Friday, 2024-07-12

<opendevreview> Merged openstack/openstack-ansible stable/2023.1: Bump SHAs for 2023.1  https://review.opendev.org/c/openstack/openstack-ansible/+/923968 [00:04]
<opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_magnum stable/2024.1: Manage Magnum resources with the last play host  https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/924033 [07:03]
<noonedeadpunk> cnilesh: question - you're installing on metal, without LXC, right? [08:30]
<noonedeadpunk> failed to work on your 2071952 yesterday - spawning sandbox now [08:30]
<opendevreview> Merged openstack/openstack-ansible-os_nova unmaintained/yoga: Update .gitreview for unmaintained/yoga  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/908481 [10:15]
<cnilesh> noonedeadpunk, yes yes, waiting for the workaround/patch [10:47]
<cnilesh> no_container: true [10:48]
<cnilesh> noonedeadpunk++ thank you sir [10:51]
<noonedeadpunk> yeah, will try to and let you know about results :) [10:55]
<cnilesh> noonedeadpunk++ thanks [10:55]
<cnilesh> noonedeadpunk, sorry for the late reply [10:55]
<f0o> anyone know what could cause this error? https://paste.opendev.org/show/bwXThB2b9a8b1POsi1Lv/ - I triple checked resolution and connectivity, deployer and 10.20.0.11 have connectivity and all ssh-keys are trusted [13:42]
<noonedeadpunk> f0o: have you tried to `export ANSIBLE_LOCAL_TEMP=/tmp`? [13:44]
<f0o> exact same error just with /tmp/ instead of /root/.ansible/tmp/ [13:45]
<noonedeadpunk> and filesystem is not in RO I assume? :) [13:46]
<f0o> this is a fresh Ubuntu Jammy installation straight from the ISO - which is even weirder... [13:46]
<f0o> haha nop, first thing I checked [13:46]
<f0o> it's also not full [13:46]
<noonedeadpunk> and that's for any random task, or just some specific one? [13:47]
<f0o> I'm failing to setup-hosts.yml so it's hard to say if it fails for other tasks too [13:48]
<noonedeadpunk> and fails pretty much at the very-very beginning? [13:48]
<f0o> if it's guaranteed to be on the 10.20.0.11 host then I can just create a new VM; it has nothing on it other than ssh-keys [13:48]
<f0o> yep [13:48]
<jrosser> noonedeadpunk: isn't the "None/None" at the end of that error a pointer to wrong version of ssh connection plugin? [13:50]
<jrosser> i seem to remember seeing similar when finding this https://github.com/openstack/openstack-ansible-plugins/commit/bbaf62e9233bd240da2bd3d613062cdeb9b5101e [13:50]
<noonedeadpunk> I frankly don't remember, but can be [13:51]
<jrosser> noonedeadpunk: also, kind of doh here https://github.com/MariaDB/mariadb-docker/issues/592 [13:52]
<noonedeadpunk> isn't it the same reason kinda? [13:53]
<jrosser> it's exactly the same [13:53]
<noonedeadpunk> as they right now not verifying only untrusted certs [13:53]
<noonedeadpunk> but not ones for wrong DNS [13:53]
<noonedeadpunk> and I guess in docker they're also trusted... [13:53]
<jrosser> f0o: what version of openstack-ansible are you using? [13:54]
<f0o> current master [13:54]
<jrosser> because you want to do development work? :) [13:55]
<f0o> sort of - still hunting down that OVS routing issue that I got [13:55]
<f0o> and want a reference AIO without my fancy stuff [13:55]
<noonedeadpunk> ah, master... [13:56]
<f0o> I can switch to stable/2023.2 that I got in prod [13:56]
<noonedeadpunk> I think on master you'd need that https://review.opendev.org/c/openstack/openstack-ansible/+/923951 [13:56]
<jrosser> try changing this to "master" https://github.com/openstack/openstack-ansible/blob/master/ansible-collection-requirements.yml#L14 [13:56]
<noonedeadpunk> if it wasn't failing :D [13:56]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump ansible collection versions  https://review.opendev.org/c/openstack/openstack-ansible/+/923951 [13:57]
<jrosser> f0o: you are encountering the thing i linked before https://github.com/openstack/openstack-ansible-plugins/commit/bbaf62e9233bd240da2bd3d613062cdeb9b5101e [13:57]
<f0o> fun :D [13:57]
<jrosser> but the version of the plugins collection you have there is pinned to a previous SHA, not tracking tip of master [13:57]
<noonedeadpunk> well, master is smth that's under active development. and it might work in CI, but not yet out of it [13:58]
<f0o> uhm is scripts/bootstrap-ansible.sh broken for stable/2023.2 ? [13:58]
<f0o> https://paste.opendev.org/show/bg4rXuTgNFKVUeE9J4eu/ [13:59]
<noonedeadpunk> it should not be [13:59]
<f0o> why is wget segfaulting O_O [13:59]
<noonedeadpunk> Segmentation fault for wget? [13:59]
<noonedeadpunk> yeah [13:59]
<f0o> neat... I guess whatever ISO I grabbed is FUBAR [14:00]
<f0o> apt reinstall wget; wget google -> segfault xD [14:00]
<noonedeadpunk> cnilesh: so... I was not able to catch a horizon issue in my AIO vm for 2023.1 :( [14:02]
<jrosser> right yes so as we merged the bump to ansible 2.17 yesterday we definitely need the plugins sha fixing [14:02]
<noonedeadpunk> it's working pretty much nicely [14:02]
<cnilesh> noonedeadpunk, ops [14:09]
<cnilesh> but 2/3 time its reproduced here in my testbed [14:10]
<cnilesh> any inputs ? [14:10]
<noonedeadpunk> frankly - no idea where to look even [14:10]
<noonedeadpunk> it's some Django thing [14:10]
<noonedeadpunk> Have you checked apache log regarding errors? [14:10]
<cnilesh> humn, which django file any guess [14:10]
<noonedeadpunk> As I'd assume it should be reported [14:10]
<cnilesh> only the single line reported on the bz [14:12]
<noonedeadpunk> doh, and no stack trace... [14:13]
<cnilesh> no [14:14]
<noonedeadpunk> aha [14:14]
<noonedeadpunk> ok [14:14]
<noonedeadpunk> I guess I know the issue [14:14]
<noonedeadpunk> Frankly - I've deployed with SSL and that's why I don't see the issue [14:14]
<cnilesh> ;) [14:14]
<cnilesh> yup yup [14:14]
<noonedeadpunk> I have a guess now [14:14]
<cnilesh> with ssl no issues [14:15]
<cnilesh> check the templates i shared on bz [14:15]
<cnilesh> i dnt think so thr is any issue in the template, [14:15]
<noonedeadpunk> I need to re-run all playbooks now to drop ssl :D [14:16]
<cnilesh> ;( [14:17]
<noonedeadpunk> ok, I've reproduced it [14:46]
<noonedeadpunk> cnilesh: try setting "horizon_external_ssl: False" and re-run os-horizon-install [14:48]
<noonedeadpunk> or better - openstack_external_ssl: False [14:49]
<cnilesh> noonedeadpunk, ok let me run [14:53]
<cnilesh> noonedeadpunk, one thing I also noticed, if I rerun the os-octavia-install.yml, it redownload the amphora [14:54]
<cnilesh> need to skip this task if it is already in the glance [14:54]
<noonedeadpunk> yeah, probably. there's a variable to skip that iirc [14:55]
<cnilesh> noonedeadpunk, also, 2023.1 is installed on ubuntu22.04, while octavia is downloading focal i.e. 20.04 amphora image, we need to update that well [14:57]
<jrosser> its not about the target OS really [14:57]
<jrosser> it is about having the right amphora version for the release of openstack [14:58]
<cnilesh> oh.... [14:58]
<noonedeadpunk> cnilesh: eventually, you're supposed to build own version of amphora images and update it regularly [14:58]
<cnilesh> I thought it is aligned with OS [14:58]
<jrosser> nope, it boots as a VM [14:59]
<cnilesh> sure [14:59]
<noonedeadpunk> as the thing we have defined as "default" image has "test-only" in its name: https://opendev.org/openstack/openstack-ansible-os_octavia/src/branch/master/defaults/main.yml#L316 [14:59]
<jrosser> so it could be a different OS entirely to the cloud hosts [14:59]
<jrosser> cnilesh: the octavia project give instructions on how to build your own amphora https://docs.openstack.org/octavia/latest/admin/amphora-image-build.html [15:00]
<jrosser> but the ones we reference in the OSA role default are not intended for production use [15:01]
<noonedeadpunk> (though they're built in almost the same way) [15:02]
<jrosser> indeed [15:02]
<noonedeadpunk> ok, I'm really unsure if we should drop `horizon_external_ssl` or not alike to keystone [15:35]
<noonedeadpunk> (talking about https://opendev.org/openstack/openstack-ansible-os_keystone/commit/e8d0f0db5f623f3a2ebbacca6b237f16f7d27202) [15:35]
<noonedeadpunk> mainly due to that: https://opendev.org/openstack/openstack-ansible-os_horizon/src/branch/master/templates/horizon_local_settings.py.j2#L52-L60 [15:36]
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Use openstack.osa.install_defaults role instead of vars_files  https://review.opendev.org/c/openstack/openstack-ansible/+/923358 [15:37]
<jrosser> cnilesh: can you describe what you want to do with a "no ssl" deployment? is it correct that you have no https between haproxy and the backends, and no https between your browser and horizon? [15:42]
<noonedeadpunk> yeah - it's described here: https://bugs.launchpad.net/openstack-ansible/+bug/2071952 [15:51]
<noonedeadpunk> or well - https://paste.openstack.org/show/b5B8n0KLXBzWicWj0Ttn/ [15:51]
<jrosser> yeah, but if the intention is to then put something like f5 on the front of haproxy to make it ssl, i dunno if any of this is valid [15:52]
<noonedeadpunk> I think it's just a POC and there were series of reports related to SSL [15:54]
<noonedeadpunk> as self-gen ssl was put in front of haproxy, but also in front of galera (and I think rabbitmq?) which didn't work out (as it was same SSL) [15:54]
<noonedeadpunk> so I think what happened - decision to simplify setup by dropping TLS... but dunno [15:56]
<jrosser> so there is some quite good explanation of the error here https://docs.djangoproject.com/en/5.0/ref/settings/#secure-proxy-ssl-header [15:57]
<noonedeadpunk> yup [16:01]
<noonedeadpunk> and that's why I thought of the keystone patch [16:01]
<noonedeadpunk> but frankly - I didn't understand fully the logic we should apply [16:02]
<noonedeadpunk> apparently - it's not ideal out of the box right now [16:02]
<noonedeadpunk> likely we also should drop https://opendev.org/openstack/openstack-ansible-os_horizon/src/branch/master/templates/openstack_dashboard.conf.j2#L45-L49 [16:02]
<noonedeadpunk> but keep SECURE_PROXY_SSL_HEADER ? [16:03]
<noonedeadpunk> so I can't say I understand 100% what we need to do in all of our usecases [16:04]
<noonedeadpunk> ie - no-tls, only haproxy tls, all tls... [16:04]
<noonedeadpunk> so no-tls is kinda easy - we should omit SECURE_PROXY_SSL_HEADER [16:05]
<noonedeadpunk> haproxy tls - likely add? But it also works nicely without it, just in case [16:05]
<noonedeadpunk> and then - full tls - we also don't need it? [16:05]
<jrosser> well https://opendev.org/openstack/openstack-ansible-os_horizon/src/branch/master/defaults/main.yml#L251-L252 [16:05]
<noonedeadpunk> I'm not sure that `horizon_secure_proxy_ssl_header` should exist at all... [16:06]
<noonedeadpunk> as it's used only in apache conf [16:07]
<noonedeadpunk> and we've just dropped same logic for keystone... [16:07]
<noonedeadpunk> so eventually, what I just did, set `horizon_external_ssl: false` while having tls on haproxy side. And I don't see any obvious issues... [16:07]
<noonedeadpunk> and it also works for no-tls case [16:08]
<noonedeadpunk> but I can be missing what is broken obviously [16:08]
<jrosser> i am wondering if there is some real legacy usecase that is confusing things [16:09]
<jrosser> https://opendev.org/openstack/openstack-ansible-os_horizon/commit/4283200534eafa444efd9bb408ddcb5c98a1d442 [16:10]
<jrosser> and just to make it more difficult it is haproxy > apache > uwsgi/django [16:14]
<jrosser> and at the same time we have maybe people trying to also point browser at the internal vip, that might be http or https [16:14]
<noonedeadpunk> it feels so, that there's legacy involved indeed [16:16]
<noonedeadpunk> but not sure what that usecase is [16:16]
<noonedeadpunk> as we never changed how haproxy behaved [16:16]
<noonedeadpunk> but changed haproxy<>apache [16:16]
<jrosser> no, but we may have confused things when adding ssl everywhere [16:16]
<jrosser> that we did not quite account for what was already in horizon setup [16:16]
<jrosser> as the patch i linked seems to suggest horizon was forever doing ssl on its own [16:17]
<noonedeadpunk> 1 [16:18]
<noonedeadpunk> yeah as well as keystone [16:18]
<noonedeadpunk> it never worked for real though [16:18]
<jrosser> i feel we may be tripping over 2 from that list [16:19]
<jrosser> but question is - where do we want to add the X-Forwarded-Proto? [16:20]
<jrosser> django docs say this should be stripped from incoming requests at the lb, added only for incoming requests at the lb which were https [16:22]
<jrosser> but we also mess with this at apache, which could be wrong [16:22]
<jrosser> so this is kind of not aligned with what the django docs say, that we set the header unconditionally https://opendev.org/openstack/openstack-ansible-os_horizon/src/branch/master/templates/openstack_dashboard.conf.j2#L45-L49 [16:26]
<jrosser> but why "Your proxy sets the X-Forwarded-Proto header and sends it to Django, but only for requests that originally come in via HTTPS." [16:31]
<cnilesh> https://bugs.launchpad.net/openstack-ansible/+bug/1902585 [17:59]
<cnilesh> jrosser, yes no SSL at all [18:11]
<jrosser> cnilesh: look at the fix we made for uwsgi backlog, we made a place you can override that [18:13]
<cnilesh> jrosser++ thank you sir [18:14]
<cnilesh> also may I know the significance of #reserved_host_disk_mb = 2048 [18:14]
<cnilesh> #reserved_host_memory_mb = 2048 [18:14]
<cnilesh> #reserved_host_disk_mb = 2048 [18:14]
<cnilesh> #reserved_host_memory_mb = 2048 [18:14]
<jrosser> cnilesh: here is a useful tool for that kind of question https://codesearch.opendev.org/?q=reserved_host_disk_mb [18:30]
<cnilesh> jrosser, thank you [18:31]
<cnilesh> so mch [18:31]
<jrosser> so thats a config option for nova [18:31]
<jrosser> and you'd find the reference guide for that here https://docs.openstack.org/nova/latest/configuration/config.html [18:32]
<jrosser> you need to reserve enough ram on the compute host for everything else that you might run there [18:32]
<jrosser> otherwise you could end up either swapping or with OOM trouble when nova allocates all the ram it thinks it can to vm [18:33]
<jrosser> maybe you run monitoring agents, or converge ceph storage onto your computes, or gpu drivers.... so this may need tuning to be a suitable value for your deployment [18:34]
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Use openstack.osa.install_defaults role instead of vars_files  https://review.opendev.org/c/openstack/openstack-ansible/+/923358 [19:23]
<ccnilesh> noonedeadpunk++ jrosser++ thank you so much [20:11]
