Friday, 2021-12-03

*** sshnaidm is now known as sshnaidm|off02:57
*** raukadah is now known as chandankumar06:12
jrossersomething very weird with these db pooling patches, the db sync commands fail08:18
noonedeadpunkyeah, saw that, haven't debugged yet08:20
noonedeadpunkit feels that it tries to do more operations then allowed by pool or smth08:20
* noonedeadpunk in meetings queue08:21
noonedeadpunkqueue is wrong word but I hope you got context08:21
noonedeadpunkrow probably would be more correct one08:21
jrosserhttps://zuul.opendev.org/t/openstack/build/84edd8ff25434c28ba30659541ff2542/log/logs/host/syslog.txt#1631408:22
jrosserthere's a stack trace at least08:23
noonedeadpunkum....08:24
noonedeadpunk`ERROR glance     pool.logger.debug("Error on connect(): %s", e)`08:25
noonedeadpunkso AttributeError is probably result of pooling issue08:26
noonedeadpunkdamiandabrowski[m]: you would be interested ^08:26
damiandabrowski[m]:( I'll have a look09:34
noonedeadpunkI'm about to test out thing in aio09:38
noonedeadpunkstack trace in  readable way https://paste.opendev.org/show/811425/09:42
damiandabrowski[m]thanks!09:43
noonedeadpunkoh, i know, lol09:45
noonedeadpunkthat is stupid :)09:45
noonedeadpunkhttps://zuul.opendev.org/t/openstack/build/84edd8ff25434c28ba30659541ff2542/log/logs/etc/host/glance/glance-manage.conf.txt09:45
noonedeadpunk`max_overflow = 50` is on connection string09:45
noonedeadpunkdamiandabrowski[m]:  ^09:45
noonedeadpunkso it's just tempalting issue09:46
damiandabrowski[m]omg :D so probably i need to add one extra blank line after connection string, right? https://paste.openstack.org/raw/811427/09:48
damiandabrowski[m]but can You explain me why it's needed? :D 09:48
noonedeadpunkum, not sure, it might be config_template bug actually....09:50
noonedeadpunkor probably it's somesthing related to whitespace control https://jinja.palletsprojects.com/en/3.0.x/templates/#whitespace-control09:51
noonedeadpunkyes, it's whitespace control09:53
noonedeadpunkso if add `+` to last endif it works as expected09:53
noonedeadpunkie https://paste.opendev.org/show/811428/09:53
noonedeadpunk(see {% endif +%} )09:54
noonedeadpunk(I never fully understood whole whitespace control reasoning)09:57
damiandabrowski[m]great, thanks!09:59
jrosseri've noticed this before, that for a bunch of our templates the blank lines in the .j2 files are super important10:02
damiandabrowski[m]yeah, i didn't know about it, but now it kind of makes sense10:03
jrosserotherwise that kind of joining one line to the next happens, but its really unclear what it is makes that happen10:03
damiandabrowski[m]and that's why we can use conditionals like `{% if nova_ceilometer_enabled %}` without creating an extra blank line10:03
jrosseras in lots of places we have consecutive lines just fine10:03
damiandabrowski[m]i think it happens when {% %} takes a whole line, so statements like proxyclient_address from here, work fine: https://paste.openstack.org/show/811430/10:05
jrossermanybe theres no implicit newline after a final %}10:06
damiandabrowski[m]i think i just wrote something stupid10:11
damiandabrowski[m]but yeah, probably using nested conditionals in one line is a problem for some reason10:11
opendevreviewMerged openstack/openstack-ansible-os_nova master: Don't fail when nova_console_type is disabled  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/82024610:11
noonedeadpunkwell since adding `+` before last `%}`  fixes that which is what exactly decribed in whitespace control10:21
noonedeadpunk`you can manually disable the trim_blocks behavior by putting a plus sign (+) at the end of a block`10:22
opendevreviewMerged openstack/ansible-role-uwsgi master: Refactor definition of lock path  https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/82020810:22
damiandabrowski[m]that's right, i'm fixing it right now10:23
noonedeadpunkand by default `a single trailing newline is stripped if present` but yeah, I guess things go wrong when we use that as oneliner... So next line jsut get's stripped10:24
opendevreviewMerged openstack/openstack-ansible-os_trove master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/82024310:24
opendevreviewMerged openstack/openstack-ansible-os_ironic master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/82022410:36
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_aodh master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_aodh/+/82022610:39
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_barbican master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/82022710:40
noonedeadpunkdamiandabrowski[m]: btw it shouldn't be an issue in defaults though - it only raises while template renderring10:40
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_blazar master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_blazar/+/82022810:40
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_cinder master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/82022910:40
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_cloudkitty master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/82023010:40
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_designate master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/82023110:40
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_glance master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/82023210:40
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_heat master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/82023310:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_magnum master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/82023410:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_manila master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_manila/+/82023510:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_masakari master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/82023610:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_mistral master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/82023710:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_murano master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/82023810:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_neutron master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/82022310:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_octavia master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/82022010:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_placement master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/82023910:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_sahara master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_sahara/+/82024010:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_senlin master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_senlin/+/82024110:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_tacker master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_tacker/+/82024210:41
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_zun master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_zun/+/82022210:41
damiandabrowski[m]noonedeadpunk: hmm, but aodh which has a connection string defined in defaults also failed, let me have a look10:45
opendevreviewJames Gibson proposed openstack/openstack-ansible master: Add documentation of security improvements made to Openstack Ansible  https://review.opendev.org/c/openstack/openstack-ansible/+/82037010:46
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Define manila_osapi_share_workers for CI  https://review.opendev.org/c/openstack/openstack-ansible/+/82001010:48
noonedeadpunkdamiandabrowski[m]: it failed with some upgrade check, si likely to be unrelated10:48
damiandabrowski[m]ahhh i see, let me revert it then10:49
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_aodh master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_aodh/+/82022610:50
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_cloudkitty master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/82023010:51
damiandabrowski[m]noonedeadpunk:  is there anything left we really want to push before X release? 11:04
jrosserdamiandabrowski[m]: there are a bunch of role default var names that you've changed and these really should have a release note11:09
jawad-axdHi all here, I have runnign OSA env. (wallaby, ubuntu 20.04) with external ceph cluster. I am running manila, cinder already. Want to install/integrate object storage where I can use horizon to create containers and objects. I am not sure how it will do it, since it should be just integration of keystone and rados gateway. How should I define it in openstack_user-config.yaml and user_variables.yaml? 11:09
jrosseranyone upgrading needs to know that to update their overrides11:09
jawad-axd@jrosser Any comment on that? Thanks11:10
jrosserjawad-axd: you already run radosgw in the external ceph?11:11
jawad-axdyes11:12
jrosserok11:12
jrosserso, just like when you integrate external ceph mon with OSA you can also integrate external rgw11:12
opendevreviewMerged openstack/openstack-ansible-ceph_client master: Update ceph clients release to pacific  https://review.opendev.org/c/openstack/openstack-ansible-ceph_client/+/82000911:13
jrosserjawad-axd: see here https://github.com/openstack/openstack-ansible/blob/master/playbooks/ceph-rgw-install.yml#L1711:13
noonedeadpunkjrosser: I think you meant to more explicit rather then just https://review.opendev.org/c/openstack/openstack-ansible/+/819424/6/releasenotes/notes/db-pooling-7c42f3aed39d5fc9.yaml ? 11:13
jrosserif OSA has deployed the radosgw there will be a host group called {{ rgw_group_name }}11:14
jrosserbut see that it is also looking at the variable ceph_rgws11:14
jrosserthat is where you can give a list of external radosgw, just like you would have done for your mon11:14
noonedeadpunkI'm not sure if we should have reno for _each_ service, but might be indeed we need more explicit version of waht exactly has changed11:16
damiandabrowski[m]noonedeadpunk: i think it's about changes like this: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/820225/1/defaults/main.yml11:16
damiandabrowski[m]for consistency, i've renamed keystone_database_max_pool_size -> keystone_db_max_pool_size as an example11:16
jrosserjawad-axd: to make the horizon dashboard work you must set the RGW up to serve swift API, even if you actually want S3 for users11:16
noonedeadpunkoh, it's bad)11:17
damiandabrowski[m]i can find all repos when i made this changes and write releasenote for them11:17
jrosserit's quite a big deal to change role defaults11:17
noonedeadpunkat least we should cover that with reno and keep compatability for at least one release11:17
noonedeadpunkyeah, agree11:17
jrosserdamiandabrowski[m]: defaults/main.yml is kind of the 'published API' for the roles and theres an expectation of reasonable stability there11:18
jrosserthose vars end up in deployers user_variables and group/host_vars to provide the customisations that they want11:19
jrosserso we have to be careful when changing / renaming things as it can break a lot of stuff11:19
opendevreviewMerged openstack/openstack-ansible master: Update ceph-ansible release to pacific  https://review.opendev.org/c/openstack/openstack-ansible/+/82000811:20
jawad-axd@jrosser Thanks. I am gonna try it now.11:21
damiandabrowski[m]thanks jrosser let me check how many repos are affected11:21
jrosserjawad-axd: there will be a few steps - set up the keystone integration with osa playbooks, there will be stuff needed in the radosgw config files for keystone11:22
jrosseryou need connectivity between the rgw and haproxy, and also the service catalog entries for object storage need to be present and point to the radosgw endpoint/vip11:23
jrosseri guess my point is that this is not a automatic setup, it is expected you'll need to understand/address a bunch of things to make it work11:24
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-rabbitmq_server master: Allow to provide policy state  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/81991711:27
damiandabrowski[m]jrosser:  noonedeadpunk i have changed variable names only for keystone. So if it's only a single repo, do we still need to keep compatibility for one release or just write deprecation info in releasenotes?11:28
noonedeadpunkif we are to follow best practises you know the answer. esp considering that keystone is core service11:29
jawad-axd@jrosser I am aware of that, its not plain automatic setup. Have seen few articles on it. 11:31
noonedeadpunkbut at least we should cover with release note11:32
damiandabrowski[m]thanks, i'll fix it later today11:37
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Do not fail when nova console is disabled  https://review.opendev.org/c/openstack/openstack-ansible/+/82019211:40
*** arxcruz|rover is now known as arxcruz12:43
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_octavia master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/82022013:47
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_zun master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_zun/+/82022213:47
noonedeadpunkwe need to merge https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/820203/1 to fix octavia13:57
noonedeadpunkthis will also bring pile of patches btw... https://review.opendev.org/c/openstack/openstack-ansible-tests/+/81991513:59
spatelnoonedeadpunk or jrosser - could you take a look at this log and tell me what is wrong here? - https://paste.opendev.org/show/811436/14:10
jrosseri would guess you have type/error/formatting problem in provider_networks in openstack_user_config.yml14:12
jrosser*typo hah14:12
spatelhmm let me see 14:14
spatelall other playbooks working fine14:14
jrosserthey likley would, neutron is where provider_networks needs to be dealt with14:16
spateljrosser can you see any typo here - https://paste.opendev.org/show/811438/ 14:30
spatelall looks good to me 14:30
jamesdentonspatel you're missing a container_interface on the br-provider network14:52
jamesdentonit's the logic currently requires it but it may not really be necessary14:53
spatelhmm14:53
jamesdentonjust set container_interface: eth11 and you should be fine. I will not be used14:54
spatelcan you give me snippet ?  how did it work in first time? 14:54
spateloh in - container_bridge: br-provider section right?14:54
jamesdentonwell actually, because northd is in a container it could be used, but it's essentially trying to connect a veth to the br-provider bridge in that container14:55
jamesdentonyes, that section14:55
spatelre-running playbook and look like your nailed it :)14:55
jamesdentoni'm not using lxc for neutron anymore so i can't compare14:56
spatelthat works! 14:56
jamesdentonCool cool. Just FYI, i ran into an issue from Wallaby->Xena (master) yesterday w/ OVN - "Could not retrieve schema from tcp:10.20.0.30:6641,tcp:10.20.0.22:6641,tcp:10.20.0.23:6641". Seems northd isn't starting, and the logs show this: https://paste.opendev.org/show/811439/14:57
jamesdentonI'm not sure why it's expecting SSL now14:57
jamesdentoni have to step away, still looking into that one14:58
spateli have seen that error 14:58
spatelmake sure you have this config in place - https://paste.opendev.org/show/811440/14:59
spateldo you have 3 node infra or single node? 14:59
spatelBRB - meeting time 15:00
jamesdentonspatel that's the thing, i never configured SSL for OVN!15:11
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Define manila_osapi_share_workers for CI  https://review.opendev.org/c/openstack/openstack-ansible/+/82001015:28
*** chandankumar is now known as raukadah15:29
opendevreviewMerged openstack/openstack-ansible-os_senlin master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_senlin/+/82024115:34
opendevreviewMerged openstack/openstack-ansible-os_placement master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/82023915:38
spateljamesdenton ah! very odd, then may be by default ovn using SSL. if you don't care about SSL then just switch to tcp 15:38
spatelbut very odd that you are seeing that ssl issue 15:39
opendevreviewMerged openstack/openstack-ansible-os_glance master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/82023215:41
opendevreviewMerged openstack/openstack-ansible-os_designate master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/82023115:43
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_keystone master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/82022515:43
opendevreviewMerged openstack/openstack-ansible-os_tacker master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_tacker/+/82024215:43
damiandabrowski[m]I have fixed db-pooling for keystone, please take a look when You have a moment: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/820225/15:45
damiandabrowski[m]I also wonder how can we ensure that we won't forget to remove these variables in next release? :D 15:45
noonedeadpunkum, I'm not 100% sure but I'd say there's an issue15:45
noonedeadpunkusually we leave # TODO(nickname): Do $stuff in $release15:46
opendevreviewMerged openstack/openstack-ansible-os_heat master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/82023315:46
opendevreviewMerged openstack/openstack-ansible-os_barbican master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/82022715:47
noonedeadpunkdamiandabrowski[m]: but if you tested and it works that way as well - it's okey15:48
opendevreviewMerged openstack/openstack-ansible-os_blazar master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_blazar/+/82022815:49
opendevreviewMerged openstack/openstack-ansible-os_masakari master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/82023615:49
noonedeadpunkdamiandabrowski[m]: there's also an issue with neutron https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/82022315:49
damiandabrowski[m]ouh...thanks15:51
opendevreviewMerged openstack/openstack-ansible-os_cloudkitty master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/82023015:51
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_keystone master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/82022515:53
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_keystone master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/82022515:54
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_neutron master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/82022315:55
opendevreviewMerged openstack/openstack-ansible-os_sahara master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_sahara/+/82024015:55
opendevreviewMerged openstack/openstack-ansible-os_aodh master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_aodh/+/82022616:04
opendevreviewMerged openstack/openstack-ansible-os_magnum master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/82023416:07
noonedeadpunkdamiandabrowski[m]: and, you renamed neutron_db_pool_size to neutron_db_max_pool_size16:12
noonedeadpunkwhich I'd say we can avoid doing at all....16:13
spateljrosser i am playing with ovn pki implementation and i am able to create/install certs but i am seeing its using same CA/cert/key file to copy on each compute nodes, what we need to do to create each compute has own cert? 16:23
spatelwhat is best option copy same cert to all compute or do you recommend different cert for each compute?16:24
spateli think option one is easy and simple 16:25
spateli am using rabbitMQ task/main.yml example to implement that with ovn16:25
jrosserif you look at os_nova you can see in the role defaults that the cert contents depends on a bunch of host variables https://github.com/openstack/openstack-ansible-os_nova/blob/master/defaults/main.yml#L569-L58116:25
jrosserand then when the certs are installed they are referencing the appropriately named certs on the deploy host https://github.com/openstack/openstack-ansible-os_nova/blob/master/defaults/main.yml#L590-L60016:27
spatelhmm let me check work flow from os_nova example. 16:28
jrosserfor the rabbitmq role it also creates uniqe certs per host https://github.com/openstack/openstack-ansible-rabbitmq_server/blob/master/defaults/main.yml#L153-L15816:29
spatelThis is what i did in os_neutron/default/main.yml - https://paste.opendev.org/show/811449/16:29
jrosserdon't be confused by the rabbit role also creating a CA - you wont need to do that16:29
jrosserthe rabbit role has it in the defaults because that role could be used outside OSA so needs to stand alone16:29
jrosserthats not the case for os_neutron16:29
spatelI have noticed RabbitMQ has own CA, so you are saying we shouldn't do that with OVN correct? 16:31
jrossercorrect16:31
jrosserstrip it back to look more like what is done for nova16:31
jrosserrabbit / galera / haproxy roles can create their own CA as they have a life outside OSA16:32
spatelmake sense 16:32
jrosserhopefully this is not too complex16:32
jrossereverything is driven by those data structures in defaults/main.yml16:32
spateli am just wrapping my head around this structure. where is the default OSA CA files located?  - https://paste.opendev.org/show/811450/16:34
jrosserthose are the certs16:35
spatelwhere is the CA file? we don't keep them on deployment node? 16:35
jrosserlook in something like /etc/openstack_deploy/pki/roots/.....16:35
spatelah!! got it16:36
jrosserso just like when you define the certs in a role its a list16:36
spatelsorry, i didn't pay attention to that16:36
jrossersame for the roots so there can be as many as we need16:36
jrosserand the "signed_by" in a cert says which root has generated it16:36
spatelwhen i will take example from os_nova then my all cert will get singed by ExampleCorpRoot correct?16:36
jrosserthis https://github.com/openstack/openstack-ansible-os_nova/blob/master/defaults/main.yml#L57416:37
jrosserwhich goes to https://github.com/openstack/openstack-ansible-os_nova/blob/master/defaults/main.yml#L56416:38
jrosserin turn goes to https://opendev.org/openstack/openstack-ansible/src/branch/master/inventory/group_vars/all/ssl.yml#L2516:38
spatellook like i can pretty much copy paste these stanza in neutron playbook and that should work after adjusting dir path etc 16:38
jrosseryes exactly, thats the idea16:39
jrosserthe stuff from defaults/main.yml should be kind of portable across roles with some search/replace16:39
spatelsweet! let me give it a shot 16:39
jrossernova got a bit complicated because libvirt/qemu/vnc all wanted slightly different things16:40
jrosserso hopfully OVN is a bit more consistent and you can keep it simple16:40
spatelwhy don't we create standard place for all cert like /etc/pki/ so that way we don't need to know which directory it will go 16:40
jrosserhmm?16:40
spatelfor example /etc/pki/libvirt 16:41
jrosserwell some things have locations they expect to find stuff16:41
spatelif we dump all certs in /etc/pki/  then we don't need to adjust PKI code for each role 16:42
jrosserright, but if (for example) libvirt looks somewhere else, it needs to be all adjustable16:42
spatellet me first try your code out and see.. i may be saying lots of word which doesn't make sense 16:43
jrosserif OVN lets you specify a path to the files, thats cool16:43
jrossernot everything does and you have to put it exactly where the program wants it16:43
spatel+1 16:43
spatelovn is flexible about path16:44
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_neutron master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/82022316:45
jrosserok so in that case you can use a standard location just like we do for rabbit https://github.com/openstack/openstack-ansible-rabbitmq_server/blob/master/defaults/main.yml#L10516:45
spatelok16:46
noonedeadpunkjrosser: any idea how we can avoid oom killing qemu for manila CI?16:54
noonedeadpunkthat only happens for centos though16:54
noonedeadpunkI'm about to adjust oom score tbh16:54
jrossermanila is a ceph deployment?16:54
noonedeadpunknot sure what would be killed instead though16:54
noonedeadpunkit is16:54
noonedeadpunkwe can probably avoid rgw somehow?16:55
jrosserthere is quite possibly a load of ram chewed up there16:55
jrosserfor manila test certainly yes16:55
jrosserand we can make sure that for CI we just make one OSD16:55
jrosserlike no replicatin16:55
noonedeadpunkaccording to output of https://zuul.opendev.org/t/openstack/build/fa6f6db2d57a422ba3c89aea4f07359f/log/logs/openstack/instance-info/ps_20-55-33.log.txt most consumers are rabbit, galera and neutron. but ofc ceph is also big enough16:56
noonedeadpunkhm, indeed, osd are ram consuming.16:56
noonedeadpunkwould need to check how to do that and leave cluster healthy...16:57
noonedeadpunkbut thanks for idea - that was helpful!16:57
spateladd swap is only solution to stop oom temporally 16:57
noonedeadpunkI was thinking about that. but it would make jobs really slow... and I guess even with swapiness 0 it begin to be used before manila even start...16:58
noonedeadpunkeventually jobs were passing before :(16:58
jrosserthere is also a ram target for OSD16:59
jrosserwhich ceph-ansible defaults to (host ram - safety margin) / num osd 16:59
jrosserand if you set the is_hci flag for a host it makes a very very different assumption, that most of the host ram is required for other things, rather than OSDs17:00
jrosserwe were looking at this very recently as we have a set of mon and osd co-located in one deployment and it was doing OOM17:00
jrossernoonedeadpunk: https://github.com/ceph/ceph-ansible/blob/master/group_vars/all.yml.sample#L339-L34217:02
noonedeadpunkmon and osd on same host not greatest idea from my experience17:03
noonedeadpunkit's even better to have mons in containers17:03
jrosseryes in this case it's a LXD mon on a host which also has OSD17:03
noonedeadpunkas during upgrade, when you need to upgrade monitors first - you will get ceph-common and ceph-osd upgraded as well...17:03
jrosserbut still the config for the OSD gives it all the ram17:04
noonedeadpunkyeah17:04
jrosseranother gotcha was adding more OSD to an existing storage node17:04
jrosserthere is a ceph-ansible bug where it doesnt restart the existing OSD with the new memory target17:04
noonedeadpunkah...17:04
jrosserso you also end up OOM when the extra disks go in17:04
noonedeadpunkwel, our stor teram for reasons I don't understand drift away from ceph-ansible....17:05
opendevreviewJames Gibson proposed openstack/openstack-ansible master: Add documentation of security improvements made to Openstack Ansible  https://review.opendev.org/c/openstack/openstack-ansible/+/82037017:18
opendevreviewMerged openstack/openstack-ansible-os_octavia master: Refactor definition of lock path  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/82020317:30
opendevreviewMerged openstack/openstack-ansible-os_octavia master: Use config_template as a collection  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/81986717:30
evrardjphello mgoddard 18:02
spateljrosser what is servercert.pem vs clientcert.pem ?19:15
jrosserwhere?19:15
spatelhttps://github.com/openstack/openstack-ansible-os_nova/blob/master/defaults/main.yml#L59119:15
spatelhttps://github.com/openstack/openstack-ansible-os_nova/blob/master/defaults/main.yml#L60419:15
jrosserfor nova live migration it needs "mutual tls"19:16
jrosserso there is a cert on the server side19:16
jrosserand also there is a cert presented "as a client" to another live migration host19:16
spatelin ovn case i only need 3 file CA / certs / key19:16
jrosserso the validation is bidirectional19:16
jrosserwell it depends19:17
jrosseri don't know if OVN wants (or is able) to validate clients19:17
jrossertheres two things possible with TLS, secure the traffic19:17
jrosserand the optionally you can validate the authenticity of the client19:18
spatelHere is the flow of ovn - https://satishdotpatel.github.io/ovn-ssl-setup-with-openstack/19:18
spatelI am generating compute cert and then sign it and copy it to compute machine. 19:19
jrosserwell, according to this https://bugzilla.redhat.com/show_bug.cgi?id=1601926 it is possible to use mutual tls for ovn19:19
jrosseryou are generating the compute server cert19:19
jrosseri think?19:21
spatelI created CA authority and then i generate certificate for each components.. like ovn-central and ovn-controller etc..  19:21
spatelthen i copy those certs/key to compute node and then my compute node start using SSL to talk to ovn-central component 19:22
jrosserthe trouble is that the diagram doesnt show which is a client and which is a server19:22
jrosserone end must initiate the connection?19:23
spatelovn-central is server component 19:23
spatelovn-controller which run on compute connect to ovn-central (so assuming computes are always client and ovn-central is server which is located on infra node)19:24
spatelovn-central never initiates the first connection to the compute node, or never makes a connection at all. only the compute makes the first connection.19:26
spatelI think in OVN clustering we may need mutual connections because each cluster node talks to the other members and vice versa.19:27
jrosserno, that's not what it means19:27
jrosserserver = listening service19:27
jrosserclient = thing that connects to server19:27
jrosserso server certificate, is there basically to secure the traffic to/from the client19:28
jrosserclient certificate lets the server validate that it is a legitimate client19:28
spatelReading - https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/19:28
jrosserfor normal web browsing like https there is almost never a client cert19:29
spateloh! now i am following you 19:29
jrosserso that's kind of what's not clear with the OVN stuff, which is intended to be the server side cert, and which to be the client19:30
jrosserwe have some mTLS stuff here to secure confluence/jira etc, and the users need a specially issued personal client cert in their browsers19:31
jrosserit lets the server side validate that the user is legitimate and allowed19:32
jrosserso for this OVN stuff that's why it's important to be clear what the purpose of the cert is (and comment as such, you'll see that in os_nova)19:33
spatelI got your point, this way it will provide 100% security both ways..19:33
jrosseryes that's right19:33
jrosserit means that nothing can connect to the ovn-central unless it's another ovn component19:33
jrosserwell, actually only something that has a certificate which can validate against the provided CA19:34
jrosseryou can examine the certificates from your example with `openssl x509 -in certificate.crt -text -noout`19:35
jrosserthen see here https://github.com/openstack/openstack-ansible-os_nova/blob/master/defaults/main.yml#L579-L58119:35
jrosserthe purpose of the cert is encoded inside it, for os_nova for simplicity we create one dual purpose server & client cert19:36
spatelI can understand in the NOVA case we need mTLS so two compute nodes trust each other. but in the OVN case I don't think we have that scenario.19:36
jrosserit looks like that is what is being set up in your ovn blog?19:37
spatelin OVN case all we want to do is secure communication between ovn-central and ovn-controller 19:37
spatelYes, that is what i did 19:38
jrosserotherwise what is the certificate for on the ovn-controller, if it's only a client19:38
spatelhmm! Let me first finish this playbook and then see how it goes.. looks like I have more questions than answers. I would like jamesdenton to also take a look and give some input if I am confused in the process.19:41
spatelfor now I am keeping things as they are, just to see what goes where.19:42
jrossersee the -p -c & -C flags here https://www.ovn.org/support/dist-docs/ovn-controller.8.html19:44
jrosserthis is just normal mTLS stuff by the look of it19:44
spatelhmm.. yes seems like.. 19:45
spatelbecause I am installing certs on each component that means it's kinda using mTLS19:46
jrosseryes, so with the PKI role you need to get the flags in the certs right19:46
jrosserthat's why it might be useful to inspect the ones that the `ovs-pki` tool made for you19:46
spatelovs-pki is just toolchain to create certs etc easy way.19:47
spateli don't think it does anything magical for ovn19:48
spateljrosser - i have added this snippet in os_neutron/default/main.yml - https://paste.opendev.org/show/811455/20:08
spatelwhen I run the os_neutron playbook somehow this code didn't trigger20:09
jrosserdo you add the pki role?20:10
jrosserand also it seems that this needs to treat the controller and central nodes differently20:11
opendevreviewMerged openstack/openstack-ansible-os_murano master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/82023820:12
spatel"do you add the pki role?" - where should I add that?20:12
jrossersee here in os_nova https://github.com/openstack/openstack-ansible-os_nova/blob/master/tasks/main.yml#L122-L15420:14
jrosseralso see how it is used twice with different data for libvirt and vnc20:14
jrosserthis is what i mean by you may have different requirements for the controller vs. central20:15
spatelThis is what I was looking for - https://github.com/openstack/openstack-ansible-os_nova/blob/master/tasks/main.yml#L122-L15420:16
jrosseryes20:17
spatellet me add that and see.. yes I will create two different tasks to handle controller vs central20:17
opendevreviewMerged openstack/openstack-ansible-os_mistral master: Database connection pooling improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/82023720:25
spatelany idea - https://paste.opendev.org/show/811456/20:29
spateljrosser ^20:32
jrosserthat's weird, no I have no idea20:36
spatelpki/default/main.yml has pki_certificates: []20:38
spatelbut the default should work20:38
jrosserright, but for nova it's overridden https://github.com/openstack/openstack-ansible-os_nova/blob/master/tasks/main.yml#L13220:39
spatelso where we define nova_pki_compute_certificates ? 20:40
spateli am not seeing it anywhere 20:40
spatelI am searching with grep "nova_pki_compute_certificates" * -r and found nothing20:41
jrosserhttps://github.com/openstack/openstack-ansible-os_nova/blob/master/defaults/main.yml#L569-L58120:42
spatelhmm20:42
jrosserI'm just giving you examples from nova as that's merged and works20:42
spatelyes i can see it now 20:43
spateli do have that in os_neutron also 20:43
spatellooks like I need a break :) I will debug it tonight with a fresh beer20:47
spateljrosser Thank you for helping me out, let me keep debugging and see..20:51
jrosserno problem20:51
spatelHave a good weekend 20:51
jrosseryou too20:52

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!