Thursday, 2018-12-06

*** ansmith has joined #openstack-ansible00:07
*** rodolof has joined #openstack-ansible00:09
*** gyee has quit IRC00:17
*** weezS has quit IRC00:21
*** cshen has quit IRC00:27
*** spatel has joined #openstack-ansible00:29
*** spatel has quit IRC00:34
*** tosky has quit IRC01:19
*** cshen has joined #openstack-ansible01:21
*** cshen has quit IRC01:25
*** markvoelker has quit IRC01:33
jamesdentonredkrieg still around?01:48
*** mma has joined #openstack-ansible01:55
*** mma has quit IRC01:59
*** spatel has joined #openstack-ansible02:22
redkriegjamesdenton: hey, just finished having dinner02:34
jamesdentonno worries.02:34
jamesdentonlet me wrap up what i'm doing and i will try and help you out02:35
redkriegthanks, I'll be around02:48
jamesdentonalright, enough of that02:48
redkriegoh, hey02:48
jamesdentonSo, single controller, single compute02:49
jamesdentonthe openvswitch_agent.ini you provided - was that from the compute node? controller?02:50
jamesdentonand, what version of OSA is this? Queens? Rocky?02:50
redkriegthe openvswitch_agent was from the compute node, this is rocky02:52
jamesdentonok. so one issue i saw was that the [ovs] block was missing some needed information. notably, the bridge_mappings config02:53
jamesdentonwhich ought to be built out02:53
redkrieginteresting, that exists on the controller but not compute02:53
jamesdentonwhat does it look like on the controller?02:54
redkriegbridge_mappings = flat:br-provider02:54
jamesdentonok, yep.02:54
redkriegwow, it launched successfully02:55
redkriegthat was it02:55
jamesdentonthe neutron-openvswitch-agent.log you provided: was that from controller or compute?02:55
jamesdentonok, great! now to figure out why it didn't get set :D02:55
redkriegcompute02:56
jamesdentonwhen you configured that - did you restart the agent?02:56
jamesdentonjust curious if the agent was in a restart loop02:56
redkriegI did restart it02:57
redkriegforce of habit02:57
jamesdentonok cool02:57
jamesdentonno problem02:57
redkriegI've been beating my head against this for at least a day, thank you so much.  I still don't actually have connectivity, but I think I can probably troubleshoot that after I figure out why the config isn't getting written correctly02:58
jamesdentonahh ok. i found it02:58
jamesdentonhttps://github.com/openstack/openstack-ansible-os_neutron/blob/stable/rocky/templates/plugins/ml2/openvswitch_agent.ini.j2#L10-L1202:58
jamesdentonso basically, the bridge mapping wasn't added because the compute node is not in the neutron-l3-agent group. meaning that the assumption is you would only need provider networks on a network node, and would use vxlan for computes02:59
jamesdentoni don't really like that.02:59
jamesdentoni think there may be a patch out there to address this02:59
jamesdentonactually, it's a regression of sorts03:01
redkriegahh yeah, I want my guest traffic going straight out of the computes for now03:01
jamesdentonrightly so03:01
jamesdentonhttps://bugs.launchpad.net/openstack-ansible/+bug/180707403:05
openstackLaunchpad bug 1807074 in openstack-ansible "Neutron OVS bridge_mappings not built on computes" [Undecided,New]03:05
jamesdentonThanks for the heads up!03:06
redkriegThank you for the quick diagnosis!  Is it safe to add my comp1 node to neutron-l3-agent?  and would the best way to do that be putting it in a neutron-l3-agent_hosts section in openstack_user_config.yml?03:09
jamesdentonhmm, good question. you may be able to get away with changing the neutron_plugin_type from ml2.ovs to ml2.ovs.dvr03:11
redkriegthe last time I looked at that plugin was a couple years back, I assume it's a little further along?03:11
jamesdentonwe have folks using it in production now, so there's some confidence there. But you don't have to use it - we're just using it to manipulate the inventory here03:13
redkriegno, I liked the promises it had before, I just had too many conflicts getting it working with my salt-based setup.  I'm sure it's matured much since then03:14
jamesdentongotcha. yeah, on the surface it works well. it's complicated at the OVS layer, but it's been baking since Juno so I hope it's improved :D03:15
redkrieghopefully it likes my network config, I'm running playbooks and then heading out for the evening so I won't find out until tomorrow.  thanks again for all the help!03:16
jamesdentongood deal. i'll be around, so if you still have issues feel free to ask03:16
redkriegwill do03:17
*** cshen has joined #openstack-ansible03:21
*** rodolof has quit IRC03:23
*** cshen has quit IRC03:26
*** hwoarang has quit IRC03:47
*** rodolof has joined #openstack-ansible03:49
*** hwoarang has joined #openstack-ansible03:50
*** rodolof has quit IRC04:23
*** cshen has joined #openstack-ansible05:22
*** cshen has quit IRC05:26
*** mma has joined #openstack-ansible05:30
*** ahosam has joined #openstack-ansible05:32
*** spatel has quit IRC05:46
*** aedc has joined #openstack-ansible06:35
*** mma has quit IRC06:41
*** aedc has quit IRC06:48
*** radeks__ has joined #openstack-ansible06:49
*** ahosam has quit IRC07:00
*** markvoelker has joined #openstack-ansible07:00
*** markvoelker has quit IRC07:05
*** radeks_ has joined #openstack-ansible07:22
*** vnogin has joined #openstack-ansible07:24
*** ahosam has joined #openstack-ansible07:24
*** radeks__ has quit IRC07:25
openstackgerritjacky06 proposed openstack/openstack-ansible master: Change openstack-dev to openstack-discuss  https://review.openstack.org/62264607:33
openstackgerritjacky06 proposed openstack/openstack-ansible master: Change openstack-dev to openstack-discuss  https://review.openstack.org/62264607:33
*** aedc has joined #openstack-ansible07:40
*** mma has joined #openstack-ansible07:43
*** radeks_ has quit IRC07:50
*** hamzaachi has joined #openstack-ansible07:55
*** pcaruana has joined #openstack-ansible07:58
*** pcaruana is now known as muttley07:58
*** shardy has joined #openstack-ansible08:02
*** shardy has quit IRC08:05
*** faizy_ has joined #openstack-ansible08:07
*** faizy98 has quit IRC08:09
*** gkadam has joined #openstack-ansible08:16
*** faizy_ has quit IRC08:23
*** cshen has joined #openstack-ansible08:26
*** shardy has joined #openstack-ansible08:28
*** rgogunskiy has joined #openstack-ansible08:30
*** aedc has quit IRC08:32
*** dodo_o has quit IRC08:45
*** aedc has joined #openstack-ansible08:52
*** vnogin has quit IRC08:54
*** ahosam has quit IRC08:54
*** rgogunskiy has quit IRC08:57
*** tosky has joined #openstack-ansible09:00
*** ahosam has joined #openstack-ansible09:01
*** markvoelker has joined #openstack-ansible09:01
*** rgogunskiy has joined #openstack-ansible09:04
*** rgogunskiy has quit IRC09:08
chandan_kumarodyssey4me: Hello09:08
chandan_kumarodyssey4me: https://review.openstack.org/622999 please have a look at this one, I am not sure why centos job timed out09:09
chandan_kumarodyssey4me: http://logs.openstack.org/99/622999/1/check/openstack-ansible-functional-centos-7/52422b7/job-output.txt.gz#_2018-12-06_06_07_20_06440209:12
*** sm806 has quit IRC09:14
*** sm806 has joined #openstack-ansible09:14
*** DanyC has joined #openstack-ansible09:24
*** ahosam has quit IRC09:26
*** ahosam has joined #openstack-ansible09:26
*** DanyC has quit IRC09:29
*** DanyC has joined #openstack-ansible09:30
*** markvoelker has quit IRC09:34
*** sm806 has quit IRC09:43
*** sm806 has joined #openstack-ansible09:43
jrosserchandan_kumar: as far as i can see that job has just run extraordinarily slowly throughout - theres no particular bit seems to have got bogged down09:45
chandan_kumarjrosser: let me do a safely recheck09:46
jrosserperhaps something to note is that we are now running centos 7.6 images there, which wasnt the case yesterday09:47
*** mma has quit IRC09:48
*** vnogin has joined #openstack-ansible09:49
*** mma has joined #openstack-ansible10:00
*** electrofelix has joined #openstack-ansible10:04
*** ahosam has quit IRC10:15
*** markvoelker has joined #openstack-ansible10:31
openstackgerritchen jiao proposed openstack/openstack-ansible-os_swift master: spelling error  https://review.openstack.org/62318110:35
*** sm806 has quit IRC10:59
*** sm806 has joined #openstack-ansible11:00
*** markvoelker has quit IRC11:05
openstackgerritChandan Kumar proposed openstack/openstack-ansible-os_tempest master: use tempestconf profile to manage tempestconf cli args  https://review.openstack.org/62318711:08
admin0\o11:10
admin0hi all .. missing what step in the deployment will put "# No DNS servers known."  in the resolv.conf in the containers ?11:10
openstackgerritChandan Kumar proposed openstack/openstack-ansible-os_tempest master: [WIP] use tempestconf profile to manage tempestconf cli args  https://review.openstack.org/62318711:14
*** hamzaachi has quit IRC11:20
*** aedc has quit IRC11:49
*** aedc has joined #openstack-ansible11:49
*** gkadam_ has joined #openstack-ansible12:00
*** aedc has quit IRC12:03
*** gkadam has quit IRC12:03
*** gkadam_ has quit IRC12:03
odyssey4memorning folks, is centos still causing breakage?12:03
*** gkadam has joined #openstack-ansible12:05
*** hamzaachi has joined #openstack-ansible12:10
*** ansmith has quit IRC12:11
*** ahosam has joined #openstack-ansible12:27
*** jferrieu has joined #openstack-ansible12:36
*** udesale has joined #openstack-ansible12:41
canori01hey guys, if I already have containers running rbd-backed cinder-volume instances, and add a new node with lvm-backed cinder-volume, will the latter be deployed to metal regardless of the is_metal setting for the container_skel?12:52
*** gkadam_ has joined #openstack-ansible12:55
*** cshen has quit IRC12:56
*** vnogin has quit IRC12:57
*** gkadam has quit IRC12:58
guilhermespodyssey4me: I didn't see yet but the last update from mnaser was still in progress figuring out the cause13:03
guilhermespI will take a look within a few minutes13:03
odyssey4meit looked to me like it was still some sort of issue related to the new centos version change and osme sort of mismatch between that and the container13:03
guilhermesp^ I do remember something related mentioned in openstack-infra13:08
guilhermespyesterday13:08
*** muttley has quit IRC13:08
jrossero/ hello odyssey4me13:15
odyssey4meo/ jrosser :)13:15
jrosserthis is worrying https://review.openstack.org/#/c/622999/113:15
*** dave-mccowan has joined #openstack-ansible13:16
odyssey4meugh, timeouts - wtf13:16
jrosseri'm slightly concerned about a performance regression with ansible 2.7.413:16
jrosserbut it could be provider having issues13:16
jrosserneed to try to figure out whats going on there13:16
odyssey4me2.7.4 apparently was mostly packaging related changes... although we jumped from 2.7.2 to 2.7.413:17
jrosser.3 was only out for a couple of days, some silly bug made .4 necessary iirc13:17
odyssey4mecanori01 you should be able to override the is_metal flag on a per host basis - although I personally have no idea how to13:19
odyssey4mecanori01 but the answer is that no, as it stands now it will create it in a container13:19
*** dave-mccowan has quit IRC13:21
*** muttley has joined #openstack-ansible13:21
*** muttley has quit IRC13:25
*** muttley has joined #openstack-ansible13:26
guilhermespodyssey4me: I will test it locally to see what is going on https://review.openstack.org/#/c/622551/ Any notes on this?13:27
odyssey4meguilhermesp I'd suggest for now, for placement, just include rabbit for keystone's sake - I'll look into it again some time later, but I don't see the harm in having it there.13:29
*** muttley has quit IRC13:29
guilhermesphum ok odyssey4me I'm going to rollback my PR, seems that we had greenfield before I removed rabbitmq stuff from the role13:29
odyssey4meyeah, it doesn't make sense to delay that work for this issue13:30
*** vollman has joined #openstack-ansible13:30
guilhermespcool, let me revert and I appreciate any review from you and the team :)13:30
*** CeeMac has joined #openstack-ansible13:32
*** pcaruana has joined #openstack-ansible13:34
openstackgerritGuilherme  Steinmuller Pimentel proposed openstack/openstack-ansible-os_placement master: [WIP] Create base files to install placement  https://review.openstack.org/61882013:34
mgariepyany core want an easy one ? https://review.openstack.org/#/c/622978/13:35
mgariepyi should have tagged it [doc]..13:35
CeeMachello channel, I was wondering if anyone was able to answer a couple of (hopefully) quick questions?13:36
*** ahosam has quit IRC13:37
mgariepyCeeMac, the easiest way to know for sure is to ask them :)\13:37
*** ahosam has joined #openstack-ansible13:37
CeeMacfair play :)13:37
CeeMacso, to set the scene, I've a novice at both openstack and ansible. I've made some good progress deploying AIO, and have started working on a distributed install13:38
*** cshen has joined #openstack-ansible13:39
*** pcaruana has quit IRC13:39
CeeMacI'm a little confused around the haproxy set up and 'external' access networks for neutron, where the host bridge configuration is concerned13:39
CeeMaci'd seen a lot of earlier documentation referencing br-ex, but this seems to be depricated now.13:39
jrosserCeeMac: o/ hello there13:40
CeeMacin the user_variables.yml example file, it references br-flat for the haproxy_keepalived_external_interface13:40
jrosserthe example config for openstack ansible assumes that the external network is a single, "untagged" network on br-vlan13:40
jrosserfor the neutron external network13:40
CeeMachi jrosser13:41
jrosseryou can do whatever you like with the haproxy external IP, it doesnt have to be in the same subnet at all as the neutron networks, you can do whatever suits your requirements there13:41
jrosserthe example configs keep things simple, and combine those ranges13:42
CeeMacthat makes sense, say I wanted to keep them on the same subnet though, would they need separate physical nic configurations?13:42
CeeMacor a un-numbered nic, and a bridge with an ip?13:43
CeeMacneutron prefers unnumbered, but haproxy would need a numbered nic with gateway?13:44
*** pcaruana has joined #openstack-ansible13:44
jrosserperhaps it would be worth taking some time to dig through this https://github.com/openstack/openstack-ansible-ops/tree/master/multi-node-aio13:44
jrosserthats a test multnode deploy that runs each node in a VM13:44
jrosseryou should be able to find in there how each node has set up13:44
jamesdentonmornin'13:45
CeeMaccool, I'll go digging there.  I've run myself around in circles looking through various docs for the different projects etc13:45
*** ansmith has joined #openstack-ansible13:46
CeeMacas an aside, is there a configuration override to inject a static route into keepalived via user_variables.yml? Couldn't see anything in the configuration reference13:46
*** pcaruana has quit IRC13:47
*** ahosam has quit IRC13:47
jrosserCeeMac: see right down the bottom of here https://docs.openstack.org/openstack-ansible/rocky/user/prod/example.html13:47
jrosserthats what you need for defining how/which interface keepalived uses for a multinode deploy13:48
jrosserand so that is where the haproxy external VIP will be13:48
CeeMacyep, saw that, thanks. Maybe I'm over complicating things in my head.  I was working on the principle of the interface (ens2 in the example) not having an IP, therefore I'd need to inject a static route for the gateway as part of the keepalived config13:49
jamesdentonCeeMac How many network interfaces are you working with?13:50
CeeMacmaybe it would be more straightforward to have a separate interface for haproxy than for neutron external access13:50
CeeMaci can have as many as need be.  I'm modelling this in vmware right now, so can have up to 1013:50
CeeMacbut irl there would be 4x10GB and min 4x1GB13:50
admin0CeeMac, all that haproxy will do is bind the ip to the interface as secondary .. so any ethX or bridge will work out fine13:51
CeeMacworking on using bonded pairs13:51
admin0and they even don't have to be in any subnets or known subnets13:51
CeeMac@admin0 i saw the IP was added as a secondary to the interface, was just trying to work out the path of return traffic if there was a gateway already existing on a different interface/bridge13:52
CeeMacwould want return traffic to egress the same interface it ingresses on13:53
CeeMacmaybe i'm over-complicating things :s13:53
admin0for example, i have 4 brides and one say eth10 with 192.168.0.1 .. what i do is  give eth10 as my external interface ..   and it listens to that .. now how traffic comes inside eth10 and how it leaves is beyond the role of osa13:54
CeeMacsure13:54
admin0and also, return path does not necessarily have to be the same as incoming oath13:54
admin0if your (public) can ping  and get  a reply from that external IP,  traffic will work out as well13:55
CeeMactrue, providing any upstream firewalls can deal with that. ofc thats out of scope for osa, I appreciate that.13:55
jamesdentonCeeMac here's an example of an infra node on esx, if it helps: http://paste.openstack.org/show/736759/13:56
admin0for example, if your laptop can ping this external IP which you want to give to external endpoint, and you get the response back, then it will work out fine ..13:56
CeeMacthanks jamesdenton, I'll take a look13:56
jamesdentonens224 (not shown) is used for OVS provider bridge in that environment13:56
admin0CeeMac, in that example, if your clients can ping that 10.50.0.11 when its added to that interface and it works, your api/horizon will work fine as wel13:57
*** vnogin has joined #openstack-ansible13:57
CeeMacthanks guys, i'll take a look at those examples and see if I can decode them and make them work in my environment13:57
admin0jamesdenton, i am doing osa+ovs like this way: https://www.openstackfaq.com/openstack-ansible-with-openvswitch/  ..  do you have a better way or recommendation .. now that i want to use 18.1.0 tag .13:58
CeeMacmainly, I need to be able to put the 'public' network and the external ha proxy interface on an internet routable network, so I'll need a dedicated NIC/bridge for that and keep internal flat/vlan/vxlan traffic on separate nic/bridge13:58
admin0CeeMac, or you can still use private IP , but SNAT/DNAT that as wel13:59
CeeMacyeah, but that makes it awkward for managing the upstream NAT to public IPs14:00
jamesdentonyes, it does.14:00
CeeMacI'll ultimately be building a multi-tenant setup14:00
jamesdentonif you have the IPs, go for it14:00
CeeMacso wanted to make it as transparent to the project users as possible14:00
CeeMacjamesdenton, you're using the "new" network management there?14:01
jamesdentonadmin0 i would just make sure your group_binds are updated to only ovs and no linuxbridge14:01
jamesdentonoh yeah, netplan?14:02
CeeMacthats the badger.14:02
jamesdentonit's not ideal IMO. but it was quick14:02
*** rodolof has joined #openstack-ansible14:02
CeeMachaven't got my head around that yet!14:02
jamesdentonyou need ifupdown config?14:02
CeeMacif you have it, please14:02
jrosserfwiw you can still apt install ifupdown and just reuse config you may have from xenial14:02
jrosser^ i do this14:02
CeeMacjrosser, i just paniced and redeployed with 16.04 instead.  my learning curve is already pretty steep jumping in to this project14:03
jamesdentonCeeMac This is a single interface example. If you're using keepalived you should be able to remove the post-up commands. https://gist.github.com/busterswt/01e706086c6bc6108e66e06fc992d1c014:04
jrosserno worries - although if you are just starting out then i'd recommend trying to get 18.04 going14:04
jamesdentonYeah, if you're doing Rocky won't 18.04 be required?14:04
CeeMacyeah, i'll probably revisit that once I bottom out the osa deployment14:04
jrosserrocky is the transition release14:05
jamesdentonoh ok14:05
CeeMaci'd started on queens14:05
CeeMacbeen doing a looooooot of reading and tinkering over the last couple of months, in between my 'normal' work14:05
jrosserCeeMac: how's your nuke-and-start-again plan? Not being too precious about your install and easy starting again is a huge bonus14:06
mgariepyCeeMac, 18.04 and rocky would be better at this point. if you go 16.04, queens, you will need to upgrade to rocky at some point, and then upgrade the OS.14:06
CeeMachmm, that wouldn't be ideal14:06
CeeMacjrosser, I'm about ready to nuke-and-redeploy anyway14:06
jrosserexcellent :)14:06
jamesdentonCeeMac in that gist, eth0.40 is the management interface of the server. Also using the same interface to apply the 'external' vip. You can use eth0 there if you want, and use an eth1 for the br-vlan bridge. Having a dedicated interface/bond for neutron is recommended.14:06
CeeMaci'd hit a wall with neutron agents being dead14:06
*** rodolof has quit IRC14:07
CeeMacthanks jamesdenton14:07
CeeMaci hadn't picked up on that recommendation, but it makes sense14:08
*** rodolof has joined #openstack-ansible14:08
CeeMacin production, i'd probably run haproxy on dedicated hosts, and neutron on dedicated hosts anyway14:08
jamesdentoni've seen it every way under the sun.14:09
CeeMacto limit the external access, and to make it easier to swap out haproxy for 'physical' LBs at some point14:09
jamesdentonOur haproxy implementation has grown on me14:11
jrosserCeeMac: I do something very similar with a "lots of small hosts" approach, and dedicated bridges/nic/switch and so on for the outside netwroks14:11
CeeMacseems tidier / easier for compliance that way14:11
jrosserbut have stuck with the regular haproxy as it seems to work really nicely14:11
*** spatel has joined #openstack-ansible14:13
*** spatel has quit IRC14:13
*** spatel has joined #openstack-ansible14:13
*** cshen has quit IRC14:17
*** spatel has quit IRC14:17
CeeMacas an aside, is there a way to specify the subnet used in the 'public' network that's deployed by osa?14:21
*** cshen has joined #openstack-ansible14:24
jrosserCeeMac: can you be a little more precise? for haproxy/api stuff or for the neutron external network?14:27
CeeMacsorry, the neutron external network14:27
CeeMacits called public14:27
jrosseri think that in that case the OSA specific part is concerned with setting up the information for neutron about which physical interface that is on14:28
CeeMacits been given 10.1.13.0/24 in my deploymeny, presumably thats configurable somewhere14:29
CeeMacas thats not a subnet i have in use14:29
jamesdentoni've not known OSA to configure the network via Neutron API, except maybe for testing14:30
jrosseryou've probably run the tempest tests then14:30
jrosserhttps://github.com/openstack/openstack-ansible-os_tempest/blob/master/defaults/main.yml#L13714:30
CeeMacoh. i ran the tempest playbook, but didn't run any tests yet14:30
jrosserit will have created the resources required for the tests including an external network with the defaults from that file, unless you override them otherwise14:31
CeeMacgot you14:32
jrosserso thats a good example of the division of the setup - OSA configures neutron telling it about the physical interface mappings, "something else" then has to create the logical networks which is either the tempest role or the admin of the cloud via the api/cli/ansible/......14:32
CeeMacok, that makes a lot of sense14:33
CeeMacit was the osa tempest playbook i ran though, so presumably there is a config override value somewhere?14:33
*** vakuznet has joined #openstack-ansible14:34
jrosserthe external interfaces to all those roles are the defaults/main.yml files14:34
odyssey4meCeeMac that defaults file contains everything possible to override, and all overrides go into user_variables.yml or your user space host/group vars14:35
jrosserso you can look through those for the things you can override, and use your user_......14:35
CeeMacah, right. got you.14:35
jrosser^that :)14:35
vakuznetplease review https://review.openstack.org/#/c/621688/14:35
CeeMacthanks, you've all been really helpful :)14:35
CeeMaci'll go ponder some more and adjust my set up accordingly14:35
admin0CeeMac, i have around 10 different osa platforms now .. every lb is a different story14:36
CeeMaci guess I'd tried to merge the 2 things into a single entity. Now I know they are distinct I can move forwards hopefully14:37
admin0CeeMac, also what osa does from the config is maps  vlan to br-vlan ( name) ..  that is all it does .. after the deployment is done,then you tell neutron .. i have x.x/y ip range .. route it via the vlan interface14:37
admin0i have br-ext  br-dmz br-lan     .. so br-ext = public ip,  br-dmz goes via firewalls   br-lan via ipsec to corporate vpn14:38
CeeMacadmin0, is there any reason i can't take the br-vlan 'flat' configuration and set up a seperate br-flat for that?14:38
admin0CeeMac, there is no hard and fast rule in here .. but even if br-flat is ther ein the config, as long as you don't use it .. having it there in the config does not do anything14:39
CeeMacas long as the openstack_user_config matches with the network config on the host/14:39
admin0i have never removed it, but never used it as well14:39
CeeMacso, fire up the basic set up with osa, then use neutron to set up the external network and bind it to the nic/bridge i want?14:40
admin0yep14:40
jrosserCeeMac: one thing to consider with a flat external network is that you are in a corner there as there can only be one subnet14:41
CeeMacthen work out how to reverse-engineer to make that programatically redeployable XD14:41
admin0CeeMac, why use flat when you can use vlans ?14:41
CeeMacyeah, this is specifically for the 'internet' access14:41
jrosseryou would be better off (imho) making it a vlan type and bringing the external network in tagged from your switch14:41
admin0if you need a router, you can use a virtual one14:41
CeeMacactually14:41
CeeMacyeah14:41
CeeMaci'll be having a seperate switching infrastructure for the public subnets though14:42
jrosserthen when the invitable day comes and someone asks you to bring in a second subnet it is trivial14:42
admin0CeeMac,  this is how I usually setup .. https://www.openstackfaq.com/openstack-private-cloud-architecture/  --  either in 1 box or multple .. i use a vyos as the gateway to pxe/dhcp/terminte the vlan and then route from there14:42
CeeMacbut you're right, if i do it through vlans, i can allocate different external subnets to different projects if i want14:42
jrosserenable the tag on the switch, api calls to neutrhon and bingo14:42
jrosser*neutron14:42
CeeMacso, ideally I need 2 vlan bridges ideally?, e.g. br-vlan_int and br-vlan_ext14:44
admin0no need :) its a VLAN :D14:45
admin0you can from your router/switch route vlan 101 to external and 102 to external14:45
CeeMacbut br-vlan is bound to a bond, which has specific nics14:45
admin0or 103 to vpn14:45
admin0right .if yuo want separate nics14:45
CeeMacthen internal and external vlans will be in separate switching domains14:45
CeeMacyeah14:45
CeeMaci need to maintain separation for compliance14:46
CeeMacmakes life easier14:46
CeeMacright now i would do it with dmz vlan and NAT using upstream DC firewall14:46
CeeMacbut I'm bringing in a new edge platform so i can deliver public ips direct to VMs or physical devices14:47
jrosserCeeMac: my setup is the same14:47
jrossernote that neutron is actually wanting an *interface*14:47
jrossernot a bridge14:47
CeeMacright14:47
CeeMacdoes a bond count?14:47
admin0CeeMac, https://www.openstackfaq.com/openstack-add-direct-attached-dhcp-ip/ -- this is how i have for cpanel vms :)14:47
jrosserwhich is why you see references to eth12 through the example documentation14:47
admin0no need to crate network or routers .. direct public IP to the instance14:48
CeeMacoh, thats the reason? I was wondering14:48
admin0only downsize = if deleted, the ip is lost14:48
jrosserthat is a side effect of having the netowrk/controller nodes collapsed and re-using br-vlan for the external (flat) network14:48
admin0this example provides kind of flat network, but under a vlan14:48
jrosserhowever, if you have dedicated network nodes, you can just use the external bond directly in the neutron config14:48
jrossernetwork_mappings: "physnet_rd:bond1" <- there is mine14:49
jrossernetwork_vlan_ranges: "physnet_rd:1:4000" <- i'm able to specify any vlan to neutron as an external one but the switch config defines those present in the trunk14:50
jamesdentonyeah, ultimately it's up to the agent to figure out how the interface is implemented. linuxbridge might tag bond1 and put it in a brqXXXX bridge. While ovs does expect a bridge name, plus the vm into br-int, and and send traffic out br-ex or br-provider or whatever the physnet_rd mapping goes to14:51
admin0i normally give 1:4090 in my config  .. and deal with networking later :)14:51
jrosserCeeMac: i think that this means if you get stuck just shout :)14:52
admin0:D14:52
admin0we talk a lot :)14:52
CeeMachaha, thanks, I'll probably take you up on that offer at some point :D14:52
CeeMaclooking at OVS is on my list as well14:53
CeeMacbut want to get a working environment up and running with linuxbridge first14:53
jamesdentongood idea.14:54
*** francois has joined #openstack-ansible14:54
CeeMaclooping back to 18.04/rocky conversation.  Is OSA supporting netplan now?  I read some forum posts where people were having problems14:54
jamesdentonI'm not sure OSA cares one way or the other.14:54
jamesdentoni'm not sure happy with it, but i use it14:54
jamesdenton*super14:54
CeeMacok14:54
admin0it needs to see the bridges  .. does not care how/who created them14:55
CeeMaci'll see if I can make sense of it then14:55
CeeMaci'll probably rebuild my current rc environment as queens/16.04 and rc2 with rocky/18.04, then i can work on upgrade testing later14:56
*** aedc has joined #openstack-ansible14:57
CeeMacok, thanks again ppl, I'll go look through all of those examples read back through the conversation and see what changes I need to make14:57
jamesdentongood luck!14:58
CeeMacthanks!14:59
odyssey4meCeeMac we use systemd-networkd for everything we setup, because it works on all our supported platforms15:03
odyssey4meBut for your bridges and stuff on the host, it's up to you.15:04
odyssey4methe things we setup are the connections from host to container, and inside the container15:04
*** mkuf has joined #openstack-ansible15:05
CeeMacthanks odyssey4me15:15
admin0jamesdenton, thanks for writing this:  http://www.jimmdenton.com/osa-sriov/15:15
*** gkadam_ has quit IRC15:19
jamesdentonsure!15:21
*** hamzaachi has quit IRC15:22
*** jhesketh has quit IRC15:34
*** jhesketh has joined #openstack-ansible15:35
*** strattao has joined #openstack-ansible15:41
mnaserokay so my progress15:45
mnaserhttp://logs.openstack.org/94/620994/1/check/openstack-ansible-functional-centos-7/0cb1a96/job-output.txt.gz#_2018-12-06_14_50_05_49701515:45
mnasernow both host and container are 7.515:46
mnaser*7.615:46
jrosseri saw some of those15:46
mnaserwoo i see placement jobs pass tho15:48
mnaserbut no tempest jobs for placements run15:48
*** strattao has quit IRC15:49
*** vnogin has quit IRC15:51
*** vnogin has joined #openstack-ansible15:51
*** weezS has joined #openstack-ansible15:56
openstackgerritweizj proposed openstack/openstack-ansible-os_searchlight master: Revert "use include_tasks instead of include"  https://review.openstack.org/62323215:56
odyssey4memnaser so we're all clear for centos now and just need rechecks? or is there something else still broken?15:58
mnaserodyssey4me: i havent seen enough jobs run to know if some of the failures we're seeing are transient or actaul 7.5 failures15:58
mnasera recheck of an integrated change + repo change might be good exercise15:59
*** blinkiz has quit IRC15:59
openstackgerritMaxime Guyot proposed openstack/openstack-ansible-ceph_client stable/pike: Remove the dependency on SSH for monitors  https://review.openstack.org/62323316:00
openstackgerritMaxime Guyot proposed openstack/openstack-ansible-ceph_client stable/rocky: Remove the dependency on SSH for monitors  https://review.openstack.org/62323416:00
odyssey4memnaser ok, done a few of those - let's see how they go16:01
openstackgerritMaxime Guyot proposed openstack/openstack-ansible-ceph_client stable/queens: Remove the dependency on SSH for monitors  https://review.openstack.org/62323516:01
mnaserodyssey4me: cool i'll keep following up, sorry for the blockages, trying to fix things the fastest as i can to unblock us16:01
openstackgerritMaxime Guyot proposed openstack/openstack-ansible-ceph_client stable/ocata: Remove the dependency on SSH for monitors  https://review.openstack.org/62323616:04
mnaserthe issues resolved so far are: getting the container images to become 7.6, and now the actual os images in upstream to become 7.616:05
Miougelogan-: in Pike I ran into the issue you fixed in 504094 so I figured I would try to backport that into PQR I hope it’s all right16:05
odyssey4memnaser oh yes, that would be an issue16:06
logan-Miouge: thank you!16:06
mnaserso i chased down centos to get 7.6 containers and now the hosts are 7.6 everywhere with infra (there was a build issue going on)16:06
odyssey4meI started working on just using DIB so that we don't rely on upstream images any more - unfortunately I've been side-tracked, but will try to get that done for Stein at least so this isn't an issue in the future.16:06
logan-Miouge: worked for you on Pike? I expect that patch will work just fine on everything Pike and newer16:06
Miougelogan-: Pipeline is in progress so I don’t know if it worked yet :D16:07
*** ThiagoCMC has joined #openstack-ansible16:07
logan-Miouge: ahh gotcha. ceph_client has no real testing, but 'check experimental' will exercise the role using the full integrated OSA build16:08
odyssey4melogan- unfortunately that experimental check won't exercise the ceph check though :p16:08
Miougelogan-: I meant the pipeline to my staging setup16:08
ThiagoCMCHey guys, I'm planning to deploy OpenStack Ansible in multiple regions. But my users wants a single Horizon, is it possible? I'm not planning to share Keystone, since we have LDAP and all Keystones can reach that single LDAP (so, LDAP is the shared part).16:09
logan-Miouge: gotcha16:09
logan-odyssey4me: oh really? I thought it ran a ceph job too :/16:09
logan-dang16:09
odyssey4melogan- well, I think we can make it do so now if we like16:09
odyssey4melemme push up a patch real quick16:09
logan-we should probably just make that test the gate for ceph_client since the current tests are noop16:10
logan-thank you16:10
logan-at least having experimental will help16:10
openstackgerritDmitriy Rabotjagov (noonedeadpunk) proposed openstack/openstack-ansible-os_ceilometer master: Add ability to override meters.yaml and event_defenitions.yaml  https://review.openstack.org/62323916:13
odyssey4melogan- that's exactly what I'm about to do16:16
odyssey4melogan- oh, that experimental one does do the integrated ceph deploy - my mistake16:20
admin0hi logan- , i think you know this:  missing what step in the deployment will put "# No DNS servers known."  in the resolv.conf in the containers ?16:21
openstackgerritMatthew Thode proposed openstack/openstack-ansible-os_keystone master: Force force-tlsv12 only  https://review.openstack.org/62324016:22
ThiagoCMCadmin0, missing you brother!   :-D16:22
admin0hey ThiagoCMC16:22
ThiagoCMCHey!!   ^_^16:22
admin0i was there in CA for 2 weeks .. could not meet you .. you don't reply on skype16:22
admin0now next time :)16:23
ThiagoCMCSure, next time!  lol16:24
ThiagoCMCBesides a single Horizon for multiple regions, I'm also looking to provide "Ceph as a Service", maybe via Manila and I just found this bug here: https://bugs.launchpad.net/openstack-ansible/+bug/178538616:26
openstackLaunchpad bug 1785386 in openstack-ansible "Integration of Swift and Manila with Openstack-ansible having Ceph backend?" [Wishlist,Confirmed]16:26
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible master: Zuul: Simplify the integrated test playbooks  https://review.openstack.org/62325016:36
Miougelogan-: Mmm something went wrong: http://paste.openstack.org/show/736772/ with the “is success” condition16:37
logan-Miouge: you might have to use '| success' in the older ansible version16:37
logan-i'm not sure when the new syntax became valid16:37
logan-2.5 maybe?16:37
logan-admin0: doesn't look like anything OSA related places that text: http://codesearch.openstack.org/?q=No%20DNS%20servers%20known&i=nope&files=&repos=16:38
admin0logan-, :D16:38
odyssey4melogan- admin0 nope, more than likely resolveconf doing it16:38
odyssey4meit can't find DNS servers via DHCP16:38
mnaserodyssey4me: http://logs.openstack.org/04/622304/1/check/openstack-ansible-functional-centos-7/62e4d17/job-output.txt.gz16:39
mnaserjob that just posted results 22 minutes ago16:39
logan-yeah perhaps try restarting the lxc dnsmasq on the host admin016:39
mnaserit's stable/rocky.. but still16:39
admin0hmm.. so aio is not foolproof :)16:39
Miougelogan-: OK, i will check that. Thanks16:40
admin0thanks .. checing16:40
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-ceph_client master: Test using integrated build  https://review.openstack.org/62325316:40
odyssey4memnaser ok, so looking promising16:41
*** joabdearaujo has joined #openstack-ansible16:48
Miougecan I edit a cherry picked patch (is success to | succedd) or does it have to be as is?17:06
odyssey4meMiouge you may edit it17:07
odyssey4meMiouge https://docs.openstack.org/openstack-ansible/latest/contributor/contribute.html#backporting17:07
*** mma has quit IRC17:21
*** mma has joined #openstack-ansible17:21
*** strattao has joined #openstack-ansible17:26
*** mma has quit IRC17:26
*** cshen has quit IRC17:32
*** jferrieu has quit IRC17:36
*** hamzaachi has joined #openstack-ansible17:39
redkrieghey jamesdenton, I tried the dvr plugin we discussed last night but that gave me errors about binding to a dead agent even after reboots and checking services, so I reverted back, disabled the l3 agent that was new, applied playbooks, fixed config, and rebooted.17:39
redkrieghere's my current config if you don't mind giving it a once-over for anything obvious: https://gist.github.com/RedKrieg/d12e3c1d2e0775eaa1f59e89dd99958017:39
redkriegthe errors from when I had the dvr plugin set up are in the comment at the bottom17:40
guilhermesphum timeout http://logs.openstack.org/20/618820/48/check/openstack-ansible-functional-centos-7/63ac1b0/job-output.txt.gz would be related to latest centos issues?17:41
odyssey4meguilhermesp maybe, retry - some are getting through17:43
openstackgerritBen Hundley proposed openstack/openstack-ansible-os_designate master: Expose default_limit_v2 as variable  https://review.openstack.org/62327017:43
*** DanyC has quit IRC17:43
*** hamzaachi has quit IRC17:44
*** hamzaachi has joined #openstack-ansible17:44
*** CeeMac has quit IRC17:48
jrosserodyssey4me: http://grafana.openstack.org/d/4-pSHcImz/openstack-ansible?orgId=1&from=now%2FM&to=now17:54
jrosser^ mnaser17:54
jrosseradded all the distro build time / fail rates17:54
*** gyee has joined #openstack-ansible17:55
mnaserThat’s awesome jrosser17:56
mnaserLet’s see that the numbers add up to be17:56
jrosseri want to add timeout counts too17:57
*** vnogin has quit IRC17:57
*** macza has joined #openstack-ansible17:57
*** mma has joined #openstack-ansible17:59
*** mma has quit IRC18:00
*** udesale has quit IRC18:04
*** spatel has joined #openstack-ansible18:21
*** cshen has joined #openstack-ansible18:25
*** electrofelix has quit IRC18:26
*** dave-mccowan has joined #openstack-ansible18:30
spateldid anyone noticed this bug ?18:55
spatelhttps://bugs.launchpad.net/horizon/+bug/180725118:55
openstackLaunchpad bug 1807251 in OpenStack Dashboard (Horizon) "Horizon Overview summary showing wrong numbers " [Undecided,New]18:55
*** shardy has quit IRC18:59
*** vollman has quit IRC19:04
*** strattao has quit IRC19:04
*** udesale has joined #openstack-ansible19:11
*** aedc has quit IRC19:14
*** strattao has joined #openstack-ansible19:23
openstackgerritMaxime Guyot proposed openstack/openstack-ansible-ceph_client stable/pike: Remove the dependency on SSH for monitors  https://review.openstack.org/62323319:28
openstackgerritMaxime Guyot proposed openstack/openstack-ansible-ceph_client stable/queens: Remove the dependency on SSH for monitors  https://review.openstack.org/62323519:28
*** strattao has quit IRC19:30
*** udesale has quit IRC19:31
*** strattao has joined #openstack-ansible20:01
*** strattao has quit IRC20:09
redkriegI was able to get the dvr plugin to start by adding neutron_l2_population: True in user_variables.yml, instances create with that but I still am not getting dhcp relayed to the container's interface :|20:18
*** cshen has quit IRC20:20
*** cshen has joined #openstack-ansible20:23
*** mma has joined #openstack-ansible20:24
*** hamzaachi has quit IRC20:27
*** hamzaachi_ has joined #openstack-ansible20:28
spatelI have submit this bug https://bugs.launchpad.net/openstack-ansible/+bug/180726820:28
openstackLaunchpad bug 1807268 in openstack-ansible "CentOS rsyslog bug" [Undecided,New]20:28
*** mma has quit IRC20:28
*** udesale has joined #openstack-ansible20:29
*** cshen has quit IRC20:30
*** cshen has joined #openstack-ansible20:31
*** DanyC has joined #openstack-ansible20:31
*** DanyC has quit IRC20:35
jamesdentonhey redkrieg. If i'm looking at your output correctly, you'll want enp4s0f0 in the br-provider bridge and not br-vlan, especially if br-provider is what is listed in that bridge_mappings config in openvswitch_agent.ini20:46
*** udesale has quit IRC20:46
openstackgerritFrank Kloeker proposed openstack/openstack-ansible-haproxy_server master: Add feature Letsencrypt SSL certification  https://review.openstack.org/58677420:59
*** strattao has joined #openstack-ansible21:13
*** strattao has quit IRC21:27
*** CeeMac has joined #openstack-ansible21:33
*** ansmith has quit IRC21:41
openstackgerritFrank Kloeker proposed openstack/openstack-ansible-haproxy_server master: Add feature Letsencrypt SSL certification  https://review.openstack.org/58677421:47
guilhermespat least for placement pr, the centos jobs are not timing out21:53
guilhermesphttp://grafana.openstack.org/d/4-pSHcImz/openstack-ansible?orgId=1&from=now-6h&to=now&refresh=30s&panelId=10&fullscreen21:55
jrosserthe most recent centos jobs in the integrated jobs have timed out in tempest rather than failed22:00
jrosserthat seems to be a bit of progress22:00
jamesdentonare you seeing "waiting for privilege escalation prompt" or something else?22:01
jrosserthe ones that timed out most recently didnt do that22:03
jrosserfor the openstack-ansible repo anyway, i've just rechecked a bunch to get more examples22:04
openstackgerritMerged openstack/openstack-ansible-os_neutron stable/queens: Fix linuxbridge agent extensions  https://review.openstack.org/62005822:05
guilhermespas Im watching zuul results for my, seems that only one centos job is going to timeout, but has finished the tempest execution22:06
guilhermespseems really slow to run the log collection script22:07
*** spatel has quit IRC22:08
jrosseri wonder if it's doing a bunch of work on shared storage that should really be done in /dev/shm22:09
*** aedc has joined #openstack-ansible22:29
*** rodolof has quit IRC22:37
*** vnogin has joined #openstack-ansible22:58
*** cshen has quit IRC22:59
*** vnogin has quit IRC23:02
*** spatel has joined #openstack-ansible23:04
*** hamzaachi__ has joined #openstack-ansible23:08
*** lbragstad has quit IRC23:08
*** hamzaachi_ has quit IRC23:09
*** spatel has quit IRC23:09
*** lbragstad has joined #openstack-ansible23:09
*** aedc has quit IRC23:12
*** DanyC has joined #openstack-ansible23:16
*** ThiagoCMC has quit IRC23:17
*** DanyC has quit IRC23:20
*** ThiagoCMC has joined #openstack-ansible23:27
redkrieghey jamesdenton thanks for the tip.  I tried changing the openvswitch agent to use br-vlan instead but no luck there.  the eth12 veth device that's tied in to br-provider is bridged to enp4s0f0 though, so I think that might be okay.  I get normal connectivity, just not the dhcp stuff that should be coming in from neutron23:27
*** hamzaachi__ has quit IRC23:32
ThiagoCMCHey guys, how to share one single Horizon with multiple OSA deployments (one complete OSA per Region), the "Federation" is basically a big LDAP that is already reachable across Regions, so, same login on each individual Horizon.23:41
*** timburke has joined #openstack-ansible23:46

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!