*** yolanda has quit IRC | 00:12 | |
*** yolanda has joined #openstack-ansible | 00:13 | |
*** yolanda has quit IRC | 02:32 | |
*** yolanda has joined #openstack-ansible | 02:37 | |
*** yolanda has quit IRC | 02:43 | |
*** yolanda has joined #openstack-ansible | 02:44 | |
*** yolanda has quit IRC | 03:17 | |
*** yolanda has joined #openstack-ansible | 03:22 | |
*** udesale has joined #openstack-ansible | 04:04 | |
openstackgerrit | Chandan Kumar (raukadah) proposed openstack/openstack-ansible-os_tempest master: Fixed the package name of keystone tempest tests https://review.opendev.org/675809 | 04:24 |
*** raukadah is now known as chkumar|ruck | 05:10 | |
*** pcaruana has joined #openstack-ansible | 05:29 | |
*** pcaruana has quit IRC | 05:37 | |
*** miloa has joined #openstack-ansible | 05:41 | |
*** pcaruana has joined #openstack-ansible | 05:50 | |
chkumar|ruck | noonedeadpunk: jrosser Good morning | 05:55 |
chkumar|ruck | noonedeadpunk: jrosser https://review.opendev.org/675809 please have a look needed for RHEL-8 tempest | 05:55 |
*** markvoelker has joined #openstack-ansible | 06:31 | |
*** markvoelker has quit IRC | 06:36 | |
jrosser | chkumar|ruck: done | 06:43 |
chkumar|ruck | jrosser: thanks! | 06:57 |
ChosSimbaOne | Good morning. So a few questions regarding OSA network design with CEPH. Just to be sure i get it right from the documentation. The network br-mgmt is the network intended for node openstack communication, and not accessible from the internet right ? br-vxlan is where the instances can assign network/ips, right? br-storage should that be the same as ceph public network if I wish to separate the storage network from the br-mgmt? In terms | 07:04 |
ChosSimbaOne | of public API will that be accessible via the external lb ip? | 07:04 |
*** ivve has joined #openstack-ansible | 07:05 | |
jrosser | chkumar|ruck: | 07:08 |
jrosser | oops | 07:08 |
*** luksky has joined #openstack-ansible | 07:09 | |
jrosser | ChosSimbaOne: if you use the existing integration between OSA and ceph-ansible to deploy ceph then i think that the ceph "public" network might end up on br-mgmt | 07:10 |
jrosser | if you deploy ceph yourself with a separate cluster you can have it however you like | 07:10 |
jrosser | i don't think that things accessible externally via the loadbalancer is an issue either way, with the exception of radosgw if you choose to use that | 07:11 |
jrosser | both br-mgmt and br-storage are networks internal to your cloud | 07:12 |
*** tosky has joined #openstack-ansible | 07:17 | |
*** kopecmartin|off is now known as kopecmartin | 07:18 | |
ChosSimbaOne | jrosser: thank you for the reply. I plan to deploy ceph with the ceph-ansible playbooks, as I have used them before. Okay i will see if i can test that. The OSA+CEPH utilizes the ceph-ansible playbooks right? My concern with external access is not related to ceph, but with the openstack API as i understand the documentation all intercommunication in openstack utilizes the API, and I believe that should be accessible from the internet | 07:20 |
ChosSimbaOne | so it is an alternative to Horizon. Horizon is accessible via the lb_external/internal ip right? is the part of the API that should be public accessible available via the lb_external by default? but br-mgmt must be a routed network with internet access right? that is not the case for br-storage? It could be a non-routed rfc1918 range right? | 07:20 |
jrosser | The external interface on the load balancer is the only thing that needs to be accessible from the internet | 07:21 |
jrosser | All of the internal services in your cloud talk to each other with the api through the internal side of the loadbalancer on br-mgmt | 07:31 |
ChosSimbaOne | jrosser: Cool. Thank you. Then I can get on with my design. Will have to look into provider network. But as i understand: br-mgmt = 1 vlan, br-vxlan= 1 vlan and br-storage can either be a separate vlan or use the same ranges as br-mgmt if separation is not desired. | 07:31 |
jrosser | This should be rfc1918 | 07:31 |
ChosSimbaOne | jrosser: got it, thank you. | 07:32 |
jrosser | And you can make br-mgmt be nat to the Internet for package/git repo access if you wish, or you can keep it totally isolated if your hosts have another interface that you provide with a default route | 07:33 |
jrosser | Everything we have talked about is separate from neutron networks for VM/floating IP which you can deal with as a different thing | 07:34 |
jrosser | ChosSimbaOne: if you are deploying a separate ceph yourself then the way to think about OSA br-storage is that it is all the ceph clients | 07:36 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible master: Imported Translations from Zanata https://review.opendev.org/675725 | 07:37 |
jrosser | So if you want one vlan for your ceph public network, divide the address space and allow OSA to pick addresses from one part for clients, then in your ceph cluster adding addresses yourself to the public interface of the mon/osd and so on | 07:38 |
ChosSimbaOne | jrosser: Okay. so the ceph public network = br-storage. So with the openstack nodes we have dual port 25GbE nics, which i plan to bond as lacp and then trunk the network to the nodes. I know documentation suggests to have two nics and then cross bond, but we did not go for that option. So i am guessing that we will do nat access to the internet from the hosts, I do not see that this should be a security issue. Our network | 07:45 |
ChosSimbaOne | infrastructure is Cisco and we plan to utilize ACI with the ml2 plugin for neutron. | 07:45 |
jrosser | Ooh fun :) | 07:46 |
ChosSimbaOne | Yeah, really looking forward to getting it up and running, but there is just so much to consider :-) Thanks for the clarification on the networking :-) | 07:47 |
jrosser | I have given dedicated interfaces where internet is needed | 07:47 |
jrosser | Which is only in a few places, haproxy and neutron nodes | 07:47 |
*** zbr is now known as zbr|flu | 07:47 | |
jrosser | Sounds like my setup is similar, separate ceph with ceph-ansible and nexus leaf/spine but not done with ACI | 07:48 |
ChosSimbaOne | Okay, and as the ha-proxy is clustered you would not experience service outage if one fails, so I can see why this is a good idea. Cool good to know that you have done what I try to, then i know it is not impossible :-) | 07:51 |
*** rpittau|afk is now known as rpittau | 07:54 | |
zbr|flu | jrosser: hi! can we merge https://review.opendev.org/#/c/675617/ ? thanks | 08:14 |
jrosser | zbr|flu: I already voted on that so it’s going to need another core to look | 08:16 |
chkumar|ruck | zbr|flu: jrosser testing above patch against rhel-8 here https://review.rdoproject.org/r/#/c/21801/ | 08:19 |
zbr|flu | chkumar|ruck: why you are not activating this job directly? so we can see the result on the patch? | 08:21 |
chkumar|ruck | zbr|flu: currently the job is broken as we have other issues, fix in progress, will add there soon | 08:22 |
chkumar|ruck | zbr|flu: https://review.rdoproject.org/r/#/c/21804/ | 08:30 |
zbr|flu | chkumar|ruck: correct indentation and let's merge it. | 08:31 |
chkumar|ruck | zbr|flu: done | 08:32 |
zbr|flu | chkumar|ruck: why build containers needs openstack-ansible-os_tempest? | 08:34 |
zbr|flu | does it also run tempest? | 08:34 |
chkumar|ruck | zbr|flu: sorry fixed now, need more coffee | 08:35 |
zbr|flu | yeah, i will do the same, one cup of coffee and one with paracetamol | 08:36 |
*** CeeMac has joined #openstack-ansible | 08:39 | |
CeeMac | morning | 08:39 |
*** miloa has quit IRC | 08:42 | |
*** irclogbot_1 has quit IRC | 08:42 | |
*** nyloc has quit IRC | 08:42 | |
*** persia has quit IRC | 08:42 | |
*** miloa has joined #openstack-ansible | 08:43 | |
*** openstackgerrit has quit IRC | 08:45 | |
*** irclogbot_1 has joined #openstack-ansible | 08:47 | |
*** nyloc has joined #openstack-ansible | 08:47 | |
*** persia has joined #openstack-ansible | 08:47 | |
*** irclogbot_1 has quit IRC | 08:49 | |
*** irclogbot_1 has joined #openstack-ansible | 08:52 | |
noonedeadpunk | mornings | 09:09 |
noonedeadpunk | returning to tempest things, what do you think about https://review.opendev.org/#/c/675353/ chkumar jrosser ? | 09:10 |
jrosser | noonedeadpunk: did you see I left some comments - nice work there getting it going | 09:14 |
noonedeadpunk | oh, I missed, sorry:( | 09:15 |
*** rgogunskiy has joined #openstack-ansible | 09:16 | |
noonedeadpunk | jrosser: so these conditions are kinda duplicated code, which I'd love to trim inside the tasks | 09:17 |
noonedeadpunk | That was the reason to add new variable... | 09:18 |
noonedeadpunk | I'm ok to rename it to smth more reasonable | 09:18 |
jrosser | Yeah I think I’m suggesting adding two new vars | 09:18 |
jrosser | The reason it’s hard to come up with a more descriptive name is that the single var does one thing to enable the source tasks include | 09:19 |
jrosser | Then something very different with the venv settings | 09:20 |
noonedeadpunk | the problem is, that 2 vars can make more problems regarding this scope thing, since without this default tripleo fails https://review.opendev.org/#/c/675353/4/tasks/tempest_install.yml | 09:20 |
noonedeadpunk | but I think I got your point now... | 09:21 |
jrosser | noonedeadpunk: I’m not particularly fussed - just having the code so someone who comes to it in 6mo can understand | 09:22 |
jrosser | And I really struggled to suggest a better single var name | 09:22 |
noonedeadpunk | What do you think about tempest_plugin_install_source which will just replace tempest_mixed_setup? I'd say it describes purpose a bit better... | 09:36 |
noonedeadpunk | Your suggestion is working one, but I really don't love repeating things when this can be omitted | 09:37 |
jrosser | It could do yes - if that is obvious enough inside source_install.yml when it adjusts the venv settings | 09:38 |
jrosser | Perhaps make some comments when the venv/pip install uses that var and it is good middle ground? | 09:38 |
noonedeadpunk | So probably comments while defining can fix that? | 09:38 |
noonedeadpunk | Oh, yeah) | 09:38 |
jrosser | Haha poor 4g here you beat me to it | 09:39 |
*** ArchiFleKs has quit IRC | 09:44 | |
*** strattao has joined #openstack-ansible | 10:08 | |
*** markvoelker has joined #openstack-ansible | 10:09 | |
*** markvoelker has quit IRC | 10:14 | |
*** ksdean has joined #openstack-ansible | 10:28 | |
*** ksdean has quit IRC | 10:28 | |
*** ksdean has joined #openstack-ansible | 10:29 | |
*** openstackgerrit has joined #openstack-ansible | 10:35 | |
openstackgerrit | Sorin Sbarnea proposed openstack/openstack-ansible-tests master: WIP: Make tox work on openstack-ansible-tests https://review.opendev.org/675856 | 10:35 |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible master: Add image for manila test https://review.opendev.org/674653 | 10:38 |
*** pcaruana has quit IRC | 10:43 | |
*** pcaruana has joined #openstack-ansible | 10:43 | |
noonedeadpunk | odyssey4me: if you're somewhere near, can you kindly check this PR https://github.com/ansible/ansible/pull/59876 ? | 10:45 |
odyssey4me | noonedeadpunk, done! | 10:47 |
noonedeadpunk | Thanks! | 10:49 |
*** kplant has joined #openstack-ansible | 11:15 | |
*** udesale has quit IRC | 11:18 | |
*** electrofelix has joined #openstack-ansible | 11:23 | |
*** ansmith has quit IRC | 11:30 | |
*** ansmith has joined #openstack-ansible | 12:14 | |
openstackgerrit | Jean-Philippe Evrard proposed openstack/openstack-ansible master: Bump SHAs for master https://review.opendev.org/675781 | 12:21 |
evrardjp | I am on holidays this week, so I won't be able to be very active here (not that I really was active recently, but that's not gonna be better this week) | 12:22 |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible-os_horizon stable/stein: Add encoding to local_settings.py https://review.opendev.org/675885 | 12:23 |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible-os_horizon stable/rocky: Add encoding to local_settings.py https://review.opendev.org/675886 | 12:23 |
openstackgerrit | Jean-Philippe Evrard proposed openstack/openstack-ansible master: Mark Stein as Released https://review.opendev.org/674096 | 12:24 |
ioni | when is the next SHA bump for stein? | 12:26 |
mnaser | morning everyone | 12:26 |
mnaser | ioni: i think it was done over the weekend | 12:27 |
noonedeadpunk | ioni: https://review.opendev.org/#/c/675785/ | 12:27 |
ioni | cool | 12:27 |
ioni | https://opendev.org/openstack/openstack-ansible/commits/branch/stable/stein | 12:27 |
ioni | i was looking at commits :) | 12:27 |
mnaser | that hasn't merged yet though so we'll need to figure out why ceph is being flakey | 12:28 |
mnaser | so not out yet :) | 12:28 |
noonedeadpunk | But I guess that previous one still hasn't resulted in new tag... | 12:28 |
*** markvoelker has joined #openstack-ansible | 12:28 | |
ioni | only 2 bumps? | 12:28 |
evrardjp | https://review.opendev.org/#/c/675785/1 cinder's api is broken | 12:28 |
noonedeadpunk | yeah, it's kinda very old thing | 12:28 |
ioni | gnocchi and html5 console | 12:28 |
ioni | opsy, i don't know how to read | 12:29 |
ioni | openstack services is also modified | 12:29 |
evrardjp | if someone could have a look that would be awesome | 12:29 |
noonedeadpunk | interestingly, that this cinder failure previously didn't affect our gates... | 12:29 |
ioni | noonedeadpunk, i know that it was a modified in cinder. api related to active-active | 12:30 |
ioni | instead of rbd:something | 12:30 |
ioni | i asked mnaser about what ceph fix had landed to see if i want that | 12:30 |
noonedeadpunk | ioni: we have single cinder-volume in gates so not sure that it's gonna change things, but who knows. | 12:31 |
ioni | noonedeadpunk, https://opendev.org/openstack/openstack-ansible-os_cinder/commit/918b9077c816be5fc056637301265e0be2f245ab | 12:31 |
noonedeadpunk | yeah, I saw that patch | 12:31 |
ioni | mnaser, said that a ceph fix landed but don't know which ceph fix | 12:32 |
ioni | if you happen to know, can you link me uo? | 12:32 |
ioni | up | 12:32 |
noonedeadpunk | evrardjp: I guess I'll be able to look into this... | 12:32 |
noonedeadpunk | there's huge bug regarding that https://bugs.launchpad.net/cinder/+bug/1806156 :))) | 12:33 |
openstack | Launchpad bug 1806156 in Cinder "shared_targets_online_data_migration fails when cinder-volume service not running" [Undecided,Confirmed] | 12:33 |
*** electrofelix has quit IRC | 12:37 | |
mnaser | i feel like that bug has been talked about for so long | 12:40 |
*** electrofelix has joined #openstack-ansible | 12:47 | |
openstackgerrit | Merged openstack/ansible-role-thales-hsm stable/stein: Ensure libnsl is installed https://review.opendev.org/675464 | 12:59 |
openstackgerrit | Merged openstack/ansible-role-thales-hsm stable/stein: Fix typo in client playbook https://review.opendev.org/675465 | 12:59 |
*** jroll has quit IRC | 13:01 | |
*** jroll has joined #openstack-ansible | 13:02 | |
openstackgerrit | Merged openstack/openstack-ansible-os_manila master: smart_sources: Use config files from repo https://review.opendev.org/674649 | 13:08 |
*** luksky has quit IRC | 13:08 | |
openstackgerrit | Merged openstack/openstack-ansible-os_manila master: Add variable files for RedHat and Suse https://review.opendev.org/674851 | 13:12 |
noonedeadpunk | mnaser: you're absolutely right about it. It takes place even in rocky, so... | 13:27 |
*** udesale has joined #openstack-ansible | 13:30 | |
*** chkumar|ruck is now known as raukadah | 13:30 | |
mnaser | noonedeadpunk: seems limited to openstack-ansible users surprisingly though | 13:44 |
noonedeadpunk | yep, agree.... | 13:45 |
openstackgerrit | Merged openstack/openstack-ansible-os_tempest master: Fixed the package name of keystone tempest tests https://review.opendev.org/675809 | 13:48 |
*** KeithMnemonic has joined #openstack-ansible | 13:54 | |
*** rgogunskiy has quit IRC | 13:57 | |
*** BjoernT has joined #openstack-ansible | 13:59 | |
*** BjoernT_ has joined #openstack-ansible | 14:04 | |
*** BjoernT has quit IRC | 14:05 | |
*** luksky has joined #openstack-ansible | 14:06 | |
*** udesale has quit IRC | 14:06 | |
*** udesale has joined #openstack-ansible | 14:08 | |
*** udesale has quit IRC | 14:08 | |
*** udesale has joined #openstack-ansible | 14:08 | |
openstackgerrit | Merged openstack/openstack-ansible-os_tempest master: Fixed bugs identified by newer ansible-lint https://review.opendev.org/675617 | 14:20 |
evrardjp | noonedeadpunk: thanks for having a look. Like mnaser said, there is something that needs to figure out the full details of this -- it's been rotting for a while :) | 14:26 |
evrardjp | on a different note -- would you mind if we do a release with mgariepy a little later today? | 14:26 |
noonedeadpunk | no, I'm not | 14:27 |
noonedeadpunk | evrardjp: but the previous one is still not merged... | 14:27 |
openstackgerrit | Merged openstack/openstack-ansible-os_octavia stable/stein: Convert dynamic includes to static imports https://review.opendev.org/675381 | 14:27 |
noonedeadpunk | So I guess it's probably worth updating it | 14:28 |
evrardjp | noonedeadpunk: I know | 14:28 |
evrardjp | that's why in the past I dropped previous releases when this happens -- but it's not the right approach | 14:29 |
evrardjp | let me talk to you about that :) | 14:29 |
noonedeadpunk | sure thing | 14:31 |
openstackgerrit | Merged openstack/openstack-ansible-os_designate stable/stein: Convert dynamic includes to static imports https://review.opendev.org/675380 | 14:31 |
openstackgerrit | Merged openstack/openstack-ansible stable/rocky: Bump SHAs for stable/rocky https://review.opendev.org/675783 | 14:56 |
openstackgerrit | Merged openstack/openstack-ansible stable/stein: Mark Stein as released https://review.opendev.org/674098 | 14:57 |
openstackgerrit | Merged openstack/openstack-ansible-os_heat stable/stein: Convert dynamic includes to static imports https://review.opendev.org/675377 | 14:57 |
*** allanb has quit IRC | 14:58 | |
*** macz has joined #openstack-ansible | 15:00 | |
*** cjloader has joined #openstack-ansible | 15:13 | |
*** dave-mccowan has joined #openstack-ansible | 15:20 | |
*** luksky has quit IRC | 15:26 | |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible-os_manila master: Drop unnecessary sections https://review.opendev.org/675934 | 15:30 |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible-os_manila master: Add integrated coverage https://review.opendev.org/660333 | 15:30 |
*** miloa has quit IRC | 15:33 | |
*** the_intern has joined #openstack-ansible | 15:35 | |
*** gyee has joined #openstack-ansible | 15:54 | |
*** udesale has quit IRC | 15:56 | |
*** dave-mccowan has quit IRC | 15:56 | |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible master: Add image for manila test https://review.opendev.org/674653 | 15:58 |
*** rpittau is now known as rpittau|afk | 16:15 | |
noonedeadpunk | jrosser: you're deploying ceph with ceph-ansible? Can you kindly point me to the variable, which defines users to be created for ceph? Like cinder, nova, etc? | 16:21 |
logan- | noonedeadpunk: in the openstack configuration for ceph-ansible at the very bottom of this block there is the openstack_keys var which determines which cephx keys are created by ceph-ansible for openstack usage: https://github.com/ceph/ceph-ansible/blob/master/group_vars/all.yml.sample#L596-L697 | 16:29 |
noonedeadpunk | logan-: oh, great, thanks | 16:29 |
noonedeadpunk | logan-: one more thing - I don't see how we define these variables while CI for example - can't find anything regarding that... | 16:33 |
noonedeadpunk | just trying to understand how exactly we're using / integrated with ceph-ansible | 16:34 |
logan- | the only CI specific ceph overrides we drop are https://github.com/openstack/openstack-ansible/blob/master/tests/roles/bootstrap-host/templates/user_variables_ceph.yml.j2 | 16:38 |
noonedeadpunk | yeah saw them, but can't anyhow connect with ceph-ansible ones:( ok, thanks! | 16:39 |
logan- | https://github.com/openstack/openstack-ansible/blob/master/tests/roles/bootstrap-host/templates/user_variables_ceph.yml.j2#L23 | 16:40 |
logan- | that's the main one you are probably wondering about w/r/t keys and pools | 16:40 |
logan- | flipping that switch turns on all of those default values you see for keys/pools in the ceph-ansible vars | 16:40 |
noonedeadpunk | oh, yeah, that makes sense | 16:41 |
evrardjp | mgariepy: are you there? I am back | 16:46 |
*** ut2k3 has joined #openstack-ansible | 16:56 | |
ut2k3 | Hi guys! We accidentally deleted our cinder_volumes_container, how can we recreate it? | 16:57 |
kplant | like.. 'docker rm cinder_volumes_container' ? | 17:02 |
noonedeadpunk | I guess more like lxc-destroy -n cinder_volumes_container :) | 17:02 |
kplant | derp, i thought i was focused on #openstack-kolla | 17:02 |
noonedeadpunk | ut2k3: try running openstack-ansible /opt/openstack-ansible/playbooks/containers-deploy.yml --limit lxc_hosts,cinder_volume | 17:04 |
noonedeadpunk | And afterwards /opt/openstack-ansible/playbooks/os-cinder-install.yml --limit cinder_volume | 17:05 |
ut2k3 | Ok, gonna give it a try. Thanks | 17:06 |
*** weifan has joined #openstack-ansible | 17:12 | |
ut2k3 | noonedeadpunk, thanks it was working :) | 17:13 |
noonedeadpunk | welcome:) | 17:14 |
*** weifan has quit IRC | 17:17 | |
*** weifan has joined #openstack-ansible | 17:20 | |
*** electrofelix has quit IRC | 17:21 | |
noonedeadpunk | mnaser: new errors for manila after removing default driver... https://logs.opendev.org/33/660333/14/check/openstack-ansible-deploy-aio_metal-ubuntu-bionic/d151b44/logs/host/nova-compute.service.journal-17-08-45.log.txt.gz#_Aug_12_17_07_42 | 17:22 |
noonedeadpunk | Strange thing that it's failing to remove interface from instance scheduled for termination.... | 17:23 |
*** BjoernT_ is now known as BjoernT | 17:23 | |
*** ivve has quit IRC | 17:27 | |
mgariepy | evrardjp, i am now ! | 17:30 |
admin0 | hi all.. recreating heat container failed with this: /openstack/venvs/heat-18.1.5/bin/uwsgi: error while loading shared libraries: libpython2.7.so.1.0: cannot open shared obj.. .. is this a known one ? .. if i upgrade to 18.1.9, is apt-get update on the OS also required ? | 17:45 |
admin0 | what would/could cause libpython2.7.so to suddenly disappear | 17:48 |
*** masterpe is now known as mp | 17:53 | |
admin0 | if i am to upgrade to 18.1.9, do i do apt-get update on all servers before i run the playbooks ? | 18:04 |
admin0 | when do we actually apt update on the systems ( controllers + hypervisor base OS ) | 18:04 |
*** luksky has joined #openstack-ansible | 18:12 | |
*** markvoelker has quit IRC | 18:13 | |
*** markvoelker has joined #openstack-ansible | 18:20 | |
*** masterpe has joined #openstack-ansible | 18:21 | |
*** masterpe has left #openstack-ansible | 18:21 | |
*** markvoelker has quit IRC | 18:39 | |
*** markvoelker has joined #openstack-ansible | 18:40 | |
*** weifan has quit IRC | 18:52 | |
*** kopecmartin is now known as kopecmartin|off | 18:55 | |
*** the_intern has quit IRC | 18:57 | |
*** ivve has joined #openstack-ansible | 18:58 | |
*** ut2k3 has quit IRC | 19:12 | |
*** poopcat has quit IRC | 19:27 | |
*** poopcat has joined #openstack-ansible | 19:41 | |
*** kplant has quit IRC | 19:44 | |
*** dave-mccowan has joined #openstack-ansible | 19:54 | |
*** masterpe has joined #openstack-ansible | 19:59 | |
*** weifan has joined #openstack-ansible | 20:14 | |
*** mp has quit IRC | 20:15 | |
*** weifan has quit IRC | 20:19 | |
jrosser | urgh this affects us in stein only because of a missing backport of this patch to ansible 2.7 https://github.com/ansible/ansible/pull/60222 | 20:37 |
jrosser | it's in 2.6 and earlier also 2.8 and we fall foul of the short lifespan of ansible versions | 20:37 |
*** ansmith has quit IRC | 20:44 | |
openstackgerrit | Merged openstack/openstack-ansible master: Mark Stein as Released https://review.opendev.org/674096 | 20:55 |
*** pcaruana has quit IRC | 20:56 | |
admin0 | jrosser, was that answer to me ? | 21:01 |
jrosser | admin0: nope :) | 21:05 |
admin0 | ok :) | 21:05 |
*** spatel has joined #openstack-ansible | 21:05 | |
admin0 | the 2.7 matched :) | 21:05 |
redkrieg | hi all, I was wondering whether running playbooks with the 18.1.9 tag checked out will result in an install patched against [OSSA-2019-003] Nova Server Resource Faults Leak External Exception Details (CVE-2019-14433). If not, what do I need to do to ensure that updated version is installed on my hosts? | 21:05 |
jrosser | admin0: interesting - you missing a libpython2.7? | 21:06 |
jrosser | there was a time i had to do a bunch of patches ensuring that was present | 21:06 |
admin0 | i am trying to go to 18.1.9 to see if it fixes it | 21:08 |
jrosser | redkrieg: you can find the launchpad bug from a link on the CVE https://bugs.launchpad.net/nova/+bug/1837877 | 21:09 |
openstack | Launchpad bug 1837877 in OpenStack Compute (nova) ocata "[OSSA-2019-003] Nova Server Resource Faults Leak External Exception Details (CVE-2019-14433)" [High,In progress] - Assigned to Matt Riedemann (mriedem) | 21:09 |
redkrieg | ahh so it's not in fix released status yet. my apologies | 21:10 |
jrosser | redkrieg: then you can look at the patches which were created for each branch of the nova code, and see if the 18.1.9 tag includes that patch by looking at the SHA it uses https://github.com/openstack/openstack-ansible/blob/master/playbooks/defaults/repo_packages/openstack_services.yml#L203 | 21:11 |
redkrieg | fantastic, thanks as always for the detailed response | 21:12 |
jrosser | it looks like there is a patch merged for rocky https://opendev.org/openstack/nova/commit/e0b91a5b1e89bd0506dc6da86bc61f1708f0215a | 21:13 |
redkrieg | looks like 18.1.9 was cut over a week before that. based on what's disclosed and my use case, I don't think it'll expose anything sensitive on my deployment. I'll hold off until the next openstack-ansible release that includes it instead of manually patching for now. | 21:16 |
*** ansmith has joined #openstack-ansible | 21:17 | |
*** markvoelker has quit IRC | 21:24 | |
jrosser | redkrieg: you can update the SHA yourself if needed in your user variables | 21:25 |
jrosser | there is an example here https://docs.openstack.org/openstack-ansible/latest/user/source-overrides/index.html | 21:26 |
redkrieg | ahh, that's an even better solution. thanks much | 21:26 |
jrosser | so if there was something that you felt was super critical you can move the SHA forward yourself | 21:26 |
redkrieg | I think in my deployment the risk is low, but I'm most certainly keeping a note of this for later. | 21:27 |
jrosser | or for something more complex you can fork the upstream repo and cherry-pick / whatever and point to your own github or internal repo | 21:27 |
*** weifan has joined #openstack-ansible | 21:32 | |
*** spatel has quit IRC | 21:38 | |
*** tosky has quit IRC | 21:55 | |
*** markvoelker has joined #openstack-ansible | 22:03 | |
*** BjoernT has quit IRC | 22:07 | |
*** lbragstad has joined #openstack-ansible | 22:09 | |
*** spatel has joined #openstack-ansible | 22:14 | |
*** lbragstad has quit IRC | 22:17 | |
*** ivve has quit IRC | 22:33 | |
*** markvoelker has quit IRC | 22:35 | |
*** spatel has quit IRC | 22:37 | |
*** weifan has quit IRC | 22:59 | |
*** macz has quit IRC | 22:59 | |
*** macz has joined #openstack-ansible | 23:00 | |
*** markvoelker has joined #openstack-ansible | 23:00 | |
*** markvoelker has quit IRC | 23:05 | |
*** weifan has joined #openstack-ansible | 23:10 | |
*** weifan has quit IRC | 23:14 | |
*** weifan has joined #openstack-ansible | 23:14 | |
*** dave-mccowan has quit IRC | 23:17 | |
*** markvoelker has joined #openstack-ansible | 23:18 | |
*** weifan has quit IRC | 23:19 | |
*** weifan has joined #openstack-ansible | 23:24 | |
*** luksky has quit IRC | 23:31 | |
*** weifan has quit IRC | 23:32 | |
*** weifan has joined #openstack-ansible | 23:33 | |
*** weifan has quit IRC | 23:35 | |
*** dave-mccowan has joined #openstack-ansible | 23:37 | |
*** spatel has joined #openstack-ansible | 23:54 | |
*** spatel has quit IRC | 23:59 |