"3fa7e38b_3a6d8566","line":31,"updated":"2019-12-12 13:50:15.000000000","message":"when: fernet_create.changed","commit_id":"77de29f20ed8ff47cba46b75de526d8086106237"}],"ansible/roles/keystone/templates/fernet-node-sync.sh.j2":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"816a322232484ee00c54cbf9ebe207e08865d594","unresolved":false,"context_lines":[{"line_number":6,"context_line":"# Get data on the fernet tokens"},{"line_number":7,"context_line":"TOKEN_CHECK\u003d$(/usr/bin/python{{ distro_python_version }} /usr/bin/fetch_fernet_tokens.py -t {{ fernet_token_expiry }} -n {{ (groups[\u0027keystone\u0027] | length) + 1 }})"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"# Ensure tokens are populated"},{"line_number":10,"context_line":"if $(echo \"$TOKEN_CHECK\" | grep -q \u0027\"populated\": false\u0027); then"},{"line_number":11,"context_line":"    exit 0;"},{"line_number":12,"context_line":"fi"},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"# Ensure the primary token exists and is not 
stale"}],"source_content_type":"text/x-jinja2","patch_set":31,"id":"3fa7e38b_450ef33d","line":11,"range":{"start_line":9,"start_character":0,"end_line":11,"end_character":11},"updated":"2020-01-17 09:00:26.000000000","message":"I don\u0027t get how this is a successful sync","commit_id":"574fb7a4db8da5fb64a80d191aad8cb726dc8f97"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"ce9da1be3c4d89e9633481a923ad0ab621567b0d","unresolved":false,"context_lines":[{"line_number":6,"context_line":"# Get data on the fernet tokens"},{"line_number":7,"context_line":"TOKEN_CHECK\u003d$(/usr/bin/python{{ distro_python_version }} /usr/bin/fetch_fernet_tokens.py -t {{ fernet_token_expiry }} -n {{ (groups[\u0027keystone\u0027] | length) + 1 }})"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"# Ensure tokens are populated"},{"line_number":10,"context_line":"if $(echo \"$TOKEN_CHECK\" | grep -q \u0027\"populated\": false\u0027); then"},{"line_number":11,"context_line":"    exit 0;"},{"line_number":12,"context_line":"fi"},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"# Ensure the primary token exists and is not stale"}],"source_content_type":"text/x-jinja2","patch_set":31,"id":"3fa7e38b_977b9629","line":11,"range":{"start_line":9,"start_character":0,"end_line":11,"end_character":11},"in_reply_to":"3fa7e38b_450ef33d","updated":"2020-01-21 08:07:33.000000000","message":"This is fernet-node-sync.sh, which runs on container start (via kolla_extend_start) - we\u0027re just making sure here, we\u0027re not syncing keys from a container, that is not populated ;-) (which will bring other containers to the same state - zero keys)","commit_id":"574fb7a4db8da5fb64a80d191aad8cb726dc8f97"},{"author":{"_account_id":22629,"name":"Michal 
Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"33d67e36ca5d3a3ee2accac86f4becb4a5f85083","unresolved":false,"context_lines":[{"line_number":6,"context_line":"# Get data on the fernet tokens"},{"line_number":7,"context_line":"TOKEN_CHECK\u003d$(/usr/bin/python{{ distro_python_version }} /usr/bin/fetch_fernet_tokens.py -t {{ fernet_token_expiry }} -n {{ (groups[\u0027keystone\u0027] | length) + 1 }})"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"# Ensure tokens are populated"},{"line_number":10,"context_line":"if $(echo \"$TOKEN_CHECK\" | grep -q \u0027\"populated\": false\u0027); then"},{"line_number":11,"context_line":"    exit 0;"},{"line_number":12,"context_line":"fi"},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"# Ensure the primary token exists and is not stale"}],"source_content_type":"text/x-jinja2","patch_set":31,"id":"3fa7e38b_5aaa25d3","line":11,"range":{"start_line":9,"start_character":0,"end_line":11,"end_character":11},"in_reply_to":"3fa7e38b_57ff5e34","updated":"2020-01-21 08:50:06.000000000","message":"We\u0027ll get a restart loop on the container, but it might make sense - thanks.","commit_id":"574fb7a4db8da5fb64a80d191aad8cb726dc8f97"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"64c744c7a95b95cda0d6508bdc6c88cfd8c2171d","unresolved":false,"context_lines":[{"line_number":6,"context_line":"# Get data on the fernet tokens"},{"line_number":7,"context_line":"TOKEN_CHECK\u003d$(/usr/bin/python{{ distro_python_version }} /usr/bin/fetch_fernet_tokens.py -t {{ fernet_token_expiry }} -n {{ (groups[\u0027keystone\u0027] | length) + 1 }})"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"# Ensure tokens are populated"},{"line_number":10,"context_line":"if $(echo 
\"$TOKEN_CHECK\" | grep -q \u0027\"populated\": false\u0027); then"},{"line_number":11,"context_line":"    exit 0;"},{"line_number":12,"context_line":"fi"},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"# Ensure the primary token exists and is not stale"}],"source_content_type":"text/x-jinja2","patch_set":31,"id":"3fa7e38b_57ff5e34","line":11,"range":{"start_line":9,"start_character":0,"end_line":11,"end_character":11},"in_reply_to":"3fa7e38b_977b9629","updated":"2020-01-21 08:22:19.000000000","message":"exit 1?","commit_id":"574fb7a4db8da5fb64a80d191aad8cb726dc8f97"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"615d349d0b34f2fa43c3a2463e30031b4356ec73","unresolved":false,"context_lines":[{"line_number":5,"context_line":""},{"line_number":6,"context_line":"# Get data on the fernet tokens"},{"line_number":7,"context_line":"# NOTE(mnasiadka): Check for existence of at least two tokens (should exist after bootstrap)"},{"line_number":8,"context_line":"TOKEN_CHECK\u003d$(/usr/bin/python{{ distro_python_version }} /usr/bin/fetch_fernet_tokens.py -t {{ fernet_token_expiry }} -n 2)"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"# Ensure tokens are populated"},{"line_number":11,"context_line":"n\u003d0"}],"source_content_type":"text/x-jinja2","patch_set":39,"id":"3fa7e38b_a52487b2","line":8,"range":{"start_line":8,"start_character":0,"end_line":8,"end_character":11},"updated":"2020-02-05 14:09:25.000000000","message":"Wouldn\u0027t it make more sense to do the query final check after the loop? i.e. 
just before TOKEN_CHECK is used later.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"5e78f28653561b1a97c7285f855038f35a669425","unresolved":false,"context_lines":[{"line_number":5,"context_line":""},{"line_number":6,"context_line":"# Get data on the fernet tokens"},{"line_number":7,"context_line":"# NOTE(mnasiadka): Check for existence of at least two tokens (should exist after bootstrap)"},{"line_number":8,"context_line":"TOKEN_CHECK\u003d$(/usr/bin/python{{ distro_python_version }} /usr/bin/fetch_fernet_tokens.py -t {{ fernet_token_expiry }} -n 2)"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"# Ensure tokens are populated"},{"line_number":11,"context_line":"n\u003d0"}],"source_content_type":"text/x-jinja2","patch_set":39,"id":"3fa7e38b_5eb48081","line":8,"range":{"start_line":8,"start_character":0,"end_line":8,"end_character":11},"in_reply_to":"3fa7e38b_a52487b2","updated":"2020-02-05 16:47:21.000000000","message":"Yeah, makes sense - will fix in a followup.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"615d349d0b34f2fa43c3a2463e30031b4356ec73","unresolved":false,"context_lines":[{"line_number":9,"context_line":""},{"line_number":10,"context_line":"# Ensure tokens are populated"},{"line_number":11,"context_line":"n\u003d0"},{"line_number":12,"context_line":"while /usr/bin/python{{ distro_python_version }} /usr/bin/fetch_fernet_tokens.py -t 86400 -n 1 | grep -q \u0027\"populated\": false\u0027; do"},{"line_number":13,"context_line":"    if [ $n -lt 10 ]; then"},{"line_number":14,"context_line":"        n\u003d$(( n + 1 ))"},{"line_number":15,"context_line":"        echo \"ERROR: Fernet tokens have not been populated, rechecking in 1 
minute\""}],"source_content_type":"text/x-jinja2","patch_set":39,"id":"3fa7e38b_535c7c57","line":12,"range":{"start_line":12,"start_character":84,"end_line":12,"end_character":89},"updated":"2020-02-05 14:09:25.000000000","message":"Should this be fernet_token_expiry?","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"5e78f28653561b1a97c7285f855038f35a669425","unresolved":false,"context_lines":[{"line_number":9,"context_line":""},{"line_number":10,"context_line":"# Ensure tokens are populated"},{"line_number":11,"context_line":"n\u003d0"},{"line_number":12,"context_line":"while /usr/bin/python{{ distro_python_version }} /usr/bin/fetch_fernet_tokens.py -t 86400 -n 1 | grep -q \u0027\"populated\": false\u0027; do"},{"line_number":13,"context_line":"    if [ $n -lt 10 ]; then"},{"line_number":14,"context_line":"        n\u003d$(( n + 1 ))"},{"line_number":15,"context_line":"        echo \"ERROR: Fernet tokens have not been populated, rechecking in 1 minute\""}],"source_content_type":"text/x-jinja2","patch_set":39,"id":"3fa7e38b_1ea60857","line":12,"range":{"start_line":12,"start_character":84,"end_line":12,"end_character":89},"in_reply_to":"3fa7e38b_535c7c57","updated":"2020-02-05 16:47:21.000000000","message":"Right, will followup.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"615d349d0b34f2fa43c3a2463e30031b4356ec73","unresolved":false,"context_lines":[{"line_number":27,"context_line":"    exit 0;"},{"line_number":28,"context_line":"fi"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# For each host node sync tokens"},{"line_number":31,"context_line":"{% for host in groups[\u0027keystone\u0027] %}"},{"line_number":32,"context_line":"{% if inventory_hostname !\u003d 
host %}"},{"line_number":33,"context_line":"/usr/bin/rsync -azu --delete -e \u0027ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host][\u0027keystone_ssh_port\u0027] }} -F /var/lib/keystone/.ssh/config\u0027 keystone@{{ \u0027api\u0027 | kolla_address(host) | put_address_in_context(\u0027url\u0027) }}:/etc/keystone/fernet-keys/ /etc/keystone/fernet-keys"},{"line_number":34,"context_line":"{% endif %}"},{"line_number":35,"context_line":"{% endfor %}"}],"source_content_type":"text/x-jinja2","patch_set":39,"id":"3fa7e38b_050c7b38","line":35,"range":{"start_line":30,"start_character":0,"end_line":35,"end_character":12},"updated":"2020-02-05 14:09:25.000000000","message":"This seems weird. This script gets executed by keystone-fernet on startup. If it thinks its tokens are stale, it will pull tokens from all other hosts. What if those other hosts are out of sync? If the last host has no tokens we\u0027ll remove our own tokens due to --delete.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"5e78f28653561b1a97c7285f855038f35a669425","unresolved":false,"context_lines":[{"line_number":27,"context_line":"    exit 0;"},{"line_number":28,"context_line":"fi"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# For each host node sync tokens"},{"line_number":31,"context_line":"{% for host in groups[\u0027keystone\u0027] %}"},{"line_number":32,"context_line":"{% if inventory_hostname !\u003d host %}"},{"line_number":33,"context_line":"/usr/bin/rsync -azu --delete -e \u0027ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host][\u0027keystone_ssh_port\u0027] }} -F /var/lib/keystone/.ssh/config\u0027 keystone@{{ \u0027api\u0027 | kolla_address(host) | put_address_in_context(\u0027url\u0027) }}:/etc/keystone/fernet-keys/ /etc/keystone/fernet-keys"},{"line_number":34,"context_line":"{% endif 
%}"},{"line_number":35,"context_line":"{% endfor %}"}],"source_content_type":"text/x-jinja2","patch_set":39,"id":"3fa7e38b_1e54c822","line":35,"range":{"start_line":30,"start_character":0,"end_line":35,"end_character":12},"in_reply_to":"3fa7e38b_050c7b38","updated":"2020-02-05 16:47:21.000000000","message":"Well, I have missed that logic - but you are right. Changing the logic to copy the keys to remote fernet containers makes more sense - or we could remove it completely?","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"28a250daa8a1d24c789797e168567a4ffecf685b","unresolved":false,"context_lines":[{"line_number":27,"context_line":"    exit 0;"},{"line_number":28,"context_line":"fi"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"# For each host node sync tokens"},{"line_number":31,"context_line":"{% for host in groups[\u0027keystone\u0027] %}"},{"line_number":32,"context_line":"{% if inventory_hostname !\u003d host %}"},{"line_number":33,"context_line":"/usr/bin/rsync -azu --delete -e \u0027ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host][\u0027keystone_ssh_port\u0027] }} -F /var/lib/keystone/.ssh/config\u0027 keystone@{{ \u0027api\u0027 | kolla_address(host) | put_address_in_context(\u0027url\u0027) }}:/etc/keystone/fernet-keys/ /etc/keystone/fernet-keys"},{"line_number":34,"context_line":"{% endif %}"},{"line_number":35,"context_line":"{% endfor %}"}],"source_content_type":"text/x-jinja2","patch_set":39,"id":"3fa7e38b_59801af7","line":35,"range":{"start_line":30,"start_character":0,"end_line":35,"end_character":12},"in_reply_to":"3fa7e38b_1e54c822","updated":"2020-02-05 16:58:30.000000000","message":"I\u0027m not sure what case this is supposed to cover. 
Maybe we should just remove it.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"}],"ansible/roles/keystone/templates/fernet-push.sh.j2":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"816a322232484ee00c54cbf9ebe207e08865d594","unresolved":false,"context_lines":[{"line_number":5,"context_line":""},{"line_number":6,"context_line":"{% for host in groups[\u0027keystone\u0027] %}"},{"line_number":7,"context_line":"{% if inventory_hostname !\u003d host %}"},{"line_number":8,"context_line":"/usr/bin/rsync -az --stats -e \u0027ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host][\u0027keystone_ssh_port\u0027] }} -F /var/lib/keystone/.ssh/config\u0027 --delete /etc/keystone/fernet-keys/ keystone@{{ \u0027api\u0027 | kolla_address(host) | put_address_in_context(\u0027url\u0027) }}:/etc/keystone/fernet-keys"},{"line_number":9,"context_line":"{% endif %}"},{"line_number":10,"context_line":"{% endfor %}"}],"source_content_type":"text/x-jinja2","patch_set":31,"id":"3fa7e38b_c5018309","line":8,"range":{"start_line":8,"start_character":19,"end_line":8,"end_character":26},"updated":"2020-01-17 09:00:26.000000000","message":"really? 
:D","commit_id":"574fb7a4db8da5fb64a80d191aad8cb726dc8f97"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"ce9da1be3c4d89e9633481a923ad0ab621567b0d","unresolved":false,"context_lines":[{"line_number":5,"context_line":""},{"line_number":6,"context_line":"{% for host in groups[\u0027keystone\u0027] %}"},{"line_number":7,"context_line":"{% if inventory_hostname !\u003d host %}"},{"line_number":8,"context_line":"/usr/bin/rsync -az --stats -e \u0027ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host][\u0027keystone_ssh_port\u0027] }} -F /var/lib/keystone/.ssh/config\u0027 --delete /etc/keystone/fernet-keys/ keystone@{{ \u0027api\u0027 | kolla_address(host) | put_address_in_context(\u0027url\u0027) }}:/etc/keystone/fernet-keys"},{"line_number":9,"context_line":"{% endif %}"},{"line_number":10,"context_line":"{% endfor %}"}],"source_content_type":"text/x-jinja2","patch_set":31,"id":"3fa7e38b_f78f6a1f","line":8,"range":{"start_line":8,"start_character":19,"end_line":8,"end_character":26},"in_reply_to":"3fa7e38b_c5018309","updated":"2020-01-21 08:07:33.000000000","message":"naah, part of debugging why are we removing keys from other containers ;-) will remove","commit_id":"574fb7a4db8da5fb64a80d191aad8cb726dc8f97"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"615d349d0b34f2fa43c3a2463e30031b4356ec73","unresolved":false,"context_lines":[{"line_number":1,"context_line":"#!/bin/bash"},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"set -o errexit"},{"line_number":4,"context_line":"set -o pipefail"},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"{% for host in groups[\u0027keystone\u0027] %}"},{"line_number":7,"context_line":"{% if inventory_hostname !\u003d host 
%}"}],"source_content_type":"text/x-jinja2","patch_set":39,"id":"3fa7e38b_93a4344e","line":4,"range":{"start_line":3,"start_character":0,"end_line":4,"end_character":15},"updated":"2020-02-05 14:09:25.000000000","message":"If a node goes down we\u0027ll fail fast now. I wonder if we\u0027d be better to attempt all, and exit non-zero if any fail.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"5e78f28653561b1a97c7285f855038f35a669425","unresolved":false,"context_lines":[{"line_number":1,"context_line":"#!/bin/bash"},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"set -o errexit"},{"line_number":4,"context_line":"set -o pipefail"},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"{% for host in groups[\u0027keystone\u0027] %}"},{"line_number":7,"context_line":"{% if inventory_hostname !\u003d host %}"}],"source_content_type":"text/x-jinja2","patch_set":39,"id":"3fa7e38b_7e137c69","line":4,"range":{"start_line":3,"start_character":0,"end_line":4,"end_character":15},"in_reply_to":"3fa7e38b_93a4344e","updated":"2020-02-05 16:47:21.000000000","message":"Yeah, we\u0027ll fail on any connection error - another candidate for a followup change.","commit_id":"0799782ce83d1057f262b44c979a15f9a1b05c72"}],"tests/test_kolla_docker.py":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"0e28b17a62a552239cb97b665d67df0819b48639","unresolved":false,"context_lines":[{"line_number":517,"context_line":"        self.assertFalse(self.dw.changed)"},{"line_number":518,"context_line":"        self.dw.dc.containers.assert_called_once_with(all\u003dTrue)"},{"line_number":519,"context_line":"        
self.dw.module.fail_json.assert_called_once_with("},{"line_number":520,"context_line":"            msg\u003d\"No such container: fake_container\")"},{"line_number":521,"context_line":""},{"line_number":522,"context_line":"    def test_recreate_or_restart_container_not_container(self):"},{"line_number":523,"context_line":"        self.dw \u003d get_DockerWorker({"}],"source_content_type":"text/x-python","patch_set":38,"id":"3fa7e38b_c08fcd1f","side":"PARENT","line":520,"updated":"2020-01-24 12:41:03.000000000","message":"do not remove, change expectations...","commit_id":"91c3dfe91c931ba640a243fe787c0c9fa93f0db2"}]}
