noonedeadpunk | mornings | 06:41 |
---|---|---|
jrosser | good morning | 07:15 |
derekokeeffe | Morning guys, so I stripped it all back yesterday to where I was after the instructions and stopped there as not to confuse anyone. If you jrosser or noonedeadpunk would have a few minutes during the day at some point to take a look at this and give any feedback I would appreciate it. No rush, just when you have a few min free please https://paste.openstack.org/show/bolQAYv7qaz7Riauu3GH/ | 07:29 |
noonedeadpunk | derekokeeffe: I guess... I guess... You might need different destination for your plugins? | 07:33 |
noonedeadpunk | also you pasted barbican.conf twice there | 07:34 |
jrosser | yes missing Chrystoki.conf | 07:37 |
jrosser | if they somehow hardwire paths into the libraries expecting /usr/safenet/lunaclient/plugins then you'd have to follow that | 07:37 |
jrosser | the use of /opt/barbican in the container is not mandatory, the destination path can be anything you need | 07:38 |
jrosser | the idea is that the ansible is flexible enough to deal with whatever "mess" the vendor gives you to deal with | 07:38 |
noonedeadpunk | derekokeeffe: also. We have edited our Chrystoki.conf to refer to correct directory | 07:39 |
noonedeadpunk | Like `PluginModuleDir = /opt/barbican/libs/plugins` and `LibUNIX64 = /opt/barbican/libs/libCryptoki2.so` | 07:39 |
derekokeeffe | Ah sorry for pasting twice. Chrystoki.conf https://paste.openstack.org/show/bm8Yk4z8BADFKSYDvoqa/ | 07:44 |
jrosser | that's all still referring to `/usr/safenet/lunaclient` ? | 07:45 |
derekokeeffe | Hmm ok, so do you suggest moving the plugin directory to the container and changing the path in Chrystoki? that worked in getting rid of the errors for the key generation but then as I mentioned the hsmusers group doesn't exist | 07:46 |
derekokeeffe | Yep jrosser, I thought the barbican container would somehow be able to reference those dirs on the host | 07:46 |
derekokeeffe | but I need those all on the container? | 07:47 |
jrosser | no not at all, consider it to be like a different host entirely, like a VM really | 07:47 |
derekokeeffe | Actually do I just install the whole client on the container? | 07:47 |
derekokeeffe | hsm client that is | 07:47 |
derekokeeffe | set up my keys & certs etc.. from the brbican container? | 07:48 |
jrosser | i dont know - i've never used one of these | 07:48 |
jrosser | but barbican only wants the pkcs11 interface to your HSM | 07:48 |
jrosser | if the client contains a bunch of other stuff, you don't need that | 07:49 |
jrosser | i'm not sure why the hsmusers group matters at all in the container either | 07:49 |
jrosser | it's just unix permissions, the barbican service needs to be able to open the pkcs11 shared library, which in turn needs to read its config etc etc | 07:50 |
noonedeadpunk | derekokeeffe: I think you need either to update Chrystoki.conf to refer to directories you've defined in user_variables or vice versa | 07:50 |
derekokeeffe | hmmm, ok. Sorry guys my head is melted haha. Ok so the Chrystoki.conf was generated I need to update barbican user_variables.yml to match that? | 07:52 |
noonedeadpunk | We've dropped most of the stuff from Misc section - left only PluginModuleDir, PE1746Enabled and ToolsDir | 07:52 |
noonedeadpunk | let me paste how ours looking like... | 07:52 |
derekokeeffe | Thanks noonedeadpunk | 07:52 |
noonedeadpunk | https://paste.openstack.org/show/bbtWXQ3xtg3ZTHhDmGpn/ | 07:52 |
noonedeadpunk | derekokeeffe: would be awesome if you could propose docs change once you will get it working :p | 07:54 |
derekokeeffe | Thanks for that, if I ever get it working :) Ok I'll strip it out and make sure the paths are pointing to the correct locations. Two questions and I'll leave you both alone. does it matter that I don't have libdpod.plugin and only libcloud.plugin. And finally, I only need libCryptoki, the plugin and Chrystoki.conf on the container when I finish running the playbook? | 07:56 |
noonedeadpunk | That's what I needed | 07:59 |
noonedeadpunk | Regarding plugin - I guess it depends on client or vendor or smth like that... | 07:59 |
noonedeadpunk | Not sure - maybe you need smth more, but for minimal deployment I think this should be enough | 07:59 |
derekokeeffe | Perfect, let me try that and I'll let you guys know later. Much appreciated | 07:59 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: Add tags to PKI include https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/896612 | 08:01 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: Fix example playbook linters https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/896613 | 08:13 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_aodh master: Add quorum support for service https://review.opendev.org/c/openstack/openstack-ansible-os_aodh/+/895690 | 08:14 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_ceilometer master: Add quorum support for service https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/895696 | 08:14 |
jrosser | noonedeadpunk: there is a few more of those linter things i think | 08:15 |
jrosser | blazar certainly | 08:16 |
noonedeadpunk | yeah... | 08:20 |
jrosser | oh rabbitmq too | 08:20 |
jrosser | doh | 08:20 |
noonedeadpunk | That totally slipped my attention when patching things :( | 08:21 |
jrosser | ansible-lint should come with free developer effort :( | 08:21 |
noonedeadpunk | As I didn't check examples explicitly | 08:21 |
noonedeadpunk | NeilHanlon: seems another infra issue? https://zuul.opendev.org/t/openstack/build/ac31abd1b0b54dfd8cadeb029a2b287c | 08:29 |
noonedeadpunk | "please report to repository maintainer" | 08:30 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Define install_method default when hosts resolution depend on it https://review.opendev.org/c/openstack/openstack-ansible/+/891697 | 09:08 |
jrosser | tbh i wonder why we don't define `openstack_service_setup_host` in group_vars/all | 09:12 |
jrosser | because it's the same thing for both source and distro installs | 09:12 |
noonedeadpunk | That is very-very good question | 09:23 |
noonedeadpunk | though interpreter is still different? | 09:23 |
noonedeadpunk | but it could be working as expected.... | 09:24 |
noonedeadpunk | Yeah, might be worth just moving openstack_service_setup_host instead indeed | 09:27 |
jrosser | really the whole of this vars file including could be got rid of entirely | 09:30 |
jrosser | seems like we have a bunch of complexity for the sake of a couple of ternary() and a few of the source install vars being always defined but not used for distro path | 09:31 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Gather extra networking facts for keepalived https://review.opendev.org/c/openstack/openstack-ansible/+/896634 | 09:31 |
noonedeadpunk | jrosser: however, 891697 is way more backportable then getting rid of these files. | 10:23 |
noonedeadpunk | (I guess) | 10:23 |
jrosser | sure yes, we can fix and backport | 10:37 |
jrosser | but also think about how it should be for the future | 10:37 |
amarao | I found that openstack-ansible is writing pipeline for ceilometer to /openstack/venvs/ceilometer-27.0.1/lib/python3.9/site-packages/ceilometer/pipeline/data/pipeline.yaml without any links from /etc/ceilometer. I think it's because in ceilometer_core_files there is no dest_f, and if there is no dest_f, file is been written back (which is "{{ ceilometer_lib_dir }}/ceilometer/pipeline/data/pipeline.yaml"). Is this a bug (to report) or this is a feature? If this is a feature, why not /etc/ceilometer/data? | 10:58 |
noonedeadpunk | amarao: I think it's because there was no documented way to place pipeline overrides elsewhere | 11:06 |
noonedeadpunk | and nobody was tracking that since implementation as it works as well | 11:06 |
amarao | So, it's a feature for openstack-ansible, and not a bug? I can live with it, I just wondered if this is a bug, to report (or fix) it. | 11:11 |
NeilHanlon | noonedeadpunk: yeah. looking. :\ | 11:12 |
noonedeadpunk | amarao: if there's a possibility to overwrite default pipeline.yaml in other better way - would be great to use it | 11:12 |
NeilHanlon | should be set now noonedeadpunk :\ I can help rechecks if you need | 11:30 |
kleini | Is it somehow possible to influence, which is the primary Galera node, the primary RabbitMQ, the primary log host? I have very high IO load on my primary infra node and second and third are somewhat idle. | 12:34 |
noonedeadpunk | kleini: well... that's because haproxy is bad balancing solution for SQL | 12:34 |
noonedeadpunk | haproxy sends all traffic for mysql towards single node | 12:35 |
kleini | yes, I know. Can I influence the order of Galera nodes in haproxy? | 12:35 |
noonedeadpunk | Sorry I'm really very heavily multitasking | 12:47 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Define tempest config overrides in unique variables per service https://review.opendev.org/c/openstack/openstack-ansible/+/894763 | 12:49 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240 | 12:49 |
kleini | thanks. will try to find a way by reading OSA roles | 12:50 |
noonedeadpunk | kleini: so.. On Antelope... :) | 12:52 |
noonedeadpunk | You can define https://paste.openstack.org/show/bUC1CfE3sfZFDpoz6vnF/ | 12:54 |
noonedeadpunk | or whatever | 12:54 |
kleini | thank you very much! | 13:03 |
derekokeeffe | noonedeadpunk & jrosser: what's this link linking? Is it the etc/Chrystoki.conf on the host to the /opt/barbican/Chrystoki.conf on the container? | 13:25 |
derekokeeffe | ansible -m file -a "src=/opt/barbican/Chrystoki.conf dest=/etc/Chrystoki.conf state=link" barbican_all | 13:25 |
derekokeeffe | or is it supposed to be creating it on the container? | 13:25 |
derekokeeffe | Oh nevermind it did it on the container | 13:26 |
derekokeeffe | sorry | 13:26 |
jrosser | derekokeeffe: are you doing this in an AIO? | 13:27 |
derekokeeffe | Yep | 13:27 |
jrosser | ok so just remember that this "link on the host into the container" business is all a bit bogus | 13:27 |
jrosser | because in a real deployment you will likely have a deployment host that's completely separate from your infra hosts | 13:27 |
jrosser | so it must be a copy from deploy host to barbican container on the infra hosts | 13:28 |
jrosser | it just happens that in an AIO that is all collapsed into the same physical host | 13:28 |
noonedeadpunk | iirc it was a bit different though.... But not sure... I think it was a link, because plugin was expecting to see config file in /etc and barbican according to Chrystoki in /opt/barbican | 13:29 |
noonedeadpunk | so it either was needed to be copied twice or symlinked, or be in /etc from the beginning | 13:29 |
derekokeeffe | Ok thanks for that. Think I need to step away for a while anyway cause I'm not understanding myself at this point :) | 13:29 |
noonedeadpunk | but then you need to place plugin/library in a relative path to Chrystoki or smth | 13:30 |
noonedeadpunk | it was a mess iirc | 13:30 |
jrosser | yeah, so you can make a symlink with the barbican vars | 13:31 |
jrosser | but ultimately the thing to link has to get there somehow | 13:31 |
jrosser | it's very enterprise | 13:31 |
derekokeeffe | I have a physical OSA test environment, I might give it a try there and see can I get it working. Thanks again and maybe chat next week | 13:33 |
jrosser | i don't think that this really is any different | 13:38 |
derekokeeffe | Ha ok well I might just take a break from it so :) | 13:39 |
jrosser | you have your "source" files in /etc/openstack_deploy, and write vars to instruct the barbican playbook to put them where needed | 13:39 |
jrosser | generally if it was me i'd get it all working manually first by copying/editing things inside the barbican container | 13:39 |
jrosser | then set up ansible to re-create that working thing | 13:39 |
derekokeeffe | Yeah I have all the source files and they are being copied to the correct locations, the config files are pointing to the correct paths but it just doesn't work. the only way I can get the keys to generate is to copy across the entire /usr/safenet/lunaclient dir to the container, then point the conf files to that location and it works first time. The creation of secrets doesn't though or encrypted vols. I even changed permissions on all the relevant files to 777 just in case. Thales support told me to delete the libcloud plugin and I asked what plugin should I use and they said just libCryptoki2_64.so. Anyway I think I need a break from it :) but I will try the manual way you have suggested | 13:45 |
noonedeadpunk | Ok, we need to somehow parallize pki generation for computes.... It takes infinity to generate them... | 14:35 |
noonedeadpunk | * parallelize | 14:36 |
noonedeadpunk | damn, I can't recall what was neutron-related bug that was reported in IRC but never ended up in launchpad... It was smth related to having no ovn gateway nodes or smth, and logic was broken somewhere due to that... | 14:56 |
noonedeadpunk | Maybe that was in the ML where jamesdenton also replied... | 14:56 |
noonedeadpunk | And there was ML and IRC chat... | 14:56 |
* noonedeadpunk | notes have been lost with old laptop | 14:57 |
jamesdenton | there was this one: https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/893924 | 14:58 |
noonedeadpunk | huh. ok. | 14:59 |
noonedeadpunk | I was under impression that there was smth else that needed attention.... | 14:59 |
noonedeadpunk | but it could be it indeed... | 15:00 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240 | 16:21 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Ensure systemd-resolved is present in debian container images https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/894555 | 16:28 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Ensure systemd-resolved is present in debian container images https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/894555 | 16:29 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Sync additional apt config from the host to the container base image https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/894556 | 16:29 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Add ca-certificates into debian base image during debootstrap. https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/894557 | 16:29 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Switch to native systemd-resolved from resolv.conf https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/894558 | 16:29 |
spatel | Hello World :) | 16:56 |
spatel | jamesdenton around? | 16:56 |
spatel | I have question, how do I give one single floating IP to foo project? | 16:57 |
spatel | I was looking at RBAC policy for neutron but it apply to entire network. | 16:57 |
spatel | I found this question but it's not answered - https://stackoverflow.com/questions/74689236/how-to-create-a-policy-to-limit-which-and-how-many-floating-ip-projects-can-assi | 17:00 |
noonedeadpunk | create /32 network? :p | 17:15 |
jamesdenton | i think the floating IP is associated with the project that procures it? | 17:52 |
jamesdenton | but a floating IP network is shared amongst all by default, or with rbac you can limit it, maybe reduce quota? not sure | 17:53 |
mgariepy | hmm why this endup there: https://zuul.opendev.org/t/openstack/build/df3bef4ff5dd44329990defdd6cf19b8/log/logs/host/syslog.txt#6365 | 19:01 |
mgariepy | https://github.com/openstack/openstack-ansible-haproxy_server/blob/master/tasks/haproxy_post_install.yml#L29-L42 | 19:02 |
mgariepy | do we still need it here : https://github.com/openstack/openstack-ansible-openstack_hosts/blob/master/vars/ubuntu-22.04.yml#L68 | 19:14 |
opendevreview | Marc Gariépy proposed openstack/openstack-ansible-openstack_hosts master: Remove rsyslog since we should use journald instead https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/896722 | 19:17 |