Tuesday, 2021-10-19

[00:18] <ianw> that's not true *either*.  the seed pip in virtualenv in centos7 doesn't have the LE ISRG key.  *but*, if you upgrade that pip, it brings in 20.3.4 which *does* have that bundled in certifi -- but centos7's 1.0.2 openssl doesn't understand the expiry
[00:18] <ianw> so it's still broken, just in a different way
[00:57] <opendevreview> Ian Wienand proposed openstack/openstack-ansible stable/stein: Workaround broken centos 7 pip  https://review.opendev.org/c/openstack/openstack-ansible/+/814506
[00:59] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_masakari stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/814345
[01:26] <opendevreview> Ian Wienand proposed openstack/openstack-ansible stable/stein: Workaround broken centos 7 pip  https://review.opendev.org/c/openstack/openstack-ansible/+/814506
[01:50] <ianw> jrosser / johnsom : well, i tried, but it's getting a bit in-depth for me now.  it's now failing somewhere in https://codesearch.opendev.org/?q=python_venv_build.  what's your feeling on me force-merging the debian-stable removal changes  so we can remove that node type?
[01:51] <ianw> it's only on stable/stein
[01:51] <ianw> i'm not sure how much excitement there is for fixing centos7 on that branch ...
[01:53] <ianw> noonedeadpunk: ^ sorry, not johnsom :)
[01:57] <johnsom> Ianw I was wondering what I had forgot. Lol
[02:19] <opendevreview> Ian Wienand proposed openstack/openstack-ansible stable/stein: Workaround broken centos 7 pip  https://review.opendev.org/c/openstack/openstack-ansible/+/814506
[04:06] <opendevreview> Ian Wienand proposed openstack/openstack-ansible stable/stein: Workaround broken centos 7 pip  https://review.opendev.org/c/openstack/openstack-ansible/+/814506
[04:57] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_barbican stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/814337
[04:58] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_blazar stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_blazar/+/814339
[04:59] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_designate stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/814341
[05:00] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_heat stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/814342
[05:00] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_ironic stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/814343
[05:00] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_magnum stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/814344
[05:00] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_masakari stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/814345
[05:01] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_mistral stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/814346
[05:01] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_octavia stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/814347
[05:02] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_rally stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_rally/+/814348
[05:02] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_sahara stable/stein: Remove debian-stable jobs  https://review.opendev.org/c/openstack/openstack-ansible-os_sahara/+/814349
[05:02] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_swift stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/814350
[05:02] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_tacker stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_tacker/+/814351
[05:03] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_trove stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/814338
[06:55] <ianw> noonedeadpunk: ^ that got a few more passing.  the remaining ones i still don't know.  e.g. https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/814337 is trying to install tempest-barbican from master which has dropped py2 support
[06:55] <ianw> i don't think it's worth chasing stuff like that imo
[07:50] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_barbican stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/814337
[07:52] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_octavia stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/814347
[07:55] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_designate stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/814341
[07:57] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_sahara stable/stein: Remove debian-stable jobs  https://review.opendev.org/c/openstack/openstack-ansible-os_sahara/+/814349
[07:58] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_barbican stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/814337
[08:00] <opendevreview> Ian Wienand proposed openstack/openstack-ansible-os_magnum stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/814344
[08:02] <jrosser> i'll recheck this to see if its also an issue on ussuri https://review.opendev.org/c/openstack/openstack-ansible/+/803926
[08:04] <jrosser> it looks like we were still python2 in the ansible virtualenv for U https://github.com/openstack/openstack-ansible/blob/stable/ussuri/scripts/bootstrap-ansible.sh#L77
[08:05] <opendevreview> chandan kumar proposed openstack/openstack-ansible-os_tempest master: Use single var file for rpm based distros  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/814526
[08:11] <ianw> jrosser: i would say though that ubuntu ships a much later pip in the default virtualenv though
[08:11] <ianw> centos7 has pip 9, so the cacert.pem it vendors doesn't have the right certificates for LE now
[08:11] <jrosser> yeah, this is all a centos mess
[08:12] <ianw> ++
[08:12] <jrosser> need to think about it a bit, as theres fixing CI and then making it do the right thing on a real multinode production deployment
[08:13] <ianw> yep :)  all i *really* want to do is get rid of debian-stable though
[08:13] <jrosser> i know :)
[08:13] <ianw> a typical yak-shaving adventure
[08:14] <jrosser> i'll have a mess with it today
[08:14] <ianw> thanks
[08:14] * ianw day is over now :)
[08:14] <jrosser> thanks for digging into this - appreciated
[08:46] <noonedeadpunk> actually - I saw the same happening in my ubuntu 18.04 deployments on V
[08:46] <noonedeadpunk> but what helped us was upgrading of certifi iirc
[08:46] <jrosser> via pip?
[08:46] <noonedeadpunk> yep
[08:46] <noonedeadpunk> but the thing is that it is constrained
[08:47] <jrosser> yeah so thats in an existing deployment
[08:47] <noonedeadpunk> I believe this is smth my team looking into how to fix better now...
[08:47] <jrosser> ah ok i was just going to spin a centos7 aio and look specifically at the centos part
[08:47] <noonedeadpunk> well - we were doing upgrade from T->V in one of the regions
[08:48] <jrosser> but yes existing deployments will be in trouble
[08:48] <noonedeadpunk> I think even new ones are...
[08:48] <noonedeadpunk> because ca-certificates were latest version but had no effect, until certifi got updated
[08:49] <jrosser> is it that u-c holds it back?
[08:49] <noonedeadpunk> and it was constrained to the version that does not have new LE root
[08:49] <noonedeadpunk> yeah
[08:49] <jrosser> thats uncool - as a result of a pin on requests or smt?
[08:50] <noonedeadpunk> It's a separate line https://opendev.org/openstack/requirements/src/branch/stable/victoria/upper-constraints.txt#L39
[08:50] <noonedeadpunk> I guess we should just suggest patch to bump it
[08:50] <jrosser> oh wow, if theres one thing you don't want to pin, it's that
[08:50] <noonedeadpunk> yeah...
[08:51] <noonedeadpunk> prometheanfire: your opinion on pinning certifi?:)
[09:03] <opendevreview> chandan kumar proposed openstack/openstack-ansible-os_tempest master: Use single var file for rpm based distros  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/814526
[09:08] <opendevreview> chandan kumar proposed openstack/openstack-ansible-os_tempest master: Added var file for EL9  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/814526
[09:23] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_tempest stable/stein: Fix tempest plugin versions  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/814535
[09:24] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_barbican stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/814337
[09:58] <jrosser> noonedeadpunk: this will fix the ansible-runtime venv build for CI and real world https://paste.opendev.org/show/810071/
[10:00] <noonedeadpunk> Um, there should be some filtering as well?
[10:00] <noonedeadpunk> u-c feels to me like some burden atm....
[10:02] <noonedeadpunk> ah
[10:02] <noonedeadpunk> I got it now...
[10:03] <noonedeadpunk> hm, now I start wondering, why we saw issues only during bootstrap...
[10:03] <jrosser> read back overnight
[10:03] <jrosser> tldr is old pip has bundled certs pem which is not up to date
[10:04] <jrosser> so it fails to get the u-c url content with pip internals/requests, which is a precursor to updating pip/setuptools/wheel
[10:05] <noonedeadpunk> um, yeah, I got that
[10:06] <noonedeadpunk> I was more thinking about what I've seen....
[10:06] <noonedeadpunk> I mean - we saw issues during bootstrap on ubuntu - actually same issue as here with centos
[10:06] <noonedeadpunk> but we never saw things failing with same constraints in python_venv_build
[10:07] <jrosser> well i think there are multiple things here
[10:07] <noonedeadpunk> and ansible not failing with that certifi version...
[10:08] <jrosser> i have a feeling that centos7 is going to break on python_venv_build similarly
[10:09] <noonedeadpunk> yeah, at least that's what ianw said...
[10:24] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_tempest stable/stein: Fix tempest plugin versions  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/814535
[11:02] <ierdem> Hi everyone, we are trying to deploy OSA Victoria. we use proxy on both infrastructure and compute hosts. While running setup-hosts.yaml, it gets stuck on TASK [lxc_hosts : Wait for base image download]  task. We set the proxy settings in user_variables but the problem still exists. Do u have any ideas? Thanks
[11:13] <opendevreview> Merged openstack/openstack-ansible-os_tempest stable/victoria: Pin neutron-tempest-plugin to v1.6.0  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/814258
[11:22] <jrosser> ierdem: can you see the url it is trying to fetch? putting some logs at paste.opendev.org is helpful if you have the
[11:22] <jrosser> m
[11:22] <ierdem> jrosser, thanks for your answer, i disabled/enabled proxy and after that it works :)
[11:27] <ierdem> jrosser, new error occurred :/  in setup-infrastructure.yml https://paste.opendev.org/show/810074/ cannot update apt-cache on galera
[11:34] <noonedeadpunk> Hm, I do see release file here... https://downloads.mariadb.com/MariaDB/mariadb-10.5.8/repo/ubuntu/dists/focal/
[11:34] <noonedeadpunk> maybe gpg has changed...
[11:35] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/stein: Remove tempest plugins CI overrides  https://review.opendev.org/c/openstack/openstack-ansible/+/814558
[11:35] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_barbican stable/stein: Remove debian-stable job  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/814337
[11:36] <ierdem> I manually updated cache, it skipped that step but after https://paste.opendev.org/show/810075/
[11:37] <noonedeadpunk> um, but might be that repo just got disabled?
[11:38] <opendevreview> Jonathan Rosser proposed openstack/ansible-role-python_venv_build stable/stein: Workaround distro provided pip having old CA certs on centos-7  https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/814559
[11:39] <ierdem> noonedeadpunk, so should I install mariadb manually ?
[11:39] <noonedeadpunk> um, no
[11:39] <noonedeadpunk> you should check why repo is not being used
[11:40] <noonedeadpunk> or why it got disabled
[11:41] <ierdem> may apt-secure cause this problem?
[11:43] <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible stable/stein: Fetch upper constraints file with curl rather than allow pip to download it  https://review.opendev.org/c/openstack/openstack-ansible/+/814560
[11:44] <noonedeadpunk> it should not on its own
[11:45] <noonedeadpunk> honestly it's hard to say without being able to check some things
[11:45] <noonedeadpunk> like if installed gpg is valid and matching
[11:45] <noonedeadpunk> if gpg is present at all
[11:52] <MrClayPole> Hi, I'm attempting to use LetsEncrypt certificate for haproxy on OSA Train. It appears that the install method via https://dl.eff.org/certbot-auto has been deprecated/not available and this causes "TASK [haproxy_server : Download certbot]" to fail. I can see this has been fixed in Ussuri but is there a way to get this fixed/workaround in Train as I won't be able to upgrade for a while?
[12:11] <noonedeadpunk> MrClayPole: Looking at patch, I'm not sure we can backport it easily https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/722421
[12:12] <noonedeadpunk> what you can probably try doing - use ussuri version of the role
[12:12] <noonedeadpunk> because there were a lot of changes to it that are tied together...
[12:13] <MrClayPole> Yeah, I was looking myself. Looks like a pretty big change as it adds the option to use the distro package from what I can tell. We have a cert covering us until May 2022 so as long as we can upgrade before then I'll be good. I was just checking if there was an easy way round this issue.
[12:14] <MrClayPole> As it looks like there isn't then I'll park this until I can upgrade to at least Ussuri
[12:18] <MrClayPole> Thanks for your help noonedeadpunk
[12:20] <noonedeadpunk> I think you can just checkout haproxy role to ussuri
[12:20] <noonedeadpunk> I don't expect there to be some incompatibilities with ansible version or anything
[12:21] <noonedeadpunk> and then upgrade would be easier as well, since you will have all variables set in "new way"
[12:21] <mgariepy> anyone tried ceph multi-attach for rbd volumes ?
[12:22] <noonedeadpunk> I did and it was broken
[12:22] <noonedeadpunk> nova said just - don't use that :)
[12:22] <noonedeadpunk> (or it was cinder folks..)
[12:22] <noonedeadpunk> but it was broken in multiple pretty obvious places...
[12:23] <noonedeadpunk> like manila is what you actually need anyway
[12:24] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-memcached_server master: [doc] Fix haproxy_extra_services layout  https://review.opendev.org/c/openstack/openstack-ansible-memcached_server/+/805996
[12:29] <mgariepy> what i need is the user to rewrite his software.. but that's another issue.
[12:31] <mgariepy> For manila i guess you do 2 separate ceph cluster  one for rbd / s3 and one for manila ?
[12:36] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_tempest stable/stein: Fix tempest plugin versions  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/814535
[12:37] <noonedeadpunk> um, I don't think it's a requirement
[12:37] <noonedeadpunk> as for manila you generally need just mds
[12:38] <noonedeadpunk> (and I guess ganesha-nfs depending on setup)
[12:38] <noonedeadpunk> there're challenges though regarding ganesha to work in HA setup
[12:38] <mgariepy> yeah i guess it could be.
[12:39] <mgariepy> have you setup manila ?
[12:39] <noonedeadpunk> that what you want is manila - I was told on the question why not to fix multiattach
[12:39] <mgariepy> do you have some number on what type of hw and perf you squeeze out of it ?
[12:39] <noonedeadpunk> well, for test only and have some non-production setup with generic driver as well
[12:40] <noonedeadpunk> always wanted to add it to production but not yet(
[12:41] <mgariepy> ok
[12:43] <mgariepy>  Guests need IP connectivity to Ceph cluster..
[12:43] <noonedeadpunk> they don't if you use ganesha)
[12:43] <mgariepy> i do not like that..
[12:44] <noonedeadpunk> ganesha acts like proxy
[12:44] <noonedeadpunk> so it provides nfs interface to cephfs
[12:44] <mgariepy> ganesha will probably end up to be a single point of failure and bottleneck for perfs
[12:44] <noonedeadpunk> it does, yes...
[12:45] <jrosser> maybe Y release will have new enough libvirt for virtiofs stuff to become real
[12:45] <noonedeadpunk> well, there're workarounds I was pointed to
[12:45] <jrosser> then it all become much more sane
[12:45] <noonedeadpunk> that would be awesome... But I haven't checked if it has ever landed to libvirt at all?
[12:45] <jrosser> i think you need 6.6 or later
[12:45] <noonedeadpunk> ah
[12:46] <jrosser> we were looking at it for something else and were sad to see it not there in 6.0
[12:46] <noonedeadpunk> that would be awesome indeed
[12:47] <jrosser> we wanted to give guests a view of their energy consumption inside their VM https://hubblo-org.github.io/scaphandre-documentation/how-to_guides/propagate-metrics-hypervisor-to-vm_qemu-kvm.html
[12:47] <noonedeadpunk> But there's a lot of work on nova/manila side as well...
[12:49] <noonedeadpunk> I guess nova-compute won't like these changes...
[12:49] <noonedeadpunk> And would just drop them?
[12:49] <noonedeadpunk> Or there's a way to make them persistent and respected?
[12:50] <jrosser> not sure really, didnt look very hard
[12:50] <tbarron> most of the work will be in nova: https://review.opendev.org/c/openstack/nova-specs/+/813180
[12:50] <tbarron> gonna take 2-3 cycles though
[12:50] <noonedeadpunk> and manila will act like cyborg does kind of?
[12:51] <noonedeadpunk> but yeah, I guess spec is pretty self-explanatory
[12:51] <tbarron> umm, compute nodes will just stage remote mounts using manila and then supply them to guests via virtiofs
[12:52] <noonedeadpunk> yeah, there're tons of work...
[12:53] <tbarron> on the ganesha front, ceph cluster will run ganesha itself (ceph orchestrator backed by cephadm), do its own nfs ha, and put an "ingress" in front of a set of ganeshas (a ganesha cluster)
[12:54] <noonedeadpunk> is it already in stable? or it's wip?
[12:54] <tbarron> instead of openstack being responsible for running haproxy/pacemaker/etc. and controlling lifecycle of ganesha daemons
[12:55] <tbarron> wip
[12:55] <noonedeadpunk> aha
[12:55] <tbarron> well, ceph pacific has the basics
[12:55] <tbarron> but manila driver isn't using this yet
[12:55] <noonedeadpunk> mgariepy: I guess we can balance it with haproxy/keepalived as we run them anyway today
[12:55] <jrosser> never seen anyone brave enough to use the ceph orchestrator
[12:55] <noonedeadpunk> +1
[12:55] <tbarron> hopefully Y cycle we'll get it wired up upstream
[12:56] <mgariepy> will there be an upgrade path to this if a deployment currently do some stuff over manila then when upgrading to the new release with all those feature implemented ?
[12:56] <noonedeadpunk> but I guess modern ceph-ansible about to leverage it?
[12:56] <tbarron> jrosser: well, we're going to try to do upstream manila devstack with it real soon now; that's of course different than cutting over a production cluster
[12:56] <mgariepy> for my ceph cluster i do use ceph-ansible but not via osa..
[12:57] <noonedeadpunk> https://github.com/ceph/ceph-ansible/blob/master/infrastructure-playbooks/cephadm.yml
[12:58] <tbarron> but from upstream dev perspective we have two promising paths for cephfs where you don't put guests directly on the ceph public network: virtiofs, and cephadm/orchestrator
[12:58] <tbarron> managed nfs
[12:58] <jrosser> virtiofs is super attractive because the compute nodes already have all the required connectivity to the ceph cluster today
[12:59] <jrosser> and we can keep our really total decoupling between the ceph and openstack deployments, which are really separate entities
[13:00] <noonedeadpunk> yeah, that's true
[13:00] <jrosser> i remember we have OSA users where the openstack guys don't even get ssh onto the ceph mon hosts
[13:01] <jrosser> so supporting those very split responsibilities is important
[13:03] <tbarron> mgariepy: upgrade path is not fully solved. It may be easier for virtiofs.  For nfs, I don't see a nondisruptive upgrade since the ganesha export ip
[13:03] <tbarron> moves from living in openstack to living in the ceph cluster
[13:04] <mgariepy> well yep i guess. it will be disruptive for the nfs :D
[13:05] <tbarron> fwiw tripleo is discussing the nfs deployment stuff with cephadm/orch in 6 minutes
[13:06] <noonedeadpunk> while there're lot of ppl here I want to use moment and ask for some reviews on https://review.opendev.org/c/openstack/openstack-ansible/+/813885
[13:08] <noonedeadpunk> we have ganesha deployment for quite a while but I didn't manage to write haproxy balancing for it :(
[13:26] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Fix netplan sample  https://review.opendev.org/c/openstack/openstack-ansible/+/814579
[13:26] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Fix netplan sample  https://review.opendev.org/c/openstack/openstack-ansible/+/814579
[13:44] * jrosser curses centos (again)
[13:57] <mgariepy> how comes jrosser ?
[13:57] <mgariepy> it's enterprizy..
[13:58] <jrosser> https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/814559
[13:58] <jrosser> the letsencrypt root CA changes have caught up with python2 on centos-7
[13:59] <mgariepy> arf.
[13:59] <mgariepy> stein is still tested?
[14:00] <noonedeadpunk>  well, it's in EM, but I believe it's pretty widely used
[14:00] <noonedeadpunk> and we got bunch of patches there
[14:00] <jrosser> just starting my AIO from fresh as it's all gone wrong in CI
[14:08] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-ceph_client master: Ensure role not fail when mon_host is not part of ceph_extra_confs  https://review.opendev.org/c/openstack/openstack-ansible-ceph_client/+/814586
[14:09] <noonedeadpunk> and in aio it's fine?
[14:09] <noonedeadpunk> btw we also have tests repo failing on master
[14:10] <jrosser> it was fine in AIO
[14:10] <jrosser> but i did some hacking there to make it work, so just want to double check it with everything clean
[14:10] <noonedeadpunk> doh
[14:11] <jrosser> thankfully it's quick as it works/breaks for the utility container which is early
[14:12] <opendevreview> Merged openstack/openstack-ansible-haproxy_server master: Add option to use alernative CA server for certbot  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/814364
[14:13] <mgariepy> i did an upgrade to stein last week and on python 2.7 it was breaking also. on ubuntu 18.04.
[14:14] <noonedeadpunk> yeah, root certs rotation is always tough thing...
[14:15] <mgariepy> it failed on creating the ansible-runtime..
[14:15] <noonedeadpunk> same for me
[14:15] <noonedeadpunk> and it was because of certifi... but actually making pip to use system trust is maybe better solution
[14:18] <mgariepy> i did overwrote https>http..
[14:18] <mgariepy> lol
[14:27] <ierdem> hi, my OSA victoria installation is stuck at TASK [python_venv_build : Install python packages into the venv] step, setup-infrastructure playbook is running now. No errors, no warnings and no logs. Any ideas?
[14:28] <jrosser> there will be a log file in /var/log/python_venv_build.log which is usually very helpful
[14:33] <prometheanfire> noonedeadpunk: pinning certifi?
[14:34] <noonedeadpunk> yeah, like https://opendev.org/openstack/requirements/src/branch/stable/victoria/upper-constraints.txt#L39
[14:34] <prometheanfire> as a general matter of policy I'm against pinning (capping) libs, you always forget to uncap/pin and it prevents you from getting updates (security and otherwise)
[14:34] <noonedeadpunk> which does not contain correct root ca for LE
[14:34] <odyssey4me> hey folks - my OSA is a little rusty... I recall there was something we configured to stop the haproxy checks from spamming the log files... can someone help me find where that was?
[14:34] <noonedeadpunk> afaik
[14:35] <prometheanfire> odyssey4me: ltns :D
[14:36] <odyssey4me> prometheanfire o/ indeed... hope you and yours are doing well!
[14:36] <prometheanfire> noonedeadpunk: I'm not sure the reason for pinning, is it because old versions have LE root certs and new versions removed it?
[14:36] <prometheanfire> odyssey4me: likewise to you as well
[14:37] <noonedeadpunk> I'd say vice versa. So as you might know LE just rotated their root CA. And eventually, your systems must contain valid CAs to be able to communicate
[14:37] <noonedeadpunk> and opendev is also using LE
[14:38] <noonedeadpunk> odyssey4me: I can recall smth like that, but I'm not sure if it wasn't rsyslog only?
[14:38] <noonedeadpunk> So I guess we added specific user-agent to haproxy checks, and I guess we should have been filtering based on that
[14:39] <noonedeadpunk> But I dunno how this could be done with journald
[14:39] <prometheanfire> noonedeadpunk: so, what exactly are you proposing?  updating the pin on a stable branch?  I can see that being needed with the rotation
[14:39] <noonedeadpunk> except on before forwarding logs
[14:39] <odyssey4me> noonedeadpunk I really thought this was something configured in middleware or something in the openstack services... but maybe my memory has become faulty in my old age :p
[14:39] <noonedeadpunk> prometheanfire: yeah, that is one thing to do. Or eventually validate if we ever need this to be pinned at all
[14:39] <jrosser> like this https://github.com/openstack/openstack-ansible/blob/master/inventory/group_vars/haproxy/haproxy.yml#L49
[14:40] <odyssey4me> jrosser yes!
[14:41] <noonedeadpunk> but obviously this alone does not prevent from spamming logs... And I believe we don't have anything prior to that
[14:41] <odyssey4me> jrosser and https://opendev.org/openstack/ansible-role-uwsgi/src/branch/master/templates/uwsgi.ini.j2#L37
[14:41] <noonedeadpunk> ah
[14:41] <ierdem> jrosser, I've checked the logs in /var/log/python_venv_build.log and saw that utility container can not establish connection with the repo container. My OSA configuration has 1 infra host and 2 computes. Logs --> https://paste.opendev.org/show/810078/
[14:42] <ierdem> What internal_lb_vip_address should be ?
[14:42] <ierdem> i set it the same address with br-mgmt
[14:43] <jrosser> i think thats fine
[14:43] <noonedeadpunk> it should be set on the interface with keepalived
[14:43] <jrosser> you should be able to test this all out with curl
[14:43] <noonedeadpunk> but looks fine indeed
[14:43] <jrosser> not keepalived with just one infra node
[14:44] <noonedeadpunk> prometheanfire: because eventually certifi is just set of root CAs and it's always good to have latest I guess?
[14:44] <noonedeadpunk> or we really need to keep an eye on it at all times
[14:46] <jrosser> ierdem: try to curl the URL in the venv build log, duplicate the problem
[14:46] <ierdem> jrosser, I've tried, cannot curl
[14:46] <jrosser> then swap out the IP for the one of the repo server, and see if that works
[14:46] <jrosser> if the repo server is broken, and haproxy has marked it as bad
[14:46] <ierdem> repo server is working
[14:46] <jrosser> then you wont be able to connect at the VIP
[14:46] <jrosser> right, so then need to debug from the perspective of haproxy
[14:47] <jrosser> does it think the repo server is up or down.....
[14:48] <jrosser> noonedeadpunk: rather annoyingly https://review.opendev.org/c/openstack/openstack-ansible/+/814560 is working locally for me in a fresh centos-7 vm :(
[14:50] <jrosser> i even applied the patches with the gerrit cherry pick to make sure i've got exactly the same changes
[14:52] <ierdem> jrosser, haproxy logs --> https://paste.opendev.org/show/810079/ . 192.168.137.10 is the external_lb_vip_address. We use this 192.168.137.X network as external, also our hosts has ip from this subnet
[14:52] <ierdem> I can reach hosts from these ips but there is no binding for 192.168.137.10
[14:52] <jrosser> is this an lxc or metal deployment
[14:53] <ierdem> lxc
[14:53] <jrosser> you should be able to use netstat -plant to see whats already bound to that port/ip
[14:54] <jrosser> which should be nothing
[14:55] <ierdem> yes, there is nothing
[14:57] <mgariepy> ierdem, is keepalived adding the ip to your host?
[14:57] <jrosser> if its just one controller then i'm not sure we setup keepalived
[14:57] <ierdem> I have 1 infra hosts, so there is no keepalived
[14:58] <mgariepy> the ip is configured  then ?
[14:58] <jrosser> ahh good question :)
[14:58] <jrosser> "could not bind to" is either something already is bound, or the IP is not there to use
[14:59] <mgariepy> no keepalived> not config to bind to non-existing address.
[14:59] <ierdem> I set  br-mgmt as internal_lb_vip_address, and this ip has been bound to infra1
[15:00] <jrosser> for a single infra host you need to manually set up the external IP on a suitable interface
[15:00] <jrosser> as keepalived isnt there to do that for you
[15:00] <noonedeadpunk> Just in case - we have PTG now in https://www.openstack.org/ptg/rooms/havana
[15:00] <jrosser> oh!
[15:00] <prometheanfire> noonedeadpunk: well, if you don't want to pin within OSA I think that's fine (for certifi)
[15:01] <prometheanfire> we pin in gate to have a single test surface
[15:01] <ierdem> jrosser, how can I set external ip manually?
[15:03] <noonedeadpunk> prometheanfire: well, we either use or not use u-c?
[15:03] <noonedeadpunk> and I guess we're running circles here...
[15:04] <noonedeadpunk> Either I don't get why u-c exists or they're widely misused
[15:04] <noonedeadpunk> *what u-c are for
[15:05] <prometheanfire> main reason for UC to exist is for gate to have a single test surface
[15:05] <prometheanfire> a product of that is that UC is useful for downstream, because all those libs are known to work (for packaging or deployment consumers)
[15:06] <prometheanfire> I thought OSA had a way of removing a pin for individual libraries
[15:06] <jrosser> certifi isnt a proper python package
[15:06] <jrosser> its a .pem of CA certificates
[15:06] <prometheanfire> ya, certifi is more special
[15:06] <prometheanfire> well, odd lol
[15:06] <jrosser> and is now bogusly pinned as the contents are expired
[15:07] <jrosser> so this is not the normal "what is u-c for anyway" question
[15:08] <ierdem> jrosser, problem resolved. We add 'net.ipv4.ip_nonlocal_bind=1' to /etc/sysctl.conf and ran sysctl -p. After these restarted haproxy and setup-infrastructure.yml. It seems fine now
[15:08] <prometheanfire> we do have a procedure for updating UC for stable branches, it's probably a lib that should not be pinned (we have a few of those, this is another)
[15:15] <mgariepy> ierdem, how the ip gets on the host then ?
[15:15] <mgariepy> i am confused a bit..
[15:15] <ierdem> internal or external ?
[15:15] <mgariepy> ha. well the external will need to work at some point.
[15:16] <mgariepy> i guess the deployment will/should work if only internal is reachable.
[15:17] <prometheanfire> jrosser, noonedeadpunk: if you want to not pin certifi that's fine, but to do so openstack wide will require a ML discussion
[15:17] <prometheanfire> that said, I still remember discussion years ago about OSA being able to remove or change individual lines for constraints
[15:18] <jrosser> yes we can do that but we have to patch every instance of that in every role, it's very unwieldy
[15:18] <prometheanfire> ah
[15:18] <prometheanfire> well, in that case, like I said, I can support removing the pin openstack wide
[15:18] <prometheanfire> I don't think we can remove it retroactively though
[15:19] <prometheanfire> which sucks, given the cert rotation
[15:36] <opendevreview> Merged openstack/openstack-ansible-os_tempest master: python-tempestconf moved from osf/ to openinfra  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/814404
[16:06] <opendevreview> Merged openstack/openstack-ansible master: Fix manila haproxy manage  https://review.opendev.org/c/openstack/openstack-ansible/+/813885
[16:59] <noonedeadpunk> prometheanfire: but we can update pin on stable branches at least?
[17:00] -opendevstatus- NOTICE: Both Gerrit and Zuul services are being restarted briefly for minor updates, and should return to service momentarily; all previously running builds will be reenqueued once Zuul is fully started again
[17:00] <prometheanfire> noonedeadpunk: yep
[17:21] <jrosser> ianw: annoyingly this (and its dependency) seem to work for me here in a centos-7 vm...... https://review.opendev.org/c/openstack/openstack-ansible/+/814560
[17:22] <jrosser> that addresses both the in-CI and out-of-CI cases
[19:02] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/wallaby: Fix manila haproxy manage  https://review.opendev.org/c/openstack/openstack-ansible/+/814650
[19:03] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/victoria: Fix manila haproxy manage  https://review.opendev.org/c/openstack/openstack-ansible/+/814651
[19:08] <ianw> jrosser: that failure is the second one in python_venv_build
[19:08] <ianw> it might be from urls in the constraint?
[19:08] <jrosser> the depends-on is supposed to fix that
[19:09] <jrosser> and appears to locally
[19:10] <ianw> jrosser: oh, i see.  yeah, guess what -- that overrides pip.conf by default :)
[19:11] <jrosser> oh, have I missed something obvious?
[19:12] <ianw> jrosser: https://review.opendev.org/c/openstack/openstack-ansible/+/814506/4/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
[19:12] <ianw> it is not obvious, it took me quite some time to figure out :)
[19:13] <jrosser> doh!
[19:23] <ianw> jrosser: i'm sort of ambivalent on how that gets fixed; although i think directing pip at the system cacert is probably a more generic solution (even if we move it into the job, rather than a zuul pre step)
[19:24] <ianw> but there's a lot of other issues with stein that follow after that; it seems like things like barbican tempest plugins all try and install v3 only which fails
[19:24] <jrosser> I think noonedeadpunk has patches for that already
[19:29] <ianw> oh https://review.opendev.org/c/openstack/openstack-ansible/+/814558 ?
[19:29] <ianw> does that mean it just falls back to pip for them?
[19:32] <jrosser> it’s maybe just disabling those tests entirely
[19:37] <ianw> jrosser: is this something that could be done as a follow-up to the debian-stable removal?
[19:38] <ianw> i'm just wondering the most efficient path to getting rid of that
[19:38] <jrosser> if you want to force merge some stuff to remove those jobs then sure
[19:39] <jrosser> feels like we start a new rabbit hole of fixing centos which is tangential to that
[19:39] <ianw> yep :)  although i think it's been good to get a clear idea of what is going on
[19:41] <ianw> if you're happy then, i might re-propose changes to just remove debian-stable and force merge those.  the other changes can be used for testing these other fixes
[19:45] <jrosser> I would be fine with that
[19:47] <ianw> thank you!
[20:35] <spatel> how do i restart dhcp namespace ? i had ip conflict and look like that creating issue so wanted to restart namespace
[20:35] <spatel> I did systemctl restart neutron-dhcp-agent
[20:36] <spatel> does that restart namespace?
