opendevreview | Andrew Bonney proposed openstack/openstack-ansible-os_keystone master: Re-distribute fernet keys when re-building the primary https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/907397 | 09:36 |
noonedeadpunk | andrewbonney: I have a question for you as I wasn't able to look into fernet stuff yet. One thing that was concerning me a bit - have you checked how rotation happens "normally"? As it feels we do rotation only on "main" controller and then distribute fernets elsewhere | 09:41 |
andrewbonney | Yes that does appear to be how it works at the moment | 09:41 |
noonedeadpunk | So my other concern was - while the "main" control plane is down, I assume it's possible that fernets get "outdated"? | 09:42 |
noonedeadpunk | I'm not 100% sure that's actually a thing though | 09:42 |
noonedeadpunk | But like, if you decide to proceed with "main" server resetup on Monday, that means the whole weekend you're left without rotated fernets | 09:43 |
andrewbonney | I can see that the tokens generated using the keys expire, but I'm not sure from the docs if the keys themselves can expire | 09:43 |
noonedeadpunk | yeah, maybe they are not... | 09:43 |
andrewbonney | I think this is the key statement: With staged keys the penalty of key rotation is low, allowing you to err on the side of security and rotate weekly, daily, or even hourly. Ultimately, this should be less time than it takes an attacker to break an AES256 key and a SHA256 HMAC. | 09:44 |
jrosser | i guess relatedly https://opendev.org/openstack/kolla-ansible/commit/6c1442c385450004dd253f3f464fe4336194be99 | 09:44 |
noonedeadpunk | yeah, ok, then, just wanted to say that aloud so we can check it's fine | 09:46 |
andrewbonney | It would certainly be nice if they could all check if rotation is required in case of an extended outage | 09:47 |
noonedeadpunk | gluster? :D | 09:48 |
andrewbonney | Haha, it had crossed my mind, but I've had enough fun with re-clustering gluster programmatically to not go there yet | 09:49 |
noonedeadpunk | heh | 09:51 |
jrosser | noonedeadpunk: here's what we need to work on to merge capi stuff https://etherpad.opendev.org/p/osa-capi | 10:02 |
noonedeadpunk | quite good summary (quite some todos as well) | 10:08 |
noonedeadpunk | most concerning part is Octavia I guess | 10:08 |
jrosser | yeah some of it is pretty unrelated to capi | 10:08 |
noonedeadpunk | we still run it with lxb? | 10:08 |
jrosser | and some is obvious / easy to merge | 10:09 |
jrosser | but some needs discussion | 10:09 |
jrosser | i don't know actually what we do in the octavia job | 10:09 |
opendevreview | James Denton proposed openstack/openstack-ansible master: [WIP] Add support for Octavia testing with OVS/OVN https://review.opendev.org/c/openstack/openstack-ansible/+/894811 | 10:14 |
jrosser | ^ i think this needs fixing for RH os | 10:14 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_octavia master: Adopt for usage openstack_resources role https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/889879 | 10:15 |
jrosser | i was going to take a look at https://bugs.launchpad.net/openstack-ansible/+bug/2048284 | 10:31 |
jrosser | one option is to make a single breaking change everywhere and use https://docs.ansible.com/ansible/latest/collections/ansible/builtin/deb822_repository_module.html | 10:31 |
jrosser | and unify the way we do this across all roles | 10:31 |
noonedeadpunk | I think we should move to deb822_repository indeed | 10:41 |
noonedeadpunk | Not sure if that *has* to be breaking change though | 10:41 |
noonedeadpunk | But maybe you're right.... | 10:41 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-openstack_hosts master: Drop task that deletes old UCA repo https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/907433 | 15:14 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-openstack_hosts master: Manage apt repositories and keys using deb822_repository module https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/907434 | 15:14 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-openstack_hosts master: Manage apt repositories and keys using deb822_repository module https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/907434 | 15:47 |
spatel | Where are snapshots located? - https://paste.opendev.org/show/b0uaLV7QErEbFYAEV8h1/ | 15:53 |
spatel | In which pool I meant.. I can't see them in any pool.. are they layers or something? | 15:54 |
mgariepy | lol. https://github.com/ansible-collections/dellemc.os10/blob/ca3b7c714298dda7af861c2bb3418cbc2bdbc111/roles/os10_interface/templates/os10_interface.j2#L231-L236 | 16:11 |
mgariepy | how to get into the else? | 16:11 |
mgariepy | haha | 16:11 |
noonedeadpunk | mgariepy: you should not ask - that's dell.... | 16:18 |
mgariepy | haha lol | 16:18 |
noonedeadpunk | but joking aside - it should be False | 16:18 |
noonedeadpunk | or null. but defined | 16:19 |
mgariepy | i really hate configuring switches. | 16:19 |
noonedeadpunk | dell switches should have their own circle in hell... | 16:20 |
mgariepy | well i don't have money for arista ;p | 16:20 |
noonedeadpunk | fair enough | 16:27 |
mgariepy | arista is way too expensive.. | 16:28 |
jrosser | if you don't mind 10g copper then 7280TR are extremely cheap used | 16:46 |
admin1 | z9100s are good | 16:57 |
admin1 | but can also get good/cheaper juniper ex/qfx online | 16:57 |
admin1 | 2nd hand though | 16:57 |
noonedeadpunk | I was actually also about to think about juniper before I recalled it's HPE now, so not that sure anymore | 17:09 |
mgariepy | jrosser, these are 2 pairs of 100 and 25. | 17:11 |
jrosser | we've been having quite the juniper trouble recently | 17:23 |
noonedeadpunk | oh, I see | 17:24 |
jrosser | some internal stuff saying “Junos quality declining” when comparing vendors | 17:24 |
jrosser | but then, personally I would never touch virtual-chassis ever | 17:24 |
noonedeadpunk | Yeah, haven't used them for like ... 4-5 years by now? So just good memories left | 17:25 |
jrosser | I have a juniper router at home | 17:25 |
jrosser | tonight’s job is to reboot it and work out wtf crazy state it is in :( | 17:26 |
noonedeadpunk | for home I'm sticking with Mikrotik... For good or bad... | 17:27 |
noonedeadpunk | wouldn't use that anywhere except home though | 17:28 |
jrosser | that apt-key patch turned out pretty well I think | 17:28 |
jrosser | need to look at upgrade path though as repo config is in different files | 17:29 |
jrosser | need to also try it on a repo where we vendor the gpg key under files/ | 17:30 |
noonedeadpunk | huh, ok, that's interesting: https://zuul.opendev.org/t/openstack/build/15edbf3456d540ab9c2e8b1ef2f2976b/log/logs/etc/host/apt/sources.list.d/osbpo.sources.txt | 17:31 |
noonedeadpunk | Somehow I thought differently about it :D | 17:31 |
noonedeadpunk | but that's ofc super breaking thing.... | 17:33 |
jrosser | yeah, were you more thinking to make a backward compatible change using the new module? | 17:34 |
jrosser | but it does seem to generate wildly different config to before | 17:34 |
noonedeadpunk | Or at least somehow compatible | 17:34 |
jrosser | and also handle repos and keys in the same task | 17:34 |
noonedeadpunk | yes, super different config under different filename.... | 17:35 |
jrosser | well I have put -W on that patch so it’s proof of concept and discussion point | 17:35 |
noonedeadpunk | so cleanup was a good point of yours | 17:35 |
noonedeadpunk | Like generally - I think that's the way to go. I kinda like this format even more potentially, except it's breaking my established mindset... | 17:36 |
jrosser | if we just expose the whole functionality of the new ansible module through vars then it could be super flexible | 17:36 |
jrosser | but the price to pay is no backward compat | 17:36 |
noonedeadpunk | I do hope that pins work the same way... | 17:37 |
jrosser | oh also I did submit an issue for the ansible upgrade trouble we had | 17:38 |
noonedeadpunk | well. yes, sure. I totally get what you mean | 17:38 |
jrosser | and there is some feedback on it that it’s a legitimate bug | 17:39 |
noonedeadpunk | that's good news | 17:39 |
noonedeadpunk | not sure that anybody will rush fixing it though | 17:40 |
noonedeadpunk | but that's good overall | 17:40 |
noonedeadpunk | sweet name for a gpg key :D https://opendev.org/openstack/openstack-ansible-openstack_hosts/src/branch/master/vars/redhat-9.yml#L73 | 17:49 |
mgariepy | we have a bunch of mellanox ones but now we are unable to get them in reasonable time. | 17:59 |
jrosser | buying used has been the only way I’ve been able to get anything for a while now | 18:02 |
jrosser | the budget cycle I have is shorter than the lead time on stuff :/ | 18:04 |
mgariepy | well for me policy doesn't allow buying used. | 18:05 |
opendevreview | Merged openstack/openstack-ansible-plugins master: Add openstack_resources role skeleton https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794 | 21:02 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Add tempest tests for Blazar https://review.opendev.org/c/openstack/openstack-ansible/+/904786 | 21:35 |
*** tosky_ is now known as tosky | 23:14 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!