Thursday, 2023-08-31

[02:18] jamesdenton: FWIW: Cisco ASAv flavor type defines throughput capabilities. The ASAv5 is 100Mbps, ASAv10 is 1Gbps, ASAv30 is 2Gbps for multi-protocol; those numbers drop w/ ipsec. Multiple iPerf streams might be used to fill the pipe, if necessary
[02:18] jamesdenton: so even though a VM might be 10G capable, the ASA flavor will really bottleneck you
[02:43] NeilHanlon: cisco: only when i have to
[02:46] jamesdenton: :D
[02:46] jamesdenton: i live in it every day, for better or worse
[06:17] noonedeadpunk: mornings
[06:17] noonedeadpunk: damiandabrowski: can you review https://review.opendev.org/c/openstack/ansible-role-pki/+/893247
[06:30] noonedeadpunk: would be also great to land these https://review.opendev.org/q/parentproject:openstack/openstack-ansible+branch:%255Estable/zed+status:open+label:Verified
[06:31] noonedeadpunk: I've also issued couple of rechecks due to diskfull for 2023.1
[06:31] noonedeadpunk: wanna do Zed bump to hopefully solve these diskfulls
[07:27] jrosser: morning
[07:42] damiandabrowski: hi
[07:42] damiandabrowski: noonedeadpunk: i see it's not needed anymore :D
[07:50] jrosser: is there a dependency order with this https://review.opendev.org/c/openstack/openstack-ansible/+/873618
[07:51] jrosser: like do we have to land things in the roles before that one?
[07:53] noonedeadpunk: no, not really. to land things in roles we need to be able to disable applying HA policy
[07:54] noonedeadpunk: that's basically why I've also pushed https://review.opendev.org/c/openstack/openstack-ansible/+/887850/ to check that things are working with quorum queues
[07:54] noonedeadpunk: as 873618 is basically first thing to land in series
[07:56] jrosser: and 873618 removes the HA policy completely?
[07:56] jrosser: oh wait
[07:58] jrosser: ok yes i see now
[07:58] * jrosser too early
[08:05] opendevreview: Merged openstack/openstack-ansible-apt_package_pinning master: Fix linters issue and metadata https://review.opendev.org/c/openstack/openstack-ansible-apt_package_pinning/+/888172
[08:06] jrosser: is this wrong? https://opendev.org/openstack/openstack-ansible/src/branch/master/etc/openstack_deploy/openstack_user_config.yml.aio.j2#L114
[08:06] jrosser: br-lbaas perhaps?
[08:08] jrosser: how does the octavia role CI even work right now
[08:08] jrosser: oh /o\ because it's always a metal job
[08:15] jrosser: `lxc-start aio1_octavia_server_container-f58e8ea4 20230831075959.932 ERROR    network - network.c:netdev_configure_server_veth:711 - No such file or directory - Failed to attach "f58e8ea4_eth14" to bridge "br-octavia", bridge interface doesn't exist`
[08:19] opendevreview: Jonathan Rosser proposed openstack/openstack-ansible master: Fix container bridge name for octavia https://review.opendev.org/c/openstack/openstack-ansible/+/893315
[08:20] opendevreview: Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240
[08:36] opendevreview: Merged openstack/ansible-role-pki stable/2023.1: Add defaults for owner/group/mode on pki_install_host https://review.opendev.org/c/openstack/ansible-role-pki/+/893247
[09:01] opendevreview: Merged openstack/openstack-ansible-os_senlin stable/zed: Ensure service is restarted on unit file changes https://review.opendev.org/c/openstack/openstack-ansible-os_senlin/+/881988
[09:29] derekokeeffe85: mgariepy just scrolled back and saw it wasn't you :( haha. Just finished a support call with Thales and she doesn't know what the issue is either so I guess it's back to googling
[09:33] opendevreview: Merged openstack/openstack-ansible-os_horizon stable/zed: Fix wrong neutron_ml2_drivers_type https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/892354
[09:37] opendevreview: Merged openstack/openstack-ansible-haproxy_server master: Add HTTP/2 support for frontends/backends https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/891572
[09:41] opendevreview: Merged openstack/openstack-ansible-os_cinder stable/zed: Use v3 service type in keystone_authtoken config https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/887058
[09:53] opendevreview: Merged openstack/openstack-ansible-haproxy_server master: Fix linters issue and metadata https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/888143
[10:03] opendevreview: Merged openstack/openstack-ansible-haproxy_server master: Do not use notify inside handlers https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/888762
[10:46] opendevreview: Merged openstack/openstack-ansible-galera_server stable/zed: Add optional compression to mariabackup https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/887143
[11:30] noonedeadpunk: would be also awesome to land https://review.opendev.org/q/topic:cherrypick-osa/db_port-24yhx0eaik+status:open+label:Verified
[11:44] opendevreview: Jonathan Rosser proposed openstack/openstack-ansible-os_tempest master: Ensure test exclusion file is removed when there are no exclusions https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/891586
[12:00] opendevreview: Jonathan Rosser proposed openstack/openstack-ansible-os_magnum master: Add tag for creating magnum resources https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/893362
[13:36] opendevreview: Merged openstack/openstack-ansible-os_murano stable/2023.1: Use proper galera port in configuration https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/892360
[13:36] opendevreview: Merged openstack/openstack-ansible-os_blazar stable/2023.1: Use proper galera port in configuration https://review.opendev.org/c/openstack/openstack-ansible-os_blazar/+/892465
[13:39] opendevreview: Merged openstack/openstack-ansible-os_barbican stable/2023.1: Use proper galera port in configuration https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/892469
[13:42] noonedeadpunk: this is yet another rather important thing for 2023.1: https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/889811
[13:43] noonedeadpunk: and this one of latest for _member_ cleaning-out https://review.opendev.org/c/openstack/openstack-ansible-os_sahara/+/892095
[14:06] opendevreview: Merged openstack/openstack-ansible-os_glance stable/2023.1: Use proper galera port in configuration https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/892463
[14:20] derekokeeffe: HMAC successfully generated! MKEK successfully generated! wooHoo :)
[14:20] jrosser: what is the secret (no pun intended!)
[14:28] noonedeadpunk: ++
[14:34] derekokeeffe: Haha, probably me being silly but I needed to put the safenet directory on the container (you probably though that's where I had it all along) :(
[14:36] derekokeeffe: *thought
[14:46] opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_adjutant stable/zed: Revert "Install mysqlclient devel package" https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/892505
[14:55] noonedeadpunk: derekokeeffe: yeah, eventually that's what would playbooks do I believe...
[14:57] opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_adjutant stable/2023.1: Use version mysqlclient<2.2.0 https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/891279
[14:58] derekokeeffe: Ah well got that part over the line, now on to the next challenge :)
[14:59] *** dviroel_ is now known as dviroel
[15:01] opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Install compatibility package for mariadb-dev https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/893404
[15:01] opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_adjutant master: Install pkg-config package https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/888985
[15:03] noonedeadpunk: derekokeeffe: but was you defining barbican_user_libraries ?
[15:04] noonedeadpunk: Just wondering if it's enough or not to make things working for you
[15:04] derekokeeffe: Yep I had them in user variables but didn't seem to work. It was also looking for the certs from the HSM setup
[15:05] noonedeadpunk: variable is around since victoria.... so I assume you should have it...
[15:06] noonedeadpunk: But what has changed then?
[15:06] noonedeadpunk: Like we have _only_ libCryptoki2.so libdpod.plugin and Chrystoki.conf files on barbican containers and this seems enough
[15:07] noonedeadpunk: So I'm really wondering what's different in your case and what specifically you did to make things working
[15:07] noonedeadpunk: as it might be worth to update the doc, as we might be using some old HSM revision or smth....
[15:08] derekokeeffe: I'm not sure what the issue was but I noticed that it was looking for the certs I had created when setting up the client on the controller so I copied those to the container and then it moved past the original error to something I can't remember so I dropped the entire /usr/safenet dir in the correct location and it generated the keys first try
[15:08] noonedeadpunk: huh
[15:08] derekokeeffe: in the correct location on the container that is
[15:08] noonedeadpunk: interesting
[15:13] opendevreview: Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240
[15:13] opendevreview: Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240
[15:39] opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Set correct language for docs https://review.opendev.org/c/openstack/openstack-ansible/+/893407
[15:40] opendevreview: Merged openstack/openstack-ansible-os_tacker stable/2023.1: Use proper galera port in configuration https://review.opendev.org/c/openstack/openstack-ansible-os_tacker/+/892359
[15:46] opendevreview: Merged openstack/openstack-ansible-os_sahara stable/2023.1: Stop reffering _member_ role https://review.opendev.org/c/openstack/openstack-ansible-os_sahara/+/892095
[15:57] opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Fix container bridge name for octavia https://review.opendev.org/c/openstack/openstack-ansible/+/893315
[15:58] opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Fix ansible_ssh_extra_args extra newline https://review.opendev.org/c/openstack/openstack-ansible/+/893191
[16:06] opendevreview: Merged openstack/openstack-ansible-os_neutron stable/2023.1: Configure OVN NB and SB DB Connection probes https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/889811
[16:18] opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2023.1: Bump SHAs for 2023.1 https://review.opendev.org/c/openstack/openstack-ansible/+/893413
[16:18] noonedeadpunk: damiandabrowski: jrosser mgariepy ^ this is bump for 27.1.0
[16:25] drarvese: Greetings! Does OSA support doing an IPv6-only install of all the components? All of the docs use IPv4 examples, so I get the feeling I'm going to run into issues down the road.
[16:28] noonedeadpunk: drarvese: yeah, you most likely will. nobody ever worked or tested that, I would say
[16:29] noonedeadpunk: Though, if talk about "external" networks (which are internal/external vips) - it should be pretty much trivial.
[16:29] jrosser: yeah this depends what you mean
[16:29] noonedeadpunk: But if talking about networks for LXC containers and dynamic inventory - there might be some troubles
[16:30] jrosser: "as far as the tenants/projects are concerned it's an ipv6 only environment"
[16:30] jrosser: ^ not the same as environment is built only on ipv6 under the hood
[16:30] drarvese: This is for the containers and all the services on the management bridge
[16:31] noonedeadpunk: I'm not actually sure I get the point of private ipv6 networks, but yeah.
[16:31] noonedeadpunk: This is smth we never tried
[16:31] noonedeadpunk: or better - nobody was interested to invest time into that
[16:32] noonedeadpunk: but we'd be interested to get this supported
[16:32] jrosser: drarvese: this actually is it - we would need a contributor who has that use case to do the work
[16:33] jrosser: almost universally, contributions and therefore functionality in openstack-ansible comes from operators who contribute to the code
[16:35] jrosser: it is an interesting problem though
[16:35] drarvese: Yep, that makes sense
[16:35] jrosser: i had already thought we could re-use the SLAAC algorithm to autogenerate ipv6 container interface addresses from the container macs
[16:35] noonedeadpunk: I think most troublesome would be dynamic inventory
[16:36] jrosser: and that would avoid having to deal with /64s in the inventory code
[16:37] noonedeadpunk: but then I kinda wonder how that would stack with things like octavia
[16:37] noonedeadpunk: as I'm not sure that amphoras will be happy about ipv6 network
[16:37] noonedeadpunk: same might go for magnum/trove
[16:38] jrosser: drarvese: is this just preference for ipv6, or is it a real hard requirement?
[16:38] drarvese: It's a hard requirement (gov mandate)
[16:38] jrosser: as noonedeadpunk says it's perhaps a problem more widely scoped than just "can the deploy tool do it"
[16:39] noonedeadpunk: drarvese: and for public networks (for VMs) there will be dual stack or ipv6-only as well?
[16:39] drarvese: They'd be dual-stacked
[16:39] jrosser: bah :)
[16:40] noonedeadpunk: I just can recall some issues with that when we were implementing ipv6... there was non trivial to spawn ipv6-only things for sure... but I can't recall what exactly - was quite a while ago
[16:40] jrosser: cloud-init does not like it much
[16:40] noonedeadpunk: drarvese: if you go metal only (without LXC) - this can almost "just work"
[16:41] jrosser: because it tries really really hard to get its data source ipv4 before falling back to ipv6
[16:41] noonedeadpunk: well, you can use config drive for that...
[16:41] jrosser: so boot time can get pretty long with unmodified images
[16:42] noonedeadpunk: I think our issue was related to get ipv6-only L3 router for double-stack public network
[16:43] jrosser: drarvese: if you want to try this out and investigate, you'll get some help/guidance here
[16:43] noonedeadpunk: ++
[16:43] jrosser: we probably even patch things for you as they come up
[16:44] noonedeadpunk: (but better to push patches yourself - they will land faster)
[16:45] jrosser: like a metal only deploy and a sprinkling of ipwrap filter in the ansible and it probably mostly works
[16:46] jrosser: the most obvious thing will be making any use of : or :: safe in config files for things that are normally ipv4-address:port
[16:47] drarvese: I'll have to try a metal only deployment and see how it goes.
[16:49] jrosser: i would recommend starting here with the "all in one" https://docs.openstack.org/openstack-ansible/latest/user/aio/quickstart.html
[16:50] jrosser: putting an ipv4 one alongside an attempt at ipv6 would be interesting
[16:50] jrosser: for comparison/debugging
[16:57] noonedeadpunk: drarvese: just out of interest - is there some NIST or ISO or anything like that to require internal IPv6?
[16:57] * noonedeadpunk wondering if we should prioritize that work regardless
[17:02] drarvese: It's from the US federal IPv6 mandate (OMB memo M-21-07).
[17:03] drarvese: For us, specifically, Department of Commerce policy
[17:13] noonedeadpunk: aha, so there's goal to transition * until 2025
[17:13] noonedeadpunk: interesting
[17:14] * noonedeadpunk still don't have an IPv6 in the meantime
[17:15] opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/zed: Bump SHAs for Zed https://review.opendev.org/c/openstack/openstack-ansible/+/893419
[18:16] noonedeadpunk: though I can't really commit to look into ipv6-only setup right now :( I wanna take time for Skyline and Debian 12 support in short-term perspective
[21:36] Karni: I have launched two scenarios, one with multiqueue feature enabled on the Ubuntu image and the other one as usual without m.q. feature
[21:36] Karni: For networking IO test, I use this command:
[21:37] Karni: `iperf3 -c 10.1.1.10 -T s1 -t 90 -P 15 -p 5101 -A 1,1& iperf3 -c 10.1.1.10 -T s2 -t 90 -P 15 -p 5102 -A 2,2& iperf3 -c 10.1.1.10 -T s3 -t 90 -P 15 -p 5103 -A 3,3& iperf3 -c 10.1.1.10 -T s4 -t 90 -P 15 -p 5104 -A 4,4`
[21:37] noonedeadpunk: I think these will launch just one after another
[21:37] noonedeadpunk: or maybe not....
[21:38] noonedeadpunk: anyway, and what's the result?
[21:38] Karni: (I rum some iperf3 in parallel because iperf3 is still single-threaded)
[21:38] Karni: run*
[21:38] noonedeadpunk: I would just do that with xargs or in screen... But whatever
[21:38] Karni: +1
[21:39] noonedeadpunk: so what you get?
[21:39] Karni: In scenario1 where multiqueue is enabled, it touch 400000 KB/s
[21:39] Karni: In scenario2, without multiqueue: same result!
[21:40] noonedeadpunk: Well, 400mbit means you're throttled elsewhere
[21:40] Karni: 400000Kb/s*
[21:41] noonedeadpunk: As multiqueue is usually the bad guy, when you hit smth like 1.1-1.3 gbit/s
[21:41] noonedeadpunk: (depending on CPU)
[21:41] noonedeadpunk: as that's what you usually can do with a single core
[21:45] Karni: I lost the connection for seconds. would you please repost your last messages, noonedeadpunk ?
[21:46] noonedeadpunk: I said only that multiqueue is usually the issue when you hit 1.1-1.3 gbit/s, but not 400mbit. So I'd say you have bottleneck (or some QoS) elsewhere
[21:47] noonedeadpunk: Karni: just in case - I assume that you just use virtio net? not some emulated e1000 or whatever else?
[21:48] noonedeadpunk: (I know only how to check that only by checking resulted XML for domain on compute node)
[21:48] noonedeadpunk: sorry, it's almost midnight here, so I need to sign off :(
[21:48] Karni: And, In scenario2 where multiqueue has not been enabled, does it make sense to bind an iperf3 to a specific vCPU using `-A` switch that is for CPU affinity rule? I mean iperf3_1 on vCPU1 and iperf3_2 on vCPU2 and so on,
[21:50] Karni: virtio net, and not emulated e1000? what do you mean? I dealt with this statements when I was working on DPDK!
[22:14] Karni: I just found this to run up to 5 processes in parallel (bash 4.3): `i=0 j=5; for elem in "${array[@]}"; do (( i++ < j )) || wait -n; my_job "$elem" & done; wait`
[23:56] johnsom: noonedeadpunk Octavia has no issues with IPv6
