Thursday, 2022-03-31

*** rlandy|bbl is now known as rlandy|out 01:17
*** queria is now known as Guest809 02:25
*** queria is now known as Guest811 02:31
*** soniya29 is now known as soniya29|rover 04:19
ironfoot: jamesbenson: do you mean like this? https://docs.openstack.org/kolla-ansible/latest/reference/storage/external-ceph-guide.html#radosgw 08:24
ironfoot: note the "ceph_rgw_swift_compatibility" option if you want full swift API compatibility 08:26
*** soniya29|rover is now known as soniya29|rover|lunch 10:08
*** rlandy|out is now known as rlandy 10:25
*** soniya29|rover|lunch is now known as soniya29|rover 10:27
*** soniya29|rover is now known as soniya29|rover|afk 11:18
*** soniya29 is now known as soniya29|rover 12:07
jamesbenson: @ironfoot, yes, but I'm trying to figure out what needs to be done on ceph side as well. I've enabled that option, specified my ceph_rgw_internal/external_fqdn, and ceph_rgw_port but swift still doesn't connect properly. I'm wondering if there are other configs I need either in kolla or in ceph. 12:52
ironfoot: oh, yes, you need to configure your rgw clients 13:58
ironfoot: jamesbenson: this in your ceph.conf : https://paste.openstack.org/show/bDHUimGO6oCKtRqgVwW3/ 13:59
ironfoot: jamesbenson:  the [client] header would work, but better if it's replaced with the client name (in my case for example [client.rgw.openstack-ceph1] ) 14:01
ironfoot: if you have multiple clients (rgw running in multiple nodes) you need to add one block like that for each 14:01
jamesbenson: @ironfoot.  Okay, those configs are different than what I used: https://paste.ubuntu.com/p/y5jyW7QBqy/ (this was a test environment, destroyed nightly so not worried about passwords, etc) 14:13
ironfoot: oh, you used ceph_rgw_keystone_password ? i went with keystone_admin_password and it worked. I don't know which one is right though 14:15
ironfoot: I assume you saw this: https://docs.ceph.com/en/latest/radosgw/keystone/ 14:16
jamesbenson: yes, should I use the [client] header or [client.radosgw.gateway] in the ceph.conf 14:17
ironfoot: is better the full name, but using [client] is handy to get things working 14:17
jamesbenson: I used the latter, yours had the former 14:18
jamesbenson: okay, so maybe it was just the password that was breaking things. 14:18
ironfoot: yes, this is a copy from when I was testing things recently 14:18
ironfoot: can you, from the ceph node that has radosgw running, run `curl https://192.168.1.63:35357` ? 14:19
ironfoot: I bet the answer is no, cause I don't think you can do https on an IP 14:20
jamesbenson: And you update the ceph.conf with `sudo ceph config assimilate-conf -i /etc/ceph/ceph.conf -o /tmp/bad.conf` 14:21
jamesbenson: curl: (60) SSL certificate problem: unable to get local issuer certificate 14:22
ironfoot: so, that's the problem. Have you configured your cloud with "kolla_enable_tls_internal" or "kolla_enable_tls_external" ? 14:24
ironfoot: if not, then you could try to run `curl http://192.168.1.63:35357` 14:25
ironfoot: and if that works, then just replace https with http in your configuration 14:25
ironfoot: then restart the radosgw service, and check the logs :) 14:25
jamesbenson: kolla_enable_tls_internal kolla_enable_tls_external kolla_enable_tls_backend rabbitmq_enable_tls all yes. 14:25
ironfoot: are they self-signed certificates? 14:28
ironfoot: you need to use the fqdn then, should be set in `kolla_external_fqdn` 14:29
ironfoot: but if it's self-signed it will be more complicated, you will need to install the CA certificate generated 14:29
jamesbenson: yes, self signed :-( 14:30
jamesbenson: I do have kolla_copy_ca_into_containers enabled 14:31
ironfoot: well, yes, but that won't copy the CA into your ceph cluster 14:32
ironfoot: in summary, you need to be able to run `curl` agains the url you set in "rgw keystone url" 14:32
ironfoot: against* 14:32
jamesbenson: I do have `ceph config set mgr mgr/dashboard/ssl false` 14:33
ironfoot: but this is about your ceph nodes being able to talk to keystone 14:34
jamesbenson: true 14:34
ironfoot: with the current configuration, it can't, and we can see that by using `curl` 14:34
jamesbenson: yeah, would we need to do something like this? https://documentation.suse.com/ses/7/html/ses-all/dashboard-initial-configuration.html#cert-sign-CA 14:36
ironfoot: no 14:38
ironfoot: you need to take your CA certificate (normally called ca.crt), and install it on your ceph nodes 14:38
ironfoot: not in ceph, but in the node OS 14:38
jamesbenson: it's a hyperconverged case here, ceph lives on all of my compute/controller nodes 14:39
ironfoot: then easier 14:39
ironfoot: how did you generate these certificates 14:39
jamesbenson: kolla 14:39
ironfoot: right, can you locate them? 14:39
ironfoot: and I assume you run debian? 14:39
jamesbenson: yeah, default locations.  I'm using ubuntu as host os, and cent for kolla images 14:40
ironfoot: something like `sudo cp ca.crt /usr/local/share/ca-certificates` 14:41
ironfoot: and then `sudo update-ca-certificates` 14:41
ironfoot: as explained here: https://ubuntu.com/server/docs/security-trust-store 14:41
ironfoot: (you may need to do that on multiple nodes, of course) 14:42
ironfoot: once that's done, you should be able to `curl http://{{ kolla_external_fqdn }}:35357` 14:43
jamesbenson: cool 14:44
jamesbenson: I'm thinking it'll be the external.crt?  https://pasteboard.co/PZrJK3kLNPvF.png 14:48
jamesbenson: or maybe copy all of them on ^_^ 14:50
jamesbenson: it curls!  Thank you for the help! 14:54
ironfoot: cool! 15:00
ironfoot: now you are one step closer 15:00
jamesbenson: @ironfoot, how do you update the ceph cluster once everything has been updated? 16:05
ironfoot: after ceph.conf has been modified? 16:06
ironfoot: you only need to restart the radosgw services 16:06
jamesbenson: ok 16:08
*** rlandy is now known as rlandy|rover 16:09
jamesbenson: @ironfoot, what's your timezone?  I'm UTC/GMT -5 hours (CST) 16:56
rezabojnordi: HI guys i have question 19:10
rezabojnordi: HI guys i have question? 19:10
*** rlandy|rover is now known as rlandy|out 23:08
