Friday, 2022-03-11

[08:42] *** chandankumar is now known as chkumar|rover
[09:15] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Add ansible.utils collection requirement https://review.opendev.org/c/openstack/openstack-ansible/+/831525
[09:19] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Update netcommon collection https://review.opendev.org/c/openstack/openstack-ansible/+/833117
[09:20] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Change location of ipaddr filter https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/831526
[09:33] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_nova master: Add configuration option for heartbeat_in_pthread https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/833236
[09:33] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_neutron master: Add configuration option for heartbeat_in_pthread https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/833237
[09:34] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_cinder master: Add configuration option for heartbeat_in_pthread https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/833238
[09:34] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible master: Disable heartbeat_in_pthread for non-uwsgi services https://review.opendev.org/c/openstack/openstack-ansible/+/833239
[09:41] <MrClayPole> Hi, We are losing access to our public DNS and we have to migrate to a new public DNS on our OSA Train deployment. I'm guessing I just need to update "external_lb_vip_address" and then run the haproxy and setup-openstack playbooks (I can see it referenced in a lot of the sub-playbooks). Should this be ok or is there more to consider? We'll also be replacing the SSL cert as well
[10:01] <noonedeadpunk> MrClayPole: so you're changing domain name, right? I guess you will need to manually drop endpoints after re-running playbooks
[10:02] <MrClayPole> That's correct. Thanks, I'll add that to my migration plan
[10:05] <noonedeadpunk> And you're using internal_lb_vip as domain name as well?
[10:20] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible master: Disable heartbeat_in_pthread for non-uwsgi services https://review.opendev.org/c/openstack/openstack-ansible/+/833239
[10:51] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Update MariaDB version to 10.6.7 https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/833259
[11:00] <MrClayPole> noonedeadpunk: No, just the "external_lb_vip_address"
[11:01] <anskiy> Are you talking about LE support by any chance? :)
[11:02] <noonedeadpunk> anskiy: which we have for quite some time? :)
[11:05] <MrClayPole> Currently I'm being forced to use our company's wildcard cert but would like to move to LE as certs are a pain in the bum
[11:08] <MrClayPole> plus LE is broken in OSA train so would have to wait until we upgraded before I could deploy
[11:12] *** dviroel|out is now known as dviroel|ruck
[11:20] <noonedeadpunk> Hm, is it?
[11:20] <noonedeadpunk> haven't we fixed that?
[11:34] <admin1> enabling LE broke some of my UI/API requests every N turn (like round robin) .. so I am back to professional * wildcard certs
[11:38] <anskiy> well, it seems LE support is broken in xena (and wallaby) too, and I do believe it ended in that state with this change: https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/813945. According to docs `external_lb_vip_address` should be set to hostname (and complementary `haproxy_bind_external_lb_vip_address` should be set to IP) and after that change `haproxy_bind_external_lb_vip_address` is fed to `cer
[11:44] <noonedeadpunk> anskiy: it seems that end of message was cut
[11:46] <noonedeadpunk> But I guess I got the idea. Except that haproxy_bind_external_lb_vip_address defaults to external_lb_vip_address
[11:52] <MrClayPole> noonedeadpunk: LE in train reaches out to a deprecated script/service. Last time we spoke you suggested we back port from Ussuri as it had been rewritten but as I'm planning to upgrade soon to Victoria I thought I would leave it until I upgrade.
[11:53] <noonedeadpunk> well, that's a bad mindset, as you could also help others with backporting stuff ;)
[11:53] <noonedeadpunk> and basically landing fix
[11:54] <MrClayPole> If only I had the skills, I'm a little nervous of "doing it wrong"
[11:58] <MrClayPole> If I did back port how would I know if I broke someone's existing deployment?
[11:59] <anskiy> noonedeadpunk: yeah, but if you don't set `haproxy_bind_external_lb_vip_address` to IP-address, then domain name from `external_lb_vip_address` ends up in haproxy's bind directive, which breaks it :)
[12:20] *** dviroel is now known as dviroel|ruck
[12:55] <mgariepy> morning everyone
[13:06] <MrClayPole> anskiy: I've found that as long as you set "external_lb_vip_address" to your public DNS and then ensure that either via the /etc/hosts or local DNS resolves to the VIP of the load balancers then haproxy binds ok.
[13:10] <jrosser> afaik. I thing is wrong with LE in train, I don’t know about deprecated scripts at all
[13:10] <jrosser> it requires a bunch more config in older releases than new ones
[13:11] <jrosser> *nothing is wrong with…..
[13:11] <noonedeadpunk> Yeah for some point I was sure that haproxy should bind nicely as long as it can resolve DNS...
[13:12] <jrosser> we’ve run it since T so if anyone needs advice on a setup just ask
[13:13] <noonedeadpunk> but you're right that it might be worth improving things with adding new variable for domain name for which cert will be issued, if this makes confusion
[13:14] <jrosser> we’ve had a few issues when people set their hostname to the fqdn
[13:14] <jrosser> but that’s kind of expected to break things, imho
[13:18] <jrosser> anskiy: if you think it is broken please raise a bug?
[13:20] <jrosser> MrClayPole: similarly, iirc for Train the LE support was extremely basic and did not support more than one controller. it would have never worked on an HA deployment
[13:21] <jrosser> I refactored the whole thing for Ussuri to be HA capable
[13:22] <jrosser> then for V onward the variables had a really big tidy up to make the integration with haproxy very straightforward
[13:23] <anskiy> MrClayPole: ugh, I've double checked it, and now it works :(. Maybe I've got some resolving issues at that time (and systemd-resolved cached that error), but haproxy proxy docs explicitly state that it is supposed to be IP-address, that's why I was so sure. Nevertheless, I've already hacked the playbook a bit.
[13:24] <noonedeadpunk> you should have really filled in a bug report at least ;(
[13:24] <jrosser> admin1: also if you have 1-in-N failures then you need to debug rather than give up :) certbot independently runs for each controller so it has to succeed for each controller or you will get errors
[13:25] <jrosser> though that really sounds like something totally not to do with LE
[13:27] <jrosser> 1-in-N errors are related to round robin on the backends, not the cert on the front end
[13:27] <anskiy> noonedeadpunk: but it works as expected, it's just my misunderstanding and kinda "used to see" IPs in bind directives. Sorry :)
[13:33] <noonedeadpunk> oh, ok then
[13:40] <noonedeadpunk> andrewbonney: regarding heartbeat_in_pthread - my second thought next to splitting configs, was to add logic to templates, as we close to never will want it for wsgi? and then super easy to exclude neutron-server if needed
[13:41] <noonedeadpunk> but if you say that schedulers/conductors not affected current way is fine for me as well
[13:41] <andrewbonney> Yeah I'd be happy to do that if preferred, even if just for neutron. I did consider adding something there myself but thought initially this might appear cleaner
[13:46] <noonedeadpunk> I don't have really strong opinion but I caught myself that group_vars in osa repo is last place where I look for logic...
[13:46] <noonedeadpunk> We can actually make conditional in defaults/main.yml instead of template
[13:47] <noonedeadpunk> (or make it in vars with right to override)
[15:23] <opendevreview> Merged openstack/openstack-ansible-os_magnum master: Do not install python development packages https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/824212
[15:48] *** dviroel|ruck is now known as dviroel|ruck|lunch
[16:46] *** dviroel|ruck|lunch is now known as dviroel|ruck
[17:47] <opendevreview> Merged openstack/openstack-ansible-os_horizon stable/xena: horizon_local_settings.py.j2: adding SECURE_PROXY_ADDR_HEADER https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/832908
[17:47] <opendevreview> Merged openstack/openstack-ansible-os_horizon stable/wallaby: horizon_local_settings.py.j2: adding SECURE_PROXY_ADDR_HEADER https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/832909
[17:47] <opendevreview> Merged openstack/openstack-ansible-os_horizon stable/victoria: horizon_local_settings.py.j2: adding SECURE_PROXY_ADDR_HEADER https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/833190
[17:47] <opendevreview> Merged openstack/openstack-ansible-os_horizon stable/ussuri: horizon_local_settings.py.j2: adding SECURE_PROXY_ADDR_HEADER https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/833191
[18:00] <opendevreview> Merged openstack/openstack-ansible-os_keystone master: add oauth support https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/833017
[18:16] *** odyssey4me is now known as odyssey4me|away
[18:16] *** odyssey4me|away is now known as odyssey4me
[20:09] *** odyssey4me is now known as odyssey4me|away
[20:09] *** odyssey4me|away is now known as odyssey4me
[20:24] *** odyssey4me is now known as odyssey4me|away
[21:14] <opendevreview> Merged openstack/openstack-ansible-os_neutron stable/xena: Change os_region to region_name https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/831181
[21:19] *** dviroel|ruck is now known as dviroel|out
[22:08] *** odyssey4me|away is now known as odyssey4me
[22:09] *** odyssey4me is now known as odyssey4me|away
