opendevreview | James Denton proposed openstack/openstack-ansible-os_neutron master: [WIP] adjust some ovn tasks https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/760647 | 03:06 |
---|---|---|
opendevreview | James Denton proposed openstack/openstack-ansible-os_neutron master: [WIP] Separate OVN gateway functions from ovn-controllers https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/760647 | 04:16 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Disable/stop/mask Open vSwitch on ovn-northd nodes https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/855829 | 07:46 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Disable/stop/mask Open vSwitch on ovn-northd nodes https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/855829 | 07:51 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Disable/stop/mask Open vSwitch on ovn-northd nodes https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/855829 | 07:53 |
noonedeadpunk | anskiy: I updated a bit the patch. If it passes CI would be great if you could test it out | 07:57 |
*** carloss_ is now known as carloss | 08:07 | |
*** andrewbonney_ is now known as andrewbonney | 08:07 | |
*** gouthamr_ is now known as gouthamr | 08:07 | |
*** PrinzElvis_ is now known as PrinzElvis | 08:07 | |
*** odyssey4me_ is now known as odyssey4me | 08:13 | |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Make Ubuntu Jammy voting https://review.opendev.org/c/openstack/openstack-ansible/+/862869 | 08:33 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Do not run CentOS 9 Stream jobs in gates https://review.opendev.org/c/openstack/openstack-ansible/+/862870 | 08:37 |
anskiy | noonedeadpunk: thank you, I haven't been able to take a look at CI logs yet -_- | 09:10 |
opendevreview | Merged openstack/openstack-ansible-rabbitmq_server stable/stein: Use cloudsmith repo for rabbit and erlang https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/862104 | 09:12 |
opendevreview | Andrew Bonney proposed openstack/openstack-ansible-ops master: Add support for apt package pinning https://review.opendev.org/c/openstack/openstack-ansible-ops/+/843573 | 09:51 |
opendevreview | Andrew Bonney proposed openstack/openstack-ansible-ops master: Add support for enabling ELK stack security https://review.opendev.org/c/openstack/openstack-ansible-ops/+/862873 | 09:51 |
opendevreview | Andrew Bonney proposed openstack/openstack-ansible-ops master: Enable cluster ID monitoring setting for beats using logstash https://review.opendev.org/c/openstack/openstack-ansible-ops/+/862874 | 09:51 |
opendevreview | Andrew Bonney proposed openstack/openstack-ansible-ops master: Set permissions on elastic data directories https://review.opendev.org/c/openstack/openstack-ansible-ops/+/862875 | 09:51 |
*** arxcruz is now known as arxcruz|ruck | 10:36 | |
*** dviroel is now known as dviroel|rover | 11:44 | |
nixbuilder | How do I define which user is the "cloud_admin"... and can this be done in user_variables.yml before installation. | 13:03 |
nixbuilder | In Pike I had the cloud_admin defined in /etc/openstack-dashboard/keystone_policy.json... but I don't see that file on my new Yoga installation. | 13:04 |
nixbuilder | Never mind... I think I have finally found the answer... maybe. | 13:10 |
noonedeadpunk | you have an openrc file inside utility container | 13:11 |
noonedeadpunk | but it's "admin" | 13:11 |
nixbuilder | noonedeadpunk: Thanks! | 13:13 |
foutatoro | hi all, I'm trying an AIO deployment but I get this error 'dict object' has no attribute 'interface' https://paste.openstack.org/show/btj5Ox2cA6yI5CHQCbBz/ | 13:23 |
foutatoro | I tried 2 different OSes and branches but I still get the same error | 13:24 |
jamesdenton_ | did you run the scripts/bootstrap-aio.sh script? | 13:25 |
foutatoro | jamesdenton_: yes this error comes while running scripts/bootstrap-aio.sh | 13:27 |
jamesdenton_ | hmm, which distro are you using? and which branch? | 13:28 |
opendevreview | Andrew Bonney proposed openstack/openstack-ansible-ops master: Fix role installation in tests https://review.opendev.org/c/openstack/openstack-ansible-ops/+/862915 | 13:28 |
opendevreview | Andrew Bonney proposed openstack/openstack-ansible-ops master: Add support for apt package pinning https://review.opendev.org/c/openstack/openstack-ansible-ops/+/843573 | 13:29 |
foutatoro | # git status HEAD detached at 25.1.0 # lsb_release -a No LSB modules are available. Distributor ID:Ubuntu Description:Ubuntu 22.04.1 LTS Release:22.04 Codename:jammy | 13:31 |
mgariepy | well..ovn + ssl != FUN. | 13:33 |
jrosser | foutatoro: i think you need to do something like `ansible localhost -m setup` in your openstack-ansible directory | 13:34 |
jrosser | jamesdenton_: i have seen this before with missing facts for the interfaces in AIO ^ | 13:35 |
jamesdenton_ | jrosser can't say i've run into that myself, but i believe it. | 13:38 |
jamesdenton_ | mgariepy thanks for falling on the sword | 13:38 |
mgariepy | lol | 13:38 |
mgariepy | i regret it now haha | 13:38 |
foutatoro | jrosser: I ran the command `ansible localhost -m setup` but still get the error while running scripts/bootstrap-aio.sh | 13:39 |
jrosser | foutatoro: then you will need to debug why ansible_facts['default_ipv4']['interface'] is not defined | 13:40 |
jrosser | one cause would be you not having a default route defined, for example | 13:41 |
opendevreview | Andrew Bonney proposed openstack/openstack-ansible-ops master: Add support for apt package pinning https://review.opendev.org/c/openstack/openstack-ansible-ops/+/843573 | 13:57 |
* noonedeadpunk trying to dig into apache mpm event logic... | 14:11 | |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Try to adjust Apache directives for AIO https://review.opendev.org/c/openstack/openstack-ansible/+/862922 | 14:27 |
mgariepy | jrosser, can it be missing a step here: https://github.com/openstack/ansible-role-pki/blob/master/tasks/standalone/install_ca.yml#L25-L37 | 14:28 |
noonedeadpunk | what step? | 14:31 |
mgariepy | hmm. forget it. | 14:31 |
mgariepy | adding the cert to ca-certificate.conf | 14:31 |
noonedeadpunk | Update CA store does that | 14:31 |
mgariepy | but the symlink seems to do the job | 14:32 |
noonedeadpunk | there default commands for updating CA store are used | 14:32 |
mgariepy | yeah indeed. | 14:35 |
jrosser | mgariepy: depending on the implementation inside OVN it might / might not use the system trust store | 14:36 |
jamesdenton_ | jrosser Jammy deploy w/ Yoga failed locally, seems to be an issue with the bridges not coming up and no IP. Will debug later | 14:37 |
mgariepy | yeah it's a pita to make it work. | 14:37 |
mgariepy | they take a bit too literally documentation as code | 14:38 |
opendevreview | James Denton proposed openstack/openstack-ansible master: [WIP] Implement OVN inventory and deploy by default https://review.opendev.org/c/openstack/openstack-ansible/+/862924 | 14:44 |
jrosser | we had similar trouble with libvirt | 14:44 |
jrosser | where it was not at all obvious which thing should have the CA+intermediate as a chain, or the cert+intermediate | 14:45 |
jrosser | all the docs just assumed a certificate derived straight from the root CA | 14:45 |
mgariepy | something like that ? https://paste.openstack.org/show/bGlw1oRyGbPg2SoWmrAg/ | 14:55 |
mgariepy | all i get from ovn is : SSL routines:tls_process_server_certificate:certificate verify failed | 15:04 |
mgariepy | https://paste.openstack.org/show/b9RGicP4u7NCE38cMgBE/ | 15:09 |
opendevreview | James Denton proposed openstack/openstack-ansible-os_neutron master: [WIP] Separate OVN gateway functions from ovn-controllers https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/760647 | 15:18 |
jamesdenton_ | foutatoro i was able to replicate your issue, somewhat. Have you tried 20.04 instead? | 15:22 |
opendevreview | Marc Gariépy proposed openstack/openstack-ansible-os_neutron master: [WIP] add ovn ssl config https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/862403 | 15:28 |
jrosser | mgariepy: did you make it work? | 15:32 |
mgariepy | nop | 15:33 |
mgariepy | i'm just kinda out of idea and courage lol | 15:33 |
jamesdenton_ | lol | 15:33 |
mgariepy | ovn-central does a bit too much also .. it does manage all the different services | 15:36 |
*** dviroel|rover is now known as dviroel|rover|lunch | 15:37 | |
jrosser | where is the code for this, ovn or neutron? | 15:37 |
mgariepy | it's in ovn | 15:37 |
mgariepy | i just try to have the ovn clustering work. | 15:38 |
mgariepy | https://satishdotpatel.github.io/ovn-ssl-setup-with-openstack/ | 15:39 |
mgariepy | this post does a small portion of it. | 15:39 |
mgariepy | but it doesn't do all the ssl. | 15:40 |
mgariepy | when you do cluster you have raft elections and this part needs also to be ssl | 15:41 |
jamesdenton_ | SSL, all the way down | 15:41 |
mgariepy | yeah but when i set the cert key and ca it won't validate. | 15:41 |
mgariepy | for REASONs | 15:41 |
jrosser | do you set the CA to the root or the intermediate? | 15:59 |
mgariepy | openstack_pki_service_intermediate_cert_name | 16:00 |
mgariepy | so it's the intermediate i guess | 16:03 |
*** dviroel|rover|lunch is now known as dviroel|rover | 16:31 | |
opendevreview | James Denton proposed openstack/openstack-ansible master: [WIP] Implement OVN inventory and deploy by default https://review.opendev.org/c/openstack/openstack-ansible/+/862924 | 17:06 |
opendevreview | James Denton proposed openstack/openstack-ansible master: [WIP] Implement OVN inventory and deploy by default https://review.opendev.org/c/openstack/openstack-ansible/+/862924 | 17:25 |
opendevreview | Marc Gariépy proposed openstack/openstack-ansible-os_neutron master: [WIP] add ovn ssl config https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/862403 | 17:25 |
opendevreview | James Denton proposed openstack/openstack-ansible master: [WIP] Implement OVN inventory and deploy by default https://review.opendev.org/c/openstack/openstack-ansible/+/862924 | 17:32 |
mgariepy | ho. progress.. | 17:35 |
mgariepy | i think :D | 17:35 |
opendevreview | James Denton proposed openstack/openstack-ansible master: [WIP] Implement OVN inventory and deploy by default https://review.opendev.org/c/openstack/openstack-ansible/+/862924 | 17:37 |
jamesdenton_ | is there any order of preference when there are multiple user_variables_*.yml files? | 17:40 |
mgariepy | https://paste.openstack.org/show/b9X86czYLpNB0LznPiUm/ | 17:41 |
jamesdenton_ | 2/3? | 17:42 |
mgariepy | not 100% correct because it seems that one is candidate | 17:43 |
mgariepy | at least they to speak to each other via ssl without complaints | 17:44 |
mgariepy | they need to have the full chain in the CA. | 17:44 |
opendevreview | Merged openstack/openstack-ansible stable/stein: Remove periodic jobs https://review.opendev.org/c/openstack/openstack-ansible/+/847966 | 17:46 |
foutatoro | jamesdenton_: yes I just tried with ubuntu 20.04 with the same error | 17:57 |
mgariepy | jamesdenton_, restart on ovn service doesn't seem to work well. | 18:06 |
mgariepy | so now that i have a less vague idea how pki and ovn-ssl works. how should we do it? 1 key for everything? or we try to split by layers with intermediates ? | 18:26 |
jamesdenton_ | maybe a single key this time around, and expand on that later? | 19:15 |
mgariepy | how complicated will it be to migrate later | 19:16 |
mgariepy | ? | 19:16 |
jamesdenton_ | "not my problem" | 19:16 |
jamesdenton_ | :D | 19:16 |
mgariepy | f%$# future self! | 19:16 |
jamesdenton_ | that's for your grandchildren to figure out | 19:16 |
mgariepy | not close enough of my retirement | 19:17 |
jamesdenton_ | is this all auto-generated stuff? Is there an expectation that someone will want to use their own certs? What's really being secured here? | 19:17 |
mgariepy | the compute cannot talk to ovn nb .. only sb. | 19:19 |
mgariepy | but yeah. indeed. it's not much if you get a shell on the compute.. | 19:19 |
jamesdenton_ | this is only control plane chatter between OVS? no data? | 19:21 |
mgariepy | yep control chatter for port config and so on. | 19:26 |
mgariepy | not the data from the vm directly. | 19:26 |
jamesdenton_ | on a related note, happy to report the new grouping mechanism is working OK for ovn_gateway_chassis nodes | 19:28 |
jamesdenton_ | but for the switch from LXB->OVN, trying to be careful for those that want to upgrade LXB->LXB while also making it somewhat easy to have a default for AIO | 19:28 |
mgariepy | ho nice for the gateway stuff | 19:29 |
mgariepy | you only set a group to the relevant nodes ? | 19:29 |
jamesdenton_ | yeah, i actually added a new inventory group, network-gateway_nodes, and operator can set it to particular hosts, or *compute_nodes, or *network_nodes, or whatever | 19:30 |
mgariepy | nice :D | 19:30 |
jamesdenton_ | so, "network-gateway_nodes: *compute_nodes" in openstack_user_config.yml does the needful | 19:30 |
jamesdenton_ | no assumptions. if you don't specify, it doesn't set any as gateway at all | 19:30 |
mgariepy | so we can set it to a subset of compute also :D | 19:31 |
jamesdenton_ | yep | 19:31 |
mgariepy | is it possible to move a gateway around manually ? | 19:31 |
jamesdenton_ | i believe it's just a setting in open_vswitch table | 19:32 |
jamesdenton_ | as for moving a router between gateways, i'm not sure | 19:32 |
mgariepy | for lxd it's a ha chassis group priority. | 19:32 |
jamesdenton_ | there does seem to be a priority mechanism, but i haven't verified how it works | 19:36 |
mgariepy | ok | 19:38 |
opendevreview | James Denton proposed openstack/openstack-ansible master: Implement OVN inventory changes and deploy by default https://review.opendev.org/c/openstack/openstack-ansible/+/862924 | 19:51 |
opendevreview | Marc Gariépy proposed openstack/openstack-ansible-os_neutron master: [WIP] add ovn ssl config https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/862403 | 20:20 |
*** dviroel|rover is now known as dviroel|rover|afk | 20:22 | |
opendevreview | Marc Gariépy proposed openstack/openstack-ansible-os_neutron master: [WIP] add ovn ssl config https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/862403 | 20:25 |
opendevreview | Marc Gariépy proposed openstack/openstack-ansible-os_neutron master: [WIP] add ovn ssl config https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/862403 | 20:26 |
mgariepy | let's try like this. | 20:27 |
mgariepy | not sure how it will behave on a single ovn-northd container also. | 20:28 |
opendevreview | James Denton proposed openstack/openstack-ansible-os_neutron master: Separate OVN gateway functions from ovn-controllers https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/760647 | 21:05 |
opendevreview | James Denton proposed openstack/openstack-ansible master: Implement OVN inventory changes and deploy by default https://review.opendev.org/c/openstack/openstack-ansible/+/862924 | 21:12 |
*** dviroel|rover|afk is now known as dviroel|rover | 21:34 | |
*** dviroel|rover is now known as dviroel|out | 21:36 |