Monday, 2020-01-06

[00:05] *** tosky has quit IRC
[03:55] *** udesale has joined #openstack-ansible
[05:33] *** evrardjp has quit IRC
[05:33] *** evrardjp has joined #openstack-ansible
[05:34] *** dave-mccowan has quit IRC
[07:44] *** cshen has joined #openstack-ansible
[07:46] *** soren has joined #openstack-ansible
[07:47] <soren> Does anyone happen to know why the letsencrypt integration in the haproxy_server role doesn't use the letsencrypt module from Ansible?
[08:03] *** sep has quit IRC
[08:03] *** sep has joined #openstack-ansible
[08:10] *** bverschueren has joined #openstack-ansible
[08:39] *** rpittau|afk is now known as rpittau
[08:47] *** DanyC has joined #openstack-ansible
[08:54] <jrosser> soren: I think because it needs to set up a cron to continually refresh the very rather than obtain/deploy it in a one-off manner with ansible
[08:54] <jrosser> *refresh the cert
[08:59] *** DanyC has quit IRC
[09:03] *** electrofelix has joined #openstack-ansible
[09:09] *** DanyC has joined #openstack-ansible
[09:20] *** DanyC has quit IRC
[09:24] *** DanyC has joined #openstack-ansible
[09:30] <soren> jrosser: Hm. Yeah, that's a good point.
[09:33] <soren> I'm pretty new to Ansible, so I may be thinking about this all wrong. I'm making some changes to the haproxy_server role. I have two tasks, and in between those two tasks I need to run another task in the Horizon containers. How do I do that? I thought delegate_to was what I needed, but that doesn't let me specify a group, only a host.
[09:36] <soren> I read a suggestion somewhere to add a task with "delegate_to: 127.0.0.1" that simply invokes ansible-playbook. That would certainly work, but it feels wrong.
[09:43] *** jawad_axd has joined #openstack-ansible
[09:45] <jrosser> soren: that sounds like you are orchestrating some changes between haproxy and horizon... the haproxy role shouldn't really know anything about horizon
[09:45] <jrosser> what are you trying to do?
[09:47] <soren> I have multiple infrastructure nodes. I want them to have unique letsencrypt certs. This means I need to run the first phase of the letsencrypt module on the haproxy nodes to generate the ACME challenges, then I need to install these on the Horizon nodes so that they are available for verification by letsencrypt, and then I need to run the second phase of the letsencrypt module to trigger the verification.
[09:47] <soren> Alternatively, I need to set up another webserver just for this purpose, but that feels like overkill.
[09:50] <soren> jrosser: ^
[09:52] <jrosser> soren: well, i don't know - is that the right thing to do?
[09:53] <soren> jrosser: What, set up another web server?
[09:53] <jrosser> i mean having multiple different LE certs
[09:53] <soren> jrosser: In a sense, yes. You could still need SSL certs, even if you're not running Horizon.
[09:53] <soren> Yes, that's the right thing to do. You shouldn't ever share private keys between servers.
[09:53] *** pcaruana has joined #openstack-ansible
[09:54] <jrosser> and setting up another web server makes a single point of failure which all of this haproxy/keepalived stuff is designed to eliminate
[09:54] <soren> People do all the time. I've done it, too, but I'm trying to do this the right way :)
[09:54] <soren> jrosser: Oh, not another server like that.
[09:54] <soren> jrosser: Just another web server process that can serve the files.
[09:55] <jrosser> what about everything that's not horizon? that is just one of many api endpoints served by SSL
[09:55] <soren> And said web server would also need to live on all the infrastructure nodes, because the verification request from letsencrypt could hit any one of them.
[09:56] <soren> jrosser: Yes, but only Horizon makes it easy to just add some flat files to be served.
[09:57] <soren> jrosser: But as I mentioned just before, running Horizon is not a requirement. Without Horizon, you'd still need SSL certs for all the other endpoints. That's a good reason to not rely on Horizon for this.
[09:58] <soren> ...but the alternative is running another webserver process to simply serve these files. It just feels like massive overkill.
[09:58] <jrosser> haproxy is doing the ssl termination
[09:58] <jrosser> not the web server serving horizon
[09:58] <soren> I know.
[09:59] <soren> Not sure where you're going with that :)
[10:00] <jrosser> i guess i just totally don't understand what you are trying to achieve
[10:00] <soren> Ok.
[10:01] <soren> I want to use letsencrypt to generate my ssl certs. I have multiple infrastructure nodes. Only one of them currently has the public VIP managed by keepalived. This means only one of them can successfully complete the letsencrypt verification.
[10:01] <soren> Makes sense so far?
[10:02] <jrosser> and the current approach with certbot is insufficient?
[10:02] <soren> Yes.
[10:02] <soren> For several reasons:
[10:02] <soren> 1. It takes down haproxy to do the verification.
[10:03] <soren> 2. Since only one node has the public VIP managed by keepalived, only one node can successfully complete the verification. The others will fail.
[10:04] <soren> ...because they also tear down haproxy and try to serve up the response to the ACME challenge, but since they don't currently have the VIP, the verification request from letsencrypt will not find the correct challenge response.
[10:04] <jawad_axd> @jrosser: I am planning an OS update in an OSA environment. A thing to clarify: I have a Stein environment on CentOS 7. Python 2.7 is what I have now on all management/compute nodes. In case of an OS update, if Python is upgraded to 3.6, will it break the environment? Should I keep the same Python version till I upgrade to Train?
[10:06] <jrosser> soren: well that seems like a bug in the design
[10:06] <soren> jrosser: *Exactly*
[10:06] <jrosser> but modifying the content in the backend horizon servers feels equally wrong
[10:07] <soren> What do you mean?
[10:07] <soren> What content?
[10:07] <soren> Oh.
[10:07] <soren> Sorry.
[10:07] <soren> Misread "horizon".
[10:07] <soren> Yeah. I know it's not ideal. I just kinda needed this to work yesterday :)
[10:08] <soren> And throwing these files on horizon's webroot seemed a heck of a lot easier than adding another webserver process somewhere.
[10:08] <jrosser> horizon is optional
[10:08] <soren> Yes, I'm aware.
[10:09] <soren> I've pointed out more than once that that's a good reason not to rely on it.
[10:10] <jrosser> jawad_axd: you should be OK on centos7 with python2.7 for train
[10:11] *** pcaruana has quit IRC
[10:11] <jawad_axd> @jrosser Thanks
[10:12] *** pcaruana has joined #openstack-ansible
[10:12] <jrosser> soren: it seems that haproxy can be convinced to serve a static file, or do some lua tricks
[10:12] <jrosser> that might be a better approach
[10:13] <soren> jrosser: You can trick it into serving one file by abusing its http error handler. I guess using Lua, I could do more.
[10:14] <jrosser> https://discourse.haproxy.org/t/how-do-i-serve-a-single-static-file-from-haproxy/32/11
[10:18] <noonedeadpunk> mornings
[10:18] <soren> I'm not convinced that works.
[10:19] *** gokhani has joined #openstack-ansible
[10:20] <soren> a) TTBOMK haproxy chroots, so it wouldn't at runtime be able to read those files.
[10:20] <soren> b) io.* shouldn't (can't?) be invoked at runtime, but only at initialization time.
[10:20] <soren> Anyway. I'll play around some. Thanks for your input.
[10:26] <noonedeadpunk> outerrim: hm, http://paste.openstack.org/show/788058/ - that is weird... What I have in my sandbox is: http://paste.openstack.org/show/788073/
[10:32] *** aedc has joined #openstack-ansible
[10:32] *** cshen has quit IRC
[10:33] <noonedeadpunk> and actually from one stein prod http://paste.openstack.org/show/788074/
[10:34] <noonedeadpunk> so maybe we have a bug somewhere, or maybe there's smth wrong in your env.d?
[10:42] <noonedeadpunk> oops, looks like we don't have an appropriate tempest test for either heat or magnum... https://72ff4c45cca76c771f66-bf1557974eaea0470e1cf519ed1ae972.ssl.cf1.rackcdn.com/701038/1/check/openstack-ansible-deploy-aio_metal-ubuntu-bionic/e33047d/logs/openstack/aio1-utility/stestr_results.html
[11:12] *** outerrim23 has joined #openstack-ansible
[11:16] *** udesale has quit IRC
[11:33] *** admin0 has quit IRC
[11:44] *** cshen has joined #openstack-ansible
[11:55] *** outerrim23 has left #openstack-ansible
[12:07] *** gshippey has joined #openstack-ansible
[12:19] *** cshen has quit IRC
[12:40] *** cshen has joined #openstack-ansible
[12:43] *** ansmith has quit IRC
[13:05] *** outerrim has quit IRC
[13:06] *** outerrim has joined #openstack-ansible
[13:08] <outerrim> q
[13:08] *** outerrim has quit IRC
[13:09] *** outerrim has joined #openstack-ansible
[13:15] <outerrim> @noonedeadpunk: Maybe I miss something, but for some services there is (still) a reference to os-infra_*, like https://opendev.org/openstack/openstack-ansible/src/branch/master/inventory/env.d/nova.yml#L44
[13:16] <noonedeadpunk> hm, and nova_api_placement shouldn't be there as well...
[13:17] <noonedeadpunk> I think we should do some clean up then...
[13:21] *** mgariepy has quit IRC
[13:39] *** joshualyle has joined #openstack-ansible
[13:40] *** joshualyle has quit IRC
[13:46] *** ahosam has joined #openstack-ansible
[13:54] *** goldyfruit_ has quit IRC
[14:01] *** tosky has joined #openstack-ansible
[14:03] *** ansmith has joined #openstack-ansible
[14:03] *** admin0 has joined #openstack-ansible
[14:13] *** goldyfruit_ has joined #openstack-ansible
[14:17] *** mgariepy has joined #openstack-ansible
[14:18] *** schwicht has joined #openstack-ansible
[14:20] *** ahosam has quit IRC
[14:27] <openstackgerrit> Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible master: Deploy heat with magnum  https://review.opendev.org/701233
[14:51] *** aedc has quit IRC
[14:51] *** aedc has joined #openstack-ansible
[14:52] *** jftalta has joined #openstack-ansible
[14:58] *** jawad_axd has quit IRC
[14:59] *** jawad_axd has joined #openstack-ansible
[14:59] *** goldyfruit_ has quit IRC
[14:59] *** goldyfruit_ has joined #openstack-ansible
[15:04] *** jawad_axd has quit IRC
[15:08] *** aedc_ has joined #openstack-ansible
[15:12] *** aedc has quit IRC
[15:16] *** goldyfruit_ has quit IRC
[15:47] *** jftalta has quit IRC
[15:48] *** jftalta has joined #openstack-ansible
[15:56] *** electrofelix has quit IRC
[16:04] *** cshen has quit IRC
[16:08] *** jawad_axd has joined #openstack-ansible
[16:09] *** jawad_axd has quit IRC
[16:11] *** arxcruz is now known as arxcruz|off
[16:15] *** gyee has joined #openstack-ansible
[16:46] *** ahosam has joined #openstack-ansible
[16:46] *** tosky has quit IRC
[16:54] *** jftalta has quit IRC
[16:58] *** rpittau is now known as rpittau|afk
[17:12] *** nicolasbock has joined #openstack-ansible
[17:31] *** sshnaidm is now known as sshnaidm|afk
[17:33] *** evrardjp has quit IRC
[17:33] *** evrardjp has joined #openstack-ansible
[17:39] *** ahosam has quit IRC
[18:07] *** pcaruana has quit IRC
[18:10] *** mhayden has quit IRC
[18:11] *** mhayden has joined #openstack-ansible
[18:12] *** outerrim has quit IRC
[18:15] *** nicolasbock has quit IRC
[18:25] *** DanyC_ has joined #openstack-ansible
[18:27] *** DanyC_ has quit IRC
[18:28] *** DanyC has quit IRC
[18:38] *** DanyC has joined #openstack-ansible
[18:38] <openstackgerrit> Merged openstack/openstack-ansible master: Bump SHAs for master  https://review.opendev.org/700747
[18:38] <openstackgerrit> Merged openstack/openstack-ansible stable/stein: Bump SHAs for stable/stein  https://review.opendev.org/700750
[18:43] *** DanyC has quit IRC
[19:16] *** cloudnull has quit IRC
[19:17] *** cloudnull has joined #openstack-ansible
[19:27] *** gshippey has quit IRC
[20:04] *** ianychoi has quit IRC
[20:17] *** dave-mccowan has joined #openstack-ansible
[20:19] *** ianychoi has joined #openstack-ansible
[20:30] *** mhayden has quit IRC
[20:45] *** mhayden has joined #openstack-ansible
[20:55] *** tosky has joined #openstack-ansible
[20:58] *** mhayden has quit IRC
[21:00] *** mhayden has joined #openstack-ansible
[21:05] *** zbr has quit IRC
[21:09] *** zbr has joined #openstack-ansible
[21:14] *** zbr has quit IRC
[21:32] *** zbr has joined #openstack-ansible
[21:37] *** ansmith has quit IRC
[21:38] *** zbr_ has joined #openstack-ansible
[21:39] *** zbr has quit IRC
[22:02] *** zbr_ has quit IRC
[22:03] *** zbr has joined #openstack-ansible
[22:25] *** zbr has quit IRC
[22:42] *** asettle has quit IRC
[23:03] *** ansmith has joined #openstack-ansible
[23:04] *** zbr has joined #openstack-ansible
[23:09] *** zbr has quit IRC
[23:09] *** zbr_ has joined #openstack-ansible
[23:14] *** zbr_ has quit IRC
[23:15] *** schwicht has quit IRC
[23:22] *** zbr has joined #openstack-ansible
[23:23] *** tosky has quit IRC
[23:23] *** mhayden has quit IRC
[23:53] *** schwicht has joined #openstack-ansible
[23:56] *** KeithMnemonic has quit IRC
[23:57] *** KeithMnemonic has joined #openstack-ansible
[23:58] *** KeithMnemonic has quit IRC
[23:58] *** KeithMnemonic has joined #openstack-ansible

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!