noonedeadpunk | jrosser_: hey! Am I right that for multi-regions it's a good idea to use the same rootCA but use different intermediates? | 08:32 |
---|---|---|
jrosser_ | if you ever want the internal networks to share things, that could help | 08:33 |
noonedeadpunk | nah, we have nothing-shared... | 08:33 |
noonedeadpunk | so then it probably doesn't really matter | 08:35 |
noonedeadpunk | and not worth complicating | 08:35 |
jrosser_ | or if you want to visit internal url via vpn for debug, or monitoring systems which connect to internal things? | 08:35 |
noonedeadpunk | oh, well, unless this root we want to use outside of osa ofc... | 08:35 |
jrosser_ | yes that too | 08:35 |
noonedeadpunk | yeah, monitoring is a valid point | 08:35 |
noonedeadpunk | thanks! | 08:36 |
jrosser_ | would be really interesting to test out providing an external root CA, intermediate and key, and see if the PKI role can cope with that | 08:36 |
jrosser_ | almost certainly some trouble to fix with that but I think it’s a very valid use case | 08:37 |
noonedeadpunk | If names would be matching I guess it should | 08:37 |
jrosser_ | yes | 08:37 |
jrosser_ | we needed to do something like this for ceph rgw | 08:37 |
jrosser_ | they need to talk https to keystone | 08:38 |
noonedeadpunk | well, yeah, if they want to talk through internalurl... | 08:39 |
jrosser_ | yep, it’s all very much depending on what architecture you have | 08:39 |
noonedeadpunk | would be great if somebody could take a look at https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/822998 | 10:26 |
noonedeadpunk | as with virtualenv removal from openstack_hosts we got setuptools missing | 10:27 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_tempest master: Allow to create only specific tempest resources. https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/803477 | 11:46 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_tempest master: Do not set default value for tempest_private_net_seg_id https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/803486 | 11:48 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_tempest master: Allow to create only specific tempest resources. https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/803477 | 11:48 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_tempest master: Fix hardcoded flavor_ref and flavor_ref_alt https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/803492 | 12:16 |
opendevreview | Merged openstack/openstack-ansible-os_octavia master: Use focal amphora test image by default https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/822834 | 12:17 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_tempest master: Fix hardcoded flavor_ref and flavor_ref_alt https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/803492 | 12:19 |
damiandabrowski[m] | hey folks, can I ask for some attention on my tempest changes? They were stuck for a few months and I'd love to finally merge them. | 12:32 |
damiandabrowski[m] | https://review.opendev.org/q/topic:%22tempest-damian-2021-12%22 | 12:32 |
opendevreview | Merged openstack/ansible-role-python_venv_build master: Replace virtualenv with exacutable for pip https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/822998 | 12:49 |
noonedeadpunk | damiandabrowski[m]: commented | 13:03 |
admin1 | i am having a strange issue in an aio setup .. logs here: https://gist.githubusercontent.com/a1git/caa4c3b201d156384134778eeb004959/raw/65ba7ba28263f0068d8888eaf46573cde7a0b7a6/gistfile1.txt . it fails on systemd_service : Create TEMP run dir .. tag = 23.2.0 | 14:33 |
admin1 | scenario is aio_ceph | 14:33 |
noonedeadpunk | I bet you have ens3 interface?:) | 14:48 |
noonedeadpunk | admin1: we make assumptions here https://opendev.org/openstack/openstack-ansible/src/branch/master/tests/roles/bootstrap-host/templates/user_variables_ceph.yml.j2#L19 | 14:51 |
noonedeadpunk | so we expect to see eth1 interface present because that's what we have in CI... | 14:52 |
noonedeadpunk | not sure how to work around that to satisfy everybody... | 14:52 |
noonedeadpunk | maybe check all available interfaces and pick first.... | 14:53 |
opendevreview | Merged openstack/openstack-ansible-os_glance master: Define _glance_available_stores in variables https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/822899 | 14:56 |
noonedeadpunk | I suggest to cancel today's meeting if nobody is against that? | 15:00 |
noonedeadpunk | As I believe everybody is having Christmas holidays :) | 15:00 |
opendevreview | Merged openstack/openstack-ansible-os_glance master: Add boto3 module for s3 backend https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/822870 | 15:04 |
opendevreview | Merged openstack/openstack-ansible master: Update ansible-core to 2.12.1 https://review.opendev.org/c/openstack/openstack-ansible/+/822063 | 15:05 |
admin1 | noonedeadpunk i had enp1s0 | 15:10 |
admin1 | created via kvm | 15:10 |
admin1 | thanks noonedeadpunk .. i know what to check and fix now | 15:11 |
jamesdenton | i am around, but cancelling the meeting is fine by me | 15:13 |
noonedeadpunk | ok, thanks) | 15:18 |
noonedeadpunk | I just don't have an agenda really :( | 15:19 |
jamesdenton | it's all good | 15:19 |
noonedeadpunk | Well, maybe I do but let's leave that after holidays ;) | 15:19 |
jamesdenton | i did want to ask about roles or features in 'experimental' status. working on ironic inspector and may want to change a few things without some extended deprecation notice | 15:21 |
jamesdenton | i am honestly not sure if anyone is using it | 15:21 |
noonedeadpunk | I can tripleo were pushing changes to it? | 15:21 |
noonedeadpunk | *can recall | 15:21 |
noonedeadpunk | oh not... | 15:22 |
jamesdenton | possibly - i am mainly looking to split out inspector dnsmasq into its own service (instead of leveraging base dnsmasq) and possibly even make dnsmasq optional, since if you use 'neutron' as the network interface you can rely on neutron's dnsmasq stuff | 15:23 |
noonedeadpunk | Ironic is still dark magic to me... | 15:24 |
jamesdenton | me too | 15:24 |
jamesdenton | :D | 15:24 |
jamesdenton | there are a lot of knobs | 15:24 |
noonedeadpunk | We're trying to hire somebody who will be able to focus on it and get us a service, so had no chance to dig there yet | 15:24 |
noonedeadpunk | Let me read why inspector needs dnsmasq... | 15:26 |
jamesdenton | oh, to add baremetal instances to your product offering? | 15:26 |
noonedeadpunk | yeah | 15:26 |
noonedeadpunk | and for computes/controllers deployment I believe as well. | 15:26 |
noonedeadpunk | but it's smth that is currently being discussed | 15:26 |
jamesdenton | inspector can work w/ a 'flat' network model or 'neutron' - the former requires its own dnsmasq service and doesn't manage any networking, the latter relies on neutron for dnsmasq and even switchport manipulation (w/ ML2 driver) | 15:28 |
noonedeadpunk | Um, what is the worst case scenario if to split inspector dnsmasq to separate thing? I just thought that it should be able to access some ironic leases but maybe I'm wrong? | 15:29 |
jamesdenton | for 'flat' you would need the inspector/controller plugged into a bridge that VMs will ultimately also be connected to - it's one large flat network for provisioning, inspection, etc. | 15:29 |
jamesdenton | eh, the issue i ran into was that inspector dns config was hanging off of 'dnsmasq' service that didn't want to start due to some conflict, so split it into its own service w/ own directories, files, etc. | 15:29 |
jamesdenton | one sec | 15:30 |
jamesdenton | i think it was due to running inspector on metal vs lxc | 15:30 |
jamesdenton | https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/821503 | 15:30 |
noonedeadpunk | ah, ironic-inspector is smth like "provisioning" in maas :D | 15:33 |
noonedeadpunk | But I'm not sure how valid to have separate dnsmasq... | 15:33 |
jamesdenton | it's sort of like discovery, ironic is the true provisioner | 15:34 |
jamesdenton | but yeah, all related | 15:34 |
noonedeadpunk | as I'd say that I'd expect node to have same IP (esp if it's "static") when booting for inspection | 15:34 |
jamesdenton | well, in the case of inspector vs ironic provisioning, it won't have the same IP - it will manage its own leases outside of neutron. and it's usually a 1-time operation AFAIK | 15:35 |
jamesdenton | for provisioning, those ips are managed by neutron (with a baremetal port -> neutron port) mapping of sorts. | 15:35 |
noonedeadpunk | s/provisioning/comission/ | 15:36 |
jamesdenton | yeah ok | 15:36 |
noonedeadpunk | aha, I see. I'm just trying to compare to maas as it's smth I'm aware of hehe. And there IP would be consistent for real provisioning and commissioning | 15:37 |
noonedeadpunk | and how it would work then without net conflicts? as basically you do both operations on the same interface in the same vlan? | 15:38 |
noonedeadpunk | *ip conflicts | 15:38 |
jamesdenton | well, you might configure a different CIDR for inspection vs provisioning/tenant | 15:40 |
noonedeadpunk | for pxe boot you can't use tagged vlans anyway I believe... So dhcp for pxe boot should be kind of same? | 15:40 |
jamesdenton | and i think there is some iptables magic happening | 15:40 |
noonedeadpunk | hm | 15:40 |
noonedeadpunk | so for me tbh sharing dnsmasq sounds more logical, dunno... | 15:41 |
noonedeadpunk | but if it can be optional, I guess it's ok | 15:42 |
jamesdenton | i'll have to see if i can track down the error i was getting. but it would be similar to how lxc-dnsmasq is its own service, and i think tripleo breaks it out, too | 15:42 |
noonedeadpunk | or, well, both using neutron for that sounds fine as well | 15:42 |
jamesdenton | i'll keep plugging away at it, need to compare lxc and metal deploys again. too many moving pieces right now | 15:43 |
admin1 | for those with ocd, will ExampleCorp in pki role be a var someday :) ? | 15:52 |
admin1 | to replace it with MyAwesomeCorp .. | 15:53 |
jrosser_ | admin1: it is already overridden from the PKI role defaults here https://github.com/openstack/openstack-ansible/blob/master/inventory/group_vars/all/ssl.yml#L32-L62 | 15:55 |
jrosser_ | you would redefine openstack_pki_authorities with whatever you want instead | 15:56 |
admin1 | yay \o/ | 15:56 |
admin1 | one question .. does aio ceph also include object_storage via ceph by default | 15:56 |
jrosser_ | it should do | 15:57 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Allow galera_address to be FQDN https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/823101 | 15:57 |
noonedeadpunk | spotted that ^ in our dev env during upgrade :( | 15:58 |
opendevreview | Merged openstack/openstack-ansible-galera_server master: Fix galera_force_bootstrap behaviour https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/822911 | 16:03 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_tempest master: Fix hardcoded flavor_ref and flavor_ref_alt https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/803492 | 17:21 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server stable/xena: Fix galera_force_bootstrap behaviour https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/822942 | 17:30 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server stable/wallaby: Fix galera_force_bootstrap behaviour https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/822943 | 17:31 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_glance stable/xena: Add boto3 module for s3 backend https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/822944 | 17:34 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_glance stable/xena: Add boto3 module for s3 backend https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/822944 | 17:34 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_glance stable/wallaby: Add boto3 module for s3 backend https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/822945 | 17:34 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_glance stable/victoria: Add boto3 module for s3 backend https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/822946 | 17:34 |
*** dmsimard7 is now known as dmsimard | 17:36 | |
opendevreview | Merged openstack/openstack-ansible master: [doc] Update infra node scaling documentation https://review.opendev.org/c/openstack/openstack-ansible/+/822912 | 17:52 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_horizon master: Improve defining horizon_lib_dir https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/820928 | 17:57 |
admin1 | i followed this in an AIO .. https://docs.openstack.org/openstack-ansible-haproxy_server/latest/configure-haproxy.html .. using haproxy with letsencrypt .. what I notice is .. when I do cloud.domain.com, it comes 1 time, then goes to 503 .. again 503 .. again 503 and then again comes back up with the actual horizon login | 19:40 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-tests stable/wallaby: Add config_template collection https://review.opendev.org/c/openstack/openstack-ansible-tests/+/822949 | 19:41 |
admin1 | has anyone else noticed such ? | 19:41 |
NeilHanlon | admin1: have you checked any logs? syslogs on the host, inside the horizon container? | 19:55 |
jrosser_ | admin1: if it works once then fails twice you have two broken horizon backends and one working one, check the haproxy status | 19:59 |
admin1 | tcpdump showed no traffic between haproxy -> horizon container when 503 occurred | 20:00 |
jrosser_ | 503 can come from haproxy | 20:00 |
jrosser_ | so check hatop or whatever you normally use | 20:00 |
admin1 | this one is just 1 controller .. so there were no other backends .. and the ok, not ok, not ok, OK confused me as well .. but i have to test something else on it now .. was getting stuck on haproxy ..so i removed the config .. once this test is done, i will put it back on letsencrypt and report back with logs, observations and configs i can | 20:02 |
admin1 | share | 20:02 |
admin1 | setting up a new 23.2.0 tag with ceph .. i added ceph rgw as object storage .. the page loads .. but it gives me a new error: Unable to fetch the policy details. .. .. i don't recall this error in older builds .. so a bit confused | 20:23 |
admin1 | i added the correct entries in the mon in ceph.conf for rgw and added the endpoints, re-run horizon playbook and that was pretty much it . working out of the box | 20:24 |
admin1 | i hit this bug somehow: https://bugs.launchpad.net/ubuntu/+source/python-swiftclient/+bug/1902944 | 20:29 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_tempest master: Allow to create only specific tempest resources. https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/803477 | 21:06 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_tempest master: Fix hardcoded flavor_ref and flavor_ref_alt https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/803492 | 21:10 |