opendevreview | OpenStack Proposal Bot proposed openstack/openstack-ansible master: Imported Translations from Zanata https://review.opendev.org/c/openstack/openstack-ansible/+/948965 | 02:30 |
---|---|---|
noonedeadpunk | jrosser: so for config_template, I think most broken thing is handling a jinja tags: https://zuul.opendev.org/t/openstack/build/ad82ab55354948e48350838e4bdb2fe4/log/job-output.txt#1803-1823 | 07:12 |
noonedeadpunk | as I did indeed some "internal" hackery to make it work | 07:12 |
noonedeadpunk | and seamingly, it needs to be re-made | 07:12 |
jrosser | what am i missing there? | 07:15 |
jrosser | user content and expected content look very similar on the screen to me | 07:16 |
jrosser | oh wait the tasks are in an unexpected order? | 07:17 |
noonedeadpunk | not really | 07:18 |
noonedeadpunk | https://paste.openstack.org/show/bE5viVfeM3uunSCoT8D7/ | 07:19 |
noonedeadpunk | so this is not respected https://opendev.org/openstack/ansible-config_template/src/branch/master/tests/templates/test_raw_content.ini#L1 | 07:19 |
noonedeadpunk | pretty much the patch fixing it: https://review.opendev.org/c/openstack/ansible-config_template/+/881887 | 07:20 |
noonedeadpunk | (and also the one before it) | 07:21 |
jrosser | i wonder if it is supported to use that inside the template itself any more | 07:39 |
jrosser | as there is now this https://github.com/ansible/ansible/blame/devel/lib/ansible/plugins/action/template.py#L120-L130 | 07:39 |
jrosser | might be worth a quick test.yml thing without config_template just to see what happens in standard 2.19 | 07:44 |
noonedeadpunk | jrosser: yeah, I tested it and it worked with template | 07:54 |
jrosser | interesting | 07:54 |
jrosser | i expect we can look at the difference between how we call the underlying templar thing and changes made in the builtin template action plugin | 07:55 |
jrosser | it is also very interesting to see in the 2.19 porting guide that they now have addressed excessive recursive templating | 07:56 |
jrosser | m o s s b l a s s e r has been working on a profiler here for exactly that issue | 07:56 |
noonedeadpunk | https://paste.openstack.org/show/b0t7lL6AevxQCA6yxkUT/ | 07:57 |
noonedeadpunk | jrosser: they claim to have. but so far to actual proof that it works :D | 07:57 |
noonedeadpunk | https://forum.ansible.com/t/core-2-19-templating-changes-preview-and-testing/40759/11?u=noonedeadpunk | 07:58 |
noonedeadpunk | but again I recognize it's about amount and complexity of variables | 07:58 |
noonedeadpunk | so it's probably not what such test will show improvement on | 08:01 |
jrosser | you make a good point about ansible 3.0 there | 08:01 |
jrosser | *ansible-core | 08:02 |
jrosser | the versions of ansible do indeed get a major version bump every time in contrast...... | 08:02 |
damiandabrowski | is there something wrong with our CI today? | 10:00 |
damiandabrowski | https://zuul.opendev.org/t/openstack/build/6441ffde5f7b4a66aa8b71bac7bbc64d/log/job-output.txt#11689 | 10:00 |
damiandabrowski | no available installation candidate for mariadb-server=1:11.4.4* | 10:01 |
noonedeadpunk | it was fine yesterday | 10:10 |
noonedeadpunk | but also: https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/948711 | 10:10 |
noonedeadpunk | I am actually also extremely surprised about https://review.opendev.org/c/openstack/openstack-ansible/+/948319 failures on ceph jobs for noble | 10:11 |
noonedeadpunk | and this happens only in gates | 10:11 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Fix SHA test scenario https://review.opendev.org/c/openstack/openstack-ansible/+/948319 | 10:11 |
derekokeeffe | Hi all, just looking at the docs for OSA to use certbot and letsencrypt. is it as simple as adding https://paste.openstack.org/show/bZfujzJzkIdoCbXy2XAr/ to my user_variables and re running the haproxy-install.yml role? | 10:19 |
noonedeadpunk | I'm not sure you actually need https://gerrit.citynetwork.eu/c/public/sto2/+/7395 but pretty much yes | 10:25 |
damiandabrowski | yeah....for some reason it looks like galera-server 11.4.4 disappeared from the repo, so bumping the version to 11.4.5 should help | 10:27 |
damiandabrowski | https://paste.opendev.org/show/b5Pt2g3sgPAmdn2q9DCH/ | 10:27 |
damiandabrowski | PS. you probably pasted the wrong link :D | 10:28 |
noonedeadpunk | lol | 10:28 |
noonedeadpunk | dah, I did | 10:28 |
noonedeadpunk | I did not mean to post a link - was trying to say `haproxy_ssl_letsencrypt_certbot_server` is not required either | 10:29 |
noonedeadpunk | wait... | 10:30 |
noonedeadpunk | that looks _very_ bad actually | 10:31 |
noonedeadpunk | they wiped all old versions from this repo | 10:32 |
noonedeadpunk | and left only last 2 versions | 10:32 |
noonedeadpunk | crap | 10:33 |
derekokeeffe | so remove this `haproxy_ssl_letsencrypt_certbot_server`, leave the others and re run haproxy? not sure if you're talking to me or not :) | 10:33 |
noonedeadpunk | derekokeeffe: yep, thats correct | 10:34 |
derekokeeffe | Perfect, thanks noonedeadpunk. Does that secure all endpoints or do I need to specify more for each? | 10:35 |
jrosser | derekokeeffe: letsencrypt can only really secure the external endpoint | 10:42 |
noonedeadpunk | damiandabrowski: hm, actually probably worth using 11.4.6 then even | 10:42 |
damiandabrowski | yeah, you may be right... | 10:42 |
derekokeeffe | Ok thanks noonedeadpunk | 10:42 |
jrosser | if you need SSL on the internal endpoint then the built-in PKI role can do that, or else you have to supply your own internal certificates for that | 10:42 |
noonedeadpunk | it;'s confusingly not here though: https://mariadb.org/mariadb/all-releases/#11-4 | 10:43 |
jrosser | noonedeadpunk: is it the horizon or keystone role you are interested in for ansible-role-httpd federation tests (or both) | 10:43 |
noonedeadpunk | patches are for both, but I most afraid of keystone | 10:44 |
noonedeadpunk | ok. well. so what should we do with mariadb now.... | 10:50 |
noonedeadpunk | jrosser: as horizon does not really need mod_oidc or anuything like that | 10:56 |
derekokeeffe | noonedeadpunk, where do I tell it the DNS name to obtain the cert for? It's using the IP address https://paste.openstack.org/show/b5zTclsDEYFHgrm7fcwC/ | 10:56 |
noonedeadpunk | it's using the external_vip_address | 10:57 |
noonedeadpunk | which is used to define keystone endpoints | 10:57 |
noonedeadpunk | so ideally - it needs to be fqdn | 10:57 |
noonedeadpunk | and then have keepalived and haproxy bind addresses | 10:58 |
jrosser | you need a proper dns entry for that IP | 10:58 |
noonedeadpunk | https://opendev.org/openstack/openstack-ansible/src/branch/master/etc/openstack_deploy/openstack_user_config.yml.prod.example#L15-L21 | 10:58 |
jrosser | as LE have to resolve the name you give them back to your IP | 10:58 |
derekokeeffe | I have external dns there jrosser just need to tell it to use it rather than the IP | 10:58 |
derekokeeffe | We have a domain registered | 10:59 |
jrosser | right, so external_vip_address needs to be switched over to your fqdn | 10:59 |
derekokeeffe | Thanks noonedeadpunk, was going to change it but not doing anything anymore that could mess this up on me :) | 10:59 |
derekokeeffe | Will do jrosser, thanks | 11:00 |
jrosser | and also make sure that the service catalog gets updated to use that fqdn for all the services rather than the IP | 11:00 |
jrosser | else it will be SSL validation errors all over the place | 11:00 |
derekokeeffe | ooooh ok jrosser, thanks for that. The service catalog as in "openstack endpoint list" those? | 11:02 |
jrosser | yes, for the external ones | 11:02 |
derekokeeffe | Perfect, will do. Thanks both | 11:02 |
jrosser | all the tools (like the CLI) will look up the endpoint to connect to in the service catalog | 11:02 |
derekokeeffe | Ok thanks will update that as well | 11:10 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server stable/2024.2: Bump MariaDB to 11.4.5 https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/949023 | 12:12 |
noonedeadpunk | I somehow feel that we're closer and closer to start having mirrors on our repo hosts | 12:12 |
opendevreview | Ivan Anfimov proposed openstack/openstack-ansible master: docs: Compatibility Matrix - fix mistakes with layout https://review.opendev.org/c/openstack/openstack-ansible/+/948852 | 12:19 |
noonedeadpunk | jrosser: wdyt - https://ibb.co/1wKp4DH vs https://ibb.co/v43nd9nR | 12:38 |
noonedeadpunk | wrt https://review.opendev.org/c/openstack/openstack-ansible/+/948852 | 12:38 |
noonedeadpunk | or doesn't really matter ? :) | 12:39 |
jrosser | first one hurts my eyes less | 12:39 |
jrosser | oh wait | 12:39 |
jrosser | i mean the one with the grey at the top is better | 12:39 |
jrosser | -ETAB-ORDERING | 12:39 |
noonedeadpunk | orange is hurting my eyes, but no idea what can be done with it | 12:41 |
opendevreview | Ivan Anfimov proposed openstack/openstack-ansible master: docs: Compatibility Matrix - fix mistakes with layout https://review.opendev.org/c/openstack/openstack-ansible/+/948852 | 13:03 |
jrosser | noonedeadpunk: https://paste.opendev.org/show/bXY7MasUDd5im5pfHvCe/ | 13:32 |
jrosser | oh should that be `locations` instead of `options` perhaps | 13:32 |
derekokeeffe | I'm trying to get WEBSSO options on the horizon dashboard at the moment, when I put the config into local_settings.py on the horizon controller there's no dropdown options. It should be straight forward enough am I right? | 14:06 |
derekokeeffe | WEBSSO_CHOICES to be exact | 14:07 |
derekokeeffe | setting that HORIZON_CONFIG["disable_password_reveal"] = False to True dowsn't remove the eye icon for revealing the password (just as a test) | 14:09 |
derekokeeffe | Oh scratch that last bit the eye is gone now | 14:10 |
derekokeeffe | Sorry my bad, never enabled it | 14:17 |
opendevreview | Ivan Anfimov proposed openstack/openstack-ansible master: docs: Compatibility Matrix - fix mistakes with layout https://review.opendev.org/c/openstack/openstack-ansible/+/948852 | 14:20 |
opendevreview | Ivan Anfimov proposed openstack/openstack-ansible master: docs: Compatibility Matrix - fix mistakes with layout https://review.opendev.org/c/openstack/openstack-ansible/+/948852 | 14:49 |
opendevreview | Ivan Anfimov proposed openstack/openstack-ansible master: docs: Compatibility Matrix - fix mistakes with layout https://review.opendev.org/c/openstack/openstack-ansible/+/948852 | 15:26 |
jrosser | noonedeadpunk: so i made federation work on an existing deployment which didnt have it before | 15:58 |
jrosser | using whats master of os_horizon and os_keystone + the ansible-role-httpd changes | 15:59 |
jrosser | some fixes needed in the os_keystone role | 16:07 |
damiandabrowski | this mariadb repo act really weird today, now some scenarios fail with error: | 16:23 |
damiandabrowski | E:The repository 'https://mirror.mariadb.org/repo/11.4/debian bookworm Release' does not have a Release file. | 16:23 |
mnasiadka | Yesterdays 10.11.12 broke all kolla-ansible jobs, so who knows what they are up to :) | 16:24 |
damiandabrowski | mnasiadka: ahh thanks for the info, nice to hear we're not the only ones having problems with this :D | 16:26 |
mnasiadka | We never did the jump to 11.x, I guess it's time in Flamingo ;) | 16:30 |
Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!