Page MenuHomePhabricator
Create Task
Maniphest T246671

Missing dependencies for openstack queens
Closed, ResolvedPublic
Actions

Description

I have a test instance using

deb http://mirrors.wikimedia.org/osbpo stretch-queens-backports main

That gets me the top-level packages but there are lots of dependency issues:

The following packages have unmet dependencies:
 python-nova : Depends: python-castellan (>= 0.4.0) but it is not going to be installed
               Depends: python-keystonemiddleware (>= 4.0.0) but it is not going to be installed
               Depends: python-os-brick (>= 1.6.1) but it is not going to be installed
               Depends: python-os-vif (>= 1.1.0) but it is not going to be installed
               Depends: python-oslo.db (>= 4.10.0) but it is not going to be installed
               Depends: python-oslo.messaging (>= 5.2.0) but it is not going to be installed
               Depends: python-oslo.middleware (>= 3.0.0) but it is not going to be installed
               Depends: python-oslo.policy (>= 1.9.0) but it is not going to be installed
               Depends: python-oslo.versionedobjects (>= 1.13.0) but it is not going to be installed

I can dig into this myself but iirc last time @aborrero was able to fix this issue in P in a flash. The example VM is abogott-repo-test.testlabs.eqiad.wmflabs

Details

SubjectRepoBranchLines +/-
openstack: serverpackages: include pubkey for osbpo repositoryoperations/puppetproduction+33 -0
openstack: serverpackages: queens: stretch: introduce some apt pinningsoperations/puppetproduction+17 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Andrew created this task.Mar 2 2020, 3:09 PM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptMar 2 2020, 3:09 PM
aborrero moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.Mar 3 2020, 9:31 AM
aborrero added a comment.EditedMar 3 2020, 9:43 AM

problem might be py2 vs py3. For queens we only have python3-nova and no python-nova (reference version 2:17.0.11-1).

gerritbot added a comment.Mar 3 2020, 10:17 AM

Change 576290 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] openstack: serverpackages: queens: stretch: introduce some apt pinnings

https://gerrit.wikimedia.org/r/576290

gerritbot added a project: Patch-For-Review.Mar 3 2020, 10:17 AM

Change 576290 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] openstack: serverpackages: queens: stretch: introduce some apt pinnings

https://gerrit.wikimedia.org/r/576290

aborrero closed this task as Resolved.Mar 3 2020, 10:24 AM

Merged a couple of patches, this should be better now. I can install python3-nova, python3-keystone, python3-neutron, python3-deisgnate and python3-glance without any issue.

Please reopen if required.

Andrew added a comment.Mar 3 2020, 5:20 PM

I'm working on cloudservices2002-dev.

The first issue I see is that we're not getting the key for the new repo from puppet:

GPG error: http://mirrors.wikimedia.org/osbpo stretch-queens-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 56056AB2FEE4EECB

I've hacked around that temporarily; the next issue I see is that apt doesn't ever settle into a state where everything is upgraded. No matter how many 'apt-get update && apt-get upgrade' cycles I run it still shows 20+ packages to upgrade. And some of them behave strangely, e.g.:

Preparing to unpack .../0-python-chardet_3.0.4-1~bpo9+1_all.deb ...
Unpacking python-chardet (3.0.4-1~bpo9+1) over (3.0.4-1~bpo9+1) ...
Preparing to unpack .../1-python-idna_2.6-1~bpo9+1_all.deb ...
Unpacking python-idna (2.6-1~bpo9+1) over (2.6-1~bpo9+1) ...
Preparing to unpack .../2-python-jinja2_2.10-1~bpo9+1_all.deb ...
Unpacking python-jinja2 (2.10-1~bpo9+1) over (2.10-1~bpo9+1) ...
Preparing to unpack .../3-python-munch_2.2.0-2~bpo9+1_all.deb ...
Unpacking python-munch (2.2.0-2~bpo9+1) over (2.2.0-2~bpo9+1) ..

etc.

Andrew reopened this task as Open.Mar 3 2020, 5:20 PM
gerritbot added a comment.Mar 4 2020, 9:50 AM

Change 576643 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] openstack: serverpackages: include pubkey for osbpo repository

https://gerrit.wikimedia.org/r/576643

gerritbot added a comment.Mar 4 2020, 10:06 AM

Change 576643 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] openstack: serverpackages: include pubkey for osbpo repository

https://gerrit.wikimedia.org/r/576643

aborrero added a comment.Mar 4 2020, 1:24 PM
In T246671#5937828, @Andrew wrote:

I'm working on cloudservices2002-dev.

The first issue I see is that we're not getting the key for the new repo from puppet:

GPG error: http://mirrors.wikimedia.org/osbpo stretch-queens-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 56056AB2FEE4EECB

This should be fixed now, puppet patch.

I've hacked around that temporarily; the next issue I see is that apt doesn't ever settle into a state where everything is upgraded. No matter how many 'apt-get update && apt-get upgrade' cycles I run it still shows 20+ packages to upgrade. And some of them behave strangely, e.g.:

Preparing to unpack .../0-python-chardet_3.0.4-1~bpo9+1_all.deb ...
Unpacking python-chardet (3.0.4-1~bpo9+1) over (3.0.4-1~bpo9+1) ...
Preparing to unpack .../1-python-idna_2.6-1~bpo9+1_all.deb ...
Unpacking python-idna (2.6-1~bpo9+1) over (2.6-1~bpo9+1) ...
Preparing to unpack .../2-python-jinja2_2.10-1~bpo9+1_all.deb ...
Unpacking python-jinja2 (2.10-1~bpo9+1) over (2.10-1~bpo9+1) ...
Preparing to unpack .../3-python-munch_2.2.0-2~bpo9+1_all.deb ...
Unpacking python-munch (2.2.0-2~bpo9+1) over (2.2.0-2~bpo9+1) ..

This is annoying but harmless. I couldn't find yet a proper solution to this.

The problem is the exact same packages are present in two different repositories and this confuses the apt resolver. I tried with different pinning configurations with no luck so far.
I'm inclined to stop looking any further unless we decide this is an actual problem worth investing the time to solve it.

Andrew added a comment.Mar 4 2020, 3:32 PM

Now this weird thing is happening on cloudservices2002-dev:

Err:2 http://apt.wikimedia.org/wikimedia stretch-wikimedia InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D392D3FFADF18FB
No directory, logging in with HOME=/
aborrero added a comment.EditedMar 4 2020, 4:59 PM

This key is apparently configured as part of our server install setup, see modules/install_server/files/autoinstall/common.cfg in the puppet tree.
In the resulting server filesystem, the key is added to /etc/apt/trusted.gpg. In a "sane" hardware server, this contains the apt.wikimedia.org key, but not in cloudservices2002-dev.

I checked the server and I found the /etc/apt/trusted.gpg was mangled (by hand?) and only contained the osbpo key:

aborrero@cloudservices2002-dev:~ $ sudo apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2019-11-16 [SCEA]
      0FB8 E8DD 1949 8FEC 90B2  5E5E 5605 6AB2 FEE4 EECB
uid           [ unknown] Autogenerated key <root@osbpo.debian.net>

So I just added the missing key by hand following the docs: https://wikitech.wikimedia.org/wiki/APT_repository#Security

and now:

aborrero@cloudservices2002-dev:~ 2s $ sudo apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2019-11-16 [SCEA]
      0FB8 E8DD 1949 8FEC 90B2  5E5E 5605 6AB2 FEE4 EECB
uid           [ unknown] Autogenerated key <root@osbpo.debian.net>

pub   rsa4096 2017-02-10 [SC]
      B8A2 DF05 748F 9D52 4A3A  2ADE 9D39 2D3F FADF 18FB
uid           [ unknown] Wikimedia Archive Automatic Signing Key <root@wikimedia.org>

apt upgrade works now!

aborrero closed this task as Resolved.Mar 5 2020, 10:37 AM

Please reopen again if required.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL