jrosser | good morning | 08:14 |
---|---|---|
noonedeadpunk | o/ | 08:29 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Add releasenote for ANSIBLE_INJECT_FACT_VARS defaulting to false https://review.opendev.org/c/openstack/openstack-ansible/+/876764 | 08:29 |
noonedeadpunk | So nice seeing stuff getting merged :) | 08:29 |
noonedeadpunk | Xena is left to fix though... | 08:30 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Deploy step-ca when 'stepca' is part of the deployment scenario. https://review.opendev.org/c/openstack/openstack-ansible/+/876637 | 08:39 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Add a /etc/hosts entry for the external IP of an AIO https://review.opendev.org/c/openstack/openstack-ansible/+/876638 | 08:39 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Use certbot to generate SSL cert for the external VIP in 'stepca' scenario https://review.opendev.org/c/openstack/openstack-ansible/+/876639 | 08:40 |
noonedeadpunk | jrosser: btw, have you managed to find out wtf with that compute deploy? | 08:51 |
jrosser | i will check with stuart later - he started digging deeper into it yesterday | 08:52 |
noonedeadpunk | aha | 08:52 |
noonedeadpunk | Just I'm super eager to know :-) | 08:52 |
jrosser | we also need to fix ansible-hardening for aarch64 | 08:52 |
jrosser | https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/auditing-the-system_security-hardening#proc_setting-up-audit-to-monitor-software-updates_auditing-the-system | 08:53 |
noonedeadpunk | And not only for aarch64, but in general | 08:53 |
jrosser | `Pre-configured rule files cannot be used on systems with the ppc64le and aarch64 architectures.` | 08:53 |
noonedeadpunk | it's suuuper outdated | 08:53 |
jrosser | well indeed it is | 08:53 |
jrosser | noonedeadpunk: btw it would be great if you could have a look at this https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/876749 | 08:54 |
noonedeadpunk | I did and realized I have no idea about map files | 08:54 |
jrosser | this is the idea i have https://etherpad.opendev.org/p/osa-horizon-map | 08:55 |
noonedeadpunk | So I'd need to dig into haproxy docs deeper to understand that | 08:55 |
noonedeadpunk | I know our storage folks used them to provide rgw websites | 08:55 |
jrosser | i think it is going to be useful for the haproxy separated config | 08:56 |
jrosser | because at the moment the frontend handling https has to understand if there is horizon or not right from the start, in order to set the backend | 08:57 |
noonedeadpunk | Yeah I was thinking to read/implement that one day but never had time for that | 08:57 |
jrosser | and there is catch-22, if you define the main frontend to use the horizon backend, but thats not yet configured haproxy will not start | 08:58 |
jrosser | so my idea is to tell the frontend to use some maps, which can be empty so long as the file exists | 08:58 |
noonedeadpunk | Is assemble recursive? | 08:59 |
jrosser | and then we run horizon install which generates an entry in one of the maps, and the backend starts being used | 08:59 |
jrosser | i hope not :) | 08:59 |
noonedeadpunk | Ah, ok, missed what all_changed_results is. | 09:01 |
jrosser | this way we can completely decouple frontend from backend config | 09:01 |
jrosser | and then it also becomes easy to write different maps to use dashboard.example.com / compute.example.com | 09:01 |
jrosser | i was a bit concerned that the filters on those tasks were all quite complex | 09:02 |
noonedeadpunk | That is very interesting concept | 09:03 |
noonedeadpunk | Do you want to create empty maps everywhere or just for "default" service on 443/80? | 09:03 |
jrosser | by default there would be none | 09:05 |
noonedeadpunk | I think main question I had was - do we really need nested directories inside /etc/haproxy/map.conf.d/ ? | 09:05 |
noonedeadpunk | As that would really simplify assemble in handlers | 09:05 |
jrosser | i wanted to support multiple maps | 09:06 |
jrosser | as you need a different map per 'type', like one for regex match, one for host match etc etc | 09:06 |
jrosser | and maybe one for rate limit matching URL and so on | 09:06 |
noonedeadpunk | But it's still be named after service, so it's matter of taking care of supplying order when more than 1 map exists per service | 09:07 |
jrosser | ah well i think that maps are kind of global | 09:07 |
jrosser | lets say you wanted to have everything on port 443 | 09:08 |
jrosser | in the config for horizon you'd define part of the host map that said "dashboard.example.com horizon" | 09:08 |
noonedeadpunk | aha, ok, I think I started getting it | 09:08 |
jrosser | and in the config for nova it would be "compute.example.com nova-api" | 09:09 |
jrosser | and so on | 09:09 |
jrosser | then when we move to separated haproxy config these things all get added in incrementally as the playbooks run through | 09:09 |
jrosser | this solves the catch-22 we have today i think with damians patches | 09:09 |
jrosser | i put an example actually in defaults https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/876749/1/defaults/main.yml | 09:11 |
noonedeadpunk | Yeah, I don't think you can really simplify these | 09:11 |
noonedeadpunk | (these - filters) | 09:11 |
noonedeadpunk | It looks and sounds quite fair to me | 09:12 |
admin1 | "Add a /etc/hosts entry for the external IP of an AIO" -- finally :) | 10:25 |
jrosser | admin1: really interesting to know what thats been difficult for before.... | 10:44 |
admin1 | basically it was something very small ( 1 liner ) but it always prevented the haproxy to bind to the internal vip ( while the actual vip pointed to the external ip) | 10:45 |
admin1 | so it was not big enough to complain, but one of those small things :) | 10:45 |
jrosser | i'm not sure i really follow that | 10:58 |
jrosser | because today it binds to both internal and external vip as IPs | 10:58 |
admin1 | if my cloud.domain.com is pointed to A.B.C.D ( public) and A.B.C.D is 1:1/DST NAT to E.F.G.H ( internal VIP) , then this /etc/hosts entry is needed .. -- though I think we are now talking about diff scenarios | 11:18 |
admin1 | because in config, cloud.domain.com is the public endpoint, and then in /etc/hosts in all controllers ( or when a internal dns server is used and not 8.8.8.8 ) , point cloud.domain.com to E.F.G.H | 11:20 |
jrosser | all this patch does is add a /etc/hosts entry for the local IP on the AIO node, it doesnt know about any nat | 11:28 |
admin1 | understood .. I was talking about this in /etc/hosts haproxy_keepalived_external_vip_cidr (without the cidr) external_lb_vip_address ( if its not an IP but a FQDN ) | 11:39 |
Elnaz | Installing ELK, it goes to install some plugins: https://paste.ubuntu.ir/rrenh | 12:20 |
Elnaz | Would you please check these links: | 12:20 |
Elnaz | https://artifacts.elastic.co/downloads/elasticsearch-plugins/ingesachment-linux-x86_64-7.15.2.zip | 12:20 |
Elnaz | https://artifacts.elastic.co/downloads/elasticsearch-plugins/ingest-attachment/ingest-attachment-linux-x86_64-7.15.2.zip | 12:20 |
Elnaz | I need to know if it's an issue with my connection to elastic servers or those files are lost | 12:21 |
opendevreview | Merged openstack/openstack-ansible-haproxy_server stable/zed: Serialise initial issuing of LetsEncrypt certificates https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/876684 | 12:22 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Use certbot to generate SSL cert for the external VIP in 'stepca' scenario https://review.opendev.org/c/openstack/openstack-ansible/+/876639 | 12:23 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Use a map file to select haproxy horizon backend from the base frontend https://review.opendev.org/c/openstack/openstack-ansible/+/876851 | 12:23 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Collect hardware facts for elastic data nodes https://review.opendev.org/c/openstack/openstack-ansible-ops/+/876852 | 12:24 |
jrosser | Elnaz: ^ there is the patch for your facts gathering issue yesterday | 12:25 |
Elnaz | Thank you | 12:28 |
jrosser | Elnaz: this is interesting https://www.elastic.co/guide/en/elasticsearch/plugins/7.17/ingest-attachment.html | 12:32 |
jrosser | there is a link there which is working, https://artifacts.elastic.co/downloads/elasticsearch-plugins/ingest-attachment/ingest-attachment-7.17.9.zip | 12:33 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Update beat version for latest release of ELK7 https://review.opendev.org/c/openstack/openstack-ansible-ops/+/876855 | 12:37 |
jrosser | Elnaz: ^ can you try that please? | 12:38 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Update beat version for latest release of ELK7 https://review.opendev.org/c/openstack/openstack-ansible-ops/+/876855 | 12:40 |
jrosser | something zuul weird perhaps https://zuul.opendev.org/t/openstack/build/32f20b053b9b473aa23f2712ba37006e | 12:44 |
jrosser | noonedeadpunk: is it right we also try to bring in all the stuff for backend ssl here https://review.opendev.org/c/openstack/openstack-ansible/+/871189/23/inventory/group_vars/repo_all.yml | 12:54 |
jrosser | because that breaks right now | 12:54 |
jrosser | well - specifically that one breaks, but the patch doesn't just move the haproxy service definitions around, they all change at the same time too | 12:55 |
noonedeadpunk | So my thinking was that covering repo with SSL is optional but preferable as end result mostly for consistency. | 12:56 |
jrosser | oh agreed totally | 12:56 |
noonedeadpunk | So if it's making troubles - we can skip that and iterate over later | 12:56 |
jrosser | but can be a followup i think | 12:56 |
noonedeadpunk | I told Damian the same thing | 12:56 |
noonedeadpunk | Yes, totally, it can be done even for next release | 12:57 |
jrosser | i was going to rebase it on top of my map file stuff | 12:57 |
jrosser | buuuuutttt..... | 12:57 |
noonedeadpunk | But also we need to change the way how common-playbook is included to your finding - I still haven't done that | 12:57 |
jrosser | ah ok | 12:57 |
jrosser | so i did an example for how i think horizon should work https://review.opendev.org/c/openstack/openstack-ansible/+/876851 | 12:58 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Ensure python3-pexpect is installed on Ubuntu Bionic https://review.opendev.org/c/openstack/openstack-ansible-ops/+/876870 | 13:28 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Collect hardware facts for elastic data nodes https://review.opendev.org/c/openstack/openstack-ansible-ops/+/876852 | 13:55 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Update beat version for latest release of ELK7 https://review.opendev.org/c/openstack/openstack-ansible-ops/+/876855 | 13:56 |
opendevreview | Merged openstack/openstack-ansible-haproxy_server stable/yoga: Serialise initial issuing of LetsEncrypt certificates https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/876685 | 14:18 |
Losraio | Hi | 14:44 |
Losraio | It's me | 14:44 |
Losraio | again.. | 14:44 |
Losraio | I've got a problem with bridging. The moment I apply a bridge configuration I lose all internet connectivity | 14:46 |
Losraio | Here's my netplan configuration: | 14:46 |
mgariepy | please use paste.openstack.org | 14:53 |
mgariepy | or other paste service :D | 14:53 |
Losraio | https://paste.openstack.org/show/bgrshN9wOyFNf9FmrkAu/ | 14:53 |
Losraio | Yes, I know that I am not using VLANs, but I am just testing right now | 14:54 |
noonedeadpunk | Losraio: you can't have address on interfaces that are part of the bridge | 14:55 |
mgariepy | why you set an ip to the interface that is in the bridge ? only set it to the bridge | 14:55 |
noonedeadpunk | IP address must be on bridge and never on the bridge slave | 14:55 |
Losraio | Oh | 14:56 |
Losraio | Nobody has ever told me that :D | 14:57 |
Losraio | So should the address on the ens19 interface be like 0.0.0.0? | 14:58 |
noonedeadpunk | Well. That kind of first thing of l2 bridges... | 14:58 |
noonedeadpunk | There should be no address | 14:58 |
Losraio | right | 14:58 |
Losraio | Not even DNS servers and default route? | 14:58 |
noonedeadpunk | https://netplan.io/examples#configuring-network-bridges | 14:59 |
noonedeadpunk | Sure not | 14:59 |
noonedeadpunk | Like there should be nothing except defining master (where applicable), mac address and interface name | 14:59 |
noonedeadpunk | And ip addresses/dns/routes/gateway are applicable to bridges | 15:00 |
noonedeadpunk | It's true for any operating system I'm aware of | 15:01 |
Losraio | Alright | 15:03 |
Losraio | Let's try this then: | 15:03 |
Losraio | https://paste.openstack.org/show/b36Vgeo9C6wQM6jJnqPB/ | 15:05 |
Losraio | Ooops | 15:05 |
Losraio | Disregard that, wrong paste | 15:05 |
Losraio | https://paste.openstack.org/show/bslWH18aZwrEUjs6L97R/ | 15:06 |
Losraio | That's it, and it seems like it's working! | 15:06 |
Losraio | Thanks | 15:07 |
spatel | Do you guys use manual evacuation when compute machine die or auto ? | 15:13 |
spatel | what is the best way? | 15:13 |
spatel | Trying to understand or setup HA environment. what do you think about masakari and its scalability | 15:28 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Use a map file to select haproxy horizon backend from the base frontend https://review.opendev.org/c/openstack/openstack-ansible/+/876851 | 15:32 |
noonedeadpunk | spatel: I'm about to deploy masakari and used that previously in other deployments | 15:34 |
noonedeadpunk | Scalability sucks, but there're workarounds | 15:34 |
noonedeadpunk | Like splitting into different segments | 15:34 |
noonedeadpunk | I think with pacemaker-remote you can have 54 computes in a single segment or smth | 15:35 |
noonedeadpunk | 64 - sorry, power of 2 :) | 15:36 |
spatel | Hmmm! | 15:37 |
spatel | I was thinking to deploy on 100 compute but you scared me :) | 15:37 |
spatel | You are saying that deploy in small environment and that would work fine.. | 15:38 |
noonedeadpunk | Well yeah, most scalability issues come down to choice of pacemaker... | 15:40 |
noonedeadpunk | Which is not great by design for that amount of hosts in cluster | 15:41 |
noonedeadpunk | But yeah, small environments works perfectly | 15:41 |
spatel | Hmmm good tips | 15:42 |
opendevreview | Merged openstack/openstack-ansible-haproxy_server stable/zed: Fix tags usage for letsencrypt setup https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/876681 | 15:58 |
noonedeadpunk | jrosser: wdyt about trying out these https://opendev.org/openstack/devstack/src/branch/master/lib/databases/mysql#L179-L187 ? | 16:15 |
jrosser | i think i know what that is without even clicking it :) | 16:16 |
noonedeadpunk | for gate-only scenario | 16:16 |
noonedeadpunk | yeah, set of ini settings, that nova and neutron folks report like decreasing ram consumption in gates | 16:16 |
jrosser | yeah we should certainly try that | 16:16 |
jrosser | does config_template make that trivial for us? | 16:16 |
noonedeadpunk | Yup, pretty much | 16:17 |
jrosser | huh galera_my_cnf_overrides or something | 16:17 |
jrosser | would be nice to know before/after somehow | 16:17 |
noonedeadpunk | I think we have ram consumption graphs now :) | 16:18 |
jrosser | oh the dstat alternative? | 16:19 |
noonedeadpunk | yeah, but I again don't see it..... | 16:20 |
noonedeadpunk | Doh | 16:20 |
noonedeadpunk | Ok, it's again condition that is broken | 16:20 |
noonedeadpunk | `GATE_EXIT_RUN_DSTAT=false` | 16:21 |
noonedeadpunk | doh | 16:21 |
opendevreview | Merged openstack/openstack-ansible-haproxy_server stable/yoga: Fix tags usage for letsencrypt setup https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/876682 | 17:49 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-haproxy_server master: Add support for haproxy map files https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/876749 | 18:04 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_ironic master: Update ironic documentation https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/867547 | 18:12 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_ironic master: Update ironic documentation https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/867547 | 18:13 |