Tuesday, 2023-01-10

<opendevreview> Merged openstack/openstack-ansible stable/yoga: Unset OSA-defined variables for bootstrap  https://review.opendev.org/c/openstack/openstack-ansible/+/868273 00:47
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-galera_server master: Remove "warn" parameter from command module  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/869656 08:35
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Bump ansible version to 2.14.1  https://review.opendev.org/c/openstack/openstack-ansible/+/869599 08:38
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Remove "warn" parameter from command module  https://review.opendev.org/c/openstack/openstack-ansible/+/869657 08:38
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Remove "warn" paramter from command module  https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/869658 08:39
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-ops master: Remove "warn" parameter from command module  https://review.opendev.org/c/openstack/openstack-ansible-ops/+/869660 08:40
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_cinder master: Remove "warn" parameter from command module  https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/869661 08:41
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_neutron master: Remove "warn" parameter from command module  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/869662 08:42
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-rabbitmq_server master: Remove "warn" parameter from command module  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/869663 08:43
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Bump ansible version to 2.14.1  https://review.opendev.org/c/openstack/openstack-ansible/+/869599 08:46
<opendevreview> Jonathan Rosser proposed openstack/ansible-role-pki master: Update variables gathering to use vars/varnames lookups  https://review.opendev.org/c/openstack/ansible-role-pki/+/869664 09:21
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-rabbitmq_server master: Remove "warn" parameter from command module  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/869663 09:24
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Remove "warn" parameter from command module  https://review.opendev.org/c/openstack/openstack-ansible/+/869657 09:37
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump ansible version to 2.14.1  https://review.opendev.org/c/openstack/openstack-ansible/+/869599 09:38
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_cinder master: Remove "warn" parameter from command module  https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/869661 09:38
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Remove "warn" parameter from command module  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/869656 09:39
<jrosser> oh my - i think i need more coffee 09:41
<jrosser> noonedeadpunk: ^ thanks for fixing those :) 09:41
<noonedeadpunk> no worries :-) 09:42
<jrosser> noonedeadpunk: i was wondering about making a variable for the server URL in here https://github.com/openstack/openstack-ansible/blob/master/playbooks/defaults/repo_packages/openstack_services.yml 09:43
<jrosser> like one single place to switch over all the repos to point at a mirror, or github instead of opendev for example 09:43
<jrosser> but i think this may interfere with the sha bump tool? 09:43
<noonedeadpunk> well, I can patch the tool - it's not a problem 09:44
<noonedeadpunk> I can't recall if we can do same in a-r-r though.... 09:45
<jrosser> we had some weird network outage yesterday, like broken route/transit to opendev.org and i was thinking how nice it would be to be able to easily switch the whole thing to use github 09:45
<noonedeadpunk> well, it would be also quite sweet for me as well to switch to internal git mirror :) 09:46
<noonedeadpunk> rather than override each one just define single variable 09:47
<jrosser> yeah 09:47
<jrosser> bootstrap is a bit different but i expect that can be done too 09:47
<noonedeadpunk> well, bootstrap is maybe a bit less of an issue... maybe... 09:48
<noonedeadpunk> as you don't need to pull things that frequently 09:48
<noonedeadpunk> and we have a mix of github/opendev there already 09:49
<noonedeadpunk> though I kind of wonder where such variable should be defined then 09:49
<noonedeadpunk> given we also have openstack_testing.yml 09:50
<jrosser> we can put one in each of openstack_services / openstack_testing as defaults as a starting point, they will be very low priority 09:52
<jrosser> also the 2.14 patch failed oddly on focal - need to look if we even have a valid python version there 09:53
<jrosser> and i don't recall if we discussed how long to keep focal support either 09:53
<noonedeadpunk> I haven't checked 2.14 release notes yet... In case it requires >3.8 then we have an issue 09:53
<noonedeadpunk> we must keep it for Antelope 09:53
<noonedeadpunk> and drop right after 09:53
<noonedeadpunk> as it's part of PTI for SLURP upgrades 09:54
<jrosser> ah `ansible - Increase minimum Python requirement to Python 3.9 for CLI utilities and controller code` 09:54
<noonedeadpunk> tbh I'd propose then to stay on 2.13 for AA 09:55
<opendevreview> Merged openstack/openstack-ansible-os_ironic master: Update IPA image for the Zed release  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/869570 09:56
<opendevreview> Merged openstack/openstack-ansible-plugins stable/zed: Limit maximum number of threads for parallel git clone  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/869463 10:06
<opendevreview> Merged openstack/openstack-ansible-plugins stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/867498 10:06
<opendevreview> Merged openstack/ansible-role-pki master: Allow to define mode and ownership for CA private keys  https://review.opendev.org/c/openstack/ansible-role-pki/+/867553 10:15
<opendevreview> Merged openstack/openstack-ansible-os_nova stable/zed: Enable rbd download when nova_glance_rbd is in use  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/869466 10:15
<jrosser> noonedeadpunk: do you want to backport https://review.opendev.org/c/openstack/ansible-role-pki/+/867553 ? 10:15
<noonedeadpunk> well, might be nice to, but https://review.opendev.org/c/openstack/ansible-role-pki/+/867555 also works 10:17
<opendevreview> Andrew Bonney proposed openstack/openstack-ansible master: Correct series names for documentation  https://review.opendev.org/c/openstack/openstack-ansible/+/869670 10:18
<opendevreview> Merged openstack/openstack-ansible-openstack_hosts master: Allow to manage extra services, mounts and networks  https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/868534 10:25
<opendevreview> Merged openstack/ansible-role-systemd_networkd master: Allow to provide multiple VLANs  https://review.opendev.org/c/openstack/ansible-role-systemd_networkd/+/868500 10:28
<opendevreview> Merged openstack/openstack-ansible-plugins master: Unify vars for glusterfs RHEL variants and remove rocky-8 workaround.  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/866116 10:32
<opendevreview> Merged openstack/openstack-ansible-plugins master: Add variable to control no_log in db_setup role  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/869546 10:32
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/zed: Sync ZFS pool names  https://review.opendev.org/c/openstack/openstack-ansible/+/869633 10:36
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/yoga: Sync ZFS pool names  https://review.opendev.org/c/openstack/openstack-ansible/+/869634 10:36
<opendevreview> Merged openstack/openstack-ansible-ops master: Remove "warn" parameter from command module  https://review.opendev.org/c/openstack/openstack-ansible-ops/+/869660 10:36
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-lxc_hosts stable/zed: Ensure tar is installed on LXC host  https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/868176 10:37
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-lxc_hosts stable/yoga: Ensure tar is installed on LXC host  https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/868177 10:38
<opendevreview> Merged openstack/openstack-ansible stable/zed: Define name for all collections in a-r-r  https://review.opendev.org/c/openstack/openstack-ansible/+/869460 11:21
<opendevreview> Merged openstack/openstack-ansible stable/zed: Prevent bootstrap failure when all roles/collections are overriden  https://review.opendev.org/c/openstack/openstack-ansible/+/869458 11:21
<opendevreview> Merged openstack/openstack-ansible stable/xena: Unset OSA-defined variables for bootstrap  https://review.opendev.org/c/openstack/openstack-ansible/+/868271 11:21
<opendevreview> Merged openstack/openstack-ansible master: [doc] Update repositiories for mirroring  https://review.opendev.org/c/openstack/openstack-ansible/+/868506 11:21
<opendevreview> Merged openstack/openstack-ansible master: Add reminder to contributor docs to update amphora/IPA images  https://review.opendev.org/c/openstack/openstack-ansible/+/869574 11:21
<opendevreview> Merged openstack/openstack-ansible master: Set defaults for octavia-ovn-provider driver  https://review.opendev.org/c/openstack/openstack-ansible/+/868461 11:37
<opendevreview> Merged openstack/openstack-ansible master: Sync ZFS pool names  https://review.opendev.org/c/openstack/openstack-ansible/+/869575 11:37
<opendevreview> Merged openstack/openstack-ansible master: Correct series names for documentation  https://review.opendev.org/c/openstack/openstack-ansible/+/869670 11:37
<opendevreview> Merged openstack/openstack-ansible master: [doc] Add example on how to provision LXC bridges with OSA  https://review.opendev.org/c/openstack/openstack-ansible/+/868507 11:37
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible stable/zed: Correct series names for documentation  https://review.opendev.org/c/openstack/openstack-ansible/+/869636 11:39
<opendevreview> Merged openstack/openstack-ansible-os_nova stable/yoga: Enable rbd download when nova_glance_rbd is in use  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/869467 11:47
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Fix comment typo in nova install playbook  https://review.opendev.org/c/openstack/openstack-ansible/+/869686 11:49
<moha7> Because of this error: http://ix.io/4kNT I think it's needed to add 'RETRY' to the step "Distribute the fernet key repository" for `os-keystone-install.yml`. I passed that failure after 3 attempts of re-deploying that yml script. 11:49
<opendevreview> Merged openstack/ansible-role-systemd_mount master: Fix mount's systemd unit dependency logic  https://review.opendev.org/c/openstack/ansible-role-systemd_mount/+/868511 12:13
<jrosser> moha7: we need to know why it failed - adding retries there is wrong, and also is not the same as running the playbook multiple times 12:15
<jrosser> moha7: and fundamentally it is network related "ssh: connect to host 172.17.246.173 port 22: No route to host" 12:16
<opendevreview> Merged openstack/openstack-ansible-os_ironic stable/zed: Update IPA image for the Zed release  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/869465 12:17
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible stable/zed: [doc] Update repositiories for mirroring  https://review.opendev.org/c/openstack/openstack-ansible/+/869637 12:17
<opendevreview> Merged openstack/openstack-ansible stable/zed: Correct series names for documentation  https://review.opendev.org/c/openstack/openstack-ansible/+/869636 12:39
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Deploy 3 keystone containers for infra CI jobs  https://review.opendev.org/c/openstack/openstack-ansible/+/869711 12:41
<jrosser> moha7: i added CI coverage for that case of fernet key synchronisation ^ 12:41
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-plugins master: [DNM] test 869711  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/869713 12:55
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Bump pip and wheel to latest versions  https://review.opendev.org/c/openstack/openstack-ansible/+/869715 13:07
<noonedeadpunk> I'm a bit confused about what we're doing in cinder role.... 13:11
<noonedeadpunk> https://opendev.org/openstack/openstack-ansible-os_cinder/src/branch/master/tasks/cinder_install_source.yml#L40-L58 won't rsync drop symlink we create? 13:11
<noonedeadpunk> and then we have https://opendev.org/openstack/openstack-ansible-os_cinder/src/branch/master/vars/main.yml#L69-L75 /o\ 13:14
<opendevreview> Merged openstack/openstack-ansible stable/zed: [doc] Update repositiories for mirroring  https://review.opendev.org/c/openstack/openstack-ansible/+/869637 13:15
<jrosser> oh the complexity :/ 13:15
<noonedeadpunk> I assume we should have 2 files there tops - one https://opendev.org/openstack/cinder/src/branch/master/etc/cinder/rootwrap.d/volume.filters and second https://opendev.org/openstack/os-brick/src/branch/master/etc/os-brick/rootwrap.d/os-brick.filters 13:17
<noonedeadpunk> Eventually if we need os-brick is a question.... 13:24
<jrosser> it's a bit ugly because our code doesn't quite manage to say "all of these and all of those, delete everything else" 13:25
<jrosser> when in fact there is only one file at each location 13:26
<noonedeadpunk> Ok, os-brick likely needed. But then we can fully drop rsync I assume 13:28
<noonedeadpunk> ah, ok. now I got it. we assume there can be more files and in order not to maintain the list, we just rsync.... 13:31
<jrosser> yes 13:32
<jrosser> i was wondering if rsync can accept two source places 13:32
<jrosser> rsync <these> <those> <to-there> 13:32
<noonedeadpunk> I kind of wonder why --delete doesn't touch symlink... I thought that some flag should be used for that... 13:35
<noonedeadpunk> Like `--no-links` or smth 13:36
<noonedeadpunk> it's even more weird.... /etc/cinder is a symlink to /openstack/venvs/cinder-26.1.0.dev29/etc/cinder so commenting out rsync change nothing 14:02
<noonedeadpunk> so seems like un-needed leftover after smart sources change 14:02
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_cinder master: Remove rsync requirement for cinder  https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/869725 14:10
<noonedeadpunk> and basically that's the reason why it didn't delete symlink - it was synchronizing directory inside itself 14:11
<opendevreview> Andrew Bonney proposed openstack/ansible-role-systemd_networkd master: Fix static routes to use Destination rather than Source key  https://review.opendev.org/c/openstack/ansible-role-systemd_networkd/+/869733 14:58
<noonedeadpunk> #startmeeting openstack_ansible_meeting 15:01
<opendevmeet> Meeting started Tue Jan 10 15:01:24 2023 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:01
<opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:01
<opendevmeet> The meeting name has been set to 'openstack_ansible_meeting' 15:01
<noonedeadpunk> #topic rollcall 15:01
<jamesdenton> o/ 15:02
<noonedeadpunk> o/ 15:02
<NeilHanlon> o/ 15:03
<NeilHanlon> \o, even 15:03
<noonedeadpunk> :D 15:03
<damiandabrowski> hi! 15:03
<noonedeadpunk> #topic office hours 15:06
<noonedeadpunk> Tbh I don't really have an agenda for today's meeting :-) 15:07
<opendevreview> Andrew Bonney proposed openstack/ansible-role-systemd_networkd master: Handle omitted variables which appear as empty strings  https://review.opendev.org/c/openstack/ansible-role-systemd_networkd/+/869736 15:07
<noonedeadpunk> I'm waiting for https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/868177 and https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/868176 to issue role/services bump to tag new releases 15:08
<damiandabrowski> and I was disrupted by some internal things, but this week i resumed work on internal TLS 15:09
<noonedeadpunk> And I didn't have a chance to look at PKI role regarding usage of pipes 15:09
<jamesdenton> last day to get submissions in for Vancouver 15:10
<noonedeadpunk> yes good point ^ 15:10
<noonedeadpunk> I've submitted osa onboarding at very least and hope to be there 15:11
<jamesdenton> i saw that, thanks 15:11
<noonedeadpunk> But I might have tricky situation with travels, or it might get sorted out by summit 15:12
<jamesdenton> so, based on recent activity in the channel it's prob a good idea for me to put together an OVN Quick Start guide, or at a minimum improve whatever docs we have 15:12
<jamesdenton> let's hope you get sorted 15:12
<noonedeadpunk> yeah, I saw docs you pushed, but didn't finish reviewing 15:13
<noonedeadpunk> and yep, it's quite some activity regarding OVN happening 15:13
<jamesdenton> after mgariepy comments yesterday, i may have some more tweaks 15:13
<noonedeadpunk> And I think it's mostly due to breaking changes we made for Zed, so spatel's blog post not valid for Z+ 15:13
<jamesdenton> right. his blog is quite popular 15:14
<spatel> noonedeadpunk i validated in my lab and fixing my blog for zed :) 15:14
<jamesdenton> nice 15:14
<noonedeadpunk> maybe they can reflect state somewhere there ^_^ 15:14
<noonedeadpunk> ah, awesome! 15:14
<noonedeadpunk> jamesdenton: you should get new revision of your book to beat spatel's blog success :p 15:15
<jamesdenton> authoring is a young mans game 15:15
<jamesdenton> s/mans/persons 15:15
<spatel> Me and james should come up with new book.. OVN on your way :) 15:15
<jamesdenton> :) 15:15
<jamesdenton> i have much to learn 15:16
<NeilHanlon> I was hoping i could make it to vancouver this year.. but I don't think it'll end up happening :( 15:19
<noonedeadpunk> sad news :( 15:19
<NeilHanlon> we will see. if I can get work to pay that might happen 15:20
<spatel> who else going to Vancouver? 15:20
<NeilHanlon> I will be at FOSDEM next month, if anyone is around :) 15:20
<noonedeadpunk> it's quite close to where am I, but a bit tired of traveling at the moment, so was going to skip fosdem tbh 15:22
<NeilHanlon> that's fair. it's quite busy 15:22
<mgariepy> hey i'm late. 15:24
<jamesdenton> there's no large trout button in this irc client 15:25
<noonedeadpunk> but will see actually... 15:25
<mgariepy> i probably won't be in vancouver i got some major home renovation during this time. 15:26
<noonedeadpunk> There's one small thing. ansible-core 2.14 requires python >=3.9. And Ubuntu 20.04 does have 3.8 out of the box 15:27
<noonedeadpunk> And since we should keep 20.04 support for Antelope for upgrade path from Y, my proposal would be to stay on 2.13 for now 15:27
<spatel> what are we going to get with 2.14? 15:28
<jrosser> o/ sorry late 15:32
<noonedeadpunk> not much I guess - plenty of changes but it's not we want smth specific 15:33
<noonedeadpunk> except will to keep closer to latest versions of used software 15:33
<jrosser> andrewbonney: do we need https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/868177 in Zed? Like it's broken without? 15:34
<jrosser> argh 15:35
<jrosser> i mean https://review.opendev.org/c/openstack/ansible-role-systemd_networkd/+/869736 15:35
<andrewbonney> No I don't think it's broken, you just get errors in the log. The static route one does cause brokenness if it's required by a deployment though 15:35
<noonedeadpunk> So you're trying to override _lxc_container_systemd_networks? 15:36
<opendevreview> Merged openstack/openstack-ansible master: Block unauthenticated Ironic API endpoints from untrusted networks  https://review.opendev.org/c/openstack/openstack-ansible/+/868075 15:37
<jrosser> no we have a static route defined in provider_networks and it results in broken config 15:37
<noonedeadpunk> ah 15:37
<noonedeadpunk> yeah, fair... We should backport that then as well 15:37
<jrosser> andrewbonney is doing a multinode Zed upgrade this week so we will find some bugs i expect 15:38
* noonedeadpunk crosses fingers 15:38
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible stable/zed: Block unauthenticated Ironic API endpoints from untrusted networks  https://review.opendev.org/c/openstack/openstack-ansible/+/869641 15:38
<noonedeadpunk> we're going to upgrade straight to AA 15:38
<jrosser> moha7: i have a passing test with multiple keystone / rsync https://zuul.opendev.org/t/openstack/build/992d02393eac48faa2ef13d180949eb8/log/job-output.txt#13455-13457 15:40
<spatel> noonedeadpunk I have question related shared keystone deployment with OSA. I have openstack RegionOne up and running and i wants to add new cloud RegionTwo 15:41
<spatel> what i should tell new Openstack that use old openstack for keystone? 15:42
<noonedeadpunk> I think we should also backport AIO fix for keystone - when we randomly were failing tempest 15:43
<spatel> I added this in user_var* file on new openstack - https://paste.opendev.org/show/bimxztCDsaMGpXVj1yxY/ 15:43
<noonedeadpunk> we merged 2 things on master and seems it doesn't happen anymore 15:43
<spatel> if we are in meeting then i will talk later...sorry 15:44
<noonedeadpunk> one was https://opendev.org/openstack/openstack-ansible/commit/078c82b03456d46641a3ec05e3d14bd3ac6d1cd5 15:44
<opendevreview> Andrew Bonney proposed openstack/ansible-role-systemd_networkd master: Handle omitted variables which appear as empty strings  https://review.opendev.org/c/openstack/ansible-role-systemd_networkd/+/869736 15:45
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/yoga: Increase thread/process to 2 for keystone  https://review.opendev.org/c/openstack/openstack-ansible/+/869642 15:46
<noonedeadpunk> And I think we changed smth for tempest as well.... 15:46
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/yoga: Increase thread/process to 2 for keystone  https://review.opendev.org/c/openstack/openstack-ansible/+/869642 15:47
<noonedeadpunk> As I see random failures of tempest for Y 15:48
<jrosser> there were a bunch of other places we reduced threads/workers in roles where that was forgotten 15:49
<jrosser> i think mgariepy made a lot of patches like that 15:49
<jrosser> would be worth at some point deciding what we want to implement this cycle 15:51
<jamesdenton> Refresher: https://etherpad.opendev.org/p/osa-antelope-ptg 15:52
<jrosser> https://etherpad.opendev.org/p/osa-antelope-ptg 15:52
<jrosser> oh snap :) 15:52
<jamesdenton> mind meld 15:52
<jrosser> the only thing i have to add to that is checking we are doing the right thing with whatever system/reader scope stuff is now 15:53
<jrosser> as we are trying to use the ironic ansible modules here and failing pretty badly 15:54
<jamesdenton> not familiar, sorry 15:54
<jrosser> all to do with system / not system scope tokens needed for that service somehow differently to other services 15:54
<jamesdenton> ahh 15:54
<noonedeadpunk> I _think_ we should be doing it quite right. or well, except we're not enforcing usage of system scopes for services. But I'm not sure we should, given that for services separate "service" role is needed. 15:55
<noonedeadpunk> But eventually there's quite a mess in this topic right now and it's not really aligned 15:55
<jrosser> right 15:55
<jrosser> perhaps need to look at what the default setup in openrc is as well 15:56
<noonedeadpunk> so eventually, we should end up not giving service users admin role at all 15:56
<noonedeadpunk> it should be service role, but likely system scoped - but service role was just a discussion point last time I checked 15:57
<noonedeadpunk> for openrc we have a way to enable system scope iirc 15:57
<noonedeadpunk> but from what I recall - system scopes should not be enforced, unless I missed smth 15:58
<mgariepy> jrosser, noonedeadpunk threads.. https://review.opendev.org/c/openstack/openstack-ansible/+/850942 15:58
<noonedeadpunk> so I wonder if that could be an issue with just ansible modules 15:59
<mgariepy> arf, 15:59
<mgariepy> no comments.. again :S 15:59
<opendevreview> Merged openstack/openstack-ansible stable/zed: Sync ZFS pool names  https://review.opendev.org/c/openstack/openstack-ansible/+/869633 15:59
<jrosser> i took a look and think it is policy in ironic 15:59
<jrosser> things like "list nodes" was only available with a system scoped token 15:59
<jrosser> and it was very confusing how this was all changed between yoga/zed.. 16:00
<noonedeadpunk> the problem is that system scopes were not implemented in cinder if I'm right. So enforcing them could be not safe for other services 16:00
<noonedeadpunk> well, yeah, there was a plan to enforce them in Z, but as it was not aligned I can recall postponing this 16:01
<noonedeadpunk> but again, I could miss smth 16:01
<noonedeadpunk> #endmeeting 16:01
<opendevmeet> Meeting ended Tue Jan 10 16:01:36 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) 16:01
<opendevmeet> Minutes:        https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-01-10-15.01.html 16:01
<opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-01-10-15.01.txt 16:01
<opendevmeet> Log:            https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-01-10-15.01.log.html 16:01
<noonedeadpunk> spatel: so, you have keystone in regionA and you're deploying regionB? And you have independent deploy hosts for regionA and regionB? 16:02
<jrosser> it was this sort of thing `"baremetal:node:create": "role:admin and system_scope:all"` 16:02
<spatel> Yes.. I have i want to shared keystone between region 16:03
<spatel> I have added this snippet in RegionB  to point RegionA  - https://paste.opendev.org/show/bimxztCDsaMGpXVj1yxY/ 16:04
<spatel> Question how does RegionB will add endpoint in RegionA without auth? 16:05
<noonedeadpunk> jrosser: ah, I pushed that some time ago to address system scopes https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/832837 16:07
<noonedeadpunk> that's why I thought that we should be doing what's needed 16:08
<noonedeadpunk> likely worth rebasing and checking the result.... 16:09
<jrosser> i think this is with our admin user 16:09
<jrosser> trying to issue a system scoped token for that user to then use the ironic module 16:09
<jrosser> what i mean is that what i've been trying would have authed as admin 16:10
<noonedeadpunk> well, our admin user should be system scoped - I think it's default behaviour for keystone now. So should just depend on openrc iirc 16:10
<jrosser> hmm 16:10
<noonedeadpunk> and we have that https://opendev.org/openstack/openstack-ansible-openstack_openrc/src/branch/master/tasks/main.yml#L29-L32 16:11
<noonedeadpunk> though, `openrc_system_scope` will also affect clouds.yaml https://opendev.org/openstack/openstack-ansible-openstack_openrc/src/branch/master/templates/clouds.yaml.j2#L6-L12 16:12
<opendevreview> Jonathan Rosser proposed openstack/ansible-role-pki master: Update variables gathering to use vars/varnames lookups  https://review.opendev.org/c/openstack/ansible-role-pki/+/869664 16:37
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Allow git servers for openstack services and tempest to be overridden  https://review.opendev.org/c/openstack/openstack-ansible/+/869748 17:20
<spatel> noonedeadpunk around.. did you see my ask :) 17:31
<noonedeadpunk> spatel: sorry, I missed that - was side-pinged 17:32
<spatel> no worry, just making sure you saw or i should repost 17:32
<noonedeadpunk> spatel: um, and deploy hosts are independent, right? 17:38
<spatel> This is AIO box 17:38
<noonedeadpunk> Ah, yes, I think you can't play with env.d for regions anyway 17:38
<spatel> Does it matter ? 17:39
<spatel> why env.d coming in picture here? 17:39
<noonedeadpunk> nah, it's not, forget it :D 17:39
<spatel> +1 17:39
<spatel> All i am doing is telling new openstack go and use keystone on old openstack :) 17:40
<spatel> I did that but i encounter error saying RegionTwo doesn't found, ofc because nobody created yet. 17:40
<noonedeadpunk> Regarding https://paste.opendev.org/show/bimxztCDsaMGpXVj1yxY/ - I don't think you need keystone_service_adminurl but what you need is keystone_service_publicuri 17:41
<spatel> copy that.. 17:41
<noonedeadpunk> Also, you should avoid defining identity_hosts in openstack_user_config 17:41
<spatel> but still i don't understand logic here 17:42
<noonedeadpunk> and keystone_auth_admin_password in user_secrets should be exactly the same as for first region 17:42
<spatel> But that doesn't matter if i have keystone installed or not. right? 17:42
<noonedeadpunk> You don't need to get second keystone installed I assume? 17:43
<noonedeadpunk> As you want to use keystone  in regionB from regionA? 17:43
<spatel> I did copy user_secret.yml and sync between both cloud so i have same creds for everything 17:43
<spatel> Yes, but i can install and leave it there and not use. I don't think that will cause any issue, correct? 17:43
<noonedeadpunk> Nah, it shouldn't cause issues, just might give some confusion. 17:46
<spatel> 100% agreed with you. I am just trying to understand. 17:46
<noonedeadpunk> I kind of wonder if you really want to use same creds for everything. As database/rabbitmq users likely worth to differ 17:47
<spatel> I don't know how OSA handle this condition when we point it to other cloud and it will do magic behind the shell 17:47
<noonedeadpunk> or well, doesn't matter much either 17:47
<noonedeadpunk> osa shouldn't care much about it 17:47
<spatel> This is my lab to understand stuff before i rollout to production 17:47
<noonedeadpunk> as long as cloud.yaml and openrc files on utility are correct and pointing to the valid keystone - it should be fine 17:48
<spatel> Do i need to create or copy openrc file to new cloud manually? 17:48
<noonedeadpunk> And it's taken from keystone_service_internalurl 17:48
<noonedeadpunk> nope, it will be provisioned with utility setup 17:49
<spatel> ? 17:49
<noonedeadpunk> So defining keystone_service_*uri and taking care of secrets is close to only thing you should need 17:49
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Allow git servers for openstack services and tempest to be overridden  https://review.opendev.org/c/openstack/openstack-ansible/+/869748 17:49
<spatel> You are saying all i need  keystone_service_*uri and password and just run setup-everything.yml ? 17:51
<noonedeadpunk> But I personally would think about separating keystone service users per regions. 17:51
<noonedeadpunk> As then password rotation might become a nightmare in day2 17:51
<noonedeadpunk> but for POC - yeah, I'd say it should just work. except you will need some extra config for horizon 17:52
<spatel> we don't do password rotate 17:52
<noonedeadpunk> Nobody ever quit your company alive ? :D 17:52
<spatel> That is me.. I am the only one here doing this shit :) 17:53
<noonedeadpunk> Ah, then fair :D 17:53
<spatel> Even if they take password nothing going to happened :D everything is under private net (nothing public) 17:53
<spatel> We run private cloud.. hehe 17:54
<spatel> Still i have question, lets say if i define two variable keystone_auth_admin_password & keystone_service_*uri  but how does other service register or create endpoint in RegionTwo? 17:55
<spatel> How does new openstack auth using RegionOne and create RegionTwo? 17:56
<spatel> Yesterday i was getting error related RegionTwo didn't find so i created by hand on old openstack and everything start working. 17:56
spatelThat is what trying to understand how... We don't have any document related that in osa offical doc17:57
spateli can give it a try again - keystone_service_publicuri: https://openstack.example.com:5000  is this correct way to define it?17:59
noonedeadpunkyup17:59
noonedeadpunkOh, well...17:59
noonedeadpunkMaybe we indeed don't create regions properly....17:59
spatelI didn't find anything in code who does, may be i missed something. 18:00
spatelonly solution i found was create RegionTwo identity endpoint by hand and after that everything started flowing smoothly 18:01
noonedeadpunkyeah, true18:01
noonedeadpunkWe do create region only during keystone bootstrap18:01
noonedeadpunkAnd since you don't run keystone role - it simply doesn't happen18:01
spatelWe don't do bootstrap in this case correct?18:01
noonedeadpunkYup18:02
spatelI am not crazy here :D18:02
noonedeadpunkSo yeah, you need to create region by hand as of today. I assume that might be worth fixing though... Or just write to docs :D18:02
spatelLet me play enough to find bugs and then we can fix all at once.18:03
spatelThen i don't need keystone_service_publicuri: https://openstack.example.com:5000  because my previous solution working as i mention if i create by hand 18:04
noonedeadpunkwell, it will create wrong public endpoints then?18:08
spatelbut it works for me with this snippet - https://paste.opendev.org/show/bimxztCDsaMGpXVj1yxY/18:09
noonedeadpunkah, yeah, you're right probably18:09
noonedeadpunkkeystone_service_publicuri in fact is used only for keystone role18:09
noonedeadpunkand well. I found some nasty thing in placement I think18:10
spatelhmm?18:12
noonedeadpunkhttps://opendev.org/openstack/openstack-ansible-os_placement/src/branch/master/templates/placement.conf.j2#L1018:16
spatelOoo18:17
spateloh wait.. i am not seeing anything wrong here.. why do you think it will break?18:19
spatelyou are saying keystone_service_publicuri need to specified ?18:19
noonedeadpunkWell, I'm not convinced it's needed there. 18:21
noonedeadpunkbut I see couple of services that use it in keystone_authtoken18:22
noonedeadpunkSo yeah, might be worth to define it after all18:22
opendevreviewJonathan Rosser proposed openstack/openstack-ansible master: Allow git servers for openstack services and tempest to be overridden  https://review.opendev.org/c/openstack/openstack-ansible/+/86974818:50
opendevreviewMerged openstack/openstack-ansible-lxc_hosts stable/zed: Ensure tar is installed on LXC host  https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/86817618:58
opendevreviewJonathan Rosser proposed openstack/openstack-ansible master: Allow git servers for openstack services and tempest to be overridden  https://review.opendev.org/c/openstack/openstack-ansible/+/86974819:02
opendevreviewMerged openstack/openstack-ansible-plugins stable/yoga: Limit maximum number of threads for parallel git clone  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/86946419:21
BobZAnnapolishey folks - we rebooted the controllers, system came back up . . sort of...looks like the REST API calls are being sent to everyone but nothing is being written into Galera - can't create new users, instances, etc ? Any ideas on what to run after the controllers get rebooted to get full functionality back ? tia19:32
jrosserBobZAnnapolis: you could try come if this https://docs.openstack.org/openstack-ansible/latest/admin/maintenance-tasks.html19:42
jrosser*some of…19:42
BobZAnnapolisjrosser: Thanks, we've started running thru those. . . .almost looks like the db is in read-only mode. Components are rcvng the API "create" commands, but then timing out w/o being able to complete the create requests :-(19:54
moha7A channel gathering tweets about OpenStack: https://t.me/opstweets20:00
opendevreviewMerged openstack/openstack-ansible master: Deploy 3 keystone containers for infra CI jobs  https://review.opendev.org/c/openstack/openstack-ansible/+/86971120:14
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Allow empty records for container_skel  https://review.opendev.org/c/openstack/openstack-ansible/+/86976220:22
noonedeadpunkthat is quite controversial change ^, I'm quite open for suggestions on how to do that better/in more clear way. I was thinking on implementing some new property, like "virtual" or smth like that, but once realized that item can be simply empty - decided to simplify that 20:27
noonedeadpunkBut I kind of need some functionality like that - to define a group that will not create any containers, but will include all existing containers of host that part of this group20:28
noonedeadpunkWill mark it as WIP for now as want to play a bit more and see if it doesn't have unexpected flaws20:46
mgariepyno comments.. again :S21:08
mgariepyoops. 21:08
BobZAnnapolisok, new problem....got the Galera DB cluster back working & synch'd up but now. . . .after the 3-controller reboot - we can't create new instances or volumes - we can delete ones that error out & don't finish getting created, so we can write to disk & start the process on a compute node - but it never finishes :-( - logs indicate a 2-minute timeout from getting a response and then the scheduler attempts to 21:09
noonedeadpunkI assume this might be rabbitmq thing21:13
noonedeadpunktry out re-running `openstack-ansible playbooks/rabbitmq-install -e rabbitmq_upgrade=true`21:14
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Restore dynamic_inventory unit testing  https://review.opendev.org/c/openstack/openstack-ansible/+/86977622:43
-opendevstatus- NOTICE: One of our CI job log storage providers appears to be having trouble with log uploads and retrievals. We are in the process of removing that provider from the pool.22:43
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Allow empty records for container_skel  https://review.opendev.org/c/openstack/openstack-ansible/+/86976222:45
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Allow empty records for container_skel  https://review.opendev.org/c/openstack/openstack-ansible/+/86976222:45
