opendevreview | Michal Arbet proposed openstack/ansible-collection-kolla master: Add Podman support https://review.opendev.org/c/openstack/ansible-collection-kolla/+/852240 | 06:40 |
SvenKieske | "morning" (it's 11:08 here) :D | 09:08 |
SvenKieske | has anyone in here ever heard about https://salsa.debian.org/extrepo-team/extrepo-data/-/tree/master/repos/debian ? | 09:09 |
SvenKieske | that should be the canonical link I guess: https://salsa.debian.org/extrepo-team/extrepo-data | 09:09 |
SvenKieske | mhm, seems to be a perl script, basically: https://salsa.debian.org/extrepo-team/extrepo | 09:11 |
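(For context, extrepo is Debian's tool for enabling curated third-party repositories; basic usage looks roughly like the sketch below. The repository name is only a placeholder - check what `extrepo search` actually lists; the data files live in the salsa repo linked above.)

    sudo apt install extrepo
    extrepo search openstack          # find the entry name, if one exists
    sudo extrepo enable <repo-name>   # placeholder; use the name from the search output
    sudo apt update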
kevko | Extrepo is doing the same thing as Ansible templates 🤣 | 09:19 |
kevko | SvenKieske we are using it in our Kolla images | 09:19 |
SvenKieske | ah, we are? I was not aware of that, so why do we not use it for everything? | 09:20 |
kevko | Because this is Debian stuff | 09:21 |
SvenKieske | okay, I mean "everything" in the sense: "for everything that wants to use stuff from http://osbpo.debian.net"? | 09:22 |
SvenKieske | because that is debian stuff, I think? :) | 09:22 |
kevko | We used to use that repo when we had binary support | 09:24 |
kevko | But python3-podman is not in stable | 09:24 |
kevko | So I've built it and added it to a repo which I control | 09:24 |
kevko | And it's the OpenStack repo used for Kolla images | 09:24 |
SvenKieske | ah okay; I'm still learning about this osbpo server, so basically anybody can throw their binaries there? | 09:24 |
kevko | Debian policy doesn't allow new packages into stable if they were not migrated from unstable during the release | 09:25 |
kevko | No | 09:25 |
kevko | Only me and zigo | 09:25 |
kevko | As we are Debian developers | 09:25 |
kevko | And I used to build all Openstack packages some time ago | 09:25 |
SvenKieske | bottom line is: I really don't like importing key material via insecure http links and I was trying to find a better way.. seems it's unnecessarily complex :/ | 09:26 |
kevko | With zigo | 09:26 |
kevko | As Debian has a 2-year cycle ..and OpenStack a half-year one ..you need to have a separate repo | 09:26 |
SvenKieske | yeah and zigo pointed me at "extrepo" over in #opendev | 09:27 |
zigo | SvenKieske: I very much do not agree with you, extrepo is *extremely* simple. | 09:27 |
SvenKieske | so it seems I'm running in circles | 09:27 |
SvenKieske | zigo: I was not referring to extrepo with that comment, seems like a fairly simple perl script. just the integration situation in kolla seems complex for not yet truly understood reasons - to me. | 09:28 |
kevko | SvenKieske: ok, the situation is simple: if we want Podman support to be merged in kolla-ansible, we need the python3-podman package to be installed system-wide (Debian bookworm doesn't allow installing pip packages outside a venv) ... but the bookworm apt pool is frozen ... so I built that package for Debian and asked zigo to include it in his repo ... | 09:33 |
SvenKieske | sure, I already understood that part :) | 09:33 |
kevko | maybe it can be uploaded to bookworm backports ..but it takes some time ... | 09:34 |
kevko | and we don't have time | 09:34 |
SvenKieske | my problem is - and I fear this is again a very controversial topic(TM), where it really should not be - that it would be very, very good if we could install software in a secure way. | 09:34 |
SvenKieske | is that at least a shared goal? Because my understanding is, that it doesn't matter to most, but that might be a misunderstanding. | 09:35 |
kevko | secure way ? :D so you will be ok if I create a package with harmful code and you download it via https ? :D | 09:37 |
SvenKieske | and it should be fairly trivial to import a gpg key in a secure way, no? Well I'm actually not really sure, key handling is hard, and outside packaging gpg usage is sharply declining. | 09:37 |
SvenKieske | kevko: If you're not interested in discussing this topic in a reasonable manner that's fine for me, but then we don't have any discussion. this is not about https or gpg. | 09:37 |
kevko | The best would be if we did not rely on any external apt/yum repository at all and kept control ourselves | 09:38 |
kevko | we can add the package to the git repository and install it via dpkg ... is this safer for you ? | 09:39 |
SvenKieske | sure, I'm only commenting on proposed solutions, not on some hypothetical "best solution" that doesn't exist in reality :) so if the "best" solution we can come up with is blindly importing gpg keys over insecure channels straight from the internet, there we go I guess. | 09:40 |
SvenKieske | it's only marginally more secure - or not at all - than the venerable "curl $foo | sudo bash" | 09:41 |
SvenKieske | sorry I'm half joking also. it's just really really frustrating. | 09:41 |
zigo | SvenKieske: The secure way is *SUPER* easy: hardcode the osbpo gpg key in your ansible code. | 09:43 |
zigo | End of the story. | 09:43 |
zigo | There's no reason that I change the osbpo key... | 09:43 |
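(A minimal sketch of what "hardcode the key" boils down to on the node, shown as shell rather than the ansible task that would do it: a keyring file committed next to the deployment code instead of being fetched at run time, plus a deb822 sources entry pointing at it. The key file name, URI path and suite below are illustrative assumptions, not taken from kolla.)

    # osbpo.asc: a hypothetical armored key, exported once, reviewed, and committed
    install -D -m 0644 osbpo.asc /etc/apt/keyrings/osbpo.asc
    # /etc/apt/sources.list.d/osbpo.sources (URI path and suite are illustrative):
    #   Types: deb
    #   URIs: http://osbpo.debian.net/debian
    #   Suites: bookworm-bobcat-backports
    #   Components: main
    #   Signed-By: /etc/apt/keyrings/osbpo.asc
    apt-get update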
SvenKieske | I was actually about to suggest that, yeah | 09:43 |
zigo | I see no issue if you do that, though extrepo is probably nicer. | 09:44 |
zigo | Also, I'd strongly suggest that you arrange for an osbpo mirror in the OpenStack CI. | 09:44 |
zigo | I know wikimedia has a mirror, but that'd be the only one... | 09:44 |
SvenKieske | well yeah, in my dream world the openstack CI would have a mirror, or at least a pull-through cache of everything installed during CI, but that's not the world I live in. | 09:45 |
kevko | Yep, hardcode gpg is another way | 09:45 |
kevko | Definitely it's not that world ..and I am afraid that it never will be 🤣 | 09:46 |
SvenKieske | last time I asked about a simple pypi mirror and it was declined, because it takes too much space and apparently nobody can pay for that. | 09:46 |
SvenKieske | I wonder where all that openinfra money goes | 09:46 |
zigo | openinfra money != space sponsored by the CI sponsors | 09:47 |
SvenKieske | last time I asked about _that_ the disturbing reply was "website redesign" | 09:47 |
zigo | root@osbpo:/home/ftp/debian# du -sh . | 09:47 |
zigo | 22G. | 09:47 |
SvenKieske | yeah, I guess that answer is part of the problem and not part of the solution ;) | 09:47 |
zigo | We're talking about 22 GB of data for ALL of osbpo, meaning from jessie-kilo all the way to bookworm-bobcat ... | 09:48 |
SvenKieske | I guess the pypi mirror is more demanding, about some terabytes? also not very much imho, but alas, here we are. | 09:48 |
zigo | That's a ridiculously SMALL amount of data... | 09:48 |
SvenKieske | agreed, so it might be worth pestering fungi about it, when he's awake | 09:48 |
opendevreview | Pierre Riteau proposed openstack/kayobe master: Revert "CI: Disable bare metal testing on RL9/c9s" https://review.opendev.org/c/openstack/kayobe/+/897260 | 10:11 |
fungi | SvenKieske: when did you ask for a simple pypi mirror (as opposed to the caching proxies we currently have in the opendev collaboratory), but more importantly, what led you to believe mirroring pypi is "simple"? https://pypi.org/stats/ | 12:05 |
fungi | (this isn't just guessing either, we used to mirror pypi, but had to stop when actors like tensorflow started putting multi-gigabyte nightly snapshots in it and our servers simply couldn't keep up with the flood of new data) | 12:06 |
mnasiadka | I had problems mirroring pypi metadata downstream, poor pulp server did not keep up with that nightly :) | 12:07 |
fungi | also, the budget for the openinfra foundation is public. everyone is free to look at where the money is spent | 12:07 |
SvenKieske | fungi: I did ask a couple of weeks/months ago why it wasn't mirrored - I think that's the equivalent of asking for it to be mirrored - and as we can see that's only 17.1 TB of data. I don't know every openinfra project, but assuming that maybe not every package in there is used in openinfra, would an incomplete mirror without those tensorflow packages suffice? | 12:10 |
SvenKieske | fungi: that was in the context of the various problems we had with external pypi mirrors, which ended up with upstream mirrors being reduced because they seemed unreliable to the pypi mirroring team itself | 12:11 |
SvenKieske | I still think it's simple, I also recognize openinfra doesn't seem to be able to cough up the necessary resources. so to clarify: I think it is "simple" in the sense that all it takes is network and I/O bandwidth etc. mirroring is not exactly complicated tech. It's "only" hard if you don't have the resources. | 12:12 |
fungi | we do also mirror a subset of pypi, specifically we pre-build wheels for commonly-used packages that don't already provide them, so that job nodes don't spend extra time rebuilding them on every run | 12:13 |
SvenKieske | and that's cool :) I don't know the details, maybe that subset could get expanded? I don't know. | 12:14 |
fungi | right now all the resources we (the opendev collaboratory) have are donated by public cloud providers. attaching 17+tb of block storage to a virtual machine is nontrivial and fragile. putting a mirror of pypi on object storage would require someone to develop a glue layer for that | 12:14 |
fungi | also, it would be tough to guarantee we as a small team of a few volunteers would be able to run a mirror of pypi that is more stable than pypi itself (even cloud providers suffer major outages from time to time), we'd at best just move where the outages people complain about are | 12:16 |
SvenKieske | sure, but to give you some more credit: you are way better reachable than upstream :) also the openinfra infrastructure I could even maybe debug myself (to a certain extent). | 12:17 |
fungi | if we had to run pypi we might not be nearly as available either ;) | 12:17 |
SvenKieske | tbf I was able to reach the pypi people rather fast, but all they did was not fix the problem but shut off the offending server :D | 12:18 |
SvenKieske | all I know is that "locally" mirrored repos tend to bring down CI failures by a lot, which might relax otherwise constrained CI resources. do you disagree? | 12:20 |
SvenKieske | of course "locally" could be a stretch for 17 TB | 12:20 |
fungi | but anyway, aiui the real question was a few gigabytes for the debian-openstack team's third-party package repository. it seems to me that it would be about the same as how we already mirror the "ubuntu cloud archive" (uca), 22gb is well within the available space on our afs fileservers: https://grafana.opendev.org/d/9871b26303/afs | 12:21 |
SvenKieske | then again I'd say almost no openstack project probably needs AI frameworks mirrored locally | 12:21 |
fungi | i'll add osbpo mirroring to tomorrow's opendev sysadmins meeting agenda to double-check with the team, but the request is because kolla wants to use them in ci jobs? | 12:22 |
fungi | just making sure i have the details right | 12:22 |
SvenKieske | from what I know we currently already use it somewhere. My initial problem was retrieving gpg keys via unencrypted internet traffic, which led to the suggestion "why don't we just mirror that?" | 12:23 |
SvenKieske | a classic tale of "why do you solve problem X? solve Y instead!" as is typical in IT xD | 12:24 |
* SvenKieske feels like a character in the british comedy show "the it crowd" | 12:24 | |
fungi | why is retrieving gpg keys over an unencrypted channel a problem? is it because you're unable to check the signatures? also why are jobs retrieving signing keys at all? in our (opendev's) jobs, we serialize the public keys we expect to sign things into the job data so it's never retrieved | 12:25 |
fungi | when writing jobs we look up the public keys, check the signatures on them, then put them into the job so that one ansible task is "add this key to the package manager's keychain" | 12:26 |
SvenKieske | I didn't come up with these schemes, I only reviewed them :) so please ask kevko - he's probably gone mad from the questions already, and I can't even blame him - because everybody suggests a different method on "how to handle things correctly(TM)" | 12:26 |
fungi | not "download a key from somewhere on the internet and add it to the keychain" | 12:26 |
SvenKieske | that was another suggestion if you scroll back, just hardcode the key | 12:27 |
fungi | it's the safest method, in my opinion | 12:27 |
fungi | also the most straightforward and least prone to meet with intermittent network issues | 12:28 |
SvenKieske | again I agree - I don't really care which option gets used - transmit cryptographic keys via avian carriers - if it can be done securely, that is. | 12:28 |
SvenKieske | that's a reference to the famous april fools rfc regarding tcp/ip over avian carriers, just in case I'm being taken way too seriously :) | 12:29 |
SvenKieske | still it might be good to mirror this stuff, it would probably also relax some external network traffic and increase build speed (assuming near local connections are faster), but I'm not senior enough on our build chains to comment on potential performance improvements. at least reliability might go up (but I have never witnessed reliability issues with the debian server myself) | 12:31 |
opendevreview | Jakub Darmach proposed openstack/kolla-ansible stable/yoga: OpenSearch migration - prune old Kibana indices https://review.opendev.org/c/openstack/kolla-ansible/+/897667 | 12:56 |
opendevreview | Jakub Darmach proposed openstack/kolla-ansible stable/yoga: OpenSearch migration - prune old Kibana indices https://review.opendev.org/c/openstack/kolla-ansible/+/897667 | 13:06 |
hrw | SvenKieske: there are at least 3 rfc related to avian carriers. And some of them were even implemented. | 13:50 |
hrw | SvenKieske: when it comes to mirroring pypi - it does not make sense. There are jobs already which fetch, build, mirror, host those python packages which are in openstack/requirements project. | 13:51 |
hrw | SvenKieske: opendev CI does them for x86-64 and aarch64, for/on debian/centos/ubuntu iirc (been a while since last time I had to look there) | 13:52 |
hrw | SvenKieske: adding 'yet another repo' was often a struggle. "we need to check if there is space on AFS" was a common answer, usually followed by a discussion of 'what can we remove' | 13:53 |
hrw | SvenKieske: https://review.opendev.org/c/opendev/system-config/+/881952 for example added Debian 'bookworm' mirroring | 13:54 |
hrw | SvenKieske: read comments there | 13:55 |
SvenKieske | hrw: thanks for the information provided. also: I even reviewed that patch; if you had read it yourself you could have noticed that :) thanks for the reminder. but your statements are at least partly conflicting with fungi's above. | 13:57 |
SvenKieske | hrw: I can't parse this: "when it comes to mirroring pypi - it does not make sense. There are jobs already which fetch, build, mirror, host those python packages which are in openstack/requirements project." it's contradictory | 13:59 |
hrw | SvenKieske: s/pypi/whole pypi/ | 13:59 |
SvenKieske | yeah, I already agreed to that if you read the whole discussion. I certainly don't need tensorflow mirrored :) | 14:00 |
hrw | SvenKieske: wheel cache present on opendev CI does a bit more than just mirroring part of pypi | 14:01 |
hrw | sorry, some comments I was writing during reading | 14:01 |
SvenKieske | it's appreciated, though the original problems still persist: network calls can and will fail, introducing CI errors and inevitable performance overhead. | 14:02 |
* SvenKieske sounds like a broken record at this stage. | 14:02 | |
hrw | SvenKieske: we do not live in perfectly round world ;( | 14:03 |
SvenKieske | and of course the tiny problem of supply chain attacks, which every engineer I know who works in software supply chains likes to pretend do not exist :) | 14:04 |
SvenKieske | hrw: I violently agree :) | 14:04 |
SvenKieske | I just try everyday to make it a little more round, often failing, but still trying :) | 14:04 |
hrw | SvenKieske: there are 3rd-party repos we never asked to mirror because we don't fetch that much from them. and they fail from time to time | 14:05 |
SvenKieske | hrw: sure. I ran CI pipeline for.. idk 3-10 years at some companies. | 14:05 |
hrw | I've been building software since 2004 ;D including whole embedded distros at some point | 14:06 |
SvenKieske | in my round world I have a local mirror of everything in my build graph and only sync the parts with the outer internet that need an update. | 14:06 |
hrw | SvenKieske: happy person | 14:06 |
SvenKieske | it's my imaginary round world, please let me be happy at least there :) | 14:07 |
opendevreview | Martin Hiner proposed openstack/kolla-ansible master: Fix podman logs https://review.opendev.org/c/openstack/kolla-ansible/+/893187 | 14:15 |
opendevreview | Martin Hiner proposed openstack/kolla-ansible master: Add support of podman deployment https://review.opendev.org/c/openstack/kolla-ansible/+/799229 | 14:15 |
greatgatsby | are there any docs for rebooting (after a system upgrade) computes and controllers? I'm looking for things like VM migration strategies, amphora, HA services, etc. | 14:19 |
mnasiadka | In Kolla? I don't think so | 14:20 |
greatgatsby | I'm using kolla-ansible, and so far I haven't found anything about rebooting/shutting down a node. I don't think the answer is to simply issue a `shutdown -r now` and hope for the best, but I can't find any docs that address this. | 14:22 |
hrw | greatgatsby: compute nodes should be handled by nova so existing instances have a chance of migration | 14:25 |
jangutter | greatgatsby - for compute nodes (hypervisors) you should follow the nova guide on how to evacuate and disable the compute service on the hypervisor. Note that "evacuate" has got multiple meanings and there's important nuance! | 14:25 |
jangutter | once the hypervisor is empty and disabled, rebooting it should be fine and won't disrupt your cluster. once the services are healthy, you can re-enable it. | 14:26 |
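(Roughly, with the openstack CLI - the host and server names are examples and flag spellings vary a bit between client releases; the nova guide jangutter mentions is the authoritative source:)

    # stop scheduling new instances onto the host
    openstack compute service set --disable --disable-reason "reboot maintenance" compute01 nova-compute
    # see what is still running there and live-migrate it away
    openstack server list --all-projects --host compute01
    openstack server migrate --live-migration <server-id>
    # after the reboot, once services report healthy again
    openstack compute service set --enable compute01 nova-compute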
jangutter | for the controllers, we usually stop the containers, first stop the keepalived container, verify that the VIP has migrated, then stop the backend containers. | 14:28 |
SvenKieske | it also depends a bit on your deployment specifics. e.g. if you use ironic you might want to use ironic for server (re)boots, depending on what you want to do. e.g. if you want to shut off a server for maintenance and ironic manages its power state, you should of course do the necessary stuff in ironic (shut off the machine). | 14:28 |
greatgatsby | Thanks for the replies. Right now I'm building an ansible role for controller/compute shutdown but I feel I'm just making it up as I go | 14:29 |
jangutter | It's possible to do it more gracefully by telling haproxy to drain the backends, but there's also sql involvement, etc. | 14:29 |
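(A sketch of that order, assuming kolla's default container names; the haproxy admin socket path, backend name, and VIP address are assumptions to adjust for your deployment:)

    # optional: drain this node's backends via the haproxy runtime API first
    echo "set server <backend>/<this-controller> state drain" | socat stdio /var/lib/kolla/haproxy/haproxy.sock
    # move the VIP away and verify it is gone from this node
    docker stop keepalived
    ip -4 addr show | grep -q 192.0.2.10 && echo "VIP still here" || echo "VIP moved"
    # then stop haproxy and the remaining backend containers before rebooting
    docker stop haproxy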
SvenKieske | fwiw, you _can_ pull the plug if you have a correctly setup ha env. you will lose in flight requests of course, but especially the control plane is pretty robust. | 14:30 |
greatgatsby | yes, exactly, I'm doing or considering doing things like draining haproxy/rabbitmq/mysql on controllers, etc, just wondering if there's docs or if there's a product I could take some best practises from | 14:30 |
SvenKieske | I'm also not aware of any docs. It might be nice to write some for some generic/"most of the time right" use cases. | 14:31 |
greatgatsby | something like that would be great. Just when I (we) think we've covered everything, there's another, "oh, we could also do XYZ" | 14:31 |
jangutter | It all boils down to the request rate and number of failures you can tolerate. | 14:31 |
greatgatsby | for us, keeping things as fault-tolerant as possible is top priority. We don't want to disrupt client workloads at all, so we're trying to keep the cluster happy as a controller or compute is shut down/rebooted | 14:32 |
SvenKieske | these are the closest links to what you want I think: https://docs.openstack.org/kolla-ansible/latest/user/operating-kolla.html#upgrade-procedure and https://docs.openstack.org/kolla-ansible/latest/user/adding-and-removing-hosts.html | 14:32 |
jangutter | You can go completely and utterly paranoid, _but_ the system is pretty much designed to handle "unexpected" failures gracefully. | 14:32 |
SvenKieske | greatgatsby: that again depends on the workload: If your workload is of the "cloud native" kind where k8s does thousands of requests per minute to the openstack api, customers _will_ notice | 14:33 |
SvenKieske | at least so far I haven't been able to make the APIs sufficiently HA to always answer every request. should be possible in theory with haproxy draining etc. | 14:34 |
jangutter | Yes - in our case, we tolerate failures of _up to one minute_ but, we have the luxury of very low api rate during certain time periods. | 14:35 |
SvenKieske | tbh I didn't really try _that_ hard. a cloud api that can't deal with a temporary network failure - which can happen anytime - is broken itself imho. | 14:35 |
SvenKieske | especially k8s should have retry logic all over the place, but I have seen that fall apart as well. | 14:36 |
SvenKieske | e.g. if k8s retries an operation that openstack does not support retrying, openstack just returns a 400 API error because you can't simply retry that api call, and then k8s just happily retries again :D | 14:37 |
greatgatsby | SvenKieske: thanks, the "removing hosts" docs are along the lines of what I'm looking for. Just trying to ensure I've done everything possible to make the whole process as fault tolerant as possible. | 14:38 |
SvenKieske | for low api call envs it doesn't really matter imho, you can reboot whole clusters without customers noticing. you should only watch out for rabbitmq health and in-flight live migrations of VMs | 14:38 |
greatgatsby | rabbitmq always seems to be the trouble-maker, no matter what we do. | 14:38 |
SvenKieske | greatgatsby: sure! happy to help. it's always nice to see people caring for this stuff and not just blow up production :D | 14:38 |
greatgatsby | :-) | 14:39 |
SvenKieske | well, first you might want to check what your settings are there for an HA deployment, because if the cloud was upgraded, afaik we still do not set everything up for HA. | 14:39 |
SvenKieske | I just had one or two cases where that was partly a problem, I still need to write some docs for that. | 14:39 |
SvenKieske | you might want to check, as a beginning, this: https://docs.openstack.org/kolla-ansible/latest/reference/message-queues/rabbitmq.html#high-availability | 14:40 |
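(For reference, the switch that page documents is a globals.yml flag, roughly like this - verify the exact variable name and the migration notes against your release:)

    # /etc/kolla/globals.yml (excerpt)
    om_enable_rabbitmq_high_availability: true
    # then apply it, e.g.:
    #   kolla-ansible -i <inventory> reconfigure --tags rabbitmq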
jangutter | greatgatsby: if you have a test environment, be sure to experiment. It might be counterintuitive, but draining _could_ be more error prone and slower than a reboot on a controller. | 14:40 |
greatgatsby | yeah we've scraped every rabbitmq HA doc from various OS vendors we could find to try to tune it, still not 100% sure it's as resilient as possible | 14:40 |
greatgatsby | jangutter: thanks, never considered that | 14:41 |
SvenKieske | newer rmq versions are better, on which release are you, if I may ask? | 14:41 |
greatgatsby | yoga, hopefully zed in the next few months | 14:41 |
SvenKieske | huh | 14:41 |
SvenKieske | so the last rmq problems I saw were with exactly that upgrade :/ | 14:41 |
SvenKieske | do you know how to monitor/check the rmq queues and exchanges and the rmq cluster state? there are never "hard" errors there, but problems are pervasive and most of the time easy to fix, once you know where to look | 14:42 |
SvenKieske | I really need to write those docs :) | 14:43 |
jangutter | SvenKieske: oooh you triggered me. I've recently had issues in victoria with Neutron exchanges getting "stuck" when adding a new controller to the cluster.... | 14:43 |
mnasiadka | the rmq gui is a bit useful, rabbitmqctl cluster_status is usually useless and logs are misleading :) | 14:44 |
SvenKieske | jangutter: well the quickfix is: delete the exchange/queue and restart neutron | 14:44 |
jangutter | SvenKieske: bwahahaha, that's EXACTLY what my mitigation script does. Do you have a way to detect whether the exchange is broken? | 14:44 |
greatgatsby | mnasiadka: thanks, yeah, we check the cluster_status periodically and it almost always reports everything is ok, even when the cluster is imploding | 14:44 |
SvenKieske | mnasiadka: these days you can also list|filter all the queues via cli. it's a little bit easier in some setups because you need to first proxy the gui through ssh most of the time.. | 14:45 |
mnasiadka | basically I haven't seen a lot of RMQ issues after we implemented HA everywhere | 14:45 |
opendevreview | Michal Arbet proposed openstack/ansible-collection-kolla master: Add Podman support https://review.opendev.org/c/openstack/ansible-collection-kolla/+/852240 | 14:45 |
SvenKieske | jangutter: depends, if you have rabbitmq HA it might be the case that just some queue is out of sync; you could filter for that and simply resync it, and if you're lucky it works then :) should be faster than a neutron restart. | 14:46 |
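(For the "where to look" part, a few starting points - kolla runs rabbitmq in a container named rabbitmq, hence the docker exec prefix:)

    docker exec rabbitmq rabbitmqctl cluster_status
    # queues with a growing backlog or zero consumers are the usual suspects
    docker exec rabbitmq rabbitmqctl list_queues name messages consumers state
    docker exec rabbitmq rabbitmqctl list_exchanges name type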
opendevreview | Michal Arbet proposed openstack/ansible-collection-kolla master: Add Podman support https://review.opendev.org/c/openstack/ansible-collection-kolla/+/852240 | 14:46 |
SvenKieske | but I've only really had experience with HA problems on the old (pre-)3.8 rmq releases, if memory serves correctly. those were rather problematic. | 14:47 |
SvenKieske | then again that 3.11 setup from yoga to zed was somehow also butchered.. but it wasn't HA. | 14:47 |
SvenKieske | they just went nuclear and redeployed the complete rabbitmq service, which also worked.. so.. yeah | 14:48 |
SvenKieske | sadly you can't debug what is already deleted, it would've been interesting. I'm still waiting for feedback from another deployment where they're trying to recreate the problems in dev. | 14:49 |
jangutter | So that's good news then, we're planning our migration to yoga + rmq3.9 | 14:49 |
SvenKieske | pay attention to the erlang version, there was a very recent fix afaik to the erlang release used in yoga | 14:50 |
SvenKieske | deployment seemed to be completely broken, at least for some users | 14:50 |
SvenKieske | that one: https://review.opendev.org/c/openstack/kolla/+/897352 | 14:51 |
jangutter | yeah, we're centos 9 stream, not debian.... we got "different" issues :-p | 14:51 |
SvenKieske | well you already wrote you use stream :D | 14:52 |
mnasiadka | jangutter: you deliberately chose stream? uh | 14:53 |
SvenKieske | mnasiadka: any idea why this might still be failing? I'm starting to become clueless :/ https://zuul.opendev.org/t/openstack/build/ca7a2a6f88924b458ec32b79d007611b/log/primary/logs/build/000_FAILED_fluentd.log | 14:54 |
jangutter | mnasiadka: heh, yeah, long story. | 14:54 |
SvenKieske | I left all the wisdom I could extract in the linked changeset as a comment. the files seem fine, but fail to download from two completely separate cloud providers. | 14:55 |
mnasiadka | SvenKieske: oh boy, haven't seen that, but I'm not the APT expert here ;) | 14:55 |
mnasiadka | SvenKieske: tried to build it locally somewhere instead of OpenDev? | 14:55 |
SvenKieske | maybe I am only having bad luck and I should try thrice. | 14:55 |
SvenKieske | mnasiadka: not yet, I always fear that step :D I have PTSD from using devstack in the past.. I guess I could "just" run the kolla build container somehow. | 14:56 |
kevko | oh, i missed very interesting discussion about gpg and apt :D :D :D | 14:56 |
SvenKieske | kevko: no no, please let's put an end to that :) now I have problems downloading with apt. seems apt doesn't like me today. | 14:57 |
kevko | Unable to load bucket: packages.treasuredata.com | 14:57 |
SvenKieske | I can already see myself reading apt-get source code to track down this error code, stackoverflow is really not helpful here. | 14:57 |
kevko | just open the url ? :D | 14:57 |
SvenKieske | yeah, but when I manually navigate to the file it works? | 14:58 |
SvenKieske | mhm need to double check the URLs, I mean it's provided by fluentd folks.. | 14:58 |
kevko | https://td-agent-package-browser.herokuapp.com/lts/5/ubuntu/jammy/dists/jammy | 14:58 |
kevko | https://s3.amazonaws.com/packages.treasuredata.com/lts/5/ubuntu/jammy/dists/jammy/InRelease | 14:58 |
kevko | :D | 14:58 |
kevko | i would say they have something broken :) | 14:59 |
SvenKieske | oh come on, I hate this | 14:59 |
SvenKieske | but thanks! | 14:59 |
SvenKieske | at least I can now go file a bug.. | 14:59 |
SvenKieske | classic case of staring too long at a problem and missing the forest for the trees.. | 14:59 |
SvenKieske | mhm, could I just use that aws URL? I highly doubt it.. | 15:00 |
SvenKieske | but how does this work for anyone? I used the upstream provided URLs, with apt-get, I mean how broken can stuff be? | 15:02 |
kevko | did you try to build it locally ? | 15:02 |
mnasiadka | he's afraid :) | 15:03 |
SvenKieske | ok ok I'll try, but I fear I'll be in a whole new rabbit hole when trying to run kolla-build manually :D I've used it exclusively through CI for 3 years or so.. | 15:04 |
kevko | SvenKieske: https://td-agent-package-browser.herokuapp.com/lts/5/debian/bookworm << are you sure that this is the repo ? :D | 15:06 |
kevko | package-browser ? | 15:06 |
mnasiadka | https://docs.fluentd.org/installation/install-by-deb#step-1-install-from-apt-repository | 15:07 |
mnasiadka | here are the links to APT repos | 15:07 |
mnasiadka | (in the script) ;) | 15:07 |
kevko | no, that is the url of a debian package which is installed directly with dpkg :D | 15:10 |
kevko | :D | 15:10 |
kevko | aaaa ..that debian package is probably installing the repo | 15:10 |
SvenKieske | yes | 15:12 |
SvenKieske | I'm fairly certain I extracted the correct URL string from that, but let me double check | 15:13 |
SvenKieske | mhm it's not matching | 15:15 |
SvenKieske | it should be https://packages.treasuredata.com/lts/5/ubuntu/jammy/ | 15:15 |
SvenKieske | the thing is, if you open that link it's a 404 | 15:15 |
kevko | let me check it :) | 15:15 |
SvenKieske | I guess that is how I originally ended up with the herokuapp.com link | 15:16 |
SvenKieske | the deb package from the installer at least installs this sources file in /etc/apt/sources.list.d/ with the above 404 link | 15:17 |
SvenKieske | maybe that is also some webserver magic which provides a 404 if your user agent doesn't match apt-get | 15:17 |
kevko | why are you trying to install the apt repo via a deb package as they mention in the docs ? | 15:19 |
kevko | i think it's enough to just copy the key and render the apt sources list | 15:19 |
frickler | it doesn't matter if the base link has a 404, apt doesn't access that link, but just ./dists/jammy/InRelease behind it | 15:21 |
frickler | this is s3 storage, not usual web directory browsing | 15:22 |
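(i.e. a quick sanity check against the URL discussed above:)

    # a 404 on the base URL is expected; apt only fetches the index files beneath it
    curl -sI https://packages.treasuredata.com/lts/5/ubuntu/jammy/dists/jammy/InRelease | head -n1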
SvenKieske | yeah, but I don't do what kevko said. I don't install that deb, I just took the URL, anyway I'll provide the original URL and see if that works | 15:23 |
opendevreview | Sven Kieske proposed openstack/kolla master: bump td-agent lts from v4 to v5 https://review.opendev.org/c/openstack/kolla/+/894948 | 15:25 |
SvenKieske | I'm fairly certain it will work, thanks guys :) | 15:28 |
kevko | SvenKieske: it will | 15:29 |
kevko | because in that deb package is this | 15:29 |
kevko | root@pixla:/home/michalarbet/ultimum/git/upstream/kolla# cat /etc/apt/sources.list.d/fluent-lts.sources | 15:29 |
kevko | Types: deb | 15:29 |
kevko | URIs: https://packages.treasuredata.com/lts/5/ubuntu/jammy/ | 15:29 |
kevko | Suites: jammy | 15:29 |
kevko | Components: contrib | 15:29 |
kevko | Signed-By: /usr/share/keyrings/fluent-lts-archive-keyring.gpg | 15:29 |
kevko | (the pgp key is downloaded from a URL in kolla ..so everything should work) | 15:30 |
SvenKieske | yep :) | 15:30 |
SvenKieske | I miss the old web where you could browse to any URL and not interact with weird S3 gateways :D | 15:31 |
SvenKieske | guess I'm getting old | 15:31 |
kevko | SvenKieske: and you fixed only one occurrence | 15:33 |
kevko | michalarbet@pixla:~/ultimum/git/upstream/kolla$ git show 9e4c14fc3 | grep -i browser | 15:33 |
kevko | + url: "https://td-agent-package-browser.herokuapp.com/lts/5/debian/bookworm" | 15:33 |
kevko | + url: "https://td-agent-package-browser.herokuapp.com/lts/5/debian/bookworm" | 15:33 |
kevko | + url: "https://td-agent-package-browser.herokuapp.com/lts/5/ubuntu/jammy" | 15:33 |
SvenKieske | ah right | 15:34 |
SvenKieske | thanks, will follow up | 15:34 |
SvenKieske | there was also another error I think | 15:36 |
opendevreview | Sven Kieske proposed openstack/kolla master: bump td-agent lts from v4 to v5 https://review.opendev.org/c/openstack/kolla/+/894948 | 15:37 |
mnasiadka | have fun guys, I started the extremely interesting season of moving all customers from CentOS 8 Stream to Rocky Linux 9... | 15:38 |
SvenKieske | that sounds way more fun than fixing wrong mirror urls :D | 15:39 |
kevko | mnasiadka: it's for kids, try it from centos to debian :) | 15:41 |
mnasiadka | no thanks, that's why you're using centos libvirt on debian :) | 15:41 |
kevko | :D :D :D | 15:41 |
kevko | mnasiadka: yeah, that's the last piece :D ..but this is only one case ..because we adopted a very old cloud ... the other clouds are just debian :) | 15:42 |
mnasiadka | yeah, but I remember RH likes to ,,vendor'' their libvirt | 15:42 |
kevko | yep ! exactly :) | 15:43 |
mnasiadka | so no live migration from centos to ubuntu/debian | 15:43 |
kevko | exactly :) | 15:43 |
greatgatsby | is the rocky 9 base the most tested, or considered the most stable? We're using ubuntu in yoga, but would consider switching if rocky 9 would conform better to the defaults | 15:43 |
mnasiadka | well, there's the rpm vs deb barricade | 15:43 |
mnasiadka | you're either rpm or deb lover I guess | 15:44 |
kevko | yep | 15:44 |
kevko | greatgatsby: nothing is tested :D | 15:44 |
greatgatsby | hahahaha | 15:44 |
mnasiadka | the only thing you tested is tested | 15:44 |
kevko | greatgatsby: well, we are not running rally or tempest against our various images | 15:45 |
greatgatsby | so is it better to have the container distro match the baremetal distro? We're an ubuntu shop really | 15:45 |
kevko | it doesn't matter ..but let's say yes, it's the best option | 15:45 |
greatgatsby | thanks, ok | 15:45 |
mnasiadka | matters only when RH backports libvirt features that require kernel features (that they also backport) - so you need to have these in sync - but I don't think it happened recently | 15:47 |
kevko | for example we are using debian (or, for some customers, ubuntu) ..because of debian's package system, release cycle, python version, and no potential problems as there sometimes are with rhel derivatives (closed yum repos and similar) | 15:47 |
mnasiadka | and matters when you want some security certifications (don't remember which ones) | 15:47 |
kevko | yep | 15:48 |
kevko | amen | 15:49 |
SvenKieske | I remember vividly some ubuntu backport breaking live migrations. personally I like the rpm format more. But I only use debian/ubuntu based openstack installs so far. | 15:50 |
kevko | sometimes it depends which distro has nicer stickers for your laptop | 15:51 |
kevko | SvenKieske: when ? | 15:51 |
SvenKieske | "btw, have you heard of arch linux?" <- this is a meme where I live :D | 15:51 |
kevko | :d | 15:52 |
kevko | https://qph.cf2.quoracdn.net/main-qimg-cd9326d4d6a641ca3f0eb83cdbb92d65-lq | 15:53 |
SvenKieske | kevko: sorry, I misremembered, it was a linux kernel source backport: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1887490 | 15:56 |
SvenKieske | and canonical even claimed "It's not a regression because there is a workaround"..I'm still angry when reading such hyperbole | 15:57 |
SvenKieske | here is the relevant part where the regression is noticed: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1887490/comments/53 | 15:58 |
SvenKieske | you can't just add new cpu flags mid release and expect everything to still work. | 15:58 |
SvenKieske | just canonical things I guess | 15:58 |
kevko | RUN LINE_TO_REMOVE=$(grep -in "feature name='mpx'" /usr/share/libvirt/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml | awk -F ':' '{print $1}') && \ | 15:58 |
kevko | sed -i "${LINE_TO_REMOVE}d" /usr/share/libvirt/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml | 15:58 |
kevko | this i have in my libvirt for example | 15:58 |
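(For comparison, a single sed has the same effect, assuming that mpx feature line appears only once in the cpu map:)

    sed -i "/feature name='mpx'/d" /usr/share/libvirt/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml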
SvenKieske | lol | 15:59 |
SvenKieske | poor libvirt I guess :) | 15:59 |
SvenKieske | yeah all those cpu bugs were quite fun.. and they keep on coming | 15:59 |
SvenKieske | have you read about the latest where booting with "mitigations=off" miscompiles some stuff? :D | 16:00 |
kevko | SvenKieske: check this :D | 16:01 |
kevko | https://paste.openstack.org/show/bYBE7AjrOT6Ls6hol3Gg/ | 16:01 |
SvenKieske | what is OVMF? | 16:02 |
SvenKieske | regarding mitigations=off: https://lore.kernel.org/lkml/D99589F4-BC5D-430B-87B2-72C20370CF57@exactcode.com/ | 16:03 |
kevko | uefi firmware | 16:07 |
kevko | Open Virtual Machine Firmware (OVMF) | 16:10 |
-opendevstatus- NOTICE: The Gerrit service on review.opendev.org will be offline momentarily while we restart it for a combined runtime and platform upgrade | 16:33 | |
opendevreview | Verification of a change to openstack/kolla-ansible master failed: Fix podman logs https://review.opendev.org/c/openstack/kolla-ansible/+/893187 | 17:25 |