Wednesday, 2025-05-07

opendevreviewOpenStack Proposal Bot proposed openstack/openstack-ansible master: Imported Translations from Zanata  https://review.opendev.org/c/openstack/openstack-ansible/+/94896502:30
noonedeadpunkjrosser: so for config_template, I think most broken thing is handling a jinja tags: https://zuul.opendev.org/t/openstack/build/ad82ab55354948e48350838e4bdb2fe4/log/job-output.txt#1803-182307:12
noonedeadpunkas I did indeed some "internal" hackery to make it work07:12
noonedeadpunkand seamingly, it needs to be re-made07:12
jrosserwhat am i missing there?07:15
jrosseruser content and expected content look very similar on the screen to me07:16
jrosseroh wait the tasks are in an unexpected order?07:17
noonedeadpunknot really07:18
noonedeadpunkhttps://paste.openstack.org/show/bE5viVfeM3uunSCoT8D7/07:19
noonedeadpunkso this is not respected https://opendev.org/openstack/ansible-config_template/src/branch/master/tests/templates/test_raw_content.ini#L107:19
noonedeadpunkpretty much the patch fixing it: https://review.opendev.org/c/openstack/ansible-config_template/+/88188707:20
noonedeadpunk(and also the one before it)07:21
jrosseri wonder if it is supported to use that inside the template itself any more07:39
jrosseras there is now this https://github.com/ansible/ansible/blame/devel/lib/ansible/plugins/action/template.py#L120-L13007:39
jrossermight be worth a quick test.yml thing without config_template just to see what happens in standard 2.1907:44
noonedeadpunkjrosser: yeah, I tested it and it worked with template07:54
jrosserinteresting07:54
jrosseri expect we can look at the difference between how we call the underlying templar thing and changes made in the builtin template action plugin07:55
jrosserit is also very interesting to see in the 2.19 porting guide that they now have addressed excessive recursive templating07:56
jrosserm o s s b l a s s e r has been working on a profiler here for exactly that issue07:56
noonedeadpunkhttps://paste.openstack.org/show/b0t7lL6AevxQCA6yxkUT/07:57
noonedeadpunkjrosser: they claim to have. but so far to actual proof that it works :D07:57
noonedeadpunkhttps://forum.ansible.com/t/core-2-19-templating-changes-preview-and-testing/40759/11?u=noonedeadpunk07:58
noonedeadpunkbut again I recognize it's about amount and complexity of variables07:58
noonedeadpunkso it's probably not what such test will show improvement on08:01
jrosseryou make a good point about ansible 3.0 there08:01
jrosser*ansible-core08:02
jrosserthe versions of ansible do indeed get a major version bump every time in contrast......08:02
damiandabrowskiis there something wrong with our CI today? 10:00
damiandabrowskihttps://zuul.opendev.org/t/openstack/build/6441ffde5f7b4a66aa8b71bac7bbc64d/log/job-output.txt#1168910:00
damiandabrowskino available installation candidate for mariadb-server=1:11.4.4*10:01
noonedeadpunkit was fine yesterday10:10
noonedeadpunkbut also: https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/94871110:10
noonedeadpunkI am actually also extremely surprised about https://review.opendev.org/c/openstack/openstack-ansible/+/948319 failures on ceph jobs for noble10:11
noonedeadpunkand this happens only in gates10:11
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Fix SHA test scenario  https://review.opendev.org/c/openstack/openstack-ansible/+/94831910:11
derekokeeffeHi all, just looking at the docs for OSA to use certbot and letsencrypt. is it as simple as adding https://paste.openstack.org/show/bZfujzJzkIdoCbXy2XAr/ to my user_variables and re running the haproxy-install.yml role?10:19
noonedeadpunkI'm not sure you actually need https://gerrit.citynetwork.eu/c/public/sto2/+/7395 but pretty much yes10:25
damiandabrowskiyeah....for some reason it looks like galera-server 11.4.4 disappeared from the repo, so bumping the version to 11.4.5 should help10:27
damiandabrowskihttps://paste.opendev.org/show/b5Pt2g3sgPAmdn2q9DCH/10:27
damiandabrowskiPS. you probably pasted the wrong link :D 10:28
noonedeadpunklol10:28
noonedeadpunkdah, I did10:28
noonedeadpunkI did not mean to post a link - was trying to say `haproxy_ssl_letsencrypt_certbot_server` is not required either10:29
noonedeadpunkwait...10:30
noonedeadpunkthat looks _very_ bad actually10:31
noonedeadpunkthey wiped all old versions from this repo10:32
noonedeadpunkand left only last 2 versions10:32
noonedeadpunkcrap10:33
derekokeeffeso remove this `haproxy_ssl_letsencrypt_certbot_server`, leave the others and re run haproxy? not sure if you're talking to me or not :)10:33
noonedeadpunkderekokeeffe: yep, thats correct10:34
derekokeeffePerfect, thanks noonedeadpunk. Does that secure all endpoints or do I need to specify more for each?10:35
jrosserderekokeeffe: letsencrypt can only really secure the external endpoint10:42
noonedeadpunkdamiandabrowski: hm, actually probably worth using 11.4.6 then even10:42
damiandabrowskiyeah, you may be right...10:42
derekokeeffeOk thanks noonedeadpunk10:42
jrosserif you need SSL on the internal endpoint then the built-in PKI role can do that, or else you have to supply your own internal certificates for that10:42
noonedeadpunkit;'s confusingly not here though: https://mariadb.org/mariadb/all-releases/#11-410:43
jrossernoonedeadpunk: is it the horizon or keystone role you are interested in for ansible-role-httpd federation tests (or both)10:43
noonedeadpunkpatches are for both, but I most afraid of keystone10:44
noonedeadpunkok. well. so what should we do with mariadb now....10:50
noonedeadpunkjrosser: as horizon does not really need mod_oidc or anuything like that10:56
derekokeeffenoonedeadpunk, where do I tell it the DNS name to obtain the cert for? It's using the IP address https://paste.openstack.org/show/b5zTclsDEYFHgrm7fcwC/10:56
noonedeadpunkit's using the external_vip_address10:57
noonedeadpunkwhich is used to define keystone endpoints10:57
noonedeadpunkso ideally - it needs to be fqdn10:57
noonedeadpunkand then have keepalived and haproxy bind addresses10:58
jrosseryou need a proper dns entry for that IP10:58
noonedeadpunkhttps://opendev.org/openstack/openstack-ansible/src/branch/master/etc/openstack_deploy/openstack_user_config.yml.prod.example#L15-L2110:58
jrosseras LE have to resolve the name you give them back to your IP10:58
derekokeeffeI have external dns there jrosser just need to tell it to use it rather than the IP10:58
derekokeeffeWe have a domain registered10:59
jrosserright, so external_vip_address needs to be switched over to your fqdn10:59
derekokeeffeThanks noonedeadpunk, was going to change it but not doing anything anymore that could mess this up on me :)10:59
derekokeeffeWill do jrosser, thanks11:00
jrosserand also make sure that the service catalog gets updated to use that fqdn for all the services rather than the IP11:00
jrosserelse it will be SSL validation errors all over the place11:00
derekokeeffeooooh ok jrosser, thanks for that. The service catalog as in "openstack endpoint list" those?11:02
jrosseryes, for the external ones11:02
derekokeeffePerfect, will do. Thanks both11:02
jrosserall the tools (like the CLI) will look up the endpoint to connect to in the service catalog11:02
derekokeeffeOk thanks will update that as well11:10
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server stable/2024.2: Bump MariaDB to 11.4.5  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/94902312:12
noonedeadpunkI somehow feel that we're closer and closer to start having mirrors on our repo hosts12:12
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: docs: Compatibility Matrix - fix mistakes with layout  https://review.opendev.org/c/openstack/openstack-ansible/+/94885212:19
noonedeadpunkjrosser: wdyt - https://ibb.co/1wKp4DH vs https://ibb.co/v43nd9nR12:38
noonedeadpunkwrt https://review.opendev.org/c/openstack/openstack-ansible/+/94885212:38
noonedeadpunkor doesn't really matter ? :)12:39
jrosserfirst one hurts my eyes less12:39
jrosseroh wait12:39
jrosseri mean the one with the grey at the top is better12:39
jrosser-ETAB-ORDERING12:39
noonedeadpunkorange is hurting my eyes, but no idea what can be done with it12:41
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: docs: Compatibility Matrix - fix mistakes with layout  https://review.opendev.org/c/openstack/openstack-ansible/+/94885213:03
jrossernoonedeadpunk: https://paste.opendev.org/show/bXY7MasUDd5im5pfHvCe/13:32
jrosseroh should that be `locations` instead of `options` perhaps13:32
derekokeeffeI'm trying to get WEBSSO options on the horizon dashboard at the moment, when I put the config into local_settings.py on the horizon controller there's no dropdown options. It should be straight forward enough am I right?14:06
derekokeeffeWEBSSO_CHOICES to be exact14:07
derekokeeffesetting that HORIZON_CONFIG["disable_password_reveal"] = False to True dowsn't remove the eye icon for revealing the password (just as a test)14:09
derekokeeffeOh scratch that last bit the eye is gone now14:10
derekokeeffeSorry my bad, never enabled it14:17
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: docs: Compatibility Matrix - fix mistakes with layout  https://review.opendev.org/c/openstack/openstack-ansible/+/94885214:20
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: docs: Compatibility Matrix - fix mistakes with layout  https://review.opendev.org/c/openstack/openstack-ansible/+/94885214:49
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: docs: Compatibility Matrix - fix mistakes with layout  https://review.opendev.org/c/openstack/openstack-ansible/+/94885215:26
jrossernoonedeadpunk: so i made federation work on an existing deployment which didnt have it before15:58
jrosserusing whats master of os_horizon and os_keystone + the ansible-role-httpd changes15:59
jrossersome fixes needed in the os_keystone role16:07
damiandabrowskithis mariadb repo act really weird today, now some scenarios fail with error:16:23
damiandabrowskiE:The repository 'https://mirror.mariadb.org/repo/11.4/debian bookworm Release' does not have a Release file.16:23
mnasiadkaYesterdays 10.11.12 broke all kolla-ansible jobs, so who knows what they are up to :)16:24
damiandabrowskimnasiadka: ahh thanks for the info, nice to hear we're not the only ones having problems with this :D16:26
mnasiadkaWe never did the jump to 11.x, I guess it's time in Flamingo ;)16:30

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!