opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Combine vars files for debian/ubuntu and ensure setuptools is present https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924692 | 06:15 |
---|---|---|
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342 | 06:16 |
noonedeadpunk | yeah. current tacker version is not sqlalchemy 2.0 supported. | 07:33 |
noonedeadpunk | but I think it should have been fixed upstream... at least I would expect so | 07:33 |
noonedeadpunk | there's also trove borked on upgrades | 07:44 |
noonedeadpunk | and manila and zun.... | 07:45 |
noonedeadpunk | so quite some things | 07:45 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342 | 08:26 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342 | 08:26 |
jrosser | so i think i pretty much got lxc working on noble | 08:36 |
jrosser | by switching to use the `generated` apparmor profile by default for all OS | 08:37 |
jrosser | though it's pretty unsure if this has any potential broken things later on, as i cannot find how to make our lxc-openstack apparmor profile work | 08:37 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_magnum master: Add test for high availability k8s control plane on unbuntu noble https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/924702 | 08:41 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_magnum master: Add test for high availability k8s control plane on unbuntu noble https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/924702 | 08:52 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_magnum master: Add test for high availability k8s control plane on ubuntu noble https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/924702 | 08:52 |
noonedeadpunk | let's land what we can land I guess, and a bit later I will spawn a noble sandbox as well to think a bit on how to apply overrides we might need | 09:15 |
noonedeadpunk | as extending generated is what we actually needed instead of own profile | 09:15 |
noonedeadpunk | (I guess) | 09:16 |
noonedeadpunk | jrosser: were you able to make a working haproxy map file, i.e. `domain.com/identity` (rather than `identity.domain.com`)? | 09:48 |
noonedeadpunk | as feel like first one would need some kind of rewrite.... | 09:48 |
jrosser | i had a plan to, but never got round to looking at it | 09:48 |
jrosser | but rather was identity.domain.com as first idea | 09:48 |
noonedeadpunk | so we were able to get identity.domain.com working | 09:49 |
noonedeadpunk | as then keystone being passed /identity and it replies with 404 | 09:49 |
noonedeadpunk | so yeah.... | 09:49 |
noonedeadpunk | ok, gotcha | 09:49 |
jrosser | but really i didn't think about this at all | 09:49 |
noonedeadpunk | I guess <service>.<external_lb_vip_address> is the only way kinda... | 09:52 |
noonedeadpunk | or there should be an apache for the backend rewriting url | 09:53 |
noonedeadpunk | (or nginx) | 09:53 |
noonedeadpunk | oh... you can do smth with uwsgi :) | 09:53 |
noonedeadpunk | https://uwsgi-docs.readthedocs.io/en/latest/InternalRouting.html#the-first-example | 09:54 |
jrosser | btw it would be great if you could make a doc for what you did with the first form working | 09:55 |
noonedeadpunk | yeah, I think this should be in damiandabrowski todo list... | 09:59 |
noonedeadpunk | I will write otherwise a bit later when come to conclusion about second format :D | 10:00 |
noonedeadpunk | crap, I clean forgot how to configure apache :D | 10:33 |
noonedeadpunk | why in the world `ProxyPass / uwsgi://127.0.0.1:35358/` does not work, while `ProxyPass /identity uwsgi://127.0.0.1:35358/` does | 10:34 |
noonedeadpunk | shouldn't `/` catch like * ? | 10:34 |
noonedeadpunk | or maybe it's not apache issue... | 10:36 |
noonedeadpunk | so seems somehow this routing doesn't really work... | 10:53 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Use platform dependant sshd service name in restart handler https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/924719 | 11:01 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342 | 11:02 |
noonedeadpunk | so, somehow routing does not work at all in our uwsgi setup :( | 11:12 |
noonedeadpunk | aha, so everywhere we have `!!! no internal routing support, rebuild with pcre support !!!` in uwsgi logs | 11:27 |
damiandabrowski | noonedeadpunk: so my plan is to make it easier for users to enable "domain based endpoints" because currently it's required to override a lot of variables to get it working. | 11:28 |
jrosser | ooh whats that i wonder | 11:28 |
damiandabrowski | (I'm mainly talking about endpoint URLs and haproxy backends configuration) | 11:28 |
noonedeadpunk | damn... | 11:28 |
jrosser | damiandabrowski: i did wonder if there was a way to automatically use the service name to set that up | 11:28 |
noonedeadpunk | we just needed `libpcre3-dev` for wheels build | 11:29 |
damiandabrowski | jrosser: there are some information how we implemented it: https://paste.openstack.org/show/bIeaDbIzciMpzjqpdff7/ | 11:29 |
damiandabrowski | for now, we don't use any automated way :/ it's just manual definition that keystone works under 'identity' subdomain etc. | 11:29 |
noonedeadpunk | and to have {{ external_lb_vip_address }}/identity instead of identity.{{ external_lb_vip_address }} you'd need to add https://paste.openstack.org/show/bUhkyL0U3ZZekJR48wco/ | 11:31 |
noonedeadpunk | after we will fix the bug :D | 11:31 |
noonedeadpunk | lol: https://bugs.launchpad.net/openstack-ansible/+bug/1742538 | 11:32 |
jrosser | feels like each service needs some vars to know if it is on its own unique host | 11:33 |
jrosser | or if it has a unique suffix | 11:33 |
noonedeadpunk | it needs just libpcre3-dev | 11:34 |
noonedeadpunk | or well, depending to what you're responding :D | 11:35 |
jrosser | ok the haproxy thing :) | 11:35 |
jrosser | was subject_alt_name not helpful for adding all the hostnames to the cert from PKI role? | 11:35 |
damiandabrowski | we just decided to go with wildcard, but recently I learned an interesting feature that may solve this issue: | 11:37 |
damiandabrowski | in haproxy config you can define a directory for SSL certificate and it should automatically pick suitable certificate from that directory(suitable = where certificate domain matches haproxy endpoint) | 11:38 |
damiandabrowski | technically, it should allow to have separate certificate for each service | 11:38 |
jrosser | ah interesting yes | 11:39 |
damiandabrowski | https://www.haproxy.com/documentation/haproxy-configuration-tutorials/ssl-tls/#:~:text=You%20can%20also%20set,during%20the%20TLS%20handshake. | 11:39 |
noonedeadpunk | well, the thing here is, that it has close to no sense to have non-SAN/wildcard in real life as that's just too expensive | 11:39 |
noonedeadpunk | and for let's encrypt, I think, you can just define a list of domains to include | 11:39 |
jrosser | yes thats right | 11:40 |
jrosser | and wildcard is only possible for DNS based validation | 11:40 |
noonedeadpunk | https://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/master/defaults/main.yml#L231-L232 | 11:40 |
jrosser | so for internal vip with PKI role it should be possible to pass a list of names to put in the SAN | 11:41 |
noonedeadpunk | we're not using any ACME right now though | 11:41 |
noonedeadpunk | but yeah, it's interesting to have an option in the role to get certificates from the folder overall | 11:41 |
jrosser | do we need to adjust the code to make that work? | 11:42 |
noonedeadpunk | yeah, I think so | 11:43 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Add support for deploying mcapi control plane k8s on debian-12 https://review.opendev.org/c/openstack/openstack-ansible-ops/+/923586 | 11:56 |
opendevreview | Merged openstack/openstack-ansible-os_keystone master: Combine Ubuntu/Debian vars together https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/924146 | 12:19 |
jrosser | aaand h/a kubernetes on noble https://zuul.opendev.org/t/openstack/build/77dcfaf363864924a738fed153e10b42 | 13:30 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342 | 13:43 |
opendevreview | Merged openstack/openstack-ansible stable/2024.1: Use UCA mirror in CI for ubuntu https://review.opendev.org/c/openstack/openstack-ansible/+/924602 | 13:44 |
opendevreview | Merged openstack/openstack-ansible-os_placement master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/924638 | 14:13 |
noonedeadpunk | ugh... I'm quite stuck with uwsgi wheel build... | 14:15 |
noonedeadpunk | as apparently it's using weird profile... | 14:15 |
opendevreview | Merged openstack/openstack-ansible-os_heat master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/924625 | 14:24 |
opendevreview | Merged openstack/openstack-ansible-os_tempest master: Ensure tempest enclude/exclude lists are idempotent https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/924641 | 14:27 |
opendevreview | Merged openstack/openstack-ansible-os_swift master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/924639 | 14:30 |
opendevreview | Merged openstack/openstack-ansible-os_mistral master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/924632 | 14:31 |
opendevreview | Merged openstack/openstack-ansible-os_barbican master: Move database configuration to it's own section https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/924649 | 14:32 |
opendevreview | Merged openstack/openstack-ansible-os_barbican master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/924610 | 14:32 |
opendevreview | Merged openstack/openstack-ansible-os_cloudkitty master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/924618 | 14:35 |
opendevreview | Merged openstack/openstack-ansible-os_designate master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/924621 | 14:36 |
opendevreview | Merged openstack/openstack-ansible-os_masakari master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/924629 | 14:37 |
opendevreview | Merged openstack/openstack-ansible-os_gnocchi master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_gnocchi/+/924624 | 14:38 |
opendevreview | Merged openstack/openstack-ansible-os_ironic master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/924626 | 14:41 |
opendevreview | Merged openstack/openstack-ansible-haproxy_server master: Combine debian and ubuntu vars, adding support for Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/924345 | 14:44 |
opendevreview | Merged openstack/openstack-ansible-openstack_hosts master: Add vars for Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/924344 | 14:45 |
opendevreview | Merged openstack/openstack-ansible-os_magnum master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/924627 | 14:45 |
opendevreview | Merged openstack/openstack-ansible-plugins master: Update plugins collection version https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/922723 | 14:52 |
opendevreview | Merged openstack/openstack-ansible-os_nova master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/924636 | 14:56 |
opendevreview | Merged openstack/openstack-ansible master: [doc] Fix Typo https://review.opendev.org/c/openstack/openstack-ansible/+/924569 | 15:00 |
noonedeadpunk | #startmeeting openstack_ansible_meeting | 15:00 |
opendevmeet | Meeting started Tue Jul 23 15:00:41 2024 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
opendevmeet | The meeting name has been set to 'openstack_ansible_meeting' | 15:00 |
opendevreview | Merged openstack/openstack-ansible master: Rename Container Network to Management https://review.opendev.org/c/openstack/openstack-ansible/+/924570 | 15:00 |
noonedeadpunk | #topic rollcall | 15:00 |
noonedeadpunk | o/ | 15:00 |
mgariepy | half there | 15:04 |
noonedeadpunk | #topic office hours | 15:04 |
opendevreview | Merged openstack/openstack-ansible-lxc_hosts master: Fix incorrect copying of sources.list.d to container image https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/924309 | 15:04 |
noonedeadpunk | so there was really a good progress for Ubuntu 24.04 support - thanks a lot Jonathan for putting efforts into this! | 15:05 |
jrosser | o/ hello | 15:05 |
jrosser | yeah i really wanted to see if the magnum stuff worked there | 15:06 |
jrosser | and so far looks good | 15:06 |
noonedeadpunk | and seems it does | 15:06 |
damiandabrowski | hi! | 15:06 |
noonedeadpunk | I had found some regression for uwsgi setup. now a bit confused about how wheels are built, or why I couldn't get them rebuilt in aio | 15:06 |
noonedeadpunk | but patch should be pushed lately | 15:07 |
noonedeadpunk | also we do have bunch of services borked | 15:09 |
noonedeadpunk | potentially - updating shas might fix some of these | 15:09 |
noonedeadpunk | and also I realized that I've missed to deprecate senlin/murano repositories | 15:11 |
noonedeadpunk | will need to take that as action for the next week | 15:11 |
jrosser | i saw we have a side effect of the openstack-resources role - no longer using the cached copy of the cirros image | 15:15 |
opendevreview | Merged openstack/openstack-ansible-os_glance master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/924622 | 15:19 |
opendevreview | Merged openstack/openstack-ansible-os_neutron master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/924635 | 15:22 |
opendevreview | Merged openstack/openstack-ansible-memcached_server master: Use the netcat-openbsd package on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible-memcached_server/+/924350 | 15:23 |
opendevreview | Merged openstack/openstack-ansible-os_octavia master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/924637 | 15:38 |
noonedeadpunk | #endmeeting | 15:44 |
opendevmeet | Meeting ended Tue Jul 23 15:44:27 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:44 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2024/openstack_ansible_meeting.2024-07-23-15.00.html | 15:44 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2024/openstack_ansible_meeting.2024-07-23-15.00.txt | 15:44 |
opendevmeet | Log: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2024/openstack_ansible_meeting.2024-07-23-15.00.log.html | 15:44 |
frickler | more CVE fun in case anyone missed it https://security.openstack.org/ossa/OSSA-2024-002.html | 15:59 |
opendevreview | Dmitriy Rabotyagov proposed openstack/ansible-role-uwsgi master: Ensure uWSGI is built with pcre support https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/924754 | 16:00 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Use distribution specific name for ssh service in ssh_keypairs role https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924755 | 16:00 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Test on Ubuntu Noble https://review.opendev.org/c/openstack/openstack-ansible/+/924342 | 16:01 |
noonedeadpunk | yup, thanks frickler | 16:18 |
opendevreview | Dmitriy Rabotyagov proposed openstack/ansible-role-python_venv_build master: Don't use local pip cache when re-building wheels https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/924761 | 16:25 |
noonedeadpunk | so I finally made keystone to work as /identity (like devstack makes things for years now) | 16:32 |
jrosser | is the idea to get all the services at example.com/<service> ? | 16:36 |
opendevreview | Merged openstack/openstack-ansible master: Skip repo verification for distro install https://review.opendev.org/c/openstack/openstack-ansible/+/924384 | 16:55 |
frickler | does osa support service.example.com already or is this changing from :5000 (just being curious viewing this from the outside ;) | 16:55 |
jrosser | well kind of anything is possible with enough vars set :) | 16:57 |
jrosser | but I think there is an intention to make that much easier to switch to some different url arrangements | 16:58 |
noonedeadpunk | yeah, I'm trying to do example.com/<service> now | 17:14 |
noonedeadpunk | but I do feel a lot of pain down that road frankly speaking | 17:14 |
noonedeadpunk | while I see devstack doing it, it feels that services still willing to reply their href back wrongly | 17:14 |
noonedeadpunk | if I'm using rewrites in uwsgi ofc | 17:15 |
noonedeadpunk | frickler: yeah, we're running a region with service.example.com right now on Bobcat. But it indeed has quite some vars defined for that | 17:15 |
noonedeadpunk | kinda main issue we do have, is that service type is not in the same context where LB endpoints are defined | 17:16 |
noonedeadpunk | so you need to be explicit about each service... | 17:16 |
noonedeadpunk | jrosser: wdyt about this one? https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/921779 | 17:29 |
noonedeadpunk | I guess we need to make list of drivers configurable through a separate variable | 17:29 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Allow to nicely control list of L3 agent extensions https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/924769 | 17:51 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Use distribution specific name for ssh service in ssh_keypairs role https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924755 | 19:07 |
opendevreview | Merged openstack/openstack-ansible-os_blazar master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_blazar/+/924611 | 19:26 |
opendevreview | Merged openstack/openstack-ansible-os_ceilometer master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/924616 | 19:44 |
opendevreview | Merged openstack/openstack-ansible-os_aodh master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_aodh/+/924609 | 19:44 |
opendevreview | Merged openstack/openstack-ansible-os_cinder master: Ensure that first/last host detection is deterministic https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/924617 | 19:57 |