Wednesday, 2022-02-23

00:31 <opendevreview> Merged openstack/kayobe master: Revert "CI: drop jobs requiring kolla-ansible"  https://review.opendev.org/c/openstack/kayobe/+/830350
02:02 <opendevreview> James Kirsch proposed openstack/kolla-ansible master: Add support for LetsEncrypt-managed certs  https://review.opendev.org/c/openstack/kolla-ansible/+/741340
04:26 <opendevreview> James Kirsch proposed openstack/kolla-ansible master: Add support for LetsEncrypt-managed certs  https://review.opendev.org/c/openstack/kolla-ansible/+/741340
07:30 <opendevreview> wangxiyuan proposed openstack/kolla-ansible master: [WIP]Add openEuler Distro support  https://review.opendev.org/c/openstack/kolla-ansible/+/830115
08:30 <opendevreview> Pierre Riteau proposed openstack/kayobe master: CI: test fact caching  https://review.opendev.org/c/openstack/kayobe/+/808218
08:36 <frickler> yoctozepto: meh, gerrit should really give a warning when submitting a review and there has been another review while looking at the change
08:37 <yoctozepto> frickler: yup
09:07 <mnasiadka> morning
09:24 <opendevreview> Mark Goddard proposed openstack/kolla-ansible master: [WIP] [CI] Use Tenks in Ironic job  https://review.opendev.org/c/openstack/kolla-ansible/+/644271
09:26 <hrw> yo
09:34 <opendevreview> Mark Goddard proposed openstack/kayobe master: DNM: test TLS  https://review.opendev.org/c/openstack/kayobe/+/830566
09:57 <opendevreview> Piotr Parczewski proposed openstack/kolla-ansible master: Fix hard coded OIDC response type  https://review.opendev.org/c/openstack/kolla-ansible/+/830569
10:10 <opendevreview> Radosław Piliszek proposed openstack/kolla-ansible master: [WIP] [CI] Use Tenks in Ironic job  https://review.opendev.org/c/openstack/kolla-ansible/+/644271
10:18 <mgoddard> yoctozepto, mnasiadka, hrw, frickler: I wrote some thoughts on the letsencrypt patch: https://review.opendev.org/c/openstack/kolla-ansible/+/741340
10:19 <mgoddard> if any of you are able to get up to speed on it, it would be nice to discuss in today's meeting
10:26 <frickler> mgoddard: ack, I have a pretty devastating opinion on this, but happy to discuss
10:33 <mgoddard> frickler: tl;dr?
10:40 <frickler> mgoddard: HTTP-01 is useless, I need DNS-01 for internal endpoints anyway
10:41 <mgoddard> well, correct
10:42 <mgoddard> but you could have an internal CA for internal endpoints
10:42 <opendevreview> Michal Nasiadka proposed openstack/kolla-ansible stable/xena: CI: Bump Ceph to Pacific  https://review.opendev.org/c/openstack/kolla-ansible/+/828757
10:44 <frickler> but why split it up and double the work? I also have most deployments not being public, so "public" endpoints also need DNS-01 for those. And I want wildcard certs for RGW.
10:53 <mgoddard> frickler: so use DNS-01. It's not always an option though
11:06 <opendevreview> Merged openstack/kolla-ansible stable/xena: [CI] Check fluentd errors  https://review.opendev.org/c/openstack/kolla-ansible/+/828654
11:13 <opendevreview> Merged openstack/kolla-ansible stable/wallaby: [CI] Check fluentd errors  https://review.opendev.org/c/openstack/kolla-ansible/+/828655
11:25 <sri_> hi team, when I enable prometheus in the xena release I am running into this error: "{{ groups['prometheus'][0] }}]: FAILED! => {"msg": "The field 'delegate_to' has an invalid value, which includes an undefined variable. The error was: list object has no element". Also I am only seeing this error on multinode deployment.
11:28 <sri_> is there any known bug or am I doing something wrong?
11:43 <opendevreview> Merged openstack/kolla-ansible master: Remove classic queue mirroring for internal RabbitMQ  https://review.opendev.org/c/openstack/kolla-ansible/+/824994
11:44 <priteau> sri_: you need hosts to be added to your monitoring group
11:46 <sri_> priteau: oh, my bad. Thanks Pierre :)
12:53 <opendevreview> Juan Pablo Suazo proposed openstack/kolla-ansible master: Adds services to log_rotate.  https://review.opendev.org/c/openstack/kolla-ansible/+/830433
13:31 <opendevreview> Merged openstack/kayobe master: Sync enable flag defaults with kolla ansible  https://review.opendev.org/c/openstack/kayobe/+/829114
13:41 <opendevreview> Michal Nasiadka proposed openstack/kolla master: docs: standard PTG topics list  https://review.opendev.org/c/openstack/kolla/+/830613
13:45 <opendevreview> Michal Nasiadka proposed openstack/kolla-ansible stable/xena: CI: Bump Ceph to Pacific  https://review.opendev.org/c/openstack/kolla-ansible/+/828757
13:58 <opendevreview> Mark Goddard proposed openstack/kayobe stable/xena: Sync enable flag defaults with kolla ansible  https://review.opendev.org/c/openstack/kayobe/+/830578
14:09 <opendevreview> Radosław Piliszek proposed openstack/kolla-ansible master: [WIP] [CI] Use Tenks in Ironic job  https://review.opendev.org/c/openstack/kolla-ansible/+/644271
14:14 <opendevreview> Verification of a change to openstack/kayobe master failed: CI: enable libvirt TLS in TLS job  https://review.opendev.org/c/openstack/kayobe/+/826739
14:44 <opendevreview> Michal Nasiadka proposed openstack/kolla master: docs: standard PTG topics list  https://review.opendev.org/c/openstack/kolla/+/830613
14:53 <opendevreview> Merged openstack/kayobe-config-dev master: libvirt: Don't require Virtualisation Technology (VT)  https://review.opendev.org/c/openstack/kayobe-config-dev/+/829225
14:54 <mnasiadka> mgoddard mnasiadka hrw egonzalez yoctozepto rafaelweingartne cosmicsound osmanlicilegi bbezak parallax Fl1nt frickler adrian-a - meeting in 6 minutes
15:00 <mnasiadka> #startmeeting Kolla
15:00 <opendevmeet> Meeting started Wed Feb 23 15:00:53 2022 UTC and is due to finish in 60 minutes.  The chair is mnasiadka. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00 <opendevmeet> The meeting name has been set to 'kolla'
15:01 <mnasiadka> #topic rollcall
15:01 <yoctozepto> o/
15:01 <mnasiadka> o/
15:02 <ohorecny2> \o
15:02 <frickler> o/
15:04 <mnasiadka> #topic agenda
15:04 <mnasiadka> * Announcements
15:04 <mnasiadka> * Review action items from the last meeting
15:04 <mnasiadka> * CI status
15:04 <mnasiadka> * Release tasks
15:04 <yoctozepto> mnasiadka gogo
15:04 <mnasiadka> * Current cycle planning
15:04 <mnasiadka> * Additional agenda (from whiteboard)
15:04 <mnasiadka> * Open discussion
15:04 <yoctozepto> :-)
15:04 <mnasiadka> #topic Announcements
15:05 <mnasiadka> I booked the same PTG slots as last time - Mon-Wed (Wed for Kayobe) - 13-17 UTC (13-15 UTC on Wed)
15:05 <mnasiadka> Created etherpad
15:05 <mnasiadka> https://etherpad.opendev.org/p/kolla-zed-ptg
15:05 <mnasiadka> #url https://etherpad.opendev.org/p/kolla-zed-ptg
15:05 <mnasiadka> Please put your topic proposals in there
15:06 <mgoddard> \o
15:06 <yoctozepto> (psst, it's #link)
15:06 <mnasiadka> ah
15:06 <mnasiadka> #link https://etherpad.opendev.org/p/kolla-zed-ptg
15:06 <mnasiadka> thanks yoctozepto
15:06 <yoctozepto> yw mnasiadka
15:06 <mnasiadka> #topic Review action items from the last meeting
15:06 <mnasiadka> mnasiadka post a patch for docs - standard topics that should be discussed over PTG and then revisited in mid-cycle
15:06 <mnasiadka> mnasiadka to triage security bugs and update them with resolution plan (if needed)
15:06 <mnasiadka> hrw to discuss with pynacl upstream to release binary wheel of 1.4.0 for aarch64
15:06 <mnasiadka> did first, a bit - patch posted
15:06 <mnasiadka> https://review.opendev.org/c/openstack/kolla/+/830613
15:07 <mnasiadka> second to be continued
15:07 <mnasiadka> #action mnasiadka to triage security bugs and update them with resolution plan (if needed)
15:07 <mnasiadka> #action hrw to discuss with pynacl upstream to release binary wheel of 1.4.0 for aarch64
15:07 <mnasiadka> since hrw is not here
15:07 <mnasiadka> #topic CI status
15:07 <mnasiadka> How is CI?
15:07 <mnasiadka> Whiteboard says Kayobe CI is RED due to ping issue?
15:08 <mnasiadka> (probably outdated)
15:08 <yoctozepto> k and k-a seem fine
15:08 <mgoddard> kob fixed
15:08 <mnasiadka> thanks mgoddard
15:09 <mnasiadka> #topic Release tasks
15:09 <mnasiadka> Release mgmt team has asked for Cycle highlights, I'll post up a patch and ask for reviews
15:09 <mnasiadka> #action mnasiadka to post patch for cycle highlights
15:10 <mnasiadka> #topic Current cycle planning
15:11 <mnasiadka> mgoddard: you wanted to discuss Let's Encrypt?
15:11 <mnasiadka> We can do that in the additional topics slot if you prefer
15:11 <mgoddard> yes
15:11 <mgoddard> either is fine
15:13 <mnasiadka> Ok - just a reminder: Kolla feature freeze: Mar 21 - Mar 25
15:13 <yoctozepto> it's going to be chilly in March!
15:13 <mnasiadka> So let's go with Let's Encrypt
15:13 <yoctozepto> let's go and let's encrypt indeed
15:13 <mgoddard> has anyone reviewed the patch recently?
15:13 <yoctozepto> I did not have time to read the patch
15:14 <yoctozepto> I would love a tl;dr
15:15 <mgoddard> I think we need a rethink.
15:15 <mgoddard> I don't think we can expose the HAProxy admin socket unauthenticated via TCP
15:15 <mgoddard> openstack-ansible suggests they use separate certs for each load balancer. That would avoid the sync, and greatly simplify the design. We could also use a unix admin socket. See https://docs.openstack.org/openstack-ansible/latest/user/security/ssl-certificates.html#certbot-certificates and https://opendev.org/openstack/openstack-ansible-haproxy_server
15:15 <mgoddard> we need to store the certs on disk, as well as dynamically updating HAProxy. This would be a lot easier if we only had to update the local HAProxy
15:15 <mgoddard> the bootstrapping process seems clumsy, and it concerns me that a reconfigure doesn't work. A colleague suggested using certbot standalone mode to bootstrap when we don't have certificates. That could be fiddly, but either way, I'd like to see a clean, documented way to bootstrap this (that ensures we don't overwrite the LE certs with our own self-signed ones). It might involve getting
15:15 <mgoddard> HAProxy running first to bootstrap LE, then running another deploy with everything else.
15:15 <mgoddard> the internal API support doesn't seem that useful to me, and if we're going to iterate the design then it might be easier to remove it
15:15 <mgoddard> Overall, I'd like to see a written plan for the approach, that a few people can agree on - we should have enough context at this point to agree on a design.
15:15 <mgoddard> a bit long for a tl;dr, but that was my summary comment
15:15 <yoctozepto> I was about to say that!
15:15 * yoctozepto reading
15:16 <mnasiadka> Ok, just to be clear - we're not going to support DNS-01? only HTTP-01 challenge?
15:16 <mgoddard> correct
15:17 <mnasiadka> I'm not utterly happy about that.
15:17 <mgoddard> at least for now
15:17 <mgoddard> I don't know what's involved in DNS-01
15:18 <mnasiadka> a DNS server that can be "orchestrated" or manual TXT entries in the domain
15:18 <mnasiadka> I'm just saying it might be even easier - and that's required for wildcard certificates
15:18 <mnasiadka> We don't need to expose anything.
15:19 <mgoddard> that's about as much as I know about DNS-01
15:19 <yoctozepto> the problem with DNS-01 and k-a is that k-a does not care about the user's DNS server
15:19 <mgoddard> what I don't know is whether we could provide any form of general support for it
15:20 <yoctozepto> mgoddard paraphrased me
15:20 <mnasiadka> With certbot and its semi-broken support for any normal forms of DNS-01, it might be complicated.
15:22 <mgoddard> it's proving difficult enough to implement HTTP-01. If you'd like to ask James to implement DNS-01 too he might not be wild about it
15:23 <yoctozepto> what is the admin socket on tcp for?
15:24 <mgoddard> to update the certs dynamically
15:24 <mnasiadka> So, my problem currently is that with the merged patch to Kolla - we're limiting ourselves to certbot (which in most cases won't work for most DNS-01 providers). I'm fine with first doing HTTP-01 and then DNS-01 (if it's possible to add later).
15:25 <mgoddard> this patch has been around for some time, and this is the first time I'm hearing a request for DNS-01
15:26 <frickler> couldn't the cert updates be done by a service container similar to e.g. keystone-fernet? that would need the admin socket neither via tcp nor on the host I think
15:26 <mgoddard> does anyone know how many deployments would be likely to use HTTP-01 vs DNS-01?
15:26 <mgoddard> frickler: it was like that in a previous iteration
15:27 <mgoddard> it seems that openstack-ansible just uses a different cert for each host, and avoids syncing
15:27 <mgoddard> that seems like a great simplifier to me
15:27 <mgoddard> probably we should look at their implementation
15:27 <mgoddard> (we == headphoneJames)
15:28 <frickler> for HTTP-01 vs. DNS-01, my deployments all would use the latter, but I also consider that to be out of the scope of k-a. I just need a nice interface to rotate the certs I refreshed outside of kolla
15:28 <yoctozepto> yeah, cert rotation is probably one thing to tackle
15:29 <frickler> for a general survey, does it make sense to add that question to the openstack user survey? would be some time until we get results, though
15:30 <mgoddard> probably too long, although this patch has been around for some time
15:30 <mnasiadka> yes, but from what I understand (from headphoneJames' email) HAProxy 2.2 is rejecting multi certificate pem files in the "hot reload" feature?
15:31 <mnasiadka> maybe frickler is right - we just need to focus on means to dynamically update certificates - who cares if a user is using certbot or not.
15:32 <frickler> mnasiadka: do you have a link to that email?
15:33 <mnasiadka> frickler: no, that was shared privately - I can forward
15:34 <frickler> ah, that explains why I didn't see it ;)
15:35 <mnasiadka> https://www.mail-archive.com/haproxy@formilux.org/msg40150.html
15:35 <mnasiadka> a bit related to single file with multiple certs ;-)
15:37 <mnasiadka> So - is there any rough plan for that feature?
15:38 <headphoneJames> Fyi, 2.2 did turn out to support dynamic reload
15:40 <mgoddard> sorry, had to run - poorly child
15:41 <yoctozepto> mgoddard: understandable! best wishes!
15:42 <mgoddard> what do we mean by dynamic reload without certbot here though? how would new certs get placed?
15:43 <mnasiadka> user-provided mechanism, for those that don't want to use certbot ;-)
15:43 <mnasiadka> just a kolla-ansible command to update the certs to newly uploaded ones?
15:43 <mgoddard> I suppose we could drop certs to /etc/kolla/haproxy/haproxy.pem, then provide a script to do the dynamic reload
15:45 <mnasiadka> sounds good to me, that gives us some functionality we could merge this cycle?
15:45 <mgoddard> potentially
15:46 <mgoddard> assuming headphoneJames is on board
15:46 <headphoneJames> Would we make cert bot available to kolla Ansible to generate certs?
15:47 <opendevreview> Radosław Piliszek proposed openstack/kolla-ansible master: [WIP] [CI] Use Tenks in Ironic job  https://review.opendev.org/c/openstack/kolla-ansible/+/644271
15:48 <mnasiadka> certbot container patch is merged already
15:48 <mgoddard> yes, but that's the easy part :)
15:50 <yoctozepto> yeah
15:50 <mnasiadka> as I said, I'm not a certbot user - I can understand it can fit some cases - but I'd like to also have the option of not using it - and having a separate mechanism delivering the certs to haproxy and just signalling that it should reload the cert ;-)
15:50 <headphoneJames> From what I'm reading, it sounded like the certificates would be generated during deployment instead of after the container is deployed
15:51 <mnasiadka> if we can have reliable automation for the certbot part - I'm all in (but maybe these should be separate patches)
15:51 <mgoddard> if someone can write up how dynamic reload would work in a way that would be generally useful, that would be helpful
15:52 <mgoddard> is it still using certs on the deployment host and copying those across, or does it assume some process has put them into place on the haproxy hosts?
15:53 <mnasiadka> so, for the dns-01 case, it would be nice if kolla-ansible would copy out the cert to nodes and update them in haproxy
15:54 <headphoneJames> I'm assuming the former based on this conversation
15:54 <mnasiadka> frickler: opinions?
15:54 <mgoddard> the former doesn't really work with HTTP-01
15:54 <frickler> I'm not sure how the dynamic update works
15:55 <mnasiadka> #link https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/
15:55 <mnasiadka> mgoddard: for http-01 we need to stand up a backend on each of the hosts that serve haproxy?
15:56 <mgoddard> typically, yes
15:56 <yoctozepto> afair, we were discussing that we need only https://www.haproxy.com/blog/hitless-reloads-with-haproxy-howto/
15:57 <frickler> I was just wondering whether hitless reload wouldn't be good enough in our case
15:57 <yoctozepto> (as the post mnasiadka linked suggests using if one does not have many many certs)
15:57 <yoctozepto> and that is what we discussed
15:57 <frickler> the dynamic update seems a bit overkill
15:57 <mgoddard> makes sense
15:57 <yoctozepto> the issue was we did not have the possibility to reload
15:57 <yoctozepto> and still do not have
15:57 <yoctozepto> I mean, in k-a
15:58 <yoctozepto> the reason was the file copying
15:58 <yoctozepto> as the certs have to be first copied into the running container
15:58 <mgoddard> true that
15:58 <yoctozepto> it seems the patch has grown much beyond the original plan
15:59 <mgoddard> well 1 minute to go
15:59 <frickler> can't we bindmount the certs in and update them on the host?
15:59 <mnasiadka> 1 minute to go, yes
15:59 <mnasiadka> should we have some dedicated meeting for this?
15:59 <yoctozepto> 5 sec
16:00 <yoctozepto> and go
16:00 <yoctozepto> dedicated meeting ++
16:00 <yoctozepto> the PTG
16:00 <yoctozepto> :D
16:00 <mnasiadka> probably we would like to have something merged this cycle :D
16:00 <mnasiadka> ok, let's discuss the dedicated meeting after the official meeting :D
16:00 <yoctozepto> yeah, true that
16:00 <yoctozepto> ++
16:00 <mnasiadka> thanks for joining, sorry for not covering all topics...
16:00 <mnasiadka> #endmeeting
16:00 <opendevmeet> Meeting ended Wed Feb 23 16:00:58 2022 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
16:00 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/kolla/2022/kolla.2022-02-23-15.00.html
16:00 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/kolla/2022/kolla.2022-02-23-15.00.txt
16:00 <opendevmeet> Log:            https://meetings.opendev.org/meetings/kolla/2022/kolla.2022-02-23-15.00.log.html
16:01 <yoctozepto> thanks mnasiadka
16:01 <mnasiadka> maybe a more interactive meeting like an audio call beginning next week for the Let's Encrypt feature?
16:02 <mgoddard> FWIW, here is the original spec: https://etherpad.opendev.org/p/kolla-ansible-letsencrypt-https
16:03 <headphoneJames> Fyi I'm out until Thursday next week
16:55 <opendevreview> Radosław Piliszek proposed openstack/kolla-ansible master: [WIP] [CI] Use Tenks in Ironic job  https://review.opendev.org/c/openstack/kolla-ansible/+/644271
16:56 <opendevreview> Radosław Piliszek proposed openstack/kolla-ansible master: [WIP] [CI] Use Tenks in Ironic job  https://review.opendev.org/c/openstack/kolla-ansible/+/644271
16:56 <opendevreview> Radosław Piliszek proposed openstack/kolla-ansible master: [WIP] [CI] Use Tenks in Ironic job  https://review.opendev.org/c/openstack/kolla-ansible/+/644271
18:00 <opendevreview> Merged openstack/kayobe master: CI: enable libvirt TLS in TLS job  https://review.opendev.org/c/openstack/kayobe/+/826739
20:10 <opendevreview> Juan Pablo Suazo proposed openstack/kolla-ansible master: Adds services to log_rotate.  https://review.opendev.org/c/openstack/kolla-ansible/+/830433
20:18 <opendevreview> Radosław Piliszek proposed openstack/kolla-ansible master: [WIP] [CI] Use Tenks in Ironic job  https://review.opendev.org/c/openstack/kolla-ansible/+/644271
22:23 <opendevreview> Juan Pablo Suazo proposed openstack/kolla-ansible master: Adds services to log_rotate. Fixes Bug 1961795.  https://review.opendev.org/c/openstack/kolla-ansible/+/830433
22:24 <opendevreview> Juan Pablo Suazo proposed openstack/kolla-ansible master: Adds services to log_rotate.  https://review.opendev.org/c/openstack/kolla-ansible/+/830433
22:36 <opendevreview> Pierre Riteau proposed openstack/kayobe master: ntp: Remove removal of chrony container  https://review.opendev.org/c/openstack/kayobe/+/827487
