Wednesday, 2017-08-30

« Tuesday, 2017-08-29 Index Thursday, 2017-08-31 »
nomaticsShould Install cinder services play be ran against a host? It first runs the play in the container and then on the host. I have is_metal set to false in env.d/cinder-volumes.yml.00:00
*** yifei has joined #openstack-ansible00:03
*** exodusftw has quit IRC00:13
*** marc_ab has quit IRC00:17
*** exodusftw has joined #openstack-ansible00:17
openstackgerritKevin Carter (cloudnull) proposed openstack/openstack-ansible stable/newton: Added a common tag to the common tasks  https://review.openstack.org/49899200:19
*** thorst_afk has joined #openstack-ansible00:22
*** nomatics_ has joined #openstack-ansible00:27
openstackgerritMerged openstack/openstack-ansible stable/newton: migrate_openstack_vars.py: Correct folder name  https://review.openstack.org/49887100:28
*** nomatics has quit IRC00:28
*** thorst_afk has quit IRC00:29
*** thorst_afk has joined #openstack-ansible00:30
*** thorst_afk has quit IRC00:34
*** lbragstad has joined #openstack-ansible00:44
*** exodusftw has quit IRC00:49
*** basilAB has left #openstack-ansible00:51
*** woodard has quit IRC00:51
*** woodard has joined #openstack-ansible00:51
*** exodusftw has joined #openstack-ansible00:55
*** thorst_afk has joined #openstack-ansible01:02
*** thorst_afk has quit IRC01:03
*** galstrom_zzz is now known as galstrom01:41
*** nomatics_ has quit IRC01:53
*** kukacz has quit IRC02:00
*** kukacz has joined #openstack-ansible02:01
*** thorst_afk has joined #openstack-ansible02:04
*** lbragstad has quit IRC02:07
*** thorst_afk has quit IRC02:09
*** dxiri has joined #openstack-ansible02:31
*** dxiri has quit IRC02:32
*** dxiri has joined #openstack-ansible02:32
*** dxiri has quit IRC02:33
*** dxiri_ has quit IRC02:34
*** dxiri has joined #openstack-ansible02:35
*** gouthamr has quit IRC02:46
*** galstrom is now known as galstrom_zzz02:56
*** dxiri has quit IRC02:59
*** dxiri has joined #openstack-ansible03:02
*** thorst_afk has joined #openstack-ansible03:05
*** thorst_afk has quit IRC03:10
cloudnull‎nomatics‎ if you have ismetal false it should only run in the container03:11
cloudnullif it is you may need to clean up the inventory03:12
cloudnullcheckout the inventory-manage script03:13
cloudnulland remove the host from the cinder group03:14
openstackgerritKevin Carter (cloudnull) proposed openstack/openstack-ansible master: Run gate playbooks in parallel  https://review.openstack.org/49774203:17
*** udesale has joined #openstack-ansible03:18
prometheanfireI feel like I should submit reverts to osa-ops for https://github.com/openstack/openstack-ansible-ops/commit/9049479dda62e845e87c6cb22050f82272cc542b and https://github.com/openstack/openstack-ansible-ops/commit/53d548dfba6a8a45c6c7afa6c8550fe76cfd466303:22
prometheanfireeven with the 'fix' leaps are broken03:22
cloudnullfrom those patches ?03:25
prometheanfirecloudnull: yes03:25
prometheanfirealso03:25
prometheanfirelooks like the db migration fixes didn't work03:25
cloudnullit doesn't look like those prs do anything by default ?03:26
cloudnullbeing that the vars are unset ?03:26
prometheanfirere-deploy.sh: line 65: syntax error in conditional expression03:26
prometheanfiremaybe?03:27
prometheanfireI reverted them locally03:27
cloudnullif you remove the -u https://github.com/openstack/openstack-ansible-ops/blob/master/leap-upgrades/re-deploy.sh#L2103:28
cloudnull?03:28
prometheanfiremaybe fine03:28
prometheanfireI'll test it in a bit03:28
prometheanfirecloudnull: /win 103:28
prometheanfirebah03:28
prometheanfirecloudnull: would this work for leap upgrades?  It's my understanding that the leap upgrades don't use anything from the rpc-openstack or it's submodule https://github.com/rcbops/rpc-openstack/pull/2491/files03:29
prometheanfireI'm thinking that the leap upgrades don't care about the rpc-o ansible-role-requirements.yml file03:31
cloudnullI'm not sure, the leap upgrades were not designed with rpc-o specifically in mind.03:32
prometheanfireya03:32
cloudnullthe inline modifications rpco is making to the process change a lot of the functionality03:33
prometheanfireit looks like the rpc-o wraping of the leap upgrades doesn't refrence ansible-role-requirements at all03:33
prometheanfireyep...03:33
cloudnullquite likely03:33
prometheanfirewish I didn't waste the last 12 hours then03:33
*** gkadam_ has joined #openstack-ansible03:33
cloudnullon that file ?03:33
prometheanfireya03:34
prometheanfirewell, I was testing an upgrade03:34
prometheanfirebetween those two commits and that modification...03:34
*** lbragstad has joined #openstack-ansible03:37
*** dave-mccowan has quit IRC03:40
prometheanfirecloudnull: you should like the cruftyness, but here's my osa-ops patch :D http://sprunge.us/iGRf03:53
prometheanfireI'm fairly sure later definitions in ansible-role-requirements.yml override the earlier ones03:53
openstackgerritMerged openstack/openstack-ansible-ops master: Use separate interfaces for lb traffic  https://review.openstack.org/49886203:57
cloudnullit'll pull down the osa roles when the bootstrap is run04:00
prometheanfireI wonder if the leap runs bootstrap for each step04:02
prometheanfireI'd expect it to04:02
* prometheanfire shrugs04:02
cloudnullhttps://github.com/openstack/openstack-ansible-ops/blob/ee85d37ce9fed010d54b2c95d3078cd6f0f4bbe9/leap-upgrades/lib/functions.sh#L12204:03
cloudnullit does04:03
prometheanfirecool04:04
prometheanfireso I should be good with that patch then04:04
prometheanfireas dirty as it is04:04
cloudnullrpc-o should leap and then apply its differences and stop injecting nonsense at runtime.04:05
prometheanfirehttp://i0.kym-cdn.com/photos/images/facebook/000/210/119/9b3.png04:05
*** thorst_afk has joined #openstack-ansible04:06
cloudnullthings like https://github.com/rcbops/rpc-openstack/blob/master/scripts/bootstrap-ansible.sh#L74-L80 should be stopped04:06
cloudnullhahaha04:06
cloudnullthe image applies to the second comment too04:06
prometheanfirebtw, mind reviewing https://review.openstack.org/498987 ?04:08
prometheanfireit's a one character fix :P04:08
prometheanfirewell, two maybe with spacing04:09
*** lbragstad has quit IRC04:09
*** thorst_afk has quit IRC04:10
prometheanfirecloudnull: email sent to rax email explaining it all04:11
cloudnullhttps://github.com/rcbops/rpc-openstack/pull/249204:13
prometheanfire:D04:13
cloudnull^ should help start remove the injections04:13
*** chhavi has joined #openstack-ansible04:15
prometheanfirelooks likt I'm staying up for the night to babysit this04:17
cloudnullhttps://github.com/rcbops/rpc-openstack/pull/249304:34
cloudnullprometheanfire: ^04:34
bhujaytrying to build multios repo. repo1 - 3 are Ubuntu containers and repo4 is  centos . build on repo 4 went smooth but repo1 is failing  at wheel building stage . IOError:[Errorno 2 ] No such file or directory : /var/www/repo/pools/centos-7.3-x86_64/ldappool/ldappool-2.1.0.py2.py3-none-any.whl04:38
bhujayany clue ?04:38
cloudnullbhujay: o/04:40
bhujayI am using OSA 15.1.6 cloud that be a problem ? shd I upgrade to 15.1.8?04:40
cloudnullI'd not expect so , however using the latest stable is a good way to rule out issues.04:41
bhujaysure , let me try04:41
*** rstarmer has quit IRC04:43
*** rstarmer has joined #openstack-ansible04:43
*** chyka has quit IRC04:58
*** thorst_afk has joined #openstack-ansible05:07
*** thorst_afk has quit IRC05:11
*** chhavi has quit IRC05:12
*** chhavi has joined #openstack-ansible05:12
*** udesale__ has joined #openstack-ansible05:13
*** a0x3e8 has quit IRC05:13
*** udesale has quit IRC05:15
*** zcourts has quit IRC05:20
*** zcourts has joined #openstack-ansible05:21
*** yolanda has quit IRC05:21
*** zcourts has quit IRC05:25
prometheanfireturns out cats don't like the taste of espresso05:43
cloudnullwho knew :D05:49
prometheanfireme05:52
prometheanfirenow :P05:52
prometheanfirejust about time to test another leap05:52
*** vishwana_ has quit IRC06:02
*** vishwanathj has joined #openstack-ansible06:03
*** jwitko has quit IRC06:03
*** jwitko has joined #openstack-ansible06:04
*** poopcat has quit IRC06:04
*** drifterza has joined #openstack-ansible06:05
*** poopcat has joined #openstack-ansible06:06
*** thorst_afk has joined #openstack-ansible06:07
*** thorst_afk has quit IRC06:12
*** Oku_OS-away is now known as Oku_OS06:15
hw_wutianweicloudnull: hi, I meet some issue http://paste.openstack.org/show/619849/06:17
hw_wutianweiI use master06:17
hw_wutianweidid I miss something?06:17
*** huxinhui_ has joined #openstack-ansible06:21
cloudnullhw_wutianwei: maybe missed something in the user config06:26
cloudnullhave a look at https://docs.openstack.org/openstack-ansible-haproxy_server/latest/06:26
cloudnullfor more on the haproxy configs06:26
hw_wutianweicloudnull: I check the keepalived code {% for name, sync_group in keepalived_sync_groups.iteritems() %}, 'iteritems()' seem to be a function.06:33
*** cshen has quit IRC06:33
*** cshen has joined #openstack-ansible06:35
hw_wutianweicloudnull:  I have no idea which I missed. In my opinion, there are default when I missed06:36
cloudnullhw_wutianwei: can you check the python version06:40
cloudnullin /opt/ansible-runtime/bin/python06:40
cloudnullhw_wutianwei: If  you have py306:41
cloudnulli wonder if you have an old version of the keepalived role ?06:41
cloudnullhttps://github.com/evrardjp/ansible-keepalived/commit/2553ddffd948f3e8e8196cd017d27716b396554a06:41
cloudnullI got a change in that role a while back to address the py3 issues06:41
cloudnullhttps://github.com/openstack/openstack-ansible/blob/master/ansible-role-requirements.yml#L29-L3206:42
cloudnullyou should have that role out of master06:42
hw_wutianweithe python version is 3.5.206:42
cloudnullso you shouldn't see that specific error06:42
cloudnullwhen was this master repo cloned?06:42
*** pcaruana has joined #openstack-ansible06:43
hw_wutianweicommit 4d39f2cc29417153780210fc0bb86223387e996806:43
hw_wutianweiMerge: b4f0401 c5b317d06:43
hw_wutianweiAuthor: Jenkins <jenkins@review.openstack.org>06:43
hw_wutianweiDate:   Wed Aug 23 00:06:31 2017 +000006:43
hw_wutianweicloudnull: this is the latest git log.06:44
cloudnullwas this an old checkout before ?06:45
cloudnullif so have you rerun ./scripts/bootstrap-ansible.sh06:45
cloudnullthat will pull down the latest roles.06:45
neithhey guys when rebuilding venvs after updating from 14.04 to 16.04 I get06:46
neithhttps://www.irccloud.com/pastebin/BaONKje9/06:46
neithany idea?06:46
hw_wutianweicloudnull: ok, I will try06:47
hw_wutianweithanks06:47
cloudnullhw_wutianwei: np06:48
cloudnullneith: running repo-build?06:48
cloudnulldo you still have a 14.04 host ?06:48
neithcloudnull: TASK [repo_build : Create OpenStack-Ansible requirement wheels] ****************06:48
neithcloudnull: yes06:48
cloudnullhttp://paste.openstack.org/show/619850/06:49
cloudnulllooks like that's the error06:50
cloudnullseems the gnocci checkout is missing?06:50
cloudnulls'/checkout/wheel/06:50
cloudnull# /var/www/repo/pools/ubuntu-14.04-x86_64/gnocchiclient/gnocchiclient-2.8.2-py2.py3-none-any.whl06:50
cloudnullmaybe that's a broken link?06:50
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible master: Correct cinder online migrations command  https://review.openstack.org/49904406:51
neithcloudnull: maybe06:51
neithcloudnull: the file is present06:53
cloudnulland its not a broken symlink ?06:54
cloudnullif no, try rerunning the repo-build06:54
*** gtrxcb has quit IRC06:54
cloudnullalso do you have both 14.04 and 16.04 infra hosts?06:55
neithcloudnull: my bad the pools dir is empty06:55
cloudnullah. ok.06:55
neiththough /var/www/repo/ubuntu-14.04-x86_64/gnocchiclient/gnocchiclient-2.8.2-py2.py3-none-any.whl exists06:55
cloudnullyou'll need to comb through the dirs and clean up any busted symlinks06:55
cloudnullor nuke /var/www/repo/ubuntu-14.04-x86_64 and rerun the repo-build06:56
neithcloudnull: I can nuke it06:56
cloudnullso long as you have 1 infra 14.04 and 1 infra 16.04 it will rebuild06:56
neith:)06:56
neithits the first infra i'm upgrading06:57
*** yolanda has joined #openstack-ansible06:57
neithyet, I dont have any working unfra on 16.0406:57
*** drifterza has quit IRC06:57
cloudnullah. you will need at least 1 16.04 infra06:59
*** a0x3e8 has joined #openstack-ansible06:59
cloudnullto build the different system wheels06:59
a0x3e8hello. problem: I finally managed to deploy openstack using ansible but I had to create cinder volume manually. anyway, I want to access to my instances from outside of the stack so I need network. in my setup I used 3 physical interfaces instead of 3 vlans in default configurations. my management ip is 10.1.10.0/24, network if: 10.1.20.0/24 and st07:00
a0x3e8orage network: 10.1.30.0/24. I tried to create a network with subnet 10.1.20.0/24 and made it external! but no access! how should I create a network with external access which will connect to my 10.1.20.0/24 vlan in router?07:00
neithcloudnull: infra1 is on 16.0407:00
neithcloudnull: but the repo container get the task I previously mentionned07:00
cloudnulloh.07:00
cloudnullok07:00
cloudnullit should go serially and build everything for each os type it encounters and then sync07:01
*** arbrandes has joined #openstack-ansible07:01
neithcloudnull: destroying the container and replay all the playbboks should help?07:03
*** arbrandes1 has quit IRC07:04
cloudnullneith: you can destroy just that one. then rebuild it and run the repo buts07:05
cloudnull**bits07:05
cloudnullsomething like `openstack-ansible lxc-container-destroy.yml lxc-container-create.yml repo-install.yml --limit repo_all`07:05
cloudnullI'm off.07:05
* cloudnull time for sleep07:05
cloudnulltake care all07:06
neithcloudnull: sleep tight ;)07:06
*** a0x3e8 has left #openstack-ansible07:08
*** thorst_afk has joined #openstack-ansible07:08
*** jvidal has joined #openstack-ansible07:09
*** jamielennox has quit IRC07:09
*** gus has quit IRC07:09
*** gus has joined #openstack-ansible07:10
*** thorst_afk has quit IRC07:13
*** jamielennox has joined #openstack-ansible07:14
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-rabbitmq_server stable/newton: Install specific version of Erlang from ESL  https://review.openstack.org/49895107:15
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-rabbitmq_server stable/newton: Install specific version of Erlang from ESL  https://review.openstack.org/49895107:17
*** sxc731 has joined #openstack-ansible07:20
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-rabbitmq_server stable/newton: Install specific version of Erlang from ESL  https://review.openstack.org/49895107:22
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-rabbitmq_server stable/newton: Install specific version of Erlang from ESL  https://review.openstack.org/49895107:23
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-rabbitmq_server stable/newton: Install specific version of Erlang from ESL  https://review.openstack.org/49895107:24
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-rabbitmq_server stable/newton: Install specific version of Erlang from ESL  https://review.openstack.org/49895107:27
*** drifterza has joined #openstack-ansible07:28
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-rabbitmq_server stable/newton: Install specific version of Erlang from ESL  https://review.openstack.org/49895107:28
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-rabbitmq_server stable/newton: Install specific version of Erlang from ESL  https://review.openstack.org/49895107:30
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-rabbitmq_server stable/newton: Pin erlang packages to version 19.3  https://review.openstack.org/49895207:32
*** coolkil has joined #openstack-ansible07:32
coolkilmorning07:33
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-rabbitmq_server stable/newton: Install specific version of Erlang from ESL  https://review.openstack.org/49895107:33
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-rabbitmq_server stable/newton: Pin erlang packages to version 19.3  https://review.openstack.org/49895207:33
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/pike: Update documentation redirects  https://review.openstack.org/49905907:35
coolkilim looking at https://github.com/openstack/openstack-ansible-repo_server/blob/master/tasks/repo_post_install.yml#L71-L89 I'm wondering why the base venvs directory is not created during this stage?07:36
*** mbuil has joined #openstack-ansible07:38
odyssey4mecoolkil it gets done here instead: https://github.com/openstack/openstack-ansible-repo_build/blob/master/tasks/repo_build_venvs.yml#L16-L2407:38
coolkilthe problem is that when somone builds the repo for the very first time while using multiple architectures the sync_repo.yml wil try to sync to /var/www/repo/vens/<openstack_versionnr> but because the venvs dir is nonexistant on the target server this fails07:39
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/ocata: Update documentation redirects  https://review.openstack.org/49906407:40
odyssey4mecoolkil aha, well that's a bug then07:40
odyssey4meit does seem sensible to create it in the repo_server role along with the others07:40
coolkilthe only differance is the permissions07:41
coolkilvenvs is 755 and the rest is 77507:42
coolkilscratch that07:42
coolkilread the code wrong07:42
coolkilI'l make the change!07:43
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-ops master: Correct leap hook closing brackets  https://review.openstack.org/49906507:47
openstackgerritTaseer Ahmed proposed openstack/openstack-ansible-specs master: (WIP) Blueprint for Congress integration with OSA.  https://review.openstack.org/49906607:48
odyssey4methanks coolkil07:48
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/pike: Correct cinder online migrations command  https://review.openstack.org/49906807:50
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/ocata: Correct cinder online migrations command  https://review.openstack.org/49906907:50
bhujaya0x3e8:While creating the external net using openstack network create , have you  mentioned  a gateway for  1.20 netwrok ,  that is physically existing and connected physical net  1.2007:56
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-os_cinder master: Correct cinder online migrations command  https://review.openstack.org/49907107:57
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-os_cinder stable/pike: Correct cinder online migrations command  https://review.openstack.org/49907207:58
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-os_cinder stable/ocata: Correct cinder online migrations command  https://review.openstack.org/49907307:59
*** drifterza has quit IRC08:05
bhujayMy repo build  job   completed ok  with Ubuntu and Centos . I  updated OSA to 15.1.8 and also re  - created clean  repo containers .08:05
*** thorst_afk has joined #openstack-ansible08:09
*** jafeha has joined #openstack-ansible08:11
bhujaya0x3e8: Are you saying  on the server side there is no VLAN or subinterface but at the switch side you have VLAN ?08:13
*** thorst_afk has quit IRC08:14
bhujaythis could be a problem forwarding traffic without appropriate VLAN tagging  . I suggest you create a router in the external net , note down the routers interface ip in 1.20 net , connect external net in a switch without VLAN and from external net try to ping the routers IP . If this goes through the problem is with VLAN . You may also change the  switch port type to trunk port / 802.1q see if that helps08:19
openstackgerritTaseer Ahmed proposed openstack/openstack-ansible-specs master: (WIP) Blueprint for Congress integration with OSA. Congress is a policy framework for OpenStack.  https://review.openstack.org/49906608:19
*** maybebuggy has joined #openstack-ansible08:20
openstackgerritTaseer Ahmed proposed openstack/openstack-ansible-specs master: (WIP) Blueprint for Congress integration with OSA. Congress is a policy framework for OpenStack.  https://review.openstack.org/49906608:21
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/pike: Correct zuul-cloner cloning of pinned SHA's  https://review.openstack.org/49907908:37
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/pike: Enable verbose logging when fetching roles via git-clone  https://review.openstack.org/49878808:38
*** vnogin has joined #openstack-ansible08:41
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/pike: Correct zuul-cloner cloning of pinned SHA's  https://review.openstack.org/49907908:43
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/pike: Enable verbose logging when fetching roles via git-clone  https://review.openstack.org/49878808:43
*** andreas_s has joined #openstack-ansible08:44
*** andreas_s has quit IRC08:44
*** andreas_s has joined #openstack-ansible08:45
*** andreas_s has quit IRC08:46
*** andreas_s has joined #openstack-ansible08:47
*** andreas_s has quit IRC08:47
openstackgerritChris Beukers proposed openstack/openstack-ansible-repo_server master: Create venvs directory when repo server container is created  https://review.openstack.org/49908308:49
openstackgerritChris Beukers proposed openstack/openstack-ansible-repo_build master: Removes creation of venvs directory during repo build  https://review.openstack.org/49908408:59
*** drifterza has joined #openstack-ansible09:03
coolkilwhat is neccesary to get this accepted? https://review.openstack.org/#/c/479844/ besides removing the wip part? it still needs a change to https://github.com/openstack/openstack-ansible/blob/master/group_vars/all/nova.yml#L31-L33 but that is a different repository09:05
*** sxc731 has quit IRC09:07
*** andreas_s has joined #openstack-ansible09:10
*** thorst_afk has joined #openstack-ansible09:10
*** thorst_afk has quit IRC09:14
odyssey4mecoolkil no-one will touch it until the WIP is removed09:15
odyssey4meand you can submit the other patch with 'Depends-On: <change ID>' in the commit message to have them tested together09:15
*** sxc731 has joined #openstack-ansible09:17
*** electrofelix has joined #openstack-ansible09:23
coolkilah thnx odyssey4me wil run the other change localy first if it works here i will submit it09:26
*** a0x3e8 has joined #openstack-ansible09:26
*** hw_wutianwei has quit IRC09:37
*** yifei has quit IRC09:39
openstackgerritJean-Philippe Evrard proposed openstack/openstack-ansible-ops master: Allow overrides of bootstrap ansible script  https://review.openstack.org/49910210:11
*** thorst_afk has joined #openstack-ansible10:11
*** thorst_afk has quit IRC10:15
*** askb has quit IRC10:15
*** m3rl1n has joined #openstack-ansible10:24
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/pike: Correct zuul-cloner cloning of pinned SHA's  https://review.openstack.org/49907910:26
*** dave-mccowan has joined #openstack-ansible10:29
*** stuartgr has joined #openstack-ansible10:29
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/pike: Enable verbose logging when fetching roles via git-clone  https://review.openstack.org/49878810:30
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/pike: Correct zuul-cloner cloning of pinned SHA's  https://review.openstack.org/49907910:33
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/pike: Enable verbose logging when fetching roles via git-clone  https://review.openstack.org/49878810:33
*** sxc731 has quit IRC10:43
odyssey4meevrardjp andymccr alright, it looks like https://review.openstack.org/499079 is actually resolving the zuul-cloner on pike issue10:48
odyssey4meonce that merges I'll forward port to master if that's ok?10:48
*** oneswig has joined #openstack-ansible11:00
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-repo_build master: Removes creation of venvs directory during repo build  https://review.openstack.org/49908411:08
*** thorst_afk has joined #openstack-ansible11:12
*** ivveh has quit IRC11:12
*** thorst_afk has quit IRC11:16
openstackgerritMerged openstack/openstack-ansible-ops master: Fix venv build in when mariadb is installed  https://review.openstack.org/49898711:20
openstackgerritJean-Philippe Evrard proposed openstack/openstack-ansible-ops master: Allow overrides of bootstrap ansible script  https://review.openstack.org/49910211:27
openstackgerritJean-Philippe Evrard proposed openstack/openstack-ansible-ops master: Allow overrides of bootstrap ansible script  https://review.openstack.org/49910211:28
openstackgerritMerged openstack/openstack-ansible-lxc_hosts master: Sync apt preferences during lxc host configuration  https://review.openstack.org/49880211:29
coolkilodyssey4me you made a change to the commit message how do i pull that change to my enviroment or is that not neccesary?11:34
odyssey4mecoolkil git review -d <review number>11:35
odyssey4methat downloads the review in its current state11:35
coolkilthnx!!11:35
*** fxpester has joined #openstack-ansible11:36
openstackgerritChris Beukers proposed openstack/openstack-ansible-repo_build master: Removes creation of venvs directory during repo build  https://review.openstack.org/49908411:39
*** bauruine has quit IRC11:40
*** bauruine has joined #openstack-ansible11:41
*** rstarmer has quit IRC11:41
*** rstarmer has joined #openstack-ansible11:42
*** sxc731 has joined #openstack-ansible11:45
*** sxc731 has quit IRC11:51
*** gkadam_ has quit IRC11:54
*** thorst_afk has joined #openstack-ansible11:56
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/newton: Update role SHA's for online migration fixes  https://review.openstack.org/49912111:57
*** yifei has joined #openstack-ansible11:57
*** yifei has quit IRC12:01
*** yifei has joined #openstack-ansible12:04
*** maybebuggy has quit IRC12:07
*** a0x3e8 has quit IRC12:07
*** ianychoi has quit IRC12:07
*** brad[] has quit IRC12:07
*** mrda has quit IRC12:07
*** Jeffrey4l has quit IRC12:07
*** logan- has quit IRC12:07
*** hamzy has quit IRC12:07
*** jrosser has quit IRC12:07
*** fdegir has quit IRC12:07
*** nyloc has quit IRC12:07
*** mrhillsman has quit IRC12:07
*** neillc has quit IRC12:07
*** ianychoi_ has joined #openstack-ansible12:07
*** jrosser has joined #openstack-ansible12:07
*** brad[]` has joined #openstack-ansible12:07
*** Jeffrey4l has joined #openstack-ansible12:07
*** hamzy has joined #openstack-ansible12:07
*** a0x3e8 has joined #openstack-ansible12:12
*** sxc731 has joined #openstack-ansible12:19
*** maybebuggy has joined #openstack-ansible12:22
*** mrda has joined #openstack-ansible12:22
*** logan- has joined #openstack-ansible12:22
*** fdegir has joined #openstack-ansible12:22
*** nyloc has joined #openstack-ansible12:22
*** mrhillsman has joined #openstack-ansible12:22
*** neillc has joined #openstack-ansible12:22
*** yifei has quit IRC12:27
*** huxinhui_ has quit IRC12:30
*** pester has joined #openstack-ansible12:35
*** hw_wutianwei has joined #openstack-ansible12:36
*** fxpester has quit IRC12:38
*** hachi has joined #openstack-ansible12:42
*** oneswig has quit IRC12:43
*** woodard has quit IRC12:51
*** woodard has joined #openstack-ansible12:52
*** japestinho has joined #openstack-ansible12:53
*** a0x3e8 has quit IRC12:54
odyssey4me@andymccr mhayden FYI https://review.openstack.org/496671 is failing consistently with a functional test failure for swift12:54
odyssey4memhayden https://review.openstack.org/497293 is failing consistently with an idempotence failure for debian12:54
mhaydeni was seeing that too :/12:54
mhaydenodyssey4me: https://review.openstack.org/#/c/498468/12:55
mhaydenthat will fix it12:55
odyssey4mewe'll need https://review.openstack.org/499079 in to resolve pike integrated build failures12:55
odyssey4meah yes, that one - need another vote :/12:55
*** a0x3e8 has joined #openstack-ansible12:55
openstackgerritMajor Hayden proposed openstack/ansible-hardening master: Updated from OpenStack Ansible Tests  https://review.openstack.org/49729312:55
openstackgerritAndy McCrae proposed openstack/openstack-ansible-os_swift stable/pike: Updated from OpenStack Ansible Tests  https://review.openstack.org/49667112:57
*** drifterza has quit IRC13:02
mhaydenandymccr: could i request a bit of gandering at https://review.openstack.org/498468 ? :)13:07
mhaydensi vous plait ;)13:07
andymccrwill take a look!13:07
mhaydenandymccr: gracias13:08
mgariepymorning everyone.13:10
*** esberglu has joined #openstack-ansible13:10
*** dxiri has quit IRC13:10
andymccrmorning mgariepy!13:10
*** dxiri has joined #openstack-ansible13:11
openstackgerritMerged openstack/openstack-ansible-rabbitmq_server stable/newton: Install specific version of Erlang from ESL  https://review.openstack.org/49895113:11
openstackgerritMerged openstack/openstack-ansible-rabbitmq_server stable/newton: Pin erlang packages to version 19.3  https://review.openstack.org/49895213:11
mgariepyhow are you guys doing ?13:11
*** andreas_s has quit IRC13:11
mgariepyhmm mhayden seen this  ?http://logs.openstack.org/79/499079/4/check/gate-openstack-ansible-openstack-ansible-ceph-centos-7-nv/80dbf0a/console.html#_2017-08-30_11_44_13_33036613:12
mgariepy\n\nFailed:\n  python2-urllib3.noarch 0:1.16-1.el713:12
* mhayden toots13:12
mhaydenwhoa13:12
mhaydenerror unpacking?13:12
mhaydenhas it happened more than once? i wonder if it's something broken in the mirror perhaps13:13
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/newton: Update role SHA's for online migration fixes  https://review.openstack.org/49912113:13
mgariepyyep happenned for other review in the centos-Ceph  test13:14
openstackgerritMajor Hayden proposed openstack/ansible-hardening stable/pike: Update vars and test tooling for Pike  https://review.openstack.org/49662613:16
openstackgerritMajor Hayden proposed openstack/ansible-hardening stable/pike: Updated from OpenStack Ansible Tests  https://review.openstack.org/49691513:18
mhaydenodyssey4me: okay, i think i have the ansible-hardening patches stacked properly13:19
*** gouthamr has joined #openstack-ansible13:19
mhaydenpike may need the apparmor idempotency test backported to make those work consistently -- they will fail intermittently until that gets in13:19
odyssey4methen we wait :)13:20
*** Apsu has joined #openstack-ansible13:24
*** chyka has joined #openstack-ansible13:25
*** chyka has quit IRC13:30
cloudnullmornings13:40
openstackgerritMerged openstack/openstack-ansible-ops master: Allow overrides of bootstrap ansible script  https://review.openstack.org/49910213:40
mgariepyis the leap upgrade from K > N ready yet ?13:41
openstackgerritMerged openstack/openstack-ansible-ops master: Correct leap hook closing brackets  https://review.openstack.org/49906513:41
cloudnull+/- ready13:41
cloudnullI know folks have been testing with it recently13:41
mgariepycloudnull, what's the overall process like ?13:42
evrardjpmgariepy: no13:43
*** sxc731 has quit IRC13:44
cloudnullassuming you have a happy health, stable kilo cloud, you would clone the ops repo, cd into the leap dir and run the scripts.13:44
*** lbragstad has joined #openstack-ansible13:44
cloudnullit would migrate your dbs, then redeploy on newton13:44
*** mrch has joined #openstack-ansible13:44
cloudnullit aggregates most of our upgrade utilities and adds a few more to the mix13:45
cloudnullevrardjp: It more or less works when deploying with OSA.13:46
cloudnullmgariepy: if you have a test environment or the hardware to do a multi-node-aio you can try it out13:46
cloudnullwhich I'd recommend using your configs13:46
*** chhavi has quit IRC13:47
*** Donckers has joined #openstack-ansible13:47
mgariepywell, I could install a testbed to test it.13:47
cloudnullI think jmccrory has done some work with it too ?13:47
mgariepyI probably will.. :)13:47
cloudnullbut it'd be great to get additional feedback on it13:47
*** lucasxu has joined #openstack-ansible13:48
odyssey4methe first challenge is to deploy kilo :/13:49
odyssey4meunfortunately that will require a fork to patch up a few things to get it working13:49
evrardjpmore or less.13:51
cloudnullhttps://github.com/rcbops/rpc-maas/blob/master/tests/aio-create.sh -- odyssey4me mgariepy -- pass in IRR_CONTEXT=kilo and it should go13:52
cloudnullthat works fairly reliably for an AIO but if you need kilo those couple of additions should make ti work13:53
mgariepycool.13:54
mgariepyit will probably be a month or 2 before I start digging deeply into this.13:55
cloudnullcool13:55
mgariepyI hop it won't be too much trouble :D13:56
mgariepyat least once it's done I won't have to maintain that kitten anymore :D13:57
cloudnullodyssey4me: http://logs.openstack.org/42/497742/18/check/gate-openstack-ansible-openstack-ansible-aio-ubuntu-xenial/0af9d0f/console.html#_2017-08-30_04_04_14_453839 - is that something we're aware of ?13:58
*** hw_wutianwei has quit IRC13:59
openstackgerritKevin Carter (cloudnull) proposed openstack/openstack-ansible master: Run gate playbooks in parallel  https://review.openstack.org/49774213:59
cloudnullah https://review.openstack.org/#/c/499071/14:00
cloudnullodyssey4me: ^ is that all we need?14:00
*** mrch has quit IRC14:00
odyssey4mecloudnull that's the role fix, there's also a playbook fix14:01
*** a0x3e8 has quit IRC14:01
cloudnullok14:01
odyssey4mehttps://review.openstack.org/#/q/topic:rolling-upgrades+status:open14:01
odyssey4mealso need this to fix pike https://review.openstack.org/49907914:02
*** marst has joined #openstack-ansible14:02
dmsimardandymccr, cloudnull, mgariepy, odyssey4me, evrardjp: heads up, the -testing repos for RDO will be fully populated in preparation for imminent release today14:02
cloudnullcoool14:03
*** chhavi has joined #openstack-ansible14:04
evrardjpcool indeed14:04
*** vakuznet has joined #openstack-ansible14:04
*** pcaruana has quit IRC14:06
*** rstarmer has quit IRC14:07
neithhow are the directory /var/www/repo/pools/ubuntu-14.04-x86_64 is populated?14:12
neith*is14:12
openstackgerritJean-Philippe Evrard proposed openstack/openstack-ansible-ops master: redeploy should be done in the proper folder  https://review.openstack.org/49916414:13
*** aludwar has quit IRC14:15
*** woodard has quit IRC14:20
openstackgerritMerged openstack/openstack-ansible stable/newton: Added a common tag to the common tasks  https://review.openstack.org/49899214:22
*** pester has quit IRC14:22
MasterofJOKersneith, the role repo_build should be responsible for that. look into /etc/ansible/roles/repo_build on your deploy host14:23
*** fxpester has joined #openstack-ansible14:24
*** weezS has joined #openstack-ansible14:27
neithMasterofJOKers: thks14:28
openstackgerritMerged openstack/openstack-ansible-os_cinder master: Correct cinder online migrations command  https://review.openstack.org/49907114:32
*** hachi has quit IRC14:33
*** hachi has joined #openstack-ansible14:33
jafehahey everbody. we have deployed pike rc1 with haproxy as external load balancer and set the address to the fqdn (externally resolved). we're now having an issue that the external lb address is not excluded from the lxc containers list. i'm not sure if this should be considered a bug or just a non-intended setup.14:33
jafeha for the moment we're asking ourselfs: how do we get out of this mess? :) (destroy / rebuild the container and blacklist the ip wrongly used ip)14:33
openstackgerritMerged openstack/openstack-ansible-ops master: redeploy should be done in the proper folder  https://review.openstack.org/49916414:34
neiththe weird thing is that when I rebuild the repo containers it fails only on my ubuntu 16.04 host not on ubuntu 14.04 with a No such file or directory: '/var/www/repo/pools/ubuntu-14.04-x86_64/gnocchiclient/gnocchiclient-2.8.2-py2.py3-none-any.whl error. any idea?14:36
*** galstrom_zzz is now known as galstrom14:37
odyssey4melooking for reviews for https://review.openstack.org/499121 please14:38
openstackgerritMerged openstack/openstack-ansible-os_cinder stable/pike: Correct cinder online migrations command  https://review.openstack.org/49907214:39
*** kjw3 has joined #openstack-ansible14:39
openstackgerritMerged openstack/openstack-ansible-os_cinder stable/ocata: Correct cinder online migrations command  https://review.openstack.org/49907314:39
*** drifterza has joined #openstack-ansible14:40
*** hachi has quit IRC14:43
openstackgerritMerged openstack/openstack-ansible-repo_server master: Create venvs directory when repo server container is created  https://review.openstack.org/49908314:50
firebatHey guys quick dumbo question: in the ovs documentation physnet1 represents the physical interface the bridge and OVS port sit on top of?14:52
firebatAdditionally leveraging vlan inside openstack to separate tenant private traffic can those ranges be for openstack only and not exist outside if the ports are trunked?14:54
*** hachi has joined #openstack-ansible14:54
openstackgerritAndy McCrae proposed openstack/openstack-ansible-os_tacker master: Update roles & vars for stable/pike  https://review.openstack.org/49918314:58
*** dxiri has quit IRC14:59
*** woodard has joined #openstack-ansible15:03
*** vnogin has quit IRC15:06
*** vnogin has joined #openstack-ansible15:07
*** thegreenhundred has joined #openstack-ansible15:10
*** chyka has joined #openstack-ansible15:16
*** chyka has quit IRC15:17
lbragstadmhayden: you run fedora 26 still, right?15:17
*** Oku_OS is now known as Oku_OS-away15:18
*** hachi has quit IRC15:19
*** hachi has joined #openstack-ansible15:19
openstackgerritMerged openstack/openstack-ansible-ops master: Bump compute RAM to 8192MB  https://review.openstack.org/49891715:19
*** chyka has joined #openstack-ansible15:19
mgariepyanyone having some issue with galera when performing minor upgrade15:20
*** woodard has quit IRC15:21
cloudnullmgariepy: which release ?15:21
mgariepynewton15:21
cloudnullI've not had issues recently15:21
cloudnullwhat are you seeing ?15:21
*** woodard has joined #openstack-ansible15:21
mgariepyfrom 14.2.4 to .815:21
mgariepyif I do a dist-upgrade on 1 galera node15:22
cloudnullis it failing to install the new packages or just sart post upgrade?15:22
mgariepyit fail to start mysql15:22
cloudnullis it a wsrep issue?15:22
mgariepyneed to install percona-xtrabackup15:22
mgariepyfirst.15:22
mgariepyif I install this pkg then do the dist-upgrade it passes without issue.15:23
mgariepywhen installing the percona-extrabackup pkg it removes :  percona-xtrabackup-2215:25
*** aludwar has joined #openstack-ansible15:26
*** marc_ab has joined #openstack-ansible15:26
*** udesale__ has quit IRC15:26
*** coolkil has quit IRC15:31
*** marc_ab has quit IRC15:31
*** thegreenhundred has quit IRC15:48
*** manjaroi3 has joined #openstack-ansible15:48
mhaydenlbragstad: yessir15:50
*** hachi has quit IRC15:52
*** gouthamr has quit IRC15:53
*** pcaruana has joined #openstack-ansible15:54
lbragstadmhayden: do you run containers locally at all?15:55
lbragstadusing lxc?15:55
mhaydeni usually go with systemd-nspawn15:55
lbragstadaha - got it15:55
*** manjaroi3 has quit IRC15:56
*** thegreenhundred has joined #openstack-ansible15:56
*** thegreenhundred has quit IRC15:58
*** thegreenhundred has joined #openstack-ansible15:58
openstackgerritManuel Buil proposed openstack/openstack-ansible-os_neutron master: L3 Support for ODL deployments  https://review.openstack.org/49745815:58
*** dxiri has joined #openstack-ansible15:59
*** esberglu has quit IRC16:04
*** esberglu has joined #openstack-ansible16:05
*** esberglu has quit IRC16:06
*** marc_ab has joined #openstack-ansible16:11
*** japestinho has quit IRC16:11
*** dxiri has quit IRC16:15
*** m3rl1n has quit IRC16:16
*** esberglu has joined #openstack-ansible16:18
*** gouthamr has joined #openstack-ansible16:19
taskerok -- once I did the OSA newton upgrade I am having a heck of a time fixing these SSL problems. changing the "public" endpoints to SSL just seems to make it worse. horizon can't connect to neutron endpoint. neutron CLI works if I give it "--insecure". the openstack CLI seems to work just fine.16:24
taskersearching out SSL on the bug launchpad doesn't show much help. it seemed that setting the public endpoints to https as recommended by the Newton release notes didn't help.16:24
taskerhas anyone else in here wrestled with this?16:24
taskerif I use the "admin" or "internal" endpoints in curl calls, it's OK.16:27
taskerof course, this is all probably going to be a fault of my configuration because I have two different IPs: one for public and one for andmin and internal.16:27
taskerif I use "--insecure / -k" on a curl poke to the public endpoint it works. otherwise it doesn't.16:29
*** germs has joined #openstack-ansible16:29
taskerahh . well, this is helping (but not optimal): OS_INTERFACE="admin"16:31
taskerso it looks like things are pointing to the "public" url and SSL.16:31
openstackgerritMerged openstack/openstack-ansible-repo_build master: Removes creation of venvs directory during repo build  https://review.openstack.org/49908416:31
*** markvoelker has joined #openstack-ansible16:32
openstackgerritAndy McCrae proposed openstack/openstack-ansible master: [DOC] Check Galera/Rabbitmq versions during cycle  https://review.openstack.org/49922616:34
*** weezS has quit IRC16:37
taskeran https poke direct to the internal IP of the service (not the haproxy endpoint) does not work: "SSL23_GET_SERVER_HELLO:unknown protocol". using http works just fine.16:40
*** zcourts_ has joined #openstack-ansible16:40
odyssey4metasker are you using a real cert, or a self-signed cert, or a cert from some sort of internal CA?16:42
taskerself-signed. i was under the impression that was an OSA thing.16:42
odyssey4meoh no - the self-signed is for demo purposes16:42
tasker. (16:43
odyssey4meyou should ideally use a real cert of some sort16:43
*** vikrant has joined #openstack-ansible16:43
odyssey4meyou can use self-signed if you really want to, but then your client needs to be able to verify it16:43
odyssey4meif it can't, then the client has to use --insecure16:43
taskerwhich echos what I'm seeing.16:44
mhaydencloudnull: would you have a moment to gander at https://review.openstack.org/498468 today? :)16:44
taskerthanks for the clarification, odyssey4me.16:44
odyssey4metasker to allow horizon to work with a self-signed cert, this var needs to be set to disable ssl verification: https://github.com/openstack/openstack-ansible-os_horizon/blob/master/templates/horizon_local_settings.py.j2#L21016:44
odyssey4me*but* horizon should be set to use the *internal* keystone interface by default, which by default is non-SSL16:45
odyssey4metake a peek at the value of this in the horizon container: https://github.com/openstack/openstack-ansible-os_horizon/blob/master/templates/horizon_local_settings.py.j2#L16916:45
odyssey4meis that pointing at the internal or public endpoint?16:45
taskerthat is the internal / admin endpoint in my cluster.16:46
odyssey4meok, but it's getting redirected to the public one?16:47
taskerand OPENSTACK_SSL_NO_VERIFY = False.16:47
*** vnogin has quit IRC16:47
taskerkeystone works. it's the various other endpoints: neutron, nova, etc.16:47
taskerI can log into horizon just fine and see quite a bit of info.16:48
odyssey4mewhat's the value of https://github.com/openstack/openstack-ansible-os_horizon/blob/master/templates/horizon_local_settings.py.j2#L376 ?16:48
tasker"internalURL"16:48
*** jwitko has quit IRC16:48
odyssey4meok, so horizon is then set to use the internal endpoint when it can16:48
odyssey4methe way the clients work is that they will speak to keystone, get the service catalog, then use the public endpoint by default - unless you've told it to use something else16:49
odyssey4meand only an admin can use endpoints that aren't public16:49
odyssey4meso when you set 'OS_INTERFACE' in your env vars, you're telling it to use another interface16:50
*** vikrant has quit IRC16:50
odyssey4meso basically you've got to decide whether you're going to replace the self-signed certs with real ones, whether you're going to keep the self-signed cert and alias your commands (as we do in the utility container), or whether you disable ssl for public endpoints16:51
*** zcourts has joined #openstack-ansible16:54
*** vikrant has joined #openstack-ansible16:54
*** gkadam_ has joined #openstack-ansible16:57
*** zcourts_ has quit IRC16:57
*** markvoelker has quit IRC17:07
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-repo_build stable/pike: Reduce package list for CentOS  https://review.openstack.org/49674117:09
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-os_nova master: Update upgrade role for Pike  https://review.openstack.org/49667917:09
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-os_neutron master: Update upgrade role for Pike  https://review.openstack.org/49668017:09
*** mbuil has quit IRC17:10
*** strigazi has joined #openstack-ansible17:11
admin0hi all17:12
admin0we have pike stable ?17:14
*** strigazi has quit IRC17:14
admin0this soon :)17:14
admin0awesome17:14
odyssey4meadmin0 not released yet, RC for now17:15
odyssey4menote https://docs.openstack.org/openstack-ansible/latest/#pike-release-candidate17:15
admin0how does it handle multi cells ? can i give 3 controllers for 1 cell and only 1 controller for another ?17:15
odyssey4meno idea how cells work17:15
odyssey4menot even sure whether it's ready from a nova standpoint just yet17:16
admin0its marketed as its ready with nova cells v217:16
odyssey4mecells v2 has been there since ocata17:17
odyssey4mebut  don't know how feature complete it is17:17
odyssey4meas with most things, I expect it depends on your use case17:17
odyssey4mewe, for now, enroll all computes into the first cell17:17
odyssey4meI don't think we've done anything to handle more cells at this point. Someone would have to figure out how it's supposed to work and build in the capability to extend to more cells.17:18
*** vnogin has joined #openstack-ansible17:18
admin0my use case is this.. i have 2 tenants using 1 cloud env inside office ..  one is very stable .. has production stuff runining .. other tenant has demo/training running .. so they create like 50-100 machines every 5 mins .. do some demo, destroy it and repeat the cycle continously ..  so with multi cells, i was hoping to isolate the db/rabbit chatter to a different cell dedicted to this tenant17:19
*** zcourts_ has joined #openstack-ansible17:19
*** zcourts has quit IRC17:22
*** vnogin has quit IRC17:22
*** dxiri has joined #openstack-ansible17:33
bhujayodyssey4me :  As per  openstack security guide both internal and external endpoints should be ssl enabled .  I am using self signed certs .   Will it not be possible through OSA  configs ?17:36
openstackgerritMerged openstack/openstack-ansible stable/pike: Correct cinder online migrations command  https://review.openstack.org/49906817:36
SamYaplebhujay: let me just inject here... internal endpoints being ssl'd may be a good idea, but you still have services like memcached that has *no* auth/security/etc and can be accessed and modified by anyone17:37
odyssey4mebhujay self-signed certs give you no security whatsoever, easy to man-in-the-middle, and therefore pointless17:37
openstackgerritMerged openstack/openstack-ansible stable/ocata: Correct cinder online migrations command  https://review.openstack.org/49906917:37
SamYaplethat requires network security to ensure that data isn't red in the clear17:37
odyssey4mebhujay however, external - absolutely, internal - probably with some var tweaks and requiring the shipping of your CA cert all over the place17:38
SamYapleodyssey4me: thats not entirely true, a cert of some kind would be needed to encrypt the data. if the in flight traffic was teh concern, self-signed helps there17:39
odyssey4meSamYaple fair enough17:40
bhujaySelf signed is not  a constraint for me , we can get one CA cert once I establish all SSL communication. But What Sam says is worrysome , We will se that. First if you can help me understand 1) whether all the internal comms will work properly once SSL is enabled  and 2) its possible to enable through OSA17:41
openstackgerritMerged openstack/openstack-ansible stable/pike: Correct zuul-cloner cloning of pinned SHA's  https://review.openstack.org/49907917:41
openstackgerritMerged openstack/openstack-ansible stable/pike: Enable verbose logging when fetching roles via git-clone  https://review.openstack.org/49878817:41
openstackgerritMerged openstack/openstack-ansible stable/newton: Update role SHA's for online migration fixes  https://review.openstack.org/49912117:41
bhujayYeah  Sam that's the point our security team first look into that the data is not  passing cleartext17:42
odyssey4mebhujay you'll have to try it to find out - in our history of working with SSL we have found the support from a client standpoint to be a bit hit and miss17:42
odyssey4mesometimes the service middleware doesn't work with it either17:42
SamYaplebhujay: there is no getting around the memcache in the clear thing. that said, *most* of the data can be encrypted, but not all of it (nova-consoleauth, im looking at you)17:42
odyssey4methese have nothing to do with deployment tooling, and everything to do with the upstream services/libraries17:43
SamYapleyou can technically run without memcached but with huge performance losses (and not HA for some services)17:43
bhujayI will try this in few weeks , building a separate env just for this test so that my current installation works . I had lot of issues in  my initial installation and then I followed osa docs where it suggests disabling SSL for self signed certs . I had hope that I will be able to overcome once I learn a little more about OSA... lets see17:47
bhujayAs an alternate approach ...17:47
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/ocata: Update role SHA's for online migration fixes  https://review.openstack.org/49924417:49
*** DanyC has joined #openstack-ansible17:49
odyssey4mebhujay as with the discussion with tasker above - self-signed certs are not great unless you know what you're in for and happy with that17:50
bhujayIn case internal SSL really fails , I have to segregate the network into multiple segments   with firewalls in between such as haproxy , api , db/mq and compute .  I was wondering if  using the openstack-user_config , containers_network section I should be able to do that , any suggestions ?17:50
bhujaypoint noted about self signed certs17:51
bhujayas of now we define one ip range for br-mgmt  but shd it not be possible to provide multiple range of IP's ?17:52
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/pike: Update role SHA's for online migration fixes  https://review.openstack.org/49924617:52
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible master: Correct zuul-cloner cloning of pinned SHA's  https://review.openstack.org/49924717:53
odyssey4mebhujay you may be interested to take a look at the routed environment example configs: https://docs.openstack.org/project-deploy-guide/openstack-ansible/pike/app-config-pod.html17:57
jrosserwe do it more simply, the haproxy public vip is on a completely different net / interface to the internal one17:58
jrosserso external things can never ever get at the internal vip17:59
jrosserand there is no connection between the external net and the mgmt net, nice and simple17:59
*** gkadam_ has quit IRC18:01
*** electrofelix has quit IRC18:01
bhujayMany thanks odyssey,  looks like a great match with what I was thinking . Need to study this tomorrow . But it is only for pike or shd be applicable for  stable/ocata as well ?18:02
*** poopcat has quit IRC18:03
odyssey4mebhujay not sure personally - haven't looked in great detail... OSA is infinitely flexible for the most part if you have the skills and determination to do it...18:03
odyssey4mejmccrory wrote up that documentation, so he might be able to shed some light on what it'll work with18:04
odyssey4meotherwise, yeah jrosser and others have implemented alternative ways of doing things :)18:04
*** weezS has joined #openstack-ansible18:04
jrosseri was also scratching my head on the SSL stuff :) self signed is of course an excellent way to ensure that only trusted internal things can talk to internal endpoints18:05
jrosserso some kind of self-signed internal / public-signed external setup would be interesting18:05
*** vikrant has quit IRC18:05
*** poopcat has joined #openstack-ansible18:05
bhujayI thought it was lot to do with the   dynamic inventory management.py which actually creates the network address for the containers18:06
jrosserbut understood on tool trouble with self-signed18:06
odyssey4mejrosser yeah, I would think an internal CA would be better18:06
jrossersomething very much like that is done with radius servers in wpa-enterprise wifi18:07
bhujayjrosser : I have done that too , haproxy  is on a separate host and network , however that host itself is a bridge between two network18:07
jrosseryou just cant use a public cert there18:07
odyssey4meif someone implemented a playbook to use a role not maintained by this community (ideally) to setup a CA which can do all the right things then that would be far better18:07
bhujaytherefore  it is best to ensure all internal communicatiosn are also encrypted .  This has been very well described in openstack security guide how the domains overlaps in an cloud environment18:08
odyssey4meI'm out for the night - cheers all!18:09
jrosseri'm not sure i've seen any special treatment of the haproxy host to prevent it ip forwarding between networks18:09
*** markvoelker has joined #openstack-ansible18:10
bhujaythanks for the doc link and suggestions on ssl odyssey , have a great night out :)18:10
*** albertcard1 has joined #openstack-ansible18:11
*** poopcat has quit IRC18:14
*** chhavi has quit IRC18:17
*** dxiri has quit IRC18:26
*** gouthamr has quit IRC18:28
*** jwitko has joined #openstack-ansible18:33
*** stuartgr has quit IRC18:34
firebatMy god guys I'm almost done deploying I just need to get networking to work :)18:36
firebatDoes anyone have a good link on how to debug the networking services?18:39
*** markvoelker has quit IRC18:43
*** gouthamr has joined #openstack-ansible18:44
*** dxiri has joined #openstack-ansible18:48
*** weezS_ has joined #openstack-ansible19:00
*** weezS has quit IRC19:01
*** weezS_ is now known as weezS19:01
admin0firebat:  whats wrong with networking ?19:02
*** admin0 has left #openstack-ansible19:03
*** admin0 has joined #openstack-ansible19:03
firebatadmin0: Trying to figure that out now19:03
*** markvoelker has joined #openstack-ansible19:06
mhaydenandymccr: for what it's worth, i have a patch in there for upgrading to RabbitMQ 3.6.11 -> https://review.openstack.org/#/c/496801/19:21
openstackgerritMerged openstack/openstack-ansible master: [DOC] Check Galera/Rabbitmq versions during cycle  https://review.openstack.org/49922619:29
openstackgerritMajor Hayden proposed openstack/ansible-hardening master: Add release note for F26 support  https://review.openstack.org/49884719:30
*** markvoelker has quit IRC19:37
*** markvoelker has joined #openstack-ansible19:38
openstackgerritMajor Hayden proposed openstack/ansible-hardening master: Add release note for F26 support  https://review.openstack.org/49884719:40
taskerhere's a fun one, if you're following my SSL tribulations: if I set "OPENSTACK_ENDPOINT_TYPE='adminURL'" (originally 'internalURL') in the horizon settings (and restart) it works just fine. the fun piece is that 'internal' and 'admin' are the same IP/port at the same haproxy.19:49
taskerit does nothing for my CLI utilities or the actual problem, but at least my cluster is not "broken".19:52
admin0tasker: whats the issue with SSL ( was not following )19:52
admin0you need to use 2 different IPs and URLs which seperates it properly19:53
admin0i have NFS and CEPH cinder ,, so the is_metal is set to false .. now I want to add a physical linux LVM  to the mix .. is it posible to say this is metal for just this storage host ?19:54
*** markvoelker has quit IRC19:56
*** woodard_ has joined #openstack-ansible20:01
taskeromg. nevermind. turns out that my horizon problems were because my internal neturon endpoint had 'https' instead of 'http'.20:01
*** woodard has quit IRC20:05
*** woodard_ has quit IRC20:06
*** weezS has quit IRC20:13
*** weezS has joined #openstack-ansible20:13
*** vakuznet has quit IRC20:25
*** pcaruana has quit IRC20:40
openstackgerritMajor Hayden proposed openstack/openstack-ansible-galera_server master: Update to MariaDB 10.2  https://review.openstack.org/49930020:41
SamYaplemhayden: i had issues when testing with mariadb 10.2, specfically during migrations. are you seeing anything liek that?20:43
mhaydennot so far20:43
SamYaplei was testing against newton with 10.2, maybe that was it then. ill have to retest with master20:44
openstackgerritMajor Hayden proposed openstack/openstack-ansible-tests master: [TEST] Test with MariaDB 10.2  https://review.openstack.org/49931720:45
*** germs has quit IRC20:47
*** lucasxu has quit IRC20:49
*** gouthamr has quit IRC20:54
*** germs has joined #openstack-ansible20:54
*** tots has joined #openstack-ansible20:57
totshello . how would you remote scp some files from a container to localhost ?20:58
cloudnulladmin0: yes.  you can set things that way21:03
cloudnulltasker: good to go now?21:03
cloudnulltots: are the contianers using a file store or lvm ?21:03
cloudnullSamYaple: mgariepy: was having maria migration issues in newton . maybe related?21:04
totsits a fresh installation cloudnull and i want to copy something from the utility container , so i guess its file store21:04
cloudnullthe filesystem for the container is located under /var/lib/lxc/$CONTAINER_NAME/rootfs/21:05
cloudnullso from the host you can just cp the data elsewhere21:05
cloudnullor you can scp directly from the deploynode.21:05
cloudnullscp root@@CONTAINER_NAME:/things/and/stuff /place/locally/21:06
*** gouthamr has joined #openstack-ansible21:10
*** thorst_afk has quit IRC21:12
*** weezS has quit IRC21:16
*** DanyC_ has joined #openstack-ansible21:18
SamYaplecloudnull: might be. but newton is about to go eol so ill just test against ocata/pike/master and see what happens21:20
taskercloudnull: for the most part, yes. still need to do something about the "public" endpoints, but that can wait until later.21:20
*** DanyC has quit IRC21:22
admin0cloudnull:  is there a sample i can see ?21:22
admin0where we do it on a per-container/host basis21:22
cloudnulladmin0: I think you can set that in the openstack_user_config using host_vars21:24
cloudnullthough you may need to mangle the env.d/cinder file to setup a new is_metal: false group21:25
cloudnullSamYaple: ++21:25
taskerSamYaple: when is newton slated for EOL?21:28
*** woodard has joined #openstack-ansible21:29
cloudnulli think next month21:30
taskerfantastic!21:31
taskerdoes osa newton support enabling nova placement service?21:31
*** tots has quit IRC21:31
cloudnullyes i believe thats done by default ?21:32
taskermy nova-compute log states that there is "No authentication information found for placement API". this is not something I thought prior to doing the upgrade.21:33
cloudnullI am mistaken21:37
cloudnullin newton its not there.21:37
cloudnullin ocata is it21:37
cloudnull**it is21:37
taskerok, thanks!21:37
cloudnulltasker: https://releases.openstack.org/21:37
cloudnullnewton is dead 17.10.1121:37
cloudnullthe branch will likely be around for a while after it goes EOL21:38
cloudnulllike it was with mitaka21:38
cloudnullbut not much will go back21:39
DimGRopenstack-ansible has to be the best software humans ever produced period21:43
*** esberglu has quit IRC21:45
*** askb has joined #openstack-ansible21:47
*** nomatics has joined #openstack-ansible21:47
*** kjw3 has quit IRC21:48
*** vnogin has joined #openstack-ansible21:48
cloudnulllol...21:49
*** vnogin has quit IRC21:53
nomaticsAfter a failed build, lxc_hosts : Prepare cached image setup commands is now failing for me. Packages are trying to be installed from a node via yum proxy and the connection is refused.21:54
nomaticsCan someone provide insight on whats going or a place to start debuging?21:54
cloudnullnomatics: was the repo container up21:55
cloudnulland you've since deletred it ?21:55
cloudnullwe use a local proxy through the repo containers maybe something that needs to be cleaned up ?21:56
*** thegreenhundred has quit IRC21:56
nomaticsThe play is in setup-hosts, which is before buildign the containers21:56
nomaticsBefore this I was running setup-openstack and made a typo in in openstack_user_config. I knew i made a mistake and killed the build, fixed the typo and re-rand all playbooks. Now the error is coming up.21:57
cloudnullnomatics: https://github.com/openstack/openstack-ansible/blob/master/playbooks/common-tasks/package-cache-proxy.yml#L58-L8321:57
cloudnullI think your bumping up against that21:58
cloudnullcheck the /etc/yum.conf file21:58
cloudnulland remove the local proxy line21:58
cloudnullor dnf.conf if you're using that21:58
nomaticsYea, I have it commneted out right now21:59
nomaticsBut I assume that it puts it back?21:59
cloudnullit will once the repo servers are back online21:59
cloudnullthe cache will inherit a couple files from the host then build22:00
cloudnullmaybe its inherited this one but without the commented proxy config ?22:01
cloudnullI would destory the cache and just rerun `openstack-ansible lxc-hosts.yml lxc-container-create.yml`22:01
cloudnullyou should be able to delete the base cache container and remove the base image from machinectl22:02
cloudnullwhich would start 100% fresh22:02
nomaticsI've destroyed all the containers and cleaned up as much as I know22:02
cloudnullthe base lxc cache is under /var/cache/lxc22:02
nomaticslxc-ls shows no running containers and proxy is removed from the host yum.conf22:02
cloudnullthere's likely a pre-constucted tar ball there22:03
nomaticsAh okah. Can I just nuke /var/cache/lxc/*?22:04
cloudnullyup22:04
cloudnullleave the lxc dir in place22:04
cloudnullbut all the files within can go away22:04
openstackgerritMerged openstack/openstack-ansible master: Correct cinder online migrations command  https://review.openstack.org/49904422:04
cloudnullalso, just to nuke it from orbit run `machinectl list-images` and remove any images found there too22:05
cloudnullits the only way to be sure :)22:05
nomaticsThanks22:05
cloudnullhttps://media.giphy.com/media/ISAHN6dnrJHry/giphy.gif22:06
nomaticsLol thanks22:06
nomaticsIs there any docs on cleaning up / full restart?22:11
nomaticsSo far I've been destroying all containers, cleaning up /etc/hosts and yum config, and now I know to purge the lxc cache.22:12
*** dave-mccowan has quit IRC22:12
nomaticsOkay so nuking /var/cache/lxc didn't work ?22:16
nomaticsI also deleted /etc/openstack_deploy and reboot strapped. :/22:17
*** thegreenhundred has joined #openstack-ansible22:18
taskeri think I've just bumped into this: https://bugs.launchpad.net/openstack-ansible/+bug/1630953. however, I'm not fully following. there are no console endpoints registerd within keystone's catalog and all of the various nova config files do indeed have 'https' for "html5proxy_base_url", but i am still not getting a console.22:20
openstackLaunchpad bug 1630953 in openstack-ansible "haproxy SSL, nova console is blank . " [Medium,Fix released] - Assigned to Jesse Pretorius (jesse-pretorius)22:20
*** marst has quit IRC22:20
*** zcourts has joined #openstack-ansible22:20
taskeris an endpoint suppsoed to be registered to keystone? where does the resultant url generated by "nova_spice_html5proxy_base_proto" end up?22:21
*** DanyC_ has quit IRC22:21
taskerI'm under the impression (from the release notes) that the OSA upgrade does not regenerate the catalog.22:21
*** zcourts_ has quit IRC22:23
taskerso, the setting given by nova_spice_html5proxy_base_url is used in /etc/ansible/roles/os_nova/templates/nova.conf.j2 and applied to the nova conf. it's not registerd with keystone.22:32
taskeranyone know what other roles or repos pulled in by OSA would make reference to nova_spice_html5proxy_base_url?22:33
*** rstarmer has joined #openstack-ansible22:35
*** thegreenhundred has quit IRC22:39
cloudnullI think there is, one sec22:40
cloudnullnomatics: ^22:40
*** galstrom is now known as galstrom_zzz22:44
cloudnulltasker: nova_spice_html5proxy_base_url is only used in os_nova to the best of my knowledge22:44
taskerthanks.22:45
cloudnullnomatics: https://docs.openstack.org/openstack-ansible/pike/contributor/quickstart-aio.html#rebuilding-an-aio - thats what i remember22:47
cloudnullmore geared toward the aio22:47
nomaticscloudnull: thanks, I think i found the problem.22:47
cloudnullbut similar non-the-less22:47
nomaticsI had a container named 'LXC_NAME' which I deleted.22:47
nomaticsI thought it was just the output of the lxc-ls command, so I over looked it :/ Strange.22:48
nomaticsAfter deleting that the play continues tho22:49
cloudnullcool. that is initialized container cache22:49
cloudnullso if it gets angry when creating the cache its likely going to be a point of frustration.22:50
DimGRcloudnull tasker speaking of spike  , one time i had it working , another time not . Both deployments were using the exact same configs22:51
taskerdid you ever figure out why it didn't work?22:53
DimGRnever bothered :P22:53
taskerlol.22:53
taskerif I told my CIO that, I'd get the literal ax.22:54
taskerso, i kinda need to bother.  <G>22:54
DimGRi checked just now and  its a no go when in fact was working a month ago when i last checked it but i suspect the reason is that i did an upgrade to stable/ocata and somehow  it decided not to work now22:55
DimGRtasker  tell him to ssh instead :)22:55
taskerhe'd reply with some variation of "it's for our customers".22:55
DimGRi think its network related22:56
DimGRi think22:56
taskerI'm outta here for the day. I'll be back to throw curses at this tomorrow.22:57
taskercloudnull: thanks for your help!22:57
cloudnullget what to work ?22:58
DimGRspike22:58
cloudnullspice?22:58
cloudnullthe console22:58
cloudnull?22:58
cloudnullspice22:59
DimGRspice yes22:59
cloudnulloh ok .22:59
cloudnulltasker: the endpoint should be restered within the service catalog22:59
* cloudnull going to look it up22:59
cloudnullbut its not the full url23:00
DimGRchecking my instances and console is loading , they were loading before the minor upgrade23:00
DimGRis not loading *23:00
cloudnullit hits the nova proxy, then passing the traffic back to the console service23:00
cloudnullit is NOT loading after the upgrade?23:00
DimGRit is not23:01
cloudnullis it running the latest release?23:05
cloudnullcan you login to the nova console contianer and see if the console service is running ?23:05
DimGRok hold on23:06
cloudnullanything interesting in th elogs23:06
DimGR 01:03:31.915 13494 INFO nova.consoleauth.manager [req-83fd2027-523e-4e0e-8b94-d2300aa27936 f1c34db4c8f5488da1b8acc8e57e958c 04a241a0bfc24deebeb5ea53e2581aa6 - - -] Received Token: 2caaf684-6f9a-47d1-9862-0b29b22dfa87, {'instance_uuid': u'5b18c940-50f1-483e-b8fb-e6a22abe6c42', 'access_url': u'http://172.29.248.106:6082/spice_auto.html?token=2caaf684-6f9a-47d1-9862-0b29b22dfa87', 'token': u'2caaf684-6f9a-47d1-9862-0b23:08
DimGR29b22dfa87', 'last_activity_at': 1504134211.914083, 'internal_access_path': None, 'console_type': u'spice-html5', 'host': u'172.29.248.106', 'port': u'5902'}23:08
DimGRit is running openstack/venvs/nova-15.1.8/bin/python /openstack/venvs/nova-15.1.8/bin/nova-consoleauth --log-file=/var/log/nova/nova-consoleauth.log23:09
*** chyka has quit IRC23:10
DimGRcloudnull ^^23:12
DimGRi dont like the internal access path : none23:14
cloudnullcan you curl that URL ?23:16
cloudnullare you using haproxy ?23:17
DimGRit is haproxy23:17
cloudnull`curl http://172.29.248.106:6082/spice_auto.html`23:17
DimGRcurl: (52) Empty reply from server23:18
*** weezS has joined #openstack-ansible23:18
cloudnull`curl -D - http://172.29.248.106:6082`23:18
DimGRsame exact error23:18
cloudnullwhats the response code?23:19
DimGRcurl: (52) Empty reply from server23:19
cloudnulland is haproxy reporting the backend is up ?23:19
*** nomatics has quit IRC23:19
cloudnullalso is memcached up ?23:19
DimGRchecking23:20
DimGRmemcache is up and running23:21
cloudnullthe proxy server and console auth work together and require the use of memcached to store / generate a token, so if any one of those things is down or otherwise unavailable the console will not work.23:21
DimGRhaproxy logs are not showing any errors23:21
cloudnullhatop -s /var/run/haproxy.sock23:22
cloudnull^ its an interactive console for haproxy and your backends23:22
DimGRhttp://paste.openstack.org/show/619955/23:23
DimGRthere you are , some down23:24
DimGRits haproxy.stats :)23:24
cloudnullso is the console auth down ?23:25
DimGRit says so23:26
cloudnullcan you checkout or restart the console containers to verify  ?23:26
cloudnullyyou might need to just restart the console service?23:27
DimGRgive me the full ansible syntax please :)23:27
DimGRwill it cause any running instances to go crazy  ?23:27
cloudnullno.23:28
cloudnullit wont go crazy23:28
cloudnullansible -m shell -a 'systemctl restart nova-consoleauth' nova_console23:28
DimGRok they are restarted23:29
DimGRbut still down when i view them with hatop23:30
openstackgerritKevin Carter (cloudnull) proposed openstack/openstack-ansible master: Fix LXC container start order  https://review.openstack.org/49772123:30
cloudnullstill down ?23:36
cloudnullis the service running ?23:36
cloudnullmaybe something interesting in the log?23:36
DimGRansible -m shell -a 'systemctl status nova-consoleauth' nova_console       and everything is running23:38
*** rstarmer has quit IRC23:38
DimGRchecking logs23:38
DimGRhttp://paste.openstack.org/show/619956/ i see these cloudnull  not sure if they are errors though23:40
DimGRwarnings23:40
cloudnullyea23:40
*** woodard has quit IRC23:41
*** woodard has joined #openstack-ansible23:42
*** markvoelker_ has joined #openstack-ansible23:45
DimGRmemcache service is running too23:45
cloudnulland hap is still saying its down23:46
cloudnull?23:46
DimGRyes23:47
cloudnullif you curl the ip address of the container23:47
cloudnullon 6082 is it up ?23:47
DimGRnova console container ?23:47
cloudnullyes23:47
openstackgerritMerged openstack/openstack-ansible-os_tacker master: Update roles & vars for stable/pike  https://review.openstack.org/49918323:48
*** woodard has quit IRC23:48
*** woodard has joined #openstack-ansible23:48
*** woodard has quit IRC23:48
*** woodard has joined #openstack-ansible23:48
DimGRconnection refused23:49
*** woodard has quit IRC23:49
*** woodard has joined #openstack-ansible23:50
cloudnullwithin the console container run `ss -ntlp`23:52
cloudnullis there anything listening on port 6082 ?23:53
*** woodard has quit IRC23:54
DimGRhttp://paste.openstack.org/show/619957/23:54
DimGRnope23:54
DimGRcould this be a bug ?23:57
openstackgerritKevin Carter (cloudnull) proposed openstack/openstack-ansible master: [WIP] Further hyper-converge our container usage  https://review.openstack.org/49939623:58
cloudnullno, I wouldnt think so23:58
cloudnullcan you restart the containers.23:58
cloudnulland see if it comes back ?23:58
cloudnullI have to run23:58
cloudnullbut will be back online later.23:58
DimGRok i will , i will update you  tomorrow your time23:58
cloudnullok23:58
DimGRits 3 am23:58
DimGRsafe to restart them eh23:59
« Tuesday, 2017-08-29 Index Thursday, 2017-08-31 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!