opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Remove remove_container_journal common task file https://review.opendev.org/c/openstack/openstack-ansible/+/923366 | 09:29 |
---|---|---|
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Remove dynamic-grouping common task file https://review.opendev.org/c/openstack/openstack-ansible/+/923367 | 09:29 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Use haproxy_endpoint_manage role from osa collection rather than common-tasks https://review.opendev.org/c/openstack/openstack-ansible/+/923368 | 09:29 |
jrosser | noonedeadpunk: so i did wonder if the need for apache in the horizon role was needed, as everywhere else we do tls in uwsgi for backends | 10:44 |
jrosser | and the other thing you might want to use a real web server for, caching of static assets could also be done in haproxy | 10:45 |
noonedeadpunk | so you mean we could use just uwsgi for horizon? | 10:46 |
jrosser | there certainly seems to be support for that in the role | 10:46 |
noonedeadpunk | cloudnull added it quite lately - I never tested it frankly speaking | 10:47 |
noonedeadpunk | as haproxy can serve static content only on "localhost" only? | 10:47 |
noonedeadpunk | It can't serve it on remote backend obviously | 10:47 |
noonedeadpunk | and then - we need to sync static content generated by horizon to haproxy hosts, which is really weird flow... | 10:48 |
jrosser | noooo https://www.haproxy.com/documentation/haproxy-configuration-tutorials/network-performance/caching/ | 10:48 |
noonedeadpunk | yeah, but you still need web server on backend serving static content? | 10:48 |
noonedeadpunk | so it could be cached? | 10:48 |
jrosser | https://lincolnloop.com/insights/serving-static-files-uwsgi/ | 10:49 |
noonedeadpunk | oh | 10:49 |
noonedeadpunk | I thought it's not supported... | 10:49 |
jrosser | so it is possible (from some years ago blog post.....) | 10:50 |
noonedeadpunk | yeah. fair | 10:50 |
jrosser | anyway - it is a choice we could make to have horizon role be more similar to the other service roles | 10:51 |
jrosser | but also we can probably figure out if the current handling of headers in the apache setup is correct/wrong | 10:51 |
noonedeadpunk | we have apache in skyline now as well..... | 10:52 |
noonedeadpunk | but there're bunch of rewrites we need | 10:53 |
noonedeadpunk | maybe we can do them on haproxy though.... | 10:53 |
noonedeadpunk | but failed to make them working there | 10:54 |
noonedeadpunk | yeah, I guess right now I'd rather drop unneeded parts from the role, and dropped nginx from repo_server, to have only apache... | 10:55 |
jrosser | yes - simplification is good | 10:57 |
noonedeadpunk | btw skyline is missing tls part - just noticed that... | 10:58 |
noonedeadpunk | haproxy<>skyline part | 10:58 |
opendevreview | OpenStack Release Bot proposed openstack/openstack-ansible unmaintained/zed: Update .gitreview for unmaintained/zed https://review.opendev.org/c/openstack/openstack-ansible/+/924139 | 11:14 |
opendevreview | OpenStack Release Bot proposed openstack/openstack-ansible master: reno: Update master for unmaintained/zed https://review.opendev.org/c/openstack/openstack-ansible/+/924140 | 11:14 |
gaudenz | Just noticed that https://review.opendev.org/c/openstack/openstack-ansible/+/921976 introduces a new " releasenotes" directory (with space as first character). This is probably not intended. Is this already known or should I submit a fix? | 11:34 |
noonedeadpunk | oh, yes, that should be fixed | 11:41 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Remove incorrect ' releasenotes' directory https://review.opendev.org/c/openstack/openstack-ansible/+/924144 | 11:44 |
jrosser | gaudenz: ^ there we go, that should fix it | 11:44 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone master: Combine Ubuntu/Debian vars together https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/924146 | 12:34 |
opendevreview | Merged openstack/openstack-ansible master: Use openstack.osa.install_defaults role instead of vars_files https://review.opendev.org/c/openstack/openstack-ansible/+/923358 | 12:46 |
jrosser | mnaser: seems crazy we all have different websso keystoneauth plugins :( | 12:59 |
mnaser | jrosser: I agree. I feel like this needs to live natively inside keystone, but I don't know if we can ever get that to merge lol | 13:05 |
jrosser | mnaser: at the point we understood what we were doing with the plugin from IFCA i did try to do that, without success | 13:06 |
mnaser | be nice to get started with https://review.opendev.org/c/openstack/keystone/+/893737 | 13:07 |
mnaser | lolew | 13:07 |
mnaser | lol* | 13:07 |
noonedeadpunk | oh yes... | 13:07 |
jrosser | oh /o\ yes | 13:07 |
andrewbonney | ^ looks like that's being downvoted in favour of https://review.opendev.org/c/openstack/keystone/+/910337 at the moment | 13:07 |
noonedeadpunk | but this is safer alternative I guess https://review.opendev.org/c/openstack/keystone/+/910337 | 13:07 |
noonedeadpunk | yeah | 13:07 |
noonedeadpunk | just a release note is missing | 13:08 |
noonedeadpunk | I can write that... | 13:08 |
jrosser | noonedeadpunk: for moving playbooks into openstack-ansible-plugins, do you have any good ideas for the zuul config? | 13:17 |
jrosser | taking the example of haproxy-install.yml, which i was looking at first, seems there is not an easy way to use the zuul project-templates we already have | 13:18 |
jrosser | because you'd want `files: playbooks/haproxy_install` to be the thing triggering the job, and as far as i can see we can only apply files: to a job definition | 13:20 |
cnilesh | https://bugs.launchpad.net/openstack-ansible/+bug/2073116 | 13:21 |
noonedeadpunk | jrosser: do we have such jobs anywhere? that will trigger specific playbook by its change? | 13:21 |
jrosser | oh no, like when you make a review changing playbooks/haproxy-install.yml in the ops repo, we need to run suitable jobs for that | 13:22 |
noonedeadpunk | but we don't have such jobs now? | 13:22 |
noonedeadpunk | do we? | 13:22 |
noonedeadpunk | so we should be able to define them in ops repo I guess... | 13:23 |
jrosser | no we don't, but you kind of get "free" testing through the regular jobs on openstack-ansible repo | 13:23 |
noonedeadpunk | yeah, gotcha | 13:23 |
jrosser | and some like the validate and infra jobs are triggered on specific playbooks being edited | 13:23 |
jrosser | we could totally do it, but right now it looks somewhat like duplicating a lot of jobs out of the integrated repo | 13:24 |
noonedeadpunk | ok, yeah, you mean that https://opendev.org/openstack/openstack-ansible/src/branch/master/zuul.d/jobs.yaml#L315-L343 | 13:24 |
noonedeadpunk | but we likely can just move that to ops repo. other way could be ofc to define such jobs in the zuul trusted repo, where you can trigger jobs in project X by changes in project Y... | 13:26 |
jrosser | pretty much - my first thing i was looking at was the things in setup-infrastructure | 13:26 |
noonedeadpunk | but not sure about that approach | 13:26 |
jrosser | for example we need to be able to test a change to playbooks/designate-install.yml if we move it to the plugins repo | 13:27 |
jrosser | anyway - i'm just wanting to avoid a big mess of job definitions in too many places | 13:28 |
noonedeadpunk | as of today, I don't think we are in fact testing much, rather than just linters for playbooks. | 13:33 |
noonedeadpunk | but then, we kinda need to define a job per playbook with scenario, or smth like that | 13:33 |
noonedeadpunk | or, finally do molecule testing | 13:33 |
noonedeadpunk | which is slightly different topic... | 13:34 |
noonedeadpunk | but yeah, I get the concern | 13:34 |
noonedeadpunk | and it's very valid | 13:34 |
noonedeadpunk | and yeah - would be nice to keep jobs in the same place.... | 13:35 |
noonedeadpunk | and not create another "tests" repo... | 13:36 |
noonedeadpunk | but other way would be to install integrated repo as a collection then.... | 13:36 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Improve regex matching for infra_lxc_validate job https://review.opendev.org/c/openstack/openstack-ansible/+/924155 | 13:55 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Add haproxy-install playbook https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924156 | 13:56 |
jrosser | ^ slightly unsure if the depends-on and cross repo `files: ....` will work | 13:57 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Improve regex matching for infra_lxc_validate job https://review.opendev.org/c/openstack/openstack-ansible/+/924155 | 13:58 |
noonedeadpunk | so.. I was thinking if we should actually drop `install` part from playbook names | 14:06 |
noonedeadpunk | as in fact - that is slightly confusing, since playbooks are designed also for day2 kinda, not only installation | 14:06 |
jrosser | yes we could do that, and if my experiment with the haproxy one works we could have the same files: declaration work for both openstack-ansible and plugins repo | 14:07 |
noonedeadpunk | like - wouldn't it be nicer to have just `openstack-ansible openstack.osa.haproxy`? | 14:07 |
noonedeadpunk | yeah, and we can even define a new template then I guess | 14:07 |
noonedeadpunk | that would be sweet | 14:08 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Update repo server service user https://review.opendev.org/c/openstack/openstack-ansible/+/924157 | 15:03 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-repo_server master: Replace Nginx with Apache2 https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/924162 | 15:07 |
jrosser | noonedeadpunk: maybe an apache role would be nice too at some point | 15:21 |
jrosser | code is probably mostly the same currently in horizon / keystone / repo / skyline | 15:21 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Add haproxy-install playbook https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924156 | 15:40 |
jrosser | ah cool ^ that's queued up all the *_infra_* jobs for the plugins repo change | 15:43 |
opendevreview | Merged openstack/openstack-ansible master: Remove remove_container_journal common task file https://review.opendev.org/c/openstack/openstack-ansible/+/923366 | 15:46 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Add variables and hook for high-availability k8s control plane test https://review.opendev.org/c/openstack/openstack-ansible-ops/+/923173 | 15:54 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Add support for deploying mcapi control plane k8s on rocky linux https://review.opendev.org/c/openstack/openstack-ansible-ops/+/923447 | 15:54 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Add support for deploying mcapi control plane k8s on debian-12 https://review.opendev.org/c/openstack/openstack-ansible-ops/+/923586 | 15:54 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Use haproxy_install playbook from openstack-ansible-plugins repo https://review.opendev.org/c/openstack/openstack-ansible/+/924168 | 15:58 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Add haproxy-install playbook https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924156 | 16:36 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Add infrastructure playbooks to openstack-ansible-plugins collection https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924171 | 16:40 |
noonedeadpunk | jrosser: it's very different right now... but yes, probably it's a good idea | 18:49 |
noonedeadpunk | even different in terms of mpm config - like horizon tries to use worker, while keystone does configure event.... | 18:58 |
noonedeadpunk | So on metal right now it's gonna be huuuuge mess... | 18:59 |
noonedeadpunk | and role should help indeed.... | 18:59 |
noonedeadpunk | Though I wonder how to pass vhost template to such role basically | 18:59 |
noonedeadpunk | so yeah, a role should help indeed | 19:03 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-repo_server master: Replace Nginx with Apache2 https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/924162 | 19:20 |
noonedeadpunk | do you think I should come up with a role right away? | 19:21 |
noonedeadpunk | and transition repo just to usage of the role? | 19:21 |
jrosser | perhaps - like you say the vhost is a little bit interesting to template | 19:24 |
noonedeadpunk | ofc it can be passed as a text.... but very meh | 19:25 |
noonedeadpunk | or be quite creative and make a really nice apache role | 19:25 |
noonedeadpunk | with complexity of haproxy level... | 19:25 |
jrosser | i wonder if it is structured enough to make a yaml of | 19:26 |
noonedeadpunk | but that would help to solve mpm mess at very least... | 19:26 |
jrosser | because lots of it is <foo> stuff </foo> | 19:27 |
noonedeadpunk | well, how to yaml that... https://opendev.org/openstack/openstack-ansible-os_skyline/src/branch/master/templates/skyline.vhost.j2#L33-L45 | 19:27 |
noonedeadpunk | move generator to yaml? | 19:27 |
noonedeadpunk | and then iter over locations in template.... | 19:27 |
noonedeadpunk | yeah... | 19:27 |
noonedeadpunk | and then keystone and sso - is just /o\ | 19:27 |
noonedeadpunk | like - all is possible, just needs quite some effort/time. | 19:29 |
noonedeadpunk | but that would make total sense... | 19:29 |
noonedeadpunk | and, I guess, it's worth having own repo as well | 19:29 |
noonedeadpunk | as such role gonna be quite generic I assume... | 19:29 |
noonedeadpunk | or maybe just use default one... https://github.com/geerlingguy/ansible-role-apache | 19:30 |
jrosser | so i guess the other alternative is to somehow let the role caller supply a template | 19:30 |
jrosser | noonedeadpunk: i did also recently make an action plugin that called the python template/templar thing to generate something that was impossible with filters | 19:39 |
jrosser | so there are lots of options | 19:40 |
jrosser | this is odd https://zuul.opendev.org/t/openstack/build/78637cede4234d139c0d24bcdb43840d/log/job-output.txt#16534-16539 | 19:51 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Use haproxy_install playbook from openstack-ansible-plugins repo https://review.opendev.org/c/openstack/openstack-ansible/+/924168 | 19:54 |
noonedeadpunk | what is weird, is that such failures now are falling under retry_limit... | 19:55 |
noonedeadpunk | I wouldn't expect regular failures to be retried frankly speaking | 19:56 |
noonedeadpunk | unless we somehow started executing main part in pre_run | 19:56 |
NeilHanlon | fyi folks, i'll be out for the next couple weeks on holiday, beginning tomorrow. if you need anything rocky/infra related feel free to nag Sokel in irc.libera.chat:#rockylinux :) | 19:57 |
noonedeadpunk | thanks for heads up - now we know who else to annoy :D | 20:14 |
noonedeadpunk | have a good one! | 20:14 |
jrosser | i have seen a whole buncy of retry failure this evening which i don't really understand | 20:15 |
jrosser | *bunch | 20:15 |
noonedeadpunk | so validate didn't pick up the required action: https://zuul.opendev.org/t/openstack/build/3d20b8284e6c4b5fa7c07e1d4a12837b/log/job-output.txt#3931-3933 | 20:26 |
noonedeadpunk | or it does... | 20:28 |
noonedeadpunk | one thing I've spotted is this: https://opendev.org/openstack/openstack-ansible/src/branch/master/tests/roles/bootstrap-host/vars/main.yml#L47 | 20:30 |
noonedeadpunk | and integrated added here: https://opendev.org/openstack/openstack-ansible/src/branch/master/zuul.d/playbooks/pre-gate-scenario.yml#L51-L53 | 20:31 |
noonedeadpunk | but wtf does validate do at all, lol | 20:31 |
noonedeadpunk | though it seems to work otherwise :D | 20:32 |
jrosser | well, “validate” was just a word for running sufficiently complex tests when we touched certain playbooks, which might not run galera/rabbit cluster but could totally break those | 20:43 |