Friday, 2021-06-18

« Thursday, 2021-06-17 Index Saturday, 2021-06-19 »
snadgeInvalid input for operation: Flat provider networks are disabled during tempest install00:00
snadgethats simple i don't have a flat network defined, i'll override it to vlan00:02
snadgeok so i uninstalled gcc on compute1, and TASK [os_nova : Install kvm pip packages] succeeded on compute1.. but if i log into it gcc isn't installed system wide, im assuming this is expected behaviour?04:54
*** rpittau|afk is now known as rpittau08:17
opendevreviewAndrew Bonney proposed openstack/openstack-ansible master: Rename black/white list variables  https://review.opendev.org/c/openstack/openstack-ansible/+/79663608:36
opendevreviewMerged openstack/ansible-hardening master: Remove references to unsupported operating systems  https://review.opendev.org/c/openstack/ansible-hardening/+/78106109:17
*** raukadah is now known as chandankumar09:26
opendevreviewMerged openstack/openstack-ansible-os_nova master: Drop CentOS 7 specific task  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/79683010:05
opendevreviewMerged openstack/openstack-ansible-openstack_hosts master: Don't fail when openstack_pki_install_ca not defined  https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/79616310:11
opendevreviewMerged openstack/openstack-ansible-galera_server master: Replace systemd unit overrides with role  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/79604110:15
opendevreviewMerged openstack/openstack-ansible-haproxy_server master: Replace whitelist with allowlist naming  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/79662910:19
opendevreviewMerged openstack/openstack-ansible master: [doc] Update wrapper path  https://review.opendev.org/c/openstack/openstack-ansible/+/79604210:30
opendevreviewArx Cruz proposed openstack/openstack-ansible-os_tempest master: Add tempest_test_extra_test variable  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/79681810:37
noonedeadpunkjrosser: andrewbonney mgariepy I think we should merge https://review.opendev.org/c/openstack/openstack-ansible/+/795851 as we can end up in broken CI 11:30
mgariepygood morning12:33
opendevreviewJonathan Heathcote proposed openstack/openstack-ansible master: [doc] Fix 'installing with limited connectivity' reference  https://review.opendev.org/c/openstack/openstack-ansible/+/79707512:36
opendevreviewMerged openstack/openstack-ansible stable/ussuri: Bump SHAs for stable/ussuri  https://review.opendev.org/c/openstack/openstack-ansible/+/79499912:37
mgariepyhow many retry do we need..12:44
mgariepynoonedeadpunk, can you review this one : https://review.opendev.org/c/openstack/openstack-ansible/+/79557212:47
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: WIP Generate self-signed SSL per listen IP  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/79694012:50
noonedeadpunkdone12:55
jonheri noticed some repos are tracked on master in openstack_services.yml even on a stable branch like stable/victoria is there some logic behind why that is? i was about to backport some cloudkitty things to victoria which raises the question if i can track os_cloudkitty on master branch or if i should aim for fixes to be backported 12:58
jonherbest case scenario there would be some more activity there and branched would be maintained, but that's not much the case so figured i'd raise the question even though i think i know the preferred12:59
noonedeadpunkthere should be close to no services that follow master in openstack_services.yml on stable branches unless they're branchless (ie do not branch with openstack releases)13:00
noonedeadpunkand cloudkitty is for sure not one of these13:01
noonedeadpunkbut eventually, you can easily override cloudkitty version to any preffered one from any branch actually13:01
noonedeadpunkjust by defining cloudkitty_git_install_branch in user_variables13:02
opendevreviewJonathan Herlin proposed openstack/openstack-ansible stable/victoria: Integrate cloudkitty  https://review.opendev.org/c/openstack/openstack-ansible/+/79703013:08
opendevreviewJonathan Herlin proposed openstack/openstack-ansible stable/victoria: Integrate cloudkitty  https://review.opendev.org/c/openstack/openstack-ansible/+/79703013:09
opendevreviewJonathan Heathcote proposed openstack/openstack-ansible-os_tempest stable/victoria: Install py3-dev when not building wheels  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/79703113:10
opendevreviewJonathan Herlin proposed openstack/openstack-ansible-os_cloudkitty stable/victoria: Cloudkitty role cleanup and config updates  https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/79703213:11
*** raukadah is now known as chandankumar13:13
opendevreviewJonathan Herlin proposed openstack/openstack-ansible-os_cloudkitty stable/victoria: Cloudkitty role cleanup and config updates  https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/79703213:15
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: WIP Generate self-signed SSL per listen IP  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/79694013:33
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: WIP Generate self-signed SSL per listen IP  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/79694014:07
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: WIP Generate self-signed SSL per listen IP  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/79694014:09
*** rpittau is now known as rpittau|afk14:09
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: WIP Generate self-signed SSL per listen IP  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/79694014:11
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: WIP Generate self-signed SSL per listen IP  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/79694014:20
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Don't set keystone URI as unsecure  https://review.opendev.org/c/openstack/openstack-ansible/+/79680914:23
noonedeadpunkjrosser: no hurry, but do you know why in the world python inside venv doesn't consume installed root ca while default one does? http://paste.openstack.org/show/806768/14:31
noonedeadpunkdoh, found it :(14:32
noonedeadpunkdamn certifi14:34
noonedeadpunk`Certifi does not support any addition/removal or other modification of the CA trust store content`14:35
jrosserhah yes14:38
noonedeadpunkso question is - why we did all of that...14:38
jrosserREQUESTS_CA_BUNDLE=<system_ca_store>14:39
jrosserso that needs to be either in /etc/environment or equivalent environment setting in service units14:39
noonedeadpunkso we need to adjust /etc/environment?14:40
jrosseri would try the first one as it's easy14:40
jrosseropenstack_hosts already knows the path for this https://github.com/openstack/openstack-ansible-openstack_hosts/blob/master/vars/debian.yml#L9714:40
noonedeadpunkbut we don't use it anywhere?:) https://codesearch.opendev.org/?q=openstack_host_ca_location&i=nope&files=&excludeFiles=&repos=14:41
jnamdarhi14:42
noonedeadpunkmoreover REQUESTS_CA_BUNDLE env var doesn't seem to work (14:42
noonedeadpunkah14:43
jnamdarI'm trying to launch a magnum cluster with the default template but I'm getting a really weird error in cinder14:43
jrosseroh right - looks like i used the pki role now in openstack_hosts?14:43
noonedeadpunkit works14:43
jrossercool14:43
noonedeadpunkyeah, now pki role is used. So I think we can clean that up?14:44
jrosserwell, maybe we want global setting of REQUESTS_CA_BUNDLE14:44
noonedeadpunkand maybe env setup should be performed by pki role as well during ca installation&14:44
jrosseryeah so thats kind of the question really, if we want the pki role to do any host level setup14:44
noonedeadpunkbut other then that have no idea about available root CAs?14:45
jnamdarbasically heat is deploying fine until it has to create cinder volumes, then it fails and I find this https://pastebin.com/1FQ7zVRu14:45
jrosseroh yes well i just wonder if its a pki or openstack_hosts kind of problem really14:45
jrosserbecasue setting REQUESTS_CA_BUNDLE is perhaps good anyway even without the pki role14:46
noonedeadpunkbut I mean openstack_hosts does call pki role to install CA?14:46
noonedeadpunkalso I wonder how to provide several values to REQUESTS_CA_BUNDLE...14:47
jrosseroh i don't think thats possible14:47
mgariepydon't you need to run update-ca-cert after installing a certificate ?14:47
noonedeadpunkREQUESTS_CA_BUNDLE should be path to specific file, not folder like `/usr/local/share/ca-certificates/`14:47
mgariepyso it's accepted system-wide?14:47
jrosseryes, but that file contains all the certs14:48
noonedeadpunkmgariepy: the problem that it's accepted sytem-wide except venvs....14:48
mgariepyho14:48
jrossererrr - well python though isnt it14:48
jrosserissue is that python uses requests, requests uses certifi, certifi is not the system CA store14:49
jrosserso you have to just "fix" requests to use the proper CA store14:49
noonedeadpunkif you look into http://paste.openstack.org/show/806768/ - system python is fine with cert, because certifi got updated there, but not actually venv one14:49
noonedeadpunkI actually wonder if we can symlink certifi storage from system...14:49
mgariepyisn't it caused by the ip stuff ?14:50
mgariepyi'm pretty sure i used systemwide certs in the past with keystone for ldap.14:50
noonedeadpunkoh, well. we can set `REQUESTS_CA_BUNDLE` to `/etc/ssl/certs/ca-certificates.crt`14:50
noonedeadpunkor indeed replace /openstack/venvs/utility-23.0.0.0b2.dev5/lib/python3.8/site-packages/certifi/cacert.pem with /etc/ssl/certs/ca-certificates.crt symlink14:51
jrosseri think this is what i try to say :)14:52
jrossermake the requests env var point the the CA store managed by the ca-certificates package, not the one from python3-certifi (apt) or certifi (pip)14:53
jrosserthen when we add a custom one and run update-ca-certificates (or whatever the command is), it should be good14:53
jrosserwe're doing that install/update already here https://opendev.org/openstack/ansible-role-pki/src/branch/master/tasks/standalone/install_ca.yml#L25-L2814:55
noonedeadpunkyeah, I think the question if we want to set it via env var, or nasty symlinking....14:55
jrosseryeah indeed14:55
jrosserif it works in our services then /etc/environment is kind of neat as its hard to break14:56
jrossertbh i'd not looked at the internal SSL stuff at all, knew this needed doing14:57
jrosserbut good to fix it all14:57
noonedeadpunkWell, I'm not sure everything uses requests really... In terms that certifi might be leveraged not only with requests14:57
noonedeadpunk(no idea here)14:57
noonedeadpunkurllib3 does not require certifi14:59
noonedeadpunk(and works just out of the box14:59
jrosseri have an internal environment which sets that env var on all the hosts, but it's not https on the internal endpoint15:00
jrosserso it was good enough for accessing all the mirrors etc during deployment15:00
opendevreviewMerged openstack/openstack-ansible master: Rename black/white list variables  https://review.opendev.org/c/openstack/openstack-ansible/+/79663615:21
opendevreviewMerged openstack/openstack-ansible master: Unfreeze roles after RC1  https://review.opendev.org/c/openstack/openstack-ansible/+/79585115:23
opendevreviewMerged openstack/openstack-ansible master: add openvswitch to the log collect  https://review.opendev.org/c/openstack/openstack-ansible/+/79557215:23
noonedeadpunkjnamdar: sorry never tried to run things on lvm... but feels like issue with image format that has been created and used in lcuster template15:24
noonedeadpunkI mean glance image15:25
noonedeadpunkwhich I assume is `47548ecd-7bca-4713-953b-16c18ff5eccb`15:25
jnamdarnoonedeadpunk: yes that's the defautl fedora image15:27
noonedeadpunkwell, default fedora image can be shipped in different formats15:31
noonedeadpunkand might be compressed or not15:31
noonedeadpunkSo I'd try creating any random volume from it manually first to verify that image is fine15:31
noonedeadpunkbtw, it must be fedora-coreos image, not regular fedora15:32
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-openstack_hosts master: Set REQUESTS_CA_BUNDLE env var  https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/79712915:33
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Don't set keystone URI as unsecure  https://review.opendev.org/c/openstack/openstack-ansible/+/79680915:34
jnamdarnoonedeadpunk: yep, I'll try that. i'll try with a more recent fedora core os image as well15:35
noonedeadpunkwell, iirc for V later then 31 doesn't work properly15:36
jnamdarwhat's weird is that heat successfully provisioned a volume in cinder (for the master node I think) but failed with another15:36
noonedeadpunkbut not 100% sure15:36
jnamdarand I specified the same images for both masters and workers15:36
noonedeadpunkhuh15:36
noonedeadpunkweird indeed15:36
jnamdaroh I just uploaded 34 :'(15:36
noonedeadpunkbut it's failing somewhere on later networking step15:37
noonedeadpunkwhen starting up cluster15:37
jnamdarkk I'll get a <3115:39
noonedeadpunk==31)15:40
jnamdarah15:41
jnamdari'm running ussuri btw15:42
jnamdarif that changes anyhthing15:42
noonedeadpunkum... might be... 15:42
noonedeadpunkI can't actually recall exactly, but I think for ussuri you need just old coreos15:42
jnamdaralso I can't seem to figure out how to download older releases of fedora coreos? https://getfedora.org/en/coreos/download?tab=metal_virtualized&stream=stable15:42
noonedeadpunkbut might be magnum backported fedora-coreos support - no idea15:42
noonedeadpunkhttps://builds.coreos.fedoraproject.org/prod/streams/stable/builds/31.20200210.3.0/x86_64/fedora-coreos-31.20200210.3.0-openstack.x86_64.qcow2.xz <- should be valid link15:44
jnamdarhow did you find that link? :O 15:44
jnamdarbtw I reproduced the error: I cannot create a cinder volume from my fedora coresos image15:44
noonedeadpunktook from CI) https://opendev.org/openstack/openstack-ansible/src/branch/stable/ussuri/tests/roles/bootstrap-host/templates/user_variables_magnum.yml.j2#L2115:45
jnamdarthx15:45
noonedeadpunkjnamdar: I think the isuse might be that you uploaded pached image (in .xz)15:45
noonedeadpunk*packed15:46
jnamdarI guess so too15:46
jnamdarbut I didn't do it manually15:46
jnamdarit was already there after the role finished15:46
noonedeadpunkah15:46
jnamdarso I guessed OSA put it there :D15:46
noonedeadpunkwell, role should do things properly I guess... but dunno...15:46
noonedeadpunkat least it works in CI as is...15:47
jnamdarsame error with your image :/15:49
jnamdarI uploaded it like this openstack image create fedora-coreos-31 --disk-format qcow2 --container-format bare --file fedora-coreos-31.20200210.3.0-openstack.x86_64.qcow2.xz15:49
noonedeadpunkI think you need to unpack image first15:50
jnamdarah15:50
jnamdarmy bad15:50
noonedeadpunkbut actually I think glance should be capble of doing that...15:50
opendevreviewMerged openstack/openstack-ansible-os_neutron master: Change task ordering to perform smooth upgrades  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/78850115:51
jnamdargotta use unxz right?15:51
noonedeadpunkI used tar iirc15:51
noonedeadpunkbut whatever works I guess15:51
jnamdarmmh with the uncompressed version I get `ImageUnacceptable: Image a2cc0f37-b0b3-4e4f-94b1-f221614b9e61 is unacceptable: Image virtual size is 8GB and doesn't fit in a volume of size 2GB.`15:56
jnamdarI did provide 2GB in size when creating the volume15:56
jnamdarmight explain why it failed even with the compressed version? not sure, gonna try15:57
jnamdarto up the volume size to 10GB15:57
jnamdarmeh I changed the image to the uncompressed one, and upped the docker_volume_size to 10GB instead of 216:19
jnamdarthe first volume heat creates is ok, as it was before, this time with 10GB16:20
jnamdarbut the 2nd is still created with 2GB.. so I get the errorImage virtual size is 8GB and doesn't fit in a volume of size 2GB16:21
jrosserjnamdar: have you read the documentation for the os_magnum ansible role? https://github.com/openstack/openstack-ansible-os_magnum/blob/master/doc/source/index.rst16:36
jrosserthere is an example cluster template there16:36
jrosseralso the giant warning `Note that openstack-ansible deploys the Magnum API service. It is not in scope for openstack-ansible to maintain a guaranteed working cluster template as this will vary depending on the precise version of Magnum deployed and the required version of k8s and it's dependancies.`16:37
opendevreviewArx Cruz proposed openstack/openstack-ansible-os_tempest master: Add tempest_test_extra_test variable  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/79681816:49
jnamdarjrosser: thanks, I'll try to make the default one work for now, I'm getting further with the uncompressed fedora coreos image16:54
opendevreviewMerged openstack/openstack-ansible-os_neutron master: Add ovn clustering support  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/79426617:01
mgariepyOMG it merged !17:42
mgariepyafter many many rechecks.17:43
opendevreviewMerged openstack/openstack-ansible master: Use openstack_repo_url for requirements_git_url  https://review.opendev.org/c/openstack/openstack-ansible/+/79682018:45
opendevreviewMerged openstack/openstack-ansible master: [doc] Fix 'installing with limited connectivity' reference  https://review.opendev.org/c/openstack/openstack-ansible/+/79707518:45
opendevreviewMerged openstack/ansible-role-python_venv_build stable/ussuri: Do not drop all wheels with venv_rebuild  https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/77397119:03
« Thursday, 2021-06-17 Index Saturday, 2021-06-19 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!