Wednesday, 2024-05-15

[07:44] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible master: Remove service-specific tags from service playbooks  https://review.opendev.org/c/openstack/openstack-ansible/+/918615
[07:44] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible master: docs: demonstrate quick method to move between HA/Quorum queues  https://review.opendev.org/c/openstack/openstack-ansible/+/919062
[08:14] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_keystone master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/919670
[08:14] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_barbican master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/919671
[08:15] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_placement master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/919672
[08:16] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_glance master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/919673
[08:16] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_cinder master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/919674
[08:16] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_heat master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/919675
[08:16] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_horizon master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/919676
[08:16] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_designate master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/919677
[08:16] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_swift master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/919678
[08:16] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_adjutant master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/919679
[08:16] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_gnocchi master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_gnocchi/+/919680
[08:17] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_ceilometer master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/919681
[08:17] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_aodh master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_aodh/+/919682
[08:17] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_cloudkitty master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/919683
[08:17] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_ironic master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/919684
[08:17] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_magnum master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/919685
[08:17] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_trove master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/919686
[08:17] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_octavia master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/919687
[08:17] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_tacker master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_tacker/+/919688
[08:18] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_blazar master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_blazar/+/919689
[08:18] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_masakari master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/919690
[08:18] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_manila master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_manila/+/919691
[08:18] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_mistral master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/919692
[08:19] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_zun master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_zun/+/919693
[08:19] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_skyline master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_skyline/+/919694
[08:19] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_nova master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/918614
[08:21] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_neutron master: Add tag to enable targeting of post-install config elements only  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/919695
[08:27] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible master: Remove service-specific tags from service playbooks  https://review.opendev.org/c/openstack/openstack-ansible/+/918615
[08:27] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible master: docs: demonstrate quick method to move between HA/Quorum queues  https://review.opendev.org/c/openstack/openstack-ansible/+/919062
[08:43] <semantic> Just tried to install from master. Basic functions work, but glance-api.service logs python trace ending with 'ERROR oslo_messaging.notify.messaging RuntimeError: Configuration Error: rabbit_stream_fanout need rabbit_qos_prefetch_count to be set to a value greater than 0.'
[08:48] <andrewbonney> Might be worth fetching the latest changes. A patch to os_glance merged at half 5 yesterday: https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/919087
[08:49] <andrewbonney> Unless you have done and there's some issue with that patch
[08:53] <semantic> Ah, I see, thank you. Probably need to fetch latest then.
[08:55] <noonedeadpunk> interestingly, mainly 2023.1 upgrade jobs are timing out.
[08:56] <noonedeadpunk> what have we changed between 2023.1 and 2023.2 that can explain performance hit....
[08:57] <noonedeadpunk> but then... looking at some jobs - openstack-ansible-upgrade-aio_metal-ubuntu-jammy 2h 21m 21s
[08:58] <noonedeadpunk> openstack-ansible-upgrade_2023.1-aio_metal-ubuntu-jammy 2h 21m 31s
[08:58] <noonedeadpunk> so super close....
[09:13] <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Deploy horizon by default with metal AIO scenarios  https://review.opendev.org/c/openstack/openstack-ansible/+/916005
[09:14] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Deploy horizon by default with metal AIO scenarios  https://review.opendev.org/c/openstack/openstack-ansible/+/916005
[09:34] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-rabbitmq_server master: Enable feature flags pre and post-upgrade  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/919701
[09:34] <jrosser_> so for manila i wonder where it tries to get nfs-ganesha-ceph=4.4-ubuntu1~jammy1 from
[09:35] <jrosser_> noonedeadpunk: ^ did you try any of this locally - i will if you've not?
[09:35] <noonedeadpunk> yeah. I was going to make an AIO to check.
[09:36] <noonedeadpunk> created VM but not yet started
[09:36] <jrosser_> it kind of looks like a UCA-ish package
[09:36] <noonedeadpunk> it looks like there's no ganesha in community repo anymore
[09:36] <jrosser_> the package version there does not make sense for https://packages.ubuntu.com/jammy/nfs-ganesha-ceph
[09:37] <noonedeadpunk> but well - why then UCA requires dependency that is only available on focal....
[09:38] <noonedeadpunk> though, it doesn't contain dependency on liburcu at all?
[09:38] <opendevreview> Andrew Bonney proposed openstack/openstack-ansible-rabbitmq_server master: Enable feature flags pre and post-upgrade  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/919701
[09:38] <noonedeadpunk> ah, nfs-ganesha does
[09:38] <noonedeadpunk> but then it's liburcu8  https://packages.ubuntu.com/jammy-updates/nfs-ganesha
[09:39] <jrosser_> i still don't understand the version 4.4 at all
[09:40] <jrosser_> tbh i wonder how they even build the cephadm images for this
[09:41] <noonedeadpunk> cephadm images are only centos9s?
[09:42] <jrosser_> oh sure, but it's a pretty weird set of distros have the nfs ganesha stuff at all https://pkgs.org/search/?q=nfs-ganesha-ceph
[09:42] <jrosser_> so you kind of need a package (ideally) to install from when building the container image
[09:48] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Update cirros image for manila tempest  https://review.opendev.org/c/openstack/openstack-ansible/+/919702
[09:48] <noonedeadpunk> yeah, true....
[09:49] <noonedeadpunk> but that also shows more or less native repos?
[09:49] <noonedeadpunk> as ceph could be coming from some StoreSIG
[09:49] <noonedeadpunk> https://sigs.centos.org/storage/
[09:50] <noonedeadpunk> which all consist of broken links....
[09:52] <jrosser_> https://github.com/ceph/ceph-container/blob/d4a0f93b06679a5c9148c9e9b367478b2a0d04e0/ceph-releases/ALL/centos/daemon-base/__DOCKERFILE_INSTALL__#L14-L19
[09:55] <noonedeadpunk> so we should be looking for ganesha 5
[09:56] <noonedeadpunk> but /o\, how I don't understand Docker and why ppl like it
[09:57] <noonedeadpunk> Like I close to never heard anything too adorable about bash being handy and convenient for developing things. But somehow Docker is...
[09:57] <noonedeadpunk> anyway
[09:57] <noonedeadpunk> just every time I look at Dockerfiles I can't stop thinking about "why"
[10:17] <noonedeadpunk> ok, got AIO failure
[10:18] <noonedeadpunk> https://paste.openstack.org/show/btKnImhzDrWqYOk5GBZE/
[10:18] <noonedeadpunk> so it's not even UCA
[10:19] <noonedeadpunk> probably... worth trying https://launchpad.net/~nfs-ganesha/+archive/ubuntu/nfs-ganesha-5 instead...
[10:21] <noonedeadpunk> yeah, switching to 5 works
[10:22] <noonedeadpunk> also requires https://answers.launchpad.net/~nfs-ganesha/+archive/ubuntu/libntirpc-5/
[10:22] <noonedeadpunk> I guess it's ceph-ansible that does provide these...
[10:22] <noonedeadpunk> (or well, install)
[10:47] <opendevreview> Merged openstack/openstack-ansible-os_ironic master: Add variable to globally control notifications enablement  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/918115
[10:50] <jrosser_> hmm looks like the ceph-nfs role is removed?
[10:50] <noonedeadpunk> in latest?
[10:50] <noonedeadpunk> doh
[10:51] <noonedeadpunk> it's not on the branch we're using yet
[10:52] <jrosser_> https://github.com/ceph/ceph-ansible/commit/675667e1d60b7080dad7293f2954de23718c5042
[10:54] <opendevreview> Merged openstack/openstack-ansible-os_ironic master: Implement variables to address oslo.messaging improvements  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/918116
[10:56] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Use NFS Ganesha 5  https://review.opendev.org/c/openstack/openstack-ansible/+/919714
[10:57] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_manila master: Add quorum queues support for service  https://review.opendev.org/c/openstack/openstack-ansible-os_manila/+/898914
[10:57] <noonedeadpunk> hopefully this helps...
[11:03] <jrosser_> what is the status of adjutant?
[11:03] <jrosser_> i dont see the messaging patches for that role
[11:10] <noonedeadpunk> It does not use messaging afaik
[11:11] <noonedeadpunk> about status - somehow maintained I guess
[11:11] <jrosser_> oh well that would explain it :)
[11:11] <noonedeadpunk> I tried to get it working, and it kinda did. partially...
[11:11] <noonedeadpunk> but I wasn't too dedicated
[11:52] <semantic> Ok, have reinstalled from master once again. Trying my test and facing similar problem. After I shut down one of rabbit hosts, I cannot live migrate instance from one compute host to another. nova-compute logs python trace with 'ERROR oslo_messaging.rpc.server oslo_messaging.exceptions.MessagingTimeout: Timed out waiting for a reply to message ID fdd459b5c152476386220255539d63a8' and instance becomes 'ERROR'
[11:52] <semantic> statused...
[11:52] <semantic> Though nova-compute service now does not repeat similar log constantly but just once...
[12:05] <noonedeadpunk> well, it should kinda reconnect after that and retry operation...
[12:05] <noonedeadpunk> but it's weird it does just put instance into error state....
[12:08] <andrewbonney> Could you put the full log somewhere? There's a chance it's a different issue
[12:09] <semantic> Sure. Full log of what exactly? Nova-compute service?
[12:09] <andrewbonney> Yeah, any other error messages or tracebacks around the same time
[12:09] <jrosser_> paste.opendev.org is good for this
[12:38] <semantic> https://paste.opendev.org/show/btRSEe7eP0wOwG9cj1br/
[12:41] <semantic> https://paste.opendev.org/show/bTb5eJPQd2WlK7nAK0ua/
[12:42] <semantic> https://paste.opendev.org/show/bOBo7mPbqfFM1Tu221mA/
[12:42] <andrewbonney> I can't be certain, but that looks like what we've seen and reported in https://bugs.launchpad.net/nova/+bug/2060931
[13:12] <jrosser_> semantic: if you want to determine if you are seeing the same bug, you can add this to your user_variables.yml https://paste.opendev.org/show/b8g4PK1CoR6Kef8cXJ9r/
[13:13] <jrosser_> semantic: though the branch of oslo.messaging that points to is for bobcat, so you could create your own fork for master and revert the patch mentioned in the nova bug report
[13:14] <jrosser_> the mechanism to apply a customised oslo.messaging for nova remains the same
[13:28] <noonedeadpunk> have you talked with nova folks on irc about that? as it seems it's been a month without any ack...
[13:29] <andrewbonney> I brought up three bugs yesterday. Spent most time on an online migrations one so may have to go back on that, but I'd really like to find a concrete test case as for me it takes time to occur
[13:30] <noonedeadpunk> I see
[13:30] <noonedeadpunk> I think I found another issue with live migrations that was there forever and kinda follow-up of https://github.com/openstack/nova/commit/6a15169ed9f16672c2cde1d7f27178bb7868c41f
[13:31] <noonedeadpunk> but this time, when MAC contains `-` as a separator
[13:32] <noonedeadpunk> which is kinda okay for netaddr.EUI but not when you try to live migrate, as domain xml always contains semicolon as separator
[14:08] <lowercase> Good Morning, I'm encountering an issue on release `2023.1` during the `haproxy_server :
[14:08] <lowercase> Regenerate haproxy configuration` keeps applying `'option httpchk' : hiding headers or body at the end of the version string is deprecated. Please, consider to use 'http-check send' directive instead.` to the haproxy configuration. I know this is an issue because in haproxy 2.1 and higher, the config changes. https://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/stable/2023.1/templates/service.j2 line 81 applies t
[14:10] <noonedeadpunk> hey
[14:10] <noonedeadpunk> I think, we pretty much get rid of that directive in 2023.1....
[14:11] <noonedeadpunk> but this can be coming from services (or extra services) definition
[14:11] <noonedeadpunk> ie: https://opendev.org/openstack/openstack-ansible/src/branch/stable/2023.1/inventory/group_vars/keystone_all/haproxy_service.yml#L24
[14:12] <lowercase> Yep, that's the issue
[14:12] <noonedeadpunk> we probably backported some fix for the service....
[14:12] <lowercase> Well tbf, and totally to make this more complex.
[14:12] <lowercase> you ship haproxy 2.0 for this release.
[14:13] <lowercase> I'm using the next lts because of some other issues we found.
[14:13] <lowercase> 2.4
[14:13] <noonedeadpunk> we actually don't constrain proxy version. it's whatever shipped with the distro
[14:13] <noonedeadpunk> oh
[14:13] <noonedeadpunk> you mean we've adjusted that for 2023.2 only
[14:15] <noonedeadpunk> But I'm pretty much sure that 2023.1 should work nicely both for 20.04 and 22.04
[14:15] <lowercase> Sorry, give me a moment.
[14:15] <noonedeadpunk> as we're having both in production right now
[14:15] <lowercase> I'm double checking if line 41 is the issue
[14:17] <lowercase> I don't think that's the issue. This is what is throwing haproxy off `reqadd X-Forwarded-Proto:\ https`
[14:17] <lowercase> And I modify that line to be haproxy >2.1 compliant with this line: http-request add-header X-Forwarded-Proto https
[14:27] <jrosser_> lowercase: what OS do you use? btw also the end of your original message maybe truncated
[14:27] <lowercase> ubuntu 20.04
[14:29] <lowercase> We have roadmap to take ubuntu 22.04 with Bobcat
[14:29] <jrosser_> so tbh i am a bit confused here
[14:30] <jrosser_> for example we have a 2023.1 job here which runs on both focal and jammy https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/917091?tab=change-view-tab-header-zuul-results-summary
[14:30] <jrosser_> and those both pass / nothing terrible in the haproxy log, you can look through all the logs for those jobs
[14:32] <lowercase> My boss is tagging me for an issue. I will look in about a minute
[14:33] <jrosser_> sure
[14:34] <lowercase> Sorry about that
[14:34] <jrosser_> so those jobs run focal with haproxy=2.0.33-0ubuntu0.1
[14:35] <lowercase> This issue isn't OS related. I took Haproxy 2.4 early due to an issue with 2.0 failing to handle the complete connection of a tcp connection. We observed the haproxy load balancer was prematurely failing to route the whole connection and dropping the connection before fin
[14:35] <jrosser_> and jammy with haproxy=2.4.24-0ubuntu0.22.04.1
[14:36] <jrosser_> my point is that we are running jobs with both haproxy 2.0 and 2.4 off of the same ansible code/vars for 2023.1
[14:36] <lowercase> hmm.. well that is interesting
[14:36] <jrosser_> they happen to be on different OS for sure
[14:37] <jrosser_> but it surprises me a bit if something is fundamentally broken if you were to put haproxy 2.4 on focal
[14:39] <lowercase> I think what I'm trying to communicate, is that I have focal haproxy 2.4, and the playbooks are laying down a 2.0 config.
[14:39] <lowercase> If the easy fix is to upgrade the os to 2.4 so the playbooks give me a 2.4 config. I'm okay with that.
[14:39] <jrosser_> but they don't change though?
[14:40] <jrosser_> there is nothing in the ansible code that adjusts the haproxy config written based on the version of haproxy
[14:40] <lowercase> The way http packet headers are added in haproxy is what changes between haproxy 2.0 and 2.4
[14:40] <lowercase> I'll provide some documentation.
[14:41] <jrosser_> please check the CI jobs
[14:41] <jrosser_> you can see the config files, the haproxy logs, the haproxy config all exactly as we test it
[14:41] <andrewbonney> Looks like this changed well before 2023.1: https://github.com/openstack/openstack-ansible-haproxy_server/commit/ca76349e9f7c8aa9a6931222684b635a4096049c
[14:41] <andrewbonney> Perhaps worth checking the haproxy role isn't old?
[14:45] <lowercase> The dates on the haproxy role are identical to all the other roles.
[14:45] <lowercase> I'm still working through the ci jobs.
[14:45] <lowercase> I also checked ~/.ansible/* for an haproxy role as well and didn't find one
[14:47] <jrosser_> is this the line you are concerned about? https://zuul.opendev.org/t/openstack/build/016ee3f4ca9f47c9b8b69a3b04fa1749/log/logs/etc/host/haproxy/haproxy.cfg.txt#45
[14:47] <lowercase> and the plot thickens.
[14:47] <lowercase> Yes
[14:50] <lowercase> Okay, the issue comes from RUNNING HANDLER [haproxy_server : Regenerate haproxy configuration] *****************************************************task path: /etc/ansible/roles/haproxy_server/handlers/main.yml:37
[14:51] <jrosser_> so the haproxy role writes a whole bunch of config fragments into /etc/haproxy/conf.d/<blah>
[14:51] <jrosser_> then they are all glued together to make the config file
[14:51] <lowercase> makes sense
[14:52] <jrosser_> also tbh the date on the haproxy role is not really what matters, it is the git sha that is checked out there which is critical
[14:52] <lowercase> * (HEAD detached at df2e7af) df2e7af Fix haproxy_stats SSL path defenition
[14:53] <jrosser_> ok so that is the tip of stable/2023.1
[14:54] <jrosser_> you can check if you see the `reqadd` line in haproxy.conf, do you also see it in all the fragments in /etc/haproxy/conf.d/<...>
[14:55] <jrosser_> also can i check which playbook you are running which results in `[haproxy_server : Regenerate haproxy configuration] *****************************************************task path: /etc/ansible/roles/haproxy_server/handlers/main.yml:37`
[14:55] <lowercase> interesting, the only one that came back with the old style was `keystone_admin`
[14:56] <lowercase> - /etc/haproxy/conf.d# grep reqadd *keystone_admin:    reqadd X-Forwarded-Proto:\ https
[14:57] <lowercase> port 35357.. I'm not familiar with this service?
[14:59] <noonedeadpunk> I think it should have been dropped for a while
[15:00] <lowercase> It appears since Newton
[15:00] <lowercase> This environment can be about that age.
[15:00] <andrewbonney> https://github.com/openstack/openstack-ansible/commit/08dcc639eb678a167c62f14c56b0b5c76bf908c3
[15:01] <noonedeadpunk> it was removed in stein from what I see
[15:02] <noonedeadpunk> manila failure is now more cumbersome than before: https://877821c6012ddcb237b8-1e695c46ce38568fe2b9076122bc0b06.ssl.cf5.rackcdn.com/898914/5/check/openstack-ansible-deploy-aio_metal-ubuntu-jammy/65b132d/logs/openstack/aio1-utility/stestr_results.html
[15:02] <noonedeadpunk> lowercase: well, I guess I'd try to clean out /etc/haproxy/conf.d/ and re-run haproxy role
[15:03] <jrosser_> woah wait
[15:03] <jrosser_> 2023.1 means you need to re-run all roles for that?
[15:04] <noonedeadpunk> oh
[15:04] <noonedeadpunk> true
[15:04] <noonedeadpunk> I still can't get used to it...
[15:05] <noonedeadpunk> run setup-openstack.yml --tags haproxy-service-config
[15:06] <jrosser_> it's not sufficient to just delete the out-of-date config fragment though
[15:06] <noonedeadpunk> oh?
[15:06] <jrosser_> because iirc that does not trigger the handler / assemble task
[15:07] <noonedeadpunk> huh, I thought placing a fragment will cause change
[15:07] <noonedeadpunk> which will trigger assemble
[15:07] <jrosser_> you have to hit this https://github.com/openstack/openstack-ansible-haproxy_server/blob/stable/2023.1/tasks/haproxy_service_config.yml#L48
[15:07] <noonedeadpunk> (I was thinking to delete all fragments from /etc/haproxy/conf.d/)
[15:07] <jrosser_> or line 54
[15:08] <jrosser_> ooooh sorry yes i see
[15:08] <jrosser_> then re-run whole of setup-openstack with the tag, right
[15:08] <jrosser_> sorry my bad
[15:08] <noonedeadpunk> it was very good call about setup-openstack
[15:09] <jrosser_> i also did look at manila a bit
[15:09] <jrosser_> and one of the fails is from basic server ops which makes me think there is something fundamental broken with updating the tempest cirros image
[15:09] <noonedeadpunk> ah, yeah
[15:11] <jrosser_> but that did not make much sense though
[15:12] <jrosser_> one difference is the `visibility` here https://github.com/openstack/openstack-ansible-os_tempest/blob/master/vars/main.yml#L24-L30
[15:13] <lowercase> Alright, nuking the /etc/haproxy/conf.d/* ended up cleaning up a lot of the errors.
[15:13] <lowercase> Working on the last one.
[15:13] <jrosser_> excellent!
[15:15] <noonedeadpunk> yeah, default is private
[15:15] <noonedeadpunk> which won't fly
[15:15] <noonedeadpunk> good catch
[15:16] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Update cirros image for manila tempest  https://review.opendev.org/c/openstack/openstack-ansible/+/919702
[15:16] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Use NFS Ganesha 5  https://review.opendev.org/c/openstack/openstack-ansible/+/919714
[15:19] <lowercase> Wow! Thanks for keeping me going for another release
[15:19] <lowercase> I'm good to go.
[15:21] <jrosser_> no worries - there is some cool new stuff in 2023.1 about haproxy, we introduced support for "maps" there
[15:21] <jrosser_> https://www.haproxy.com/blog/introduction-to-haproxy-maps
[15:25] <lowercase> Wow, this could be game changing
[15:26] <jrosser_> i put very very generic code into the haproxy role
[15:26] <jrosser_> so i think it should be possible to construct anything that haproxy supports with maps, using the OSA vars
[15:27] <lowercase> I was previously really against running k8s hosting all the containers. Now with this change. I don't see why I wouldn't do that.
[15:27] <lowercase> I could do a whole release cycle this way
[15:28] <jrosser_> so as an example, here is a regex map defined for the "base" haproxy service (this 'base' thing is a new concept too and worth understanding) https://github.com/openstack/openstack-ansible/blob/master/inventory/group_vars/haproxy/haproxy.yml#L91-L96
[15:29] <jrosser_> and then here is a service defined for serving security.txt https://github.com/openstack/openstack-ansible/blob/master/inventory/group_vars/haproxy/haproxy.yml#L66-L69
[15:29] <jrosser_> that declares that it wants to put an entry into the map called "base_regex"
[15:32] <lowercase> okay okay.. i see the pieces.
[15:32] <lowercase> This makes sense.
[15:34] <jrosser_> you could do rate limits via maps and dynamically update them, or connect compute.example.com straight to the nova api with a map too
[15:34] <jrosser_> lots of possibilities
[15:35] <lowercase> OH SNAP
[15:35] <lowercase> dude this directly solves an issue with keystone I couldn't solve.
[15:37] <lowercase> As you just witnessed first hand, some of these environments are old old. One of the legacy choices was that the way keystone was bound to the AD requires that we specify each user for each project. This results in a very strict method of authenticating users. We have wanted to move to group based auth, but because of the legacy method we cannot
[15:38] <lowercase> If I could configure a separate instance of keystone and horizon. New keystone would bind using group objects, I could have both. and eventually move everyone off...
[15:40] <jrosser_> so something that i've not yet had time to look at is some way to leverage all this maps stuff for deployments where you want all the different api on different hostnames, rather than ports
[15:41] <jrosser_> and if done right it would be no problem to also have multiple keystones or horizons or whatever else
[15:43] <jrosser_> (assuming of course that you don't then get a gigantic mess with service catalog etc, but that's a different matter again)
[15:44] <lowercase> I think each keystone would have to know about each other. i.e. use the same fernet keys. I guess I'm thinking about this. If keystone queries nova. Keystone places a message on the MQ. Nova picks up the message and replies. How would nova know how to reply to the correct keystone?
[15:46] <lowercase> Having a Blue/Green environment is easy in that everyone is self contained. But if only two services are split. How would the reverse work
[15:46] <lowercase> Something to look into
[15:47] <noonedeadpunk> 1. Keystone does never query nova, it's vice versa
[15:47] <noonedeadpunk> 2. all services interact with keystone only through API - no messaging between services
[15:47] <noonedeadpunk> unless these are notifications
[15:48] <noonedeadpunk> so basically - can define a new keystone group, do integration, all kind of things, and then point haproxy frontend to it pretty much
[15:50] <noonedeadpunk> or do just some kind of ACL thingy, where only specific things go to specific backends....
[15:51] <jrosser_> i probably miss something totally obvious but you can't bind to AD twice with different settings, like having two identity providers?
[15:51] <jrosser_> ^ in the same keystone
[15:51] <noonedeadpunk> yeah, different domains
[18:21] <lowercase> Well, I just discovered that when I removed all the configs in /etc/haproxy/conf.d/ it also removed all the other configs
[18:22] <lowercase> Any chance there is a quick method of regen all the old configs?
[18:56] <opendevreview> Merged openstack/openstack-ansible master: Enable rabbitmq distro installation for distro scenario  https://review.opendev.org/c/openstack/openstack-ansible/+/917148
