gokhani | Hello folks, I have created a non-SSL environment on a public endpoint. I am getting SSL certificate verify failed errors when trying to create a loadbalancer. How can we resolve this issue? It is working on environments with SSL. | 07:17 |
---|---|---|
noonedeadpunk | gokhani: loadbalancer in terms of Octavia? | 07:59 |
noonedeadpunk | also what's the error? | 08:00 |
noonedeadpunk | eventually, as you might know, Octavia does still require TLS, as authentication with Amphora happens through mTLS auth | 08:00 |
gokhani | noonedeadpunk: yes, I mean Octavia. The Octavia amphora driver could not connect to the instance | 08:29 |
gokhani | there is a self-signed certificate but it is not working | 08:29 |
noonedeadpunk | gokhani: could it be that it got accidentally rotated? | 08:31 |
gokhani | noonedeadpunk: Maybe it was rotated after the upgrade. I am checking now | 08:33 |
noonedeadpunk | eventually, failing over loadbalancers should help if that is the case | 08:47 |
noonedeadpunk | as client certificates are passed as metadata to amphora during spawn-up | 08:48 |
noonedeadpunk | so once they're there, changing the server certificate will lead to that situation | 08:48 |
noonedeadpunk | loadbalancer failover does re-create VMs, so a new certificate pair will be pulled | 08:49 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Switch service repos to track 2024.1 https://review.opendev.org/c/openstack/openstack-ansible/+/914188 | 09:05 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Switch service repos to track 2024.1 https://review.opendev.org/c/openstack/openstack-ansible/+/914188 | 09:06 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Add trove tempest testing https://review.opendev.org/c/openstack/openstack-ansible/+/784379 | 09:08 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_trove master: DNM https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/915052 | 09:09 |
gokhani | noonedeadpunk: I cannot reach amphora instances with SSH. It requests a password for login. | 09:30 |
gokhani | Maybe it cannot reach the metadata service | 09:31 |
noonedeadpunk | gokhani: so there should be an SSH key on the deploy host ideally | 09:33 |
noonedeadpunk | in case `octavia_ssh_enabled` is set to True | 09:34 |
noonedeadpunk | https://opendev.org/openstack/openstack-ansible-os_octavia/src/branch/master/defaults/main.yml#L312-L314 | 09:34 |
gokhani | noonedeadpunk: yes it is true. I am trying to ssh with this keypair. | 09:38 |
gokhani | but the instance requests a password | 09:40 |
gokhani | I think the user is amphora or ubuntu | 09:40 |
noonedeadpunk | ubuntu | 09:57 |
noonedeadpunk | gokhani: do newly spawned LBs also have the same issue? | 10:01 |
noonedeadpunk | And have you tried just to failover LB? | 10:01 |
gokhani | noonedeadpunk: I couldn't fail over because it is in pending create state | 12:09 |
gokhani | How can we refresh Octavia certs? | 12:09 |
noonedeadpunk | gokhani: and can you failover just specific amphoras? | 12:19 |
gokhani | noonedeadpunk: I solved the issue. After removing the Octavia migration user variable file and running the Octavia install, it is resolved | 12:36 |
noonedeadpunk | huh | 12:53 |
noonedeadpunk | ok | 12:53 |
gokhani | noonedeadpunk: without deleting them it skips installing server certificates | 12:55 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Filter out empty src/source from user-role/collection-requirements https://review.opendev.org/c/openstack/openstack-ansible/+/915074 | 14:45 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Document usage of user.rc file https://review.opendev.org/c/openstack/openstack-ansible/+/915076 | 15:25 |
opendevreview | Merged openstack/openstack-ansible-os_designate stable/2023.2: Fix designate upgrades when internal RPC version changes https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/914875 | 15:56 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Rename extending-osa page https://review.opendev.org/c/openstack/openstack-ansible/+/915078 | 15:56 |
noonedeadpunk | I will propose a new 2023.2 bump as we've backported quite some new things lately... | 15:59 |
noonedeadpunk | and I haven't proposed new minor releases yet | 15:59 |
noonedeadpunk | wanna wait for this though: https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/914885 | 16:00 |
noonedeadpunk | jrosser_: capi fails weirdly now - https://zuul.opendev.org/t/openstack/build/a83cfacdfd664bc88c5b02ce0c3c101f/log/job-output.txt#27479 | 16:06 |
noonedeadpunk | | status | CREATE_IN_PROGRESS | 16:06 |
noonedeadpunk | "| status_reason | CAPI Cluster status: Provisioned: Cluster kube-2mplm is Provisioned. CAPI OpenstackCluster status reason: Successfulcreatemonitor: Created monitor k8s-clusterapi-cluster-magnum-system-kube-2mplm-kubeapi-6443 with id 9bfa0814-f0e6-414f-8ef6-c95a0f7d42c0 | | 16:06 |
noonedeadpunk | which doesn't really add-up for me | 16:06 |
jrosser_ | well - getting the cluster provisioning status to be transferred over to the status in magnum is a thing that has to go right | 16:13 |
noonedeadpunk | just the reason looks like it should be completed, I assume? | 16:14 |
noonedeadpunk | or maybe not fully | 16:15 |
opendevreview | Dmitriy Rabotyagov proposed openstack/ansible-role-uwsgi master: Add Debian 12 distro setup variable https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/915080 | 16:22 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Add distro infra jobs https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/914691 | 16:22 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Implement installation method selection for MariaDB role https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/914530 | 16:23 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Add distro infra jobs https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/914691 | 16:23 |
jrosser_ | it’s going to be a week before I can take a look at that | 16:23 |
opendevreview | Merged openstack/openstack-ansible-plugins master: Add check_hostname option to db_setup tasks https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/900217 | 16:44 |
spatel | noonedeadpunk quick question, in the Horizon AVAILABLE_REGIONS option I can specify multiple regions, but how will auth be handled here if I have totally isolated clouds? | 16:45 |
spatel | I have two individual clouds and I would like to manage them with a single Horizon UI | 16:46 |
noonedeadpunk | there was another variable there | 16:46 |
spatel | ? | 16:46 |
noonedeadpunk | https://opendev.org/openstack/openstack-ansible-os_horizon/src/branch/master/defaults/main.yml#L262-L264 | 16:46 |
noonedeadpunk | Basically you can supply a pair of keystone URL/region name | 16:46 |
spatel | Yes, but how does auth work? If I select a different region, then how does that region auth or pass the token? | 16:47 |
noonedeadpunk | so AVAILABLE_REGIONS is actually a list of mappings, where you provide the keystone URL and the region name as the second key | 16:47 |
noonedeadpunk | it's not?:) | 16:47 |
noonedeadpunk | or well, you need to auth towards the proper regions/keystone | 16:48 |
noonedeadpunk | if you have a valid token in cookies - probably you can switch back and forth | 16:48 |
noonedeadpunk | (for each region) | 16:48 |
noonedeadpunk | so you auth towards each region independently | 16:49 |
noonedeadpunk | unless you've stretched keystone :) | 16:49 |
spatel | I don't have stretched keystone :( | 16:50 |
spatel | both cloud are isolated | 16:50 |
spatel | That is why I am asking the question: how will multi-region work here if both don't know about each other? | 16:50 |
noonedeadpunk | I mean, it's not really multi-region:) | 16:51 |
noonedeadpunk | so you'd need to auth independently when switching regions | 16:52 |
spatel | so we have to type the password :) | 16:52 |
spatel | yike.. | 16:52 |
noonedeadpunk | or share keystone. or do federation | 16:54 |
noonedeadpunk | s/share/stretch/ | 16:54 |
spatel | is federation easy to manage? | 16:54 |
noonedeadpunk | Um. Might be. I don't have positive experience yet though | 16:55 |
spatel | or how about dumping the keystone table from region A to B using Ansible :) | 16:55 |
noonedeadpunk | I think I wrote about that lately, but a scheme with stretching a separate galera cluster cross-region for keystone sounds appealing enough to me | 16:56 |
noonedeadpunk | going to play with that in practice soonish | 16:56 |
spatel | just sync the keystone DB stuff? | 16:56 |
spatel | I am thinking, what if we just dump user/pass/role etc. instead of the entire DC? | 16:57 |
noonedeadpunk | yeah. And well, you'd also need to sync fernets through SSH in the case of OSA. But that's minor | 16:57 |
noonedeadpunk | Tokens depend on fernets | 16:57 |
spatel | it's easy to do, right? | 16:57 |
noonedeadpunk | So if fernets are not in sync - tokens are not valid | 16:57 |
opendevreview | Merged openstack/openstack-ansible-os_designate stable/2023.1: Fix designate upgrades when internal RPC version changes https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/914876 | 18:13 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins stable/2023.2: Do not log contents of installed keypairs by default https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/915016 | 20:09 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins stable/2023.1: Do not log contents of installed keypairs by default https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/915017 | 20:09 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone master: Fix permissions for SSH private key for Ubuntu distro installations https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/915089 | 20:38 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone master: Fix permissions for SSH private key for Ubuntu distro installations https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/915089 | 20:38 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Add distro infra jobs https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/914691 | 20:39 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!