noonedeadpunk | jrosser: well, the thing is, that it's broken even when require_secure_transport is disabled | 07:26 |
---|---|---|
noonedeadpunk | so it feels it's client who tries to do SSL wherever possible | 07:27 |
noonedeadpunk | I tried asking in irc yesterday but with no luck - seems would need to make a zulip account instead | 07:29 |
andrewbonney | noonedeadpunk: I've added a note to your octavia keypair patch. Happy to try and find a fix, but thought it would be useful to write down the current state first | 07:35 |
noonedeadpunk | yeah, I guess upgrade hook to move keys might be easier here indeed | 07:36 |
andrewbonney | We'd need it in the future too though as it could get lost when rebuilding a utility container | 07:37 |
andrewbonney | Unless we view that as a necessary manual step | 07:37 |
noonedeadpunk | and drop ${HOME} with that | 07:37 |
noonedeadpunk | or, adjust openstack_resources role.... | 07:38 |
noonedeadpunk | we indeed can do multiple things here | 07:39 |
noonedeadpunk | then in fact we can try delegating to localhost this one: https://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/roles/openstack_resources/tasks/keypairs.yml#L26 | 07:46 |
andrewbonney | Do we still need a way to set the python interpreter explicitly or do you think it would work without that? | 07:48 |
andrewbonney | Yeah, delegation plus setting of python interpreter so it doesn't try to use the path from the utility container ought to work | 07:53 |
noonedeadpunk | we'd need cryptography installed | 07:53 |
noonedeadpunk | in terms of python | 07:54 |
andrewbonney | It seems to be installed for us, not sure if another deploy host dependency brings it in | 07:55 |
noonedeadpunk | it should be in /opt/ansible-runtime at least | 07:55 |
noonedeadpunk | but not sure about default python on deploy host | 07:55 |
andrewbonney | Ah yes, the version is much more current in there | 07:56 |
andrewbonney | I must be doing something stupid. Trying to override the python interpreter for that task always seems to fall back to the container host path | 08:35 |
andrewbonney | Ah, variable precedence fun | 08:40 |
opendevreview | Andrew Bonney proposed openstack/openstack-ansible-plugins master: Enable use of alternative host for keypair generation and storage https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/922919 | 08:50 |
andrewbonney | ^ that appears to work, but variable precedence makes it messier than I'd like | 08:51 |
noonedeadpunk | I'm really not sure about defaults you've set... As not to break upgrades, it should kinda point to localhost/ansible-runtime venv? | 09:13 |
andrewbonney | That's fine, those are certainly what I've used as overrides when testing it, I just wasn't sure whether to maintain old or new behaviour by default | 09:15 |
noonedeadpunk | but as you said - we need to "backup" the key regardless? | 09:19 |
jrosser | noonedeadpunk: for the mariadb client i found also some stuff in the docs about client-mariadb section | 09:19 |
jrosser | which would be specific config only for the cli client | 09:19 |
jrosser | it might be that it inherits "always ssl" from some other part of the config | 09:19 |
jrosser | our config file templates probably need updating to be more specifically targeting the cli client | 09:20 |
andrewbonney | noonedeadpunk: I don't think backup is needed once we have the delegation | 09:20 |
noonedeadpunk | yeah, but by default now it's set to delegate to utility still? | 09:21 |
andrewbonney | Ah yes, I was going to change that to localhost if you think that's suitable. If so we don't need extra tasks | 09:21 |
noonedeadpunk | or we can pass openstack_resources_deploy_host during role include in octavia specifically | 09:22 |
andrewbonney | Happy to go with either preference. The only unfortunate thing about changing the default is having the ansible-runtime path directly in the plugins repo, but it has to go somewhere | 09:24 |
noonedeadpunk | yeah..... | 09:25 |
jrosser | ansible_playbook_python ? | 09:25 |
jrosser | that should be the path to the interpreter on the ansible host | 09:26 |
andrewbonney | Ah I didn't think that would work with all the overriding going on, but it does appear to | 09:28 |
opendevreview | Andrew Bonney proposed openstack/openstack-ansible-plugins master: Enable use of alternative host for keypair generation and storage https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/922919 | 09:33 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Update mariadb to 11.4.2 https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/922377 | 11:05 |
noonedeadpunk | jrosser: frankly - I'm not sure how to change client configuration in a sufficient way | 11:05 |
noonedeadpunk | as then there's also a debian-start that defines defaults-file for client explicitly | 11:06 |
noonedeadpunk | and that's kind of /o\ default to begin with | 11:07 |
opendevreview | Merged openstack/openstack-ansible-os_nova stable/2024.1: Update conditions for kernel statoverride https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/922712 | 11:42 |
opendevreview | Merged openstack/openstack-ansible-os_nova stable/2023.2: Update conditions for kernel statoverride https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/922713 | 15:58 |
opendevreview | Merged openstack/openstack-ansible-plugins master: Enable use of alternative host for keypair generation and storage https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/922919 | 16:13 |