Wednesday, 2024-07-17

07:18 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Improve regex matching for infra_lxc_validate job https://review.opendev.org/c/openstack/openstack-ansible/+/924155
07:50 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Use hosts setup playbooks from openstack-ansible-plugins repo https://review.opendev.org/c/openstack/openstack-ansible/+/924259
07:56 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-ops master: Add support for deploying mcapi control plane k8s on rocky linux https://review.opendev.org/c/openstack/openstack-ansible-ops/+/923447
07:56 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-ops master: Add support for deploying mcapi control plane k8s on debian-12 https://review.opendev.org/c/openstack/openstack-ansible-ops/+/923586
07:56 <jrosser> could do with this merged https://review.opendev.org/c/openstack/openstack-ansible/+/923368
08:03 * noonedeadpunk checking
08:04 <noonedeadpunk> one thing to notice - is that tags: -always won't work without proper apply
08:04 <noonedeadpunk> which, I think, is crucial in this case
08:07 <noonedeadpunk> or pre_tasks are always executed?
08:14 <noonedeadpunk> ok, let's fix that in a follow-up
08:26 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Update ssh service name for modern debian based systems. https://review.opendev.org/c/openstack/openstack-ansible/+/924306
08:29 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Update ssh service name for modern debian based systems. https://review.opendev.org/c/openstack/openstack-ansible/+/924306
08:38 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Add infrastructure playbooks to openstack-ansible-plugins collection https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924171
08:38 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Properly apply `always` tag to haproxy_endpoint_manage https://review.opendev.org/c/openstack/openstack-ansible/+/924307
08:51 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Skip importing haproxy_service_config with no haproxy hosts https://review.opendev.org/c/openstack/openstack-ansible/+/924308
09:04 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Fix incorrect copying of sources.list.d to container image https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/924309
09:04 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Add libpython entry for Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/924310
09:11 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Permit Ubuntu Noble for deploy host and targets in requirements checks https://review.opendev.org/c/openstack/openstack-ansible/+/924311
09:20 <jrosser> noonedeadpunk: i already did look a small amount at noble support as soon as it was released
09:21 <jrosser> but i did not get very far with LXC on noble unfortunately
09:21 <jrosser> i tried again just now and these are the patches that get to failure to start the lxc https://review.opendev.org/q/topic:%22osa/noble%22
09:27 <jrosser> like this https://paste.opendev.org/show/bspOKueFnRNtFOOMxcKF/
09:29 <jrosser> oh [ 4728.019644] audit: type=1400 audit(1721208370.799:1246): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=74697 comm="(sd-gens)" flags="rw, rslave"
09:39 <noonedeadpunk> I can recall that they did update smth for apparmor quite recently (like a week or 2 ago)
09:39 <noonedeadpunk> to be slightly less restrictive
09:40 <jrosser> looks like this https://discuss.linuxcontainers.org/t/failed-to-fork-off-sandboxing-environment-for-executing-generators-protocol-error/19521/3
09:40 <noonedeadpunk> https://www.omgubuntu.co.uk/2024/06/apparmor-update-fix-coming-ubuntu
09:41 <noonedeadpunk> yeah, ok
09:41 <jrosser> and the apparmor file i have installed in my vm here is different from https://github.com/lxc/lxc/blob/lxc-5.0.3/config/apparmor/abstractions/start-container.in
09:42 <jrosser> so somehow this is all messy
09:42 <noonedeadpunk> and here's a blog: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
09:42 <noonedeadpunk> I wonder if `sysctl -w kernel.apparmor_restrict_unprivileged_userns=0` would help?
09:43 <noonedeadpunk> but lxc shouldn't use unconfined profile on ubuntu iirc
09:43 <noonedeadpunk> maybe it's different though
12:52 <jrosser> huh `lxc.apparmor.profile = generated`
12:54 <noonedeadpunk> huh....
12:55 <jrosser> so what i did was download and boot the upstream 24.04 image
12:55 <jrosser> *lxc image
12:56 <jrosser> and that line is in the config file, but missing from ours
12:58 <noonedeadpunk> we have that: https://opendev.org/openstack/openstack-ansible/src/branch/master/inventory/group_vars/all_containers.yml#L19
12:58 <noonedeadpunk> which I'd assume should end up in container config?
13:00 <noonedeadpunk> and that's the profile: https://opendev.org/openstack/openstack-ansible-lxc_hosts/src/branch/master/templates/lxc-openstack.apparmor.j2
13:00 <noonedeadpunk> so apparently, smth is just missing there
13:00 <jrosser> doesn't that get put in the config after the first start of the container?
13:00 <jrosser> the issue i have is that the very first time they are started it all goes bad and they fail
13:01 <noonedeadpunk> I think it should be put on creation
13:01 <noonedeadpunk> https://opendev.org/openstack/openstack-ansible-lxc_container_create/src/branch/master/tasks/lxc_container_config.yml#L17-L26
13:01 <jrosser> at the point of creation i have https://paste.opendev.org/show/boQ7IQNNU7qMZwktdhPk/
13:08 <noonedeadpunk> well, at least I'd expect that to happen before first startup
13:08 <jrosser> https://paste.opendev.org/show/bIkSSS2ROb0vOZS17mOL/
13:14 <jrosser> ultimate lxc_container_create.yml is run before lxc_container_config.yml
13:14 <jrosser> ultimately*
13:16 <noonedeadpunk> yeah, true
13:16 <noonedeadpunk> though it's kinda weird...
13:17 <noonedeadpunk> even see it here https://opendev.org/openstack/openstack-ansible-lxc_container_create/src/branch/master/tasks/main.yml#L70-L90
13:18 <jrosser> i think that until you lxc-start it (or via the ansible module) the things in /var/lib/lxc/<container> don't exist
13:18 <jrosser> so we do start -> configure -> restart
13:18 <noonedeadpunk> https://opendev.org/openstack/openstack-ansible-lxc_container_create/src/branch/master/tasks/lxc_container_create_dir.yml#L23
13:19 <noonedeadpunk> but we also supply a config there
13:20 <noonedeadpunk> which is this by default: https://opendev.org/openstack/openstack-ansible-lxc_hosts/src/branch/master/templates/lxc-openstack.conf.j2
13:21 <noonedeadpunk> so adding some profile there might help....
13:21 <jrosser> yeah just trying
13:22 <jrosser> thanks for the pointer - i was trying to figure out where the startup config came from
13:23 <jrosser> \o/ that's working
13:26 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: Respect defined interface for external VIP with LE https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/924333
13:26 <jrosser> ok this now fails later on our lxc-openstack apparmor profile
13:27 <jrosser> i wonder why we need that above the system one
13:28 <noonedeadpunk> we templated there some custom paths...
13:28 <noonedeadpunk> but not sure
13:28 <noonedeadpunk> we could just do override of system profile if needed, I guess
13:28 <noonedeadpunk> and also - that "just worked" and was never touched for years now...
13:29 <noonedeadpunk> could be that system one was insufficient somewhere at 16.04....
13:31 <jrosser> yes, i'm just trying without that now and see what happens
13:31 <jrosser> there was some historical hack for debian to run them unconfined which is not great
15:18 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Skip importing haproxy_service_config with no haproxy hosts https://review.opendev.org/c/openstack/openstack-ansible/+/924308
15:21 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Install systemd-resolved into container base image for Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/924339
15:26 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts master: Use generated apparmor profile by default in lxc base config https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/924340
15:33 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Ensure haproxy_service_config targets right host group https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924341
15:47 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342
15:55 <noonedeadpunk> every time I try to deploy smth more than a sandbox - I hit quite /o\ bugs....
15:56 <jrosser> i know what you mean
15:56 <jrosser> like every time we do a lab install after a release there's a slew of things to fix
15:56 <noonedeadpunk> makes me wonder if our codebase is that bad or it's just our awareness of capabilities that keeps pushing limits?
15:57 <jrosser> complexity management maybe
15:57 <noonedeadpunk> yeah, might be...
15:57 <jrosser> like all these with / without ssl questions, i can't keep the model of all that in my head
15:58 <jrosser> overall, simplifying would be good where we can
15:59 <jrosser> has that haproxy env.d thing been there forever?
15:59 <jrosser> oh right yes haproxy in containers
15:59 <jrosser> i literally never did that
16:09 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Permit Ubuntu Noble for deploy host and targets in requirements checks https://review.opendev.org/c/openstack/openstack-ansible/+/924311
16:11 <noonedeadpunk> like it feels code is getting better and more stable overall, but seeing so many things kinda sucks... so somehow got low on morale today :(
16:11 <jrosser> i've found it good to keep a list of all the broken things
16:11 <jrosser> then move them to a list of fixed things when i sort them out
16:12 <jrosser> shows progress rather than just feeling like * is broken
16:12 <jrosser> because omg the magnum stuff is like patch the whole world just to land small changes
16:14 <jrosser> so i did get a 24.04 vm to get through the container setup
16:14 <jrosser> there is some issue with the name of the netcat package in haproxy
16:14 <jrosser> need to wipe it and start again as i don't trust the apparmor setup any more after hacking on it
16:18 <jrosser> btw the thing i find most bad for morale is the situation with the unmaintained branches
16:19 <jrosser> it does not seem possible to find time to fix the total breakage from the branch renaming, for something that was pretty much working beforehand
16:19 <jrosser> it's kind of some form of vandalism :(
16:35 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-openstack_hosts master: Add vars for Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/924344
16:35 <noonedeadpunk> oh, yes, unmaintained really sucks...
16:36 <noonedeadpunk> And I don't feel that the motivation behind the change really justifies the change itself
16:37 <noonedeadpunk> but I felt kinda better when Yoga and Zed passed CI lately
16:37 <noonedeadpunk> and frankly - it wasn't _that_ horrible on paper...
16:41 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-haproxy_server master: Combine debian and ubuntu vars, adding support for Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/924345
16:43 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342
16:45 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Rename haproxy_hosts to load_balancer_hosts https://review.opendev.org/c/openstack/openstack-ansible/+/924348
16:45 <noonedeadpunk> dunno how much sense this makes... but see no other good outcome ^
16:46 <noonedeadpunk> as while https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924341 fixes the immediate issue, it's really very easy to shoot yourself in the leg with this...
16:49 <jrosser> i thought we had a similar thing with ironic
16:49 <jrosser> where the groups were all mixed up
16:50 <jrosser> or anyway, i'm sure we've had it that the containers/physical hosts were confused somewhere else, and there was an inventory fix for it
16:52 <noonedeadpunk> yeah, and likely haproxy is not the only place still
16:52 <noonedeadpunk> and yes, I think it was Ironic indeed
16:54 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Rename haproxy_hosts to load_balancer_hosts https://review.opendev.org/c/openstack/openstack-ansible/+/924348
16:54 <jrosser> i was just looking for the patch
16:54 <jrosser> i think i also made a subtle mistake in the k8s env.d file initially that had very similar outcome
16:58 <jrosser> yeah so your patch 924348 does what i'd expect, have two names haproxy and loadbalancer, just like we have keystone and identity for example
17:03 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Rename haproxy_hosts to load_balancer_hosts https://review.opendev.org/c/openstack/openstack-ansible/+/924348
17:03 <noonedeadpunk> yeah, but keeping ability to use haproxy_hosts still
17:11 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-memcached_server master: Use the netcat-openbsd package on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible-memcached_server/+/924350
17:12 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-haproxy_server master: Combine debian and ubuntu vars, adding support for Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/924345
17:13 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342
17:13 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342
17:36 <jrosser> noonedeadpunk: actually if you make something working with containerised haproxy we could test that in the infra jobs
17:36 <jrosser> because right now i think we never ever deploy keepalived in any tests
17:37 <noonedeadpunk> yeah, I'm writing some doc around that right now
17:37 <noonedeadpunk> it's a bit... messy I'd say...
17:38 <noonedeadpunk> But totally doable
17:38 <noonedeadpunk> and assumes at least https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924341 being present
17:38 <noonedeadpunk> and yeah, actually that's a good idea to have keepalived deployed
18:16 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Add documentation on spawning HAProxy inside LXC https://review.opendev.org/c/openstack/openstack-ansible/+/924353
18:16 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-galera_server master: Use mirror.mariadb.org to install packages from https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/924354
18:16 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-galera_server master: Remove installation of libaio1 https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/924355
18:16 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Add documentation on spawning HAProxy inside LXC https://review.opendev.org/c/openstack/openstack-ansible/+/924353
18:16 <noonedeadpunk> here it goes ^
18:17 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342
18:17 <noonedeadpunk> about mariadb... I think infra is mirroring from downloads ?
18:18 <noonedeadpunk> also - mirror.mariadb.org contains a confusingly small amount of releases?
18:19 <jrosser> yes and no
18:19 <jrosser> they are all here https://mirror.mariadb.org/repo/10.11/ubuntu/pool/main/m/mariadb/
18:20 <noonedeadpunk> ah
18:20 <jrosser> for some reason they also have a top level dir for whatever the latest release is, but that just looks like a bad idea as it will change
18:21 <jrosser> you are right we need to update system-config for the mirror location
18:21 <jrosser> i think it will break currently as we use the mirror but the path will be wrong
18:23 <noonedeadpunk> wait. but we also used to add repo specifically for the minor release?
18:24 <noonedeadpunk> especially for rhel results will be very different?
18:25 <noonedeadpunk> is "http://{{ galera_repo_host }}/MariaDB/mariadb-{{ galera_major_version }}.{{ galera_minor_version }}" giving specific major/minor, while http://{{ galera_repo_host }}/yum/{{ galera_major_version }}/{{ansible_facts['distribution'] | lower }} will give always latest from major?
18:25 <jrosser> oh because pinning is not a thing there?
18:25 <noonedeadpunk> yeah
18:25 <jrosser> doh
18:25 <noonedeadpunk> well... there might be some plugin for dnf implementing pinning...
18:25 <noonedeadpunk> but I think that was the reason for selecting downloads.mariadb.com before
18:26 <jrosser> could be - though it looks like totally different content now
18:27 <jrosser> ooooh hold on
18:27 <noonedeadpunk> but there's noble as well? https://downloads.mariadb.com/MariaDB/mariadb-11.4.2/repo/ubuntu/
18:27 <jrosser> here too https://downloads.mariadb.com/MariaDB/mariadb-10.11.8/repo/ubuntu/dists/
18:27 <jrosser> i'll redo this
18:27 <noonedeadpunk> yeah
18:27 <jrosser> what we actually need to do is update to 10.11.8
18:29 <noonedeadpunk> yeah, makes sense until 11.4 is fixed
18:30 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-galera_server master: Remove installation of libaio1 https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/924355
18:30 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-galera_server master: Update to version 10.11.8 https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/924357
18:31 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342
18:31 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Add documentation on spawning HAProxy inside LXC https://review.opendev.org/c/openstack/openstack-ansible/+/924353
18:33 <noonedeadpunk> jrosser: ubuntu 24.04 has libaio1t64
18:33 <noonedeadpunk> but not sure what's needed....
18:33 <noonedeadpunk> or well, why it's needed
18:33 <jrosser> when you say "For instance, running these services on bare metal assumes that a default route for hosts should be set via Public API gateway" - this is actually meaning you need your bare metal hosts to have an address in a subnet with a default route?
18:34 <jrosser> API gateway is kind of an odd term that suggests some fancy enterprise product :)
18:34 <noonedeadpunk> Yeah, wording is awful...
18:35 <noonedeadpunk> But what I meant, is that default route should be in haproxy_keepalived_external_vip_cidr?
18:35 <jrosser> yes with libaio1 it worked here on 24.04 vm without that, so i figure this is some legacy thing
18:35 <noonedeadpunk> could be
18:35 <noonedeadpunk> I'd need to draw that I guess....
18:36 <jrosser> even with haproxy/keepalived in lxc you still need a default route in the container though?
18:36 <noonedeadpunk> yes, sure
18:36 <noonedeadpunk> but it's less of an issue?
18:36 <noonedeadpunk> it doesn't mess with the way of accessing the host, for instance
18:37 <noonedeadpunk> there's no ssh inside container, so on
18:37 <jrosser> oh yes i totally agree
18:37 <jrosser> it makes it really very similar to having dedicated haproxy nodes but without extra hardware
18:37 <noonedeadpunk> but I somehow have a bias, that on bare metal host, especially if it's like regular controller, having default route to public network is quite meh
18:37 <noonedeadpunk> yeah
18:38 <noonedeadpunk> (I even kinda wondered why it wasn't a default)
18:38 <jrosser> me too, we don't have default route anywhere except network nodes and haproxy nodes
18:38 <noonedeadpunk> you're not obliged to have it on net nodes either, are you?
18:39 <jrosser> maybe not, will take another look at that
18:40 <noonedeadpunk> feel free to re-phrase things there
18:41 <jrosser> actually you are right, we don't have default route on the network nodes
19:41 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Add documentation on spawning HAProxy inside LXC https://review.opendev.org/c/openstack/openstack-ansible/+/924353
19:58 <jrosser> i am seeing quite a lot of jobs failing to bring up keystone db
20:09 <jrosser> noonedeadpunk: this might be interesting for your haproxy thing - i had a way to provide static IP to containers here https://github.com/jrosser/openstack-ansible-ops/commit/ba8636bc51bb61ee784e2453820173e6ec6ea0ae#diff-56970b5c834ccc0b5640e6b6ab4e6e6aaa513d57ef4128281efffd8376daa403
20:10 <jrosser> tbh i would do it with host_vars to define the IP specifically for each host instead, but you can totally insert a custom static interface
20:12 <jrosser> you might indeed want to know what the public IPs are, as there's quite likely iptables or some hardware firewall involved as well that you need to put config into
21:00 <spotz[m]> Hi my name is spotz and I love the new suggest edit feature in gerrit :)