Tuesday, 2023-07-11

[08:28] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server stable/2023.1: Fix `regen pem` with `extra_lb_tls_vip_addresses` https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/888084
[09:29] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/rocky: Transition Rocky to EOL https://review.opendev.org/c/openstack/openstack-ansible/+/888122
[09:51] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/rocky: Transition Rocky to EOL https://review.opendev.org/c/openstack/openstack-ansible/+/888122
[10:17] <noonedeadpunk> would be great if we could fast land ^
[10:47] <jrosser> done
[10:53] <opendevreview> Merged openstack/openstack-ansible stable/rocky: Transition Rocky to EOL https://review.opendev.org/c/openstack/openstack-ansible/+/888122
[12:01] <opendevreview> Merged openstack/openstack-ansible-plugins master: Skip updating service password by default https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/886458
[12:07] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins stable/2023.1: Skip updating service password by default https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/888152
[12:07] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins stable/zed: Skip updating service password by default https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/888153
[12:08] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins stable/yoga: Skip updating service password by default https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/888154
[12:38] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Fix linters issue and metadata https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/888132
[12:40] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Fix linters issue and metadata https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/888132
[12:48] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Fix linters issue and metadata https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/888132
[12:49] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Fix linters issue and metadata https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/888132
[12:51] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Bump ansible-core to 2.15.1 and collections https://review.opendev.org/c/openstack/openstack-ansible/+/886527
[13:40] <NeilHanlon> o/ gday folks. I'll be missing this week's meeting--have movers in the apartment right now to move my furniture to my new place.
[13:40] <NeilHanlon> will read minutes later ☺
[13:40] <mgariepy> good luck with the moving part :)
[13:41] <NeilHanlon> thanks :) we've been cleaning and painting and moving for a week and still somehow have so much crap left.
[13:42] <mgariepy> lol. yep
[13:42] <mgariepy> moving to a house ?
[13:42] <NeilHanlon> yep! so I have so much more room to buy more crap!!
[13:42] <mgariepy> and accumulate them !
[13:43] <NeilHanlon> and hopefully never move
[13:43] <mgariepy> hahah you'll let your kid do the cleaning in 60 years ;p
[13:44] <NeilHanlon> I just did the math on that and I don't like it
[13:45] <mgariepy> haha i really have no idea how old you are.. my guess was probably a bit low..
[13:55] <NeilHanlon> I'm only (?) 28
[13:55] <NeilHanlon> I feel old though, if that counts for anything
[13:56] <NeilHanlon> as the kids today would say, I was born in the late 1900s
[14:03] <mgariepy> lol.
[14:11] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Bump ansible-core to 2.15.1 and collections https://review.opendev.org/c/openstack/openstack-ansible/+/886527
[14:33] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Bump ansible-core to 2.15.1 and collections https://review.opendev.org/c/openstack/openstack-ansible/+/886527
[14:46] <opendevreview> Danila Balagansky proposed openstack/openstack-ansible-os_ceilometer master: Enable Ceilometer resource cache https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/888032
[14:58] <mgariepy> hey jrosser
[14:58] <mgariepy> did you have an idea how to template the multiple certs stuff for haproxy ?
[14:58] <jrosser> o/ hello
[14:59] <jrosser> like per frontend?
[14:59] <mgariepy> my use case is : 2 external vip for 2 different domains
[15:00] <mgariepy> one with api.example.com and the other with object.example.com
[15:00] <jrosser> yes i've never done that with just one haproxy
[15:00] <jrosser> we have something very similar but on separate hosts
[15:01] <noonedeadpunk> I think you can place all certs in one file and haproxy then finds out which one is correct?
[15:01] <jrosser> ah right if you bind to the fqdn it can parse them?
[15:01] <mgariepy> not sure the cert req will be on different domain name.
[15:01] <noonedeadpunk> as it treats this certs file as a keystore
[15:02] <noonedeadpunk> yeah, I think binding to fqdn has smth to do with that, but 100% sure
[15:02] <noonedeadpunk> it shouldn't really care which domain name it's on
[15:02] <jrosser> mgariepy: is this a LE question, or a "how to pass two certs to haproxy role" question?
[15:02] <noonedeadpunk> just try placing everything together :)
[15:02] <noonedeadpunk> oh, no idea about LE
[15:03] <noonedeadpunk> #startmeeting openstack_ansible_meeting
[15:03] <opendevmeet> Meeting started Tue Jul 11 15:03:03 2023 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
[15:03] <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[15:03] <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
[15:03] <noonedeadpunk> #topic rollcall
[15:03] <noonedeadpunk> o/
[15:03] <damiandabrowski> mgariepy: FYI, not sure if it's exactly the same thing you want to achieve, but docs say it's not supported
[15:03] <damiandabrowski> https://docs.openstack.org/openstack-ansible/latest/user/security/index.html#:~:text=When%20enabled%20haproxy%20will%20use%20the%20same%20TLS%20certificate%20on%20all%20interfaces%20(internal%20and%20external).%20It%20is%20not%20currently%20possible%20in%20OpenStack%2DAnsible%20to%20use%20different%20self%2Dsigned%20or%20user%2Dprovided%20TLS%20certificates%20on%20different%20haproxy%20interfaces.
[15:03] <damiandabrowski> hi!
[15:04] <mgariepy> hey
[15:04] <noonedeadpunk> I actually have exactly same usecase as you mgariepy, or well, "I", I know folks who need the same :)
[15:05] <noonedeadpunk> #topic office hours
[15:05] <mgariepy> we can talk after the meeting then ;)
[15:05] <noonedeadpunk> So I worked a bit on quorum-queues, and things look quite green
[15:05] <noonedeadpunk> But I don't really like workarounds that had to take place for that
[15:06] <noonedeadpunk> especially, for Nova
[15:06] <noonedeadpunk> as it appears we're messing up with template for cells, by adding extra `/`, as these got parsed out from config
[15:07] <noonedeadpunk> likely nova bug, but not sure if it was even reported
[15:07] <noonedeadpunk> talking about this https://opendev.org/openstack/openstack-ansible-os_nova/src/branch/master/tasks/nova_db_setup.yml#L53
[15:08] <noonedeadpunk> so had to add nasty logic with nova_migrate_cell_quorum_vhost: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/887849/4/tasks/nova_db_setup.yml
[15:08] <noonedeadpunk> but feel free to review that: https://review.opendev.org/q/topic:osa%252Fquorum_queues
[15:09] <noonedeadpunk> I will be able to push patches to rest of the roles during the week if this looks like fair approach
[15:10] <noonedeadpunk> Next thing I'm working on - update of linters, and that's /o\
[15:10] <noonedeadpunk> Was able to get 2/5 stars :D
[15:10] <jrosser> so many errors :(
[15:10] <damiandabrowski> noonedeadpunk: this workaround isn't that bad IMO, maybe we can live with this :D
[15:12] <noonedeadpunk> I also wonder how getting rid of leading / in vhost names will affect monitoring toolset in deployments
[15:12] <noonedeadpunk> As I can easily assume things being hardcoded and being relied on this `/`
[15:13] <noonedeadpunk> yeah, there're plenty errors in linter, and really a lot of them are valid, to be fair
[15:14] <noonedeadpunk> I will invest some time in going through roles and patching them with new linter requirements, it's super time-consuming though...
[15:14] <noonedeadpunk> Also I've spotted, that we're quite inconsistent in playbooks regarding haproxy-endpoints-manage, unbound-clients and prepare-lxc-containers (or smth)
[15:14] <jrosser> do you run the linters tox job to work on this locally?
[15:15] <noonedeadpunk> Nah, I just run ansible-lint against role folder, excluding tests
[15:15] <jrosser> ahha ok
[15:15] <noonedeadpunk> but I have collections installed locally as well - that kinda requirement
[15:16] <noonedeadpunk> And sourcing some things from openstack-ansible.rc
[15:16] <noonedeadpunk> so do smth like `ansible-lint ../haproxy_server/ --exclude ../haproxy_server/tests/`
[15:16] <mgariepy> sounds simple enough..
[15:17] <noonedeadpunk> It's not hard, it's time-consuming due to number of roles and issues
[15:17] <jrosser> maybe we can crowd-source this a bit
[15:17] <noonedeadpunk> that would be nice
[15:17] <mgariepy> can we split via a etherpad or something ?
[15:18] <noonedeadpunk> will create one
[15:18] <spotz[m]> o/
[15:21] <noonedeadpunk> #link https://etherpad.opendev.org/p/osa-6.17-linters
[15:22] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [DNM] Bump ansible-core to 2.15.1 and collections https://review.opendev.org/c/openstack/openstack-ansible/+/886527
[15:22] <noonedeadpunk> another good catch by damiandabrowski, is that not working triggering handlers from handlers is a bug, not a feature :)
[15:23] <noonedeadpunk> so with 2.15.2 this should be fixed
[15:23] <noonedeadpunk> as we use that more than just in galera role
[15:25] <noonedeadpunk> Ah.... Also I've used my patch for 6.17.2 of ansible-lint, to overcome issue in integrated repo, where gather_facts can't be a variable. It's already merged to linters
[15:26] <noonedeadpunk> https://github.com/ansible/ansible-lint/pull/3606
[15:30] <noonedeadpunk> I don't have any progress on PKI pipe thingy yet :(
[15:30] <damiandabrowski> I have a question, where can we save etherpad describing TLS performance impact for a future reference? Just to not forget why we decided not to enable it by default :D
[15:30] <damiandabrowski> https://etherpad.opendev.org/p/openstack-ansible-tls-performance-impact
[15:31] <noonedeadpunk> our wiki?)
[15:31] <damiandabrowski> i still can't login to wiki and INFRA team is not really willing to help :D can you do that please?
[15:31] <damiandabrowski> (but they confirmed that they saw this issue before and never fixed it)
[15:32] <noonedeadpunk> added to https://wiki.openstack.org/wiki/OpenStack-Ansible#Etherpads
[15:32] <damiandabrowski> thanks!
[15:41] <noonedeadpunk> anything else we wanna to talk about?
[15:42] <mgariepy> can you add the steps to run the linter in the etherpad ?
[15:43] <mgariepy> just to streamline the some sourcing and stuff a bit :D
[15:45] <mgariepy> thanks a lot.
[15:46] <noonedeadpunk> Will do that
[15:47] <mgariepy> it's all for me. :)
[15:48] <noonedeadpunk> ok, will end up then slightly early
[15:48] <noonedeadpunk> #endmeeting
[15:48] <opendevmeet> Meeting ended Tue Jul 11 15:48:37 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
[15:48] <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-07-11-15.03.html
[15:48] <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-07-11-15.03.txt
[15:48] <opendevmeet> Log:            https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-07-11-15.03.log.html
[15:49] <mgariepy> haproxy seems to be able to load certs from a directory !
[15:59] <mgariepy> i'll do some tests and submit a patch for haproxy LE stuff.
[15:59] <mgariepy> afterlunch :D
[16:01] <noonedeadpunk> (I still can recall it was able to load just from single file as well)
[16:03] <mgariepy> yeah it was like that before they added support for the .d directory :D
[16:03] <mgariepy> https://discourse.haproxy.org/t/use-set-ssl-cert-with-cert-directory/5193/2
[16:03] <mgariepy> something like that would be nice tho
[16:04] <mgariepy> instead of reloading haproxy you probably can only do the 2 commands to update the cert. set ssl and commit.
[16:04] <mgariepy> then update the file for the restart/ reboot
[16:08] <mgariepy> we do have multiple pems files right now so i guess having a 3rd one won't be too bad anyway
[16:54] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: Fix linters issue and metadata https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/888143
[17:31] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-memcached_server master: Fix linters issue and metadata https://review.opendev.org/c/openstack/openstack-ansible-memcached_server/+/888146
[18:19] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-memcached_server master: [doc] Document how to use "local" memcached https://review.opendev.org/c/openstack/openstack-ansible-memcached_server/+/888148
[18:23] <opendevreview> Damian Dąbrowski proposed openstack/openstack-ansible-os_keystone stable/2023.1: Fix SSL logic in keystone-httpd.conf.j2 https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/888158
[18:24] <opendevreview> Damian Dąbrowski proposed openstack/openstack-ansible stable/2023.1: Remove support for 'tls-transition' scenario https://review.opendev.org/c/openstack/openstack-ansible/+/887866
[19:05] <opendevreview> Damian Dąbrowski proposed openstack/openstack-ansible master: Gather facts before including common-playbooks https://review.opendev.org/c/openstack/openstack-ansible/+/888149
[19:20] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-apt_package_pinning master: Fix linters issue and metadata https://review.opendev.org/c/openstack/openstack-ansible-apt_package_pinning/+/888172
[19:22] <opendevreview> Amy Marrich proposed openstack/openstack-ansible-memcached_server master: [doc] Document how to use "local" memcached https://review.opendev.org/c/openstack/openstack-ansible-memcached_server/+/888148
[19:31] <noonedeadpunk> thanks Amy!
[19:36] <opendevreview> Damian Dąbrowski proposed openstack/openstack-ansible-os_nova master: Deprecate nova_ram_weight_multiplier https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/888177
[19:43] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-lxc_container_create master: Fix linters issue and metadata https://review.opendev.org/c/openstack/openstack-ansible-lxc_container_create/+/888179
[19:46] <opendevreview> Amy Marrich proposed openstack/openstack-ansible-memcached_server master: [doc] Document how to use "local" memcached https://review.opendev.org/c/openstack/openstack-ansible-memcached_server/+/888148
[19:56] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-lxc_hosts master: Fix linters issue and metadata https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/888180
[20:07] <opendevreview> Amy Marrich proposed openstack/openstack-ansible-memcached_server master: [doc] Document how to use "local" memcached https://review.opendev.org/c/openstack/openstack-ansible-memcached_server/+/888148
[20:07] <spotz[m]> stupid lines too long:)
[20:08] <mgariepy> it needs to fit in a 80char terminal :P
[20:28] <spotz[m]> Yeah but it used to be if you were on the left side of the line in the editor you were good:)
