noonedeadpunk | need another vote on backport to propose bumps: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/931192 | 04:55 |
---|---|---|
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Document pretty endpoint namings https://review.opendev.org/c/openstack/openstack-ansible/+/934536 | 08:10 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Document pretty endpoint namings https://review.opendev.org/c/openstack/openstack-ansible/+/934536 | 08:12 |
opendevreview | Merged openstack/openstack-ansible-ops master: Allow ELK7 roles to run with disabled ANSIBLE_INJECT_FACT_VARS https://review.opendev.org/c/openstack/openstack-ansible-ops/+/934547 | 09:16 |
opendevreview | Merged openstack/openstack-ansible-ops master: Allow to supply custom kibana backend to roles https://review.opendev.org/c/openstack/openstack-ansible-ops/+/934548 | 09:16 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops master: Test all supported versions of k8s workload cluster with magnum-cluster-api https://review.opendev.org/c/openstack/openstack-ansible-ops/+/916649 | 09:17 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: [doc] Move all variables to group_vars https://review.opendev.org/c/openstack/openstack-ansible-ops/+/931556 | 09:18 |
jrosser | ^ we should update that | 09:21 |
jrosser | just needs to match up with whatever versions of the workload cluster images are available | 09:21 |
opendevreview | Merged openstack/openstack-ansible-os_neutron master: [doc] Add description of the LR binded usecase https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/932616 | 09:21 |
noonedeadpunk | are you about 916649? | 09:22 |
noonedeadpunk | I was wondering if we need this first? https://github.com/vexxhost/ansible-collection-kubernetes/pull/137 | 09:23 |
noonedeadpunk | or that's not about control cluster but workers | 09:24 |
noonedeadpunk | *workload | 09:24 |
noonedeadpunk | and 931556 gonna be in conflict with 916649 | 09:25 |
noonedeadpunk | (probably?) | 09:25 |
jrosser | hmm | 09:26 |
jrosser | so ansible-collection-kubernetes is entirely for the controller | 09:26 |
noonedeadpunk | yeah | 09:36 |
jrosser | so the other thing is | 09:39 |
jrosser | https://github.com/openstack/openstack-ansible-ops/blob/master/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_z_magnum.yml | 09:39 |
jrosser | ^ this file is named specifically to be loaded after the user_variables_magnum that the regular bootstrap_aio script writes | 09:39 |
jrosser | hence the 'z' | 09:39 |
jrosser | ugly hack for sure | 09:40 |
jrosser | moving things generally to group_vars is good, but might have some consequences | 09:40 |
noonedeadpunk | that kinda worked for me, but indeed, I didn't have a mess in user_variables like we have in aio | 09:53 |
jrosser | iirc it is there to inhibit the images/flavors/whatever that come by default in the usual magnum aio | 09:55 |
noonedeadpunk | so to override https://opendev.org/openstack/openstack-ansible/src/branch/master/tests/roles/bootstrap-host/templates/user_variables_magnum.yml.j2#L16-L50 basically | 09:59 |
noonedeadpunk | so yeah. I guess makes sense to leave these there.... | 09:59 |
jrosser | i could not think of a nice way to do that | 10:05 |
noonedeadpunk | your solution was fine actually | 10:10 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: [doc] Move all variables to group_vars https://review.opendev.org/c/openstack/openstack-ansible-ops/+/931556 | 10:11 |
noonedeadpunk | as we don't need that part in docs anyway | 10:11 |
noonedeadpunk | not sure though why rsync fails.... | 10:13 |
noonedeadpunk | ah. because it should not be rsync... | 10:13 |
noonedeadpunk | ok, and https://github.com/vexxhost/ansible-collection-kubernetes/pull/127 is still not merged.... | 10:16 |
jrosser | i know /o\ | 10:16 |
jrosser | it's been a very long time | 10:16 |
noonedeadpunk | can you maybe pull in https://github.com/vexxhost/ansible-collection-kubernetes/pull/136 ? | 10:17 |
noonedeadpunk | as this is where group_vars failing | 10:17 |
noonedeadpunk | or maybe rebase again.... | 10:18 |
noonedeadpunk | as proposing as pr to your fork sounds like a hassle in github.... | 10:18 |
jrosser | yeah let me take a look | 10:18 |
jrosser | mnaser: we could _really_ use some help with the noble / virtualenv stuff re. https://github.com/vexxhost/ansible-collection-kubernetes/pull/127 | 10:19 |
jrosser | it's like a couple weeks before we have to release OSA pointing to a fork of this and i'd really prefer not to do that | 10:20 |
opendevreview | Merged openstack/openstack-ansible-rabbitmq_server master: Move RabbitMQ restart to handlers https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/931974 | 10:36 |
opendevreview | Merged openstack/openstack-ansible master: Move healthcheck playbooks to the collection https://review.opendev.org/c/openstack/openstack-ansible/+/933611 | 10:51 |
opendevreview | Merged openstack/openstack-ansible master: Remove HA queues defenition https://review.opendev.org/c/openstack/openstack-ansible/+/934042 | 10:51 |
jrosser | ci reliability feels like it is a bit better recently | 10:52 |
noonedeadpunk | yeah | 11:01 |
noonedeadpunk | true | 11:02 |
noonedeadpunk | feels like uc retries and rocky switching from mirrorlist helped a bit | 11:03 |
noonedeadpunk | except yesterday, where apparently RHEL 9.5 was released | 11:03 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_ironic master: Replace default nginx config on rh-like systems https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/935773 | 11:40 |
jrosser | noonedeadpunk: i rebased this https://github.com/jrosser/ansible-collection-kubernetes/tree/venv-support | 11:51 |
jrosser | so i think that should now include the group_vars thing | 11:51 |
noonedeadpunk | jrosser: what's the point of empty record for execstart? | 11:55 |
noonedeadpunk | for ironic | 11:55 |
jrosser | you can only have one ExecStart statement for a service which is !oneshot | 11:56 |
jrosser | and there is one in the original service file, and with a dropin the statements are cumulative | 11:56 |
noonedeadpunk | ah | 11:56 |
jrosser | an entry like `ExecStart =` resets any existing instances so that you can then have a new one | 11:56 |
noonedeadpunk | ok, didn't know that | 11:57 |
jrosser | we have similar here https://opendev.org/openstack/openstack-ansible-ceph_client/src/branch/master/tasks/ceph_immutable_object_cache.yml#L42 | 11:57 |
noonedeadpunk | ah. well, I haven't noticed that one | 11:58 |
noonedeadpunk | and it was easier to overlook :D | 11:59 |
jrosser | i did have to wonder how this works tbh | 11:59 |
opendevreview | Merged openstack/openstack-ansible master: [doc] Document requirement for RabbitMQ upgrade https://review.opendev.org/c/openstack/openstack-ansible/+/934828 | 12:06 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Update step-ca version https://review.opendev.org/c/openstack/openstack-ansible/+/935781 | 12:40 |
noonedeadpunk | maybe worth backporting that to stable branches as well https://review.opendev.org/c/openstack/openstack-ansible/+/935362 | 12:50 |
noonedeadpunk | fwiw, I'll be away from tomorrow till Tuesday | 13:00 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_horizon master: Add FWaaS dashboard. https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/935796 | 14:05 |
jrosser | ^ i just tested this dashboard and fwaas in an AIO and it seems to work for my very quick test, on lxb network though | 14:06 |
* jrosser very surprised that it works with lxb | 14:06 | |
noonedeadpunk | fwiw, I've been on a neutron meeting recently, and they are very dedicated to drop lxb for Epoxy | 14:08 |
jrosser | i am not surprised | 14:08 |
noonedeadpunk | main reason - eventlet | 14:08 |
noonedeadpunk | so if someone solves it for lxb - they would be fine from what I got | 14:08 |
noonedeadpunk | jrosser: we need to add neutron_fwaas_dashboard_git_repo and neutron_fwaas_dashboard_git_install_branch to integrated repo first | 14:09 |
jrosser | that might be simpler task than do ovn migration perhaps | 14:09 |
noonedeadpunk | and make this patch dependent on it | 14:09 |
noonedeadpunk | yeah, they also think so | 14:09 |
jrosser | which one? | 14:10 |
noonedeadpunk | left a comment https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/935796/1/defaults/main.yml | 14:11 |
jrosser | sure i'll fix that | 14:12 |
noonedeadpunk | they also think that it's time for lxb -> ovn thing | 14:12 |
noonedeadpunk | but I find it very complicated/close to impossible with certain kind of workloads | 14:12 |
jrosser | tbh the migration is so terrifying that we just put it off as $gigantic job | 14:12 |
jrosser | and we have some interesting things setup which would have to be tested quite a lot | 14:13 |
noonedeadpunk | so there're some very core differences on how workloads behave in ovs/ovn even. | 14:13 |
noonedeadpunk | very good example - are VIPs <-> FIPs bindings | 14:13 |
noonedeadpunk | if one decided that it would be simpler to just disable port security to make VIP work, rather than define allowed address pairs - this won't fly on OVN | 14:14 |
noonedeadpunk | as it requires security groups to be enabled as flows for VIP are built based on allowed address pairs | 14:15 |
noonedeadpunk | I think this is biggest concern so far, as in fact there is no way for admin to know for sure, for which MAC VIP should be allowed | 14:16 |
noonedeadpunk | and also what is VIP.... | 14:16 |
jrosser | btw are you sure i need to add neutron_fwaas_dashboard_git_repo ? | 14:17 |
noonedeadpunk | well, if we want to have fixed SHA for it - then yes? | 14:18 |
opendevreview | Merged openstack/openstack-ansible master: Switch Ubuntu distro jobs to 24.04 https://review.opendev.org/c/openstack/openstack-ansible/+/935664 | 14:18 |
jrosser | oh there isn't a vpnaas dashboard is there? | 14:19 |
noonedeadpunk | there should be actually | 14:19 |
jrosser | ah ok | 14:19 |
jrosser | so i copied what we do for that :) | 14:19 |
noonedeadpunk | oh you mean in integrated repo | 14:19 |
jrosser | right | 14:19 |
noonedeadpunk | seems there's none.... | 14:19 |
noonedeadpunk | I'd consider that as a bug rather than feature though | 14:20 |
jrosser | we need to add them both then | 14:20 |
noonedeadpunk | yeah | 14:20 |
noonedeadpunk | btw, you've started fwaas now? | 14:21 |
noonedeadpunk | *started using | 14:21 |
jrosser | just adding it now | 14:22 |
noonedeadpunk | I never could understand a usecase for it... As it looked always as security groups on router namespace level? | 14:22 |
jrosser | we have things that you can (perhaps accidentally) add a port / FIP to which are not VM | 14:22 |
jrosser | like hardware devices | 14:22 |
jrosser | and then that is just totally on the internet with nothing in the way | 14:23 |
jrosser | so yes in this case security group on the router port is exactly what we need | 14:24 |
noonedeadpunk | okay, so basically you can tell - prohibit all access except from here to there on router level, and then regardless of FIP assignments - traffic will be blocked | 14:24 |
noonedeadpunk | gotcha | 14:24 |
noonedeadpunk | so it's quite niche, right? | 14:24 |
jrosser | yeah, though also we will start having ironic nodes as magnum workers too | 14:24 |
noonedeadpunk | it would be nice if there was some kind of WAF | 14:24 |
jrosser | and those also are not VM | 14:25 |
noonedeadpunk | that would totally justify such service | 14:25 |
noonedeadpunk | aha, ok, ironic usecase indeed is where you want to have smth in front, sure | 14:25 |
jrosser | for magnum it is not so much of a problem | 14:25 |
jrosser | as the network is private | 14:25 |
jrosser | but i do have some other thing where we had to make a provider network behind a physical firewall appliance because of ironic nodes | 14:26 |
noonedeadpunk | gotcha | 14:26 |
noonedeadpunk | we're doing some very complicated setup with VMs and then nested vxlan networks, where one vxlan marked as "public" and then these WAF act as gateways between "external" and really external | 14:27 |
noonedeadpunk | but these are indeed more than simple firewall | 14:28 |
jrosser | this is some fancy L7 type inspection thing? | 14:28 |
noonedeadpunk | yeah | 14:28 |
noonedeadpunk | https://cleura.com/customers/clavister/ | 14:30 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Add neutron fwaas and vpnaas git and zuul repo definitions https://review.opendev.org/c/openstack/openstack-ansible/+/935798 | 14:37 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_horizon master: Add FWaaS dashboard. https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/935796 | 14:50 |
noonedeadpunk | thanks! | 15:06 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: Test all supported versions of k8s workload cluster with magnum-cluster-api https://review.opendev.org/c/openstack/openstack-ansible-ops/+/916649 | 16:22 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: Test all supported versions of k8s workload cluster with magnum-cluster-api https://review.opendev.org/c/openstack/openstack-ansible-ops/+/916649 | 16:23 |
opendevreview | Merged openstack/openstack-ansible stable/2024.1: Bump SHAs for 2024.1 https://review.opendev.org/c/openstack/openstack-ansible/+/935557 | 17:21 |
jrosser | hmm https://zuul.opendev.org/t/openstack/build/b27b712b8e4a4eb9a27ad778d6a80be3/log/job-output.txt#2561 | 17:49 |
noonedeadpunk | I somehow need to fix my bump script | 18:10 |
noonedeadpunk | but I don't understand the issue | 18:11 |
noonedeadpunk | https://opendev.org/openstack/octavia/commits/branch/stable/2023.2 looks totally fine | 18:11 |
noonedeadpunk | as well as https://opendev.org/openstack/octavia/commit/82bc41811416f331a49f97e0e50406c077b09d7d | 18:11 |
jrosser | it passed the check job which is very confusing | 18:37 |
noonedeadpunk | ok, so we can't test modern k8s with https://review.opendev.org/c/openstack/openstack-ansible-ops/+/916649 | 21:03 |
noonedeadpunk | as we need modern images | 21:03 |
noonedeadpunk | and https://static.atmosphere.dev/artifacts/magnum-cluster-api/ is quite dynamic | 21:03 |
noonedeadpunk | so we'd need to parse listing and find latest one in series and be very dynamic | 21:04 |
jrosser | noonedeadpunk: we have some dib stuff to build the images | 21:33 |
noonedeadpunk | suggest ask infra to build images with it for us? | 21:34 |
noonedeadpunk | I'm not sure they will be happy | 21:34 |
jrosser | or we could build them in our job | 21:34 |
noonedeadpunk | well. | 21:34 |
noonedeadpunk | I do have some code for that logic :D | 21:35 |
noonedeadpunk | to fetch last successfully built artifact of the job | 21:35 |
noonedeadpunk | and then periodically build images | 21:35 |
jrosser | it would not be the worst thing if we had reference image building code in the collection in the ops repo | 21:35 |
noonedeadpunk | true | 21:35 |
noonedeadpunk | I would need to think that through and get some free time as well.... | 21:36 |
noonedeadpunk | as it would be nice to make that part of image upload potentially... | 21:36 |
noonedeadpunk | (not sure) | 21:36 |
jrosser | else we make some job that uploads images to opendev tarballs server, like for octavia etc | 21:37 |
noonedeadpunk | I'm not sure how lifecycle is made there tbh | 21:41 |
noonedeadpunk | as artifacts lifetime is defined by the s3 policy | 21:42 |