)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"b3dcc600e2dcf53ec6665037401cd7d067cbe919","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d1b089ef_6c850907","updated":"2022-02-08 07:28:04.000000000","message":"Missing reno - https://docs.openstack.org/kolla/latest/contributor/release-notes.html","commit_id":"4a628b3363de5be247d5d1a8a7b18a473559c09a"},{"author":{"_account_id":34462,"name":"Imran Hussain","email":"ih@imranh.co.uk","username":"imranh2"},"change_message_id":"930ad80e7c0f4949924590df44a983df9049ef91","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"07ac0413_9349eb57","in_reply_to":"d1b089ef_6c850907","updated":"2022-02-08 09:39:46.000000000","message":"Added one, is it acceptable?","commit_id":"4a628b3363de5be247d5d1a8a7b18a473559c09a"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"8d5b817a5de2bbd48261209f53d6389c5ed21eb2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"86a655a0_031bd0b2","updated":"2022-02-09 11:55:34.000000000","message":"I support this change; reducing the impact of maintenance operations helps with performing them more regularly.\n\nJust a nit about the reno.","commit_id":"43401e67aab442ebd72018f090333156ed73def0"},{"author":{"_account_id":34462,"name":"Imran Hussain","email":"ih@imranh.co.uk","username":"imranh2"},"change_message_id":"3aaea2361fa488efba3c8ea7f8b730c7a54a276a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"10e5477e_67305eb1","updated":"2022-02-09 17:18:38.000000000","message":"Spotted why ci fails, 
https://2bf576cac99ff9fc16fe-93a25d8b6838f520f662813cb255d034.ssl.cf1.rackcdn.com/828107/4/check/kolla-ansible-debian-source/55e5ffd/primary/logs/kolla_configs/haproxy/haproxy.cfg\n\nLost a line break in there somehow...","commit_id":"8030c296aa72b19e262bbbaae4973da67be636fc"},{"author":{"_account_id":34462,"name":"Imran Hussain","email":"ih@imranh.co.uk","username":"imranh2"},"change_message_id":"d0074174c66877c85d5b30c9116d1b30f5831dcb","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":5,"id":"1f4b37f6_8cead12b","updated":"2022-02-14 11:34:58.000000000","message":"Can\u0027t repro that CI failure, doing `tox -elinters  -vv --skip-missing-interpreters\u003dfalse` which is what the CI does locally works.","commit_id":"f4bfab57bda95d02efe0bef5a19625cba99c4742"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"3d36703eab7ca431ed880464f28e4d7a297a62d2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"105f5545_de970725","updated":"2022-02-15 21:13:43.000000000","message":"recheck unrelated lint failure fixed by https://review.opendev.org/c/openstack/kolla-ansible/+/829059","commit_id":"f4bfab57bda95d02efe0bef5a19625cba99c4742"}],"ansible/roles/loadbalancer/templates/haproxy/haproxy_main.cfg.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"65b47c44bc8efe4cb8c9c6a41ab2b128ab0d6b8c","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}"},{"line_number":13,"context_line":"        {% endfor %}"},{"line_number":14,"context_line":"    {% endif %}"},{"line_number":15,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660 level admin"},{"line_number":16,"context_line":"    {% if kolla_enable_tls_external | bool or 
kolla_enable_tls_internal | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"9d34fb79_e6d17bbb","line":15,"range":{"start_line":15,"start_character":74,"end_line":15,"end_character":85},"updated":"2022-02-08 09:49:09.000000000","message":"Sanity check whether this is a security hole.\n\nThis socket is unauthenticated and writable to the kolla group, and exposed via a bind mount:\n\nhaproxy_socket:/var/lib/kolla/haproxy/\n\nThe haproxy, keepalived and prometheus-haproxy-exporter containers have access to the same bind mount.\n\nIn theory this should be ok, but I\u0027m wondering if it should be opt-in, behind a flag?","commit_id":"fd3cbd3142adc4311b8b95e0eaa59b189108db03"},{"author":{"_account_id":34462,"name":"Imran Hussain","email":"ih@imranh.co.uk","username":"imranh2"},"change_message_id":"e985b2ad12ffb4b3f72652a0f8903f45b0c44fa3","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}"},{"line_number":13,"context_line":"        {% endfor %}"},{"line_number":14,"context_line":"    {% endif %}"},{"line_number":15,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660 level admin"},{"line_number":16,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"72313545_c32f1fe4","line":15,"range":{"start_line":15,"start_character":74,"end_line":15,"end_character":85},"in_reply_to":"2a911126_79ad8f06","updated":"2022-02-09 09:58:33.000000000","message":"As per my bug, if I want to reboot a host for kernel 
upgrades or something and it\u0027s running API services fronted by HAProxy, is there already a kolla-ansible way of doing that with no downtime/not losing any requests?","commit_id":"fd3cbd3142adc4311b8b95e0eaa59b189108db03"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"e9b0e381ddd09aa00ec7b2a52ed42d6c7cb24c38","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}"},{"line_number":13,"context_line":"        {% endfor %}"},{"line_number":14,"context_line":"    {% endif %}"},{"line_number":15,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660 level admin"},{"line_number":16,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"d89b697e_64dbf43c","line":15,"range":{"start_line":15,"start_character":74,"end_line":15,"end_character":85},"in_reply_to":"412a41c2_0c264ffc","updated":"2022-02-09 10:46:21.000000000","message":"I wouldn\u0027t assume that other services follow the same pattern as glance (they don\u0027t, in general). In fact, we don\u0027t even set glance_enable_rolling_upgrade to true by default, for reasons I forget.\n\nWe don\u0027t promise zero downtime upgrades, just low downtime rolling upgrades. Typically, we restart all containers of a given type at the same time. 
See the handlers.","commit_id":"fd3cbd3142adc4311b8b95e0eaa59b189108db03"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b51324f6ad7f5f546c03553c12c8e06dd3c81a59","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}"},{"line_number":13,"context_line":"        {% endfor %}"},{"line_number":14,"context_line":"    {% endif %}"},{"line_number":15,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660 level admin"},{"line_number":16,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"2a911126_79ad8f06","line":15,"range":{"start_line":15,"start_character":74,"end_line":15,"end_character":85},"in_reply_to":"51f17a64_d2e2b2dd","updated":"2022-02-09 09:54:45.000000000","message":"What use case are you talking about? 
Restarting backends during rolling upgrades, or long-term removal of backends?\n\nIf there\u0027s something we should be doing with haproxy, shouldn\u0027t kolla-ansible automate it?","commit_id":"fd3cbd3142adc4311b8b95e0eaa59b189108db03"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"cbc7dd68104aed12726cadd43b21602209ed18c1","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}"},{"line_number":13,"context_line":"        {% endfor %}"},{"line_number":14,"context_line":"    {% endif %}"},{"line_number":15,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660 level admin"},{"line_number":16,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"cab1abc6_f3bf8c56","line":15,"range":{"start_line":15,"start_character":74,"end_line":15,"end_character":85},"in_reply_to":"72313545_c32f1fe4","updated":"2022-02-09 10:08:31.000000000","message":"I see, sorry I hadn\u0027t read the bug report. There isn\u0027t currently a kolla-ansible native way to do that. We would stop the backend and accept the consequences.\n\nI\u0027m open to seeing a more complete solution in kolla-ansible. I\u0027d be interested to see data on how bad it actually is to just stop the service though. We have a docker stop timeout of 60 seconds, which should allow most requests to complete. 
HAProxy should fail over to other backends once one goes down.","commit_id":"fd3cbd3142adc4311b8b95e0eaa59b189108db03"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"d3993bbc1d8f2a87a70306680bfee9986aa0b3d8","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}"},{"line_number":13,"context_line":"        {% endfor %}"},{"line_number":14,"context_line":"    {% endif %}"},{"line_number":15,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660 level admin"},{"line_number":16,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"9a534466_0d8982ed","line":15,"range":{"start_line":15,"start_character":74,"end_line":15,"end_character":85},"in_reply_to":"987fb276_6d0e4a9f","updated":"2022-02-09 09:46:39.000000000","message":"I largely agree with your assessment. 
The 42499 group is the kolla group in containers, and all users in the containers are in this group.\n\nI think that while the risk here is low, I\u0027d still rather see this behind a flag, given that it will not be used in most deployments.","commit_id":"fd3cbd3142adc4311b8b95e0eaa59b189108db03"},{"author":{"_account_id":34462,"name":"Imran Hussain","email":"ih@imranh.co.uk","username":"imranh2"},"change_message_id":"17234b678f5be8c6b0d49c6e1b7a1bb61033cdda","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}"},{"line_number":13,"context_line":"        {% endfor %}"},{"line_number":14,"context_line":"    {% endif %}"},{"line_number":15,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660 level admin"},{"line_number":16,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"51f17a64_d2e2b2dd","line":15,"range":{"start_line":15,"start_character":74,"end_line":15,"end_character":85},"in_reply_to":"9a534466_0d8982ed","updated":"2022-02-09 09:50:53.000000000","message":"Not used in most deployments? 
Do people just rip out backend servers and hope for the best?","commit_id":"fd3cbd3142adc4311b8b95e0eaa59b189108db03"},{"author":{"_account_id":34462,"name":"Imran Hussain","email":"ih@imranh.co.uk","username":"imranh2"},"change_message_id":"d01d19751a506399a16eeae2c64c81cbb75d56c1","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}"},{"line_number":13,"context_line":"        {% endfor %}"},{"line_number":14,"context_line":"    {% endif %}"},{"line_number":15,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660 level admin"},{"line_number":16,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"987fb276_6d0e4a9f","line":15,"range":{"start_line":15,"start_character":74,"end_line":15,"end_character":85},"in_reply_to":"9d34fb79_e6d17bbb","updated":"2022-02-08 10:02:22.000000000","message":"I thought about this in my deployment but came to the conclusion that if you\u0027re able to get access to the docker host then you can do more damage in other ways.\n\nOn the host the socket is 0:42400 660. So you have to be root or be in the gid 42400 which isn\u0027t even a group on my host... 
\n\nJust checked now and the whole of /var/lib/docker is 710 root:root so you can\u0027t even see it unless you are already root.","commit_id":"fd3cbd3142adc4311b8b95e0eaa59b189108db03"},{"author":{"_account_id":34462,"name":"Imran Hussain","email":"ih@imranh.co.uk","username":"imranh2"},"change_message_id":"f6e23b253438b6001bd5047366bd3486a902f450","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}"},{"line_number":13,"context_line":"        {% endfor %}"},{"line_number":14,"context_line":"    {% endif %}"},{"line_number":15,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660 level admin"},{"line_number":16,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"412a41c2_0c264ffc","line":15,"range":{"start_line":15,"start_character":74,"end_line":15,"end_character":85},"in_reply_to":"cab1abc6_f3bf8c56","updated":"2022-02-09 10:14:47.000000000","message":"I just read over how Kolla does glance rolling upgrades (https://github.com/openstack/kolla-ansible/blob/stable/wallaby/ansible/roles/glance/tasks/rolling_upgrade.yml) and I\u0027m making the assumption it\u0027s the same for other services.\n\nIt looks like as you said, containers just get killed. There\u0027s no real way of tracking or knowing if what state things truly are in. 
That wouldn\u0027t be acceptable in my use case, good to know for me that 0 downtime upgrades aren\u0027t error free downtime and by some definitions not 0 downtime.\n\nI\u0027ll add the flag as you requested, and if I come up with something that integrates with the Kolla rolling-upgrades stuff I\u0027ll see if I can upstream it.","commit_id":"fd3cbd3142adc4311b8b95e0eaa59b189108db03"},{"author":{"_account_id":34462,"name":"Imran Hussain","email":"ih@imranh.co.uk","username":"imranh2"},"change_message_id":"98fa6b41706caedf6a73045984f94b6f1115ff8e","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}"},{"line_number":13,"context_line":"        {% endfor %}"},{"line_number":14,"context_line":"    {% endif %}"},{"line_number":15,"context_line":"    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660 level admin"},{"line_number":16,"context_line":"    {% if kolla_enable_tls_external | bool or kolla_enable_tls_internal | bool %}"},{"line_number":17,"context_line":"    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES"},{"line_number":18,"context_line":"    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"f231ec3b_35415d4d","line":15,"range":{"start_line":15,"start_character":74,"end_line":15,"end_character":85},"in_reply_to":"d89b697e_64dbf43c","updated":"2022-02-09 10:51:17.000000000","message":"Thanks, that\u0027s good to know 😊\n\nPushed up the changes you requested in PS3.","commit_id":"fd3cbd3142adc4311b8b95e0eaa59b189108db03"}],"releasenotes/notes/haproxy-add-admin-socket-2c84eabd45b1b3dc.yaml":[{"author":{"_account_id":13252,"name":"Dr. 
Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"8d5b817a5de2bbd48261209f53d6389c5ed21eb2","unresolved":true,"context_lines":[{"line_number":6,"context_line":"    (default: \"no\") which adds ``level admin`` to socket that gets created at"},{"line_number":7,"context_line":"    ``/var/lib/kolla/haproxy/haproxy.sock`` inside the HAProxy container."},{"line_number":8,"context_line":"    This allows operators to interact with HAProxy, including but not limited"},{"line_number":9,"context_line":"    to disabling backend servers for controlled maintenance operations."}],"source_content_type":"text/x-yaml","patch_set":3,"id":"f0c7b6d6_7bb7f9e5","line":9,"updated":"2022-02-09 11:55:34.000000000","message":"Add a link to your bug? See other renos as example for the formatting.","commit_id":"43401e67aab442ebd72018f090333156ed73def0"},{"author":{"_account_id":34462,"name":"Imran Hussain","email":"ih@imranh.co.uk","username":"imranh2"},"change_message_id":"0423abcffa43d4c9289da01c3bad3a4c91c10beb","unresolved":false,"context_lines":[{"line_number":6,"context_line":"    (default: \"no\") which adds ``level admin`` to socket that gets created at"},{"line_number":7,"context_line":"    ``/var/lib/kolla/haproxy/haproxy.sock`` inside the HAProxy container."},{"line_number":8,"context_line":"    This allows operators to interact with HAProxy, including but not limited"},{"line_number":9,"context_line":"    to disabling backend servers for controlled maintenance operations."}],"source_content_type":"text/x-yaml","patch_set":3,"id":"c0a0b816_5f9d01c5","line":9,"in_reply_to":"f0c7b6d6_7bb7f9e5","updated":"2022-02-09 12:07:40.000000000","message":"Done","commit_id":"43401e67aab442ebd72018f090333156ed73def0"}]}
