Thursday, 2023-10-26

<jamesdenton> noonedeadpunk FWIW, here is a comparison of a standard AIO w/ the PAM patch you posted earlier, 899286. https://paste.openstack.org/show/b2fOoYTPBlPeqMTeH3c5/ 00:53
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: DNM Disable wheels build https://review.opendev.org/c/openstack/openstack-ansible/+/899319 05:14
<opendevreview> Merged openstack/ansible-role-pki master: Simplify PKI host directory creation https://review.opendev.org/c/openstack/ansible-role-pki/+/899269 05:14
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: DNM Disable wheels build https://review.opendev.org/c/openstack/openstack-ansible/+/899319 05:16
<noonedeadpunk> that looks like quite some difference 06:21
<noonedeadpunk> jamesdenton: was that with the first patchset, which had UsePAM no (https://review.opendev.org/c/openstack/ansible-hardening/+/899286/1/vars/main.yml#433) or my second try https://review.opendev.org/c/openstack/ansible-hardening/+/899286/2/tasks/rhel7stig/sshd.yml ? 06:23
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: DNM: Try to tune SSH in pre-step. https://review.opendev.org/c/openstack/openstack-ansible/+/899318 06:28
<noonedeadpunk> I can't see what we're doing in our ssh connection plugin that can make it slower than original one for the bare metal hosts 06:39
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: DNM: Try to tune SSH in pre-step. https://review.opendev.org/c/openstack/openstack-ansible/+/899318 06:59
<opendevreview> Dmitriy Rabotyagov proposed openstack/ansible-hardening master: Disable GSSAPIAuthentication for SSH https://review.opendev.org/c/openstack/ansible-hardening/+/899286 07:08
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: DNM: Try to tune SSH in pre-step. https://review.opendev.org/c/openstack/openstack-ansible/+/899318 07:21
<mnasiadka> NeilHanlon: thanks for doing that ;) 07:31
<jrosser> good morning 07:46
<noonedeadpunk> o/ 07:52
<jrosser> zk role may be broken for bookworm https://zuul.opendev.org/t/openstack/build/f95e123a2f02478d80f34e526513371f/log/job-output.txt#10758 07:53
<noonedeadpunk> yeah... 07:58
<opendevreview> Dmitriy Rabotyagov proposed openstack/ansible-hardening master: Disable dynamic motd message https://review.opendev.org/c/openstack/ansible-hardening/+/899370 08:25
<damiandabrowski> hey folks. Sorry that I couldn't attend to PTG, had a tough openstack upgrade this week :/ 08:48
<noonedeadpunk> jrosser: btw I didn't catch issue with rgw and your patch for tempest in AIO 08:50
<noonedeadpunk> and tempest.scenario.test_object_storage_basic_ops passed 08:51
<jrosser> noonedeadpunk: interesting, we see it fail in CI though don't we 08:54
<noonedeadpunk> yup 08:56
<opendevreview> Merged openstack/openstack-ansible-os_nova stable/zed: Fix logic of discovering hosts by service https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/898780 09:01
<opendevreview> Merged openstack/openstack-ansible-os_keystone stable/yoga: oidc: fix recognition of x forwarded headers from v2.4.11 https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/899046 09:17
<noonedeadpunk> and yes, I also see disabling dynamic mode saving like 7% of time alike to what jamesdenton posted 09:35
<opendevreview> Merged openstack/openstack-ansible-os_nova master: Cleanup upgrade to ssh_keypairs step https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/898802 09:54
<opendevreview> Merged openstack/openstack-ansible-os_nova master: Add nova_libvirt_live_migration_inbound_addr to compute SAN https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/898751 09:58
<opendevreview> Merged openstack/openstack-ansible stable/2023.1: Apply rate limit for journald in AIO builds https://review.opendev.org/c/openstack/openstack-ansible/+/898770 09:58
<opendevreview> Merged openstack/openstack-ansible-os_keystone master: Cleanup upgrade to ssh_keypairs step https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/898801 09:59
<opendevreview> Merged openstack/openstack-ansible-os_masakari master: Fix example playbook linters https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/898936 10:02
<opendevreview> Merged openstack/openstack-ansible-os_senlin master: Fix linters for example playbook https://review.opendev.org/c/openstack/openstack-ansible-os_senlin/+/899248 10:07
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Replace deprecated httpchk with send https://review.opendev.org/c/openstack/openstack-ansible/+/899383 10:09
<opendevreview> Merged openstack/openstack-ansible-os_octavia master: Add security rule for octavia healthmanager https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/897316 10:09
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Ensure tempest include and exclude lists all use unique names https://review.opendev.org/c/openstack/openstack-ansible/+/893968 10:10
<opendevreview> Merged openstack/openstack-ansible-os_octavia master: Drop Neutron oslomsg configuration https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/898923 10:17
<opendevreview> Merged openstack/openstack-ansible-os_heat master: Fix example playbook linters https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/899249 10:17
<noonedeadpunk> So... Looks like not using our connection plugin is really improving things _a lot_ 10:17
<noonedeadpunk> in conjunction with disabling wheels we're really down to 1:10 for metal jobs 10:18
<noonedeadpunk> https://review.opendev.org/c/openstack/openstack-ansible/+/899319 10:18
<anskiy> noonedeadpunk: well, I'm either blind or stupid, but it seems that I only need to add `neutron_availability_zones` to the appropriate configs for OVS/LXB: dhcp_agent.ini or l3_agent.ini, as there are no other mentions of AZs in os_neutron except those I've added. 10:18
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: DNM: Try to tune SSH in pre-step. https://review.opendev.org/c/openstack/openstack-ansible/+/899318 10:19
<noonedeadpunk> anskiy: well, pretty much yes. this what we have to do to make AZs working as expected (for us) with ovs: https://paste.openstack.org/show/bGmyxv08ImtHSIcRa0dw/ 10:22
<noonedeadpunk> But I guess I was concerned that you can't supply really a list to the config 10:22
<noonedeadpunk> it should be 1 specific AZ which neutron agent serves in 10:23
<noonedeadpunk> not sure though 10:23
<noonedeadpunk> so I just didn't want to introduce variables with wrong types or without way forward for other options 10:24
<noonedeadpunk> but also didn't have time to think thoroughly about that :( 10:24
<anskiy> noonedeadpunk: okay, so I just need to check that thing, thank you! 10:26
<opendevreview> Merged openstack/openstack-ansible-lxc_container_create master: Use FQCN for lxc_container module https://review.opendev.org/c/openstack/openstack-ansible-lxc_container_create/+/899128 10:37
<jrosser> i would expect the connection plugin to be almost a no-op for a metal deploy as it just should call through to the base SSH class 10:45
<jrosser> so if it's hurting performance in metal jobs then we have some fundamental thing to look at 10:45
<noonedeadpunk> yes, I am exactly under same impression looking at code 10:45
<noonedeadpunk> I was going to play now in multi-node sandbox a bit 10:46
<noonedeadpunk> just re-running setup-hosts against metal only - even though it doesn't make changes it should show some difference if it's there 10:47
<jrosser> the thing to be careful of too is that with pipelining not all modules use put_file / fetch_file 10:52
<jrosser> need to be using -vvvvv to see what's actually happening 10:52
<jrosser> and for something like copy: it might use stat: first over the controlpersist connection to see if the file is already there 10:52
<jrosser> so doing a benchmark with something like copy: where you make the content be a loop: index perhaps, so it's forced to change every iteration 10:53
<noonedeadpunk> I'm actually not sure we're using pipelining at all. 10:55
<noonedeadpunk> That what I've spotted early in the morning 10:55
<noonedeadpunk> https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/connection/ssh.py#L584 we don't have that 10:56
<opendevreview> Merged openstack/openstack-ansible master: Drop ssh_keypairs_install_authorized_keys reference https://review.opendev.org/c/openstack/openstack-ansible/+/898804 10:56
<opendevreview> Merged openstack/openstack-ansible master: Bump ansible version to 2.15.5 https://review.opendev.org/c/openstack/openstack-ansible/+/899257 10:56
<noonedeadpunk> And I guess this part we override in the module 10:56
<noonedeadpunk> Next thing is potentially use their retry.... 10:57
<noonedeadpunk> maybe that's where we also lose time... But our version looks way more simple... 10:57
<jrosser> we should also check that the behaviour of ControlPath is correct for our LXC case 10:58
<opendevreview> Merged openstack/openstack-ansible-os_keystone stable/yoga: oidc: fix overloading of redirect_uri for cli client https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/899041 10:59
<noonedeadpunk> yeah 10:59
<jrosser> as we could be in a situation where every physical_host/container_name gets its own connection 10:59
<jrosser> vs. one connection per physical_host 10:59
<noonedeadpunk> I'm pretty sure it's what happening 11:00
<noonedeadpunk> But if we see penalty just for metal - I would try to fix that first 11:00
<jrosser> absolutely 11:00
<opendevreview> Merged openstack/openstack-ansible-os_nova stable/2023.1: Use internal endpoint for barbican API https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/899042 11:02
<jrosser> question maybe if this is actually necessary with more modern ansible https://github.com/openstack/openstack-ansible-plugins/commit/621c552e233473bca9ce220abe210025052c9ada 11:05
<noonedeadpunk> yeah, so I guess we might be able to use original decorator for that. But I kinda not sure it's faster looking at its code either 11:13
<jamesdenton> noonedeadpunk it was patchset 2 - https://review.opendev.org/c/openstack/ansible-hardening/+/899286/2/ 11:13
<noonedeadpunk> jamesdenton: yeah, I also see like 6-9% improvement in execution speed 11:13
<opendevreview> Dmitriy Rabotyagov proposed openstack/ansible-hardening master: Disable GSSAPIAuthentication for SSH https://review.opendev.org/c/openstack/ansible-hardening/+/899286 11:15
<opendevreview> Dmitriy Rabotyagov proposed openstack/ansible-hardening master: Disable dynamic motd message https://review.opendev.org/c/openstack/ansible-hardening/+/899370 11:15
<noonedeadpunk> these should be covering it now ^ 11:16
<jamesdenton> nice find 11:17
<jrosser> it's like two layers of retry though 11:21
<jrosser> we have one around exec_command in our plugin 11:21
<jrosser> then inside the native SSH plugin, exec_command uses _run which retries also.... https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/connection/ssh.py#L1223 11:21
<noonedeadpunk> oh, yes, true 11:28
<noonedeadpunk> That indeed looks wrong then 11:28
<opendevreview> Merged openstack/openstack-ansible stable/2023.1: Add gate_log_requirements function https://review.opendev.org/c/openstack/openstack-ansible/+/899158 11:37
<opendevreview> Merged openstack/openstack-ansible-os_octavia master: Add quorum queues support for service https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/898924 11:58
<opendevreview> Merged openstack/openstack-ansible-os_trove master: Add quorum queues support for service https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/898931 11:58
<opendevreview> Merged openstack/openstack-ansible-os_cloudkitty master: Add quorum queues support for service https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/898816 11:59
<opendevreview> Merged openstack/openstack-ansible-openstack_hosts master: Switch codename to Bobcat https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/899294 12:00
<opendevreview> Merged openstack/openstack-ansible-os_senlin master: Add quorum queues support for service https://review.opendev.org/c/openstack/openstack-ansible-os_senlin/+/898926 12:02
<opendevreview> Merged openstack/openstack-ansible-plugins master: Calculate if target is a container only once https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/899162 12:06
<opendevreview> Dmitriy Rabotyagov proposed openstack/ansible-role-zookeeper master: Use jdk 17 for Zookeeper https://review.opendev.org/c/openstack/ansible-role-zookeeper/+/899386 12:07
<opendevreview> Merged openstack/openstack-ansible-os_masakari master: Add quorum queues support for service https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/898912 12:08
<noonedeadpunk> well, on tasks that are not changing things there's no difference with our connection plugin 12:08
<opendevreview> Merged openstack/openstack-ansible-os_heat master: Add quorum queues support for service https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/898908 12:10
<opendevreview> Merged openstack/openstack-ansible-os_ironic master: Add quorum queues support for service https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/898909 12:12
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Remove retries decorator from ssh plugin https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/899393 12:30
<opendevreview> Merged openstack/openstack-ansible-os_nova stable/zed: Use internal endpoint for barbican API https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/899043 12:33
<opendevreview> Merged openstack/ansible-hardening master: Disable GSSAPIAuthentication for SSH https://review.opendev.org/c/openstack/ansible-hardening/+/899286 13:45
<jrosser> noonedeadpunk: i guess we should backport some of these performance things so they take effect for the whole of an upgrade job? 14:00
<noonedeadpunk> yeah 14:01
<opendevreview> Jonathan Rosser proposed openstack/ansible-hardening stable/2023.1: Disable GSSAPIAuthentication for SSH https://review.opendev.org/c/openstack/ansible-hardening/+/899326 14:02
<noonedeadpunk> I kinda really thinking about disabling building wheels for metal deployments 14:12
<noonedeadpunk> and test that in LXC only, where we can afford to run LXC 14:13
<noonedeadpunk> as wheels on metal is kinda useless as well - some other role can easily provide requirements that not present in another one 14:13
<opendevreview> Merged openstack/openstack-ansible-plugins master: Remove nspawn container support https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/899163 14:27
<opendevreview> Merged openstack/openstack-ansible-os_nova stable/yoga: Use internal endpoint for barbican API https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/899044 14:38
<opendevreview> Merged openstack/ansible-hardening master: Disable dynamic motd message https://review.opendev.org/c/openstack/ansible-hardening/+/899370 14:50
<opendevreview> Jonathan Rosser proposed openstack/ansible-hardening stable/2023.1: Disable dynamic motd message https://review.opendev.org/c/openstack/ansible-hardening/+/899328 14:52
<noonedeadpunk> These results look amazing to have that said: https://review.opendev.org/c/openstack/openstack-ansible/+/899318 14:53
<jamesdenton> how much did you shave off? 14:57
<noonedeadpunk> looks like around 20mins 14:58
<jamesdenton> not too shabby 15:00
<jrosser> it's likely worth another pass across all the utility type roles to see if we can filter loops / remove tasks / reduce skipping etc 15:00
<jrosser> systemd_service was bothering me as it deals with service / socket / timer in the same code path 15:03
<noonedeadpunk> yeah, that is actually another thing to look into... 15:06
<noonedeadpunk> But I wonder how to get to the same result without DNMs.... 15:08
<noonedeadpunk> Well. If we revert 1 patch that dropped SSH from all containers... 15:09
<noonedeadpunk> We could drop our connection plugin.... 15:09
<jrosser> this must be able to be collapsed https://github.com/openstack/ansible-role-systemd_service/blob/master/tasks/main.yml#L16-L69 15:09
<jrosser> we can filter the list rather than when: https://github.com/openstack/ansible-role-systemd_service/blob/master/tasks/main.yml#L100 15:10
<jrosser> same https://github.com/openstack/ansible-role-systemd_service/blob/master/tasks/main.yml#L118 15:10
<jrosser> again :) https://github.com/openstack/ansible-role-systemd_service/blob/master/tasks/main.yml#L132 15:10
<noonedeadpunk> ah, yeah, so have just 1 task placing templates 15:15
<noonedeadpunk> or well. filter 15:16
<noonedeadpunk> I was just thinking that list must for sure have at least 1 of these templates, so we can just loop with_together or smth like that... And then place template only if condition is satisfied from the other one... But yeah, I guess filter is cleaner 15:20
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: DNM: Try to tune SSH in pre-step. https://review.opendev.org/c/openstack/openstack-ansible/+/899318 15:24
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Tune SSH in pre-step setup https://review.opendev.org/c/openstack/openstack-ansible/+/899318 15:30
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Tune SSH in pre-step setup https://review.opendev.org/c/openstack/openstack-ansible/+/899318 15:30
<opendevreview> Merged openstack/ansible-hardening stable/2023.1: Disable GSSAPIAuthentication for SSH https://review.opendev.org/c/openstack/ansible-hardening/+/899326 15:41
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Track stable/2023.2 SHAs for upstream projects https://review.opendev.org/c/openstack/openstack-ansible/+/897434 15:42
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_designate master: Add quorum queues support for service https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/898818 16:08
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/zed: Define install_method default when hosts resolution depend on it https://review.opendev.org/c/openstack/openstack-ansible/+/898073 16:15
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/yoga: Define install_method default when hosts resolution depend on it https://review.opendev.org/c/openstack/openstack-ansible/+/898074 16:18
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/xena: Define install_method default when hosts resolution depend on it https://review.opendev.org/c/openstack/openstack-ansible/+/898075 16:18
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/yoga: Define install_method default when hosts resolution depend on it https://review.opendev.org/c/openstack/openstack-ansible/+/898074 16:19
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Map default value of rabbitmq_management_ssl to haproxy_ssl https://review.opendev.org/c/openstack/openstack-ansible/+/899416 16:28
<opendevreview> Merged openstack/openstack-ansible-plugins master: Cosmetic tidy up of pid lookup function https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/899164 16:47
<opendevreview> Merged openstack/openstack-ansible-plugins master: Remove extra container check https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/899165 16:47
<opendevreview> Merged openstack/openstack-ansible-plugins master: Retrieve container name and physical host via get_options https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/899166 16:47
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Tune SSH in pre-step setup https://review.opendev.org/c/openstack/openstack-ansible/+/899318 16:57
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Disable wheels build for metal AIO deployments https://review.opendev.org/c/openstack/openstack-ansible/+/899319 17:05
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Disable wheels build for metal AIO deployments https://review.opendev.org/c/openstack/openstack-ansible/+/899319 17:05
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Disable wheels build for metal AIO deployments https://review.opendev.org/c/openstack/openstack-ansible/+/899319 17:08
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Disable wheels build for metal AIO deployments https://review.opendev.org/c/openstack/openstack-ansible/+/899319 17:08
<opendevreview> Merged openstack/openstack-ansible-haproxy_server stable/2023.1: Apply haproxy-service-config tag on include https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/898500 17:23
<opendevreview> Dmitriy Rabotyagov proposed openstack/ansible-role-zookeeper master: Add upgrade jobs for zookeeper https://review.opendev.org/c/openstack/ansible-role-zookeeper/+/897754 17:32
<opendevreview> Merged openstack/ansible-hardening stable/2023.1: Disable dynamic motd message https://review.opendev.org/c/openstack/ansible-hardening/+/899328 17:33
<opendevreview> Merged openstack/openstack-ansible master: Track stable/2023.2 SHAs for upstream projects https://review.opendev.org/c/openstack/openstack-ansible/+/897434 23:20
