)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"d8af6e1dc746a636e1112e45963b1841950ad771","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"ec20f2fd_2006590b","updated":"2025-07-24 12:02:30.000000000","message":"2025-07-21T12:38:03.592747758Z ++ sudo usermod -aG systemd-journal fluentd\n2025-07-21T12:38:03.599514094Z sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper\n2025-07-21T12:38:03.599739766Z sudo: a password is required","commit_id":"2fcbbe17136d7255a72872fb52818307f0f055f1"},{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"8510606868e87fca608805a3690d5a7dce9d2ce5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"84796690_077055d0","updated":"2025-07-21 12:12:35.000000000","message":"recheck","commit_id":"2fcbbe17136d7255a72872fb52818307f0f055f1"},{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"ccc7b66c2e0918945269c40373db331d6afb2b38","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"4f965c33_29b91398","in_reply_to":"ec20f2fd_2006590b","updated":"2025-07-25 09:30:09.000000000","message":"thanks - I\u0027ve added an entry in the sudoers file","commit_id":"2fcbbe17136d7255a72872fb52818307f0f055f1"}],"docker/base/Dockerfile.j2":[{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"6801a5057872552ae6a8987cc64da41563fea386","unresolved":true,"context_lines":[{"line_number":253,"context_line":"COPY sources.list.{{ base_distro }}.{{ base_arch }} /etc/apt/sources.list"},{"line_number":254,"context_line":"{% endif 
%}"},{"line_number":255,"context_line":"COPY sources.list /etc/apt/sources.list.d/kolla-custom.list"},{"line_number":256,"context_line":"RUN echo \"g systemd-journal - -\" \u003e\u003e /usr/lib/sysusers.d/systemd-journal.conf"},{"line_number":257,"context_line":"{% endblock %}"},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"{% block base_debian_after_sources_list %}{% endblock %}"}],"source_content_type":"text/x-jinja2","patch_set":7,"id":"d73b273a_626508da","line":256,"updated":"2025-08-15 16:21:04.000000000","message":"This is a hack, but see if it works.","commit_id":"26cefee13e85873363584684672f2f46b12a4900"},{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"d9663416d4782f93f3fe7d3a0c7ef6e3b50af67c","unresolved":false,"context_lines":[{"line_number":253,"context_line":"COPY sources.list.{{ base_distro }}.{{ base_arch }} /etc/apt/sources.list"},{"line_number":254,"context_line":"{% endif %}"},{"line_number":255,"context_line":"COPY sources.list /etc/apt/sources.list.d/kolla-custom.list"},{"line_number":256,"context_line":"RUN echo \"g systemd-journal - -\" \u003e\u003e /usr/lib/sysusers.d/systemd-journal.conf"},{"line_number":257,"context_line":"{% endblock %}"},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"{% block base_debian_after_sources_list %}{% endblock %}"}],"source_content_type":"text/x-jinja2","patch_set":7,"id":"ed4e561c_0dddc3bf","line":256,"in_reply_to":"217d7ce4_8ee119cc","updated":"2025-09-01 14:39:12.000000000","message":"Done","commit_id":"26cefee13e85873363584684672f2f46b12a4900"},{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"666cfd73b882496a681fbac04c0186d683634f89","unresolved":true,"context_lines":[{"line_number":253,"context_line":"COPY sources.list.{{ base_distro }}.{{ base_arch }} 
/etc/apt/sources.list"},{"line_number":254,"context_line":"{% endif %}"},{"line_number":255,"context_line":"COPY sources.list /etc/apt/sources.list.d/kolla-custom.list"},{"line_number":256,"context_line":"RUN echo \"g systemd-journal - -\" \u003e\u003e /usr/lib/sysusers.d/systemd-journal.conf"},{"line_number":257,"context_line":"{% endblock %}"},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"{% block base_debian_after_sources_list %}{% endblock %}"}],"source_content_type":"text/x-jinja2","patch_set":7,"id":"217d7ce4_8ee119cc","line":256,"in_reply_to":"d73b273a_626508da","updated":"2025-08-15 16:37:51.000000000","message":"This is where it normally comes from:\n\nroot@doug-tmp-noble:/usr/lib/sysusers.d# apt-file search systemd-journal.conf\nsystemd: /usr/lib/sysusers.d/systemd-journal.conf","commit_id":"26cefee13e85873363584684672f2f46b12a4900"},{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"d9663416d4782f93f3fe7d3a0c7ef6e3b50af67c","unresolved":true,"context_lines":[{"line_number":327,"context_line":"    \u0026\u0026 apt-get -y upgrade \\"},{"line_number":328,"context_line":"    \u0026\u0026 apt-get -y dist-upgrade \\"},{"line_number":329,"context_line":"    # NOTE: This workaround is required so that we can map the systemd-journal group ID"},{"line_number":330,"context_line":"    # (GID) to the same GID as used on the host. If we don\u0027t pre-emptively reserve the group ID"},{"line_number":331,"context_line":"    # then it is taken by another group during the base apt package install below. 
This happens"},{"line_number":332,"context_line":"    # because the files used to create the systemd-journal group are removed when"},{"line_number":333,"context_line":"    # systemd-standalone-sysusers is installed."}],"source_content_type":"text/x-jinja2","patch_set":12,"id":"cbb09a55_ebe16583","line":330,"updated":"2025-09-01 14:39:12.000000000","message":"If preferred I could move the Kolla group creation on line 344 to above 323 and manage this special group ID in the same way as the Kolla groups. But this works as-is.","commit_id":"a94f2d9af3c97fc20b07a3eed286cd1623d0b062"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"bc02741867becf0048e0414b2a7235ba63f1184a","unresolved":true,"context_lines":[{"line_number":331,"context_line":"    # then it is taken by another group during the base apt package install below. This happens"},{"line_number":332,"context_line":"    # because the files used to create the systemd-journal group are removed when"},{"line_number":333,"context_line":"    # systemd-standalone-sysusers is installed."},{"line_number":334,"context_line":"    \u0026\u0026 addgroup --gid 999 systemd-journal \\"},{"line_number":335,"context_line":"    \u0026\u0026 {{ macros.install_packages(base_apt_packages | customizable(\u0027apt_packages\u0027), True) }} \\"},{"line_number":336,"context_line":"    # NOTE: python3-pip installs dependent tzdata package and blocks mount in docker - 2091161"},{"line_number":337,"context_line":"    \u0026\u0026 unlink /etc/localtime"}],"source_content_type":"text/x-jinja2","patch_set":13,"id":"c0a75d99_9a8c0b16","line":334,"range":{"start_line":334,"start_character":22,"end_line":334,"end_character":25},"updated":"2025-09-08 19:10:36.000000000","message":"unsure that this is the correct hardcoded constant number","commit_id":"abcf83c992514f02849c40c7a402664d044b48d5"},{"author":{"_account_id":17669,"name":"Doug 
Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"05f88425d2b37d1d771423e52509571356c12c9d","unresolved":true,"context_lines":[{"line_number":331,"context_line":"    # then it is taken by another group during the base apt package install below. This happens"},{"line_number":332,"context_line":"    # because the files used to create the systemd-journal group are removed when"},{"line_number":333,"context_line":"    # systemd-standalone-sysusers is installed."},{"line_number":334,"context_line":"    \u0026\u0026 addgroup --gid 999 systemd-journal \\"},{"line_number":335,"context_line":"    \u0026\u0026 {{ macros.install_packages(base_apt_packages | customizable(\u0027apt_packages\u0027), True) }} \\"},{"line_number":336,"context_line":"    # NOTE: python3-pip installs dependent tzdata package and blocks mount in docker - 2091161"},{"line_number":337,"context_line":"    \u0026\u0026 unlink /etc/localtime"}],"source_content_type":"text/x-jinja2","patch_set":13,"id":"9b11d1c8_cf4c760b","line":334,"range":{"start_line":334,"start_character":22,"end_line":334,"end_character":25},"in_reply_to":"33ec8691_578f24d0","updated":"2025-10-17 15:57:40.000000000","message":"Thanks Maksim. I have updated the patch which should work for any GID value.","commit_id":"abcf83c992514f02849c40c7a402664d044b48d5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"d88980111ccc5a27efedba6fc10f01ea779aaa49","unresolved":false,"context_lines":[{"line_number":331,"context_line":"    # then it is taken by another group during the base apt package install below. 
This happens"},{"line_number":332,"context_line":"    # because the files used to create the systemd-journal group are removed when"},{"line_number":333,"context_line":"    # systemd-standalone-sysusers is installed."},{"line_number":334,"context_line":"    \u0026\u0026 addgroup --gid 999 systemd-journal \\"},{"line_number":335,"context_line":"    \u0026\u0026 {{ macros.install_packages(base_apt_packages | customizable(\u0027apt_packages\u0027), True) }} \\"},{"line_number":336,"context_line":"    # NOTE: python3-pip installs dependent tzdata package and blocks mount in docker - 2091161"},{"line_number":337,"context_line":"    \u0026\u0026 unlink /etc/localtime"}],"source_content_type":"text/x-jinja2","patch_set":13,"id":"ed81be71_c9a11e40","line":334,"range":{"start_line":334,"start_character":22,"end_line":334,"end_character":25},"in_reply_to":"9b11d1c8_cf4c760b","updated":"2025-10-17 17:25:50.000000000","message":"It is much better that you moved this to the runtime.","commit_id":"abcf83c992514f02849c40c7a402664d044b48d5"},{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"6ac0a5fe175fd7535179b63eef26dc2ab7ebce3c","unresolved":true,"context_lines":[{"line_number":331,"context_line":"    # then it is taken by another group during the base apt package install below. 
This happens"},{"line_number":332,"context_line":"    # because the files used to create the systemd-journal group are removed when"},{"line_number":333,"context_line":"    # systemd-standalone-sysusers is installed."},{"line_number":334,"context_line":"    \u0026\u0026 addgroup --gid 999 systemd-journal \\"},{"line_number":335,"context_line":"    \u0026\u0026 {{ macros.install_packages(base_apt_packages | customizable(\u0027apt_packages\u0027), True) }} \\"},{"line_number":336,"context_line":"    # NOTE: python3-pip installs dependent tzdata package and blocks mount in docker - 2091161"},{"line_number":337,"context_line":"    \u0026\u0026 unlink /etc/localtime"}],"source_content_type":"text/x-jinja2","patch_set":13,"id":"cf08ce81_ef2b138c","line":334,"range":{"start_line":334,"start_character":22,"end_line":334,"end_character":25},"in_reply_to":"c0a75d99_9a8c0b16","updated":"2025-09-10 10:46:08.000000000","message":"Fair point- I don\u0027t believe GID 999 is reserved specifically for systemd-journal in Debuntu. At least I can\u0027t find anything setting SYSTEMD_JOURNAL_GID [1].  Various bugs report that it gets mapped to 999 in practice. Eg [2].\n\nI can think of various alternatives. None are optimal.\n\n1. Revert the patch that triggered this issue [3]. Not ideal. Would cause other minor issues that need fixing.\n\n2. Open up read permissions on the systemd-journal. Ruled out due to security risk.\n\n3. At container run time, find the systemd-journal group GID on host. Add the fluentd user to that group in the container. Not ideal, because we will be adding fluentd to some random group, which could theoretically create a security risk. Not as bad as 2 perhaps.\n\n4. Stop dynamic allocation of GID 999 in Kolla containers I.e. reduce available range to 998 in base container. This allows option 3) to work smoothly. 
Perhaps this is slighter better than the approach taken here?\n\nAny preference / other idea?\n\n[1] https://github.com/systemd/systemd/blob/main/sysusers.d/systemd-journal.conf.in  \n[2] https://bugs.launchpad.net/ubuntu/+source/casper/+bug/2004092\n[3] https://review.opendev.org/c/openstack/kolla/+/958284","commit_id":"abcf83c992514f02849c40c7a402664d044b48d5"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"06aa483bc3c8e098c0bd9c9c028f67030f3588ed","unresolved":true,"context_lines":[{"line_number":331,"context_line":"    # then it is taken by another group during the base apt package install below. This happens"},{"line_number":332,"context_line":"    # because the files used to create the systemd-journal group are removed when"},{"line_number":333,"context_line":"    # systemd-standalone-sysusers is installed."},{"line_number":334,"context_line":"    \u0026\u0026 addgroup --gid 999 systemd-journal \\"},{"line_number":335,"context_line":"    \u0026\u0026 {{ macros.install_packages(base_apt_packages | customizable(\u0027apt_packages\u0027), True) }} \\"},{"line_number":336,"context_line":"    # NOTE: python3-pip installs dependent tzdata package and blocks mount in docker - 2091161"},{"line_number":337,"context_line":"    \u0026\u0026 unlink /etc/localtime"}],"source_content_type":"text/x-jinja2","patch_set":13,"id":"33ec8691_578f24d0","line":334,"range":{"start_line":334,"start_character":22,"end_line":334,"end_character":25},"in_reply_to":"cf08ce81_ef2b138c","updated":"2025-09-10 12:53:56.000000000","message":"yep.\n1. the GID is taken dynamically because not declared in the /usr/lib/sysusers.d/systemd-journal.conf on plain installed systems.\n2. sysusers.d(5) don\u0027t declare any defaults for now.\nIMHO we should declare some env variable with 999 value that would be visible in the Dockerfile and use it. 
later we can change the constant the right way.\n@doug@stackhpc.com what about do it this way right now?","commit_id":"abcf83c992514f02849c40c7a402664d044b48d5"}],"docker/fluentd/extend_start.sh":[{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"04612ed91878b0e6053897be2c6807020110a096","unresolved":true,"context_lines":[{"line_number":21,"context_line":""},{"line_number":22,"context_line":"# Allow fluentd to read the systemd journal"},{"line_number":23,"context_line":"if [ ! $(id -nG fluentd | grep -o \u0027systemd-journal\u0027) ]; then"},{"line_number":24,"context_line":"    sudo usermod -aG systemd-journal fluentd"},{"line_number":25,"context_line":"fi"}],"source_content_type":"text/x-sh","patch_set":3,"id":"80d24747_c071f112","line":24,"updated":"2025-07-25 11:17:51.000000000","message":"Works for Centos, but not Debian/Ubuntu:\n\n```\n2025-07-25T09:48:47.174223204Z ++ sudo usermod -aG systemd-journal fluentd\n2025-07-25T09:48:47.186426022Z usermod: group \u0027systemd-journal\u0027 does not exist\n```","commit_id":"f935b856c520ccbc57eee6bf1d6ef2e6194ae6e8"},{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"f939e328fcb023ad383f1894799bdae140f3dd2a","unresolved":true,"context_lines":[{"line_number":21,"context_line":""},{"line_number":22,"context_line":"# Allow fluentd to read the systemd journal"},{"line_number":23,"context_line":"if [ ! $(id -nG fluentd | grep -o \u0027systemd-journal\u0027) ]; then"},{"line_number":24,"context_line":"    sudo usermod -aG systemd-journal fluentd"},{"line_number":25,"context_line":"fi"}],"source_content_type":"text/x-sh","patch_set":3,"id":"a4aebdd5_cfe06f83","line":24,"in_reply_to":"80d24747_c071f112","updated":"2025-08-01 15:55:39.000000000","message":"What appears to be going wrong, is that during the base image build the systemd groups get trashed. 
On Ubuntu/Debian, systemd-journal takes GID 999, but then something awful happens:\n\nINFO:kolla.common.utils.base:Creating group \u0027input\u0027 with GID 999.\nINFO:kolla.common.utils.base:Creating group \u0027sgx\u0027 with GID 998.\nINFO:kolla.common.utils.base:Creating group \u0027kvm\u0027 with GID 997.","commit_id":"f935b856c520ccbc57eee6bf1d6ef2e6194ae6e8"},{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"691871a50dadcdb2a4fe2685af83990926bf9eca","unresolved":false,"context_lines":[{"line_number":21,"context_line":""},{"line_number":22,"context_line":"# Allow fluentd to read the systemd journal"},{"line_number":23,"context_line":"if [ ! $(id -nG fluentd | grep -o \u0027systemd-journal\u0027) ]; then"},{"line_number":24,"context_line":"    sudo usermod -aG systemd-journal fluentd"},{"line_number":25,"context_line":"fi"}],"source_content_type":"text/x-sh","patch_set":3,"id":"7b302698_fa67fe16","line":24,"in_reply_to":"849a03e9_d42b4246","updated":"2025-09-01 14:41:42.000000000","message":"Fixed via hardcoded group creation before the input/sgx/kvm groups are created","commit_id":"f935b856c520ccbc57eee6bf1d6ef2e6194ae6e8"},{"author":{"_account_id":17669,"name":"Doug Szumski","email":"doug@stackhpc.com","username":"DougSzumski"},"change_message_id":"db2656d5cd6e260cb107e54d784bd1b8103eb2a1","unresolved":true,"context_lines":[{"line_number":21,"context_line":""},{"line_number":22,"context_line":"# Allow fluentd to read the systemd journal"},{"line_number":23,"context_line":"if [ ! 
$(id -nG fluentd | grep -o \u0027systemd-journal\u0027) ]; then"},{"line_number":24,"context_line":"    sudo usermod -aG systemd-journal fluentd"},{"line_number":25,"context_line":"fi"}],"source_content_type":"text/x-sh","patch_set":3,"id":"849a03e9_d42b4246","line":24,"in_reply_to":"a4aebdd5_cfe06f83","updated":"2025-08-22 15:22:18.000000000","message":"What is going on here is that the systemd-standalone-sysusers package removes the files that create the systemd-journal group and others. This results in other groups taking their group IDs, like \u0027input\u0027 above.","commit_id":"f935b856c520ccbc57eee6bf1d6ef2e6194ae6e8"}]}
