Tuesday, 2021-02-02

-openstackstatus- NOTICE: The Gerrit service on review.opendev.org is being quickly restarted to apply a new security patch00:55
openstackgerritAndrew Bonney proposed openstack/openstack-ansible-galera_server stable/victoria: Bring db setup vars in line with other roles  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/77255008:51
*** priteau has joined #openstack-ansible08:56
*** tosky has joined #openstack-ansible09:02
*** jbadiapa has joined #openstack-ansible09:17
jrossermorning09:18
admin0\o morning09:21
SiavashSardarimorning09:24
openstackgerritMerged openstack/openstack-ansible-tests master: Bump ansible-base to 2.10.5  https://review.opendev.org/c/openstack/openstack-ansible-tests/+/77346709:27
openstackgerritJonathan Rosser proposed openstack/openstack-ansible master: Increase git clone depth from 10 to 20  https://review.opendev.org/c/openstack/openstack-ansible/+/77335209:34
*** d34dh0r53 has quit IRC09:39
*** d34dh0r53 has joined #openstack-ansible09:39
SiavashSardarijrosser yesterday you mentioned log dir in containers mounts on physical hosts and I remember using that journalctl --merge on physical hosts (this was my train release setup and was at least a month ago) anyways, I forgot about that and installed vector as log shipper on all containers. today I wanted to redesign my log stuff and while the mounting09:47
SiavashSardariof log dirs happened, but the logs are in /run/log/journal/ dir. did I miss something here? I don't remember changing journal.conf last time I used that in OSA09:47
*** d34dh0r53 has quit IRC09:48
*** d34dh0r53 has joined #openstack-ansible09:49
jrosserSiavashSardari: on my physical hosts i see the journals all mounted to /var/log/journal09:51
jrosseri don't think OSA has ever touched journal.conf09:52
SiavashSardarijrosser in my setup I have mounted directories in /var/log/journal but in containers journal files are in /run/log/journal/ directory.09:59
SiavashSardarimaybe something changed in systemd-journald??10:00
jrosserperhaps it depends on the OS, mine are ubuntu10:00
*** jbadiapa has quit IRC10:11
*** jbadiapa has joined #openstack-ansible10:11
*** avagi has quit IRC10:13
SiavashSardarijrosser mine are Ubuntu too, but now focal in previous setup I mentioned it was bionic10:21
*** avagi has joined #openstack-ansible10:22
jrosserSiavashSardari: could you check if you think that this needs updating to use OS-specific paths for the journals? https://opendev.org/openstack/openstack-ansible-lxc_container_create/src/branch/master/tasks/lxc_container_config.yml#L261-L29110:28
*** tosky has quit IRC10:33
*** tosky has joined #openstack-ansible10:34
SiavashSardarijrosser will do. but just to make sure, your setup is bionic?10:37
jrosseryes it's currently bionic10:37
SiavashSardariany one here has a setup with focal? and if you have, could you please check if your journal files are in /var/log/journal or in /run/log/journal?10:39
SiavashSardariI will dig a bit on systemd versions maybe I can find something there10:39
*** ierdem has joined #openstack-ansible10:48
ierdemHello everyone, I encountered a problem with keepalived. I am using OSA-Stable/Ussuri on Ubuntu 18.04LTS. Keepalived seems to work fine but I cannot connect to the external lbvip address, oddly I can connect to the internal one. When I stop keepalived on infra hosts and attach external IP manually with "ip addr add 172.30.22.200/32 dev br-openstack" this10:51
ierdemcommand, I can connect and it works10:51
ierdemkeepalived version is 1.3.9. Do you have any idea about this problem? Thanks10:53
jrosserSiavashSardari: turns out i have a focal AIO here, but it's without containers10:55
*** macz_ has joined #openstack-ansible10:55
jrosserthe system journal is in /var/log/journal/<machine-id> and /run/log/journal directory is present but empty10:56
*** macz_ has quit IRC11:00
SiavashSardarijrosser interestingly enough I have some logs in /var/log/journal/<machine-id> but they are from Dec 21.11:00
jrossercontainer logs?11:01
SiavashSardariyep11:01
jrossercheck for this if the logs don't look current https://review.opendev.org/c/openstack/openstack-ansible/+/77120511:01
SiavashSardariit is their boot logs I think11:01
openstackgerritDmitriy Rabotyagov proposed openstack/ansible-hardening master: Fix linter errors  https://review.opendev.org/c/openstack/ansible-hardening/+/77148111:05
openstackgerritDmitriy Rabotyagov proposed openstack/ansible-hardening master: Fix linter errors  https://review.opendev.org/c/openstack/ansible-hardening/+/77148111:11
openstackgerritDmitriy Rabotyagov proposed openstack/ansible-hardening master: Make possible to avoid aide installation  https://review.opendev.org/c/openstack/ansible-hardening/+/77256111:16
*** SiavashSardari has quit IRC11:26
*** sshnaidm|ruck is now known as sshnaidm|afk11:38
*** SiavashSardari has joined #openstack-ansible11:44
ierdemI am repeating my problem, can you please help me if you know the solution; I encountered a problem with keepalived. I am using OSA-Stable/Ussuri on Ubuntu 18.04LTS. Keepalived seems to work fine but I cannot connect to the external lbvip address, oddly I can connect to the internal one. When I stop keepalived on infra hosts and attach external IP manually with11:46
ierdem"ip addr add 172.30.22.200/32 dev br-openstack" with this command, I can connect and it works. keepalived version is 1.3.9. Do you have any idea about this problem? Thanks11:46
jrosserierdem: the answer probably lies in the keepalived logs11:47
jrosserif you are able to find anything suspicious looking there about keepalived binding to br-openstack then you can paste it at paste.openstack.org11:49
jrosseralso check that the contents of the keepalived config file looks sensible11:49
SiavashSardarijrosser sorry, was at a meeting. so the bug you sent happens when adding new container to an existing setup??12:01
jrosserit's a bug https://bugs.launchpad.net/openstack-ansible/+bug/189553312:02
openstackLaunchpad bug 1895533 in openstack-ansible "/var/log bind mount overshadows /var/log/journal bindmount in lxc container setup" [High,Fix released] - Assigned to Dmitriy Rabotyagov (noonedeadpunk)12:02
jrosserthere's quite a good description there12:03
SiavashSardariyeah I already read that12:04
ierdemjrosser I checked keepalived logs, there is nothing suspicious in there, also I checked confs and they are ok too. My problem is keepalived attaches External IP correctly but I cannot ping or ssh. If I attach this IP manually it works fine. I could not find the root of problem12:04
jrosserierdem: can you not even ping locally from the host it has attached the IP to?12:04
ierdemI can not12:05
jrosseri am wondering if the /32 is correct12:07
ierdemI tried first with /24 and it did not work12:07
jrosserwhen it's assigned with keepalived what do you see with ip addr | grep br-openstack12:08
ierdem8: br-openstack: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 100012:11
ierdem    inet 172.30.22.40/24 brd 172.30.22.255 scope global br-openstack12:11
ierdem    inet 170.30.22.200/32 scope global br-openstack12:11
ierdem15: bond0.50@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-openstack state UP group default qlen 100012:11
ierdemsorry I should copy that to paste.openstack.org,12:12
jrosserand what error do you get with ping 170.30.22.20012:15
ierdemhttp://paste.openstack.org/show/802229/12:16
jrosserand what is 172.30.22.42 ?12:17
jrosser(i am assuming that you are testing the ping from the host with 172.30.22.40 on br-openstack)12:18
ierdemit is same on infra01, http://paste.openstack.org/show/802230/. We are accessing our physical hosts (infra and computes) via br-openstack interface12:21
ierdem172.30.22.[40-42] -> infra0[1-3] , 172.30.22.[43-50] -> compute[1-10]12:21
admin0ierdem, you should add the full /subnet and not /3212:23
admin0can u show your config lines ?12:23
ierdemok, I am changing the keepalived confs now, I will share the ping outputs and confs after this12:24
admin0don't share the ping outputs :)  .. share the haproxy/keeplive config from user_variables, run the haproxy playbook and then share the ip -4 a output from the 3 controllers12:24
admin0also ip route show also helps12:25
admin0in case your ip is overlapping with some other routes12:25
jrosserit was wondering why the 'destination unreachable' was coming from .42 when the host we are on is .4012:27
*** SiavashSardari has quit IRC12:27
ierdemadmin0 Now I got it, while I am doing these changes may you please give me advice about that Keepalived attaches both of external and internal lbvip addresses and I can reach internal lbvip but cannot external. Also I tried to attach different IPs to external lbvip from the same network. Even in this case my IP12:29
ierdem... Even in this case may my IP overlaps?12:29
admin0show me config first please.. coz i cannot make sense of that statement :)12:30
ierdemjrosser I tried to ping 22.200 from the infra3 (.22.42) host first http://paste.openstack.org/show/802229/, after you said I also tried it from infra1 (.22.40) http://paste.openstack.org/show/802230/12:31
jrosserok12:31
admin0why are you not pasting ip -4 and route -n output and only failed pings ?12:32
*** sshnaidm|afk is now known as sshnaidm|ruck12:36
ierdemadmin0  user_variables file http://paste.openstack.org/show/802233/, ip -4 a http://paste.openstack.org/show/802235/, route -n http://paste.openstack.org/show/802236/ for 3 hosts12:37
ierdemadmin0 I realized that route -n command shows 2 br-openstack interface12:38
ierdemon infra1 hosts12:38
fricklerierdem: do you really want 170.30.22.200 or is this a typo?12:39
ierdemWe will use this IP, so yes I want it, its correct12:40
jrosseromg how did i miss that12:41
fricklerfrom your other configuration it looks like you'd want 172.30.22.20012:42
jrosserierdem: 172.30 vs. 170.30? really?12:42
admin0:)12:43
ierdemOMG :(12:43
jrosserwe've all been there :)12:43
admin0yep . now you know why config/ip/route helps to see12:43
admin0ierdem, was there a reason to not use 172.29.x -- the openstack ranges ?12:44
admin0as in the config ?12:45
ierdemThank you so much, probably I could not find that if I check for hours. Thank you for your time, admin0 jrosser frickler12:45
jrosserno worries12:45
ierdemadmin0 our clients arranged these ranges for us, it was not our choice12:47
admin0ok12:47
*** gokhani has joined #openstack-ansible12:47
jrosser172.16.0.0/12 is quite likely already in use inside company networks as its regular rfc1918 address space12:49
jrossercertainly the case here for me so i can't use the default OSA cidr as they're already in use for something else12:49
admin0in my case, i always ask for 3 vlans to use those and only the external is the one that office can access .. this way, i try to make sure anyone in the team can read the osa docs and exactly know how the cloud is built12:50
jrosserhere reuse of address space is forbidden12:55
*** SmearedBeard has joined #openstack-ansible13:12
*** cshen_ has joined #openstack-ansible13:13
*** cshen has quit IRC13:16
*** cshen_ has quit IRC13:54
admin0i set metering_hosts: *infrastructure_hosts .. but gnocchi api container is not being created13:59
admin0isn't this line enough to create those ?13:59
admin0https://pastebin.com/wwhft8Ht -- this is what I have14:00
mgariepynoonedeadpunk, you found the ansible-hardening issue i guess14:05
noonedeadpunkyeah14:10
noonedeadpunkit was so stupid....14:10
noonedeadpunkthat functional test was running with check....14:10
openstackgerritDmitriy Rabotyagov proposed openstack/ansible-hardening master: Fix linter errors  https://review.opendev.org/c/openstack/ansible-hardening/+/77148114:11
openstackgerritDmitriy Rabotyagov proposed openstack/ansible-hardening master: Make possible to avoid aide installation  https://review.opendev.org/c/openstack/ansible-hardening/+/77256114:12
mgariepyyep saw the diff14:14
mgariepycomputer are hard.14:14
noonedeadpunkindeed14:19
mgariepyi also found an issue on neutron  ;) https://review.opendev.org/c/openstack/neutron/+/77316514:23
openstackgerritAndrew Bonney proposed openstack/openstack-ansible-lxc_container_create master: Avoid delegation to the target container  https://review.opendev.org/c/openstack/openstack-ansible-lxc_container_create/+/77369014:25
*** gshippey has joined #openstack-ansible14:45
*** spatel has joined #openstack-ansible14:50
*** gokhani has quit IRC14:51
*** cshen has joined #openstack-ansible14:51
*** spatel has quit IRC14:54
*** spatel has joined #openstack-ansible14:55
*** pcaruana has quit IRC15:03
spateljrosser hey, finally journalbeat is working but looks like it's sending too much information, I have used some drop field to trim it down. I am trying to find if somehow i can use container name in logs statement or filter because all current logs coming from infra* nodes and hard to know what container they are associated15:18
*** miloa has quit IRC15:20
*** ilush has joined #openstack-ansible15:21
*** pcaruana has joined #openstack-ansible15:25
jrosserspatel: the journal entries should all have info about where they come from i think.....15:28
spatelhmm! i am not able to find that information on my graylog server, may be i need parser to filter out that particular information15:30
spatelLet me play and see if i missing something.15:30
jrosserspatel: it's elasticsearch backed? i don't know about how graylog is set up but at this point i'd be using kibana to look at the raw data thats been collected15:42
spatelGraylog use elasticsearch to store all logs15:43
spatelgraylog is just fancy GUI with enterprise level of feature but behind the scenes its elasticsearch storage15:46
spateljrosser i can hookup kibana and look into raw data.15:50
noonedeadpunkyeah, and it's way simpler than elk stack, though, it has more interesting design (at least for alerts imo)15:51
spatelare you doing any log parsing before pumping data into ES?15:51
jrosseryes lots with logstash15:51
noonedeadpunksince graylog uses input chacne and proceed all alerts before writing to elastic15:51
spatelmay be that is the key..15:51
noonedeadpunkinstead of reading from it all new stuff and then alert...15:51
jrossersee the pipeline in https://github.com/openstack/openstack-ansible-ops/blob/master/elk_metrics_7x/templates/logstash-pipelines.yml.j215:52
jrosserdoes things like unify the timestamps and make sense of the special fields that oslo.log is putting into the journal15:52
jrosserlike the req_id i think15:52
spatelthat is possible graylog not filtering proper field and just doing all standard stuff.15:52
jrosserthing is that the journal is not just a list of log text lines15:53
jrosserthere are many other fields that you don't normally see15:53
noonedeadpunkthere's a gelf input and journalctl module that puts stuff into correct fields15:53
jrosserok cool15:53
noonedeadpunkhttps://opendev.org/openstack/openstack-ansible-ops/src/branch/master/graylog/graylog-forward-logs.yml15:54
spateljrosser oh i can see logstash is doing all work there. maybe i need to look into that15:54
jrosseri can't say really - we don't have a graylog here so i can't compare what you might want to do15:54
spatelnoonedeadpunk can journalbeat support gelf ?15:54
noonedeadpunknah, I don't think so. gelf is graylog specific format15:55
noonedeadpunkbut there's another tooling for elk iirc15:55
spatelgelf need some golang stuff etc.. i hate to install all those stuff if they are not useful enough15:55
noonedeadpunkactually I think it's journalbeat15:56
spatellet me keep playing to get more ideas. Thank you15:57
gshippeyo/15:58
noonedeadpunk#startmeeting openstack_ansible_meeting16:00
openstackMeeting started Tue Feb  2 16:00:14 2021 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.16:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.16:00
*** openstack changes topic to " (Meeting topic: openstack_ansible_meeting)"16:00
openstackThe meeting name has been set to 'openstack_ansible_meeting'16:00
noonedeadpunk# topic office hours16:00
noonedeadpunk#topic office hours16:00
*** openstack changes topic to "office hours (Meeting topic: openstack_ansible_meeting)"16:00
noonedeadpunk\o/16:00
*** ilush has quit IRC16:01
noonedeadpunkSo, with release of amqp 5.0.5 it seems we need to speed up with SSL topic16:02
noonedeadpunkI tried to cover some of the comments raised for https://review.opendev.org/c/openstack/openstack-ansible-specs/+/75880516:02
noonedeadpunkbut maybe let's discuss them?16:02
noonedeadpunk`What to do when certs expire (including the root cert) and how that should be managed, including their default lifetimes`16:03
noonedeadpunkI'd say that we should just have a flag that will force role to renew certificate or root ca16:03
*** macz_ has joined #openstack-ansible16:04
*** SmearedBeard has quit IRC16:05
noonedeadpunkI don't feel like we should be watching after expiration dates atm out of the box. Considering we should be able to work with user provided certificates and let's encrypt where applicable16:05
*** SmearedBeard has joined #openstack-ansible16:05
noonedeadpunkBut yes, we totally need to have a valid mechanism of root ca update without making cluster stuck because of that update16:05
noonedeadpunkalso imo cert revocation systems is kind of overkill at the moment as well16:06
noonedeadpunkit's probably nice to have feature, but where we are at the moment and what needs to be done overall is kind of...16:07
noonedeadpunkBtw I already asked for repo creation https://review.opendev.org/q/topic:%22osa%252Fpki%22+(status:open%20OR%20status:merged)16:07
jrossero/ hello16:09
andrewbonneyFor expiry I guess the main detail is making sure the expiring one remains trusted whilst rollover happens16:10
jrosserthe root CA would be extremely long lived and an intermediate is the more likely thing to need rotating?16:10
jrosserso probably two different things, rotate root CA (very very infrequent unless some security incident with it)16:11
noonedeadpunkyes, totally, 2 different flags16:11
jrosserre-issue service cert + intermediate bundle against a new intermediate, and that should be much much easier than rotating a root16:12
noonedeadpunkbut again with remaining root ca trusted even when new one is in place16:12
noonedeadpunkbecause otherwise I don't see how to update root. It was super clever suggestion I was not aware of16:13
noonedeadpunkI mean https://tools.ietf.org/html/rfc4210#section-4.416:13
noonedeadpunkhm I guess I'm a bit lost in terminology ( So intermediate is root CA and "root" in private key, right?16:14
noonedeadpunkor you're talking about something extra? As intermediate I guess is addition to CA one?16:15
jrossergenerally certs for services are not signed directly with the private key of the root CA16:16
jrosserthe only thing you use that for is to generate an intermediate CA cert/key, and you can have as many of those as you like16:16
noonedeadpunkand you issue certificates with intermediate ones?16:16
jrosserwhich is good, because you can revoke/change an intermediate whenever you like without affecting the trust of stuff signed from a different intermediate16:17
jrosserit's like a tree16:17
noonedeadpunkI just never was digging deep in how certs are issued on provider side16:17
jrosserthats why generally you make the root CA valid for a very very long time16:17
jrosserbut you can make the lifetime of the intermediates shorter, and the pain of rolling them is really much smaller than if you wanted to roll the entire root CA16:18
noonedeadpunkI'm not sure if you can put CA in trust store... I guess you can?16:18
jrosseroh absolutely, thats pretty much what it contains16:18
noonedeadpunkJust in terms that we won't need to define intermediate chain to the services since they will be trusted system wide?16:19
noonedeadpunkok, I guess I got the idea. Need to read more anyway16:19
jrossersure well i think we should write more and maybe test some of this16:20
jrosserthere doesnt seem to be anything too major we have missed from the comments16:22
noonedeadpunkyeah, I guess so16:23
noonedeadpunkbut all comments were really valid though16:24
noonedeadpunkregarding hardening - it seems I got role unstuck https://review.opendev.org/c/openstack/ansible-hardening/+/77148116:25
noonedeadpunkbut I'm not sure in 1 thing there, which makes role compatible with ansible 2.10 and later only16:26
noonedeadpunkwhich is `truthy(convert_bool=True)` filter16:26
jrosserfor master/osa thats fine, not sure how much use we get beyond that?16:26
noonedeadpunkI guess we can use for V as well?16:32
noonedeadpunkthe main concern is that role was used not only by OSA I guess16:33
noonedeadpunkit has been used even outside of the openstack...16:33
jrosseri expect you used the new 2.10 keyword for a good reason?16:34
noonedeadpunkgood question... I used to replace https://opendev.org/openstack/ansible-hardening/src/branch/master/tasks/rhel7stig/accounts.yml#L147 to fix linters16:34
noonedeadpunkbut... item.value here might be either int or bool or string16:35
noonedeadpunkand I'm out of good ideas how to test them except comparing to empty string or with truthy test...16:35
noonedeadpunkbecause bool for string will be false and you can't check length of int or bool...16:36
noonedeadpunkwe can leave it as is and add noqa here16:36
jrossersounds reasonable as its a difficult test to do properly16:39
jrosserare there bugs to look at?16:40
noonedeadpunkthere were no new ones. But there were some untriaged left from last year16:41
noonedeadpunk#topic bug triage16:41
*** openstack changes topic to "bug triage (Meeting topic: openstack_ansible_meeting)"16:41
noonedeadpunkI guess I just found extra one:)16:41
noonedeadpunkhttps://opendev.org/openstack/openstack-ansible-os_nova/src/branch/master/templates/nova.conf.j2#L241 - this will be always false right?16:41
noonedeadpunkgood place to use new truthy filter as well?16:42
jrosserthats just broken now?16:43
jrosserstring -> false16:43
noonedeadpunkyeah...16:43
noonedeadpunkjust faced it16:43
* noonedeadpunk upgrading T->V directly16:44
jrosserhow does that even work at all then16:44
jrosserV ceph job for example16:44
noonedeadpunkwe have a lot of diskspace :p16:44
noonedeadpunkso nova uses local storage for ephemeral drives16:45
jrosserandrewbonney: ^ one to add to the list! :)16:45
noonedeadpunkand nova_rbd_inuse is defined not correctly as well... doh16:46
jrosserhmm seems like we need a LP bug for this16:47
noonedeadpunkyeah, will spawn some16:47
* noonedeadpunk fixing environment16:47
openstackgerritMerged openstack/openstack-ansible-galera_server stable/victoria: Bring db setup vars in line with other roles  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/77255016:48
noonedeadpunkoh, btw, what about galera issue we're facing...16:49
noonedeadpunkI think it might be worth reaching galera folks for some help with that?16:49
noonedeadpunkoh, and https://bugs.launchpad.net/openstack-ansible/+bug/190870316:50
openstackLaunchpad bug 1908703 in openstack-ansible "federation domain not configured correct" [Undecided,New]16:50
jrosseryeah, i made a paste with the journal when galera had not started properly, that should be useful16:51
jrossergshippey: are you around?16:52
gshippeyI am16:52
jrosserthe federation bug just mentioned before, does it look like the example mapping we give in the docs is missing some things for the default domain?16:52
gshippeyJust had a quick look at the docs, and the domain_id on the trusted_idp is there. Give me a sec, need to find some old patches of mine16:57
noonedeadpunkannoying thing is that gerrit now not linked to LP16:58
gshippeyif anything looking at the keystone_sp structure in https://docs.openstack.org/openstack-ansible-os_keystone/latest/ the federated_identities should be pulling the domain from the idp rather than the other way around16:58
jrosserhmm looks like pertoft is not here in irc?16:59
jrossergshippey: if you would be able to follow up to the reply on that bug it would be awesome17:00
jrossernoonedeadpunk: we are encountering this in our upgrade work https://github.com/ansible/ansible/issues/7277617:01
noonedeadpunkyeah I saw patch from andrewbonney, but didn't have time to read bug carefully17:03
gshippeyI will do, essentially I don't think the domain of the idp functionally matters and to maintain backwards compatibility specifying the domain of the idp has to be optional.17:03
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible-os_nova master: Fix nova_libvirt_images_rbd_pool check  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/77373217:03
jrossernoonedeadpunk: i am not sure if it is triggered by something specific in our environment17:03
andrewbonneyI'm still investigating at the moment but I think in our case it's because our deploy host doesn't have name resolution for the container hosts17:03
jrosserto do with the way hosts vs. IPs in the inventory17:04
andrewbonneyOr rather that's why it doesn't show up elsewhere17:04
jrosserthere was discussion recently if the OSA things should be adding entries to the deploy host /etc/hosts17:05
jrosserbecause the behaviour currently will be different if infra1 is the deploy host vs. some dedicated deploy host17:05
noonedeadpunkand in your case deploy host is placed on infra?17:06
jrosserand we would never see this sort of thing in CI jobs because deploy==infra host17:06
jrosserno it's separate17:06
noonedeadpunkit's also separate for me...17:07
noonedeadpunkbut anyway I see nothing wrong in setting hosts file to the deploy host as well17:07
noonedeadpunkexcept it's not so easy to achieve I guess)17:07
noonedeadpunkas we don't want to run whole openstack_hosts against deploy17:07
jrosserno we do not want to do that17:08
jrosseri think we let andrewbonney dig into this and see what the root cause is17:08
jrosserthere is a further instance of it beyond the patch today which cannot be fixed in a straightforward way17:09
noonedeadpunkBtw I'm thinking if we should release 22.0.1 now (once all V backports will land) and 22.1.0 after that I guess?17:09
noonedeadpunkas point release used to mark that it's pretty safe to upgrade?:)17:09
jrossersounds like we are both working through V upgrades on prod environments and catching a few things17:10
jrosserso yes a 22.1.0 when all that is settled would be good17:11
noonedeadpunkk17:11
noonedeadpunk#endmeeting17:11
*** openstack changes topic to "Launchpad: https://launchpad.net/openstack-ansible || Weekly Meetings: https://wiki.openstack.org/wiki/Meetings/openstack-ansible || Review Dashboard: http://bit.ly/osa-review-board-v3"17:11
openstackMeeting ended Tue Feb  2 17:11:11 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)17:11
openstackMinutes:        http://eavesdrop.openstack.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-02-02-16.00.html17:11
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-02-02-16.00.txt17:11
openstackLog:            http://eavesdrop.openstack.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-02-02-16.00.log.html17:11
*** hamzaachi has quit IRC17:16
*** macz_ has quit IRC17:16
gshippeyhttps://bugs.launchpad.net/openstack-ansible/+bug/1890492 and https://bugs.launchpad.net/openstack-ansible/+bug/1720535 should be set to wont fix? We don't use those nova filters in newer versions do we?17:28
openstackLaunchpad bug 1890492 in openstack-ansible "Rocky Deployments Fail During repo_build" [Undecided,New]17:28
openstackLaunchpad bug 1720535 in openstack-ansible "lxd.filters out of date" [Medium,Confirmed]17:28
noonedeadpunkgshippey: yeah, I guess so17:33
*** d34dh0r53 has quit IRC17:42
*** jbadiapa has quit IRC17:42
*** spatel has quit IRC17:44
*** spatel has joined #openstack-ansible17:46
gshippeyalso @jrosser didn't you fix this?? https://bugs.launchpad.net/openstack-ansible/+bug/190080817:47
openstackLaunchpad bug 1900808 in openstack-ansible "keystone SAML2 federation installation error " [Undecided,New]17:47
*** d34dh0r53 has joined #openstack-ansible17:50
jrossergshippey: yes though I think because the launchpad/Herriot integration no longer works that’s not been automatically marked as resolved17:52
jrosser*Gerrit17:53
noonedeadpunkand it's not a prio for infra btw to fix integration17:53
noonedeadpunk"fix when convenient"17:54
jrosserI maybe even forgot to put the header in the patch :(17:54
*** maharg101 has quit IRC18:02
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible-lxc_hosts master: Fix lxc_hosts_container_image_url condition  https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/77378118:07
*** ChiTo has joined #openstack-ansible22:24
ChiToHi OSA team22:24
ChiToI remember there is a variable I can pass as -e "" to force a reinstallation on a specific playbook, but I don't recall it, by chance can you assist me?22:25
ChiToI would like to make sure that I can reinstall all the packages for a specific service (in my case Barbican)22:25
*** gshippey has quit IRC22:36
admin0-e build_venv=true ?22:37
*** maharg101 has joined #openstack-ansible22:39
*** maharg101 has quit IRC22:43
*** spatel has joined #openstack-ansible22:46
ChiToadmin0: Thanks admin0 that is the good one22:46
ChiToby chance do you know if OSA is able to install the barbican UI?22:47
ChiToI noticed that there are no variables associated to horizon_enable_barbican_ui22:47
*** spatel has quit IRC23:13
jrosserChiTo: unless there is a specific reason to use venv_rebuild=true then i would be cautious with it23:22
jrosserit would be much better to submit a bug report for the reason that you think you need that flag23:22
ChiTojrosser: 100% agreed, since my deployment was on VMs treated as bare metal sometimes it is difficult for me to remove the venvs23:23
jrosseradmin0: you should read this https://bugs.launchpad.net/openstack-ansible/+bug/191430123:23
openstackLaunchpad bug 1914301 in openstack-ansible "passing venv_rebuild=true leaves repo server in unusable state" [Undecided,New]23:23
jrosseryou can just delete them23:23
*** spatel has joined #openstack-ansible23:23
jrosserlike with rm23:23
jrosseror if it is an lxc deployment delete/recreate the containers23:25
ChiTojrosser: got it, thanks for the hint, I think that would be the best approach to go. Next regions I will deploy will be on LXC to avoid this situation23:25
jrosserok well also do check out that bug i just linked23:25
jrossernot sure if you will have a repo host or not for a metal deploy, so this may not be an issue23:26
ChiTojrosser: btw I noticed that the redhat7 yaml variables file required a ksmtuned package, but on rhel 7 or centos7 it is not a pkg but a kernel module, when I was setting some specific filters I found that the playbook failed because the ksmtuned was not found, not sure if I have to open a ticket due this package exists only in Ubuntu23:26
ChiTojrosser: Agreed thanks for the clarification, definitely I will deploy on LXC23:26
jrosserChiTo: you mean this? https://opendev.org/openstack/openstack-ansible-os_nova/src/branch/master/vars/redhat.yml#L82-L8323:28
ChiTojrosser: that is correct23:29
openstackgerritMerged openstack/openstack-ansible master: Increase git clone depth from 10 to 20  https://review.opendev.org/c/openstack/openstack-ansible/+/77335223:29
jrosseroh hmm "The ksm service is included in the qemu-kvm package."23:29
jrosserfrom here https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/chap-ksm23:29
jrosseryes so that looks like a bug23:29
jrosserdoes the kernel module get loaded properly?23:29
ChiToI just got: paste.openstack.org/show/80226423:30
ChiTojrosser: Yes it was loaded properly that is why I just commented it out23:31
ChiToto avoid to look for the package23:31
jrosserok so it looks like a simple fix23:31
ChiToagreed23:31
jrosserif you are using Centos note that we don't yet have a good answer for what to do with centos8-stream23:32
jrosserthe things we need from EPEL are not working with stream23:33
ChiTojrosser: got it, I am aware of it, I think eventually I will go with Ubuntu23:33
ChiTojrosser: In the meantime I will continue only with CentOS 7.X and then to see what happens with a repo for Stream, but in my case it is very likely I will go to Ubuntu23:33
*** spatel has quit IRC23:34
jrosseri need to take another look at it, things may have changed23:34
ChiTothx jrosser for your recommendations23:35
*** ChiTo has quit IRC23:45
*** spatel has joined #openstack-ansible23:50
