Tuesday, 2021-05-11

*** gyee has quit IRC01:06
*** evrardjp has quit IRC02:33
*** evrardjp has joined #openstack-ansible02:33
*** pto has joined #openstack-ansible04:52
*** pto has joined #openstack-ansible04:53
*** pto has quit IRC05:19
*** prometheanfire has quit IRC05:27
*** prometheanfire has joined #openstack-ansible05:28
*** shyamb has joined #openstack-ansible06:05
*** miloa has joined #openstack-ansible06:27
*** pto has joined #openstack-ansible06:28
*** miloa has quit IRC06:28
jrossermorning06:53
*** macz_ has joined #openstack-ansible07:02
*** sshnaidm|afk has quit IRC07:03
*** macz_ has quit IRC07:07
*** sshnaidm has joined #openstack-ansible07:20
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible-os_masakari stable/victoria: Replace deprecated host param for monitors  https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/79055807:21
*** andrewbonney has joined #openstack-ansible07:23
*** shyamb has quit IRC07:25
*** crazzy has quit IRC07:38
*** rpittau|afk is now known as rpittau07:38
openstackgerritMerged openstack/openstack-ansible-os_masakari master: setup.cfg: Replace dashes with underscores  https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/78839907:39
*** tosky has joined #openstack-ansible07:39
*** waxfire has quit IRC07:49
noonedeadpunkmornings07:50
*** waxfire has joined #openstack-ansible07:50
noonedeadpunkandrewbonney: sorry, was off yesterday07:50
*** oleksandry has joined #openstack-ansible07:51
andrewbonneyno worries07:53
noonedeadpunkthere's a patch for that (eventually even 2 of them)08:04
noonedeadpunkI think mainly we kind of aim for https://review.opendev.org/c/openstack/openstack-ansible/+/789776/08:05
*** shyamb has joined #openstack-ansible08:12
*** shyamb has quit IRC08:33
*** shyamb has joined #openstack-ansible08:34
*** oleksandry has quit IRC08:36
openstackgerritAndrew Bonney proposed openstack/ansible-role-pki master: WIP - create certificate authorities  https://review.opendev.org/c/openstack/ansible-role-pki/+/78740408:43
openstackgerritAndrew Bonney proposed openstack/ansible-role-pki master: WIP - Create server certificates  https://review.opendev.org/c/openstack/ansible-role-pki/+/78802108:43
openstackgerritAndrew Bonney proposed openstack/ansible-role-pki master: WIP - Experiment with molecule testing  https://review.opendev.org/c/openstack/ansible-role-pki/+/79059408:43
*** macz_ has joined #openstack-ansible08:45
*** waxfire has quit IRC08:48
*** macz_ has quit IRC08:50
*** pto has quit IRC08:50
*** pto has joined #openstack-ansible09:05
*** pto_ has joined #openstack-ansible09:11
*** pto has quit IRC09:14
*** maharg101 has joined #openstack-ansible09:17
*** pto_ has quit IRC09:17
*** pto has joined #openstack-ansible09:20
*** macz_ has joined #openstack-ansible09:55
*** macz_ has quit IRC10:00
*** pto has quit IRC10:01
*** pto has joined #openstack-ansible10:01
noonedeadpunkcan we kindly merge https://review.opendev.org/c/openstack/openstack-ansible/+/790359 ? we need to do last release and prepare for EM-ing Train10:03
*** pto has quit IRC10:08
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible stable/train: Prepare Train to EM  https://review.opendev.org/c/openstack/openstack-ansible/+/79065510:23
*** shyamb has quit IRC10:33
admin0is there any file in OSA that can tell me about what branch the repo is in10:56
admin0there is a very old cluster ( newton/ocata/pike -- one of those) .. where the osa repo was changed and merged as a new git master branch internally .. i need to upgrade this osa .. but since i don't have the original version info, i am checking here if there is any file in the osa deploy that can give me an idea of the branch10:58
admin0or the tag10:58
admin0i think found one -- openstack_ansible.egg-info/PKG-INFO11:00
*** pto has joined #openstack-ansible11:11
*** pto has quit IRC11:21
*** shyamb has joined #openstack-ansible11:25
*** shyamb has quit IRC11:27
*** jbadiapa has quit IRC11:31
*** pto has joined #openstack-ansible11:35
*** pto has quit IRC11:41
*** pto has joined #openstack-ansible11:42
*** jbadiapa has joined #openstack-ansible11:43
*** pto has quit IRC11:47
*** pto has joined #openstack-ansible11:51
mantiI need to disable vxlan setup, preferably so that everything else still keeps working... Would simply setting neutron_vxlan_enabled=false to user_variables accomplish this even though even openstack_user_config would still have vxlan type network defined?11:55
*** pto has quit IRC11:55
mantiOr actually, what I really need is a way to set the default network type as vlan, when the network is created from horizon. But disabling the vxlan is only thing that came to mind11:56
*** pto has joined #openstack-ansible12:02
*** dpawlik has quit IRC12:12
jrossermanti: i think that the only way you can do that is to disable vxlan, otherwise you'll get vxlan networks by default12:12
jrosserit's not really a horizon issue, it would happen also at the CLI when you create a network as a non-admin, the next available one in the database is given out to normal users. There's no way to choose the type12:13
jrosseryou'd have to experiment with neutron_vxlan_enabled to see if that's sufficient, vxlan is also listed in tenant_network_types in ml2_conf.ini12:19
*** dpawlik3 has joined #openstack-ansible12:20
*** dpawlik3 is now known as dpawlik12:26
mantiok, have to try it out12:27
mantiI'm using CLI as admin, so didn't think that the type option is not available for non-admins12:27
jrosseryou can create vlan provider networks as an admin and share them with specific projects using neutron RBAC12:33
jrosserit really depends what you want to achieve12:33
mantiI want the vlan to be default, so that in 3/6/12 months when I have forgotten that new network must be created as admin and with specific type, I don't accidentally get vxlan type network and spend hours finding out why it doesn't work12:37
mantisecond option is documenting the whole thing, but I suspect reading the document is not the first thing that happens if there is a need to create new network for some tests or something12:39
openstackgerritMerged openstack/openstack-ansible stable/train: Bump SHAs for stable/train  https://review.opendev.org/c/openstack/openstack-ansible/+/79035912:42
*** dwilde has joined #openstack-ansible12:53
*** spatel_ has joined #openstack-ansible13:00
*** spatel_ is now known as spatel13:00
openstackgerritJonathan Rosser proposed openstack/openstack-ansible-haproxy_server master: WIP - Use external PKI role to manage haproxy self-signed certificates  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/79007813:01
openstackgerritJonathan Rosser proposed openstack/ansible-role-pki master: WIP - Create server certificates  https://review.opendev.org/c/openstack/ansible-role-pki/+/78802113:03
*** dwilde has quit IRC13:04
*** dwilde has joined #openstack-ansible13:25
openstackgerritJonathan Rosser proposed openstack/openstack-ansible master: WIP - Test PKI role  https://review.opendev.org/c/openstack/openstack-ansible/+/78803113:26
jrossernoonedeadpunk: i think i've done as much as i want to on the PKI role for the time being, in case there's some issue needs dealing with13:26
jrosseryou were right though about nova-conductor, there is an issue with that13:27
noonedeadpunko_O molecule test13:28
jrosserwell yeah, just playing/experiment13:28
jrosserthe templated transport_url is causing some trouble for nova13:29
jrosseras far as i can see it's not picking up ssl_version from the config file13:30
*** dwilde has quit IRC13:34
noonedeadpunkhm, at it's not valid for query either, right? as see no https://www.rabbitmq.com/uri-query-parameters.html13:36
jrossernoonedeadpunk: for the galera 10.5.10 patch i could just revert the previous release note13:36
jrosserthough i wasn't sure if that was a good thing to do or not13:36
noonedeadpunkoh, well, thinking about reverting release note, I'm not sure either if it's good idea...13:37
noonedeadpunkI think it should be fine....13:37
noonedeadpunkbut can't recall doing that actually13:37
jrosserit would be tidier, because it's kind of like 10.5.9 never happened for W13:39
noonedeadpunkyeah13:39
jrosseri am wondering if https://www.rabbitmq.com/uri-query-parameters.html are the same as transport_url query parameters, because even ssl=1 is not one of the rabbitmq ones13:43
jrosseri think there is parsing of this in nova13:43
noonedeadpunkyep, template parses transport_url - that's 100%13:43
noonedeadpunkcell template13:43
openstackgerritJonathan Rosser proposed openstack/openstack-ansible-galera_server master: Update mariadb version to 10.5.10  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/79032913:45
jrosseri think what i'm not understanding is why the ssl_version setting is in [oslo_messaging_rabbit] and how that can be affected by using a transport_url template, or not13:53
noonedeadpunkwell, template is stored inside nova database in cell. And conductor with request to it evaluates this template based on the transport_url only.13:56
*** dwilde has joined #openstack-ansible13:57
jrosserthe version looks like it is set OK https://zuul.opendev.org/t/openstack/build/dfeadfcf2f90485f940288f6bf620779/log/logs/openstack/aio1_nova_api_container-352f42ff/nova-conductor.service.journal-18-02-02.log.txt#161613:57
noonedeadpunkthis is from config opts I guess13:58
jrosseryeah, and i think i expect that to be used by oslo.messaging, not nova itself13:58
*** dwilde has quit IRC13:59
noonedeadpunkyeah, I think that's the question here13:59
*** dwilde has joined #openstack-ansible13:59
noonedeadpunks/question/problem/13:59
noonedeadpunkso we kind of need to either find and fix default tls version, or find the way to pass version as a part of the query14:00
noonedeadpunkeven if not to use template in cell, it won't solve issue I think14:02
noonedeadpunkas still we need to pass everything required to the connection string itself14:02
jrosserwhat's a bit surprising is that as far as i can tell, other things are working OK with this configuration14:03
noonedeadpunkI think literally no other service does store database connection credentials in database...14:03
noonedeadpunk(and messaging as well)14:04
noonedeadpunkhttps://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL `Permits passing driver-specific options which override the corresponding values from the configuration file`14:05
noonedeadpunkhave you tried setting just `ssl_version` as query arg?14:06
noonedeadpunk*param14:06
jrosserno, i've not, can try though14:06
jrossermaybe if that works out ok then it's time to ask the nova people what they expect for this14:06
jrosseras that's exactly what i saw in the docs and thought it would be fine to leave the normal entry in the config file14:07
jrosserbut maybe the docs don't quite mean that14:07
noonedeadpunkyeah, I think just docs are confusing really14:07
noonedeadpunkas for nova case you need to have that nasty url either in config, or populate database with it14:08
noonedeadpunkwell, or split nova.conf and nova-conductor.conf14:08
jrosseroh well there is that whole business of db connection strings too14:11
noonedeadpunkyep14:11
noonedeadpunkthey literally store db connection params in db14:11
*** macz_ has joined #openstack-ansible14:15
openstackgerritMerged openstack/openstack-ansible-os_masakari stable/victoria: Replace deprecated host param for monitors  https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/79055814:16
noonedeadpunkah, you mean alike with rabbit14:17
noonedeadpunk#startmeeting openstack_ansible_meeting15:02
openstackMeeting started Tue May 11 15:02:55 2021 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.15:02
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:02
*** openstack changes topic to " (Meeting topic: openstack_ansible_meeting)"15:02
openstackThe meeting name has been set to 'openstack_ansible_meeting'15:03
noonedeadpunk#topic office hours15:03
*** openstack changes topic to "office hours (Meeting topic: openstack_ansible_meeting)"15:03
noonedeadpunko/15:03
*** dave-mccowan has quit IRC15:10
jrossero/ sorry in another meeting for a while15:12
noonedeadpunknp)15:12
noonedeadpunkso, the main thing from me, is that this week we move train to EM15:13
noonedeadpunkalso https://review.opendev.org/c/openstack/openstack-ansible/+/790042 is super close, but upgrade jobs fail in pretty frustrating way tbh15:14
noonedeadpunkoh, well, once I said that, I got the reason:)15:15
noonedeadpunkI had pretty short previous week because of public holidays here, so didn't accomplish much15:16
noonedeadpunkcentos failure for manila is an issue btw, which prevents from fixing a lot of the stuff for the role15:17
noonedeadpunkand it's failing with connection timeouts, like it's oom, but see nothing that would point to it in logs15:17
noonedeadpunkand test_mount_share_one_vm passes there...15:18
noonedeadpunkso really not sure what's wrong there - probably should spawn an aio to check out15:19
noonedeadpunkRegarding PKI role - looks really awesome.15:19
noonedeadpunkI think I will try it out during the week and check how things look like with it15:19
jrosseri need to push a few syntax fixes later15:19
noonedeadpunkprobably worth slowly removing wip?15:20
jrosserbut i think i'm very happy with how it's slotted into rabbitmq and haproxy15:20
noonedeadpunkyeah, roles are now soooo much cleaner15:20
noonedeadpunkwith amount of stuff dropped from them15:20
noonedeadpunkwill try to also pick this up and do galera part in case you haven't started that yet15:21
jrossersure, that would be really nice validation if someone other than me could understand and use it15:21
noonedeadpunkalso massive part there would be documentation of the way we handle SSLs nowadays15:22
noonedeadpunkbut lets merge main things first15:22
jrosseri did a small part on that in the latest WIP patch to openstack-ansible15:22
jrosserbut i think it needs some thought as it's kind of totally configurable15:22
noonedeadpunkoh, I think I just haven't seen it yet :(15:22
noonedeadpunkI think except rabbit/galera/haproxy would be awesome to finally encrypt live migrations as well, but I suspect that there might be pretty tricky things15:24
noonedeadpunkoh, wait. don't we leverage https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/790078/5/tasks/haproxy_ssl_key_distribute.yml for let's encrypt?15:25
jrosserno, each instance is independent15:25
noonedeadpunkeven when we first time issue?15:26
jrosseri think with the PKI role it will run for each host15:26
jrosserrather than need to distribute, and it puts in a SAN for the external_vip15:26
noonedeadpunkbut for SAN you need dns-01?15:27
jrosserno, only for wildcard15:27
jrosseroh well hold on15:27
noonedeadpunkah, ok, agree, sorry15:27
jrosserfor the initial selfsigned kind of anything will do15:27
jrosserjust enough to make haproxy start15:27
noonedeadpunkhm, I stopped understanding how lets encrypt works in our scenario :( to make it issue cert we need to stop all haproxy except one, so that VIP was moving between nodes?15:31
noonedeadpunkotherwise how it's passing http-0115:32
noonedeadpunk(without shared storage at least)15:32
jrosserno they all run15:32
jrosserthere is a backend to haproxy which looks for N possible certbots running15:32
noonedeadpunkoh15:33
jrosserthere will only ever be one running on one haproxy when the cert is issued / renewed for *that* node15:33
jrosserwe use haproxy to direct traffic from the VIP to the backend that needs it15:33
noonedeadpunkyeah, agree15:33
noonedeadpunkI kind of recalled why I did all sorts of nasty stuff when wanted let's encrypt to be issues certs behind haproxy15:34
noonedeadpunkbecause that haproxy was in octavia, so disregard please:)15:34
jrosseraah ok15:34
noonedeadpunkI wonder if we can in some time also cover internal endpoints with ssl having pki role on hands15:35
jrosserso i was thinking where do we want to call "done" for W15:35
noonedeadpunkwell, we can, technically, but I meant more about if it makes sense15:35
jrosserit could be haproxy+rabbit then the rabbit and tempest problems go away15:36
jrosserssl for everything else could be for X15:36
noonedeadpunkhaproxy+rabbit+galera?15:36
jrossercould do15:36
noonedeadpunkwe can stop actually just with rabbit. but want to play with role anyway)15:37
jrosserhaproxy might need some work to have different certs on the inside and outside15:37
jrosserthat would be ideal to terminate and re-encrypt with the private CA15:37
noonedeadpunkI'd say let's do this for X ?15:38
jrosseri would say yes, keep it minimal for W15:38
noonedeadpunkFor W I think we need to repair manila and adjutant at least15:38
jrosserit also protects against problem / design issue with the PKI role as its use is quite minimal15:38
noonedeadpunkoh, well, Bullseye image has landed15:39
noonedeadpunkso probably worth looking it's shape...15:39
jrosseryeah, maybe even considering making W the transition if it was possible15:39
jrosserto reduce the amount of stuff to cover for X15:40
noonedeadpunkyeah...15:40
jrossercould probably find in ~ 1 day if it's going to work or not15:40
noonedeadpunkjust found your comments on https://review.opendev.org/c/openstack/openstack-ansible/+/789376 - will take care of them15:41
noonedeadpunkI also have pretty vague memories about distro upgrade path...15:41
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Add Debian Bullseye support  https://review.opendev.org/c/openstack/openstack-ansible/+/78360615:53
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Add Debian Bullseye support  https://review.opendev.org/c/openstack/openstack-ansible/+/78360615:57
noonedeadpunk#endmeeting15:57
*** openstack changes topic to "Launchpad: https://launchpad.net/openstack-ansible || Weekly Meetings: https://wiki.openstack.org/wiki/Meetings/openstack-ansible || Review Dashboard: http://bit.ly/osa-review-board-v3"15:57
openstackMeeting ended Tue May 11 15:57:35 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:57
openstackMinutes:        http://eavesdrop.openstack.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-05-11-15.02.html15:57
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-05-11-15.02.txt15:57
openstackLog:            http://eavesdrop.openstack.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-05-11-15.02.log.html15:57
*** jamesden_ has joined #openstack-ansible16:16
*** jamesdenton has quit IRC16:17
*** dwilde has quit IRC16:18
*** dwilde has joined #openstack-ansible16:25
*** dwilde has quit IRC16:35
*** rpittau is now known as rpittau|afk16:36
*** dwilde has joined #openstack-ansible16:41
*** andrewbonney has quit IRC17:07
*** dwilde has quit IRC17:34
*** spatel has quit IRC17:42
*** dwilde has joined #openstack-ansible17:48
*** spatel_ has joined #openstack-ansible17:57
*** spatel_ is now known as spatel17:57
*** dwilde has quit IRC18:05
*** dwilde has joined #openstack-ansible18:07
*** pto has quit IRC18:19
*** pto has joined #openstack-ansible18:35
*** gyee has joined #openstack-ansible18:45
*** dwilde has quit IRC19:39
*** spatel has quit IRC19:50
*** dwilde has joined #openstack-ansible19:57
*** macz_ has quit IRC20:09
*** rh-jelabarre has quit IRC20:09
*** Adri2000 has quit IRC20:09
*** macz_ has joined #openstack-ansible20:13
*** rh-jelabarre has joined #openstack-ansible20:13
*** Adri2000 has joined #openstack-ansible20:13
*** fridtjof[m] has quit IRC20:16
*** manti has quit IRC20:16
*** masterpe has quit IRC20:16
openstackgerritSlawek Kaplonski proposed openstack/openstack-ansible-os_tempest master: Make list of Neutron API extensions to be configurable  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/79081820:28
*** masterpe has joined #openstack-ansible20:37
*** masterpe has quit IRC21:02
*** dwilde has quit IRC21:03
*** manti has joined #openstack-ansible21:08
*** fridtjof[m] has joined #openstack-ansible21:14
*** masterpe has joined #openstack-ansible21:30
*** kleini has quit IRC22:24
*** Carcer has quit IRC23:08
*** Carcer has joined #openstack-ansible23:08
*** macz_ has quit IRC23:17
*** tosky has quit IRC23:24
*** ebbex has quit IRC23:31
*** ebbex has joined #openstack-ansible23:51
