derekokeeffe85 | Morning all, I installed an AIO yesterday to test Barbican with Thales HSM. All has gone ok so far, instances with volumes and connectivity, Barbican seems to be installed, user, service, secret store all there when checked on cli. Do I now need to take the generated Chrystoki.conf and other files required per the docs and put them in the locations specified on the container? Any help would be appreciated | 07:38 |
jrosser | derekokeeffe85: did you see this? https://docs.openstack.org/openstack-ansible-os_barbican/latest/ | 07:54 |
jrosser | specifically https://docs.openstack.org/openstack-ansible-os_barbican/latest/configure-barbican.html#configuring-barbican-with-thales-luna-hsm-backend talks about those files | 07:54 |
derekokeeffe85 | jrosser, yep that's what I've been working from, have all I need just a little unsure if I did it right. I set up the lunaclient on the instance where I have my AIO. But do those files need to be on the barbican container or the instance? | 08:01 |
jrosser | `barbican_user_libraries`lets you put things like the shared libraries and config file in your /etc/openstack_deploy directory on the deploy host | 08:03 |
jrosser | then they will be copied to the given locations on the barbican containers/hosts during the deploy | 08:04 |
jrosser | barbican uses PKCS11 to communicate with the HSM so you need the vendor-supplied pkcs11 shared library and a suitable config file | 08:05 |
jrosser | you don't need the vendor specific client / tools | 08:05 |
jrosser | you'll need those perhaps elsewhere to properly configure the HSM, but that's not really to do with the OSA deployment | 08:06 |
derekokeeffe85 | Ah ok, that helps. Thanks as always jrosser | 08:12 |
jrosser | no problem - i think noonedeadpunk has used thales HSM so if you get stuck might be able to help out with specifics | 08:13 |
derekokeeffe85 | Perfect, thank you. I will probably give him a shout later so | 08:14 |
depasquale | ciao everybody. regarding the problem I am facing in installing openstack with VLAN as provider network I am now in the situation reported here https://bugs.launchpad.net/openstack-ansible/+bug/2002897 | 08:46 |
depasquale | I tried to investigate the message admin1 sent me yesterday (provider network will not work because I have a tagged vlan 40 on br-vlan) but I am now also experiencing exactly the point reported in the bug mentioned | 08:47 |
depasquale | it's strange that if I use ovn I cannot indicate a flat net | 08:47 |
jrosser | depasquale: have you got an OVN all-in-one built? | 08:50 |
jrosser | depasquale: i'm a bit confused, that bug is "No type driver for tenant network_type: vxlan." but you are having trouble with the `flat` type? | 08:52 |
depasquale | jrosser: I am still not able to deploy an AIO... I will work on it next week that I will be back in the office | 08:54 |
jrosser | the reason i ask, is that OVN is the default in the AIO and i think it sets up a flat network as well as a vlan one | 08:55 |
jrosser | so you should have a working example there of exactly what you are trying to do | 08:55 |
jrosser | AIO == reference design | 08:55 |
depasquale | uhm ok | 08:55 |
jrosser | having said that you can and should customise what you see there to be appropriate for a real deployment | 08:56 |
jrosser | and also, based on experience i would say that you should use a flat network only if you really have to | 08:56 |
depasquale | I will investigate. but this is happening because it seems that with zed, linuxbridge, which was my previously used standard way of configuring the network, is marked as obsolete | 08:56 |
depasquale | jrosser: I agree with you. I was trying to not use a flat net | 08:57 |
jrosser | the neutron team say it is now "experimental" type support | 08:57 |
depasquale | but I am not able to get internet from the vlan :) | 08:57 |
jrosser | oh i am so confused then with the bug you posted :) | 08:58 |
depasquale | the servers are working via br-vlan interfaces, but when I link this interface to VMs they will not get internet access | 08:58 |
jrosser | did you fix the double vlan tagging? | 08:58 |
depasquale | I mean I am able to ping internet at baremetal level (ping -I br-vlan www.google.com) but not from the VMs | 08:58 |
depasquale | jrosser: double vlan tagging? please can you give me some pointer to this? | 08:59 |
jrosser | ok so for a `vlan` type network, neutron will tag/encapsulate the traffic in a .1q vlan tag on the interface | 09:00 |
jrosser | so when you create your external network with neutron, you must say something like "segmentation_id: 1234" | 09:00 |
depasquale | okok I did this | 09:00 |
depasquale | this is my command for creating network | 09:01 |
jrosser | then on your network switch, you must make vlan id 1234 for the corresponding port be your external network | 09:01 |
depasquale | openstack network create --share --external --provider-physical-network provider --provider-network-type vlan --provider-segment 49 provider-vlan49 | 09:01 |
jrosser | if you can ping google.com on br-vlan then that says that you've not done the switch side config? | 09:01 |
depasquale | I confirm that tag 49 is a tag for all the switch ports | 09:02 |
jrosser | as it still appears to be a `flat` type network | 09:02 |
depasquale | uhm I have to better study this topic | 09:03 |
jrosser | ping -I br-vlan www.google.com | 09:03 |
jrosser | ^ do you think that should work? | 09:03 |
depasquale | let me check | 09:03 |
depasquale | from a controller node I am able to ping | 09:04 |
depasquale | jrosser: by the way I will investigate further... unfortunately I can only work for short time per day because I am in a business travel with frequent meetings | 09:05 |
jrosser | no problem | 09:05 |
depasquale | sorry for not being faster at providing feedback and answering back | 09:05 |
depasquale | see you later with some news (hopefully) | 09:06 |
jrosser | sure no worries | 09:06 |
admin1 | depasquale, can you post your new netplan with the br-vlan | 09:25 |
admin1 | is it still on vlan40 or is it removed now ? | 09:25 |
jrosser | also the thing is that i don't believe that br-vlan is even needed | 09:34 |
jrosser | the underlying interface/bond can be given to OVS | 09:34 |
admin1 | yes .. i just wanted to know if he is running on top of a tagged interface | 09:53 |
admin1 | he could be trying flat with that , but added type vlan | 09:53 |
admin1 | so if tagged is still there, his command he pasted to create network on 49 will not work at all | 09:54 |
derekokeeffe85 | jrosser, sorry I knew I had a question for you earlier. the libdpod.plugin plugin in the docs doesn't exist in my setup, there is however a libcloud.plugin. Is this just an updated version from the docs, do you know, or is the libdpod.plugin needed? noonedeadpunk might know if he's used it | 10:29 |
jrosser | derekokeeffe85: i have no idea sorry, i've never used a thales hsm myself | 10:45 |
jrosser | they do have a product which is a "cloud HSM" so you might have a library for that as well, no idea if it also covers the physical device | 10:46 |
depasquale | admin1, jrosser have you received my last messages? my web interface refreshed | 10:50 |
derekokeeffe85 | ok no worries jrosser | 10:57 |
admin1 | depasquale, is it working now (the network)? if not, I want to see your config and netplan one more time | 11:26 |
depasquale | admin1 I have just completed the re-execution of ansible to rework with this set of configs https://paste.opendev.org/show/bOOo6TBQFz38gYxlufux/ | 11:31 |
depasquale | neutron crashes | 11:31 |
depasquale | on haproxy I see the service is not online | 11:31 |
admin1 | we need your netplan file in the compute/network nodes | 11:31 |
depasquale | ok let me share compute | 11:32 |
depasquale | one second | 11:32 |
admin1 | this is like the ceiling is leaking .. but we need to get the foundations right first .. and then move way up to the ceiling :) | 11:32 |
admin1 | don't know how else to put it .. so its a crude example | 11:32 |
depasquale | https://paste.opendev.org/show/bDQrL67HPxgfb02JHcHB/ | 11:32 |
depasquale | here is one of the 3 computes | 11:32 |
admin1 | will not work :) | 11:32 |
admin1 | your config, the way br-vlan is done, will only work if you use a flat network | 11:32 |
depasquale | I have 3 controllers, 3 computes, and 3 ceph nodes | 11:32 |
admin1 | not br-vlan | 11:32 |
admin1 | you cannot use a tagged interface for br-vlan and then add tagged network on top of it .. it will not work at all | 11:33 |
depasquale | ok good to know | 11:34 |
depasquale | so, even if I use a vlan provider network I will not use a tagged vlan on switches | 11:34 |
depasquale | so I will assign the ip addresses directly to provider0 interface (in my config) | 11:35 |
depasquale | and leave br-vlan empty | 11:35 |
depasquale | let me rework netplan and ask you to confirm the config | 11:35 |
admin1 | in your netplan, you don't specify a provider network vlan ( like you are doing for provider0) .. | 11:35 |
admin1 | you can do this | 11:35 |
admin1 | you add provider0 under br-vlan .. nothing else .. | 11:35 |
admin1 | and then you can use the tag because openstack/neutron will add 49 there directly | 11:35 |
depasquale | I mean is this a valid configuration for you? https://paste.opendev.org/show/bYuURK4v1FbE6JXoX1kT/ | 11:36 |
admin1 | remove br.40 . and then under br-vlan interfaces, add provider0 and it will then work | 11:36 |
admin1 | remove br.40 as well | 11:36 |
admin1 | there is no need to that .. | 11:36 |
admin1 | openstack will send tagged packets, so it will add 40, 49 etc when you create the network | 11:37 |
admin1 | you don't specify that in the netplan | 11:37 |
depasquale | ok ok I understand now | 11:37 |
admin1 | so tomorrow, in future, etc., when you want to add a new provider, you just add a new ext-network on a diff vlan | 11:37 |
admin1 | and not have to touch netplan again | 11:37 |
admin1 | also , the IPs | 11:38 |
admin1 | instead of provider0 , move it to br-vlan | 11:38 |
admin1 | this config looks more like how i setup openstack for hetzner servers | 11:38 |
admin1 | where you get only 1 interface on eth0 and you need to run the whole osa with everything on top of it | 11:39 |
depasquale | do you suggest something like this one https://paste.opendev.org/show/bn2D5wE8zXcXFCSONkdQ/ | 11:39 |
admin1 | yes | 11:39 |
depasquale | thank you so much. very appreciated | 11:40 |
admin1 | now the provider0, wherever it is connected to, needs to allow tagged packets on the vlan you will add later on | 11:40 |
depasquale | ok | 11:40 |
admin1 | so if you in your earlier config added a vlan on id 49, the port where this provider0 is connected should allow tagged vlan 49 | 11:40 |
depasquale | yes yes the switches are configured to accept 40-49 tagged vlan | 11:41 |
depasquale | ok last question before starting to execute ansible | 11:41 |
depasquale | https://paste.opendev.org/show/bOOo6TBQFz38gYxlufux/ | 11:41 |
depasquale | in this config part, I will remove the br-vlan with type "flat" | 11:41 |
depasquale | right? | 11:41 |
depasquale | because with ovn I have the error that the driver for flat does not exist | 11:42 |
depasquale | sorry for bothering you :) | 11:42 |
admin1 | you have one provider network .. provider0 .. it can either be flat or vlan | 12:08 |
admin1 | if ovh allows tagged vlans, then # out the flat part in the config | 12:09 |
admin1 | but if ovh says you cannot use tagged, then you have to forget vlans and add flat | 12:09 |
ncuxo | do the playbooks check if selinux is in enforcing mode? | 12:37 |
ncuxo | my goal is to install on centos 9 stream, I have 3 servers and want them to have everything on them, and in the future I'll scale them out with the resources I need. But the initial 3 servers need to have all the services. | 12:47 |
jrosser | ncuxo: there is info about selinux here https://docs.openstack.org/project-deploy-guide/openstack-ansible/latest/targethosts-prepare.html#configure-centos-rocky | 13:05 |
jrosser | as far as i know the playbooks do not do any checking | 13:05 |
jrosser | ncuxo: i would also think very very carefully before you base anything that you care about on centos stream | 13:06 |
ncuxo | jrosser: what you mean? not sure I follow | 13:09 |
jrosser | in the past (before centos stream), centos was a rebuild of RHEL and had the same level of stability | 13:10 |
jrosser | now that is not the case, centos is what will/might go into RHEL next, and as a result is not particularly stable and might get arbitrarily broken | 13:11 |
jrosser | we have seen this several times with the CI jobs we run for OSA where prospective changes land in centos and cause all sorts of breakage | 13:11 |
ncuxo | https://docs.openstack.org/project-deploy-guide/openstack-ansible/latest/targethosts.html#configure-centos-rocky here they are talking about disabling selinux | 13:12 |
jrosser | yes | 13:12 |
jrosser | openstack-ansible does not have support for running with selinux enabled | 13:13 |
ncuxo | if the playbooks are not checking for selinux then I can add the policies on another playbook to add them | 13:15 |
jrosser | ncuxo: the reason there is no official selinux support is that we do not have a contributor who has worked on that | 13:22 |
jrosser | if you are going to make that all work and are able to contribute support for selinux, that would be great | 13:22 |
ncuxo | Most people hate SELinux and I've assumed the reason why it is not supported is because most people don't care about it | 13:24 |
mgariepy | i don't think ppl hate it so much, but most first steps in install guide is to disable it, i guess that's not helping for adoption. | 13:27 |
ncuxo | exactly as soon as I see a guide like that I close the tab and search for another one | 13:29 |
jrosser | ncuxo: in general we have fewer contributors using RH derived OS compared to debian derived | 13:29 |
ncuxo | never used debian so if I do it will be a first :D | 13:30 |
jrosser | but at the same time the features that get added are those which we get contributions for | 13:30 |
jrosser | so if you want to see selinux support in openstack-ansible and have the skills to make it work, that is interesting | 13:30 |
jrosser | there is no big vendor propping up openstack-ansible development, it's a tool mostly developed by operators, for operators | 13:31 |
ncuxo | jrosser: but as you've said stream is breaking openstack installations, so now I'm wondering should I just do debian like everybody and figure it out | 13:31 |
jrosser | you should look at Rocky Linux | 13:31 |
ncuxo | rackspace no longer contributing | 13:31 |
jrosser | we got some great input from NeilHanlon making that all work nicely | 13:31 |
ncuxo | from my understanding they have started the thing? | 13:31 |
jrosser | that is correct, openstack-ansible originated from rackspace and a few of the original folk still lurk here | 13:32 |
ncuxo | lol just 37 roles :D it will take a while to get where what is done ... | 13:41 |
jamesdenton | o/ | 14:02 |
jrosser | o/ hello | 14:02 |
jamesdenton | IRC lives on this other machine that I don't get to every day :| | 14:02 |
jrosser | doh | 14:02 |
jrosser | i tried to buy a connectx-7 | 14:03 |
jrosser | that is a very hilarious experience and i failed completely | 14:03 |
jamesdenton | but your debit card said no? | 14:03 |
jamesdenton | Hey, I managed to buy a BlueField-2 once | 14:03 |
jrosser | oh well done | 14:03 |
jrosser | seems they are so busy building big ML systems that everyone else comes second | 14:04 |
jamesdenton | "supply chain issues" | 14:04 |
jamesdenton | i'm busy with Tempest. Wish me luck | 14:05 |
jrosser | oh indeed good luck :) | 14:05 |
mgariepy | https://snapcraft.io/docs/keeping-snaps-up-to-date#heading--control | 14:18 |
mgariepy | jrosser, you can now hold upgrade indefinitely | 14:18 |
mgariepy | which is nice :D | 14:20 |
jrosser | interesting | 14:21 |
jrosser | still doesn't quite appear to let you specify a version to move to / from | 14:22 |
mgariepy | microsteps ;) | 14:22 |
jrosser | there are native .deb for LXD in debian now i think | 14:23 |
mgariepy | i like being able to install different versions on prod server vs my laptop | 14:24 |
mgariepy | for me the snap doesn't break too often. | 14:25 |
mgariepy | most of the time it's on my laptop and it's usually caused by some other factor :D hahaha | 14:25 |
ncuxo | after cloning https://opendev.org/openstack/openstack-ansible is there a script that should get the requirements or do I have to use ansible-galaxy and point to the 3 requirement files in the base dir? | 14:58 |
jrosser | ncuxo: see this https://docs.openstack.org/openstack-ansible/latest/user/aio/quickstart.html | 15:02 |
jrosser | scripts/bootstrap-ansible.sh prepares the ansible runtime, roles and collections to the correct versions | 15:03 |
jrosser | scripts/bootstrap-aio.sh prepares a "reference configuration" for an "all-in-one" build that is the same as the one we use for our CI tests | 15:04 |
BobZAnnapolis | minor nit question/issue - i might have missed the answer somewhere else but figured you folks would know, are there any plans to change various git ostack component/project repo stable/2023.1 branches to stable/antelope ? | 16:26 |
noonedeadpunk | BobZAnnapolis: um, no, branches are intended to be stable/2023.1 from now on for all openstack projects | 16:43 |
noonedeadpunk | Just in case - we're having hybrid ptg now: https://etherpad.opendev.org/p/vancouver-june2023-os-ansible | 16:45 |
noonedeadpunk | jrosser: ^ | 16:45 |
lowercas_ | noonedeadpunk: where?! | 16:50 |
lowercas_ | im here | 16:50 |
*** | lowercas_ is now known as lowercase | 16:51 |
lowercase | I'll be there | 16:53 |
NeilHanlon | BobZAnnapolis: check out https://governance.openstack.org/tc/reference/release-naming.html | 17:36 |
damiandabrowski | https://docs.openstack.org/openstack-ansible/latest/reference/inventory/understanding-inventory.html#understanding-host-groups-conf-d-structure | 18:20 |
mgariepy | fun how neutron-ovn-metadata-agent fills the root disk when something goes wrong. | 19:51 |
mgariepy | https://paste.openstack.org/show/bt8CoCPvgNKEWBLuceGV/ | 19:53 |
mgariepy | many many many times every few sec.. | 19:53 |