)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":14394,"name":"Dale Smith","email":"dale@catalystcloud.nz","username":"dalees"},"change_message_id":"32fd35505aeda3fdd5572e27e1fcf823f1b903ad","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":21,"id":"be1006b7_56666b01","updated":"2022-02-03 01:07:23.000000000","message":"I might be misunderstanding where/when this code is being run, but it seems to skip the Fedora CoreOS upgrade and do a CA cert rotation instead.","commit_id":"a1198bc01841f3bee512cc77234f567b176b1d9d"}],"magnum/drivers/common/templates/kubernetes/fragments/upgrade-kubernetes.sh":[{"author":{"_account_id":28022,"name":"Bharat Kunwar","email":"brtknr@bath.edu","username":"brtknr"},"change_message_id":"06d7cc5920fdec04b47b582b948f5bb94e7bf20d","unresolved":true,"context_lines":[{"line_number":136,"context_line":"    $ssh_cmd cat \u003e /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-33-primary \u003c\u003c EOF"},{"line_number":137,"context_line":"-----BEGIN PGP PUBLIC KEY BLOCK-----"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"mQINBF4wBvsBEADQmcGbVUbDRUoXADReRmOOEMeydHghtKC9uRs9YNpGYZIB+bie"},{"line_number":140,"context_line":"bGYZmflQayfh/wEpO2W/IZfGpHPL42V7SbyvqMjwNls/fnXsCtf4LRofNK8Qd9fN"},{"line_number":141,"context_line":"kYargc9R7BEz/mwXKMiRQVx+DzkmqGWy2gq4iD0/mCyf5FdJCE40fOWoIGJXaOI1"},{"line_number":142,"context_line":"Tz1vWqKwLS5T0dfmi9U4Tp/XsKOZGvN8oi5h0KmqFk7LEZr1MXarhi2Va86sgxsF"}],"source_content_type":"text/x-sh","patch_set":7,"id":"41ec5ecc_21154d6d","line":139,"updated":"2021-03-15 06:40:33.000000000","message":"What is the source of this key? 
Can we not just download it as before?","commit_id":"e2453517e41e2922929c899fab50ce80299e1efa"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"1c5e08d39ffb6c442a42568351a444a828eaadf8","unresolved":true,"context_lines":[{"line_number":136,"context_line":"    $ssh_cmd cat \u003e /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-33-primary \u003c\u003c EOF"},{"line_number":137,"context_line":"-----BEGIN PGP PUBLIC KEY BLOCK-----"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"mQINBF4wBvsBEADQmcGbVUbDRUoXADReRmOOEMeydHghtKC9uRs9YNpGYZIB+bie"},{"line_number":140,"context_line":"bGYZmflQayfh/wEpO2W/IZfGpHPL42V7SbyvqMjwNls/fnXsCtf4LRofNK8Qd9fN"},{"line_number":141,"context_line":"kYargc9R7BEz/mwXKMiRQVx+DzkmqGWy2gq4iD0/mCyf5FdJCE40fOWoIGJXaOI1"},{"line_number":142,"context_line":"Tz1vWqKwLS5T0dfmi9U4Tp/XsKOZGvN8oi5h0KmqFk7LEZr1MXarhi2Va86sgxsF"}],"source_content_type":"text/x-sh","patch_set":7,"id":"d875590a_619baf00","line":139,"in_reply_to":"41ec5ecc_21154d6d","updated":"2021-03-16 20:49:23.000000000","message":"Thanks for the question. It\u0027s the RPM GPG key for Fedora CoreOS 33 branch. 
Without importing it, a node created based on Fedora 31 cannot be upgraded to Fedora CoreOS 33, because it usually contains only the key of the N+1 version.","commit_id":"e2453517e41e2922929c899fab50ce80299e1efa"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"bf66b8d790bff53f05c76c0538974bf4987841dc","unresolved":true,"context_lines":[{"line_number":136,"context_line":"    $ssh_cmd cat \u003e /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-33-primary \u003c\u003c EOF"},{"line_number":137,"context_line":"-----BEGIN PGP PUBLIC KEY BLOCK-----"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"mQINBF4wBvsBEADQmcGbVUbDRUoXADReRmOOEMeydHghtKC9uRs9YNpGYZIB+bie"},{"line_number":140,"context_line":"bGYZmflQayfh/wEpO2W/IZfGpHPL42V7SbyvqMjwNls/fnXsCtf4LRofNK8Qd9fN"},{"line_number":141,"context_line":"kYargc9R7BEz/mwXKMiRQVx+DzkmqGWy2gq4iD0/mCyf5FdJCE40fOWoIGJXaOI1"},{"line_number":142,"context_line":"Tz1vWqKwLS5T0dfmi9U4Tp/XsKOZGvN8oi5h0KmqFk7LEZr1MXarhi2Va86sgxsF"}],"source_content_type":"text/x-sh","patch_set":7,"id":"1b8e7862_962f2663","line":139,"in_reply_to":"bb6940f4_b29eb104","updated":"2021-03-16 21:58:19.000000000","message":"I\u0027m testing if I can just import it from a key url like this:\n\ncurl https://getfedora.org/static/fedora.gpg | gpg --import\n\nSee https://getfedora.org/security/","commit_id":"e2453517e41e2922929c899fab50ce80299e1efa"},{"author":{"_account_id":28022,"name":"Bharat Kunwar","email":"brtknr@bath.edu","username":"brtknr"},"change_message_id":"00e2b7c444007b55a65e9191c6b8f5511e87299b","unresolved":true,"context_lines":[{"line_number":136,"context_line":"    $ssh_cmd cat \u003e /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-33-primary \u003c\u003c EOF"},{"line_number":137,"context_line":"-----BEGIN PGP PUBLIC KEY 
BLOCK-----"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"mQINBF4wBvsBEADQmcGbVUbDRUoXADReRmOOEMeydHghtKC9uRs9YNpGYZIB+bie"},{"line_number":140,"context_line":"bGYZmflQayfh/wEpO2W/IZfGpHPL42V7SbyvqMjwNls/fnXsCtf4LRofNK8Qd9fN"},{"line_number":141,"context_line":"kYargc9R7BEz/mwXKMiRQVx+DzkmqGWy2gq4iD0/mCyf5FdJCE40fOWoIGJXaOI1"},{"line_number":142,"context_line":"Tz1vWqKwLS5T0dfmi9U4Tp/XsKOZGvN8oi5h0KmqFk7LEZr1MXarhi2Va86sgxsF"}],"source_content_type":"text/x-sh","patch_set":7,"id":"bb6940f4_b29eb104","line":139,"in_reply_to":"d875590a_619baf00","updated":"2021-03-16 21:42:54.000000000","message":"Can we not download it from the original source?","commit_id":"e2453517e41e2922929c899fab50ce80299e1efa"},{"author":{"_account_id":28022,"name":"Bharat Kunwar","email":"brtknr@bath.edu","username":"brtknr"},"change_message_id":"c3af69620bb323954eb13b08f4eaee6bc19f634a","unresolved":true,"context_lines":[{"line_number":113,"context_line":"if [[ $current_ostree_remote \u003d\u003d *\"fedora:fedora/x86_64/coreos/stable\"* ]]; then"},{"line_number":114,"context_line":"    # By default there is no RPM PGP key for FC33 if the server built on"},{"line_number":115,"context_line":"    # FC31, so add the GPG key to make sure server can upgrade from FC31 to FC33."},{"line_number":116,"context_line":"    ${ssh_cmd} curl https://getfedora.org/static/fedora.gpg \u003e /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary"},{"line_number":117,"context_line":"    ${ssh_cmd} ostree remote add --set\u003dgpgkeypath\u003d/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary --contenturl\u003dmirrorlist\u003dhttps://ostree.fedoraproject.org/mirrorlist fedora-latest https://ostree.fedoraproject.org"},{"line_number":118,"context_line":"fi"},{"line_number":119,"context_line":""}],"source_content_type":"text/x-sh","patch_set":8,"id":"7366345b_c2af7ffe","line":116,"range":{"start_line":116,"start_character":60,"end_line":116,"end_character":112},"updated":"2021-03-23 
09:09:19.000000000","message":"does gpg --import not work here?","commit_id":"1b098943988348599e3adef8d45f5ded98779f53"},{"author":{"_account_id":28022,"name":"Bharat Kunwar","email":"brtknr@bath.edu","username":"brtknr"},"change_message_id":"d8799ce635c30700ee377549890e3d59945bc2c7","unresolved":true,"context_lines":[{"line_number":113,"context_line":"if [[ $current_ostree_remote \u003d\u003d *\"fedora:fedora/x86_64/coreos/stable\"* ]]; then"},{"line_number":114,"context_line":"    # By default there is no RPM PGP key for FC33 if the server built on"},{"line_number":115,"context_line":"    # FC31, so add the GPG key to make sure server can upgrade from FC31 to FC33."},{"line_number":116,"context_line":"    ${ssh_cmd} curl https://getfedora.org/static/fedora.gpg \u003e /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary"},{"line_number":117,"context_line":"    ${ssh_cmd} ostree remote add --set\u003dgpgkeypath\u003d/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary --contenturl\u003dmirrorlist\u003dhttps://ostree.fedoraproject.org/mirrorlist fedora-latest https://ostree.fedoraproject.org"},{"line_number":118,"context_line":"fi"},{"line_number":119,"context_line":""}],"source_content_type":"text/x-sh","patch_set":8,"id":"b82a9a1b_dbcb224a","line":116,"range":{"start_line":116,"start_character":60,"end_line":116,"end_character":112},"in_reply_to":"190bdb1a_40a2283d","updated":"2021-04-06 10:19:35.000000000","message":"Looks like you can do this which may be a bit cleaner:\n\n```\n[root@k8s-1-20-3eibkggotlvv-node-0 core]# ostree remote add --contenturl\u003dmirrorlist\u003dhttps://ostree.fedoraproject.org/mirrorlist fedora-latest https://ostree.fedoraproject.org\n[root@k8s-1-20-3eibkggotlvv-node-0 core]# curl https://getfedora.org/static/fedora.gpg | ostree remote gpg-import fedora-latest --stdin\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100 12543  100 
12543    0     0  19598      0 --:--:-- --:--:-- --:--:-- 19567\nImported 8 GPG keys to remote \"fedora-latest\"\n```","commit_id":"1b098943988348599e3adef8d45f5ded98779f53"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"4a9d82fc9ce0a6e9bfb9301dbca59fada3331e29","unresolved":true,"context_lines":[{"line_number":113,"context_line":"if [[ $current_ostree_remote \u003d\u003d *\"fedora:fedora/x86_64/coreos/stable\"* ]]; then"},{"line_number":114,"context_line":"    # By default there is no RPM PGP key for FC33 if the server built on"},{"line_number":115,"context_line":"    # FC31, so add the GPG key to make sure server can upgrade from FC31 to FC33."},{"line_number":116,"context_line":"    ${ssh_cmd} curl https://getfedora.org/static/fedora.gpg \u003e /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary"},{"line_number":117,"context_line":"    ${ssh_cmd} ostree remote add --set\u003dgpgkeypath\u003d/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary --contenturl\u003dmirrorlist\u003dhttps://ostree.fedoraproject.org/mirrorlist fedora-latest https://ostree.fedoraproject.org"},{"line_number":118,"context_line":"fi"},{"line_number":119,"context_line":""}],"source_content_type":"text/x-sh","patch_set":8,"id":"f8ef39a6_9ab333cc","line":116,"range":{"start_line":116,"start_character":60,"end_line":116,"end_character":112},"in_reply_to":"7366345b_c2af7ffe","updated":"2021-03-23 17:34:12.000000000","message":"Yep, based on my testing. It didn\u0027t work. 
We need to save the key into a place and then add a \"remote\" branch to consume that key.\n\nIn my testing, after the import, I cannot know where the key was actually saved then don\u0027t know how to add the \"remote\" to consume that key.","commit_id":"1b098943988348599e3adef8d45f5ded98779f53"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"589c23ca2ac2decd8f46a84afddb320c9e942289","unresolved":true,"context_lines":[{"line_number":113,"context_line":"if [[ $current_ostree_remote \u003d\u003d *\"fedora:fedora/x86_64/coreos/stable\"* ]]; then"},{"line_number":114,"context_line":"    # By default there is no RPM PGP key for FC33 if the server built on"},{"line_number":115,"context_line":"    # FC31, so add the GPG key to make sure server can upgrade from FC31 to FC33."},{"line_number":116,"context_line":"    ${ssh_cmd} curl https://getfedora.org/static/fedora.gpg \u003e /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary"},{"line_number":117,"context_line":"    ${ssh_cmd} ostree remote add --set\u003dgpgkeypath\u003d/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary --contenturl\u003dmirrorlist\u003dhttps://ostree.fedoraproject.org/mirrorlist fedora-latest https://ostree.fedoraproject.org"},{"line_number":118,"context_line":"fi"},{"line_number":119,"context_line":""}],"source_content_type":"text/x-sh","patch_set":8,"id":"190bdb1a_40a2283d","line":116,"range":{"start_line":116,"start_character":60,"end_line":116,"end_character":112},"in_reply_to":"a5cdea86_265dcfcd","updated":"2021-04-02 19:43:44.000000000","message":"Yep, I don\u0027t really understand why, TBH. 
But it doesn\u0027t work, you can download this patch and give it a try in case I missed something.","commit_id":"1b098943988348599e3adef8d45f5ded98779f53"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"7f19c31c350050742f8f26fec45b1aa59088ae74","unresolved":true,"context_lines":[{"line_number":113,"context_line":"if [[ $current_ostree_remote \u003d\u003d *\"fedora:fedora/x86_64/coreos/stable\"* ]]; then"},{"line_number":114,"context_line":"    # By default there is no RPM PGP key for FC33 if the server built on"},{"line_number":115,"context_line":"    # FC31, so add the GPG key to make sure server can upgrade from FC31 to FC33."},{"line_number":116,"context_line":"    ${ssh_cmd} curl https://getfedora.org/static/fedora.gpg \u003e /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary"},{"line_number":117,"context_line":"    ${ssh_cmd} ostree remote add --set\u003dgpgkeypath\u003d/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary --contenturl\u003dmirrorlist\u003dhttps://ostree.fedoraproject.org/mirrorlist fedora-latest https://ostree.fedoraproject.org"},{"line_number":118,"context_line":"fi"},{"line_number":119,"context_line":""}],"source_content_type":"text/x-sh","patch_set":8,"id":"2702199d_e854f0d6","line":116,"range":{"start_line":116,"start_character":60,"end_line":116,"end_character":112},"in_reply_to":"b82a9a1b_dbcb224a","updated":"2021-04-06 23:24:36.000000000","message":"unfortunately, it doesn\u0027t work for me.\n\n[root@k8s-2-6c22ineprx5f-master-0 core]# ostree remote add --contenturl\u003dmirrorlist\u003dhttps://ostree.fedoraproject.org/mirrorlist fedora-latest https://ostree.fedoraproject.org\n[root@k8s-2-6c22ineprx5f-master-0 core]# curl https://getfedora.org/static/fedora.gpg | ostree remote gpg-import fedora-latest --stdin\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  
Speed\n100 12543  100 12543    0     0  10222      0  0:00:01  0:00:01 --:--:-- 10230\nImported 8 GPG keys to remote \"fedora-latest\"\n[root@k8s-2-6c22ineprx5f-master-0 core]# rpm-ostree deploy 7e0bab11e0b085a010a316acd0ccb9781f2e1fbe04e0355b88aff02feefda7b8\nValidating checksum \u00277e0bab11e0b085a010a316acd0ccb9781f2e1fbe04e0355b88aff02feefda7b8\u0027\nReceiving metadata objects: 0/(estimating) -/s 0 bytes... done\nerror: Commit db5401f9952d87d93fed66fc13ce1a837f8150ee55b1585434f33eba6f600df9: Signature made Mon Mar 29 14:55:15 2021 using RSA key ID 49FD77499570FF31\nCan\u0027t check signature: public key not found","commit_id":"1b098943988348599e3adef8d45f5ded98779f53"},{"author":{"_account_id":28022,"name":"Bharat Kunwar","email":"brtknr@bath.edu","username":"brtknr"},"change_message_id":"e6170373f25b02c38d7e1f9cc86161f628300182","unresolved":true,"context_lines":[{"line_number":113,"context_line":"if [[ $current_ostree_remote \u003d\u003d *\"fedora:fedora/x86_64/coreos/stable\"* ]]; then"},{"line_number":114,"context_line":"    # By default there is no RPM PGP key for FC33 if the server built on"},{"line_number":115,"context_line":"    # FC31, so add the GPG key to make sure server can upgrade from FC31 to FC33."},{"line_number":116,"context_line":"    ${ssh_cmd} curl https://getfedora.org/static/fedora.gpg \u003e /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary"},{"line_number":117,"context_line":"    ${ssh_cmd} ostree remote add --set\u003dgpgkeypath\u003d/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-latest-primary --contenturl\u003dmirrorlist\u003dhttps://ostree.fedoraproject.org/mirrorlist fedora-latest https://ostree.fedoraproject.org"},{"line_number":118,"context_line":"fi"},{"line_number":119,"context_line":""}],"source_content_type":"text/x-sh","patch_set":8,"id":"a5cdea86_265dcfcd","line":116,"range":{"start_line":116,"start_character":60,"end_line":116,"end_character":112},"in_reply_to":"f8ef39a6_9ab333cc","updated":"2021-04-01 
08:26:13.000000000","message":"Strange, I thought it would work without specifying the gpgkeypath at all since it has already been \"imported\"","commit_id":"1b098943988348599e3adef8d45f5ded98779f53"},{"author":{"_account_id":20498,"name":"Spyros Trigazis","email":"spyridon.trigazis@cern.ch","username":"strigazi"},"change_message_id":"0a102122d8c55461dc78467e10ff7e77f1d0a5db","unresolved":true,"context_lines":[{"line_number":2,"context_line":""},{"line_number":3,"context_line":"set +x"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"if [ ! -d \"/etc/sysconfig/heat-params\" ]; then"},{"line_number":6,"context_line":"    echo \"File /etc/sysconfig/heat-params can not be found. Cluster update is involving a node rebuild.\""},{"line_number":7,"context_line":"    exit 0"},{"line_number":8,"context_line":"fi"}],"source_content_type":"text/x-sh","patch_set":9,"id":"f2d0f529_755b9b75","line":5,"updated":"2021-04-01 09:34:54.000000000","message":"Isn\u0027t this a file? so -f","commit_id":"0a6d91362ae4b76d6dc7280765072df7993f6017"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"7ad1ba8850c83499f4cd5c7ab65e8efe114ab82c","unresolved":true,"context_lines":[{"line_number":2,"context_line":""},{"line_number":3,"context_line":"set +x"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"if [ ! -d \"/etc/sysconfig/heat-params\" ]; then"},{"line_number":6,"context_line":"    echo \"File /etc/sysconfig/heat-params can not be found. Cluster update is involving a node rebuild.\""},{"line_number":7,"context_line":"    exit 0"},{"line_number":8,"context_line":"fi"}],"source_content_type":"text/x-sh","patch_set":9,"id":"0a0a69c6_c278a048","line":5,"in_reply_to":"f2d0f529_755b9b75","updated":"2021-04-02 19:40:36.000000000","message":"nice catch. 
I will fix it.","commit_id":"0a6d91362ae4b76d6dc7280765072df7993f6017"},{"author":{"_account_id":20498,"name":"Spyros Trigazis","email":"spyridon.trigazis@cern.ch","username":"strigazi"},"change_message_id":"0a102122d8c55461dc78467e10ff7e77f1d0a5db","unresolved":true,"context_lines":[{"line_number":3,"context_line":"set +x"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"if [ ! -d \"/etc/sysconfig/heat-params\" ]; then"},{"line_number":6,"context_line":"    echo \"File /etc/sysconfig/heat-params can not be found. Cluster update is involving a node rebuild.\""},{"line_number":7,"context_line":"    exit 0"},{"line_number":8,"context_line":"fi"},{"line_number":9,"context_line":""}],"source_content_type":"text/x-sh","patch_set":9,"id":"157587ff_21b45f3e","line":6,"range":{"start_line":6,"start_character":60,"end_line":6,"end_character":103},"updated":"2021-04-01 09:34:54.000000000","message":"When does this happen?","commit_id":"0a6d91362ae4b76d6dc7280765072df7993f6017"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"7ad1ba8850c83499f4cd5c7ab65e8efe114ab82c","unresolved":true,"context_lines":[{"line_number":3,"context_line":"set +x"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"if [ ! -d \"/etc/sysconfig/heat-params\" ]; then"},{"line_number":6,"context_line":"    echo \"File /etc/sysconfig/heat-params can not be found. Cluster update is involving a node rebuild.\""},{"line_number":7,"context_line":"    exit 0"},{"line_number":8,"context_line":"fi"},{"line_number":9,"context_line":""}],"source_content_type":"text/x-sh","patch_set":9,"id":"199f5220_e1dc1940","line":6,"range":{"start_line":6,"start_character":60,"end_line":6,"end_character":103},"in_reply_to":"157587ff_21b45f3e","updated":"2021-04-02 19:40:36.000000000","message":"It\u0027s a tricky scenario. 
When doing a cluster upgrade, if the image_id changed in the new cluster template, Heat will trigger a Nova instance rebuild during the cluster upgrade. As a result, all 3 of those software deployments (kube_cluster_deploy, master_config_deployment and upgrade_kubernetes_deployment) will be triggered in an unexpected order. That\u0027s why I\u0027m using depends_on to make sure upgrade_kubernetes_deployment runs after master_config_deployment, and \"name\" to make sure kube_cluster_deploy runs after master_config_deployment; see http://greenstack.die.upm.es/2015/05/05/heat-softwareconfig-resources-primeroverview/\n\nI hope that makes more sense now.","commit_id":"0a6d91362ae4b76d6dc7280765072df7993f6017"},{"author":{"_account_id":16036,"name":"Krzysztof Klimonda","email":"kklimonda@syntaxhighlighted.com","username":"kklimonda"},"change_message_id":"3e3cff7bd0c2234ec13fcb57d44597e5039b28cc","unresolved":true,"context_lines":[{"line_number":3,"context_line":"set +x"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"if [ ! -f \"/etc/sysconfig/heat-params\" ]; then"},{"line_number":6,"context_line":"    echo \"File /etc/sysconfig/heat-params can not be found. Cluster update is involving a node rebuild.\""},{"line_number":7,"context_line":"    exit 0"},{"line_number":8,"context_line":"fi"},{"line_number":9,"context_line":""}],"source_content_type":"text/x-sh","patch_set":12,"id":"433d4607_50a9d3ae","line":6,"updated":"2021-04-21 17:06:35.000000000","message":"Wouldn\u0027t it make sense to drain the node at this point, if we know for the fact that it\u0027s about to be rebuilt? 
If for whatever reason it\u0027s not a good place to do that, is there some better way of ensuring that the node is drained before we rebuild it?","commit_id":"0a92b33b61ec519d1afbbed6217cf225a02927a6"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"2c1dae3c38d85e0c3414afb76dcd5f642e8d9176","unresolved":true,"context_lines":[{"line_number":3,"context_line":"set +x"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"if [ ! -f \"/etc/sysconfig/heat-params\" ]; then"},{"line_number":6,"context_line":"    echo \"File /etc/sysconfig/heat-params can not be found. Cluster update is involving a node rebuild.\""},{"line_number":7,"context_line":"    exit 0"},{"line_number":8,"context_line":"fi"},{"line_number":9,"context_line":""}],"source_content_type":"text/x-sh","patch_set":12,"id":"ccc74f49_554dd87b","line":6,"in_reply_to":"433d4607_50a9d3ae","updated":"2021-04-23 02:05:23.000000000","message":"Hi Krzysztof, thanks for your comments. Unfortunately, we cannot do that. Because when this piece of code being run, the node has already been rebuilt. So we cannot drain the node here 😞\n\nI\u0027m thinking to leverage the pre-create or pre-update hook of Heat to \u0027pause\u0027 the process, so that we can get a chance to drain the node, but that probably means we have to use something running inside the cluster to trigger the drain action and then signal Heat to continue. Please let me know if you have a better idea. Cheers.","commit_id":"0a92b33b61ec519d1afbbed6217cf225a02927a6"},{"author":{"_account_id":16036,"name":"Krzysztof Klimonda","email":"kklimonda@syntaxhighlighted.com","username":"kklimonda"},"change_message_id":"c8050425268a4b9c76d9afa9c2f186d318245cbf","unresolved":true,"context_lines":[{"line_number":3,"context_line":"set +x"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"if [ ! 
-f \"/etc/sysconfig/heat-params\" ]; then"},{"line_number":6,"context_line":"    echo \"File /etc/sysconfig/heat-params can not be found. Cluster update is involving a node rebuild.\""},{"line_number":7,"context_line":"    exit 0"},{"line_number":8,"context_line":"fi"},{"line_number":9,"context_line":""}],"source_content_type":"text/x-sh","patch_set":12,"id":"c7717e63_02423089","line":6,"in_reply_to":"ccc74f49_554dd87b","updated":"2021-04-27 12:20:00.000000000","message":"Thanks, I kind of expected that to be the case based on my previous findings but hope dies last - perhaps you could make the wording more explicit? Something like \"Node rebuilt as part of the cluster update\"?\n\nI have to say, trying to figure out what exactly can be done in Heat has been an exercise in frustration. There was a blueprint draft started here that talked about adding support for what we seemingly need: https://blueprints.launchpad.net/heat/+spec/update-hooks but the comment only mentions another blueprint that\u0027s supposed to \"cover 99% or more of [usecases]\". The aforementioned blueprint is https://blueprints.launchpad.net/heat/+spec/action-aware-sw-config but it\u0027s not clear to me what is actually implemented and how it works - I have a feeling that it doesn\u0027t, as SoftwareDeployment \"depends\" on the Server so I assume it will only start updating after server is rebuilt. Also, I don\u0027t think it\u0027s safe to upgrade master nodes (and etcd cluster) without some sort of global/shared lock anyway so that may be dead end anyway.\n\nPerhaps you are right, and pre-update hooks are what we really should be using - I\u0027ve looked into them but came to the same conclusion that some extra component running in the cluster are needed. But perhaps that\u0027s the case and there is no reason to look for something else? If so, what would the upgrade process look like? 
Is there a way for magnum to push information about pending update to the cluster component, or would it have to query magnum periodically?","commit_id":"0a92b33b61ec519d1afbbed6217cf225a02927a6"},{"author":{"_account_id":28022,"name":"Bharat Kunwar","email":"brtknr@bath.edu","username":"brtknr"},"change_message_id":"f947bbdc8c62899ef601ca2ffd9f04bf12b6ecf7","unresolved":true,"context_lines":[{"line_number":10,"context_line":". /etc/sysconfig/heat-params"},{"line_number":11,"context_line":"set -x"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"set -eu -o pipefail"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"ssh_cmd\u003d\"ssh -F /srv/magnum/.ssh/config root@localhost\""},{"line_number":16,"context_line":"KUBECONFIG\u003d\"/etc/kubernetes/kubelet-config.yaml\""}],"source_content_type":"text/x-sh","patch_set":20,"id":"f8d6b0af_01a2c541","line":13,"range":{"start_line":13,"start_character":4,"end_line":13,"end_character":8},"updated":"2021-08-27 19:24:19.000000000","message":"-eux?","commit_id":"dbb66db345b7807f3ef0dc1cc4cc7768b8a91775"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"04e00fb3c673a333af0658acb25380dc3a098096","unresolved":true,"context_lines":[{"line_number":10,"context_line":". 
/etc/sysconfig/heat-params"},{"line_number":11,"context_line":"set -x"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"set -eu -o pipefail"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"ssh_cmd\u003d\"ssh -F /srv/magnum/.ssh/config root@localhost\""},{"line_number":16,"context_line":"KUBECONFIG\u003d\"/etc/kubernetes/kubelet-config.yaml\""}],"source_content_type":"text/x-sh","patch_set":20,"id":"6a1c6134_147dc6ed","line":13,"range":{"start_line":13,"start_character":4,"end_line":13,"end_character":8},"in_reply_to":"f8d6b0af_01a2c541","updated":"2021-09-14 22:43:15.000000000","message":"Will fix it in next PS.","commit_id":"dbb66db345b7807f3ef0dc1cc4cc7768b8a91775"},{"author":{"_account_id":28022,"name":"Bharat Kunwar","email":"brtknr@bath.edu","username":"brtknr"},"change_message_id":"f947bbdc8c62899ef601ca2ffd9f04bf12b6ecf7","unresolved":true,"context_lines":[{"line_number":42,"context_line":""},{"line_number":43,"context_line":"# TODO: Remove this after k8s v1.20 end of life"},{"line_number":44,"context_line":"function fix_v1_20_insecure_port {"},{"line_number":45,"context_line":"    # Only hanlde case upgrade to v1.20.x, with insecured port 8080 on master nodes"},{"line_number":46,"context_line":"    if [[ ${new_kube_tag} \u003d~ v1.20.* ]] \u0026\u0026 [[ -f /etc/kubernetes/apiserver ]] \u0026\u0026 grep \"insecure-port\u003d8080\" /etc/kubernetes/apiserver; then"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"        if [ \"$VERIFY_CA\" \u003d\u003d \"True\" ]; then"}],"source_content_type":"text/x-sh","patch_set":20,"id":"a13976c9_ced7788f","line":45,"range":{"start_line":45,"start_character":4,"end_line":45,"end_character":83},"updated":"2021-08-27 19:24:19.000000000","message":"this is only for clusters older than 1.20 created with this template correct? 
it wouldnt work for existing clusters for example?","commit_id":"dbb66db345b7807f3ef0dc1cc4cc7768b8a91775"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"04e00fb3c673a333af0658acb25380dc3a098096","unresolved":true,"context_lines":[{"line_number":42,"context_line":""},{"line_number":43,"context_line":"# TODO: Remove this after k8s v1.20 end of life"},{"line_number":44,"context_line":"function fix_v1_20_insecure_port {"},{"line_number":45,"context_line":"    # Only hanlde case upgrade to v1.20.x, with insecured port 8080 on master nodes"},{"line_number":46,"context_line":"    if [[ ${new_kube_tag} \u003d~ v1.20.* ]] \u0026\u0026 [[ -f /etc/kubernetes/apiserver ]] \u0026\u0026 grep \"insecure-port\u003d8080\" /etc/kubernetes/apiserver; then"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"        if [ \"$VERIFY_CA\" \u003d\u003d \"True\" ]; then"}],"source_content_type":"text/x-sh","patch_set":20,"id":"addaba33_e5679349","line":45,"range":{"start_line":45,"start_character":4,"end_line":45,"end_character":83},"in_reply_to":"a13976c9_ced7788f","updated":"2021-09-14 22:43:15.000000000","message":"Yes, correct.","commit_id":"dbb66db345b7807f3ef0dc1cc4cc7768b8a91775"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"8ad385f54edbf5d310bc6cc0628670df4c1c87b6","unresolved":true,"context_lines":[{"line_number":42,"context_line":""},{"line_number":43,"context_line":"# TODO: Remove this after k8s v1.20 end of life"},{"line_number":44,"context_line":"function fix_v1_20_insecure_port {"},{"line_number":45,"context_line":"    # Only hanlde case upgrade to v1.20.x, with insecured port 8080 on master nodes"},{"line_number":46,"context_line":"    if [[ ${new_kube_tag} \u003d~ v1.20.* ]] \u0026\u0026 [[ -f /etc/kubernetes/apiserver ]] \u0026\u0026 grep \"insecure-port\u003d8080\" /etc/kubernetes/apiserver; 
then"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"        if [ \"$VERIFY_CA\" \u003d\u003d \"True\" ]; then"}],"source_content_type":"text/x-sh","patch_set":20,"id":"63623cbb_f7b8f625","line":45,"range":{"start_line":45,"start_character":4,"end_line":45,"end_character":83},"in_reply_to":"addaba33_e5679349","updated":"2021-09-22 21:26:54.000000000","message":"Actually, I probably need to improve this, because some versions of v1.19.x are also affected by this insecured port issue.","commit_id":"dbb66db345b7807f3ef0dc1cc4cc7768b8a91775"},{"author":{"_account_id":14394,"name":"Dale Smith","email":"dale@catalystcloud.nz","username":"dalees"},"change_message_id":"32fd35505aeda3fdd5572e27e1fcf823f1b903ad","unresolved":true,"context_lines":[{"line_number":295,"context_line":"# NOTE(flwang): 1. Either deploy or rebase for only one upgrade"},{"line_number":296,"context_line":"#               2. Using rpm-ostree command instead of atomic command to keep the possibility of supporting fedora coreos 30"},{"line_number":297,"context_line":"#               3. Do not trigger upgrade if it\u0027s a CA rotate action"},{"line_number":298,"context_line":"if [ -z \"$service_account_key\" ] \u0026\u0026 [ -z \"$service_account_private_key\" ] ; then"},{"line_number":299,"context_line":"    if [ \"$new_ostree_commit\" !\u003d \"\" ] \u0026\u0026 [ \"$current_ostree_commit\" !\u003d \"\" ] \u0026\u0026 [ \"$current_ostree_commit\" !\u003d \"$new_ostree_commit\" ]; then"},{"line_number":300,"context_line":"        drain"},{"line_number":301,"context_line":"        ${ssh_cmd} rpm-ostree deploy $new_ostree_commit"}],"source_content_type":"text/x-sh","patch_set":21,"id":"2d9e8e8d_28951da3","line":298,"updated":"2022-02-03 01:07:23.000000000","message":"When I trigger an upgrade using a template with only a changed `ostree_commit` value, the upgrade script runs but this \u0027if\u0027 statement is false due to `$service_account_key` existing. 
The node upgrade does not take place.\n\nInstead I see output that ends up performing \"rotate CA certs on master\".\n\nBut the action I\u0027d expect is to perform the drain, and deploy of a new ostree.\n\nIs this `if` statement checking the correct thing?","commit_id":"a1198bc01841f3bee512cc77234f567b176b1d9d"}],"magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml":[{"author":{"_account_id":28022,"name":"Bharat Kunwar","email":"brtknr@bath.edu","username":"brtknr"},"change_message_id":"e6170373f25b02c38d7e1f9cc86161f628300182","unresolved":true,"context_lines":[{"line_number":1396,"context_line":"    type: OS::Heat::SoftwareDeployment"},{"line_number":1397,"context_line":"    properties:"},{"line_number":1398,"context_line":"      actions: [\u0027CREATE\u0027]"},{"line_number":1399,"context_line":"      name: master_config_deployment_2"},{"line_number":1400,"context_line":"      signal_transport: HEAT_SIGNAL"},{"line_number":1401,"context_line":"      config:"},{"line_number":1402,"context_line":"        get_resource: kube_cluster_config"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"bba445ee_2fbf7272","line":1399,"range":{"start_line":1399,"start_character":12,"end_line":1399,"end_character":38},"updated":"2021-04-01 08:26:13.000000000","message":"it makes sense to call this cluster_config_deployment rather than master_config_deployment_2 since it only needs to run in the cluster once one one of the master nodes.","commit_id":"0a6d91362ae4b76d6dc7280765072df7993f6017"},{"author":{"_account_id":6484,"name":"Feilong Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"a5b47c7e3adca590f39ff3ba30703b1d057fcba5","unresolved":true,"context_lines":[{"line_number":1396,"context_line":"    type: OS::Heat::SoftwareDeployment"},{"line_number":1397,"context_line":"    properties:"},{"line_number":1398,"context_line":"      actions: [\u0027CREATE\u0027]"},{"line_number":1399,"context_line":"      name: 
master_config_deployment_2"},{"line_number":1400,"context_line":"      signal_transport: HEAT_SIGNAL"},{"line_number":1401,"context_line":"      config:"},{"line_number":1402,"context_line":"        get_resource: kube_cluster_config"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"f24b8ba3_baec5436","line":1399,"range":{"start_line":1399,"start_character":12,"end_line":1399,"end_character":38},"in_reply_to":"bba445ee_2fbf7272","updated":"2021-04-05 23:54:10.000000000","message":"Did you see my comments about answering Spyros\u0027s question? That explains why we need the attribute \u0027name\u0027.","commit_id":"0a6d91362ae4b76d6dc7280765072df7993f6017"}],"magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml":[{"author":{"_account_id":28022,"name":"Bharat Kunwar","email":"brtknr@bath.edu","username":"brtknr"},"change_message_id":"e6170373f25b02c38d7e1f9cc86161f628300182","unresolved":true,"context_lines":[{"line_number":915,"context_line":"  master_config_deployment:"},{"line_number":916,"context_line":"    type: OS::Heat::SoftwareDeployment"},{"line_number":917,"context_line":"    properties:"},{"line_number":918,"context_line":"      name: master_config_deployment_1"},{"line_number":919,"context_line":"      signal_transport: HEAT_SIGNAL"},{"line_number":920,"context_line":"      config: {get_resource: master_config}"},{"line_number":921,"context_line":"      server: {if: [\"volume_based\", {get_resource: kube-master-bfv}, {get_resource: kube-master}]}"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"85386b1c_2ab59241","line":918,"range":{"start_line":918,"start_character":12,"end_line":918,"end_character":38},"updated":"2021-04-01 08:26:13.000000000","message":"lets discard this name and leave it as \"master_config_deployment\"","commit_id":"0a6d91362ae4b76d6dc7280765072df7993f6017"},{"author":{"_account_id":6484,"name":"Feilong 
Wang","email":"hustemb@gmail.com","username":"flwang"},"change_message_id":"37770adbea6820c33d87df41c69a1bf489d01a3d","unresolved":true,"context_lines":[{"line_number":915,"context_line":"  master_config_deployment:"},{"line_number":916,"context_line":"    type: OS::Heat::SoftwareDeployment"},{"line_number":917,"context_line":"    properties:"},{"line_number":918,"context_line":"      name: master_config_deployment_1"},{"line_number":919,"context_line":"      signal_transport: HEAT_SIGNAL"},{"line_number":920,"context_line":"      config: {get_resource: master_config}"},{"line_number":921,"context_line":"      server: {if: [\"volume_based\", {get_resource: kube-master-bfv}, {get_resource: kube-master}]}"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3afe738b_68fbd5e0","line":918,"range":{"start_line":918,"start_character":12,"end_line":918,"end_character":38},"in_reply_to":"85386b1c_2ab59241","updated":"2021-04-01 08:39:53.000000000","message":"Sorry, I should explain this. There is an ordering issue: without the name, the kube_cluster_deploy softwareDeployment will run first and fail because the kube-apiserver has not been deployed yet.\n\nWith the attribute \"name\", we can do a sort order, see http://greenstack.die.upm.es/2015/05/05/heat-softwareconfig-resources-primeroverview/","commit_id":"0a6d91362ae4b76d6dc7280765072df7993f6017"}]}
