)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"f7443cb95f1b173a05a8dc30f262f9934f03a865","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"ee267986_389ccd68","updated":"2023-10-20 03:33:48.000000000","message":"I prefer to add a new opts such as ssl_ca_files, because Trove guest agent not only needs to communicate with RabbitMQ but also other service, such as Swift.","commit_id":"56e8990870256f81289e62887d3e04df6a229592"},{"author":{"_account_id":31737,"name":"Hirotaka Wakabayashi","email":"hiwkby@yahoo.com","username":"hiwkby"},"change_message_id":"c12e5a1fce5d1577b058cd983f75811ca60cf70f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"ff490c91_be01c459","updated":"2023-10-19 16:05:38.000000000","message":"recheck","commit_id":"56e8990870256f81289e62887d3e04df6a229592"},{"author":{"_account_id":8213,"name":"Claudiu Belu","email":"claudiu.belu@canonical.com","username":"claudiub"},"change_message_id":"cd783adbf0d59e08d236ed83dd90d8eebcaca5b0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"278ed582_25eac61f","in_reply_to":"ee267986_389ccd68","updated":"2023-10-23 09:54:20.000000000","message":"Fair enough. Will update commit.","commit_id":"56e8990870256f81289e62887d3e04df6a229592"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"7cc353217c2dc77d381fe35c38797361788e5890","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"d781f5fd_60cd8a64","updated":"2023-11-13 13:23:05.000000000","message":"sorry for my previous comment again. After I checked the swift and keystone code used in the trove, I realized  that They use ``ssl_verify\u003dfalse`` or something like to skip the verification of SSL, so this patch should focus on the rabbitmq SSL only. 
I also tested this patch in my local environment, but I got an error: `Request is too large. Larger than max_request_body_size (114688)`, which is the same as [0]. This message indicates that the user_data is too large for the POST to nova_api.[1]\nI will investigate to see if there are any better solutions.\n\n[0]:https://lists.openstack.org/pipermail/openstack-discuss/2023-February/032163.html\n[1]:https://docs.openstack.org/mitaka/config-reference/compute/config-options.html","commit_id":"578eb98dc3ea6475a7f43880081cb79058d70907"}],"trove/instance/models.py":[{"author":{"_account_id":28691,"name":"Bo Tran","email":"ministry.96.nd@gmail.com","username":"ministry"},"change_message_id":"c6e297673dc53f9a909b5c25259924d7398634f7","unresolved":true,"context_lines":[{"line_number":1035,"context_line":"        # These sections might not exist in CONF if the config file do not"},{"line_number":1036,"context_line":"        # contain them."},{"line_number":1037,"context_line":"        ssl_ca_files \u003d []"},{"line_number":1038,"context_line":"        if \u0027oslo_messaging_rabbit\u0027 in CONF and CONF.oslo_messaging_rabbit.ssl:"},{"line_number":1039,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_rabbit.ssl_ca_file)"},{"line_number":1040,"context_line":"        if \u0027oslo_messaging_amqp\u0027 in CONF and CONF.oslo_messaging_amqp.ssl:"},{"line_number":1041,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_amqp.ssl_ca_file)"}],"source_content_type":"text/x-python","patch_set":4,"id":"feaee9a5_d8911cb2","line":1038,"range":{"start_line":1038,"start_character":8,"end_line":1038,"end_character":78},"updated":"2023-10-20 01:54:48.000000000","message":"it should be `if oslo_messaging_rabbit.ssl`","commit_id":"56e8990870256f81289e62887d3e04df6a229592"},{"author":{"_account_id":8213,"name":"Claudiu 
Belu","email":"claudiu.belu@canonical.com","username":"claudiub"},"change_message_id":"8be568e513c78d50aecd0e6bcb6c1ef19c8f802b","unresolved":false,"context_lines":[{"line_number":1035,"context_line":"        # These sections might not exist in CONF if the config file do not"},{"line_number":1036,"context_line":"        # contain them."},{"line_number":1037,"context_line":"        ssl_ca_files \u003d []"},{"line_number":1038,"context_line":"        if \u0027oslo_messaging_rabbit\u0027 in CONF and CONF.oslo_messaging_rabbit.ssl:"},{"line_number":1039,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_rabbit.ssl_ca_file)"},{"line_number":1040,"context_line":"        if \u0027oslo_messaging_amqp\u0027 in CONF and CONF.oslo_messaging_amqp.ssl:"},{"line_number":1041,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_amqp.ssl_ca_file)"}],"source_content_type":"text/x-python","patch_set":4,"id":"2d8914c5_762fe1fc","line":1038,"range":{"start_line":1038,"start_character":8,"end_line":1038,"end_character":78},"in_reply_to":"0c660bda_e1ae6a80","updated":"2023-10-23 15:41:56.000000000","message":"Done","commit_id":"56e8990870256f81289e62887d3e04df6a229592"},{"author":{"_account_id":8213,"name":"Claudiu Belu","email":"claudiu.belu@canonical.com","username":"claudiub"},"change_message_id":"cd783adbf0d59e08d236ed83dd90d8eebcaca5b0","unresolved":true,"context_lines":[{"line_number":1035,"context_line":"        # These sections might not exist in CONF if the config file do not"},{"line_number":1036,"context_line":"        # contain them."},{"line_number":1037,"context_line":"        ssl_ca_files \u003d []"},{"line_number":1038,"context_line":"        if \u0027oslo_messaging_rabbit\u0027 in CONF and CONF.oslo_messaging_rabbit.ssl:"},{"line_number":1039,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_rabbit.ssl_ca_file)"},{"line_number":1040,"context_line":"        if \u0027oslo_messaging_amqp\u0027 in CONF and 
CONF.oslo_messaging_amqp.ssl:"},{"line_number":1041,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_amqp.ssl_ca_file)"}],"source_content_type":"text/x-python","patch_set":4,"id":"0c660bda_e1ae6a80","line":1038,"range":{"start_line":1038,"start_character":8,"end_line":1038,"end_character":78},"in_reply_to":"feaee9a5_d8911cb2","updated":"2023-10-23 09:54:20.000000000","message":"We need to check if the group exists first, otherwise we\u0027d get an ``oslo_config.cfg.NoSuchOptError: no such option oslo_messaging_rabbit in group [DEFAULT]``:\n\n```\nTraceback (most recent call last):\n  File \"/usr/lib/python3.8/unittest/mock.py\", line 1325, in patched\n    return func(*newargs, **newkeywargs)\n  File \"/home/ubuntu/workdir/trove/trove/tests/unittests/instance/test_instance_models.py\", line 151, in test_get_injected_files\n    files \u003d self.instance.get_injected_files(fake_manager, fake_version,\n  File \"/home/ubuntu/workdir/trove/trove/instance/models.py\", line 1038, in get_injected_files\n    if CONF.oslo_messaging_rabbit.ssl:\n  File \"/home/ubuntu/workdir/trove/.tox/genconfig/lib/python3.8/site-packages/oslo_config/cfg.py\", line 2223, in __getattr__\n    raise NoSuchOptError(name)\noslo_config.cfg.NoSuchOptError: no such option oslo_messaging_rabbit in group [DEFAULT]\n```\n\nThat is because these groups are only registered once the respective driver gets instantiated, for example: https://github.com/openstack/oslo.messaging/blob/f455edd60153116397a4c240dd1194861cb0bbf1/oslo_messaging/_drivers/impl_rabbit.py#L1573C1-L1576","commit_id":"56e8990870256f81289e62887d3e04df6a229592"},{"author":{"_account_id":28691,"name":"Bo Tran","email":"ministry.96.nd@gmail.com","username":"ministry"},"change_message_id":"c6e297673dc53f9a909b5c25259924d7398634f7","unresolved":true,"context_lines":[{"line_number":1037,"context_line":"        ssl_ca_files \u003d []"},{"line_number":1038,"context_line":"        if \u0027oslo_messaging_rabbit\u0027 in CONF and 
CONF.oslo_messaging_rabbit.ssl:"},{"line_number":1039,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_rabbit.ssl_ca_file)"},{"line_number":1040,"context_line":"        if \u0027oslo_messaging_amqp\u0027 in CONF and CONF.oslo_messaging_amqp.ssl:"},{"line_number":1041,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_amqp.ssl_ca_file)"},{"line_number":1042,"context_line":""},{"line_number":1043,"context_line":"        for ssl_ca_file in ssl_ca_files:"}],"source_content_type":"text/x-python","patch_set":4,"id":"530ceec5_1d79f388","line":1040,"range":{"start_line":1040,"start_character":8,"end_line":1040,"end_character":73},"updated":"2023-10-20 01:54:48.000000000","message":"ditto. it should be `if CONF.oslo_messaging_amqp.ssl`","commit_id":"56e8990870256f81289e62887d3e04df6a229592"},{"author":{"_account_id":8213,"name":"Claudiu Belu","email":"claudiu.belu@canonical.com","username":"claudiub"},"change_message_id":"cd783adbf0d59e08d236ed83dd90d8eebcaca5b0","unresolved":true,"context_lines":[{"line_number":1037,"context_line":"        ssl_ca_files \u003d []"},{"line_number":1038,"context_line":"        if \u0027oslo_messaging_rabbit\u0027 in CONF and CONF.oslo_messaging_rabbit.ssl:"},{"line_number":1039,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_rabbit.ssl_ca_file)"},{"line_number":1040,"context_line":"        if \u0027oslo_messaging_amqp\u0027 in CONF and CONF.oslo_messaging_amqp.ssl:"},{"line_number":1041,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_amqp.ssl_ca_file)"},{"line_number":1042,"context_line":""},{"line_number":1043,"context_line":"        for ssl_ca_file in ssl_ca_files:"}],"source_content_type":"text/x-python","patch_set":4,"id":"97210e88_c0263425","line":1040,"range":{"start_line":1040,"start_character":8,"end_line":1040,"end_character":73},"in_reply_to":"530ceec5_1d79f388","updated":"2023-10-23 
09:54:20.000000000","message":"ditto.","commit_id":"56e8990870256f81289e62887d3e04df6a229592"},{"author":{"_account_id":8213,"name":"Claudiu Belu","email":"claudiu.belu@canonical.com","username":"claudiub"},"change_message_id":"8be568e513c78d50aecd0e6bcb6c1ef19c8f802b","unresolved":false,"context_lines":[{"line_number":1037,"context_line":"        ssl_ca_files \u003d []"},{"line_number":1038,"context_line":"        if \u0027oslo_messaging_rabbit\u0027 in CONF and CONF.oslo_messaging_rabbit.ssl:"},{"line_number":1039,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_rabbit.ssl_ca_file)"},{"line_number":1040,"context_line":"        if \u0027oslo_messaging_amqp\u0027 in CONF and CONF.oslo_messaging_amqp.ssl:"},{"line_number":1041,"context_line":"            ssl_ca_files.append(CONF.oslo_messaging_amqp.ssl_ca_file)"},{"line_number":1042,"context_line":""},{"line_number":1043,"context_line":"        for ssl_ca_file in ssl_ca_files:"}],"source_content_type":"text/x-python","patch_set":4,"id":"decaa839_7d129eda","line":1040,"range":{"start_line":1040,"start_character":8,"end_line":1040,"end_character":73},"in_reply_to":"97210e88_c0263425","updated":"2023-10-23 15:41:56.000000000","message":"Done","commit_id":"56e8990870256f81289e62887d3e04df6a229592"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"a329a239dc13ffc1bb7a5e6289a4d47c363c8c9b","unresolved":true,"context_lines":[{"line_number":1035,"context_line":"        for ssl_ca_file in CONF.ssl_ca_files:"},{"line_number":1036,"context_line":"            if os.path.isfile(ssl_ca_file):"},{"line_number":1037,"context_line":"                filepath \u003d os.path.join(injected_config_location,"},{"line_number":1038,"context_line":"                                        os.path.basename(ssl_ca_file))"},{"line_number":1039,"context_line":"                with open(ssl_ca_file, \"r\") as f:"},{"line_number":1040,"context_line":"  
                  files[filepath] \u003d f.read()"},{"line_number":1041,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"4b82808a_b7d3177e","line":1038,"updated":"2023-10-23 13:37:17.000000000","message":"Hi, I am sorry for my previous comment. After taking a look at the story, I think that copying the ca_files to `injected_config_location` may not be enough here, because the config opts should be something like `ssl_ca_file \u003d /etc/nova/rabbit-client-ca.pem`, but the injected_config_location is \"/etc/trove/conf.d\". My initial thought is to copy the ssl_ca_certs to the Linux default SSL directory (`/etc/ssl/certs`), but I am not sure whether this works with rabbitmq. I will take some time to investigate it.","commit_id":"578eb98dc3ea6475a7f43880081cb79058d70907"},{"author":{"_account_id":8213,"name":"Claudiu Belu","email":"claudiu.belu@canonical.com","username":"claudiub"},"change_message_id":"8be568e513c78d50aecd0e6bcb6c1ef19c8f802b","unresolved":true,"context_lines":[{"line_number":1035,"context_line":"        for ssl_ca_file in CONF.ssl_ca_files:"},{"line_number":1036,"context_line":"            if os.path.isfile(ssl_ca_file):"},{"line_number":1037,"context_line":"                filepath \u003d os.path.join(injected_config_location,"},{"line_number":1038,"context_line":"                                        os.path.basename(ssl_ca_file))"},{"line_number":1039,"context_line":"                with open(ssl_ca_file, \"r\") as f:"},{"line_number":1040,"context_line":"                    files[filepath] \u003d f.read()"},{"line_number":1041,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"9e581ed1_97d0bb7b","line":1038,"in_reply_to":"4b82808a_b7d3177e","updated":"2023-10-23 15:41:56.000000000","message":"So, there are 2 parts to this: One is indeed the part which injects the certificate(s) into the VMs, and then the second is actually setting the ``ssl_ca_file`` config option to the certificate\u0027s 
location into the ``trove-guestagent.conf``. This approach seems to be working for us.","commit_id":"578eb98dc3ea6475a7f43880081cb79058d70907"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"ca73674dc273c82c287c9043906bab2ee55c037c","unresolved":true,"context_lines":[{"line_number":1035,"context_line":"        for ssl_ca_file in CONF.ssl_ca_files:"},{"line_number":1036,"context_line":"            if os.path.isfile(ssl_ca_file):"},{"line_number":1037,"context_line":"                filepath \u003d os.path.join(injected_config_location,"},{"line_number":1038,"context_line":"                                        os.path.basename(ssl_ca_file))"},{"line_number":1039,"context_line":"                with open(ssl_ca_file, \"r\") as f:"},{"line_number":1040,"context_line":"                    files[filepath] \u003d f.read()"},{"line_number":1041,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"bdfe54dc_aa8668f8","line":1038,"in_reply_to":"9e581ed1_97d0bb7b","updated":"2023-10-24 01:25:24.000000000","message":"sounds great. have you tried it in your environment?  if possible, take a test for backup as well. 
thanks in advance.","commit_id":"578eb98dc3ea6475a7f43880081cb79058d70907"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"cbd65ddaca86cadc871b92064134b56c3e59b13b","unresolved":true,"context_lines":[{"line_number":1035,"context_line":"        for ssl_ca_file in CONF.ssl_ca_files:"},{"line_number":1036,"context_line":"            if os.path.isfile(ssl_ca_file):"},{"line_number":1037,"context_line":"                filepath \u003d os.path.join(injected_config_location,"},{"line_number":1038,"context_line":"                                        os.path.basename(ssl_ca_file))"},{"line_number":1039,"context_line":"                with open(ssl_ca_file, \"r\") as f:"},{"line_number":1040,"context_line":"                    files[filepath] \u003d f.read()"},{"line_number":1041,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"6361495f_713927ac","line":1038,"in_reply_to":"bdfe54dc_aa8668f8","updated":"2023-10-24 03:35:15.000000000","message":"Hi, It seems like setting the ca_certificates is an alternative to setting it in trove-guestagent.conf?https://cloudinit.readthedocs.io/en/17.2/topics/examples.html#configure-an-instances-trusted-ca-certificates","commit_id":"578eb98dc3ea6475a7f43880081cb79058d70907"}]}
