*** rpittau|afk is now known as rpittau | 07:07 |
*** odyssey4me is now known as Guest1488 | 08:33 |
jrosser | interesting question on the ML about all endpoints on port 443 | 09:04 |
kleini | really interesting | 09:08 |
noonedeadpunk | yeah, I'd love to have that supported. But I'm not sure it is atm | 09:42 |
jrosser | i replied to it, i think it maybe can be done with a bunch of overrides | 09:43 |
noonedeadpunk | well, you still would need to have public and internal endpoints? | 09:51 |
kleini | there is an external and an internal VIP. isn't that sufficient for public and internal endpoints? | 10:09 |
anskiy | Hey guys! I'm now in a state of planning a stage deployment of OpenStack (I still haven't settled on the exact tool which I'm gonna use for deploy). And I have several questions about OSA: | 10:29 |
anskiy | 1. in the docs it says that OVN support is experimental and not production ready (I've seen some guides on how to use it, tho), and there is an issue on launchpad to add support for clustered OVN DB (with some workaround). I'd love to go with OVN bc it's what I'm kinda familiar with (more than all the intricacies of Linux bridge configuration in OpenStack). Should I try going with OVN AND OSA? | 10:30 |
anskiy | 2. I dislike containerized solution (LXC or Docker in Kolla/Kayobe) as I would like to keep things as simple as possible, but it looks like I'm out of options or... | 10:30 |
anskiy | 3. ...should I consider writing my own playbooks for tailoring OpenStack for my own needs? | 10:30 |
anskiy | Production deployment would be a small cluster with 20+ compute nodes, flat provider network and local storage on computes, which is gonna supersede an in-house, non-clustered Python solution based on Libvirt/OVS/OVN, so I'm leaning towards a vanilla distribution of OpenStack instead of TripleO (RDO). | 10:30 |
noonedeadpunk | anskiy: 1. we do active development of OVN, and I think spatel added clustered db recently. | 10:47 |
noonedeadpunk | 2. We support bare metal deployments! | 10:47 |
noonedeadpunk | 3. Not quite sure what do you mean here | 10:48 |
noonedeadpunk | 1. https://opendev.org/openstack/openstack-ansible-os_neutron/commit/d6198cdd32053e9e14ba7d163e31b5cbed2cdb10 | 10:49 |
noonedeadpunk | but, if you're familiar with OVN, we would love to take contributions to make OVN stable and take it out of experimental. I think it's now in experimental mostly because nobody dared to use it in production yet | 10:50 |
kleini | 3. OSA should provide enough configuration options and furthermore a lot of opinionated configuration can be overwritten if not all of it. | 10:51 |
noonedeadpunk | anskiy: 2 https://docs.openstack.org/openstack-ansible/latest/reference/inventory/configure-inventory.html#deploying-directly-on-hosts | 10:57 |
anskiy | Thank you for reigniting my confidence about going with OSA :) Gonna dig into docs and see how well would OVN route do. | 11:15 |
*** odyssey4me is now known as Guest1498 | 11:38 |
noonedeadpunk | we also tested ovn in CI and it used to work until some super recent update on master | 11:50 |
noonedeadpunk | W should be fine though | 11:50 |
dmsimard | noonedeadpunk, odyssey4me: o/ btw re: https://github.com/ansible-collections/community.rabbitmq/issues/72 we are doing a bit of outreach to find new contributors/maintainers for community.rabbitmq | 13:26 |
dmsimard | there's https://github.com/ansible-collections/community.rabbitmq/issues/81 but we'll also include it in the bullhorn (developer) newsletter and such | 13:27 |
odyssey4me | dmsimard yep, thanks - that's much appreciated | 13:27 |
dmsimard | odyssey4me: thanks for your work thus far <3 | 13:28 |
odyssey4me | dmsimard the libvirt collection needs help too, if that could also be added to bullhorn that'd be great | 13:28 |
dmsimard | yep, a colleague of mine is also looking into it: https://github.com/ansible-collections/community.libvirt/issues/78 | 13:29 |
noonedeadpunk | Yeah, I said I will help, but still didn't have time. Though, we should push some PR with adding some modules | 13:30 |
noonedeadpunk | I _really_ will try to spend and dedicate time for this.... | 13:30 |
dmsimard | noonedeadpunk: no hard feelings, I know time is a limited resource :) | 13:30 |
noonedeadpunk | #startmeeting openstack_ansible_meeting | 15:00 |
opendevmeet | Meeting started Tue Jul 20 15:00:24 2021 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
opendevmeet | The meeting name has been set to 'openstack_ansible_meeting' | 15:00 |
noonedeadpunk | #topic rollcall | 15:00 |
noonedeadpunk | o/ | 15:00 |
jrosser | o/ hello | 15:01 |
noonedeadpunk | #topic office hours | 15:03 |
noonedeadpunk | So, I think I have the only question for today - next PTG time... | 15:03 |
noonedeadpunk | Should I call for a doodle vote or can we just go with the same time/days that we previously did? | 15:04 |
noonedeadpunk | I think 2x2h slots were working really fine | 15:04 |
noonedeadpunk | there's ethercalc with other slots https://ethercalc.openstack.org/8tum5yl1bx43 | 15:07 |
noonedeadpunk | So suggested from me slots are 15:00 - 17:00 UTC on Tuesday October 19 and 15:00 - 17:00 UTC on Wednesday October 20 | 15:08 |
* noonedeadpunk has a feeling that it's a bit too early now | 15:09 |
* jrosser on vacation that week | 15:11 |
jrosser | oh | 15:11 |
noonedeadpunk | huh.... | 15:11 |
jrosser | no sorry looking at wrong month /o\ | 15:11 |
noonedeadpunk | haha) | 15:11 |
noonedeadpunk | well, October is perfect time for vacation overall ) | 15:12 |
noonedeadpunk | Then for now I'm booking these timeframes and will write to the ML to get other opinions if any | 15:13 |
jrosser | ok cool | 15:14 |
jrosser | is there stuff to go over which we need to fix for next W point release? | 15:14 |
jrosser | seems i made a bunch of typos in the rabbitmq SSL stuff :/ | 15:14 |
noonedeadpunk | well. Octavia is still broken though when multiple containers are used | 15:15 |
noonedeadpunk | looking into it | 15:15 |
noonedeadpunk | and after that we can do point release | 15:15 |
noonedeadpunk | btw, I still haven't moved bump bot to github actions (as it got broken with travis policy change) | 15:16 |
noonedeadpunk | So will do these manually for now I guess | 15:16 |
noonedeadpunk | Created etherpad as well for ptg | 15:17 |
noonedeadpunk | Regarding octavia - https://bugs.launchpad.net/openstack-ansible/+bug/1936646 | 15:19 |
noonedeadpunk | I'm trying to use delegate_facts and gain them from specific host | 15:19 |
noonedeadpunk | I think we should actually replace all of that with pki... | 15:20 |
jrosser | well i was going to say | 15:21 |
jrosser | all of that could just be deleted and go away | 15:21 |
jrosser | though just pushing out a new cert there in an existing deployment results in $bad-times | 15:22 |
noonedeadpunk | I'm not 100% sure I understand what these certs are for. For securing amphoras->api? | 15:23 |
jrosser | yes, there is mutual TLS between the service and the amphoras | 15:24 |
noonedeadpunk | then rotating this might be a disaster.... | 15:24 |
jrosser | if you somehow lose or accidentally rotate it then things go super weird | 15:24 |
jrosser | also this is where the deployment actually puts those certs in ~ of the deploy user | 15:24 |
noonedeadpunk | I can recall this now :) | 15:24 |
jrosser | we rebuilt a deploy host and lost ours | 15:25 |
noonedeadpunk | Yeah, I have overwritten this path everywhere | 15:25 |
jrosser | there is documentation here https://docs.openstack.org/octavia/latest/admin/guides/operator-maintenance.html | 15:29 |
jrosser | at some point we must deal with this as part of using the PKI role - but not sure how the best way to approach this is for a deployment | 15:33 |
noonedeadpunk | yeah, not sure either. It seems we have here a bit different concept (in terms that we have server and client parts) | 15:37 |
noonedeadpunk | So might be worth doing just bugfix now? | 15:37 |
jrosser | can we just revert the patch that caused this trouble? | 15:39 |
noonedeadpunk | I already have fix:) | 15:39 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_octavia master: Fix self-signed certs distribution https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/801505 | 15:41 |
noonedeadpunk | ^ | 15:41 |
jrosser | ahha | 15:41 |
johnsom | FYI, there is also a detailed certificate guide for Octavia here: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html | 15:41 |
jrosser | johnsom: awesome thanks, we have a new ansible role here https://github.com/openstack/ansible-role-pki which we plan to replace all our ad-hoc cert generation with (including in our octavia role) | 15:43 |
noonedeadpunk | I tend to use PKI role for master only to not mess up ppl envs while backporting | 15:44 |
johnsom | Ok. I wrote that guide, so feel free to ping me if you have questions. | 15:44 |
noonedeadpunk | sure, thanks! | 15:44 |
noonedeadpunk | We never hesitate pinging ;) | 15:44 |
johnsom | grin | 15:44 |
jrosser | noonedeadpunk: yes agreed, this is likely to need a rotation of the CA I think, unless we can import existing certs under the PKI role as part of an upgrade | 15:45 |
noonedeadpunk | I think we can provide path to existing one? | 15:45 |
jrosser | we can certainly retrieve them from one of the containers and copy to /etc/openstack_deploy/pki/..... | 15:46 |
noonedeadpunk | yeah, it's for upgrade path for sure... | 15:46 |
jrosser | it would be like a user supplied one from that point on | 15:46 |
noonedeadpunk | and I guess we would need to set some vars as well | 15:46 |
noonedeadpunk | (to use that CA only for octavia?) | 15:47 |
jrosser | yes, and the vars being set would cause it to be installed from the copy with the regular PKI role | 15:47 |
jrosser | i think we have a choice, it can be its own CA, or an intermediate off the one we have already, lots of ways to do it | 15:47 |
jrosser | sounds like we need to be really mindful of the upgrade path when adjusting the octavia role here | 15:48 |
jrosser | much more so than other places where it's not going to break stuff | 15:49 |
noonedeadpunk | yes, agreed | 15:50 |
noonedeadpunk | btw, regarding typos - mind merging https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/801072 ?:) | 15:51 |
noonedeadpunk | I guess for upgrade it would be required anyway | 15:51 |
noonedeadpunk | (on master gnocchi is failing for some reason) | 15:51 |
noonedeadpunk | https://bugs.launchpad.net/openstack-ansible/+bug/1936576 | 15:52 |
jrosser | done | 15:52 |
noonedeadpunk | `SQLAlchemy===1.4.20` in u-c | 15:53 |
jrosser | oh there were a whole flurry of patches about updated sqlalchemy recently i think | 15:53 |
noonedeadpunk | and there's a fix:) https://github.com/gnocchixyz/gnocchi/commit/62ee223b456fa8e185720c18439d929d0f8cb0d4 | 15:54 |
noonedeadpunk | So I guess I will do master bump now | 15:54 |
noonedeadpunk | oh! btw, I've posted vault role I had | 15:54 |
noonedeadpunk | some weird things going on in CI though | 15:55 |
noonedeadpunk | https://review.opendev.org/c/openstack/ansible-role-vault/+/800792 | 15:55 |
noonedeadpunk | for some reason db_setup is not delegated or smth like that... | 15:55 |
jrosser | maybe it needs to be after utility_install | 15:59 |
jrosser | otherwise there is no galera_client yet to do the db setup? | 15:59 |
noonedeadpunk | oh, that's good point | 15:59 |
noonedeadpunk | #endmeeting | 16:00 |
opendevmeet | Meeting ended Tue Jul 20 16:00:15 2021 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:00 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-07-20-15.00.html | 16:00 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-07-20-15.00.txt | 16:00 |
opendevmeet | Log: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-07-20-15.00.log.html | 16:00 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Add Vault role support https://review.opendev.org/c/openstack/openstack-ansible/+/800787 | 16:00 |
jrosser | did i see the vault root keys and unseal keys are plaintext in facts? | 16:01 |
noonedeadpunk | they are now | 16:01 |
jrosser | now we have the pki role i think we can fix that | 16:01 |
noonedeadpunk | oh, yes, we totally can! | 16:01 |
jrosser | i will dig around but we have an approach which uses the deploy user private key to encrypt them | 16:02 |
noonedeadpunk | I actually haven't thought about it | 16:02 |
jrosser | and an ansible filter which encrypts/decrypts | 16:02 |
jrosser | so we keep them on the vault nodes, but not plaintext | 16:02 |
noonedeadpunk | yeah, that sounds way better. Actually I have thought of placing them in user_secrets, but not sure if it's better | 16:02 |
noonedeadpunk | with PKI role this would be really nice | 16:03 |
jrosser | it would be so cool to be putting user_secrets in vault too | 16:03 |
jrosser | but this is chicken/egg currently with galera | 16:03 |
noonedeadpunk | yeah, agree | 16:03 |
jrosser | vault internal storage instead would fix that | 16:03 |
noonedeadpunk | well, I think it's a matter of documentation | 16:04 |
noonedeadpunk | As we might say to move user_secrets after setup-infrastructure if needed | 16:04 |
jrosser | oh right kind of seed vault with the user_secrets content | 16:04 |
jrosser | need to be able to do things when galera is broken though :) | 16:04 |
noonedeadpunk | well yeah | 16:05 |
noonedeadpunk | I dunno how I feel about vult native storage... | 16:05 |
noonedeadpunk | *vault | 16:05 |
noonedeadpunk | It had some tricky things as well iirc | 16:05 |
noonedeadpunk | but can't really recall now | 16:05 |
noonedeadpunk | (smth related to replication?) | 16:06 |
noonedeadpunk | We can set it up as well - have nothing against that | 16:06 |
noonedeadpunk | It might be selection of driver as well | 16:07 |
noonedeadpunk | (you can push your role variant instead - have nothing against it as well) | 16:08 |
jrosser | it has a lot of history tbh which is messy | 16:08 |
jrosser | i think picking out specific bits like the x509 encryption of the root keys and adding to yours will be cleaner | 16:08 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump master branch https://review.opendev.org/c/openstack/openstack-ansible/+/801510 | 16:09 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Do not set Open vSwitch hostname https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/793009 | 16:19 |
noonedeadpunk | btw, for W point release we might also need this https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/798960 | 16:20 |
jrosser | looks like something gone strange with OVN | 16:21 |
noonedeadpunk | yeah, it does... | 16:29 |
noonedeadpunk | I have close to no knowledge regarding ovn :( | 16:30 |
noonedeadpunk | Well, will need to gain one haha | 16:31 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Add documenation about elasticsearch cluster concepts https://review.opendev.org/c/openstack/openstack-ansible-ops/+/801516 | 16:45 |
*** rpittau is now known as rpittau|afk | 16:45 |
opendevreview | Merged openstack/openstack-ansible-os_keystone master: Refactor out library/keystone_sp and updates to use collections https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/798962 | 16:54 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Add documenation about elasticsearch cluster concepts https://review.opendev.org/c/openstack/openstack-ansible-ops/+/801516 | 17:01 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_tempest master: DNM testing tempestconf's os_interface option https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/787940 | 17:18 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone stable/ussuri: Use absolute path for uwsgi_params include https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/785393 | 17:23 |
opendevreview | Merged openstack/openstack-ansible-os_ceilometer stable/wallaby: Fix wrong variable name in ceilometer.conf.j2 template. https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/801072 | 17:28 |
opendevreview | Merged openstack/openstack-ansible-os_keystone master: Updates to federation documentation https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/800504 | 18:49 |
opendevreview | Merged openstack/openstack-ansible-os_keystone stable/ussuri: Use absolute path for uwsgi_params include https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/785393 | 21:19 |