upgrade-guide: manager update for seed-container deploys #1009
Draft
ideaship wants to merge 3 commits into
| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 5 | | 0 | 0 | 0.03s |
| ✅ JSON | jsonlint | 4 | | 0 | 0 | 0.12s |
| ✅ JSON | prettier | 4 | | 0 | 0 | 0.44s |
| ✅ JSON | v8r | 4 | | 0 | 0 | 10.17s |
| ✅ MARKDOWN | markdownlint | 160 | | 0 | 0 | 2.57s |
| ✅ MARKDOWN | markdown-table-formatter | 160 | | 0 | 0 | 0.37s |
| ✅ REPOSITORY | checkov | yes | | no | no | 19.92s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.04s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.77s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 4.2s |
| ✅ SPELL | codespell | 170 | | 0 | 0 | 0.63s |
| ⚠️ SPELL | lychee | 170 | | 3 | 0 | 22.46s |
| ✅ YAML | prettier | 6 | | 0 | 0 | 0.33s |
| ✅ YAML | v8r | 6 | | 0 | 0 | 6.51s |
| ✅ YAML | yamllint | 6 | | 0 | 0 | 0.43s |
Detailed Issues
⚠️ SPELL / lychee - 3 errors
📝 Summary
---------------------
🔍 Total..........923
🔗 Unique.........746
✅ Successful.....850
⏳ Timeouts.........9
🔀 Redirected......46
👻 Excluded........61
❓ Unknown..........0
🚫 Errors...........3
⛔ Unsupported......3
Errors in docs/appendix/security/ossa-2026-001.md
[TIMEOUT] https://bugs.launchpad.net/keystonemiddleware/+bug/2129018 (at 124:3) | Request timed out
Errors in docs/appendix/security/ossa-2026-002.md
[TIMEOUT] https://bugs.launchpad.net/nova/+bug/2137507 (at 111:3) | Request timed out
Errors in docs/appendix/security/ossa-2026-015.md
[TIMEOUT] https://bugs.launchpad.net/keystone/+bug/2148398 (at 174:3) | Request timed out
[TIMEOUT] https://bugs.launchpad.net/keystone/+bug/2148477 (at 175:3) | Request timed out
[TIMEOUT] https://bugs.launchpad.net/keystone/+bug/2149789 (at 177:3) | Request timed out
[TIMEOUT] https://bugs.launchpad.net/keystone/+bug/2150089 (at 178:3) | Request timed out
[TIMEOUT] https://bugs.launchpad.net/keystone/+bug/2150379 (at 179:3) | Request timed out
Errors in docs/appendix/security/ossa-2026-022.md
[TIMEOUT] https://bugs.launchpad.net/nova/+bug/2151252 (at 145:3) | Request timed out
Errors in docs/guides/user-guide/openstack/migration-vmware-esxi.md
[ERROR] https://www.openstack.org/vmware-migration-to-openstack (at 20:1) | Connection failed. Check network connectivity and firewall settings
Errors in docs/release-notes/index.md
[ERROR] https://release.osism.tech/ (at 11:1) | Connection failed. Check network connectivity and firewall settings
Errors in docs/release-notes/osism-7.md
[ERROR] https://www.openstack.org/software/openstack-bobcat (at 977:38) | Connection failed. Check network connectivity and firewall settings
Errors in docs/release-notes/osism-9.md
[TIMEOUT] https://bugs.launchpad.net/kolla/+bug/2111620 (at 96:47) | Request timed out
Hint: Followed 46 redirects. You might want to consider replacing redirecting URLs with the resolved URLs. Use verbose mode (`-v`/`-vv`) to see redirection details.
8f12f4f to 6741d46
The step-3 note claimed the --ask-vault-pass argument is no longer necessary from OSISM >= 8.0.0. That relief applies to osism apply, which reads the vault password from the OSISM workers (set with osism set vault password, stored in Redis). It does not apply to osism update manager.

osism update manager runs out-of-band: it recreates the manager containers and therefore cannot rely on the worker-side vault password. Whenever environments/manager/secrets.yml is encrypted, the password must be supplied directly to this command, via --ask-vault-pass or ANSIBLE_VAULT_PASSWORD_FILE, regardless of the OSISM release.

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
The seed container is now a documented deploy path, so a manager may have no local Ansible venv. The manager update step assumed the self-bootstrapped manager and gave no guidance for a cluster deployed from a separate seed node.

Add an admonition that names the same osism.manager.manager playbook behind every update and selects the launcher by deployment topology: run osism update manager on a manager that has a local venv, or re-run ./run.sh manager from a still-available seed node. Steps 1, 2 and 4-6 are unchanged across topologies; only step 3 differs.

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
Add the remaining deploy topology to the manager update admonition: a manager deployed with the seed container and then separated from its seed has no local Ansible venv, yet the documented update runs osism update manager on the manager. Document that such a manager updates with run.sh from the configuration repository on the manager itself.

run.sh ships in the repository and is refreshed by make sync, so it does not depend on the manager's installed tooling; with a container engine present and no local venv it runs the playbook inside the osism/seed container automatically (SEED_CONTAINER=auto). The vault password must be reachable (environments/.vault_pass or ANSIBLE_ASK_VAULT_PASS).

Once the manager runs a release whose osism-update-manager wrapper reaches seed-container parity, osism update manager does the same and can be used instead; that wrapper change is a separate, non-blocking improvement in osism/ansible-collection-services.

Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Roger Luethi <luethi@osism.tech>
6741d46 to 7fd0264
What

Give `upgrade-guide/manager.mdx` a seed-container update story. The seed container is now a documented (and default) deploy path, which can leave a manager with no local Ansible venv — but the manager update step assumed the self-bootstrapped manager and gave no guidance otherwise.

Commits (one concern each)

- upgrade-guide: fix vault note for manager update — Corrects the step-3 note: the ">= 8.0.0 `--ask-vault-pass` no longer necessary" relief is the `osism apply` / worker path. `osism update manager` runs out-of-band (it recreates the manager containers) and cannot use the Redis-stored worker vault password, so the password must be supplied directly whenever `secrets.yml` is encrypted.
- upgrade-guide: map manager update to deploy topology — Adds an admonition naming the same `osism.manager.manager` playbook behind every update and selecting the launcher by topology: `osism update manager` on a manager with a local venv, or re-run `./run.sh manager` from a still-available seed node.
- upgrade-guide: document seed-container manager update — Adds the third row: a manager deployed with the seed container and separated from its seed (no venv) updates with `./run.sh manager` from the configuration repository on the manager itself. `run.sh` ships in the repo and is refreshed by `make sync`, so it runs the update inside the `osism/seed` container (`SEED_CONTAINER=auto`) independent of the manager's installed tooling.

Merge order

All three commits are accurate on current `main` and can land independently — the seed-container row uses `run.sh`, which is already released, so the upgrade does not depend on any unreleased change. Bringing the `osism-update-manager` wrapper to seed-container parity, so `osism update manager` works as a drop-in alias for `run.sh`, is a separate and non-blocking improvement:

🤖 Generated with Claude Code
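
The launcher and vault-password rules from the commits above, as an added example that is not part of the pull request or of OSISM: a preflight that prints which update command to run and executes nothing. The function names, the caller-supplied venv directory, the `seed` role label and the `true` value for `ANSIBLE_ASK_VAULT_PASS` are assumptions.

```shell
#!/bin/sh
# Added example, not OSISM code. Prints the update command; runs nothing.
# Assumptions: function names, the caller-supplied venv path, the "seed" role
# label, and ANSIBLE_ASK_VAULT_PASS=true as the value used for the prompt.

# True when the file starts with the Ansible Vault header line.
secrets_encrypted() {
    [ -r "$1" ] || return 1
    _first=
    IFS= read -r _first < "$1" || true
    case "$_first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Launcher by topology: $1 = venv dir to test, $2 = "seed" when on a seed node.
pick_launcher() {
    if [ "$2" != seed ] && [ -d "$1" ]; then
        echo "osism update manager"    # manager with a local venv
    else
        echo "./run.sh manager"        # seed node, or manager without a venv
    fi
}

# $1 = configuration repository root, $2 = venv dir, $3 = role (seed|manager)
plan_update() {
    launcher=$(pick_launcher "$2" "$3")
    if ! secrets_encrypted "$1/environments/manager/secrets.yml"; then
        echo "$launcher"
        return 0
    fi
    case "$launcher" in
        osism*)  # the worker-side (Redis) vault password is not usable here
            if [ -r "${ANSIBLE_VAULT_PASSWORD_FILE:-}" ]; then
                echo "$launcher"
            else
                echo "$launcher --ask-vault-pass"
            fi ;;
        *)
            if [ -r "$1/environments/.vault_pass" ]; then
                echo "$launcher"
            else
                echo "ANSIBLE_ASK_VAULT_PASS=true $launcher"
            fi ;;
    esac
}

if [ $# -eq 3 ]; then plan_update "$@"; fi
```
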