| *** ysandeep|out is now known as ysandeep | 03:09 | |
| *** ysandeep is now known as ysandeep|afk | 03:58 | |
| *** ysandeep|afk is now known as ysandeep | 04:38 | |
| opendevreview | Jonathan Rosser proposed openstack/ansible-role-python_venv_build master: Improve python version detection when symlinking libraries https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/838826 | 06:54 |
|---|---|---|
| opendevreview | Jonathan Rosser proposed openstack/ansible-role-uwsgi master: Refactor installation of libpython for debian/ubuntu https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/838830 | 07:05 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-openstack_hosts master: Do not install UCA repository for ubuntu 22.04 https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/838832 | 07:11 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Unify debian and ubuntu cache prep scripts https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/838836 | 07:46 |
| *** ysandeep is now known as ysandeep|lunch | 07:52 | |
| *** ysandeep|lunch is now known as ysandeep | 08:36 | |
| noonedeadpunk | andrewbonney: mgariepy can you kindly review bumps to unblock gates https://review.opendev.org/q/topic:bump_osa+status:open - in order for X to pass, W should be merged first. | 09:21 |
| jrosser | noonedeadpunk: 22.04 works pretty well, it is the usual things like no upstream packages for mariadb, and there is some python brokenness in horizon which I didn't yet look at | 09:38 |
| jrosser | what is nice is that the few changes that i have made seem to be making things more general to also work with 22.04 rather than adding specific vars or settings only for 22.04 | 09:38 |
| noonedeadpunk | thankfully ubuntu doesn't break everything around with each release (unlike redhat) | 09:46 |
| * noonedeadpunk can't wait for 22.04.1 | 09:46 | |
| noonedeadpunk | btw regarding nobody cares about centos 8 distro path - seems it's fixed https://zuul.opendev.org/t/openstack/build/e227187b7d1546148d8b0c97a07d5a7d | 09:47 |
| noonedeadpunk | uh, what awful wording I used but I hope you got idea :) | 09:48 |
| noonedeadpunk | will try to play with centos 9.... or with Octavia.... Not sure what is less pleasent task to do :p | 09:49 |
| *** ysandeep is now known as ysandeep|afk | 10:50 | |
| jrosser | damiandabrowski[m]: i think you are right with your comment on https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/838657 | 11:02 |
| jrosser | we are OK for focal, as the version of ceph there is 15.x | 11:02 |
| jrosser | but unfortunately i just start test 22.04 and there i find ceph 17.x already in the repo | 11:03 |
| jrosser | noonedeadpunk: ^ more trouble with ceph pins :( | 11:03 |
| jrosser | perhaps we have to be more forceful about it, set priority -1 on pacakges: src:ceph from both UCA and the ubuntu repo | 11:04 |
| jrosser | so it will fail hard unless any part of ceph comes from ceph.com | 11:04 |
| jrosser | and also configure no-recommends somewhere in openstack-hosts | 11:06 |
| noonedeadpunk | I think I missed the output of issue when ceph_client tries to downgrade librbd... Does it lead to some package removal? | 11:09 |
| noonedeadpunk | As at least for focal, in package requirements it says smth like librbd1>=11.smth | 11:10 |
| damiandabrowski[m] | noonedeadpunk: https://paste.openstack.org/show/bRMsII6P2s1YyjugFuWk/ | 11:11 |
| noonedeadpunk | so technically, if ceph.com repo has prio >1000, it should jsut downgrade it... | 11:11 |
| damiandabrowski[m] | something like this | 11:11 |
| damiandabrowski[m] | another thing is to allow downgrades but it sounds nasty | 11:11 |
| noonedeadpunk | maybe we should just allow downgrades for ceph?:) | 11:11 |
| damiandabrowski[m] | another option* | 11:11 |
| noonedeadpunk | damiandabrowski[m]: and what prio you have for repo in /etc/apt/preferences.d? | 11:12 |
| damiandabrowski[m] | i no longer have this test environment, but it was before jrosser's patch | 11:12 |
| noonedeadpunk | his patch doesn't change that... | 11:13 |
| noonedeadpunk | should be 1001 | 11:13 |
| damiandabrowski[m] | ouh, but still - i will have to build AIO from scratch to see this error again | 11:14 |
| noonedeadpunk | ok-ok | 11:15 |
| jrosser | unless we allow it, downgrade is an error | 11:16 |
| jrosser | and it would also uninstall ${who-knows-what} as dependancies | 11:16 |
| noonedeadpunk | maybe indeed we can jsut add ` allow_downgrade: true` here https://opendev.org/openstack/openstack-ansible-ceph_client/src/branch/master/tasks/ceph_install.yml ? | 11:16 |
| jrosser | which wouldnt then get re-installed | 11:16 |
| jrosser | downgrade is bad :/ | 11:16 |
| damiandabrowski[m] | btw. i still stick to the idea to just add ceph repo on all baremetal hosts with high prio :D | 11:17 |
| jrosser | because a previous play could have installed ABC which requires librbd | 11:17 |
| jrosser | downgrading librbd will uninstall ABC? | 11:17 |
| noonedeadpunk | no, unless ABC requires librbd version higher then would be installed after downgrade afaik | 11:17 |
| jrosser | this needs to be tested | 11:18 |
| noonedeadpunk | does ceph repos already have smth for 22.04? | 11:18 |
| jrosser | becasue it is kind of the horrible situation with OFED all over again | 11:18 |
| noonedeadpunk | As I heard stories about redhat dropping ubuntu packaging for quite a while now | 11:19 |
| noonedeadpunk | oh, well, OFED lol | 11:19 |
| noonedeadpunk | yes, that would be interesting | 11:20 |
| jrosser | ceph.com only goes up to focal | 11:20 |
| jrosser | but tbh 22.04 is a bit of an outlier here as it is soooo early | 11:20 |
| jrosser | but still they ship 17.x in the distro repo which is going to cause another different problem | 11:21 |
| noonedeadpunk | just in case there's nothing for 22.04 present in ceph repos | 11:21 |
| noonedeadpunk | and I kind of unsure if they will add 16.x for it | 11:22 |
| noonedeadpunk | at all | 11:22 |
| * damiandabrowski[m] need to leave for some time, will try to follow the conversation on mobile | 11:22 | |
| noonedeadpunk | if we forget about 22.04 - https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/838657 sounds like proper solution | 11:22 |
| noonedeadpunk | but it might happen that with 22.04 we will have to bump ceph release to 17.x for everything | 11:23 |
| damiandabrowski[m] | noonedeadpunk: i think it depends on `ceph_stable_release` :D | 11:23 |
| noonedeadpunk | it does | 11:24 |
| noonedeadpunk | but it will also affect ceph-ansible which might not be ready for quincy | 11:24 |
| jrosser | it does feel like we might have experimental support for 22.04 in Y but certainly not ceph | 11:25 |
| noonedeadpunk | yup... | 11:25 |
| jrosser | so making a plan for ceph 17.x transition in Z would be helpful | 11:25 |
| jrosser | then we can tidy up the mess | 11:25 |
| noonedeadpunk | and on top of that to get mariadb packages we would likely need to wait for their new release | 11:26 |
| noonedeadpunk | as they don't build packages for older ones | 11:26 |
| jrosser | yes - we can make a hack like for centos-9 to use the distro package in the meantime | 11:26 |
| jrosser | but another reason for only experimental support | 11:26 |
| noonedeadpunk | exactly... | 11:26 |
| noonedeadpunk | Though I'm quite afraid about libvirt version that focal would have | 11:27 |
| noonedeadpunk | which might be already not supported in Z | 11:27 |
| noonedeadpunk | but anyway | 11:27 |
| noonedeadpunk | we can backprot things if needed | 11:27 |
| damiandabrowski[m] | when i mentioned `ceph_stable_release` i was thinking about the situation, when someone want's to install octopus on 20.04 | 11:28 |
| jrosser | i think in that case we would say "external ceph cluster" | 11:28 |
| noonedeadpunk | I guess what Damian means is that ceph_client would try to downgrade things as well | 11:29 |
| jrosser | yes it would | 11:29 |
| noonedeadpunk | tbh I like disabling installation of recommended packages more.... | 11:30 |
| jrosser | we should probably do this anyway | 11:30 |
| damiandabrowski[m] | i know i'm pain in the ass right now, but what's the disadvantage of setting ceph repo with high prio on all baremetal nodes? we'll have it unnecessarily defined in a few places, that's right | 11:30 |
| damiandabrowski[m] | but in overall, it should make our lives much easier :D | 11:31 |
| damiandabrowski[m] | and for ex. we still be able to support ubuntu 20.04 + octopus scenario | 11:31 |
| noonedeadpunk | There's no issue with that approach, except there should be no librbd installed when ceph is not used at all:) | 11:31 |
| damiandabrowski[m] | we will still be able* | 11:31 |
| noonedeadpunk | It's just with what we fight - with matter or with result | 11:33 |
| damiandabrowski[m] | you may be right.. | 11:33 |
| noonedeadpunk | enabling ceph repo early is fixing result of the thing that likely should not happen.... | 11:33 |
| noonedeadpunk | it's easy fix indeed though | 11:34 |
| opendevreview | Merged openstack/openstack-ansible stable/victoria: Bump SHAa for Victoria https://review.opendev.org/c/openstack/openstack-ansible/+/838754 | 11:39 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-openstack_hosts master: Add default package manager config https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/838855 | 11:55 |
| opendevreview | Merged openstack/openstack-ansible stable/wallaby: Bump SHAs for Wallaby https://review.opendev.org/c/openstack/openstack-ansible/+/838758 | 12:10 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: DNM https://review.opendev.org/c/openstack/openstack-ansible/+/838858 | 12:16 |
| damiandabrowski[m] | hmm, what does DNS mean? do not merge? | 12:18 |
| damiandabrowski[m] | what's the difference between dnm and wip? | 12:18 |
| damiandabrowski[m] | DNM* | 12:18 |
| mgariepy | do not merge yes | 12:18 |
| mgariepy | usually dnm patch can be only to tests something in the gate, wip means it's work in progress and not finished yet | 12:19 |
| damiandabrowski[m] | ahh, thanks! | 12:20 |
| noonedeadpunk | or Deep And Meaningfull :D | 12:20 |
| mgariepy | ho then i was wrong all those years | 12:21 |
| noonedeadpunk | or Does not Matter | 12:21 |
| noonedeadpunk | But all represent kind of DO NOT MERGE anyway lol | 12:21 |
| mgariepy | lol | 12:22 |
| *** ysandeep|afk is now known as ysandeep | 12:22 | |
| damiandabrowski[m] | :D | 12:27 |
| *** ysandeep is now known as ysandeep|afk | 12:43 | |
| opendevreview | Jonathan Rosser proposed openstack/ansible-role-uwsgi master: Refactor installation of libpython for debian/ubuntu https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/838830 | 12:54 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-openstack_hosts master: Prevent ceph packages installing from ubuntu-cloud-archive https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/838657 | 12:54 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Unify debian and ubuntu cache prep scripts https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/838836 | 12:55 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Unify debian and ubuntu cache prep scripts https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/838836 | 12:55 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-openstack_hosts master: Do not install UCA repository for ubuntu 22.04 https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/838832 | 12:56 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-openstack_hosts master: Do not install recomended packages with apt https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/838890 | 13:13 |
| *** ysandeep|afk is now known as ysandeep | 13:24 | |
| *** ysandeep is now known as ysandeep|afk | 13:41 | |
| NeilHanlon | lol noonedeadpunk, i love all those definitions :) | 13:50 |
| noonedeadpunk | jrosser: btw are we sure that what we do regarding ceph related to missing ceph-volume? | 13:55 |
| jrosser | actually no | 13:55 |
| jrosser | i was just assuming that was some side effect of accidentally installing 17.x | 13:55 |
| jrosser | but i have not checked that | 13:55 |
| noonedeadpunk | ok, I just realized what the issue is:) | 13:55 |
| mgariepy | the ceph-volume is onluy in a sperate pkg | 13:56 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-openstack_hosts master: Add default package manager config https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/838855 | 13:57 |
| noonedeadpunk | yeah, we still need to lower prio for some reason | 13:57 |
| noonedeadpunk | or dunno... How that happens actually... https://zuul.opendev.org/t/openstack/build/009a78dbd38b4194a048c51e7f8cdce1/log/logs/host/apt/history.log.txt | 13:59 |
| noonedeadpunk | (l56) | 13:59 |
| noonedeadpunk | hm... https://zuul.opendev.org/t/openstack/build/009a78dbd38b4194a048c51e7f8cdce1/log/logs/etc/host/apt/preferences.d/ceph_community_pin.pref.txt | 14:00 |
| noonedeadpunk | like either our pin does not work for https://zuul.opendev.org/t/openstack/build/009a78dbd38b4194a048c51e7f8cdce1/log/logs/etc/host/apt/sources.list.d/mirror_mtl01_iweb_opendev_org_ceph_deb_octopus.list.txt | 14:01 |
| noonedeadpunk | or we add wrong repo.... | 14:01 |
| jrosser | oh well | 14:01 |
| noonedeadpunk | release file looks good https://mirror.mtl01.iweb.opendev.org/ceph-deb-octopus/lists/debian-ceph-octopus_focal_Release | 14:02 |
| NeilHanlon | oh good it's not a rocky issue this time :P | 14:02 |
| jrosser | but this wont work in CI https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/838657/6/defaults/main.yml | 14:02 |
| noonedeadpunk | yeah, once upon a time ubuntu brings interesting stuff as well lol | 14:02 |
| mgariepy | isnt recommends one that needs to be turned off? | 14:03 |
| noonedeadpunk | Why not? we use upstream uca - not infra one from what I see in https://zuul.opendev.org/t/openstack/build/009a78dbd38b4194a048c51e7f8cdce1/log/logs/etc/host/apt/sources.list.d/uca.list.txt | 14:04 |
| noonedeadpunk | mgariepy: it's there? https://zuul.opendev.org/t/openstack/build/009a78dbd38b4194a048c51e7f8cdce1/log/logs/etc/host/apt/apt.conf.d/99openstack-ansible.txt | 14:05 |
| noonedeadpunk | also I don't see this time that lxc pulls in librbd1 | 14:06 |
| noonedeadpunk | but we still get ceph 17 | 14:06 |
| mgariepy | https://paste.openstack.org/show/bq0yJcOaQddlr6vUxrPQ/ | 14:06 |
| jrosser | not suggests | 14:06 |
| jrosser | recommends | 14:06 |
| noonedeadpunk | pfffff | 14:06 |
| mgariepy | no-install-recommends | 14:06 |
| noonedeadpunk | damn it | 14:07 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-openstack_hosts master: Add default package manager config https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/838855 | 14:08 |
| noonedeadpunk | ok, that explains | 14:08 |
| noonedeadpunk | thanks) | 14:08 |
| NeilHanlon | jrosser: do you need/want me to poke at hacking to make rocky work with respect to that centos-release- stuff? | 14:09 |
| jrosser | NeilHanlon: i put a hack in here https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/837582/20/roles/glusterfs/tasks/main.yml#44 | 14:10 |
| NeilHanlon | 👍 cool. hopefully will have those fixed upstream soon | 14:11 |
| NeilHanlon | putting it in my notes to update that after | 14:11 |
| noonedeadpunk | while reading octavia certs code my eyes are bleeding.... | 14:26 |
| mgariepy | is it that bad ? | 14:27 |
| noonedeadpunk | well.... these 2 facts are exact same things in the end https://opendev.org/openstack/openstack-ansible-os_octavia/src/branch/master/tasks/octavia_certs.yml#L101-L102 | 14:27 |
| noonedeadpunk | I had to make some debug to realize that: "(hostvars[octavia_cert_setup_host]['octavia_ca_certificate_fact'] == hostvars[octavia_cert_setup_host]['octavia_server_ca_fact'])": true | 14:28 |
| mgariepy | shouldn't this use the pki stuff ? | 14:29 |
| noonedeadpunk | THat's what I'm trying to do but got mind broken | 14:35 |
| noonedeadpunk | when tried to map things | 14:35 |
| noonedeadpunk | as some migration should be made as well... | 14:36 |
| spatel | I want to apply thirdparty certificate to haproxy. can i bundle my crt/key/chain-ca and give it to this variable? haproxy_user_ssl_cert: ? | 14:36 |
| spatel | hmm - https://docs.openstack.org/project-deploy-guide/openstack-ansible/draft/app-advanced-config-sslcertificates.html | 14:38 |
| noonedeadpunk | yes, I think this is correct way of doing that | 14:39 |
| spatel | assuming this is going to be chain certificate - haproxy_user_ssl_ca_cert: /etc/openstack_deploy/ssl/ExampleCA.crt | 14:39 |
| johnsom | noonedeadpunk If you haven't seen it, there is a guide to how it should be set up: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html | 14:41 |
| noonedeadpunk | johnsom: I pushed some fix for it today ;) https://review.opendev.org/c/openstack/octavia/+/838851 | 14:42 |
| noonedeadpunk | now it's jsut our codebase that's hard to read :) | 14:42 |
| johnsom | noonedeadpunk Hmmm, will review. | 14:43 |
| noonedeadpunk | as last thing you want is to loose certs :) | 14:43 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Unify debian and ubuntu cache prep scripts https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/838836 | 14:47 |
| jrosser | need to merge this to unblock things https://review.opendev.org/c/openstack/openstack-ansible/+/838762 | 14:55 |
| noonedeadpunk | jrosser: do you recall where we create combined .pem for haproxy? | 14:59 |
| *** ysandeep|afk is now known as ysandeep | 15:00 | |
| jrosser | the pki role makes a variety of different chains depending on what wierdness we need :) | 15:00 |
| noonedeadpunk | then just need to figure out hwo we trigger that lol | 15:00 |
| jrosser | well certainly here actually https://opendev.org/openstack/ansible-role-pki/src/branch/master/tasks/standalone/create_cert.yml#L78-L81 | 15:02 |
| noonedeadpunk | jrosser: it creates only chain + cert. But haproxy has that + key | 15:02 |
| noonedeadpunk | so I'm looking where last merging with key happens | 15:03 |
| jrosser | in my AIO they are separate files? | 15:03 |
| noonedeadpunk | unless you check `/etc/haproxy/ssl/` ? | 15:04 |
| jrosser | hmm | 15:04 |
| jrosser | here? https://github.com/openstack/openstack-ansible-haproxy_server/blob/800254b3549ed9c772798637bca7695a294dd869/tasks/haproxy_ssl_letsencrypt.yml#L106-L114 | 15:05 |
| jrosser | oh well thats in the LE tasks..... | 15:05 |
| noonedeadpunk | maybe we run that anyway.... | 15:06 |
| jrosser | here we go https://github.com/openstack/openstack-ansible-haproxy_server/blob/1dc4fa621c153f1503933f1bb185d9fef2789f79/handlers/main.yml#L16-L22 | 15:06 |
| jrosser | handler | 15:06 |
| noonedeadpunk | I liked that assemble more.... | 15:06 |
| jrosser | i was thinking about spatel question, and if a user supplied cert should only apply to external | 15:07 |
| noonedeadpunk | I bet there's way to make both | 15:07 |
| noonedeadpunk | but then cert must be wildcard | 15:07 |
| spatel | jrosser i want to apply that to external VIP | 15:07 |
| noonedeadpunk | or sun | 15:07 |
| jrosser | imho they should be different> | 15:08 |
| jrosser | ? | 15:08 |
| jrosser | internal from PKI role and external from <wherever> | 15:08 |
| noonedeadpunk | but not sure if you can have own ssl covering external endpoint and self-signed for internal | 15:08 |
| jrosser | right - i think we may have a functionality gap there | 15:08 |
| noonedeadpunk | right now I guess you can either go with all yours or all self signed. Or leave internal without ssl | 15:09 |
| noonedeadpunk | yup, I'd say it would be nice to use different ones | 15:09 |
| jrosser | so this code iterates over all the vip https://github.com/openstack/openstack-ansible-haproxy_server/blob/master/vars/main.yml#L41-L77 | 15:09 |
| noonedeadpunk | as well as controll lets encrypt to run for external only | 15:10 |
| jrosser | tbh i think we have two sets of half finished code | 15:10 |
| jrosser | originally i patched for LE only on external | 15:11 |
| jrosser | the haproxy config file references two different sets of cert files, one for each vip | 15:15 |
| jrosser | so thats OK | 15:15 |
| jrosser | its that this doesnt distinguish between the VIP when applying the user provided certificate | 15:17 |
| jrosser | this will be an issue for internal https use cases bacause the external cert on the internal vip will not be valid | 15:18 |
| jrosser | noonedeadpunk: maybe it needs a list of VIP to apply to? | 15:23 |
| jrosser | `'src': ((haproxy_user_ssl_cert is defined) and (haproxy_user_ssl_vips | intersect(_haproxy_tls_vip_binds))) | ternary(haproxy_user_ssl_cert, haproxy_pki_certs_path ~ _cert_basename ~ '.crt')` | 15:23 |
| jrosser | spatel: would be interested to get this certs stuff right...... | 15:25 |
| noonedeadpunk | ` external cert on the internal vip will not be valid` unless it's wildcard or sun :) | 15:25 |
| noonedeadpunk | but yes | 15:25 |
| noonedeadpunk | well, we would need to change whole logic heavily I guess | 15:25 |
| jrosser | how about my attempt ^^ | 15:26 |
| spatel | currently i did by hand override my haproxy.pem with my cert | 15:26 |
| spatel | I am not using SSL on internal vip | 15:27 |
| noonedeadpunk | jrosser: that's too complex to think about haproxy for me today, sorry | 15:27 |
| jrosser | no problem! :) | 15:27 |
| noonedeadpunk | I mean - we also have extra vips there or smth like that... | 15:28 |
| noonedeadpunk | and basically we kind of lack variables at the moment | 15:28 |
| jrosser | i was thinking to have the user supply a list of the VIP that the user cert should apply to | 15:28 |
| jrosser | then it's not so complicated logic | 15:28 |
| noonedeadpunk | but that doesn't cover usecase of having 2 different certs on different vips? | 15:29 |
| jrosser | it would default to using the PKI generated cert | 15:29 |
| jrosser | so anywhere you didnt say to put the user supplied one would get that | 15:29 |
| noonedeadpunk | I was just thinking if I don't want to issue wildcard (as I do now), but jsut 2 certs (as it's cheaper?) to cover internal and external separately... | 15:30 |
| noonedeadpunk | But then you'd need to have list of certs kind of | 15:30 |
| jrosser | yes you would | 15:31 |
| noonedeadpunk | and things go quite complicated.... | 15:31 |
| jrosser | there is also an argument that 'proper' cert on the inside is less secure | 15:31 |
| noonedeadpunk | but yeah, I agree, your solution improves things | 15:31 |
| noonedeadpunk | and easy to achieve | 15:31 |
| jrosser | mutual TLS with a private CA cannot be talked to from something with a public trusted certificate | 15:32 |
| noonedeadpunk | I felt myself more comfortable regarding encryption and certs at ages of SSLv2 lol | 15:38 |
| noonedeadpunk | Now I feel like I don't understand a shit there | 15:38 |
| *** ysandeep is now known as ysandeep|dinner | 16:07 | |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Unify debian and ubuntu cache prep scripts https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/838836 | 16:37 |
| opendevreview | Merged openstack/openstack-ansible stable/xena: Bump SHAs for Xena https://review.opendev.org/c/openstack/openstack-ansible/+/838762 | 17:24 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Unify debian and ubuntu cache prep scripts https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/838836 | 17:27 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Unify debian and ubuntu cache prep scripts https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/838836 | 17:50 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Unify debian and ubuntu cache prep scripts https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/838836 | 18:13 |
| *** ysandeep|dinner is now known as ysandeep | 18:14 | |
| *** ysandeep is now known as ysandeep|out | 18:20 | |
| opendevreview | Merged openstack/ansible-role-pki master: Explicitly use community.crypto collection https://review.opendev.org/c/openstack/ansible-role-pki/+/838714 | 18:24 |
| opendevreview | Merged openstack/ansible-role-python_venv_build master: Improve python version detection when symlinking libraries https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/838826 | 19:16 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!