Wednesday, 2020-11-04

[00:58] openstackgerrit: Merged openstack/openstack-ansible-os_manila master: Define condition for the first play host one time https://review.opendev.org/760715
[01:23] openstackgerrit: Merged openstack/openstack-ansible-os_tempest master: Add ability to define network MTU https://review.opendev.org/760187
[08:08] noonedeadpunk: mornings
[09:13] pto: Why does the haproxy_keepalived_internal_vip_cidr include a netmask? I can't find anything in the keepalived docs why it is defined?
[09:18] noonedeadpunk: iirc it's needed to add VIP to the interface. I think without netmask it will be /32 but I'd rather specify it explicitly
[09:25] pto: iirc?
[09:25] noonedeadpunk: if i recall correctly
[09:25] pto: oh. thx
[09:28] pto: But what is the purpose of specifying a mask on the VIP address?
[09:28] noonedeadpunk: Well it's needed to be added as alias to the interface
[09:29] noonedeadpunk: and maybe you want vip from another network that is already used on the interface (ie ddos protected one)
[09:30] noonedeadpunk: and to make this network routable you will need to provide netmask
[09:33] noonedeadpunk: but agree that generally it's not probably required and you probably can try omitting netmask to get it /32
[09:52] pto: noonedeadpunk: thanks for the clarifications. I suggest we remove it from the examples, or at least document it
[09:53] noonedeadpunk: not sure it makes much sense, since in docs we're following general instructions for keepalived configuration. If you look through all keepalived howtos you will find that all of them have netmask provided
[09:55] noonedeadpunk: well, redhat is not https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/load_balancer_administration/ch-initial-setup-vsa
[09:55] noonedeadpunk: anyway I don't think it matters much, but you can suggest change if you feel it's worth it
[09:56] pto: noonedeadpunk: Agree. It's just rather confusing the first time you deploy openstack - i recall.
[09:57] pto: noonedeadpunk: https://keepalived.readthedocs.io/en/latest/case_study_failover.html and https://keepalived.readthedocs.io/en/latest/configuration_synopsis.html#vrrp-instance-definitions-synopsis specifies @ip
[09:58] pto: Just a curious question, why do you run python3 -m http.server some seconds before certbot?
[09:59] noonedeadpunk: I think jrosser may explain more, but I think the reason here is that in order to start haproxy you need ssl configured, and to configure ssl you need webserver to pass verification.
[10:00] noonedeadpunk: so we spawn temporary web server to issue certificates which will be used to spawn haproxy which will serve for their further renewals
[10:01] noonedeadpunk: ah, well, you're right. just my google showed my old articles at first place, like https://docs.oracle.com/cd/E37670_01/E41138/html/section_uxg_lzh_nr.html
[10:02] noonedeadpunk: but again, I don't think it matters, as it's just what will be passed to `ip address add` command, as without netmask it will be just /32 by default
[10:02] noonedeadpunk: and feel free to push a patch to explain this in docs
[10:05] pto: Make sense... Thanks for clarifying
[10:06] openstackgerrit: Merged openstack/ansible-role-uwsgi master: Allow to globaly override uwsgi params https://review.opendev.org/761198
[11:18] pto: Keepalived_vrrp[154790]: (Line 37) VRRP parsed invalid IP strato-new.claaudia.aau.dk. skipping IP...
[11:18] pto: haproxy_keepalived_external_vip_cidr: "{{external_lb_vip_address}}"
[11:19] pto: external_lb_vip_address: strato-new.claaudia.aau.dk
[11:27] pto: Is the external_lb_vip_address supposed to be an fqdn or an IP? The example suggests an fqdn
[11:32] noonedeadpunk: external_lb_vip_address should be fqdn if needed, but haproxy_keepalived_external_vip_cidr needs to be ip
[11:33] noonedeadpunk: well it's not should but can and preferred to be fqdn if you're going to use SSL
[11:36] pto: noonedeadpunk: https://github.com/openstack/openstack-ansible/blob/b98646c10121b03a93d1b4e644b90f10e286474c/etc/openstack_deploy/user_variables.yml#L176
[11:36] pto: noonedeadpunk: The other examples are fine.
[11:55] noonedeadpunk: well, it can be set that way only if external_lb_vip_address is ip...
[11:55] noonedeadpunk: maybe worth mentioning that
[11:56] pto: I think there is a problem with the letsencryp
[11:57] pto: I think there is a problem with the letsencrypt play: Problem binding to port 80: Could not bind to IPv4 or IPv6.
[11:57] pto: shell: timeout 5 python3 -m http.server 8888 --bind 172.21.212.11 || true && certbot certonly --standalone --agree-tos --non-interactive --text --rsa-key-size 4096 --email perat@its.aau.dk --domains strato-new.claaudia.aau.dk
[11:57] pto: This will make the certbot try to bind on port 80, which is already bound by haproxy
[11:58] pto: Or did i miss some logic?
[12:04] noonedeadpunk: I think it should also have --http-01-port and --http-01-address defined
[12:04] noonedeadpunk: https://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/master/tasks/haproxy_ssl_letsencrypt.yml#L64-L83
[12:04] noonedeadpunk: and haproxy_ssl_letsencrypt_certbot_backend_port is 8888
[12:06] noonedeadpunk: in U it was handled with haproxy_ssl_letsencrypt_setup_extra_params
[12:15] noonedeadpunk: would be awesome to get https://review.opendev.org/#/c/757937/ merged with all cherry-picks
[12:18] pto: noonedeadpunk: Certbot is executed on each infra host in sequence, and the haproxy_ssl_letsencrypt_certbot_bind_address should then be a hostvar of the host running the certbot. I don't see why certbot should be called three times and why you should define a hostvar for each host?
[12:19] pto: noonedeadpunk: Why not just generate the certs on infra[0] and then copy them to the others?
[12:19] noonedeadpunk: it's usually just set `haproxy_ssl_letsencrypt_certbot_bind_address: "{{ ansible_host }}"`
[12:21] noonedeadpunk: not much reason of doing that, except it was implemented that way one day. from other side it ensures that certbot is working and will be able to care about certificate renewal later on
[12:22] noonedeadpunk: anyway we have huge ssl refactoring topic for the upcoming release
[12:22] noonedeadpunk: btw I'm not sure how it's all applicable for non-master...
[12:23] pto: noonedeadpunk: I guess that will fix the problem. Can't try it now, as I have used my le quota for today
[12:23] noonedeadpunk: yeah:( it's really a problem:(
[12:26] pto: noonedeadpunk: But thanks a lot for helping out anyway. I don't think the current stable is working without the haproxy_ssl_letsencrypt_certbot_bind_address: "{{ ansible_host }}" as it will try to bind on the same port as haproxy uses
[12:26] noonedeadpunk: pto: yeah in U it was `haproxy_ssl_letsencrypt_setup_extra_params: "--http-01-address {{ ansible_host }} --http-01-port 8888"`
[12:26] noonedeadpunk: https://docs.openstack.org/openstack-ansible/ussuri/user/security/index.html#letsencrypt-certificates
[12:27] noonedeadpunk: it gets simplified in master (V)
[12:28] pto: noonedeadpunk: Awesome! I think it's very hard to find the correct conf in the docs. There are so many different versions scattered in many different places
[12:29] noonedeadpunk: well yes. but everyone is welcome to contribute here! we really don't have resources to take care about everything
[12:32] pto: noonedeadpunk: I am aware of that. Btw. you are doing a great job :-D
[12:33] pto: noonedeadpunk: Huge improvements since my last install of queens 2+ years ago
[12:56] jrosser: pto: certbot is run multiple times because each haproxy node is responsible for its own certificate
[12:56] jrosser: we had user request for making the certs unique per node and also you have to consider what happens at renewal time
[12:57] noonedeadpunk: jrosser: I think we still could do init on 1 host only and then for renewals they can be on their own?
[12:57] noonedeadpunk: but yeah, I think we have such user story of having unique certs
[12:58] jrosser: perhaps, but I’m not sure you can re-renew more than once from the same config, never tried that. there’s all sorts of keys and stuff get generated
[12:59] jrosser: pto: the python web server is run for a few seconds on the backend port to make sure that the active haproxy sees that the certbot on the renewing (or initialising) haproxy node is “up”
[13:01] jrosser: one haproxy will have the vip and needs to direct the challenge to whichever backend certbot is renewing. this is important because the ssl cert fqdn resolves to the vip, not the specific ip of each haproxy
[13:01] pto: jrosser: thanks for the explanation. It didn't work for me with 3 infra nodes. certbot binded on the same ports as haproxy. I have added haproxy_ssl_letsencrypt_setup_extra_params... which should resolve the binding problem. I can't test today because i have reached the le quota
[13:02] jrosser: you should test this all out with --staging included in the extra params
[13:02] jrosser: then you get huge quota but invalid certs
[13:03] jrosser: when you are happy with how it works remove --staging, delete all the LE files from the haproxy nodes and re-run to get valid ones
[13:04] jrosser: in Ussuri really only basic support got added to haproxy role and lots of overrides were needed
[13:04] jrosser: this is now much much cleaner in master branch
[13:07] pto: It's very nice with the le feature :-)
[13:08] pto: jrosser: Why didn't you merge https://review.opendev.org/#/c/758845/ to master?
[13:09] jrosser: I left a comment on it about needing to check if the libraries are compatible on Debian as well as Ubuntu
[13:10] jrosser: and I’ve not had time to do that....
[13:11] pto: jrosser: No worries. I can confirm it works perfectly.
[13:14] jrosser: pto by the way the quotas for LE production and staging endpoints are independent so if you need to work on it more with the staging endpoint that will still work today
[13:14] pto: jrosser: I have stopped haproxy & keepalived and run certbot on each node. So for now, it works as expected. I have left a note for myself to test renewal later
[13:17] pto: Do you want me to do further testing on federated identity?
[13:19] jrosser: if you have time to just try installing both oidc and saml packages on a debian10 vm and verify they both want libcurl4, that would mean we can merge / adjust the patch
[13:21] pto: I don't have a setup available where I cant test that atm. I have a physical stage and a physical prod env i need to finish soon with SAML2 federated id.
[13:21] pto: The stage setup works for now, with the workaround by commenting out keystone_federation_sp_idp_setup.yml on the first run of keystone-install.yml and then comment it in and run it again.
[13:42] pto: Would it make sense to include https://github.com/openstack/openstack-ansible/blob/b98646c10121b03a93d1b4e644b90f10e286474c/playbooks/os-keystone-install.yml#L135 in the os_keystone role when federated identity is configured?
[13:53] Adri2000: should I use something other than "recheck" when the gate is failing? https://review.opendev.org/#/c/758413/ looks like when doing "recheck" it goes through the check queue again instead of "rechecking" the gate...
[14:05] mgariepy: Adri2000, recheck is the way to do it. did you check what was the failure?
[14:06] mgariepy: https://zuul.opendev.org/t/openstack/build/c9e2923c93bf41449d534797e561880b/log/job-output.txt#9574 failed to update apt cache.
[14:06] mgariepy: :/
[14:06] Adri2000: mgariepy: ok, so basically in order to merge the patch needs to pass the tests two times in a row? (check queue + gate queue)
[14:06] Adri2000: yes it's some failures unrelated to the patch itself :(
[14:07] Adri2000: it's failing 80% of the time or so :( so I've been trying to get it merged since October 19th (when it was approved)...
[14:11] mgariepy: do you know which repo fails to update?
[14:14] mgariepy: fun. not always the same check that fails.
[14:15] mgariepy: Adri2000, i'll try to monitor it and recheck if it fails.
[14:25] mgariepy: Adri2000, https://docs.openstack.org/contributors/common/zuul-status.html#why-do-changes-go-first-in-the-check-queue
[14:35] spatel: jamesdenton: morning!
[14:40] cloudxtiny: Hello all. question regarding CentOS 8. how do I install bridge-utils? I noticed a few of the openstack-ansible tasks seem to use it when configuring container networks
[14:48] spatel: I don't think OSA by default installs bridge-utils with CentOS-8
[14:48] spatel: noonedeadpunk: ^^
[14:49] spatel: we should add that utility because it's very handy.
[14:49] noonedeadpunk: spatel: isn't bridge-utils are just missing as class from centos 8?
[14:50] noonedeadpunk: cloudxtiny: can you point to these tasks? As I think we should be using systemd-networkd everywhere
[14:51] noonedeadpunk: bridge-utils is part of the https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/deprecated_functionality
[14:51] spatel: noonedeadpunk: this is the playbook right to rollout that right? https://opendev.org/openstack/openstack-ansible-lxc_hosts/src/branch/master/vars/redhat-host.yml
[14:54] noonedeadpunk: rollout what? I think there's no official source from which bridge-utils can be installed for centos 8?
[14:58] spatel: bridge-utils RPM is part of rdo-deps and we do have rdo-repo part of OSA so worth installing that tool
[14:58] spatel: noonedeadpunk: ^
[15:01] noonedeadpunk: yeah, it's really in rdo-deps
[15:03] noonedeadpunk: however, I'd install it rather only in case if it's needed for roles. otherwise I'd say everyone can use openstack_host_extra_metal_distro_packages variable to define packages they'd love to see installed on the hosts
[15:04] noonedeadpunk: as we're aiming to install bare minimum of stuff
[15:10] spatel: openstack_host_extra_metal_distro_packages so i can define it in user_variable.yml right ?
[15:10] noonedeadpunk: yep
[15:11] spatel: what if i want to some utility inside my container (like tcpdump/netstat/iostat etc?)
[15:11] noonedeadpunk: also we have openstack_host_extra_distro_packages but it's for all hosts (including lxc)
[15:28] mgariepy: fun how the neutron agent doesn't work well in container ..
[15:31] mgariepy: noonedeadpunk, would you mind if we add back that test?
[15:32] noonedeadpunk: mgariepy: if I knew what test we're talking about:)
[15:32] mgariepy: moving the neutron agent in a lxc container..
[15:33] mgariepy: maybe we could add it to the check queue, and not gate.
[15:34] noonedeadpunk: and in our functional tests aren't agents in lxc?
[15:35] mgariepy: the check queue does build aio ..
[15:35] noonedeadpunk: (not sure)
[15:36] noonedeadpunk: it's.... ovn related?:) just not sure what it is
[15:36] mgariepy: https://github.com/openstack/openstack-ansible/blob/master/playbooks/common-playbooks/neutron.yml#L54-L64
[15:36] mgariepy: not really
[15:36] noonedeadpunk: ah I see
[15:36] mgariepy: this doesn't work on focal.
[15:37] mgariepy: and the ovs deployment in container doesn't either.
[15:38] noonedeadpunk: I can recall some ideas to abandon possibility to deploy neutron agents in lxc at all
[15:38] mgariepy: i like to have the network natting service in a container and not on the hosts directly.
[15:39] mgariepy: i know it's not quite a standard way of doing it but. it was like that a long time ago and i still prefer to do it that way.
[15:40] spatel: Don't you think reason to run neutron-agent on metal was neutron l3 performance?
[15:40] spatel: i may be wrong because i am not running l3-agent in my cloud
[15:43] mgariepy: i don't have dedicated network nodes on all my setup.
[15:43] noonedeadpunk: me neither actually
[15:43] mgariepy: if i had that i would but it's not the case currently.
[15:44] noonedeadpunk: but l3 nat is done inside namespace isn't it?
[15:44] mgariepy: yes.
[15:44] noonedeadpunk: so kind of safe for host itself. but if you feel it's good usecase, we can make some test
[15:45] noonedeadpunk: eventually we can probably all lxc CI do with neutron agent inside lxc as well
[15:46] noonedeadpunk: and metal jobs should prevent things from being broken in default scenario
[15:46] noonedeadpunk: or we can just add another integrated test for os_neutron role
[15:47] noonedeadpunk: the only thing I'm not sure about is how to handle env.d file - can't recall if we just copy it or they can be templates
[15:49] jrosser: there was a migration long ago to move the l3 agents out of containers
[15:51] jrosser: iirc big difficulty when any maintenance restarted infra node lxc you got the l3 agent stopped/started
[15:51] Adri2000: mgariepy: thanks for that link, it's a good explanation
[15:55] openstackgerrit: Rafael Folco proposed openstack/openstack-ansible-os_tempest stable/train: Switch tripleo jobs to content provider https://review.opendev.org/761021
[16:02] cloudxtiny: another point. I want to install cloudkitty as part of my set. I have added the playbook to the openstack-ansible conf.d playbook path, but I noticed when I run setup-host and setup-infra, it doesn't get added. Am i missing something?
[16:06] mgariepy: jrosser, yep, but that's why there is a lxc_container_restart variable ;) haha
[16:25] ThiagoCMC: Hey guys, I'm trying to install OSA Ussuri with qdrouterd but the TASK "qdrouterd : Install Qpid Dispatch Router (qdrouterd) packages" is failing, error: '"No package matching 'python-qpid-proton' is available"', the correct package name is actually "python3-qpid-proton"!
[16:25] ThiagoCMC: Any tips? ^_^
[16:26] ThiagoCMC: I'll try to just change the package name at /etc/ansible/roles/qdrouterd/vars/ubuntu.yml for now...
[16:29] noonedeadpunk: cloudxtiny: nah, we just still didn't put cloudkitty playbook into our integrated repo as not much ppl using it
[16:30] noonedeadpunk: you can use https://opendev.org/openstack/openstack-ansible-os_cloudkitty/src/branch/master/tests/test-install-cloudkitty.yml as sample and create it somewhere
[16:30] noonedeadpunk: we will fix this in the next release
[16:30] cloudxtiny: noonedeadpunk thank mate :-)
[16:31] noonedeadpunk: ThiagoCMC: seems we suck :(
[16:32] dmsimard: noonedeadpunk: I am told the openvswitch collection issue should be fixed "soon"
[16:32] cloudxtiny: noonedeadpunk this might be a dumb question as I am still new to ansible :-). how do I run this cloudkitty playbook?
[16:32] noonedeadpunk: cloudxtiny: well, you create file let's say /root/os-cloudkitty.yml and run it as `openstack-ansible /root/os-cloudkitty.yml`
[16:33] noonedeadpunk: dmsimard: great news, thanks)
[16:33] noonedeadpunk: really waiting for it:)
[16:33] cloudxtiny: noonedeadpunk thanks.
[16:34] openstackgerrit: Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible master: Bump ansible version to 2.10.3 https://review.opendev.org/761443
[16:35] ThiagoCMC: noonedeadpunk, :-P
[16:35] ThiagoCMC: It worked!
[16:35] noonedeadpunk: ThiagoCMC: what release is that?
[16:35] ThiagoCMC: stable/ussuri
[16:36] noonedeadpunk: https://review.opendev.org/#/c/761444/
[16:36] noonedeadpunk: thanks for reporting it
[16:37] ThiagoCMC: My pleasure! =)
[16:37] noonedeadpunk: another vote on https://review.opendev.org/#/c/760188 would be awesome
[16:38] ThiagoCMC: I'm interested on this idea: https://docs.openstack.org/openstack-ansible/ussuri/user/messaging/messaging.html
[16:39] noonedeadpunk: oh, well, I think you will find more things then
[16:39] ThiagoCMC: lol
[16:41] noonedeadpunk: I'm not sure we were paying enough attention to use appropriate variables everywhere, but would be great to get it really tested by someone (not sure who might be using this scenario)
[16:45] ThiagoCMC: I'll give it a try! My intention is to reduce the load out of RabbitMQ, I faced many problems with it in the past, where it consumes a lot of CPU and it's very hard to clean it up.
[16:46] noonedeadpunk: actually if you don't have ceilometer or designate, qdrouterd will just replace rabbit
[16:47] noonedeadpunk: but yeah - let us know about how it goes)
[16:47] ThiagoCMC: Hmm... Interesting! I don't have those two.
[16:47] ThiagoCMC: I'll!
[16:48] noonedeadpunk: notification is used by these 2 services mostly (if I'm not missing smth)
[16:48] noonedeadpunk: so if you don't have them you won't be using notifications queue
[16:49] ThiagoCMC: Got it
[16:50] ThiagoCMC: I can double check this at, for example, nova.conf and others, right?
[16:50] noonedeadpunk: yep
[16:51] noonedeadpunk: we should have conditions in template like this https://opendev.org/openstack/openstack-ansible-os_nova/src/branch/master/templates/nova.conf.j2#L62 everywhere
[16:51] noonedeadpunk: otherwise rabbit really goes wild
[16:52] noonedeadpunk: as it will has dozens of messages without any reader
[16:52] noonedeadpunk: *will have
[16:52] spatel: ThiagoCMC: i had same issue with my rabbitMQ and reducing all timer in neutron and nova help me a lot to reduce MQ cpu load
[16:53] ThiagoCMC: Cool! Thanks spatel!
[16:53] noonedeadpunk: so messaging driver should be noop in case you don't have ceilometer or designate
[16:54] ThiagoCMC: Ok
[16:55] ThiagoCMC: I'll test everything and pastebin the nova.conf/neutron.conf/etc files so you can also double check it
[16:58] spatel: ThiagoCMC: This is what my timers looks reduce load of MQ - http://paste.openstack.org/show/799700/
[17:01] ThiagoCMC: Awesome
[17:07] jrosser: i think noone uses qdrouterd with OSA at all tbh
[17:08] jrosser: it's in the same category as nspawn, it's 'interesting' but never went beyond POC
[17:08] jrosser: and notably there's no CI jobs for it at all really
[17:09] noonedeadpunk: well, nspawn was used actually by several ppl
[17:09] noonedeadpunk: so, who knows...
[17:09] noonedeadpunk: maybe we should add some CI for it one day...
[17:10] noonedeadpunk: as sometimes I feel like I'm done with rabbit
[17:10] spatel: its used by amqp right?
[17:11] jrosser: it would be interesting to prove qdrouterd was really a drop in replacement for rabbit
[17:11] noonedeadpunk: but at the moment have no idea about qdrouterd....
[17:12] jrosser: i asked about this at the london ops meetup and there was much concern about too much reliance on the specific behaviour of rabbitmq
[17:13] noonedeadpunk: I think everything using oslo.messaging?
[17:13] noonedeadpunk: Which is kind of abstraction layer
[17:14] noonedeadpunk: but who knows how do they test qdrouterd support :)
[17:26] ThiagoCMC: I'll test it! :-P
[18:34] djhankb: Hey folks - I am doing some maintenance on my cluster and one of my controllers I have had several of the containers lose their gateways and DNS
[18:35] djhankb: Where would I check to see why the gateway would be missing: from within the container, "ip -4 route" shows only connected networks.
[18:48] djhankb: actually it looks like my lxcbr0 is not working correctly on that controller
[18:57] djhankb: figured it out, had to restart the lxc-dnsmasq service
[19:02] noonedeadpunk: yeah, sorry for not answering earlier, but good that you've figured it out:)
[19:18] mgariepy: jamesdenton, is there any reason why ovs doesn't use the openvswitch firewall instead of iptables_hybrid ?
[19:22] mgariepy: jamesdenton, https://github.com/openstack/openstack-ansible-os_neutron/blob/master/templates/plugins/ml2/openvswitch_agent.ini.j2#L33-L36
[19:27] dmsimard: noonedeadpunk: https://github.com/ansible-collections/openvswitch.openvswitch/pull/60/files
[19:55] spatel: mgariepy: I have configured dpdk with ovs and cpu usage showing 100% for ovs-vswitchd. is it normal?
[20:03] mgariepy: spatel, i have no idea.
[20:03] spatel: no worry
[20:03] mgariepy: spatel, it's my first ovs install since .... fuel..
[20:04] spatel: i am on same boat, trying to learn everything about OVS before pushing out to production
[20:05] mgariepy: meh way easier to fix stuff under pressure no ?
[20:07] spatel: :)
[20:07] spatel: I am so happy with LinuxBridge that now hard to leave it.
[20:09] spatel: is there any openvswitch IRC channel to talk ?
[20:09] ThiagoCMC: spatel, yes, it's normal for a DPDK App to consume an entire CPU Core.
[20:10] spatel: ThiagoCMC: thanks for confirmation.
[20:10] ThiagoCMC: In my lab, with a Supermicro server, 2 x 10G, at least, 2 CPU Cores. With multiqueue, 4.
[20:10] ThiagoCMC: NP!
[20:10] spatel: ThiagoCMC: now i have big problem with bonding with DPDK
[20:10] spatel: I have only 2x10G nic card so how do i bound them in OVS ?
[20:11] spatel: because DPDK doesn't support bonding outside ovs right?
[20:11] ThiagoCMC: You can bond with OVS with or without DPDK
[20:11] ThiagoCMC: But with DPDK is really tricky
[20:11] ThiagoCMC: I did this about 6 months ago... Don't remember the syntax :-(
[20:12] spatel: How do i bond because i will lose connection right during building bonding
[20:13] ThiagoCMC: Oh, good question... I always had an USB Ethernet as "OOBM Network", outside of OVS, so I don't kick myself out of it
[20:14] spatel: ThiagoCMC: that is what i am thinking, how to do bonding while SSHing on same interface. (its not like during OS install you have it ready)
[20:15] spatel: Even OSA will install openvswitch during playbook run
[20:15] spatel: if i have 3rd nic then i can solve this issue but not with 2 nic
[20:15] ThiagoCMC: spatel, your best bet would be to have an extra interface, or access the server's IPMI/iLo. Here is where I got docs about bonding with ovs dpdk: https://software.intel.com/content/www/us/en/develop/articles/link-aggregation-configuration-and-usage-in-open-vswitch-with-dpdk.html
[20:16] spatel: I have 300 compute nodes and i can't do that via ILO :) i need something very automated process.
[20:16] ThiagoCMC: true lol
[20:16] ThiagoCMC: I wasn't aware that OSA is installing openvswitch now! That's... weird
[20:17] spatel: OSA does install openvswitch during os-neutron-install.yml playbook
[20:17] spatel: currently i am running my production workload on SRIOV (reason i was looking for dpdk because it support bonding but look like i hit the wall)
[20:18] spatel: SR-IOV doesn't support bonding.
[20:30] ThiagoCMC: I see... Well, keep in mind that ovs-dpdk is a much more complex environment!
[20:31] ThiagoCMC: You must play with it without OpenStack... Just Ubuntu 20.40 host, ovs-dpdk and QEMU, nothing else. Then, you'll better understand how it works.
[20:33] spatel: ThiagoCMC: totally with you
[20:34] ThiagoCMC: =)
djhankbspatel: are you using OVS for your controllers and container networking?20:38
spateldjhankb: currently in my lab i am just playing with OVS20:38
spatelI used LinuxBridge+OVS combo20:39
spatelbr-mgmt in lxb and br-vlan/br-vxlan in OVS20:39
djhankbspatel: gotcha. I have been running OVS for my container networking, i.e. br-mgmt, br-vxlan, br-storage. And I have hit quite a few pitfalls...20:40
spatelOVS isn't fun to run until unless you have army of developer and code digger20:40
djhankbI'm not sure if this has been addressed yet, I'm still on Train/20.0.1 but when building containers there are assumptions made that you are using linuxbridge, and things like 'veth-cleanup.sh' will not delete the ports from OBX20:41
djhankbOVS20:41
spatelI am asking this question to everyone what is the biggest advantage of using OVS over lxb (forget about dpdk etc)20:41
djhankbFor me - I initially set it up as I wanted to try out using Hyper-V for some of my compute nodes, and the Hyper-V VXlan did not work with Linuxbridge VXlan, and OVS was the happy medium as it worked on both.20:42
spatelmake sense.20:46
djhankbThat being said, everything about it is a horrible pain.  Trying to get it all set up using netplan? Forget it, which means you'll have to set up /etc/network/interfaces and deal with that. Then there are custom scripts needed for container networking as when you stop a container, it doesn't automatically remove the port from OVS and then the20:48
djhankbcontainer won't start until you manually remove it.20:48
*** cshen has quit IRC20:48
djhankbI just found another one, where if a container uses br-storage or if one of your bridges uses a VLAN tag, it won't automatically tag the port with the VLAN without editing the .ini file for the eth in the /usr/lib/lxc/foo_container directory20:49
ThiagoCMCAre you guys using Ussuri OSA's Ceph with Erasure Code?21:02
ThiagoCMCI'm curious about something from the OSA Ussuri release notes as well, can someone clarify it for me? Here: https://docs.openstack.org/releasenotes/openstack-ansible/ussuri.html - there is: "Any ceph infrastructure components (OSDs, MONs etc) deployed using the OSA/ceph-ansible tooling will be upgraded to the Ceph Nautilus release." ...21:04
ThiagoCMCHowever, Ceph on Ubuntu 20.04 is Octopus (15), not Nautilus!21:05
*** fanfi has quit IRC21:06
*** cshen has joined #openstack-ansible21:07
jrosserThiagoCMC: the ceph packages are taken from download.ceph.com not from the distro iirc21:27
ThiagoCMCMy file "/etc/openstack_deploy/user_variables-ceph.yml" contains: "ceph_origin: distro", so, it actually installed from Ubuntu itself, which is the way I expect... Is this bad from OSA point of view?21:28
jrosserpossibly, a particular OSA release will bring in a specific major version of ceph-ansible, which in turn will imply a specific ceph major version21:30
ThiagoCMCOh, okay21:30
ThiagoCMCKinda bad to see OSA supporting Ubuntu 20.04 but downgrading Ceph...21:31
kleiniThiagoCMC: I am always deploying Ceph separately from OSA using ceph-ansible. This is very easy and allows then to run different versions.21:32
jrosserare you sure that is actually a release it’s from ussuri?21:32
ThiagoCMCkleini, cool, I'm thinking about doing that too!21:32
ThiagoCMCjrosser, I'm deploying from OSA's stable/ussuri git branch21:32
jrosserrather than a previous release note which is mistakenly on the ussuri release notes page?21:32
ThiagoCMCGood question...21:33
ThiagoCMClol21:33
kleinidjhankb: I use LXB on controller nodes for bridges and LXC containers and OVS on compute and network nodes for bridges and ML221:33
jrosserbecause something truly weird has happened with the rendering of the release notes21:33
ThiagoCMCO_o21:33
jrosserand no one knows what has caused it21:33
ThiagoCMCWell, I just deployed Ceph 15 from OSA/Ussuri branch21:34
ThiagoCMC"ceph status" is healthy21:34
jrosserwell here is the version which would be installed from downloads.ceph.com for ussuri https://github.com/openstack/openstack-ansible/blob/stable/ussuri/inventory/group_vars/all/ceph.yml#L3021:35
jrosserso i think that the releasenote is unfortunately from Train21:35
ThiagoCMCDamn21:35
ThiagoCMCOk! I'm at Ussuri with Octopus!21:35
ThiagoCMCThe Ussuri's release notes is wrong!21:36
jrosseryes, it seems to have included releasenotes from previous releases21:36
ThiagoCMCOh, I see...21:36
jrosserthe infra/docs folk are not able to figure out why this happens21:36
jrosserthis is all automated somehow in the docs generation21:37
ThiagoCMCOk, no problem, good to know =)21:37
jrosseranyway - if you override the ceph version then that's fine, but you'll have to take care that the OSA / Ansible / ceph-ansible / ceph combination you are trying to deploy is valid21:37
jrosserthose things are all dependent on each other, unfortunately21:38
jrosserthis is one of the biggest reasons to decide to deploy ceph separately without OSA, because you can decouple the versions and points you decide to upgrade completely21:39
djhankbkleini: I think that's probably the ideal way to use OVS. As I mentioned, my use case was sort of non-traditional, and I had to learn everything about it the hard way of course.21:41
ThiagoCMCjrosser, right, I'll try to deploy ceph-ansible first, and not call "ceph-install.yaml" from OSA21:43
ThiagoCMCjrosser, kleini are you guys using Erasure Code with Ceph pools for OpenStack?21:49
jrosseri don't have any EC pools currently21:49
ThiagoCMCok21:50
jrossereverything is replica 3 right now21:50
ThiagoCMC3 is kinda overkill for me21:50
ThiagoCMCMy cloud is in my basement lol21:50
jrosserworth careful reading because i think for rbd you need the metadata on a replica pool anyway21:54
jrosserthere is no omap on an ec pool21:54
ThiagoCMCHmm...21:56
ThiagoCMCResearching about: ceph erasure code openstack21:57
ThiagoCMC=)21:57
djhankbon a deployment host, I could've swore there was a file containing the output of playbook execution. Does anyone recall where that would be?22:05
*** spatel has quit IRC22:06
ThiagoCMCjrosser, looks like that this: https://docs.ceph.com/en/latest/rados/operations/erasure-code/#erasure-coding-with-overwrites - is required to make sure OpenStack can use Erasure Coded pools! - Blog: https://themeanti.me/technology/2018/08/23/ceph_erasure_openstack.html22:27
*** cshen has quit IRC22:27
*** cshen has joined #openstack-ansible22:29
*** rfolco has quit IRC22:30
*** luksky has quit IRC22:48
*** spatel has joined #openstack-ansible23:12
*** spatel has quit IRC23:17
