Wednesday, 2021-05-12

*** spatel_ has joined #openstack-ansible02:16
*** spatel_ is now known as spatel02:16
*** gyee has quit IRC02:20
*** evrardjp has quit IRC02:33
*** evrardjp has joined #openstack-ansible02:33
*** spatel has quit IRC03:08
*** macz_ has joined #openstack-ansible05:37
*** macz_ has quit IRC05:43
*** miloa has joined #openstack-ansible05:57
*** miloa has quit IRC06:12
openstackgerritJonathan Rosser proposed openstack/ansible-role-pki master: Create CA and server certificates  https://review.opendev.org/c/openstack/ansible-role-pki/+/78802106:20
*** rh-jlabarre has joined #openstack-ansible06:22
*** rh-jelabarre has quit IRC06:22
openstackgerritJonathan Rosser proposed openstack/openstack-ansible-openstack_hosts master: Use PKI role to install CA certificates  https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/79043106:26
openstackgerritJonathan Rosser proposed openstack/openstack-ansible-rabbitmq_server master: Modernise TLS configuration  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/78978906:33
openstackgerritJonathan Rosser proposed openstack/openstack-ansible-rabbitmq_server master: Use ansible-role-pki to generate SSL certificates  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/78803206:33
*** kleini has joined #openstack-ansible06:33
openstackgerritJonathan Rosser proposed openstack/openstack-ansible-haproxy_server master: Use integrated tests for haproxy_server  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/79009006:37
openstackgerritJonathan Rosser proposed openstack/openstack-ansible-haproxy_server master: Use external PKI role to manage haproxy self-signed certificates  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/79007806:37
*** ChipOManiac has joined #openstack-ansible06:38
*** pto_ has joined #openstack-ansible06:47
*** pto has quit IRC06:50
*** pto_ has quit IRC06:51
*** tinwood has quit IRC06:54
*** tinwood has joined #openstack-ansible06:57
*** jhesketh has quit IRC07:08
*** tosky has joined #openstack-ansible07:09
*** pto has joined #openstack-ansible07:14
*** macz_ has joined #openstack-ansible07:17
*** andrewbonney has joined #openstack-ansible07:17
*** macz_ has quit IRC07:21
*** rpittau|afk is now known as rpittau07:26
noonedeadpunkmornings07:57
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible-os_tempest master: Rename whitelist and blacklist in role  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/78488508:04
ChipOManiacnoonedeadpunk morning.08:08
*** macz_ has joined #openstack-ansible08:09
jrossermorning08:11
*** macz_ has quit IRC08:13
*** mgariepy has quit IRC08:15
admin0mornings08:17
*** mgariepy has joined #openstack-ansible08:18
CeeMacmorning08:18
openstackgerritJonathan Herlin proposed openstack/openstack-ansible-os_tempest master: Rename whitelist and blacklist in role  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/78488508:18
jonhermorning08:19
noonedeadpunkthanks for fixing :)08:22
*** jhesketh has joined #openstack-ansible08:23
*** pto has quit IRC08:29
*** dave-mccowan has joined #openstack-ansible08:31
*** pto has joined #openstack-ansible08:31
jonheryeah i was waiting for centos things to be fixed before triggering another ci pipeline with just comments, but since you edited it now i just fixed the spelling08:36
*** pto_ has joined #openstack-ansible08:37
*** pto has quit IRC08:40
noonedeadpunkI hope they are now actually08:43
noonedeadpunkhttps://review.rdoproject.org/r/c/rdoinfo/+/3342008:43
jonheroh ok :) we'll see if zuul agrees08:46
*** sshnaidm_ has joined #openstack-ansible08:48
*** pto has joined #openstack-ansible08:50
*** sshnaidm has quit IRC08:50
*** pto has quit IRC08:51
*** pto has joined #openstack-ansible08:52
jrossernoonedeadpunk: after setting the transport_url to a template with nova-manage, should we restart the services?08:55
jrosseri'm now unable to reproduce the nova-conductor SSL error here locally, maybe because i run the playbooks / restart things a few times08:55
jrosseri.e we have no notify: stuff around this https://github.com/openstack/openstack-ansible-os_nova/blob/master/tasks/nova_db_setup.yml#L68-L9908:56
noonedeadpunkjrosser: so, if it's not template - then service restart is not required. If it's template and you change config file then you need to restart iirc as template is evaluated on service startup08:58
jrosseri am still a bit confused about how this works tbh as we have a template with nova-manage and also transport_url in the config file08:59
noonedeadpunkso on startup nova parses transport_url from the config file. it sets local variables as of scheme, username, password, etc, based on the parsing result (like just named groups of regexp). and substitutes template based on the stuff it parses from config file09:01
jrosserand this is because normally transport_url is in the DB for nova?09:05
noonedeadpunkno, it should be in both places actually anyway09:05
jrosserlol :)09:05
noonedeadpunkfrom cell_mappings it's used by conductor only, and all other services use config09:06
noonedeadpunkbut template kind of allows to specify just in config and don't really care about db since it will be the same09:06
*** rpittau is now known as rpittau|bbl09:07
jrosserok that makes sense09:07
noonedeadpunkotherwise, in case you change nova password, you have to update db as well with new credentials09:07
noonedeadpunkas conductor will try to connect with old ones09:07
noonedeadpunk(eventually that's how I found that all out)09:07
noonedeadpunkBut, it parses only what you have for transport_url and don't really care about other options/sections of the config file09:08
noonedeadpunkso it takes just transport_url and apply regexp to it09:09
noonedeadpunkbut I think I just don't really understood the question :(09:14
*** pto has quit IRC09:19
jrosserwell in the simplest sense the question is wtf is happening here :) https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_4b3/788032/6/check/openstack-ansible-deploy-aio_metal-ubuntu-focal/4b3e6f1/logs/host/nova-conductor.service.journal-08-05-13.log.txt09:20
jrosserand it's kind of tough because the logging is not really actually helpful for what has failed09:20
jrosserSSL version error could even be its still trying the non-ssl port for rabbitmq for example09:21
noonedeadpunkI think logging is not helpful as we don't really see how template has been filled...09:23
*** sshnaidm_ is now known as sshnaidm09:28
noonedeadpunkoh, that's actually change that implements it https://review.opendev.org/c/openstack/nova/+/578163/4/nova/objects/cell_mapping.py09:28
noonedeadpunkthere's no log.debug there...09:29
*** pto has joined #openstack-ansible09:30
noonedeadpunklet me probably try to spawn up aio as well....09:31
jrossersomething makes me wonder if the logging isn't wired up right, not sure we ever see this https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/_drivers/impl_rabbit.py#L608-L61009:43
noonedeadpunkI never saw that indeed09:43
noonedeadpunkI wonder if it expects debug to be set elsewhere09:44
* jrosser asks in oslo channel09:47
*** macz_ has joined #openstack-ansible10:09
noonedeadpunkit's a bit deserted though :(10:11
*** macz_ has quit IRC10:14
*** rpittau|bbl is now known as rpittau10:19
*** jnamdar has joined #openstack-ansible10:19
*** Mr_Smurf has joined #openstack-ansible10:25
jnamdarHi everyone! I'm trying to spin up an AIO to checkout all of the supported openstack services in openstack-ansible. I was trying out the AIO doc in stable/ussuri and basically using a SCENARIO environment variable with all the services (like aio_lxc_swift_etc...), but I keep getting into issues with some services like swift, ceph and others (some10:26
jnamdarof these issues are already logged on the launchpad). Has anyone got to setup such a thing (all of the services at once)? Would you recommend me to switch to the latest tag of openstack-ansible? FYI I got to install the default scenario without issues to try it out.10:26
noonedeadpunkI think we never tried using that with _all_ components10:27
noonedeadpunkalso would be great to have some of the examples, as actually fixes might already be landed.10:28
noonedeadpunkimo swift doesn't make much sense when ceph is in place as they're going to conflict (and eventually implement the same functionality)10:29
Mr_Smurfsorry to bother you guys... but I'm stuck trying to deploy ceph-rgw-install.yml. I'm missing something because no matter how much i run the openstack-hosts-setup.yml and setup-infrastructure.yml playbooks I don't get any containers. I just get the hostnames generated for them.10:30
*** macz_ has joined #openstack-ansible10:30
Mr_Smurfusing stable/victoria10:31
jnamdarnoonedeadpunk yes that's my thought as well about ceph. I don't really know how to disable it though, I did remove its .yml file from conf.d before launching the setup. For instance I encountered this bug among others https://bugs.launchpad.net/openstack-ansible/+bug/187919210:31
openstackLaunchpad bug 1879192 in openstack-ansible "AIO with swift gnocchi and ceilometer will not install" [Undecided,New]10:31
*** corbani has quit IRC10:32
noonedeadpunkinteresting. Actually I somehow missed that bug :(10:33
noonedeadpunkwell, personally I'd prefer ceph instead of the classic swift :)10:33
*** macz_ has quit IRC10:34
noonedeadpunkMr_Smurf: so, when you run `./scripts/inventory-manage.py -g` you see all of the container names, but doesn't for `lxc-ls`?10:36
noonedeadpunkjnamdar: ceph basically shouldn't be deployed unless you provide it in scenario....10:37
Mr_Smurfnoonedeadpunk: yes10:37
noonedeadpunklet me try to spawn aio to catch the bug. Not an expert in swift :(10:38
Mr_Smurfnoonedeadpunk: I am using an external ceph so I only want to deploy the rgw service. I have configured ceph-rgw_hosts (ceph-osd_hosts and ceph-osd_hosts are set to {})10:40
noonedeadpunkMr_Smurf: ok, so you're missing only rgw container or all of them?10:41
Mr_Smurfnoonedeadpunk: all of them10:41
Mr_Smurfnoonedeadpunk: correction.. all of the rgw containers.. I have other containers10:42
Mr_Smurfnoonedeadpunk: the cloud is functional and I have lots of other containers but I can't get it to create the rgw containers10:43
noonedeadpunkoh, well. I think to create containers you would need to run setup-hosts.yml instead of the openstack-hosts-setup.yml (openstack-hosts-setup.yml is included in setup-hosts.yml though)10:43
noonedeadpunkah, ok10:43
noonedeadpunkwell, try doing this10:43
Mr_Smurfnoonedeadpunk, I'll try that10:43
noonedeadpunkwait :)10:43
noonedeadpunkopenstack-ansible playbooks/lxc-containers-create.yml  --limit ceph-rgw,lxc_hosts10:44
*** sshnaidm is now known as sshnaidm|afk10:46
jnamdarnoonedeadpunk yes I know right, I didn't provide it in the scenario env. variable so I don't know why it started installing10:48
Mr_Smurfnoonedeadpunk: well when you say it... it's all obvious.. I'll run that :) Thanks10:48
Mr_Smurfnoonedeadpunk: it looks like the containers are being created now, thank you.10:50
*** shyamb has joined #openstack-ansible11:14
noonedeadpunkMr_Smurf: ok, sweet :)11:14
noonedeadpunkjnamdar: maybe you've added manila?11:15
jrossernoonedeadpunk: https://docs.openstack.org/nova/latest/configuration/config.html#DEFAULT.default_log_levels11:17
noonedeadpunko_O11:17
noonedeadpunkI'd expect inheriting debug = true tbh11:19
noonedeadpunkare ppl really expected to set all this for debug of wtf is going on?11:20
jrosseralso like really? 'oslo.messaging=INFO', 'oslo_messaging=INFO'11:21
jrosserand i am wondering if i need the entire giant string just to override one of those :/11:22
noonedeadpunkI guess just `oslo.messaging=INFO,oslo_messaging=INFO`11:22
noonedeadpunkwell, depends if all of these have defaults...11:22
Mr_Smurfnoonedeadpunk: now I just have to figure out how to prevent it from trying to generate fsid and use the one I have in my ceph cluster :)11:22
noonedeadpunkI think it's set with some variable...11:23
Mr_Smurfnoonedeadpunk: yes.. I'm browsing documentation...11:23
noonedeadpunkoh, like `generate_fsid: false`11:23
noonedeadpunkand `fsid: $UUID`11:24
*** shyamb has quit IRC11:24
jrosseri wonder if deploying radosgw with OSA but the rest of ceph externally is something tried before11:25
Mr_Smurfnoonedeadpunk: thanks, generate_fsid: false was missing in my config11:25
jrosserthat would be interesting to document what is needed11:26
Mr_SmurfI've not found any documentation on that.. I can make some notes on what I'm doing11:26
jrosserthat would be great, we have a section in the docs for various kinds of ceph integrations but not quite this scenario11:28
jonher^ probably want to do the same soon. external ceph but rgw on OSA nodes11:29
Mr_Smurfjonher: then I can take notes and you can verify them before posting it in the documentation11:31
jonhersounds good11:32
jnamdarnoonedeadpunk mmh yes I may have added manila in the scenario triggering a ceph vs swift conflict.  Is there any doc that could point me to a setup with lots of services so I can avoid these kind of conflicts?11:43
noonedeadpunkum, no, I don't think we have one. but you can check https://opendev.org/openstack/openstack-ansible/src/branch/master/tests/roles/bootstrap-host/vars/main.yml for implicitly included scenarios11:45
jnamdarnoonedeadpunk Oh I see, so if I use SCENARIO='aio_lxc_telemetry' for instance, that should be safe ? But 'aio_lxc_ironic_manila' would not?11:49
noonedeadpunkjnamdar: yeah, kind of11:55
noonedeadpunkonce you said that, I think we kind of need the way to override this behaviour...11:56
noonedeadpunkas we were doing that mainly for CI purposes...11:56
jrosseri guess that SCENARIO is designed to cover a fixed set of things for automating CI and local development11:56
Mr_Smurfjonher: well, it did not work all the way... TASK [ceph-rgw : get keys from monitors] *** fatal: [host-ceph-rgw_container-36c58c34]: FAILED! => {"msg": "list object has no element 0"}11:57
jrosserif you want a more complex setup than that can accommodate you're probably at the point of having to understand how to create a custom config anyway11:57
jnamdarBefore I started using SCENARIO, I was manually adding .yml files for each role in the conf.d folder, but that wasn't working as well (some config was missing)11:58
jonherMr_Smurf my first guess would be yaml formatting seeing that error11:58
jnamdar@jros11:58
jnamdar@jrosser yeah, I think so too11:58
jonheroh i see, it tries to fetch from nodes that are not part of the deployment :)11:59
Mr_Smurfjonher: it might be looking in the list for OSA monitors that is not defined11:59
noonedeadpunkyeah, was just about to write that you still need to provide monitors for ceph-ansible, or you can probably just provide keys (can't recall exactly if they have option for that)12:01
jrosserthere is documentation for that here https://docs.openstack.org/openstack-ansible-ceph_client/latest/config-from-file.html12:02
jrosseri think in this case because the mons are not part of the deployment you can't have ceph-ansible ssh to them, as they're not in the inventory12:04
jrosserso keys will need to be provided via the deployment host to the rgw12:05
openstackgerritJonathan Rosser proposed openstack/openstack-ansible-os_nova master: Add variables for rabbitmq ssl configuration  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/79003712:07
Mr_Smurfjrosser: I'm running an strace to see if it is even looking in the ceph_keyrings_dir12:09
jrosserMr_Smurf: there are very specific ansible tasks for that here https://github.com/openstack/openstack-ansible-ceph_client/blob/master/tasks/ceph_get_keyrings_from_files.yml12:11
Mr_Smurfjonher: yes, it's not even looking.. so I need to skip that task in some way12:11
jrosserso i think that an important thing first is that the condition here is met https://github.com/openstack/openstack-ansible-ceph_client/blob/master/tasks/ceph_auth.yml#L23-L2412:11
jrosserit should be possible to debug most of this with adding maybe -vv to the openstack-ansible command12:12
jrosserand also add a few debug: var=<foo> tasks into the roles if you need to see some values at runtime12:13
openstackgerritJonathan Rosser proposed openstack/openstack-ansible-os_nova master: Add variables for rabbitmq ssl configuration  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/79003712:14
*** sshnaidm|afk is now known as sshnaidm12:19
*** ChipOManiac has quit IRC12:21
*** shyamb has joined #openstack-ansible12:23
*** macz_ has joined #openstack-ansible12:28
noonedeadpunkoh my ^12:30
*** macz_ has quit IRC12:33
noonedeadpunkjrosser: btw, have you seen that? It happens during parallel git clone http://paste.openstack.org/show/805279/12:34
noonedeadpunkon focal (works nicely on the bionic at the same time)12:34
noonedeadpunkoh, well, this happens I think just during re-run...12:41
noonedeadpunkactually that's pretty logical... since we don't have tags for our repos...12:46
noonedeadpunkat least with depth=20 for sure12:46
*** spatel has joined #openstack-ansible12:52
*** jpward has joined #openstack-ansible12:54
*** shyamb has quit IRC12:57
noonedeadpunksome logic feels a bit weird to me...13:00
noonedeadpunkwhy don't we check for this for hash scenario? https://opendev.org/openstack/openstack-ansible/src/branch/master/playbooks/library/git_requirements.py#L19213:01
*** macz_ has joined #openstack-ansible13:05
noonedeadpunkand why we do all these fetching if we need to checkout to master...13:06
*** macz_ has quit IRC13:09
*** pto has quit IRC13:15
*** dave-mccowan has quit IRC13:24
Mr_Smurfjonher: I just commented out the part that copied the keys in the role file and then made new keys manually and placed in the containers13:35
Mr_Smurfjrosser: ^^13:36
jonherok we have done a takeover in a separate repo from OSA so i'll likely have mons available for that step, or configure the dir that it _should_ look in13:36
Mr_Smurfjonher: anyway I now have a working set of rgw:s and a ceph cluster complaining about stray hosts but that is to be expected13:38
noonedeadpunkok, parallel clone is kind of broken IMO....13:43
noonedeadpunkIe, i set `ok: [localhost] => (item={'name': 'os_ironic', 'scm': 'git', 'src': 'https://opendev.org/openstack/openstack-ansible-os_ironic', 'version': '109698e942a3c20a3e4d0fc66ffa94e741d2738e', 'trackbranch': 'master'}) `13:43
noonedeadpunkbut have `On branch master` with git status13:43
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible stable/train: Prepare Train to EM  https://review.opendev.org/c/openstack/openstack-ansible/+/79065513:49
*** gshippey has joined #openstack-ansible13:53
noonedeadpunkoh, hm... it's actually working... just git status confuses a lot...13:57
jrossernoonedeadpunk: gshippey has been doing related work here recently for parallel clone, was there something to look at14:00
* jrosser -ETO_MANY_MEETINGS14:00
noonedeadpunkreset_to_version is really weird....14:00
noonedeadpunkI mean even if we reset to tag, it would be still master, but diverged one...14:01
noonedeadpunksame applies to sha14:01
*** sgautam has joined #openstack-ansible14:57
sgautamGreeting everyone.15:02
sgautamI was trying to add the custom built service to the openstack stack though Openstack Ansible. I can see that repo in the repo_packages are public repo. Is there a way for us to use the private repo?15:02
*** macz_ has joined #openstack-ansible15:06
noonedeadpunksgautam: Um, I guess as repo you can provide `git@github.com:mylogin/hello.git` ?15:06
noonedeadpunkeventually we leverage ansible's git module for cloning repos15:06
jrosserif you want to extend repo_packages, variables of the same pattern can go in user_variables.yml15:07
noonedeadpunkoh, right, I was talking more about roles...15:08
noonedeadpunkbut eventually we use stuff from repo_packages as regular variables in our roles during venv build process15:09
*** macz_ has quit IRC15:10
sgautamSo we might need to provide private key? As currently that project is private. I though the one provided in repo_packages are public repository.15:11
*** spatel has quit IRC15:14
*** cyberpear has quit IRC15:15
*** spatel_ has joined #openstack-ansible15:19
*** spatel_ is now known as spatel15:19
noonedeadpunkIt feels for me I'm not sure about usecase you see? So you want to install extra service from private repo. But you would need to also have a role that will deploy it?15:22
noonedeadpunkor it should integrate with some openstack service?15:22
noonedeadpunkie be part of nova or whatever?15:22
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible master: Always use checkout for git_requirements library  https://review.opendev.org/c/openstack/openstack-ansible/+/79101115:24
noonedeadpunkjrosser: I come up to this ^ but not really sure if I've missed some valid usecase for git reset... I couldn't think about any tbh15:25
jrossersgautam: you can also clone the repo to a local mirror if you have one and reference that, no authentication would be needed then15:26
*** macz_ has joined #openstack-ansible15:26
*** gyee has joined #openstack-ansible15:26
jnamdarnoonedeadpunk : I was wondering which version and OS is the most tested for OSA? Would that be the latest OSA tag on Ubuntu 20 for instance ?15:27
jnamdar(I am including OSA roles as well like os_trove etc.)15:27
evrardjpOne thing I regret since we split the roles into their own repo (rightfully so), is the complexity for ppl to understand how they can have their own roles.15:28
jrosseri never did find a nice pattern for own playbook to go with own role though15:29
evrardjpIf you are interested, I still have an idea about that, but it would require the usual suspects for that to be around the table, and decide :)15:29
noonedeadpunkjnamdar: I think trove is valid actually only for master atm15:29
jrosseri think theres a chicken/egg about not being able to include_playbook unless you know the name ahead of time15:29
evrardjpjrosser: could you clarify why is that a problem?15:30
noonedeadpunkjnamdar: it should be pretty broken even for victoria15:30
evrardjpI am not sure to understand the problem :)15:30
noonedeadpunkbut yes, that would be ubuntu focal15:30
evrardjpand hello folks15:30
jrosserwell i guess at the end of setup_openstack you want to also run {{ user_playbooks }}15:31
-openstackstatus- NOTICE: Any builds with POST_FAILURE result and no available logs between 11:41 and 14:41 UTC today were related to an authentication endpoint problem in one of our providers and can be safely rechecked now15:31
jrosserand maybe end of setup_hosts and setup_infrastructure too15:31
noonedeadpunkevrardjp: I think in this case we're talking about really service, not the role.15:31
noonedeadpunkwell, I think we can just include smth like user_playbook and not fail if it doesn't exist?15:32
jrosseryeah, well we have nice extensibility currently for roles with openstack_deploy/user_role_requirements.yml15:32
jrosserbut no equivalent hook point for playbooks to deploy those extra roles you bring in15:32
jrosserevrardjp: ^ i think thats really the thing we miss to bring in a user defined service15:33
noonedeadpunkor can even check for existence of files in /etc/openstack_deploy/playbooks and just include them15:34
noonedeadpunkshouldn't be really tough. but not sure how it's required though15:34
jrosserright, but adding stuff into that dir is nasty really from a version control POV15:34
noonedeadpunkas eventually you run setup-openstack sooooo rarely in prod15:34
noonedeadpunkum why so? git submodules?15:35
evrardjpnoonedeadpunk: I have another idea , but you are closer :)15:35
*** spatel has quit IRC15:35
jrosser:) i think i try literally everything else before submodules15:35
jnamdarnoonedeadpunk is there any board where I can check the testing results of these roles?15:35
evrardjpjrosser: we can blame the lack of ambition around python for this15:35
noonedeadpunkjrosser:  ln -s ?:)15:36
jrosserthat would do it :)15:36
jrosserwith a gitignore entry15:36
evrardjphowever, I feel like it OSA could have be smarter in terms of playbooks15:36
jrosserideas welcome :)15:36
evrardjpWhen the HP folks finally wanted to collaborate with OSA, I loved their framework and extensibility15:37
noonedeadpunkI mean it doesn't matter much. But what I'd do is just to have another repo in /opt/ with playbooks/custom stuff15:37
evrardjpI quickly realised it was however too complex :)15:37
evrardjpnoonedeadpunk: yeah, but it's annoying to say: run these 5 playbooks from there, then that one from here, then that 5 last ones from there15:38
evrardjpso you end up writing a script to do it, then you realise it's also annoying when something fails15:38
evrardjpbut I guess we have to live with Ansible's nature :)15:38
noonedeadpunkevrardjp: well, for adding new compute we have that actually https://opendev.org/openstack/openstack-ansible/src/branch/master/scripts/add-compute.sh15:38
evrardjpyeah I am not surprised15:39
evrardjp:D15:39
noonedeadpunkwhere you can define pre and post tasks with env vars15:39
noonedeadpunknot ideal...15:39
evrardjpAt some point, I wanted to have OSA without a-r-r15:40
evrardjpso it would force people to deal with osa tree, and deal with git.15:40
noonedeadpunkum.....15:41
evrardjpand to avoid the mess ups, I wanted to have all the roles as subtrees (intended to pull only) inside roles/15:41
evrardjpso basically when you clone OSA, you have everything, but you will still need to do your homework in terms of branching, etc.15:41
evrardjpThe benefit I saw was that people, contributing to the tree all the time, would be just one step away from contributing to OSA.15:42
noonedeadpunkwell I was thinking more about collections I guess.15:42
evrardjpOh those are old ideas , I don't mean they are relevant today :)15:43
evrardjpI just fixed my bouncer, saw light, so I just came by to say hello.15:43
noonedeadpunkAnd I guess what stops from contributing upstream is not being aware how easy that could be and you are not unique with your usecase - it can be helpful for others15:44
*** spatel_ has joined #openstack-ansible15:44
*** spatel_ is now known as spatel15:44
noonedeadpunkso ppl continue to maintain stuff locally as they got used to with all that corporate stuff they've used before15:45
evrardjpso true15:45
noonedeadpunkit's more mindset thing I guess15:45
evrardjpyeah it was, and still is15:45
evrardjpglad we have good folks around this channel though! :)15:48
evrardjphow is everyone?15:49
noonedeadpunkdoing babysteps I think )15:49
noonedeadpunkyeah, you should come by more often to keep level of the channel :p15:50
jrossertheres good stuff happening, though keeping on top of operating system churn is kind of a big overhead15:50
noonedeadpunkespecially when we're talking about centos15:51
jrossersupport matrix feels barely sustainable sometimes15:51
noonedeadpunkoh! support matrix15:51
jrosserah whoops :)15:51
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible master: Always use checkout for git_requirements library  https://review.opendev.org/c/openstack/openstack-ansible/+/79101115:52
evrardjpjrosser: yes that's annoying. But I doubt anytime soon that ppl will move to a rolling release15:53
evrardjpI mean, I would totally love to see openstack on arch linux15:53
evrardjpyou have latest python, so you also have the latest bugs15:53
evrardjpbut it's also the right place to fix stuff and never care about doing an upgrade anymore15:53
noonedeadpunkwell, I think from deployment tool perspective, rolling releases are not much better as they would require attention more often?15:54
evrardjpnevertheless, I see people not doing CI/CD with openstack, or having a very loose definition of _continuous_ :)15:54
evrardjpdo they?15:54
evrardjpAssuming openstack is ready for those bits (which it isn't, let's be clear)15:54
jrosserstuff takes too long though15:55
noonedeadpunkwell, you got new libvirt version, that nova has no idea of...15:55
jrosserlike overnight we find rabbitmq is totally hosed for SSL15:55
jrosserand a whole cycle to deal with fixing that15:55
noonedeadpunkyeah15:55
noonedeadpunk :(15:55
noonedeadpunkwell, let's say we spent it for super proper fix imo15:55
evrardjpyeah it's a different mindset15:56
noonedeadpunkas we could do smth nasty really fast to cover that15:56
evrardjpI don't think it's a failure in either case, it's just a different approach :)15:56
evrardjpI know when I said that last time, ppl went out with their pitchforks15:57
evrardjpI am not sure why I am saying this again, maybe I am expecting to be chopped in bits this time instead?15:58
evrardjphaha15:58
noonedeadpunkMaybe you just like pain?:)15:58
evrardjpHow long have you been PTL again? ;)15:58
noonedeadpunkum, year I guess?15:58
evrardjpYou see, you like it too!15:59
evrardjpj/k ofc15:59
noonedeadpunkah, no, just beginning of the second cycle!15:59
noonedeadpunkSo I'm just trying to get used to it haha15:59
evrardjphehe :)15:59
evrardjpyeah that makes sense15:59
evrardjpwhy is jrosser hiding now?16:00
noonedeadpunkAnd I do really terrible job in terms of recruiting cores16:00
jrosserhmm?16:00
evrardjpjrosser: It's just that I am happy to see you here :)16:00
noonedeadpunkbut remote events doesn't help here tbh16:00
jrosserevrardjp: nice to see you back around too!16:01
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Add OS compatability matrix  https://review.opendev.org/c/openstack/openstack-ansible/+/78937616:01
evrardjpI am not really back, I am just stuck between a CI and meetings ;p16:01
evrardjpand FIPS stuff!16:01
noonedeadpunkevrardjp: oh, well, Walmart also aims to make pretty big thing during this cycle16:01
evrardjpnoonedeadpunk: oh really?16:02
evrardjpThey are still active here?16:02
jrosserwe've added some cool things in the last few years, OIDC is pretty sorted, LetsEncrypt for HA16:02
evrardjpoh nice!16:02
evrardjpOIDC, that's quite fancy16:02
evrardjpso what you are using keystone domains with OIDC?16:02
noonedeadpunkhttps://specs.openstack.org/openstack/openstack-ansible-specs/specs/xena/protecting-plaintext-configs.html16:02
jrossermy team have OSA -> keycloak -> corporate IdP16:03
evrardjpnice!16:03
jrosserand we also got CLI working with OIDC auth16:03
evrardjpoh wow16:03
evrardjpthat's very interesting!16:03
evrardjpDid you make a presentation on how this was done?16:03
jrosserit needs to launch a browser to auth and do the 2FA bit16:03
evrardjpand what it looks like?16:03
evrardjpthis is awesome!16:03
jrosserbut it returns a token into your shell and off you go16:03
noonedeadpunkwe're looking into keycloak as well, for different thing atm, but hopefully will integrate with keystone one day as well16:04
evrardjpKeycloak is super well known16:04
evrardjpRH took the market there :D16:04
evrardjpjrosser: your corporate IdP is based on SAML or is it with OIDC too?16:04
jrosserit's both, forgerock stuff i think16:05
evrardjpI am just wondering how it works in terms of protocols behind this, and how it works on the openstack bits16:05
evrardjpI have to go, sadly!16:05
noonedeadpunkyeah, they did along with ipa...16:05
evrardjpI am super eager to hear about this too16:06
noonedeadpunkhope seeing you around:)16:06
evrardjpthe castellan bits are also interesting btw :)16:06
evrardjpIt's great to see you folks, and to see OSA in good hands. :)16:06
jrosseri think this is a public repo https://github.com/bbc/keystoneauth-oidc16:07
noonedeadpunkit is16:07
jrosserthats our fork with added support for PKCE which makes the CLI user-experience not ridiculous16:07
noonedeadpunkoh, so you actually auth services through oidc as well?16:07
jrosserotherwise you need to share a OIDC client-secret with CLI users which is really not cool16:08
jrosseryes, nothing except the corporate auth provider from an end-user perspective16:08
jrosserit's really minimised the overhead of user management16:08
jrosserlike its zero, basically16:09
noonedeadpunkand you skip `service_setup.yml` I guess? since you pre-provision service users?16:10
jrosseroh hold on no.....16:11
evrardjpthat would make a _great_ summit video16:11
jrosserexternal auth for users is all OIDC16:11
noonedeadpunkand internal still password?16:11
jrosserinternal stuff for services is just as usual16:11
noonedeadpunkah, I see16:11
evrardjpyou could do service users though, I guess? and application passwords?16:12
jrosserand we need keycloak there to enhance the forgerock backend stuff which we could have used directly, but doesnt do fancy things like PKCE16:12
noonedeadpunkI just really looking into some solution not to make password rotations when ppl leave insane16:12
*** rpittau is now known as rpittau|afk16:12
jrosseri would seriously look at keycloak + vault + signed keys16:13
jrosserand try to just get rid of passwords16:13
noonedeadpunkand actually keycloak looks like solution16:13
jrossermanaging ssh key add/remove is totally PITA so making that go away as well is really excellent16:13
noonedeadpunkyeah, that was my thought as well.... not enough time and not super high prio I guess now though...16:14
noonedeadpunkbut super interesting and smth I want to do for sure16:15
noonedeadpunkwell, ssh keys rotation could be perfectly done also with freeipa, and hosts are anyway in ldap... But other option is to delegate that to zuul CD part16:16
noonedeadpunkSince all keys are in repo just when you merge change - zuul rollout them16:17
jrosserit's also helpful for re-PXE'ing things, it's a kind of one-line bash late command to insert the CA into openssh config16:18
jrosserthen anyone can ssh straight in the moment the host comes up16:18
noonedeadpunkyeah, agree16:18
* jrosser really looking forward to ripping out os_nova key distribution for this16:19
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible master: Always use checkout for git_requirements library  https://review.opendev.org/c/openstack/openstack-ansible/+/79101116:20
noonedeadpunkbtw, talking about ssh keys, I think we should add https://opendev.org/openstack/openstack-ansible-openstack_hosts/src/branch/master/tasks/openstack_authorized_keys.yml#L28 "from" option to allow access only from deploy host IPs16:21
noonedeadpunkbut it's not place where we place ssh keys....16:27
jrosseri wonder if that breaks anything like lsync or if we have properly other users for that16:28
jrosserwhat even is ssh_key_url?16:29
jrosserlooks like opportunity to just delete that https://codesearch.opendev.org/?q=ssh_key_url16:30
jrossernoonedeadpunk:  i have to head out for a bit but not really finding whats breaking tempest in this https://7b87cf7610fc809332ed-10283f798a6aff54957655db10501caf.ssl.cf2.rackcdn.com/788031/7/check/openstack-ansible-deploy-aio_metal-debian-buster/df9f979/16:40
jrosserinterested if you can spot something16:40
*** dwilde has joined #openstack-ansible17:10
noonedeadpunkI also looked at ssh_key_url and felt like probably some leftover from jenkins maybe?17:30
noonedeadpunkwell, it's breaking old good WRONG_VERSION_NUMBER in conductor....17:32
noonedeadpunkbut feels like we should have url logged now...17:32
noonedeadpunkbut don't see a thing....17:34
jrosseroh!17:36
jrossergood spot17:36
jrosserbecause Connecting to AMQP server on 172.29.236.100:567217:36
jrosserthats not right17:36
noonedeadpunkthat's wrong port?17:37
jrosseryeah, thats the non ssl one17:37
jrossershould be 567117:37
noonedeadpunkbut we don't have that in config....17:37
noonedeadpunkI tried half of the day to spawn 2 aio, but found so many other things on that road....17:38
*** MrClayPole has quit IRC17:38
jrosseroh what, err, earlier in the same log is Connected to AMQP server on 172.29.236.100:567117:38
noonedeadpunkI think really depends on what connects17:39
noonedeadpunkI have a feeling that it's a cell that tries to connect to 567217:39
jrosseri think this is why i didnt see it before17:41
jrossersaw 5671 earlier in the log file and figured it was ok17:41
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Add OS compatability matrix  https://review.opendev.org/c/openstack/openstack-ansible/+/78937617:42
noonedeadpunkI really can't imagine how to figure out whats wrong without chiming in nova code...17:43
jrossereven now with all the debugging on it's not really clear what thing is making that MQ connection17:44
noonedeadpunkyeah :(17:44
jrosseri would assume that 5672 is the default in some places, and this maybe means that we don't properly set a var somewhere17:47
jrosserthough somehow it has the IP correct17:47
*** MrClayPole has joined #openstack-ansible17:49
*** jnamdar has quit IRC17:54
*** andrewbonney has quit IRC17:56
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible stable/train: Prepare Train to EM  https://review.opendev.org/c/openstack/openstack-ansible/+/79065517:57
jrossernoonedeadpunk: do you think we are missing {port} here https://github.com/openstack/openstack-ansible-os_nova/commit/c6d4c6207fa904f30e471c598884b7bce66cbc8f#diff-b3bafa1afef99e726b111b31a7802a47258c01212f425b191cd9c1cc87267ce7R9518:17
noonedeadpunkouch18:23
noonedeadpunkjrosser: sorry18:24
jrosserno worries :)18:24
* jrosser makes patch18:24
*** dwilde has quit IRC18:24
noonedeadpunkI think we should also add port for mysql as well...18:27
jrosserhmm, well i was looking in nova.conf and we don't specify the port18:27
noonedeadpunkindeed. And I can recall copy-pasting transport-url :(18:27
noonedeadpunkso stupid :(18:28
noonedeadpunk*copying database_connection and pasting as transport-url18:28
openstackgerritJonathan Rosser proposed openstack/openstack-ansible-os_nova master: Add variables for rabbitmq ssl configuration  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/79003718:28
openstackgerritJonathan Rosser proposed openstack/openstack-ansible-os_nova master: Add port to transport_url database template  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/79103818:28
jrosserwe can maybe look at adding port for db too18:28
jrosserperhaps we have to add that to the url in the config file at the same time18:28
jrosserbut this all has slightly mysterious behaviour w.r.t default values18:29
noonedeadpunkyeah, it's pretty weird overall...18:29
noonedeadpunklike `create_cell` doesn't even check properly for already existing template and just creates as much cells as you run the command, which would be exactly the same18:30
noonedeadpunkas they compare template with interpreted string...18:31
jrosseri guess thats kind of an error that we have a var in os_nova for nova_galera_port but it doesnt quite do what you expect18:31
jrosseranyway, enough for today, i've rechecked some stuff and will look again tomorrow18:32
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible stable/train: Prepare Train to EM  https://review.opendev.org/c/openstack/openstack-ansible/+/79065518:36
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Add OS compatability matrix  https://review.opendev.org/c/openstack/openstack-ansible/+/78937618:43
noonedeadpunkI think we need to merge that pki stuff and it would be good point for RC18:52
jrosserwe have to patch all the roles that use rabbitmq18:53
noonedeadpunkwell, yes18:54
jrosserbut I think hopefully now the first set of core roles will work18:54
noonedeadpunkdoh... no release id yet for bullseye... http://paste.openstack.org/show/805309/18:59
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible master: Remove Debain python workaround  https://review.opendev.org/c/openstack/openstack-ansible/+/79104219:01
noonedeadpunkyes19:02
jrosserif we want to do an rc soon then we should have a big push on merging stuff19:02
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Add Debian Bullseye support  https://review.opendev.org/c/openstack/openstack-ansible/+/78360619:02
*** cyberpear has joined #openstack-ansible19:04
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Add Debian Bullseye support  https://review.opendev.org/c/openstack/openstack-ansible/+/78360619:05
noonedeadpunkand fix facts gathering....19:05
noonedeadpunkok, yeah, will focus on reparing roles19:06
noonedeadpunkalong with pushing ssl change then probably?19:06
noonedeadpunkrabbitmq ssl one19:06
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Include galera_devel into main  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/79104519:14
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible-os_adjutant master: Install mysql client libraries  https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/77760719:15
openstackgerritDmitriy Rabotyagov proposed openstack/openstack-ansible-os_adjutant master: Install mysql client libraries  https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/77760719:15
*** macz_ has quit IRC19:16
*** macz_ has joined #openstack-ansible19:32
*** snapdeal has joined #openstack-ansible19:41
*** Jeffrey4l has quit IRC19:49
*** Jeffrey4l has joined #openstack-ansible20:00
*** spatel has quit IRC20:01
*** macz_ has quit IRC20:08
*** macz_ has joined #openstack-ansible20:08
*** mcarden has joined #openstack-ansible20:37
*** openstackgerrit has quit IRC21:47
*** snapdeal has quit IRC22:15
*** tosky has quit IRC23:01
*** macz_ has quit IRC23:08