*** cshen has joined #openstack-ansible | 00:09 | |
*** cshen has quit IRC | 00:14 | |
*** rh-jelabarre has quit IRC | 01:40 | |
*** rh-jelabarre has joined #openstack-ansible | 01:40 | |
*** cshen has joined #openstack-ansible | 02:10 | |
*** cshen has quit IRC | 02:14 | |
*** rh-jelabarre has quit IRC | 02:28 | |
*** rh-jelabarre has joined #openstack-ansible | 02:47 | |
*** rh-jelabarre has quit IRC | 02:52 | |
*** gyee has quit IRC | 03:13 | |
*** cshen has joined #openstack-ansible | 04:10 | |
*** spatel has joined #openstack-ansible | 04:13 | |
*** cshen has quit IRC | 04:14 | |
*** evrardjp has quit IRC | 04:33 | |
*** evrardjp has joined #openstack-ansible | 04:33 | |
*** sakharkar has quit IRC | 04:52 | |
*** djhankb has quit IRC | 05:49 | |
*** djhankb has joined #openstack-ansible | 05:50 | |
noonedeadpunk | mornings! | 06:09 |
---|---|---|
noonedeadpunk | can I have extra vote on some patches? https://review.opendev.org/#/q/owner:noonedeadpunk%2540ya.ru+label:Verified+status:open | 06:10 |
*** cshen has joined #openstack-ansible | 06:10 | |
noonedeadpunk | also would be great to have https://review.opendev.org/#/c/742105/ merged | 06:25 |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible-tests master: Make focal and centos 8 functional tests voting https://review.opendev.org/749186 | 06:34 |
*** akahat is now known as akahat|rover | 07:05 | |
*** andrewbonney has joined #openstack-ansible | 07:13 | |
*** tosky has joined #openstack-ansible | 07:21 | |
*** djhankb has quit IRC | 08:01 | |
*** djhankb has joined #openstack-ansible | 08:02 | |
*** sshnaidm|bbl is now known as sshnaidm | 08:36 | |
openstackgerrit | Merged openstack/openstack-ansible-lxc_container_create master: Remove obosletd lxc_container_interface variable https://review.opendev.org/738934 | 08:38 |
*** SecOpsNinja has joined #openstack-ansible | 08:54 | |
openstackgerrit | Merged openstack/openstack-ansible-os_cloudkitty master: Use the utility host for db setup tasks https://review.opendev.org/747180 | 08:57 |
*** viks____ has joined #openstack-ansible | 09:02 | |
openstackgerrit | Merged openstack/openstack-ansible-ceph_client master: Fix ceph-client deployment for Ubuntu Focal https://review.opendev.org/748128 | 10:02 |
openstackgerrit | Merged openstack/openstack-ansible-plugins master: Replace deprecated imp module with importlib https://review.opendev.org/748840 | 10:19 |
*** mgagne has quit IRC | 10:39 | |
openstackgerrit | Jonathan Rosser proposed openstack/openstack-ansible-ceph_client stable/ussuri: Fix ceph-client deployment for Ubuntu Focal https://review.opendev.org/749242 | 11:07 |
openstackgerrit | Daniel Meloy proposed openstack/openstack-ansible-haproxy_server master: Add haproxy_backend_only flag to service template https://review.opendev.org/747391 | 11:15 |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible-os_ironic master: [DNM] test patch https://review.opendev.org/727067 | 11:37 |
mgariepy | good morning | 11:41 |
noonedeadpunk | o/ | 11:41 |
mgariepy | what's up ? | 11:41 |
noonedeadpunk | I guess we're mosntly in nternal stuff nowadays:) | 11:42 |
noonedeadpunk | and I unlearned how to type | 11:42 |
noonedeadpunk | but generally things seem pretty nice:) | 11:43 |
mgariepy | end of summer is hard for everybody. | 11:43 |
noonedeadpunk | how was your vacation?:) | 11:43 |
mgariepy | way too short | 11:43 |
noonedeadpunk | I had a really big one this year, but it still feels too short :) So I don't know if enough time of rest actually exists :p | 11:44 |
mgariepy | haha ;) yep. | 11:44 |
mgariepy | it's easy to get used to be on vacation. | 11:45 |
noonedeadpunk | just there's so many things you always put on the shelf because of the lack of the time.... | 11:45 |
mgariepy | for ovn tests, i'd wait to see the ovn tests succeed for a while before we make it in the gate job. | 11:48 |
*** chenhaw has quit IRC | 12:00 | |
*** oyrogerg has quit IRC | 12:02 | |
*** rh-jelabarre has joined #openstack-ansible | 12:03 | |
*** rh-jelabarre has quit IRC | 12:04 | |
*** rh-jelabarre has joined #openstack-ansible | 12:04 | |
openstackgerrit | Merged openstack/openstack-ansible-ceph_client master: Remove trailing '/' from ceph_apt_repo_url https://review.opendev.org/736977 | 12:07 |
openstackgerrit | Merged openstack/openstack-ansible-os_cloudkitty master: Add CentOS 8 and Ubuntu Focal support https://review.opendev.org/748476 | 12:16 |
jrosser | hmmm theres centos-7 stuff failing all over patches on mater | 12:23 |
jrosser | *master | 12:23 |
openstackgerrit | Merged openstack/openstack-ansible-tests master: Make focal and centos 8 functional tests voting https://review.opendev.org/749186 | 12:24 |
jrosser | weird nova-compute stack traces https://zuul.opendev.org/t/openstack/build/a038834887194c4ab6f94dec06d5ab91/log/logs/host/nova-compute.service.journal-10-42-23.log.txt#2729 | 12:25 |
jrosser | and another the same error https://zuul.opendev.org/t/openstack/build/ee7cb39658044384ad335e0edcbc75e7/log/logs/host/nova-compute.service.journal-11-57-52.log.txt#2747 | 12:32 |
*** dave-mccowan has joined #openstack-ansible | 12:33 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_barbican master: Updated from OpenStack Ansible Tests https://review.opendev.org/749258 | 12:34 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_blazar master: Updated from OpenStack Ansible Tests https://review.opendev.org/749259 | 12:35 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_cinder master: Updated from OpenStack Ansible Tests https://review.opendev.org/749260 | 12:35 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_cloudkitty master: Updated from OpenStack Ansible Tests https://review.opendev.org/749261 | 12:35 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_glance master: Updated from OpenStack Ansible Tests https://review.opendev.org/749263 | 12:36 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_heat master: Updated from OpenStack Ansible Tests https://review.opendev.org/749264 | 12:36 |
jrosser | ^ these are all wrong | 12:37 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_ironic master: Updated from OpenStack Ansible Tests https://review.opendev.org/749265 | 12:37 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_keystone master: Updated from OpenStack Ansible Tests https://review.opendev.org/749266 | 12:37 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_magnum master: Updated from OpenStack Ansible Tests https://review.opendev.org/745851 | 12:38 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_manila master: Updated from OpenStack Ansible Tests https://review.opendev.org/749267 | 12:38 |
*** dave-mccowan has quit IRC | 12:38 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_masakari master: Updated from OpenStack Ansible Tests https://review.opendev.org/749268 | 12:38 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_mistral master: Updated from OpenStack Ansible Tests https://review.opendev.org/749269 | 12:38 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_neutron master: Updated from OpenStack Ansible Tests https://review.opendev.org/749270 | 12:40 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_nova master: Updated from OpenStack Ansible Tests https://review.opendev.org/749271 | 12:40 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_octavia master: Updated from OpenStack Ansible Tests https://review.opendev.org/749272 | 12:40 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_placement master: Updated from OpenStack Ansible Tests https://review.opendev.org/749273 | 12:41 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_sahara master: Updated from OpenStack Ansible Tests https://review.opendev.org/749274 | 12:41 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_tacker master: Updated from OpenStack Ansible Tests https://review.opendev.org/749275 | 12:42 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_trove master: Updated from OpenStack Ansible Tests https://review.opendev.org/749276 | 12:42 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_zun master: Updated from OpenStack Ansible Tests https://review.opendev.org/749277 | 12:43 |
*** spatel has joined #openstack-ansible | 12:58 | |
noonedeadpunk | NOT MERGING THIS:) | 13:02 |
jrosser | noooooooo | 13:02 |
noonedeadpunk | jrosser: I think it's time to merge your patch | 13:02 |
jrosser | that would certainly fix this proposal bot stuff | 13:03 |
noonedeadpunk | but I think we need to abandon these though.... | 13:03 |
jrosser | its this? https://review.opendev.org/#/c/671454/ | 13:04 |
jrosser | afaik it keeps re-proposing on top of whatever outstanding changes there already are | 13:04 |
jrosser | or something...... | 13:04 |
noonedeadpunk | but then no changes will be made in patch... and I'm afraid that may break git review | 13:05 |
noonedeadpunk | or bot script | 13:05 |
noonedeadpunk | yeah, that's it | 13:05 |
*** chenhaw has joined #openstack-ansible | 13:05 | |
spatel | noonedeadpunk: good morning | 13:09 |
spatel | i have noticed senlin repo got created | 13:09 |
spatel | let me know where you want me to upload the senlin playbook and i will do that.. i have a few more questions which i will ask you in 1 hour because right now i am driving :) | 13:10 |
noonedeadpunk | I'm pretty sure it did not yet | 13:11 |
noonedeadpunk | We need this https://review.opendev.org/#/c/748683/ to get repo created | 13:11 |
*** spatel has quit IRC | 13:11 | |
noonedeadpunk | And we need mnaser's vote on it at the moment:) | 13:12 |
mnaser | ill give you a +2 instead of a +1 :) | 13:12 |
noonedeadpunk | That totally works as well :D | 13:14 |
*** chenhaw has quit IRC | 13:18 | |
*** cshen has quit IRC | 13:21 | |
openstackgerrit | Erik Berg proposed openstack/openstack-ansible-ceph_client stable/ussuri: Remove trailing '/' from ceph_apt_repo_url https://review.opendev.org/749282 | 13:22 |
SecOpsNinja | im trying to enable magnum but im always getting SSL handshake failure in haproxy when magnum tries to communicate with keystone. any ideas what i could be doing wrong? i was thinking of enabling openstack_service_adminuri_proto and openstack_service_internaluri_proto for https but i think i will get more errors (and i would probably need to enable ssl in all modules that is going to give more problems) | 13:29 |
jrosser | SecOpsNinja: you should not need to put SSL on the internal endpoint for magnum | 13:29 |
jrosser | can you describe what the issue is? | 13:30 |
SecOpsNinja | the problem is, from what im seeing in magnum.conf, it always used the public endpoint for keystone | 13:30 |
jrosser | are you seeing an issue with the magnum container contacting keystone public endpoint? | 13:31 |
jrosser | or are you seeing an issue with the heat agent / cloud-init stuff in a magnum VM contacting the keystone public endpoint? | 13:32 |
SecOpsNinja | jrosser, when i try to use openstack coe cluster list --insecure i always get SSL exception connecting to https:// (HTTP 500) and following the logs the haproxy is the one that delivers that error with "keystone_service-front-1/1: SSL handshake failure" | 13:32 |
SecOpsNinja | the problem is communicating with keystone from what im seeing in haproxy logs | 13:32 |
SecOpsNinja | and in os_magnum ansible roles the magnum.conf.j2 always uses {{keystone_service_publicurl }} that is https | 13:34 |
SecOpsNinja | i normally have problems in utility container when communicating with openstack client and i need to add the --insecure flag | 13:35 |
SecOpsNinja | but i think its because openstack-ansible is using a self signed certificate | 13:35 |
*** pcaruana has quit IRC | 13:36 | |
SecOpsNinja | and if i use curl to go to keystone public endpoint it works correctly so i suppose its in the way that magnum connects with the keystone endpoint but can't understand what im missing | 13:36 |
*** pcaruana has joined #openstack-ansible | 13:36 | |
*** chenhaw has joined #openstack-ansible | 13:37 | |
jrosser | SecOpsNinja: you can put --debug on the openstack cli to see exactly what is being called | 13:38 |
SecOpsNinja | jrosser, hum ok that is easier to troubleshoot. ok from what im seeing the magnum endpoint is returning 500 in GET /CLUSTER and the reason is SSL exception connecting to https://x.x.x.x:5000/v3/auth/tokens: HTTPSConnectionPool(host='x.x.x.x', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed' | 13:43 |
jrosser | SecOpsNinja: what version of openstack is this? | 13:44 |
SecOpsNinja | 21.0.0 | 13:44 |
SecOpsNinja | jrosser, this what im getting http://paste.openstack.org/show/797328/ | 13:49 |
jrosser | SecOpsNinja: do any of the other coe commands work, like show a template? | 13:51 |
SecOpsNinja | jrosser, no because all communication that magnum tries to make with keystone always returns keystone_service-front-1/1: SSL handshake failure | 13:54 |
*** cshen has joined #openstack-ansible | 13:54 | |
SecOpsNinja | and looking at haproxy, the SSL handshake failures were in keystone_service-front-1/1 either from magnum or another communication from infra host | 13:57 |
*** cshen has quit IRC | 13:58 | |
*** cshen has joined #openstack-ansible | 14:26 | |
*** spatel has joined #openstack-ansible | 14:30 | |
spatel | noonedeadpunk: i am here now | 14:30 |
spatel | so what is this patch about https://review.opendev.org/#/c/748683/ | 14:32 |
*** sshnaidm has quit IRC | 14:34 | |
noonedeadpunk | it's creating repo for os_senlin | 14:45 |
*** mgariepy has quit IRC | 14:48 | |
spatel | noonedeadpunk: just trying to learn process, 1. create repo, 2. upload playbooks on those repo? | 14:51 |
noonedeadpunk | yep) | 14:51 |
*** mgariepy has joined #openstack-ansible | 14:51 | |
*** sshnaidm has joined #openstack-ansible | 14:53 | |
jrosser | SecOpsNinja: i don't have anything totally helpful for you right now as I don't have a magnum deployment to investigate with | 14:54 |
jrosser | but trying to reproduce this in an AIO would be useful | 14:55 |
SecOpsNinja | i have captured the magnum tls communication with haproxy and will see if i can find what is causing this... | 14:55 |
jrosser | i think this comes down to deciding if it is 1) error in magnum.conf 2) bug in magnum | 14:56 |
SecOpsNinja | because from what i saw in haproxy documentation they all say that SSL handshake error is a problem in the ssl communication and need to check client and server settings to see what is causing it... | 14:56 |
SecOpsNinja | regarding magnum.conf the only way is for me to disable https/ssl for keystone public domain and see if it resolves because i can't find any more settings available in magnum role | 14:57 |
jrosser | i am not sure the haproxy log is really too useful | 14:57 |
jrosser | the magnum api log will be the place that error is generated | 14:57 |
noonedeadpunk | spatel: https://opendev.org/openstack/openstack-ansible-os_senlin created:) | 14:57 |
SecOpsNinja | the magnum log reports the error returned by haproxy ssl handshake error | 14:58 |
SecOpsNinja | that is what is reported by openstack client | 14:58 |
jrosser | the error comes from magnum | 14:58 |
SecOpsNinja | it comes from magnum after not being able to communicate with keystone by its public endpoint... let me put the log of magnum here | 14:59 |
SecOpsNinja | jrosser, this is what the magnum api returns http://paste.openstack.org/show/797340/ | 15:01 |
spatel | noonedeadpunk: +1 | 15:02 |
spatel | jrosser: looks like this is the same magnum issue i was talking about last week, they don't have valid cert so they failed to connect. | 15:02 |
SecOpsNinja | jrosser, regarding that log my conclusion is that it's an SSL problem regarding magnum client and haproxy | 15:03 |
jrosser | spatel: your issue was from the heat agent in the VM wasnt it? | 15:03 |
jrosser | spatel: this is from magnum api -> keystone | 15:03 |
spatel | magnum and heat work together so i have to disable cert validation on both | 15:03 |
spatel | client---ssl--->magnum ---ssl---> heat | 15:04 |
SecOpsNinja | in wireshark one interesting part is that magnum sends a tlsv1.2 package to keystone public endpoint saying level:fatal: Description: Unknown CA | 15:04 |
jrosser | this is all getting a bit circular :) | 15:04 |
openstackgerrit | Merged openstack/openstack-ansible-plugins master: Use templated jobs instead of setting independent set https://review.opendev.org/748847 | 15:04 |
jrosser | ideally the magnum api would talk to keystone on the internal endpoint | 15:05 |
jrosser | then this problem would not happen | 15:05 |
SecOpsNinja | yep in os magnum is using the public endpoint for keystone and authtoken | 15:06 |
spatel | jrosser: Yes | 15:06 |
jrosser | SecOpsNinja: the trouble is that there are mixed concerns here | 15:06 |
spatel | jrosser: majority time to solve this issue i use my company valid certificate so i never this this issue. | 15:06 |
jrosser | magnum api is communicating with things that are external to the cloud, and internal | 15:07 |
spatel | jrosser: this is only AIO problem if you running openstack in production i am assuming people go with valid certs | 15:07 |
jrosser | no it is more of a problem than that | 15:07 |
spatel | hmm. | 15:07 |
SecOpsNinja | atm we are using openstack in a testbed behind a VPN so no need for valid certificate | 15:07 |
jrosser | there are several people deploying OSA with mgmt networks that cannot talk to the external endpoint | 15:07 |
jrosser | i am one of those | 15:08 |
jrosser | so if a service (like magnum) chooses the wrong endpoint, it's game over | 15:08 |
jrosser | if you NAT the mgmt network to the external network and allow traffic with whatever firewall rules then all this internal->external traffic is magically working | 15:09 |
*** waxfire has quit IRC | 15:09 | |
*** waxfire has joined #openstack-ansible | 15:10 | |
spatel | jrosser: what do you mean deploy OSA with mgmt network? | 15:10 |
SecOpsNinja | but my external endpoint is a vip in the mgmt network and we aren't using AIO | 15:10 |
jrosser | SecOpsNinja: ok thats no problem, but that doesnt make it correct for the magnum service to be trying to connect to the external endpoint | 15:11 |
spatel | I have lab machines with single NIC and i just run deploy script of AIO. (is there any other method to avoid this SSL disaster?) | 15:12 |
SecOpsNinja | yep but the problem is in there https://github.com/openstack/openstack-ansible-os_magnum/blob/master/templates/magnum.conf.j2 where you use the public url to keystone for auth and auth token | 15:13 |
openstackgerrit | Merged openstack/openstack-ansible-tests master: Add _oslodb_login_host to db_setup tasks. https://review.opendev.org/671454 | 15:13 |
SecOpsNinja | because the majority is configured with the variable keystone_service_publicurl | 15:13 |
SecOpsNinja | so if i change this to internaluri it probably works? | 15:14 |
spatel | SecOpsNinja: yes it should work then, many times i change openstack endpoint --set to internal to avoid this issue. | 15:15 |
*** zerozephyrum has joined #openstack-ansible | 15:17 | |
SecOpsNinja | spatel, i didn't understand the openstack endpoint set part. how do you avoid the ansible configurations? | 15:19 |
*** spatel has quit IRC | 15:21 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_aodh master: Updated from OpenStack Ansible Tests https://review.opendev.org/749335 | 15:23 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_designate master: Updated from OpenStack Ansible Tests https://review.opendev.org/749336 | 15:23 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_gnocchi master: Updated from OpenStack Ansible Tests https://review.opendev.org/749337 | 15:23 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_magnum master: Updated from OpenStack Ansible Tests https://review.opendev.org/745851 | 15:24 |
*** cshen has quit IRC | 15:24 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_murano master: Updated from OpenStack Ansible Tests https://review.opendev.org/745856 | 15:24 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_panko master: Updated from OpenStack Ansible Tests https://review.opendev.org/749338 | 15:24 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/openstack-ansible-os_rally master: Updated from OpenStack Ansible Tests https://review.opendev.org/749339 | 15:24 |
SecOpsNinja | jrosser, so to confirm atm the magnum.conf should be pointing to the internaluri instead of the public right? regarding the ssl the problem seems to be in the self-signed certificate right? so i can try to make the change to internaluri and if it works i can try to make a patch but ofc this would resolve the SSL problem is all enable https and ssl in internal and admin uri | 15:25 |
jrosser | i keep trying to explain that its 'complicated' | 15:26 |
jrosser | the magnum api needs to talk to keystone/heat/whatever in order to function, and that must happen over the internal endpoint | 15:27 |
jrosser | magnum must also respond correctly when you use openstack cli from the utility container | 15:27 |
jrosser | and also when one of your users interacts with the magnum API externally, who cannot contact the internal endpoints | 15:27 |
SecOpsNinja | jrosser, sorry for all the questions but if i understand correctly, all the internal communication between each openstack should be using the internal one, and only external clients to the openstack should be using the public uri right? so whats the problem? or is it something that the openstack components need to access that is only exposed in public uris and not on the internal uris? | 15:34 |
*** waxfire has quit IRC | 15:34 | |
*** waxfire has joined #openstack-ansible | 15:35 | |
SecOpsNinja | because i dont have my openstack installation publicly available i can try to disable the https/ssl in all endpoints but i would like to use the https in public uri to detect all these possible errors in configurations | 15:36 |
jrosser | you are seeing the magnum service try to use keystone | 15:38 |
jrosser | and it connects to the external endpoint and fails due to the untrusted cert | 15:38 |
jrosser | ideally when magnum *itself* contacts keystone it would use the internal endpoint so there would not be a problem | 15:39 |
*** spatel_ has joined #openstack-ansible | 15:41 | |
spatel_ | Damn IRC chat kicking me out from channel | 15:41 |
SecOpsNinja | so what do you recommend to try to bypass this issue? patch os_magnum role to use the internaluri, for the configuration of the public endpoint to use a valid cert or disable the ssl in keystone + heat + magnum (i understand that this change would apply only to the https endpoints that at this moment is only the public one) | 15:49 |
*** sshnaidm is now known as sshnaidm|bbl | 15:50 | |
jrosser | like i said earlier.... | 15:51 |
jrosser | jrosser> i think this comes down to deciding if it is 1) error in magnum.conf 2) bug in magnum | 15:51 |
jrosser | and i don't know which of those this is | 15:51 |
jrosser | there are some big deployments using OSA with magnum so i'm suspecting that with a valid certificate things are more straightforward | 15:52 |
jrosser | having the internal and external VIP on the same network also introduces a degree of "everything can talk to everything" which may not be representative of a production deployment | 15:55 |
jrosser | it would be good to make your testbed be structurally as similar to your intended production deployment as possible in this respect in order to catch issues early | 15:56 |
noonedeadpunk | #startmeeting openstack_ansible_meeting | 16:00 |
openstack | Meeting started Tue Sep 1 16:00:44 2020 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. | 16:00 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 16:00 |
*** openstack changes topic to " (Meeting topic: openstack_ansible_meeting)" | 16:00 | |
openstack | The meeting name has been set to 'openstack_ansible_meeting' | 16:00 |
noonedeadpunk | #topic office hours | 16:00 |
*** openstack changes topic to "office hours (Meeting topic: openstack_ansible_meeting)" | 16:00 | |
noonedeadpunk | So, the main thing that needs to be announced, is that we have os_senlin repo https://opendev.org/openstack/openstack-ansible-os_senlin | 16:01 |
jrosser | spatel_: push a patch for senlin! | 16:02 |
noonedeadpunk | And spatel_ has previously volunteered to get the role for senlin project | 16:02 |
noonedeadpunk | yeah! | 16:02 |
jrosser | i was wondering about all these failing jobs for centos-7 on master | 16:02 |
noonedeadpunk | I guess it needs also https://review.opendev.org/#/c/748693/ | 16:02 |
noonedeadpunk | oh, yeah, that's also great question.... | 16:03 |
jrosser | two possible things we can do there - investigate with nova/oslo because it's the same error in lots of jobs | 16:03 |
jrosser | or we drop the centos-7 jobs | 16:03 |
noonedeadpunk | I also noticed that centos8 functional for galera fails, which means that probably cluster would be broken | 16:04 |
noonedeadpunk | and we're good only for aio deployments... | 16:04 |
noonedeadpunk | worth placing just noop task though... | 16:05 |
noonedeadpunk | as maybe it's related to 10.5 only... | 16:06 |
spatel_ | noonedeadpunk: fyi, i am running centos8 with 3 controller nodes and my 3 node galera cluster (10.4) working fine. | 16:06 |
noonedeadpunk | btw returning to galera, I think we need to decide the destiny of galera_client role | 16:06 |
noonedeadpunk | spatel_: ok, good to know) | 16:07 |
noonedeadpunk | then it may be really related to 10.5 which is quite another question | 16:07 |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible-galera_server master: [DNM] noop https://review.opendev.org/749354 | 16:07 |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible-os_cloudkitty stable/ussuri: Add CentOS 8 and Ubuntu Focal support https://review.opendev.org/749355 | 16:08 |
noonedeadpunk | jrosser: we can also add this single test to the blacklist as well | 16:12 |
noonedeadpunk | but tbh worth dropping centos7 | 16:12 |
noonedeadpunk | I think we've almost finished cherry-picking everything to U | 16:13 |
admin0 | my aio stops at this error: os_ceilometer : Initialize Gnocchi database by creating ceilometer resources .. is that normal ? | 16:13 |
admin0 | its an AIO | 16:13 |
noonedeadpunk | admin0: not really.... | 16:13 |
jrosser | noonedeadpunk: what do you think of this https://zuul.opendev.org/t/openstack/build/86acf3990e094afaa2648c894a67e71d/log/logs/host/nova-compute.service.journal-14-17-08.log.txt#2781-2783 | 16:19 |
jrosser | it is outside the venv, is that to be expected? | 16:19 |
noonedeadpunk | libvirt may generate this.... | 16:22 |
noonedeadpunk | we symlink bunch of things into venv.... | 16:22 |
noonedeadpunk | so such request may be kind of valid... | 16:23 |
noonedeadpunk | hm, but we don't symlink for centos7... | 16:23 |
noonedeadpunk | we do for 8 and ubuntu | 16:24 |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible master: Decrease amount of jobs and update distros https://review.opendev.org/746881 | 16:25 |
noonedeadpunk | I've updated ^ to remove centos-7 jobs | 16:25 |
noonedeadpunk | but not sure I can just drop jobs.... | 16:27 |
openstackgerrit | Dmitriy Rabotyagov (noonedeadpunk) proposed openstack/openstack-ansible master: Decrease amount of jobs and update distros https://review.opendev.org/746881 | 16:27 |
noonedeadpunk | they can be used somewhere directly.... | 16:27 |
jrosser | yes, need to do this http://codesearch.openstack.org/?q=openstack-ansible-deploy-aio_metal-centos-7 | 16:29 |
jrosser | then a bunch of patches to undo all those | 16:29 |
jrosser | for each job we want to delete worth a check with codesearch | 16:29 |
noonedeadpunk | since we need quick fix right now, let's drop them from template to unblock some things, and then will leave jobs removal for cleanup | 16:30 |
jrosser | i have some patches for the remainder of removing centos-7 and suse as well | 16:31 |
jrosser | should rebase those and get them in order to merge | 16:31 |
noonedeadpunk | Yeah, I guess it's about time to start this | 16:32 |
jrosser | i am kinda concerned about all this magnum endpoint stuff keeps coming up | 16:32 |
noonedeadpunk | (despite being pretty loaded now because of some incidents | 16:32 |
jrosser | seems to be recurring, cost us may weeks of debugging here | 16:32 |
jrosser | *many weeks | 16:33 |
noonedeadpunk | I was facing some issue but it was due to missing passing X-Forwarded-For in haproxy endpoint | 16:35 |
noonedeadpunk | As heat unlike all other services really relies on the output of endpoint root (ie 172.29.238.100:5000) so if it sees http there, it will ignore keystone's endpoint and will ask for http | 16:37 |
noonedeadpunk | and answer there depends on proto passed | 16:37 |
noonedeadpunk | s/X-Forwarded-For/X-Forwarded-Proto/ | 16:37 |
*** gyee has joined #openstack-ansible | 16:38 | |
*** sshnaidm|bbl is now known as sshnaidm | 16:46 | |
noonedeadpunk | sorry need to leave, so will end meeting 10 mins earlier | 16:50 |
noonedeadpunk | #endmeeting | 16:50 |
*** openstack changes topic to "Launchpad: https://launchpad.net/openstack-ansible || Weekly Meetings: https://wiki.openstack.org/wiki/Meetings/openstack-ansible || Review Dashboard: https://bit.ly/2SAcGAn" | 16:50 | |
openstack | Meeting ended Tue Sep 1 16:50:07 2020 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:50 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/openstack_ansible_meeting/2020/openstack_ansible_meeting.2020-09-01-16.00.html | 16:50 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/openstack_ansible_meeting/2020/openstack_ansible_meeting.2020-09-01-16.00.txt | 16:50 |
openstack | Log: http://eavesdrop.openstack.org/meetings/openstack_ansible_meeting/2020/openstack_ansible_meeting.2020-09-01-16.00.log.html | 16:50 |
*** sshnaidm is now known as sshnaidm|afk | 17:11 | |
openstackgerrit | Satish Patel proposed openstack/openstack-ansible-os_senlin master: First commit of os_senlin role https://review.opendev.org/749365 | 17:12 |
spatel_ | noonedeadpunk: jrosser here i pushed os_senlin - https://review.opendev.org/#/c/749365/ | 17:13 |
noonedeadpunk | spatel_: you should drop releasenotes at least xd | 17:16 |
spatel_ | whole directory? | 17:16 |
spatel_ | let me empty them | 17:17 |
noonedeadpunk | um not really directory, just older branches | 17:17 |
noonedeadpunk | just leave unreleased | 17:17 |
noonedeadpunk | (and drop references in https://review.opendev.org/#/c/749365/1/releasenotes/source/index.rst) | 17:18 |
spatel_ | ok | 17:18 |
*** cshen has joined #openstack-ansible | 17:19 | |
openstackgerrit | Satish Patel proposed openstack/openstack-ansible-os_senlin master: Removing older releasenote. https://review.opendev.org/749367 | 17:22 |
spatel_ | hold on, let me delete that patch and re-submit, i messed up something and git is angry on me. | 17:23 |
*** cshen has quit IRC | 17:23 | |
mgariepy | spatel_, git commit --amend | 17:24 |
spatel_ | i missed that first time but then i did again so i created new patch https://review.opendev.org/749367 | 17:24 |
spatel_ | is that normal ? | 17:24 |
jrosser | if you miss the --amend first time it will create a new patch | 17:25 |
jrosser | there are as many patches as you have things in git log | 17:25 |
spatel_ | jrosser: look like it did create new patch (do you think i should delete and re-commit fresh one?) | 17:26 |
spatel_ | let me do fresh one anyway this is new project so what can go wrong. | 17:27 |
jrosser | you should fix up the first one | 17:27 |
mgariepy | you added a patch on top of your first one and when you hit review, it will create a new one with the parent set as the other patch. | 17:27 |
jrosser | this would be a superb time to learn about git rebase -i | 17:27 |
jrosser | if you do 'git rebase -i' | 17:28 |
spatel_ | let me do that | 17:28 |
jrosser | then in the editor put 'squash' against the new patch | 17:28 |
jrosser | quit the editor | 17:28 |
jrosser | should be done | 17:28 |
-spatel_- [spatel@os-osa openstack-ansible-os_senlin]$ git rebase -i | 17:28 | |
-spatel_- Successfully rebased and updated refs/heads/master. | 17:28 | |
jrosser | oh sorry | 17:28 |
jrosser | git rebase -i <sha of first commit> | 17:29 |
spatel_ | jrosser: how do i find sha of first commit? | 17:30 |
jrosser | git log | 17:30 |
-spatel_- [spatel@os-osa openstack-ansible-os_senlin]$ git rebase -i fd0afb07a08c3d9c777ab6ace7271958e2e63f7a | 17:31 | |
-spatel_- Successfully rebased and updated refs/heads/master. | 17:31 | |
spatel_ | do i need to do git review? | 17:32 |
mgariepy | jrosser, have you played with the new focal auto-install preseed stuff ? | 17:32 |
jrosser | spatel_: you need to check that you've squashed the two commits together | 17:32 |
mgariepy | it's kinda neat, it's a bit easier to debug than the d-i preseed | 17:32 |
jrosser | and that you've got the change-id of the original still | 17:32 |
jrosser | mgariepy: hmm no, not looked at that yet | 17:33 |
mgariepy | the downside is the way you need to boot the servers, it needs to download the whole 900M iso | 17:33 |
spatel_ | jrosser: "git rebase -i fd0afb07a08c3d9c777ab6ace7271958e2e63f7a" put me in editor. do i need to do anything there? (sorry i am not very good at git except commit/review :(0 | 17:34 |
jrosser | on the line of the commit you want to squash into the previous one, change the first word to "squash" | 17:35 |
jrosser | then quit the editor | 17:35 |
spatel_ | it has these two line | 17:39 |
-spatel_- pick a9383aa First commit of os_senlin role | 17:39 | |
-spatel_- pick b0fbe3d Removing older releasenote. | 17:39 | |
jrosser | change 'pick' to 'squash' on the second line | 17:39 |
jrosser | then quit the editor | 17:39 |
spatel_ | ok | 17:39 |
jrosser | it should then show you both commit messages in an editor | 17:40 |
jrosser | delete the bits that are not needed | 17:40 |
spatel_ | oh crap i just save file and exit out | 17:40 |
jrosser | so you now have just one commit but a bad commit message? | 17:41 |
spatel_ | This is what it did - http://paste.openstack.org/show/797346/ | 17:42 |
SecOpsNinja | one question its considered safe to expose the public endpoints to the internet? i think to resolve the magnum solution the easier solution would to enable the public endpoint vip to the internet and see it if resolves. regarding the internal vip it shouldn't be in the same br-mgmt? | 17:42 |
jrosser | spatel_: that looks fine as now the releasenotes are deleted | 17:43 |
mgariepy | spatel_, on a quick glance it seems fine. | 17:44 |
jrosser | i think you have merged the two commits together | 17:44 |
jrosser | just check that the commit message is good | 17:44 |
jrosser | and if not, fix it with git commit --amend | 17:44 |
*** djhankb has quit IRC | 17:44 | |
*** dirk has quit IRC | 17:44 | |
*** alvinstarr has quit IRC | 17:44 | |
jrosser | SecOpsNinja: a public cloud would expose the public https endpoint to the internet, otherwise users could not use the cloud | 17:45 |
jrosser | but it is up to you to decide how you architect that, there is no fixed way that should be | 17:45 |
jrosser | the openstack management network (br-mgmt) should not be accessible from the internet | 17:46 |
*** djhankb has joined #openstack-ansible | 17:46 | |
*** dirk has joined #openstack-ansible | 17:46 | |
*** alvinstarr has joined #openstack-ansible | 17:46 | |
*** djhankb has quit IRC | 17:46 | |
spatel_ | jrosser: you are saying commit message showing two commit so fix that? | 17:46 |
SecOpsNinja | ok i was checking another solution and that was in this https://docs.openstack.org/magnum/latest/configuration/sample-config.html to put verify_ca = true to disable the validation of the self signed of keystone | 17:46 |
*** djhankb has joined #openstack-ansible | 17:47 | |
jrosser | spatel_: i don't know what you did :) git rebase -i will (i think) show you both commit messages and you choose the bits that you want in the editor | 17:47 |
openstackgerrit | Satish Patel proposed openstack/openstack-ansible-os_senlin master: First commit of os_senlin role https://review.opendev.org/749365 | 17:47 |
SecOpsNinja | yep the br-mgmt isn't accessible from the internet. i only put the external vip and internal vip there for easy access but that is accessed but firewall rules and vpn access | 17:47 |
*** noonedeadpunk has quit IRC | 17:48 | |
jrosser | SecOpsNinja: verify_ca = 'Indicates whether the cluster nodes validate the Certificate Authority' | 17:48 |
spatel_ | jrosser: even i am also confused, now this is what i am seeing - https://review.opendev.org/#/c/749365/ | 17:48 |
jrosser | this is the VM created by heat on behalf of magnum | 17:48 |
jrosser | not the magnum service itself | 17:49 |
jrosser | spatel_: it looks ok | 17:49 |
spatel_ | can i delete? - https://review.opendev.org/#/c/749367/1 | 17:49 |
SecOpsNinja | :( | 17:49 |
jrosser | spatel_: yes | 17:49 |
SecOpsNinja | jrosser, but atm i think the problem in the communication of magnum with openstack api and i think that verify_ca = false would resolve. ofc the public endpoint of its service would be served by haproxy cert (that in the future can be a valid one) | 17:51 |
SecOpsNinja | even if i create a private CA e would need to fill the openstack_ca_file option, right? | 17:52 |
spatel_ | jrosser: done, and thank you for helping me out :) | 17:52 |
jrosser | spatel_: git rebase -i is really cool | 17:52 |
jrosser | it means you can make many small commits as you go | 17:52 |
jrosser | kind of without too much worry, fix typo here, bug there, reformat blah blah | 17:52 |
jrosser | then when you are done you can reorder and merge all the little commits together into something clean and ready to push | 17:53 |
jrosser | just changing the order of the lines in the editor that git rebase -i puts up re-orders your local git history | 17:53 |
jrosser | SecOpsNinja: again i think that openstack_ca_file is for the benefit of the VM created by heat for magnum | 17:54 |
jrosser | that is when you need to insert the specific CA into the magnum worker VM so that they can trust the external endpoint | 17:55 |
SecOpsNinja | im testing that atm | 17:55 |
jrosser | to make magnum itself trust a private CA you need to insert it into the system CA store and adjust the magnum systemd unit to set REQUESTS_CA_BUNDLE environment variable to point to that rather than the one from certifi | 17:56 |
SecOpsNinja | ok so the solution for what im seeing it expose the public endpoint or disable https if i dont want to expose. | 17:58 |
SecOpsNinja | again thanks for the help jrosser and spatel_ i will try tomorrow to expose it | 17:59 |
jrosser | or you can keep it private with a genuine certificate | 17:59 |
SecOpsNinja | when you say genuine certificate is using a private CA and generating certificates for each of the public domains, right? | 18:01 |
jrosser | you can buy a certificate | 18:04 |
jrosser | so long as your DNS points to the right thing you are good | 18:04 |
jrosser | but this is a long way from OSA stuff | 18:04 |
jrosser | but also private CA is possible, i have a cloud like that but it is quite involved to get everything right | 18:05 |
SecOpsNinja | yep im seeing that.... | 18:05 |
SecOpsNinja | the cheaper solution would be to use lets encrypt | 18:06 |
jrosser | yes, that is supported | 18:06 |
SecOpsNinja | ok tomorrow i will test it. again thanks for your help in troubleshooting this | 18:07 |
*** SecOpsNinja has left #openstack-ansible | 18:19 | |
*** d34dh0r53 has joined #openstack-ansible | 18:23 | |
spatel_ | jrosser: we also need to patch /opt/openstack-ansible to add senlin inventory and secrets. do you want me to cut that patch? | 18:24 |
jrosser | spatel_: yes that would be good | 18:31 |
spatel_ | jrosser: doing it | 18:38 |
spatel_ | jrosser: what branch/topic i should be using for this? | 18:39 |
jrosser | you can make one up, osa-senlin for example | 18:39 |
spatel_ | ok | 18:39 |
*** d34dh0r53 has quit IRC | 18:49 | |
openstackgerrit | Merged openstack/openstack-ansible-haproxy_server master: Add haproxy_backend_only flag to service template https://review.opendev.org/747391 | 18:51 |
*** cshen has joined #openstack-ansible | 19:00 | |
jrosser | admin0: i managed to boot an nvidia vgpu on an ubuntu compute node :) | 19:04 |
*** cshen has quit IRC | 19:04 | |
mgariepy | jrosser, gamers on or a real hpc one ? | 19:06 |
jrosser | a T4 | 19:06 |
mgariepy | gamers one are kinda tricky. | 19:06 |
mgariepy | in passthrough? | 19:07 |
jrosser | it's just "RHEL ONLY" all over the documentation | 19:07 |
jrosser | so i was using a T4 as a way of validating that i could do vgpu/ubuntu before getting something really £££££ | 19:07 |
mgariepy | or in ""vgpu"" split stuff ? | 19:07 |
mgariepy | ok. | 19:07 |
jrosser | not passthrough, actual vgpu | 19:07 |
mgariepy | the issue with that is the driver on host and in vm need to be kinda sync. | 19:08 |
jrosser | i've just booted a vm with 1/16th of the T4 in it | 19:09 |
*** jbadiapa has quit IRC | 19:10 | |
mgariepy | that's nice tho. i have some colleagues that are doing it on osa+centos7 | 19:12 |
mgariepy | how tricky was it ? do you have some notes on your process ? | 19:12 |
jrosser | http://paste.openstack.org/show/797348/ | 19:13 |
jrosser | i registered for an eval licence for vgpu on the nvidia site, and downloaded the RHEL+KVM installer | 19:14 |
jrosser | which is a big zip and you need NVIDIA-Linux-x86_64-440.107-vgpu-kvm.run and NVIDIA-Linux-x86_64-440.107-grid.run from it | 19:15 |
jrosser | for ubuntu the only fix i needed to do was create /usr/lib64 directory and make a /etc/ld.so.conf.d/nvidia.conf pointing to that dir | 19:16 |
jrosser | run the installers and then i had to manually copy the .so from the unpacked installer into /usr/lib64, run ldconfig and it's working | 19:17 |
jrosser | so just a minor libraries directory difference between rhel<>debuntu | 19:17 |
jrosser | there's a chance it'll work directly with the installer if the /usr/lib64 dir is created beforehand, but i've only got this on one test node | 19:18 |
jrosser | then this for nova https://docs.openstack.org/nova/latest/admin/virtual-gpu.html | 19:19 |
*** openstackgerrit has quit IRC | 19:21 | |
mgariepy | nice. | 19:23 |
*** openstackgerrit has joined #openstack-ansible | 19:23 | |
openstackgerrit | Satish Patel proposed openstack/openstack-ansible master: Adding os_senlin role support to osa. https://review.opendev.org/749379 | 19:23 |
mgariepy | the migration / upgrade of driver nightmare would not be super fun tho. | 19:24 |
jrosser | no, but although an A100 GPU is gigantically expensive, you can carve it 7 ways | 19:25 |
jrosser | and each of those 1/7ths is 2x the performance of a T4 | 19:25 |
jrosser | so for the equivalent GPU performance you are winning if you have a lot of T4 shaped workloads | 19:26 |
mgariepy | yep indeed. | 19:28 |
*** viks____ has quit IRC | 19:28 | |
*** renich has joined #openstack-ansible | 19:52 | |
renich | good day, everyone! o/ | 19:52 |
admin0 | jrosser, how many hours you spent on making this work :) ? | 19:52 |
renich | I was wondering, is there a way to install only a subset of the components with the openstack ansible playbook? I'd like to install horizon, keystone and swift only. | 19:53 |
jrosser | admin0: half of today :) | 19:53 |
jrosser | I downloaded the driver this morning | 19:53 |
admin0 | renich, cat setup-openstack.yml and you can see that all it does is call individual playbooks | 19:53 |
admin0 | that you can run in its own | 19:53 |
admin0 | for example: root@/opt/openstack-ansible/playbooks# openstack-ansible os-keystone-install.yml | 19:54 |
renich | thanks admin0 | 19:55 |
jrosser | renich: in openstack_user_config only assign hosts for the set of services you need | 19:56 |
renich | jrosser: OK, thanks! ;D | 19:56 |
jrosser | that will empty out the ansible groups for the rest | 19:56 |
jrosser | and make sure you only get the endpoints you want in haproxy | 19:56 |
jrosser | admin0: did your gpu node work out with a different OS ? | 19:59 |
admin0 | as per cloudnull notes, he used diff controllers for the os he supports, so i am in the process to nuke 1 controller and set it up as centos | 19:59 |
admin0 | but with your news, i might drop that idea and retry with ubuntu | 20:00 |
jrosser | there’s a flag on the vgpu-kvm installer to unpack but not install | 20:01 |
jrosser | that’s how I got the .so out to put in the right place | 20:01 |
*** spatel_ has quit IRC | 20:16 | |
*** andrewbonney has quit IRC | 20:18 | |
*** BlackFX has joined #openstack-ansible | 20:25 | |
*** spatel has joined #openstack-ansible | 20:28 | |
*** spatel has quit IRC | 20:38 | |
BlackFX | Hi, I am running through the process of setting up with openstack-ansible, however it is failing while setting up the LXCs. It looks like the veths are not being created in the containers, no IPs are added to /etc/hosts and then it fails trying to gather facts from the containers with an unreachable error. Anyone have any pointers? | 20:44 |
admin0 | yeah .. i spent a few days like that BlackFX .. turned out i had an issue with my lxc-dnsmasq process | 20:45 |
admin0 | check that one out | 20:45 |
BlackFX | thanks | 20:45 |
admin0 | is it not being created, or being created, but no ip address ? | 20:45 |
BlackFX | not being created | 20:46 |
BlackFX | lxc-dnsmasq seems to be running happily | 20:46 |
admin0 | then issue would lie somewhere else .. what is the error message ? | 20:46 |
BlackFX | fatal: [infra1_cinder_api_container-3a7b835f]: UNREACHABLE! => {"changed": false, "msg": "Data could not be sent to remote host \"infra1_cinder_api_container-3a7b835f\". Make sure this host can be reached over ssh: ssh: connect to host infra1_cinder_api_container-3a7b835f port 22: Connection timed out\r\n", "unreachable": true} | 20:47 |
BlackFX | I get that for every container in the gathering facts step | 20:48 |
admin0 | lxc-ls -f .. are any containers created ? | 20:48 |
admin0 | ip link inside the containers to check if they show any net interface | 20:48 |
admin0 | and are you by any chance on master branch ? | 20:48 |
BlackFX | they are created and if I lxc-attach the only interface in them is loopback | 20:49 |
BlackFX | yes using master | 20:50 |
openstackgerrit | Merged openstack/openstack-ansible-ceph_client stable/ussuri: Fix ceph-client deployment for Ubuntu Focal https://review.opendev.org/749242 | 20:51 |
prometheanfire | this the right way to define a non-default nova AZ? https://gist.github.com/prometheanfire/d4983eebcc6644589d4472debf963350 | 20:51 |
prometheanfire | per host vars in ansible, yay | 20:51 |
BlackFX | is there a better branch to use than master? | 20:53 |
prometheanfire | whatever is stable | 20:53 |
prometheanfire | in this case stable/ussuri iirc | 20:53 |
BlackFX | thanks, trying that now | 20:55 |
jrosser | BlackFX: have you built an all-in-one yet? | 20:58 |
BlackFX | an all-in-one? | 20:58 |
redkrieg | Hi all, I'm currently preparing to upgrade my infra from rocky to stein and I'm getting an error that /etc/ceilometer is not empty, so ansible refuses to convert it to a symlink for os_ceilometer : Create ceilometer dir. I didn't see anything in a search for the error: http://paste.openstack.org/show/797354/ | 20:59 |
prometheanfire | I think I need to add it within host vars | 21:00 |
prometheanfire | yep, found it in https://docs.openstack.org/openstack-ansible/queens/reference/configuration/using-overrides.html#overriding-conf-files | 21:00 |
*** cshen has joined #openstack-ansible | 21:00 | |
BlackFX | Still the same using stable/ussuri | 21:03 |
*** cshen has quit IRC | 21:04 | |
jrosser | BlackFX: this is an all-in-one https://docs.openstack.org/openstack-ansible/latest/user/aio/quickstart.html | 21:11 |
jrosser | it puts an entire openstack into a single VM as a test/development environment | 21:11 |
BlackFX | Oh right, no haven't done that - we are trying to deploy to 7 machines | 21:12 |
jrosser | there are several reasons i would recommend that as a first step - the config is autogenerated and widely understood by folk here, it is the exact same thing that we use to validate openstack-ansible in CI dozens of times a day, and maybe for you best thing is you would end up with a miniature environment you could compare against your 7 nodes to look for differences / broken things | 21:13 |
BlackFX | Okay - I will build one | 21:20 |
jrosser | there's quite a lot of detail on that page | 21:22 |
jrosser | but simplistically it's 8core / 8G ram / 60G disk, clone the repo, checkout the branch/tag you want, scripts/bootstrap-ansible.sh, scripts/bootstrap-aio.sh, then playbooks | 21:24 |
jrosser | the rest described there is very much optional things | 21:24 |
*** zerozephyrum has quit IRC | 21:28 | |
*** cshen has joined #openstack-ansible | 21:48 | |
*** cshen has quit IRC | 21:53 | |
*** tosky has quit IRC | 22:43 | |
*** renich has quit IRC | 23:07 | |
*** renich has joined #openstack-ansible | 23:24 | |
*** djhankb has quit IRC | 23:27 | |
*** djhankb has joined #openstack-ansible | 23:27 | |
*** cshen has joined #openstack-ansible | 23:49 | |
*** cshen has quit IRC | 23:54 |