Wednesday, 2025-10-01

gokhan: Hello kolks, container logs are under the /openstack/log/ dir. There are also journald logs of services. How do you manage rotation of these logs? For systemd-journald logs it seems we need to set configs in all of the containers. https://docs.openstack.org/openstack-ansible/latest/admin/maintenance-tasks/logging.html [06:49]
gokhan: *folks [06:49]
noonedeadpunk: gokhan: you actually don't have to [06:59]
noonedeadpunk: there are "reasonable" defaults on side of systemd-journald, which handles log rotation [06:59]
noonedeadpunk: regarding /openstack/log/ - I'm not sure if it's much of a use these days [07:00]
noonedeadpunk: check this out: https://www.freedesktop.org/software/systemd/man/latest/journald.conf.html#SystemMaxUse= [07:00]
noonedeadpunk: so pretty much by default journald is capped at 4gb or smth [07:01]
noonedeadpunk: but you can tune it in really flexible ways [07:01]
noonedeadpunk: jrosser: damiandabrowski I kinda also would be using ternary instead of if/else but I assumed it's just what I got used to, so was not commenting in this regard. As functionally it's the same. [07:03]
noonedeadpunk: unless talking about full-blown Jinja, where you can do some formatting [07:04]
jrosser: I don’t really understand the point of the reflex either there [07:04]
jrosser: regex [07:04]
jrosser: I do I think for the backward compatibility case, but less so for the commented line which I assume to be what we put in when we only support ttl [07:05]
gokhan: noonedeadpunk, it is about 342 gb /openstack/log https://paste.openstack.org/show/bFVA0cOxhhGKLyJnM7Oi/. Especially magnum and galera. we are using cluster api at magnum side [07:06]
jrosser: if there is a reason there should maybe be some explanation as the regex is unreadable to me basically [07:06]
noonedeadpunk: jrosser: regex was my doing I believe :D [07:15]
noonedeadpunk: but prior way was string splitting, which I find a terrible idea, as there could be a wide variety of input including spaces, tabs and whatsoever in between [07:16]
noonedeadpunk: gokhan: ugh [07:17]
jrosser: ok well maybe the commit message the. just sends me to bit understanding it so all [07:17]
jrosser: argh [07:17]
jrosser: I basically am finding that patch impossible to review [07:17]
noonedeadpunk: regexp specifically does this in a different way: https://review.opendev.org/c/openstack/ansible-role-pki/+/948880/8/tasks/standalone/create_ca.yml [07:20]
noonedeadpunk: and yes, that I assume is for like backwards compatibility [07:21]
noonedeadpunk: gokhan: huh... interesting... what is actually producing these 170G inside of the container? any specific log file? [07:22]
gokhan: noonedeadpunk, for magnum it is running in debug mode, for galera there are mariadb check logs in syslog. syslog is producing [07:27]
noonedeadpunk: even though it's running in debug mode, it should be logging to journald right? [07:32]
noonedeadpunk: syslog should actually be rotated by the system as well afaik... but I'm obviously more concerned about reasons why magnum takes so much of diskspace [07:35]
noonedeadpunk: jrosser: let me see if I can improve readability of this [07:53]
noonedeadpunk: I personally was not voting as I'm actually on the fence with the idea itself [07:53]
noonedeadpunk: It's kinda fair that formats are different, and indeed ttl might make more sense... [07:54]
jrosser: is this all really just .startswith() [07:54]
noonedeadpunk: but like we're changing well established driver with quite some complexity to be in line with new driver approach [07:54]
noonedeadpunk: yeah, kinda, except accounting for spaces/tabs in the beginning [07:55]
noonedeadpunk: ie https://regex101.com/r/r8sgEt/1 [07:58]
noonedeadpunk: if match - do nothing, if does not match - add + at the beginning [07:59]
jrosser: oh my [08:01]
damiandabrowski: jrosser: the idea was to add "+" at the beginning when it's not there - to make `selfsigned_not_after` work together with both `ttl` and `not_after` format, for one release [08:01]
damiandabrowski: originally it worked like this: [08:01]
damiandabrowski: selfsigned_not_after: "{{ ('+' if not (ca.not_after | default(ca.ttl))[:1] == '+' else '') + (ca.not_after | default(ca.ttl)) }}" [08:02]
damiandabrowski: but noonedeadpunk suggested regex [08:02]
noonedeadpunk: Yeah, I mentioned that it was my take :p [08:02]
jrosser: can you then explain to me the commented out line (122) [08:02]
jrosser: which i understand to be the line we will use after removing backward compat [08:03]
damiandabrowski: yeah, but now I wonder if it's correct, because after dropping backwards compatibility we probably won't need to have any logic there and always add leading + [08:06]
damiandabrowski: selfsigned_not_after: "+{{ ca.ttl }}" [08:06]
damiandabrowski: ^ so something like this may be enough [08:06]
noonedeadpunk: yeah, I think it would make sense to do like that when we drop compatibility [08:09]
noonedeadpunk: but we need to have some kind of upgrade check for dropping it [08:09]
noonedeadpunk: as CA are being redefined for pretty much all production deployments, and it's super easy to forget to update them [08:09]
noonedeadpunk: so I'm not really sure how to drop this compatibility nicely [08:10]
jrosser: perhaps we need a filter rather than doing this in native ansible [08:18]
jrosser: then it can be readable code with comments and error handling blah blah [08:18]
jrosser: `(ca.not_after | default(ca.ttl)) | normalise_ttl()` [08:19]
gokhan: noonedeadpunk, because of log rotation on magnum journald log size is only 3g. we also need log rotation on syslog [08:41]
noonedeadpunk: gokhan: what is being written to syslog though? [08:44]
noonedeadpunk: also are you running ubuntu? [08:44]
noonedeadpunk: I think there should be native logrotate configuration for it tbh... [08:45]
noonedeadpunk: ie `/etc/logrotate.d/rsyslog` or smth [08:46]
gokhan: I am using ubuntu [08:47]
gokhan: https://paste.openstack.org/show/bnFPjLMBodwXtiLVBJUD/ [08:48]
gokhan: we need to add also for lxc containers [08:48]
noonedeadpunk: I wonder if `ForwardToSyslog=no` should be just set [08:49]
noonedeadpunk: in `openstack_hosts_journald_config` [08:49]
noonedeadpunk: not to duplicate journald to the syslog [08:50]
jrosser: ^ we did this here recently on all our hosts [08:51]
noonedeadpunk: but I'm not sure it's the case inside of LXC tbh [08:51]
noonedeadpunk: I'm not having /var/log/syslog on some modern enough deployment [08:52]
noonedeadpunk: https://paste.openstack.org/show/bp7xQMOdGDPcVCejb4v4/ [08:53]
noonedeadpunk: but it's ubuntu 24.04 [08:54]
noonedeadpunk: so probably that is already solved in a way :D [08:55]
noonedeadpunk: but it feels reasonable to add this parameter to documentation [08:55]
gokhan: noonedeadpunk, I am using ubuntu 22.04 and magnum sends logs to syslog https://paste.openstack.org/show/bdIikjPbzP6i1CqPKRVH/ [09:07]
gokhan: https://paste.openstack.org/show/bCOcr7cRry6exj9rcKyn/ [09:08]
noonedeadpunk: yeah, this should be doing the trick I guess [09:23]
noonedeadpunk: or well. at least prevent syslog from growing again [09:23]
opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible-openstack_hosts master: Switch OpenStack codename for 2025.2  https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/962600 [13:12]
opendevreview: Merged openstack/openstack-ansible master: Ensure releasing does not inject new lines  https://review.opendev.org/c/openstack/openstack-ansible/+/962333 [14:05]
opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible-openstack_hosts master: Switch OpenStack codename for 2025.2  https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/962600 [14:07]
*** Guest28048 is now known as jotik [17:33]
opendevreview: Damian Dąbrowski proposed openstack/ansible-role-pki master: Use ttl instead of not_after in pki_authorities  https://review.opendev.org/c/openstack/ansible-role-pki/+/948880 [19:01]
opendevreview: Damian Dąbrowski proposed openstack/ansible-role-pki master: Add hashi_vault backend  https://review.opendev.org/c/openstack/ansible-role-pki/+/948881 [19:01]
opendevreview: Damian Dąbrowski proposed openstack/ansible-role-pki master: Add hashi_vault backend  https://review.opendev.org/c/openstack/ansible-role-pki/+/948881 [19:02]
