Wednesday, 2022-02-23

*** dviroel is now known as dviroel|out [00:20]
gillesMo: Hello! We're in a move to forbid all root user access on our servers. I have problems running openstack-ansible from a standard user. I see some tasks in playbooks/roles with "user: root", why not "become: true"? [08:34]
jrosser: gillesMo: that would be an excellent piece of long term work to contribute [08:35]
jrosser: i expect that there are a bunch of corner cases and hidden things that would need to be fixed [08:38]
jrosser: some work was done on the ssh connection plugin to allow become: to work for lxc containers already [08:38]
gillesMo: jrosser: a grep on all the roles shows that it's certainly a long term work :-( [08:41]
jrosser: if it is a priority for you then the best advice i can give is to contribute patches [08:42]
jrosser: and i feel that it is sufficiently subtle that the CI jobs would need to be adjusted to cover this use case as I think that it is easy to overlook something [08:43]
gillesMo: Of course! but we have an audit very soon, and we will certainly manage an exception for the moment... [08:43]
jrosser: you would have to grant passwordless sudo to another user, who would need to be able to run any command [08:44]
jrosser: this question does come up a lot in #ansible and the discussion really does always end up at what the actual risk is that is being mitigated, rather than just ticking boxes [08:44]
jrosser: if you are concerned about arbitrary users having permanent access to ssh keys which allow root access to everything, there are other ways to mitigate that other than disallowing root access [08:45]
opendevreview: Dmitriy Rabotyagov proposed openstack/ansible-role-python_venv_build stable/xena: Slurp constraints.txt separately for each host in a batch  https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/830369 [08:54]
opendevreview: Dmitriy Rabotyagov proposed openstack/ansible-role-python_venv_build stable/wallaby: Slurp constraints.txt separately for each host in a batch  https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/830570 [08:54]
opendevreview: Dmitriy Rabotyagov proposed openstack/ansible-role-python_venv_build stable/victoria: Slurp constraints.txt separately for each host in a batch  https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/830571 [08:54]
jrosser: gillesMo: you could probably get a long way through it by working on an lxc AIO deployment in a VM [09:07]
*** dviroel|out is now known as dviroel [11:26]
lowercase: noonedeadpunk: Last week we talked about enabling fluentd in oslo logging. I made alterations to the config and I'm not getting any different output. In my default config file, I add [loggers], handlers, formatters and hander_fluent. However, I do not see any difference in the logs or an open port 24224 [13:54]
noonedeadpunk: well, that's sad to hear :( tbh I'm even not sure who could be asked for some help regarding that... [13:55]
lowercase: simply adding the use_json param is working for me however. Fluentd likes that. [13:57]
jrosser: lowercase: did you also `pip install fluent-logger` ? [14:07]
lowercase: yes [14:07]
jrosser: and debug=true in the config file can help [14:08]
jrosser: pip install inside the nova venv? [14:09]
lowercase: yes, both are true [14:29]
lowercase: i just verified my results. use_json isn't enough to get fluentd to recognize the different fields and break apart the json. fluentd escapes all of the quotes, invalidating the json. [14:31]
lowercase: "{\"message\": \"Creating TransportKeyController\", \"asctime\": \"2022-02-23 14:21:18\", \"name\": \"barbican.api.controllers.transportkeys\", \"msg\": \"Creat [14:31]
lowercase: I'm testing with barbican because i can restart the barbi service anytime i want, vs nova i do not have the same luxury. [14:31]
jrosser: this sort of thing is really good to poke at in an AIO [14:32]
jrosser: you can make one in an hour in a VM [14:32]
*** gmann is now known as gmann_afk [15:59]
jrosser: i still do not have any good ideas about testing ansible roles [16:04]
*** gmann_afk is now known as gmann [16:17]
admin1: is there a safe way to move from 3x controllers to 1x controller? [16:42]
admin1: for rabbitmq and galera [16:42]
admin1: in one of my clusters, 2 controllers went down (and not able to recover) [16:42]
jrosser: noonedeadpunk: did this ever work properly? https://review.opendev.org/c/openstack/ansible-role-pki/+/821023 [16:43]
jrosser: i forget what we needed it for, but i have lots of trouble with that and the keystone changes right now [16:43]
noonedeadpunk: I think for galera [16:45]
jrosser: is rejectattr('condition', 'false') even valid? [16:46]
jrosser: i get some error like "no test 'false'" [16:46]
noonedeadpunk: https://opendev.org/openstack/openstack-ansible-galera_server/src/branch/master/defaults/main.yml#L209 [16:46]
jrosser: oh well that's conditional ca [16:47]
noonedeadpunk: says that it is.... https://jinja.palletsprojects.com/en/3.0.x/templates/#jinja-tests.false [16:48]
noonedeadpunk: but it's for jinja 2.11+ only... [16:48]
noonedeadpunk: but u-c says should be 3.0.3 [16:49]
jrosser: oh that explains a lot [16:50]
jrosser: i am doing some basic tests of the pki role in a vanilla focal vm [16:50]
jrosser: and there i have Jinja2==2.10.1 [16:50]
noonedeadpunk: oh [16:51]
noonedeadpunk: does jinja upgrade help? :) [16:51]
jrosser: well, actually i refactored out the rejectattr just now [16:51]
noonedeadpunk: would be interesting to understand if we did smth wrong or it's just wrong jinja version... [16:52]
jrosser: yes, forcing the version to 3.0.3 makes it work [16:57]
jrosser: i will work on this some more [16:57]
spatel: admin1 can you re-build 2 controllers? [17:22]
admin1: spatel, i cannot.. the m1000e cmc is unresponsive :( .. [17:45]
spatel: i meant fix hardware and build it.. or get new server and do it [17:45]
spatel: :) [17:45]
*** dviroel is now known as dviroel|out [21:18]
