Tuesday, 2026-06-02

opendevreviewIvan Anfimov proposed openstack/openstack-ansible-rabbitmq_server master: Upgrade RabbitMQ to 4.2.7  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/98962500:12
opendevreviewMerged openstack/openstack-ansible-galera_server master: Refactor compressed backup creation  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/96038700:41
opendevreviewMerged openstack/openstack-ansible-galera_server master: Remove galera_disable_privatedevices  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/98431200:41
opendevreviewMerged openstack/openstack-ansible-repo_server master: Filter upper-constraints content  https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/98997902:01
opendevreviewOpenStack Proposal Bot proposed openstack/openstack-ansible master: Imported Translations from Zanata  https://review.opendev.org/c/openstack/openstack-ansible/+/99100804:07
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Fix hosts healthcheck  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/99101605:51
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-lxc_hosts master: Ensure ubuntu_virt hook not passed to LXC  https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/99007005:52
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: Use openstack_hosts_apt_pinned_packages in user_variables  https://review.opendev.org/c/openstack/openstack-ansible/+/97788105:57
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-plugins master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/99080705:58
opendevreviewMerged openstack/openstack-ansible master: Imported Translations from Zanata  https://review.opendev.org/c/openstack/openstack-ansible/+/99100806:01
noonedeadpunkmornings - I think we need also https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/991016 to unblock hosts scenario06:06
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Fix hosts healthcheck  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/99101606:07
opendevreviewMerged openstack/openstack-ansible-memcached_server master: Remove memcached_disable_privatedevices  https://review.opendev.org/c/openstack/openstack-ansible-memcached_server/+/98428208:04
f0ois there a bug within extra_lb_tls_vip_addresses and certbot? I get an error that 'dict object' has no attribute 'interface'\n\nThe error appears to be in '/etc/ansible/roles/haproxy_server/tasks/haproxy_ssl_letsencrypt.yml' - I have it set to extra_lb_tls_vip_addresses: [ "1:2:3:4::5" ]09:24
noonedeadpunkum, I haven't used that for ipv6 for a while...09:29
opendevreviewMerged openstack/ansible-role-pki master: Enable openbao job for ansible-role-pki  https://review.opendev.org/c/openstack/ansible-role-pki/+/98994709:33
f0onoonedeadpunk:what's the preffered way? swap the external IP for v6 and use extra_lb for v4?09:34
noonedeadpunkf0o: I would say in general I'd just used `haproxy_vip_binds` instead: https://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/master/defaults/main.yml#L295-L30409:38
noonedeadpunkBut I'm not sure why you hit the issue tbh09:38
f0oI had the feeling vip_binds would be harder to maintain but I guess its just a matter of adding both externals and the single internal with interface mapping right>09:39
f0ohaproxy_vip_binds seems to have worked great 10:08
opendevreviewMerged openstack/openstack-ansible-plugins master: Allow to reset peer during it's re-install  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/96611710:12
opendevreviewMerged openstack/openstack-ansible-plugins master: Add .py extension to modules  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/98814710:26
f0oHrm I'm just in the process of adding a new HAProxy host; and out of the blue I'm struck with haproxy_nova_spice_console_service not being set. Not sure how that happened or what it supposed to be. I'm pretty sure I'm on the same git-commit that I've always been on with osa10:33
f0ocould be related to https://bugs.launchpad.net/openstack-ansible/+bug/2122778 - just odd that I'm hitting it now and not earlier10:35
f0oor maybe not10:36
f0onvmd turns out I cant do -l on nova without breaking it11:15
noonedeadpunkhaproxy_nova_spice_console_service should have been fixed12:44
noonedeadpunkwe had bunch of patrches around that, but not sure what and if all of them were backported12:44
noonedeadpunkas it required quite some refactoring to untackle that\12:44
noonedeadpunkf0o: ^12:44
noonedeadpunkjrosser: andrewbonney mgariepy damiandabrowski can we quickly merge this one? https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/99101612:45
noonedeadpunkand then close these topics12:46
noonedeadpunkhttps://review.opendev.org/q/topic:%22osa/resolute%22+status:open12:46
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-rabbitmq_server master: Upgrade RabbitMQ to 4.2.7  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/98962512:51
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: Use openstack_hosts_apt_pinned_packages in user_variables  https://review.opendev.org/c/openstack/openstack-ansible/+/97788113:00
f0onoonedeadpunk: could be I'm just on a very old commit (2024.2) to not introduce changes - or well, more changes haha13:08
f0onoonedeadpunk: haproxy_vip_binds seems to be implied TLS; our internal IP doesnt use TLS however, is there a way to disable TLS for the type:internal13:19
noonedeadpunkf0o: that is really good question....13:21
f0oor is internal tls now always the case, if so what's the migration - I dont recall this being the case prior13:21
f0ointeresting, it seems that it has it all backwards13:22
f0olet me paste13:22
noonedeadpunkit should not be required now... but indeed, I don't see a logic which would allow to skip the tls for haproxy_vip_binds13:22
noonedeadpunkI wonder how it wasn't implemented13:23
noonedeadpunkwe're discussing the requirement for internal tls going forward though13:23
f0ohttps://paste.opendev.org/show/bAPuiwPfHRElyEKX3YuG/13:24
f0oI think theres a broader issue13:24
noonedeadpunkThe thing is that extra_lb_tls_vip_addresses does also populate haproxy_vip_binds13:24
f0oJust confused why only one of the frontends has the TLS but not the other13:26
f0olet me see if I can fully revert the vips one to what I had prior13:26
f0oreason I even stumbled on it was that I wanted to switchover to the new Haproxy node with the dualstack but it all just exploded because it started requiring TLS for the internal VIP13:28
noonedeadpunkso smth is off apparently13:29
noonedeadpunkso logic right now also relies on order of things indeed13:31
noonedeadpunktry that https://paste.openstack.org/show/bSy7hTXCVikeFkgmrTQU/13:32
f0othat was my next Q since it looked like the first was always TLS'd; will give it a shot13:33
noonedeadpunk`(loop.index == 1 or vip_address in extra_lb_tls_vip_addresses or (service.haproxy_ssl_all_vips | default(false)`13:33
noonedeadpunkhttps://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/master/templates/service.j2#L5613:33
noonedeadpunkI want to refactor all that for 2 cycles now13:34
f0othe haproxy templates gives me headaches haha13:35
noonedeadpunkI want to get rid of all these extra_lb_tls_vip_addresses/extra_lb_vip_addresses/haproxy_bind_external_lb_vip_address etc13:37
noonedeadpunkjust in fwavor of haproxy_vip_binds and have a separate key to control tls13:37
f0owell this has sortof fixed it but only one of my externals have TLS now haha13:41
f0oI gues that's fine, I just FW off the other as well13:41
f0osince we ideally only care for traffic matching the service hostnames on 44313:42
noonedeadpunk[e]I will try to work on that on upcoming weekends... And make changes backprotable somehow13:58
noonedeadpunk#startmeeting openstack_ansible_meeting15:00
opendevmeetMeeting started Tue Jun  2 15:00:15 2026 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.15:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:00
opendevmeetThe meeting name has been set to 'openstack_ansible_meeting'15:00
noonedeadpunk#topic rollcall15:00
noonedeadpunko/15:00
opendevreviewMerged openstack/openstack-ansible-rabbitmq_server master: Install rabbitmq for 26.04 from distro repos  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/98993315:00
opendevreviewMerged openstack/openstack-ansible-plugins master: Fix hosts healthcheck  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/99101615:02
noonedeadpunk#topic releasing15:05
noonedeadpunkSo, we should be having quite healthy CI right now15:05
noonedeadpunkmost of important changes are merged already15:05
noonedeadpunkone thing that escaped attention is mistral15:07
noonedeadpunk#link https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/95051315:07
noonedeadpunkwe never merged wsgi module there15:07
noonedeadpunkthis is the last patch in the topic15:07
noonedeadpunkeventually mistral is gonna be non-functional without it15:08
noonedeadpunkand apparently we don't do any tempest tests there 15:08
damiandabrowskihi! sorry for joining late15:10
noonedeadpunkno worries15:11
noonedeadpunkThere are also bunch of outstanding patches for manila actually15:11
noonedeadpunk#link https://review.opendev.org/q/project:openstack/openstack-ansible-os_manila+status:open15:12
noonedeadpunkthought they're all dependent on v1 removal, which just failed gates (15:12
damiandabrowskiyeah, for the second time it passed check pipeline but failed on gates...15:13
noonedeadpunkout of magnum topic only couple of patches left15:14
noonedeadpunk#link https://review.opendev.org/q/topic:%22osa/k8s-mcapi%22+status:open15:14
noonedeadpunkout of hashi vault patches only manila and zun left15:15
noonedeadpunk#link https://review.opendev.org/q/topic:%22osa_hashi_vault%22+status:open15:15
noonedeadpunkI believe zun is still broken on horizon plugin15:15
noonedeadpunkso I'd say let's backport it once it get fixed...15:15
noonedeadpunkI think we also need to merge galera version bump as it's having 3CVEs one with 10 score15:16
noonedeadpunk#link https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/99081115:16
noonedeadpunkwe should just restore CI fisrt15:16
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-galera_server master: Upgrade MariaDB to 11.8.8  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/99081115:17
noonedeadpunkand I guess that's pretty much it15:19
noonedeadpunkI was already pinged on branching requirement, so we're on a borrowed time now15:19
noonedeadpunkI think this is most important topic we have right now15:20
noonedeadpunk#topic office hours15:20
noonedeadpunkI don't have much to discuss here15:21
noonedeadpunkso if there're no more topics - I'd finish early :)15:21
damiandabrowskiokok, thanks Dmitry!15:24
noonedeadpunk#endmeeting15:29
opendevmeetMeeting ended Tue Jun  2 15:29:41 2026 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:29
opendevmeetMinutes:        https://meetings.opendev.org/meetings/openstack_ansible_meeting/2026/openstack_ansible_meeting.2026-06-02-15.00.html15:29
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2026/openstack_ansible_meeting.2026-06-02-15.00.txt15:29
opendevmeetLog:            https://meetings.opendev.org/meetings/openstack_ansible_meeting/2026/openstack_ansible_meeting.2026-06-02-15.00.log.html15:29
drarveseHello. I've got a fresh 2025.2 deployment and Horizon is failing to load the CSS files, returning a 500 error on the requests. It seems to be an issue with haproxy, since requests to the individual containers work. 15:32
drarveseI've used the same haproxy & Horizon settings on a number of previous deployments with no issues. I compared the haproxy configs with a 2025.1 install and nothing's changed between the two.15:32
drarveseI was able to get the CSS files to load by removing "connect-src 'self' our-fqdn:* wss://our-fqdn:6083" from haproxy's Content-Security-Policy-Report-Only header, but that setting is present on our other deployments so I'm not sure if that's the right solution...15:33
noonedeadpunkthere were changes in horizon dependencies afaik15:33
noonedeadpunkthere were series of patches to horizon plugins to get in line with this15:33
drarveseHere's a paste of the relevant user_variables.yml settings: https://paste.opendev.org/show/bQ9NDllQQGfI4Fx3lBsF/15:34
noonedeadpunkso if you set `haproxy_security_headers_csp_report_only: true` does this solve the horizon issue?15:36
drarvesethat's already set15:36
noonedeadpunkSo I would assume that the issue you is having is not in deployment, but in horizon version or plugins15:37
noonedeadpunkI am fully aware there were issues on 2026.1 which were fixed only by patches15:41
drarveseI'm installing 32.1.1 if that makes any difference15:49
noonedeadpunkI would need to spawn a test environment to check on that15:49
noonedeadpunklike things like https://review.opendev.org/c/openstack/magnum-ui/+/98375115:52
noonedeadpunkbut I would really guess that the reason is in horizon/individual dashboards16:02
f0onoonedeadpunk: seems like `Set haproxy service state` doesnt honor -l params, I currently have it set to 'all:!n2_2' but it still tries to connect to n2_2 which is currently offline and the task fails16:12
noonedeadpunkNo it does not, as it's designed to pass when your're limiting to the service hosts16:13
noonedeadpunkie - when you do -l control01-nova-api-container you still got it disabled on all haproxies16:13
f0oguess I get to edit the haproxy files by hand until tomorrow :S16:13
noonedeadpunkI guess you could do --skip-tags common-haproxy16:14
f0othe sed -i was quicker - heh16:15
noonedeadpunkbut if haproxy is unavailable, why not to drop it from the inventory?16:15
f0oits only unavailable temporarily16:15
noonedeadpunkwell, still?16:15
f0owouldnt that cause all sorts of issues when I re-add it?16:15
noonedeadpunkI don't think it should?16:16
noonedeadpunkor well keepalived potentially can failover vip16:16
noonedeadpunkah16:17
noonedeadpunkyou can also try overriding `haproxy_target_hosts`16:17
noonedeadpunkhttps://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/roles/haproxy_endpoint_manage/tasks/main.yml#L2916:17
noonedeadpunkadd that to user_variables.yml and explicitly state hosts that are reachable16:17
noonedeadpunkdrarvese: I am spawning a sandbox now to check, but will likely able to get back to you only tomorrow with results16:29
drarveseThanks, I appreciate it16:29
f0onoonedeadpunk: thanks for all the pointers, I'm gonna check out for today17:00
opendevreviewMerged openstack/openstack-ansible-os_mistral master: Switch from wsgi script to wsgi module  https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/95051317:09
opendevreviewMerged openstack/openstack-ansible-lxc_hosts master: Ensure ubuntu_virt hook not passed to LXC  https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/99007017:31
noonedeadpunkdrarvese: I deployed an AIO with 32.1.1 and horizon looks like working as expected :(18:23
noonedeadpunkAt least I don't see any issues right away18:24
noonedeadpunkso probably some more detauls on the error/logs is needed18:24
opendevreviewMerged openstack/openstack-ansible-haproxy_server master: Add certbot package variable for RHEL based systems  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/96719519:08
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-haproxy_server stable/2025.2: Add certbot package variable for RHEL based systems  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/99121019:45
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-haproxy_server stable/2025.1: Add certbot package variable for RHEL based systems  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/99121119:45
opendevreviewDmitriy Chubinidze proposed openstack/openstack-ansible-os_trove master: docs:wip  https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/99122921:48
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: wip: add information about Ubuntu 26.04 support  https://review.opendev.org/c/openstack/openstack-ansible/+/98909522:31
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: wip: add information about Ubuntu 26.04 support  https://review.opendev.org/c/openstack/openstack-ansible/+/98909522:31
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: wip: add information about Ubuntu 26.04 support  https://review.opendev.org/c/openstack/openstack-ansible/+/98909522:31
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: wip: add information about Ubuntu 26.04 support  https://review.opendev.org/c/openstack/openstack-ansible/+/98909522:34
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: Add information about Ubuntu 26.04 support  https://review.opendev.org/c/openstack/openstack-ansible/+/98909522:35
opendevreviewDmitriy Chubinidze proposed openstack/openstack-ansible-os_trove master: docs: clarify deployment configuration examples  https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/99122923:11
opendevreviewMerged openstack/openstack-ansible-rabbitmq_server master: Add erlang package repository providing packages for arm64  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/98873323:24
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-rabbitmq_server stable/2025.2: Add erlang package repository providing packages for arm64  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/99124523:53
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-rabbitmq_server master: Upgrade RabbitMQ to 4.2.7  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/98962523:53
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-rabbitmq_server master: Upgrade RabbitMQ to 4.2.7  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/98962523:53
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-rabbitmq_server master: Upgrade RabbitMQ to 4.2.7  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/98962523:54
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-rabbitmq_server stable/2025.2: Add erlang package repository providing packages for arm64  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/99124523:56
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-rabbitmq_server stable/2025.1: Add erlang package repository providing packages for arm64  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/99124623:57
opendevreviewIvan Anfimov proposed openstack/openstack-ansible-rabbitmq_server stable/2025.1: Add erlang package repository providing packages for arm64  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/99124623:58

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!