fridtjof[m] | noonedeadpunk: almost got it set up completely today, so (given i don't forget about it) i might bring up my first patch tomorrow then :) | 01:57 |
---|---|---|
*** odyssey4me is now known as Guest273 | 05:55 | |
jrosser | morning | 07:05 |
jrosser | noonedeadpunk: interesting thing with this ssl stuff is that it gets as far as cinder, i.e past keystone/glance/... | 07:05 |
*** rpittau|afk is now known as rpittau | 07:07 | |
jrosser | noonedeadpunk: this has got me past the trouble with cinder http://paste.openstack.org/show/806876/ | 07:41 |
noonedeadpunk | jrosser: yeah urllib3 somehow fails with cinder | 07:43 |
jrosser | my paste fixes it | 07:44 |
noonedeadpunk | but when I was checking urllib3 manually, it was absolutely happy with system trusted certs even in venv... | 07:44 |
noonedeadpunk | ah | 07:44 |
jrosser | if you look at /proc/<pid-of-cinder>/environ then the content of /etc/environment is not present for that process | 07:44 |
noonedeadpunk | ah, I see... | 07:45 |
jrosser | so what is proper fix..... | 07:45 |
noonedeadpunk | should we just add that to uwsgi role by default? | 07:45 |
jrosser | we can add setting `env` to the template, and it's still overridable with config_template anyway | 07:46 |
noonedeadpunk | ie throw it somewhere here https://opendev.org/openstack/ansible-role-uwsgi/src/branch/master/templates/uwsgi.ini.j2#L6 | 07:46 |
noonedeadpunk | (as we need it only for venvs?) | 07:46 |
jrosser | and take the paths you put into openstack_hosts into vars/ so it picks the right ones for each distro | 07:47 |
noonedeadpunk | yeah | 07:47 |
jrosser | i'm not really sure its to do with venvs / not venvs | 07:47 |
jrosser | i'll put a patch together | 07:47 |
noonedeadpunk | should I think of better way to patch openstack-ansible-openstack_hosts ? | 07:49 |
noonedeadpunk | or you already did that? | 07:50 |
jrosser | oh i just did a big hack for the moment | 07:50 |
noonedeadpunk | ok, gotcha | 07:50 |
jrosser | i split the lineinfile task in two, one part for centos/systemd, and put another unconditionally in tasks/main.yml for requests ca | 07:51 |
jrosser | i wonder if that env var stuff is still needed for centos-stream, felt like that really was a packaging bug | 07:52 |
noonedeadpunk | we can try dropping it as follow-up | 08:05 |
opendevreview | Jonathan Rosser proposed openstack/ansible-role-uwsgi master: Use the system trust store for python requests rather than certifi https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/797600 | 08:11 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Don't set keystone URI as unsecure https://review.opendev.org/c/openstack/openstack-ansible/+/796809 | 08:12 |
jrosser | i guess not everything runs under uwsgi, so theres more to check | 08:15 |
jrosser | ah yes neutron is one of those | 08:22 |
noonedeadpunk | uh... I wonder why neutron actually fails, as in CI of neutron it runs as uwsgi afaik | 08:35 |
jrosser | did we ever switch that over? | 08:42 |
jrosser | https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/486156 | 08:42 |
noonedeadpunk | I meant for neutron CI itself, sorry https://zuul.opendev.org/t/openstack/build/c99eb7f07d8840e0a4fa807af3cbcbe8 | 08:52 |
noonedeadpunk | well, looking at logs, I have no idea how uwsgi is used/configured, considering that apache is installed... | 08:53 |
noonedeadpunk | it's most likely not used though, but dunno... | 08:54 |
noonedeadpunk | they don't really bother themselves with gathering configs for ci... | 08:55 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-openstack_hosts master: Set REQUESTS_CA_BUNDLE env var https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/797129 | 09:07 |
noonedeadpunk | didn't come up to anything really decent :( | 09:07 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-openstack_hosts master: Drop CentOS overrides for systemd version https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/797610 | 09:10 |
jrosser | not sure on what is decent for neutron either, maybe like http://paste.openstack.org/show/806877/ | 09:30 |
jrosser | i get it as far as tempest running and failing now | 09:31 |
noonedeadpunk | I think we can follow the way of _neutron_rootwrap_conf_overrides ? | 09:41 |
jrosser | hrrm we are going to need this *everywhere* | 09:50 |
jrosser | nova-api is fine with the uwsgi patch | 09:50 |
jrosser | but scheduler/conductor/.... are not | 09:51 |
jrosser | an alternative approach is to set it system wide with DefaultEnvironment https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html | 09:52 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Implement uWSGI for neutron-api https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/486156 | 10:01 |
jrosser | ok so this fixes nova-conductor http://paste.openstack.org/show/806878/ | 10:05 |
noonedeadpunk | I like approach with system-wide env more tbh | 10:06 |
noonedeadpunk | and we can do that with openstack-hosts | 10:06 |
noonedeadpunk | not sure if makes much sense to add tasks to systemd_service role though | 10:06 |
noonedeadpunk | except add and not include anywhere (run just with tasks_from in openstack_hosts) | 10:08 |
noonedeadpunk | but too complex imo | 10:08 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-openstack_hosts master: Set REQUESTS_CA_BUNDLE env var https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/797129 | 10:35 |
noonedeadpunk | does this look okeyish? ^ didn't want really to introduce config_template into the role, but it's cleanest way of doing... | 10:35 |
jrosser | i had to create system.conf.d directory, so we probably need to handle that too | 10:43 |
noonedeadpunk | yeah, fair | 11:33 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-openstack_hosts master: Set REQUESTS_CA_BUNDLE env var https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/797129 | 11:34 |
noonedeadpunk | doh, buster starts failing with lxc :( | 11:50 |
noonedeadpunk | at least several patches failed with apparmor profile issue | 11:50 |
noonedeadpunk | https://zuul.opendev.org/t/openstack/build/a094100b93f7467391230dc182f7b126/log/job-output.txt#7073 | 11:51 |
jrosser | we could use this merging https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/786982 | 13:06 |
opendevreview | James Gibson proposed openstack/openstack-ansible-haproxy_server master: Add variable to disable stick-table https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/797642 | 13:11 |
opendevreview | Jonathan Heathcote proposed openstack/openstack-ansible-os_tempest stable/victoria: Install py3-dev when not building wheels https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/797031 | 13:14 |
jrosser | noonedeadpunk: evrardjp you wouldnt happen to know why a stick-table was introduced here would you? https://github.com/openstack/openstack-ansible-haproxy_server/commit/e86139506d87e0c797f2449835dd5418571fde8f#diff-ec1d0842e4fa06a711e64e4bf992eaab4e962c0247193639a082fd78f601ed45R71-R72 | 13:21 |
noonedeadpunk | I'd say that maybe not to switch between servers during some big requests, like image upload process? | 13:24 |
noonedeadpunk | now we balance based on ip source for glance, but it was not the case these days | 13:30 |
jrosser | i mean, i guess i see the definition of the stick table and that it is to store src ip | 13:30 |
jrosser | but not sure about where it says to use it | 13:31 |
jrosser | unless that is implicit | 13:31 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-openstack_hosts master: Set REQUESTS_CA_BUNDLE env var https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/797129 | 13:33 |
noonedeadpunk | personally I never used it, so have nothing to say here... | 13:34 |
noonedeadpunk | it might be that it's just useless/not fully implemented atm | 13:34 |
opendevreview | Jonathan Heathcote proposed openstack/openstack-ansible-os_tempest stable/victoria: Install py3-dev when not building wheels https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/797031 | 13:48 |
opendevreview | James Gibson proposed openstack/openstack-ansible-haproxy_server master: Add variable to disable stick-table https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/797642 | 13:55 |
opendevreview | Fridtjof Mund proposed openstack/openstack-ansible master: [doc] Fix compatability -> compatibility https://review.opendev.org/c/openstack/openstack-ansible/+/797673 | 15:05 |
fridtjof[m] | \o/ noonedeadpunk i think i did it | 15:06 |
noonedeadpunk | awesome work, thanks! | 15:07 |
noonedeadpunk | jrosser: we're seeing that as well :( https://discuss.linuxcontainers.org/t/lxc-attach-lsm-lsm-c-lsm-process-label-set-at-174-operation-not-permitted-failed-to-set-apparmor-label-lxc-nginx-debian-var-lib-lxc-lxc-nginx-debian-var-lib-lxc-unconfined/11392 | 15:21 |
noonedeadpunk | https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1809195.html | 15:22 |
noonedeadpunk | well, seems we should set buster lxc jobs to nv... | 15:23 |
mgariepy | https://github.com/lxc/lxc/issues/3872#issuecomment-864993587 | 15:26 |
mgariepy | nv until we have the new kernel? | 15:27 |
noonedeadpunk | I mean we can try to use workaround with unprivileged attach... but feels like might be simpler to wait for the new kernel that fixes the issue | 15:32 |
noonedeadpunk | considering everybody is aware about it | 15:32 |
mgariepy | i agree | 15:32 |
evrardjp | jrosser: it was because I had a bug with federation IIRC | 15:35 |
evrardjp | so I needed the clients to reach always the same nodes | 15:35 |
evrardjp | but that's long ago ... so I am wondering if it wasn't a mariadb issue now. | 15:36 |
opendevreview | Jonathan Heathcote proposed openstack/openstack-ansible-os_tempest stable/victoria: Install py3-dev when not building wheels https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/797031 | 15:39 |
evrardjp | (from internal service reaching LB to get mariadb, and you want to have a relatively stable load ) | 15:39 |
*** rpittau is now known as rpittau|afk | 16:08 | |
*** frenzy_friday is now known as anbanerj|rover | 16:19 | |
noonedeadpunk | I think for mariadb it's high time to replace haproxy with proxysql imo | 16:29 |
noonedeadpunk | as there're all sort of weird stuff and nasty hooks with xinetd that's not as reliable as native proxy | 16:30 |
mgariepy | do you have some patches around for that ? | 16:33 |
noonedeadpunk | nope, not yet ( | 16:33 |
*** sshnaidm is now known as sshnaidm|afk | 16:35 | |
noonedeadpunk | jrosser: hm, setting `env = REQUESTS_CA_PATH=/etc/ssl/certs/ca-certificates.crt` for `/etc/uwsgi/cinder-api.ini` didn't help in my case for some reason... | 16:46 |
jrosser | noonedeadpunk: REQUESTS_CA_BUNDLE :) | 16:49 |
noonedeadpunk | doh | 16:50 |
jrosser | argh | 16:51 |
noonedeadpunk | ah, well, I have `env = REQUESTS_CA_PATH=/etc/ssl/certs/ca-certificates.crt` dunno where I took REQUESTS_CA_PATH from | 16:51 |
noonedeadpunk | I missed it again lol | 16:52 |
opendevreview | Jonathan Rosser proposed openstack/ansible-role-uwsgi master: Use the system trust store for python requests rather than certifi https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/797600 | 16:52 |
jrosser | i messed up the patch totally :( | 16:54 |
noonedeadpunk | well, I haven't spotted difference actually as well :( | 16:55 |
noonedeadpunk | even after you told me ;( | 16:55 |
opendevreview | Merged openstack/openstack-ansible-os_nova stable/victoria: Use version from repo_packages for SPICE HTML5 https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/797271 | 16:56 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-nspawn_hosts master: Deprecate OpenStack-Ansible nspawn repositories https://review.opendev.org/c/openstack/openstack-ansible-nspawn_hosts/+/797724 | 17:17 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-nspawn_hosts master: Deprecate OpenStack-Ansible nspawn repositories https://review.opendev.org/c/openstack/openstack-ansible-nspawn_hosts/+/797724 | 17:23 |
opendevreview | Merged openstack/openstack-ansible-os_tempest stable/victoria: Set tempestconf centos-8 jobs as NV https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/786982 | 17:24 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-nspawn_container_create master: Deprecate OpenStack-Ansible nspawn repositories https://review.opendev.org/c/openstack/openstack-ansible-nspawn_container_create/+/797726 | 17:24 |
opendevreview | Merged openstack/openstack-ansible-os_heat master: [goal] Deprecate the JSON formatted policy file https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/781516 | 20:36 |
_jralbert | I've been working on getting keystone and horizon OpenID Connect web SSO integration working on centos 7 with OSA, and there are a few changes I've had to make that I'd like to figure out how to integrate with the project | 21:32 |
_jralbert | in particular, the mod_auth_openidc that's available from the centos repos is really old (1.8.8) and doesn't work. I ended up manually installing it and its dependency cjose from https://github.com/zmartzone/mod_auth_openidc | 21:34 |
_jralbert | how could we resolve that dependency gap? It seems less than ideal for OSA to refer directly to the packages from github, but I gather they're not conveniently available in a repo | 21:35 |
*** gilou_ is now known as Gilou | 22:48 |