)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"62c33da62ba6f889e57f096414a3bfb65ca8fa90","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"e8dfed5c_e6ce29e3","updated":"2026-05-25 13:59:27.000000000","message":"Generally, It looks good to me. but the CI test didn\u0027t pass. please see more details:\n1. https://zuul.opendev.org/t/openstack/build/8dcf296849ff472baa43474131ca0c9e/log/controller/logs/tempest_log.txt#1790\n2. https://zuul.opendev.org/t/openstack/build/c96dde0e48e24e4e80b57e8ab39e2189/log/controller/logs/tempest_log.txt#1781\n3. https://zuul.opendev.org/t/openstack/build/1637980d20424055be17f8a9ebe7e2fb/log/controller/logs/tempest_log.txt#1700","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"128a501fdf3e8ad9125269e2b8a7909c12d42bba","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"b6997f90_2f011ca5","updated":"2026-05-25 16:10:46.000000000","message":"Hello. I used AI to review this commit, and the AI pointed out several questions that I think are valuable.","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"eeeac739ce970f1ce255b217016d0ed8e4150369","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"9c2b6821_587a5292","in_reply_to":"e8dfed5c_e6ce29e3","updated":"2026-05-25 14:21:32.000000000","message":"Hello, Wu! Thank you for the review of this huge commit 😆\n\nThose errors are expected. I just print them from test scenarios for debug purposes only, like this:\n```\nLOG.warning(\n    \u0027Exception during SSL check: %s\u0027, e, exc_info\u003dCONF.debug)\n```\nAnd since CONF.debug \u003d True, the full Traceback is printed.\nThe purpose is to see the exact reason why the connection failed in situations when it should fail: wrong CA or wrong Certificate, or an insecure connection is forbidden.\n\nWe can disable it if it\u0027s confusing, of course. How do you think?","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"1a39d6c9e9a41a6315eed306b7fef43ce4da8939","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"54974d8e_2add4ee2","updated":"2026-05-26 12:53:02.000000000","message":"recheck","commit_id":"6e133899971354c14b9416441d9bdb01b55b2aac"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"e1fbff8c5a2fde87d43ca3a0a7fb851b36581a54","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"cbef4ba6_2cad0757","updated":"2026-05-27 19:56:05.000000000","message":"Not yet ready for review. I will refactor transactional model asap.","commit_id":"ab3f950ff9c10aa430dfbd3eb1f26e63c2c56d7e"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"dafeb4351ab5d4358347885b257a75349b4932fb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":14,"id":"b1fefd59_3f35b203","updated":"2026-05-28 19:17:16.000000000","message":"Hello, Wu!\nThere is a transactional model for changing instance SSL state now.\nThe idea is to use pattern similar to `run_with_quotas` call.\nThe commit is ready for the next review.\n\nFor the final version which we will merge to master, we can decrease number of tests. E.g. ssl-replication is not necessary to run for each datastore.","commit_id":"54992f249da8c48e910ce58582876ce0a75df252"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"c3702e1064e728d084f6f145d45ebfccc413afeb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":15,"id":"5bfd5e7c_b10d7d63","updated":"2026-06-08 05:58:39.000000000","message":"Once we add the guest-agent rollback, I think this change will be ready for merge.","commit_id":"382c46212aaaa07b8733bf2d66a274dda32d46e6"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"ebbf812767abb2b3974e8857bdd7ba98daa89b4a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":15,"id":"cf175238_0e2553bf","updated":"2026-06-04 02:43:57.000000000","message":"aaaaaaaaaaa","commit_id":"382c46212aaaa07b8733bf2d66a274dda32d46e6"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"81d84dafeade6103811f319390d71f1503740ef3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":15,"id":"bd25890a_6228860d","in_reply_to":"cf175238_0e2553bf","updated":"2026-06-04 02:45:10.000000000","message":"sorry, this is a typo.","commit_id":"382c46212aaaa07b8733bf2d66a274dda32d46e6"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"e05a167db0201e0e9168990b48753f77719d2673","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":35,"id":"fe9d7489_0a02b0d7","updated":"2026-07-05 15:10:41.000000000","message":"Hello, do you plan to resolve the potential inconsistent state issue between primary and replicas? This happens when the primary node updates successfully while the replicas don’t get updated accordingly.","commit_id":"dd90e68306783efd091f659e1c41453689b8814e"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"21809e21751b12c676aa209a2fefa6a1a6a20024","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":35,"id":"8cfeb2d3_677fe50f","updated":"2026-07-10 13:16:24.000000000","message":"recheck","commit_id":"dd90e68306783efd091f659e1c41453689b8814e"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"d18132fe258e0336c7aad1934e8f71ba27b2d9ac","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":35,"id":"542828b3_336c713e","in_reply_to":"fe9d7489_0a02b0d7","updated":"2026-07-08 05:52:29.000000000","message":"Yes, it\u0027s already implemented. Please take a look at [run_with_ssl_state](https://review.opendev.org/c/openstack/trove/+/988059/35/trove/common/ssl.py#164) helper method.\nThis functionality is very hard to test with a Tempest scenario. I\u0027ve added a unit test only; it\u0027s [here](https://review.opendev.org/c/openstack/trove/+/988059/35/trove/tests/unittests/instance/test_instance_controller.py#690), and another one below for a successful run. I think this would be enough.","commit_id":"dd90e68306783efd091f659e1c41453689b8814e"}],"requirements.txt":[{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"c3702e1064e728d084f6f145d45ebfccc413afeb","unresolved":true,"context_lines":[{"line_number":21,"context_line":"python-neutronclient\u003e\u003d6.7.0 # Apache-2.0"},{"line_number":22,"context_line":"python-glanceclient\u003e\u003d2.8.0 # Apache-2.0"},{"line_number":23,"context_line":"python-troveclient\u003e\u003d2.2.0 # Apache-2.0"},{"line_number":24,"context_line":"python-barbicanclient\u003e\u003d7.0.0 #Apache-2.0"},{"line_number":25,"context_line":"jsonschema\u003e\u003d3.2.0 # MIT"},{"line_number":26,"context_line":"Jinja2\u003e\u003d2.10 # BSD License (3 clause)"},{"line_number":27,"context_line":"pexpect!\u003d3.3,\u003e\u003d3.1 # ISC License"}],"source_content_type":"text/plain","patch_set":15,"id":"4a3ec54a_e52c204e","line":24,"updated":"2026-06-08 05:58:39.000000000","message":"Add a space after `#`","commit_id":"382c46212aaaa07b8733bf2d66a274dda32d46e6"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"066e05545bda8b8ea897b88319747d6549c41f24","unresolved":false,"context_lines":[{"line_number":21,"context_line":"python-neutronclient\u003e\u003d6.7.0 # Apache-2.0"},{"line_number":22,"context_line":"python-glanceclient\u003e\u003d2.8.0 # Apache-2.0"},{"line_number":23,"context_line":"python-troveclient\u003e\u003d2.2.0 # Apache-2.0"},{"line_number":24,"context_line":"python-barbicanclient\u003e\u003d7.0.0 #Apache-2.0"},{"line_number":25,"context_line":"jsonschema\u003e\u003d3.2.0 # MIT"},{"line_number":26,"context_line":"Jinja2\u003e\u003d2.10 # BSD License (3 clause)"},{"line_number":27,"context_line":"pexpect!\u003d3.3,\u003e\u003d3.1 # ISC License"}],"source_content_type":"text/plain","patch_set":15,"id":"70c55825_3c0b6ac8","line":24,"in_reply_to":"4a3ec54a_e52c204e","updated":"2026-06-08 06:31:33.000000000","message":"Done","commit_id":"382c46212aaaa07b8733bf2d66a274dda32d46e6"}],"trove/common/ssl.py":[{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"128a501fdf3e8ad9125269e2b8a7909c12d42bba","unresolved":true,"context_lines":[{"line_number":16,"context_line":"    import pkcs12, Encoding, PrivateFormat, NoEncryption"},{"line_number":17,"context_line":"from cryptography.hazmat.backends import default_backend"},{"line_number":18,"context_line":"from datetime import datetime"},{"line_number":19,"context_line":"import OpenSSL.crypto as crypto"},{"line_number":20,"context_line":"from trove.common import cfg"},{"line_number":21,"context_line":"from trove.common.clients import barbican_client"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"0eba82d6_da9ffeec","line":19,"range":{"start_line":19,"start_character":0,"end_line":19,"end_character":31},"updated":"2026-05-25 16:10:46.000000000","message":"please add `pyOpenSSL` to requirements.","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"128a501fdf3e8ad9125269e2b8a7909c12d42bba","unresolved":true,"context_lines":[{"line_number":16,"context_line":"    import pkcs12, Encoding, PrivateFormat, NoEncryption"},{"line_number":17,"context_line":"from cryptography.hazmat.backends import default_backend"},{"line_number":18,"context_line":"from datetime import datetime"},{"line_number":19,"context_line":"import OpenSSL.crypto as crypto"},{"line_number":20,"context_line":"from trove.common import cfg"},{"line_number":21,"context_line":"from trove.common.clients import barbican_client"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"502aade6_fcc77d8f","line":19,"range":{"start_line":19,"start_character":0,"end_line":19,"end_character":31},"updated":"2026-05-25 16:10:46.000000000","message":"please add `pyOpenSSL` to requirements.","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"1de2b3db4c5b35bf699bbb2dd4bdc4566cb56359","unresolved":false,"context_lines":[{"line_number":16,"context_line":"    import pkcs12, Encoding, PrivateFormat, NoEncryption"},{"line_number":17,"context_line":"from cryptography.hazmat.backends import default_backend"},{"line_number":18,"context_line":"from datetime import datetime"},{"line_number":19,"context_line":"import OpenSSL.crypto as crypto"},{"line_number":20,"context_line":"from trove.common import cfg"},{"line_number":21,"context_line":"from trove.common.clients import barbican_client"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"69a418c5_cd20e177","line":19,"range":{"start_line":19,"start_character":0,"end_line":19,"end_character":31},"in_reply_to":"0eba82d6_da9ffeec","updated":"2026-05-26 09:25:57.000000000","message":"Done","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"1de2b3db4c5b35bf699bbb2dd4bdc4566cb56359","unresolved":false,"context_lines":[{"line_number":16,"context_line":"    import pkcs12, Encoding, PrivateFormat, NoEncryption"},{"line_number":17,"context_line":"from cryptography.hazmat.backends import default_backend"},{"line_number":18,"context_line":"from datetime import datetime"},{"line_number":19,"context_line":"import OpenSSL.crypto as crypto"},{"line_number":20,"context_line":"from trove.common import cfg"},{"line_number":21,"context_line":"from trove.common.clients import barbican_client"},{"line_number":22,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"7612e99c_287b6056","line":19,"range":{"start_line":19,"start_character":0,"end_line":19,"end_character":31},"in_reply_to":"502aade6_fcc77d8f","updated":"2026-05-26 09:25:57.000000000","message":"Done","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"ebbf812767abb2b3974e8857bdd7ba98daa89b4a","unresolved":true,"context_lines":[{"line_number":137,"context_line":"                self.register_consumer(*args)"},{"line_number":138,"context_line":"                rollback_changes.append({\u0027type\u0027: \u0027remove\u0027, \u0027args\u0027: args})"},{"line_number":139,"context_line":"            except barbican_exceptions.HTTPClientError as e:"},{"line_number":140,"context_line":"                LOG.info(\u0027Unable to register consumer for %s: %s\u0027,"},{"line_number":141,"context_line":"                         container_ref, e)"},{"line_number":142,"context_line":"        instance.db_info.save()"},{"line_number":143,"context_line":"        return rollback_changes"},{"line_number":144,"context_line":""}],"source_content_type":"text/x-python","patch_set":15,"id":"d1820490_c39480ef","line":141,"range":{"start_line":140,"start_character":0,"end_line":141,"end_character":42},"updated":"2026-06-04 02:43:57.000000000","message":"Do we need to re-raise here ?","commit_id":"382c46212aaaa07b8733bf2d66a274dda32d46e6"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"c3702e1064e728d084f6f145d45ebfccc413afeb","unresolved":false,"context_lines":[{"line_number":137,"context_line":"                self.register_consumer(*args)"},{"line_number":138,"context_line":"                rollback_changes.append({\u0027type\u0027: \u0027remove\u0027, \u0027args\u0027: args})"},{"line_number":139,"context_line":"            except barbican_exceptions.HTTPClientError as e:"},{"line_number":140,"context_line":"                LOG.info(\u0027Unable to register consumer for %s: %s\u0027,"},{"line_number":141,"context_line":"                         container_ref, e)"},{"line_number":142,"context_line":"        instance.db_info.save()"},{"line_number":143,"context_line":"        return rollback_changes"},{"line_number":144,"context_line":""}],"source_content_type":"text/x-python","patch_set":15,"id":"14336e39_c5ddb377","line":141,"range":{"start_line":140,"start_character":0,"end_line":141,"end_character":42},"in_reply_to":"9c1cb10d_66fa1099","updated":"2026-06-08 05:58:39.000000000","message":"make sense.","commit_id":"382c46212aaaa07b8733bf2d66a274dda32d46e6"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"515eff51963addc6b830841f0563bd94a12cbea1","unresolved":false,"context_lines":[{"line_number":137,"context_line":"                self.register_consumer(*args)"},{"line_number":138,"context_line":"                rollback_changes.append({\u0027type\u0027: \u0027remove\u0027, \u0027args\u0027: args})"},{"line_number":139,"context_line":"            except barbican_exceptions.HTTPClientError as e:"},{"line_number":140,"context_line":"                LOG.info(\u0027Unable to register consumer for %s: %s\u0027,"},{"line_number":141,"context_line":"                         container_ref, e)"},{"line_number":142,"context_line":"        instance.db_info.save()"},{"line_number":143,"context_line":"        return rollback_changes"},{"line_number":144,"context_line":""}],"source_content_type":"text/x-python","patch_set":15,"id":"9c1cb10d_66fa1099","line":141,"range":{"start_line":140,"start_character":0,"end_line":141,"end_character":42},"in_reply_to":"d1820490_c39480ef","updated":"2026-06-04 06:16:26.000000000","message":"The problem here is with the design of the Barbican. If you run `enable ssl` by the admin account, it wouldn\u0027t be able to register a consumer for the SSL cert ref (only user may view and edit his certs and refs, even admins are not allowed to do that, it\u0027s a standard vault logic).\n\nSo not throwing an error here is a kind of compromise.\nIf we throw an exception here, the administrator may consider that ssl functionality is broken.\n\nAlso, consumers logic in Barbican doesn\u0027t oblige to anything, it\u0027s just an observability feature, the user should see that a cert is being used somewhere.","commit_id":"382c46212aaaa07b8733bf2d66a274dda32d46e6"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"ebbf812767abb2b3974e8857bdd7ba98daa89b4a","unresolved":true,"context_lines":[{"line_number":176,"context_line":"                instance, mode, container_ref, enable, disable)"},{"line_number":177,"context_line":"            states.append(state)"},{"line_number":178,"context_line":"        # Execute the wrapped action"},{"line_number":179,"context_line":"        result \u003d f(*args, **kwargs)"},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"    except Exception as e:"},{"line_number":182,"context_line":"        # Rollback all applied states if setup or execution fails"}],"source_content_type":"text/x-python","patch_set":15,"id":"73e65306_0feb01c4","line":179,"range":{"start_line":179,"start_character":8,"end_line":179,"end_character":35},"updated":"2026-06-04 02:43:57.000000000","message":"This function handles guest operations. If the primary instance succeeds but replication fails, do you think we need to add a rollback here?","commit_id":"382c46212aaaa07b8733bf2d66a274dda32d46e6"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"515eff51963addc6b830841f0563bd94a12cbea1","unresolved":false,"context_lines":[{"line_number":176,"context_line":"                instance, mode, container_ref, enable, disable)"},{"line_number":177,"context_line":"            states.append(state)"},{"line_number":178,"context_line":"        # Execute the wrapped action"},{"line_number":179,"context_line":"        result \u003d f(*args, **kwargs)"},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"    except Exception as e:"},{"line_number":182,"context_line":"        # Rollback all applied states if setup or execution fails"}],"source_content_type":"text/x-python","patch_set":15,"id":"d6d266c7_573b480c","line":179,"range":{"start_line":179,"start_character":8,"end_line":179,"end_character":35},"in_reply_to":"73e65306_0feb01c4","updated":"2026-06-04 06:16:26.000000000","message":"Yes, we certainly need a rollback here, because most RDBMs are also using the same SSL certificate for the communication between primary and replicas.\n\nSo, leaving primary with the wrong cert will break the replication sync.","commit_id":"382c46212aaaa07b8733bf2d66a274dda32d46e6"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"c3702e1064e728d084f6f145d45ebfccc413afeb","unresolved":false,"context_lines":[{"line_number":176,"context_line":"                instance, mode, container_ref, enable, disable)"},{"line_number":177,"context_line":"            states.append(state)"},{"line_number":178,"context_line":"        # Execute the wrapped action"},{"line_number":179,"context_line":"        result \u003d f(*args, **kwargs)"},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"    except Exception as e:"},{"line_number":182,"context_line":"        # Rollback all applied states if setup or execution fails"}],"source_content_type":"text/x-python","patch_set":15,"id":"8a315346_6e040669","line":179,"range":{"start_line":179,"start_character":8,"end_line":179,"end_character":35},"in_reply_to":"d6d266c7_573b480c","updated":"2026-06-08 05:58:39.000000000","message":"ok, Let\u0027s add it then.","commit_id":"382c46212aaaa07b8733bf2d66a274dda32d46e6"}],"trove/guestagent/datastore/manager.py":[{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"e811d06ffce1bda8a35adbf67d4093698f3ed58d","unresolved":false,"context_lines":[{"line_number":1056,"context_line":""},{"line_number":1057,"context_line":"        return {}"},{"line_number":1058,"context_line":""},{"line_number":1059,"context_line":"    def override_guest_info(self, **kwargs):"},{"line_number":1060,"context_line":"        if (\u0027/\u0027 in CONF.guest_info):"},{"line_number":1061,"context_line":"            # Set guest_info_file to exactly guest_info from the conf file."},{"line_number":1062,"context_line":"            # This should be /etc/guest_info for pre-Kilo compatibility."}],"source_content_type":"text/x-python","patch_set":2,"id":"46b2a251_3d3540bb","line":1059,"updated":"2026-05-11 12:18:15.000000000","message":"We should invoke this method in `upgrade()` method, to modify `CONF.datastore_version` (we may do it later, in a separate commit, after merging the current patchset).\nRight now, `CONF.datastore_version` is not updated on upgrade, which may lead to ambiguity and errors.","commit_id":"0b690bfbfda75412570c91ce870961d8e5a2f415"}],"trove/guestagent/datastore/mysql/manager.py":[{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"62c33da62ba6f889e57f096414a3bfb65ca8fa90","unresolved":true,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"        return status"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"    def _get_default_tls_versions(self):"},{"line_number":71,"context_line":"        # NOTE(mangust404): to operate correctly, your datastore version"},{"line_number":72,"context_line":"        # should contain patch version number. Datastore name like \"5.7\""},{"line_number":73,"context_line":"        # wouldn\u0027t be able to use TLSv1.3"},{"line_number":74,"context_line":"        mysql_5_7_0 \u003d semantic_version.Version(\u00275.7.0\u0027)"},{"line_number":75,"context_line":"        mysql_5_7_27 \u003d semantic_version.Version(\u00275.7.27\u0027)"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"        cur_ver \u003d semantic_version.Version.coerce(CONF.datastore_version)"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"        if cur_ver \u003c mysql_5_7_0:"},{"line_number":80,"context_line":"            # For MySQL 5.6 there is no TLS support"},{"line_number":81,"context_line":"            raise exception.BadRequest("},{"line_number":82,"context_line":"                \u0027No support of TLS for MySQL prior to 5.7\u0027)"},{"line_number":83,"context_line":"        elif cur_ver \u003c\u003d mysql_5_7_27:"},{"line_number":84,"context_line":"            return \u0027TLSv1,TLSv1.1,TLSv1.2\u0027"},{"line_number":85,"context_line":"        elif cur_ver \u003e mysql_5_7_27:"},{"line_number":86,"context_line":"            return \u0027TLSv1.2,TLSv1.3\u0027"},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"    def _get_enable_client_ssl_overrides(self):"},{"line_number":89,"context_line":"        mysql_8 \u003d semantic_version.Version(\u00278.0.0\u0027)"},{"line_number":90,"context_line":"        cur_ver \u003d semantic_version.Version.coerce(CONF.datastore_version)"}],"source_content_type":"text/x-python","patch_set":9,"id":"ef32c950_79ec84dc","line":87,"range":{"start_line":70,"start_character":0,"end_line":87,"end_character":0},"updated":"2026-05-25 13:59:27.000000000","message":"Since we no longer support MySQL versions below 8.0, should we still consider older database versions here?\nEven though they don\u0027t have any negative effects.","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"eeeac739ce970f1ce255b217016d0ed8e4150369","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"        return status"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"    def _get_default_tls_versions(self):"},{"line_number":71,"context_line":"        # NOTE(mangust404): to operate correctly, your datastore version"},{"line_number":72,"context_line":"        # should contain patch version number. Datastore name like \"5.7\""},{"line_number":73,"context_line":"        # wouldn\u0027t be able to use TLSv1.3"},{"line_number":74,"context_line":"        mysql_5_7_0 \u003d semantic_version.Version(\u00275.7.0\u0027)"},{"line_number":75,"context_line":"        mysql_5_7_27 \u003d semantic_version.Version(\u00275.7.27\u0027)"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"        cur_ver \u003d semantic_version.Version.coerce(CONF.datastore_version)"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"        if cur_ver \u003c mysql_5_7_0:"},{"line_number":80,"context_line":"            # For MySQL 5.6 there is no TLS support"},{"line_number":81,"context_line":"            raise exception.BadRequest("},{"line_number":82,"context_line":"                \u0027No support of TLS for MySQL prior to 5.7\u0027)"},{"line_number":83,"context_line":"        elif cur_ver \u003c\u003d mysql_5_7_27:"},{"line_number":84,"context_line":"            return \u0027TLSv1,TLSv1.1,TLSv1.2\u0027"},{"line_number":85,"context_line":"        elif cur_ver \u003e mysql_5_7_27:"},{"line_number":86,"context_line":"            return \u0027TLSv1.2,TLSv1.3\u0027"},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"    def _get_enable_client_ssl_overrides(self):"},{"line_number":89,"context_line":"        mysql_8 \u003d semantic_version.Version(\u00278.0.0\u0027)"},{"line_number":90,"context_line":"        cur_ver \u003d semantic_version.Version.coerce(CONF.datastore_version)"}],"source_content_type":"text/x-python","patch_set":9,"id":"992be7a7_affb9d06","line":87,"range":{"start_line":70,"start_character":0,"end_line":87,"end_character":0},"in_reply_to":"ef32c950_79ec84dc","updated":"2026-05-25 14:21:32.000000000","message":"I think we may work out the question about old MySQL versions support soon, so we may leave this code as it is, but refactor it when we decide which approach we will use.\n\nBTW, in addition to decorators, I proposed another approach in the [storyboard](https://storyboard.openstack.org/#!/story/2011789), with Capabilities classes.","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"}],"trove/guestagent/strategies/replication/mariadb_gtid.py":[{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"128a501fdf3e8ad9125269e2b8a7909c12d42bba","unresolved":true,"context_lines":[{"line_number":105,"context_line":"                \u0027password\u0027: replica_conf[\u0027replication_user\u0027][\u0027password\u0027]"},{"line_number":106,"context_line":"            })"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"        if \u0027cert_container\u0027 in master_info and \\"},{"line_number":109,"context_line":"           \u0027ssl_mode\u0027 in master_info:"},{"line_number":110,"context_line":"            change_master_cmd \u003d change_master_cmd + ("},{"line_number":111,"context_line":"                \", MASTER_SSL_VERIFY_SERVER_CERT\u003d0\""},{"line_number":112,"context_line":"                \", MASTER_SSL\u003d0\")"},{"line_number":113,"context_line":"        else:"},{"line_number":114,"context_line":"            change_master_cmd \u003d change_master_cmd + ("},{"line_number":115,"context_line":"                \", MASTER_SSL_VERIFY_SERVER_CERT\u003d0\""},{"line_number":116,"context_line":"                \", MASTER_SSL\u003d0\")"},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"        service.execute_sql(change_master_cmd)"},{"line_number":119,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"22950ca7_a60fe7dc","line":116,"range":{"start_line":108,"start_character":0,"end_line":116,"end_character":33},"updated":"2026-05-25 16:10:46.000000000","message":"There is an obvious error here. the command is exactly the same","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"1de2b3db4c5b35bf699bbb2dd4bdc4566cb56359","unresolved":false,"context_lines":[{"line_number":105,"context_line":"                \u0027password\u0027: replica_conf[\u0027replication_user\u0027][\u0027password\u0027]"},{"line_number":106,"context_line":"            })"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"        if \u0027cert_container\u0027 in master_info and \\"},{"line_number":109,"context_line":"           \u0027ssl_mode\u0027 in master_info:"},{"line_number":110,"context_line":"            change_master_cmd \u003d change_master_cmd + ("},{"line_number":111,"context_line":"                \", MASTER_SSL_VERIFY_SERVER_CERT\u003d0\""},{"line_number":112,"context_line":"                \", MASTER_SSL\u003d0\")"},{"line_number":113,"context_line":"        else:"},{"line_number":114,"context_line":"            change_master_cmd \u003d change_master_cmd + ("},{"line_number":115,"context_line":"                \", MASTER_SSL_VERIFY_SERVER_CERT\u003d0\""},{"line_number":116,"context_line":"                \", MASTER_SSL\u003d0\")"},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"        service.execute_sql(change_master_cmd)"},{"line_number":119,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"605bfe23_630cfee1","line":116,"range":{"start_line":108,"start_character":0,"end_line":116,"end_character":33},"in_reply_to":"22950ca7_a60fe7dc","updated":"2026-05-26 09:25:57.000000000","message":"Oops, that was leftovers after refactoring. Flags should be set to 1 if ssl is enabled, obviously.","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"}],"trove/instance/service.py":[{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"128a501fdf3e8ad9125269e2b8a7909c12d42bba","unresolved":true,"context_lines":[{"line_number":704,"context_line":"            ssl_info[\u0027mode\u0027] \u003d instance.db_info.ssl_mode"},{"line_number":705,"context_line":"        else:"},{"line_number":706,"context_line":"            ssl_info[\u0027mode\u0027] \u003d ssl.MODE_BUILTIN"},{"line_number":707,"context_line":"        include_cert \u003d req.GET.get(\u0027include_certificate\u0027, False)"},{"line_number":708,"context_line":"        if not include_cert and \u0027certificate\u0027 in ssl_info and \\"},{"line_number":709,"context_line":"           \u0027payload\u0027 in ssl_info[\u0027certificate\u0027]:"},{"line_number":710,"context_line":"            del ssl_info[\u0027certificate\u0027][\u0027payload\u0027]"}],"source_content_type":"text/x-python","patch_set":9,"id":"1ac96696_35e266b7","line":707,"range":{"start_line":707,"start_character":8,"end_line":707,"end_character":64},"updated":"2026-05-25 16:10:46.000000000","message":"When the client passes `?include_certificate\u003dfalse`, req.GET.get() returns the string \"false\", not the boolean False. In Python, any non-empty string is truthy, so not include_cert evaluates to False and the certificate payload is not removed.\n\nPlease use `include_cert \u003d strutils.bool_from_string(\n    req.GET.get(\u0027include_certificate\u0027))` instead","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"1de2b3db4c5b35bf699bbb2dd4bdc4566cb56359","unresolved":false,"context_lines":[{"line_number":704,"context_line":"            ssl_info[\u0027mode\u0027] \u003d instance.db_info.ssl_mode"},{"line_number":705,"context_line":"        else:"},{"line_number":706,"context_line":"            ssl_info[\u0027mode\u0027] \u003d ssl.MODE_BUILTIN"},{"line_number":707,"context_line":"        include_cert \u003d req.GET.get(\u0027include_certificate\u0027, False)"},{"line_number":708,"context_line":"        if not include_cert and \u0027certificate\u0027 in ssl_info and \\"},{"line_number":709,"context_line":"           \u0027payload\u0027 in ssl_info[\u0027certificate\u0027]:"},{"line_number":710,"context_line":"            del ssl_info[\u0027certificate\u0027][\u0027payload\u0027]"}],"source_content_type":"text/x-python","patch_set":9,"id":"cbf8a605_64443398","line":707,"range":{"start_line":707,"start_character":8,"end_line":707,"end_character":64},"in_reply_to":"1ac96696_35e266b7","updated":"2026-05-26 09:25:57.000000000","message":"Done. Nice catch. Unit test added.","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"128a501fdf3e8ad9125269e2b8a7909c12d42bba","unresolved":true,"context_lines":[{"line_number":742,"context_line":"            raise exception.BadRequest(_("},{"line_number":743,"context_line":"                \"Unknown SSL mode. Available options are: \""},{"line_number":744,"context_line":"                \"%s, %s, %s\", ssl.MODE_BASIC,"},{"line_number":745,"context_line":"                ssl.MODE_ENFORCED, ssl.MODE_MTLS))"},{"line_number":746,"context_line":"        container_ref \u003d body[\u0027ssl\u0027].get(\u0027container_ref\u0027, None)"},{"line_number":747,"context_line":"        password_ref \u003d body[\u0027ssl\u0027].get(\u0027password_ref\u0027, None)"},{"line_number":748,"context_line":"        enable \u003d body[\u0027ssl\u0027].get(\u0027enable\u0027, None)"}],"source_content_type":"text/x-python","patch_set":9,"id":"ea14b94d_19375152","line":745,"updated":"2026-05-25 16:10:46.000000000","message":"In this api, you missed the policy check here. you may need to add:         `self.authorize_instance_action(context, \u0027update\u0027, instance)` or something like","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"128a501fdf3e8ad9125269e2b8a7909c12d42bba","unresolved":true,"context_lines":[{"line_number":739,"context_line":"        mode \u003d body[\u0027ssl\u0027].get(\u0027mode\u0027, ssl.MODE_BASIC)"},{"line_number":740,"context_line":"        if mode not in (ssl.MODE_BASIC,"},{"line_number":741,"context_line":"                        ssl.MODE_ENFORCED, ssl.MODE_MTLS):"},{"line_number":742,"context_line":"            raise exception.BadRequest(_("},{"line_number":743,"context_line":"                \"Unknown SSL mode. Available options are: \""},{"line_number":744,"context_line":"                \"%s, %s, %s\", ssl.MODE_BASIC,"},{"line_number":745,"context_line":"                ssl.MODE_ENFORCED, ssl.MODE_MTLS))"},{"line_number":746,"context_line":"        container_ref \u003d body[\u0027ssl\u0027].get(\u0027container_ref\u0027, None)"},{"line_number":747,"context_line":"        password_ref \u003d body[\u0027ssl\u0027].get(\u0027password_ref\u0027, None)"},{"line_number":748,"context_line":"        enable \u003d body[\u0027ssl\u0027].get(\u0027enable\u0027, None)"}],"source_content_type":"text/x-python","patch_set":9,"id":"ba0f2305_d190944f","line":745,"range":{"start_line":742,"start_character":0,"end_line":745,"end_character":50},"updated":"2026-05-25 16:10:46.000000000","message":"The _() helper from oslo_i18n only marks a string for translation; it does not perform %-formatting and does not accept extra positional arguments.","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"1de2b3db4c5b35bf699bbb2dd4bdc4566cb56359","unresolved":false,"context_lines":[{"line_number":739,"context_line":"        mode \u003d body[\u0027ssl\u0027].get(\u0027mode\u0027, ssl.MODE_BASIC)"},{"line_number":740,"context_line":"        if mode not in (ssl.MODE_BASIC,"},{"line_number":741,"context_line":"                        ssl.MODE_ENFORCED, ssl.MODE_MTLS):"},{"line_number":742,"context_line":"            raise exception.BadRequest(_("},{"line_number":743,"context_line":"                \"Unknown SSL mode. Available options are: \""},{"line_number":744,"context_line":"                \"%s, %s, %s\", ssl.MODE_BASIC,"},{"line_number":745,"context_line":"                ssl.MODE_ENFORCED, ssl.MODE_MTLS))"},{"line_number":746,"context_line":"        container_ref \u003d body[\u0027ssl\u0027].get(\u0027container_ref\u0027, None)"},{"line_number":747,"context_line":"        password_ref \u003d body[\u0027ssl\u0027].get(\u0027password_ref\u0027, None)"},{"line_number":748,"context_line":"        enable \u003d body[\u0027ssl\u0027].get(\u0027enable\u0027, None)"}],"source_content_type":"text/x-python","patch_set":9,"id":"553a8db8_a4e0676a","line":745,"range":{"start_line":742,"start_character":0,"end_line":745,"end_character":50},"in_reply_to":"ba0f2305_d190944f","updated":"2026-05-26 09:25:57.000000000","message":"Done","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"1de2b3db4c5b35bf699bbb2dd4bdc4566cb56359","unresolved":false,"context_lines":[{"line_number":742,"context_line":"            raise exception.BadRequest(_("},{"line_number":743,"context_line":"                \"Unknown SSL mode. Available options are: \""},{"line_number":744,"context_line":"                \"%s, %s, %s\", ssl.MODE_BASIC,"},{"line_number":745,"context_line":"                ssl.MODE_ENFORCED, ssl.MODE_MTLS))"},{"line_number":746,"context_line":"        container_ref \u003d body[\u0027ssl\u0027].get(\u0027container_ref\u0027, None)"},{"line_number":747,"context_line":"        password_ref \u003d body[\u0027ssl\u0027].get(\u0027password_ref\u0027, None)"},{"line_number":748,"context_line":"        enable \u003d body[\u0027ssl\u0027].get(\u0027enable\u0027, None)"}],"source_content_type":"text/x-python","patch_set":9,"id":"dbc4ff71_82f54fb5","line":745,"in_reply_to":"ea14b94d_19375152","updated":"2026-05-26 09:25:57.000000000","message":"Done. Nice catch too.","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"128a501fdf3e8ad9125269e2b8a7909c12d42bba","unresolved":true,"context_lines":[{"line_number":745,"context_line":"                ssl.MODE_ENFORCED, ssl.MODE_MTLS))"},{"line_number":746,"context_line":"        container_ref \u003d body[\u0027ssl\u0027].get(\u0027container_ref\u0027, None)"},{"line_number":747,"context_line":"        password_ref \u003d body[\u0027ssl\u0027].get(\u0027password_ref\u0027, None)"},{"line_number":748,"context_line":"        enable \u003d body[\u0027ssl\u0027].get(\u0027enable\u0027, None)"},{"line_number":749,"context_line":"        disable \u003d body[\u0027ssl\u0027].get(\u0027disable\u0027, None)"},{"line_number":750,"context_line":"        actions \u003d [enable, disable]"},{"line_number":751,"context_line":"        if sum(1 for op in actions if op) \u003e 1:"}],"source_content_type":"text/x-python","patch_set":9,"id":"1bf573fe_2ed1a9fd","line":748,"range":{"start_line":748,"start_character":8,"end_line":748,"end_character":48},"updated":"2026-05-25 16:10:46.000000000","message":"we should add a check here. if enabled the ssl, the container_ref must be  not None","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"1de2b3db4c5b35bf699bbb2dd4bdc4566cb56359","unresolved":false,"context_lines":[{"line_number":745,"context_line":"                ssl.MODE_ENFORCED, ssl.MODE_MTLS))"},{"line_number":746,"context_line":"        container_ref \u003d body[\u0027ssl\u0027].get(\u0027container_ref\u0027, None)"},{"line_number":747,"context_line":"        password_ref \u003d body[\u0027ssl\u0027].get(\u0027password_ref\u0027, None)"},{"line_number":748,"context_line":"        enable \u003d body[\u0027ssl\u0027].get(\u0027enable\u0027, None)"},{"line_number":749,"context_line":"        disable \u003d body[\u0027ssl\u0027].get(\u0027disable\u0027, None)"},{"line_number":750,"context_line":"        actions \u003d [enable, disable]"},{"line_number":751,"context_line":"        if sum(1 for op in actions if op) \u003e 1:"}],"source_content_type":"text/x-python","patch_set":9,"id":"f146ead4_2288b814","line":748,"range":{"start_line":748,"start_character":8,"end_line":748,"end_character":48},"in_reply_to":"1bf573fe_2ed1a9fd","updated":"2026-05-26 09:25:57.000000000","message":"Done","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"128a501fdf3e8ad9125269e2b8a7909c12d42bba","unresolved":true,"context_lines":[{"line_number":780,"context_line":"            replicas.append(replica)"},{"line_number":781,"context_line":""},{"line_number":782,"context_line":"        ssl_info \u003d client.ssl_action(mode, container, enable, disable)"},{"line_number":783,"context_line":""},{"line_number":784,"context_line":"        for replica in replicas:"},{"line_number":785,"context_line":"            replica_client \u003d clients.create_guest_client(context, replica.id)"},{"line_number":786,"context_line":"            replica_client.ssl_action(mode, container,"},{"line_number":787,"context_line":"                                      enable, disable)"},{"line_number":788,"context_line":""},{"line_number":789,"context_line":"        if enable:"},{"line_number":790,"context_line":"            self._enable_instance_ssl("},{"line_number":791,"context_line":"                ssl_client, instance, mode, container_ref)"},{"line_number":792,"context_line":"        elif disable:"},{"line_number":793,"context_line":"            self._disable_instance_ssl(ssl_client, instance)"},{"line_number":794,"context_line":""},{"line_number":795,"context_line":"        for replica in replicas:"},{"line_number":796,"context_line":"            if enable:"},{"line_number":797,"context_line":"                self._enable_instance_ssl("},{"line_number":798,"context_line":"                    ssl_client, replica, mode, container_ref)"},{"line_number":799,"context_line":"            elif disable:"},{"line_number":800,"context_line":"                self._disable_instance_ssl(ssl_client, replica)"},{"line_number":801,"context_line":""},{"line_number":802,"context_line":"        return wsgi.Result({\u0027ssl\u0027: ssl_info}, 200)"},{"line_number":803,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"eb55661a_ee262013","line":800,"range":{"start_line":783,"start_character":0,"end_line":800,"end_character":63},"updated":"2026-05-25 16:10:46.000000000","message":"ssl_action applies changes to guest agent first, then updates DB and Barbican. These steps are not transactional — if a later step fails (e.g. replica guest RPC or Barbican register_consumer), earlier guest changes are not rolled back, leaving the instance in an inconsistent state vs. Trove DB. Consider validating Barbican access upfront and/or adding rollback on failure.","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"1de2b3db4c5b35bf699bbb2dd4bdc4566cb56359","unresolved":false,"context_lines":[{"line_number":780,"context_line":"            replicas.append(replica)"},{"line_number":781,"context_line":""},{"line_number":782,"context_line":"        ssl_info \u003d client.ssl_action(mode, container, enable, disable)"},{"line_number":783,"context_line":""},{"line_number":784,"context_line":"        for replica in replicas:"},{"line_number":785,"context_line":"            replica_client \u003d clients.create_guest_client(context, replica.id)"},{"line_number":786,"context_line":"            replica_client.ssl_action(mode, container,"},{"line_number":787,"context_line":"                                      enable, disable)"},{"line_number":788,"context_line":""},{"line_number":789,"context_line":"        if enable:"},{"line_number":790,"context_line":"            self._enable_instance_ssl("},{"line_number":791,"context_line":"                ssl_client, instance, mode, container_ref)"},{"line_number":792,"context_line":"        elif disable:"},{"line_number":793,"context_line":"            self._disable_instance_ssl(ssl_client, instance)"},{"line_number":794,"context_line":""},{"line_number":795,"context_line":"        for replica in replicas:"},{"line_number":796,"context_line":"            if enable:"},{"line_number":797,"context_line":"                self._enable_instance_ssl("},{"line_number":798,"context_line":"                    ssl_client, replica, mode, container_ref)"},{"line_number":799,"context_line":"            elif disable:"},{"line_number":800,"context_line":"                self._disable_instance_ssl(ssl_client, replica)"},{"line_number":801,"context_line":""},{"line_number":802,"context_line":"        return wsgi.Result({\u0027ssl\u0027: ssl_info}, 200)"},{"line_number":803,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"21e0f019_ba0731f0","line":800,"range":{"start_line":783,"start_character":0,"end_line":800,"end_character":63},"in_reply_to":"eb55661a_ee262013","updated":"2026-05-26 09:25:57.000000000","message":"Done, with unit tests too.","commit_id":"c93c5b1832c9d44b6ffb42bbf03d68b501c84d35"},{"author":{"_account_id":26285,"name":"wu.chunyang","email":"wchy1001@gmail.com","username":"wu.chunyang"},"change_message_id":"46ee35ea89150541bebd1e68139370ff734a1f36","unresolved":true,"context_lines":[{"line_number":770,"context_line":"        instances \u003d [instance] + replicas"},{"line_number":771,"context_line":""},{"line_number":772,"context_line":"        # Define the actual task to be passed into our transaction wrapper"},{"line_number":773,"context_line":"        def _execute_guest_ssl_actions():"},{"line_number":774,"context_line":"            ssl_info \u003d client.ssl_action(mode, container, enable, disable)"},{"line_number":775,"context_line":"            for replica in replicas:"},{"line_number":776,"context_line":"                replica_clients[replica.id].ssl_action("},{"line_number":777,"context_line":"                    mode, container, enable, disable)"},{"line_number":778,"context_line":"            return ssl_info"},{"line_number":779,"context_line":""},{"line_number":780,"context_line":"        try:"},{"line_number":781,"context_line":"            ssl_info \u003d ssl.run_with_ssl_state("},{"line_number":782,"context_line":"                ssl_client, instances, mode, container_ref, enable, disable,"},{"line_number":783,"context_line":"                _execute_guest_ssl_actions"},{"line_number":784,"context_line":"            )"},{"line_number":785,"context_line":"        except Exception as e:"},{"line_number":786,"context_line":"            LOG.exception(\"Failed to apply SSL action: %s\", e)"},{"line_number":787,"context_line":"            raise"},{"line_number":788,"context_line":""},{"line_number":789,"context_line":"        return wsgi.Result({\u0027ssl\u0027: ssl_info}, 200)"},{"line_number":790,"context_line":""}],"source_content_type":"text/x-python","patch_set":35,"id":"0a6b862e_b7cfd4fa","line":787,"range":{"start_line":773,"start_character":0,"end_line":787,"end_character":17},"updated":"2026-07-08 14:48:38.000000000","message":"run_with_ssl_state rolls back DB/Barbican but not guest configuration\n\n_execute_guest_ssl_actions() calls the primary first, then iterates over replicas sequentially. If an intermediate guest RPC fails (e.g. primary and replica-1 succeed, replica-2 fails, replica-3 is never called), run_with_ssl_state() correctly rolls back DB metadata and Barbican consumers, but does not revert guest-side changes on instances that already succeeded.\n\nThose guests will still have SSL enabled in their config files / guest_info (via enable_ssl_certificate() / override_guest_info()), while Trove DB shows SSL as disabled after rollback. This leaves the cluster in a split state.\n\nShould we compensate by calling disable_ssl_certificate() (or equivalent) on guests that were updated before the failure? Marking the instance as failed and leaving manual recovery to operators may be acceptable for now, but worth documenting or addressing in a follow-up.","commit_id":"dd90e68306783efd091f659e1c41453689b8814e"},{"author":{"_account_id":36080,"name":"Erkin Mussurmankulov","display_name":"Eric","email":"mangust404@gmail.com","username":"mongoose404","status":"PS Cloud services employee"},"change_message_id":"16b4cf556e13f0acac0421922afbe12fd7ae05ec","unresolved":false,"context_lines":[{"line_number":770,"context_line":"        instances \u003d [instance] + replicas"},{"line_number":771,"context_line":""},{"line_number":772,"context_line":"        # Define the actual task to be passed into our transaction wrapper"},{"line_number":773,"context_line":"        def _execute_guest_ssl_actions():"},{"line_number":774,"context_line":"            ssl_info \u003d client.ssl_action(mode, container, enable, disable)"},{"line_number":775,"context_line":"            for replica in replicas:"},{"line_number":776,"context_line":"                replica_clients[replica.id].ssl_action("},{"line_number":777,"context_line":"                    mode, container, enable, disable)"},{"line_number":778,"context_line":"            return ssl_info"},{"line_number":779,"context_line":""},{"line_number":780,"context_line":"        try:"},{"line_number":781,"context_line":"            ssl_info \u003d ssl.run_with_ssl_state("},{"line_number":782,"context_line":"                ssl_client, instances, mode, container_ref, enable, disable,"},{"line_number":783,"context_line":"                _execute_guest_ssl_actions"},{"line_number":784,"context_line":"            )"},{"line_number":785,"context_line":"        except Exception as e:"},{"line_number":786,"context_line":"            LOG.exception(\"Failed to apply SSL action: %s\", e)"},{"line_number":787,"context_line":"            raise"},{"line_number":788,"context_line":""},{"line_number":789,"context_line":"        return wsgi.Result({\u0027ssl\u0027: ssl_info}, 200)"},{"line_number":790,"context_line":""}],"source_content_type":"text/x-python","patch_set":35,"id":"f07de95e_94478be7","line":787,"range":{"start_line":773,"start_character":0,"end_line":787,"end_character":17},"in_reply_to":"0a6b862e_b7cfd4fa","updated":"2026-07-09 08:51:55.000000000","message":"Hmm. Yes, you\u0027re right. I overlooked that.\n\nI think it will be faster and easier to implement the `ssl_rollback` method in the guest agent at this point. We can simply store the previous SSL/TLS settings and restore them when it is called.\n\nI will return with the solution asap.","commit_id":"dd90e68306783efd091f659e1c41453689b8814e"}]}
