| *** odyssey4me is now known as Guest7196 | 05:47 | |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump OpenStack-Ansible master https://review.opendev.org/c/openstack/openstack-ansible/+/808775 | 08:19 |
|---|---|---|
| *** odyssey4me is now known as Guest7209 | 10:02 | |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump OpenStack-Ansible master https://review.opendev.org/c/openstack/openstack-ansible/+/808775 | 12:03 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump OpenStack-Ansible master https://review.opendev.org/c/openstack/openstack-ansible/+/808775 | 12:17 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Set galera to use TLS for connections by default https://review.opendev.org/c/openstack/openstack-ansible/+/807880 | 12:18 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump OpenStack-Ansible master https://review.opendev.org/c/openstack/openstack-ansible/+/808775 | 12:38 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Set galera to use TLS for connections by default https://review.opendev.org/c/openstack/openstack-ansible/+/807880 | 12:38 |
| spatel | noonedeadpunk around? | 14:22 |
| noonedeadpunk | yep | 14:23 |
| spatel | external_lb_vip_address: 10.30.40.10 | 14:23 |
| spatel | internal_lb_vip_address: 172.30.40.10 | 14:23 |
| spatel | I have that config in openstack_user_config.yml but keepalived not setting up them | 14:23 |
| spatel | do i need to tell it interface name? | 14:24 |
| spatel | may be this is missing - haproxy_keepalived_external_interface: br-host | 14:25 |
| spatel | let me try and see | 14:25 |
| spatel | noonedeadpunk that was it.. i don't know how did i miss that.. thank you | 14:28 |
| noonedeadpunk | lol | 14:29 |
| noonedeadpunk | I love that kind of questions :) | 14:29 |
| mgariepy | haha :D | 14:29 |
| spatel | hehe.. as soon as i see you guys i get idea itself :) | 14:29 |
| spatel | noonedeadpunk i am planning to add SSL to OVN so may hit you with PKI question :) | 14:30 |
| noonedeadpunk | last week I realized that I suck | 14:35 |
| noonedeadpunk | because I spent whole day figuring out why intermediate cert is not fine for mysql client... | 14:35 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Define missing options for ssh connection wrapper https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/807657 | 14:47 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump ansible version to 2.11.4 https://review.opendev.org/c/openstack/openstack-ansible/+/807316 | 14:47 |
| noonedeadpunk | #startmeeting openstack_ansible_meeting | 15:00 |
| opendevmeet | Meeting started Tue Sep 14 15:00:27 2021 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
| opendevmeet | The meeting name has been set to 'openstack_ansible_meeting' | 15:00 |
| noonedeadpunk | #topic rollcall | 15:00 |
| noonedeadpunk | \o/ | 15:00 |
| jrosser | o/ hello | 15:05 |
| noonedeadpunk | #topic office hours | 15:06 |
| noonedeadpunk | So. Recently I was working on pki for galera and it should eventually work now. | 15:06 |
| noonedeadpunk | The question there how fine to provide ca-file to the system trust store? | 15:07 |
| jrosser | doesn't the openstack-hosts role do that? | 15:09 |
| noonedeadpunk | it does.. the question here is to pymysql code | 15:10 |
| noonedeadpunk | which for me looks weird... | 15:10 |
| jrosser | ah ok | 15:10 |
| noonedeadpunk | so here code that parses connection https://github.com/PyMySQL/PyMySQL/blob/main/pymysql/connections.py#L266-L284 | 15:10 |
| noonedeadpunk | and it feels the only way to enable ssl is to provide ca-file | 15:10 |
| noonedeadpunk | regardless it is installed to system trust store or not | 15:11 |
| noonedeadpunk | because it's stupid - `if ssl_ca` and next line - "ca": ssl_ca | 15:12 |
| noonedeadpunk | so it would be just namerror | 15:12 |
| jrosser | that is really odd code | 15:13 |
| jrosser | oh well its default to None? | 15:14 |
| noonedeadpunk | ah, indeed it is | 15:14 |
| noonedeadpunk | so we can kind of just define ssl_verify_cert ? | 15:15 |
| noonedeadpunk | then more relevant question | 15:15 |
| noonedeadpunk | do we want to patch all roles for that ?:) | 15:15 |
| noonedeadpunk | because we have that connection string literally everywhere https://opendev.org/openstack/openstack-ansible-os_glance/src/branch/master/templates/glance-api.conf.j2#L39 | 15:16 |
| jrosser | oh my | 15:17 |
| jrosser | seems we should refactor that | 15:18 |
| noonedeadpunk | so right now basically https://review.opendev.org/c/openstack/openstack-ansible/+/807880/8/inventory/group_vars/all/infra.yml solves the issue | 15:18 |
| noonedeadpunk | another thing that I worked on was upgrade of ansible version. I hope it should pass now, but not 100% sure. At least ssh plugin seems to be fixed now | 15:24 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump ansible version to 2.11.5 https://review.opendev.org/c/openstack/openstack-ansible/+/807316 | 15:24 |
| noonedeadpunk | Regarding next thing that I think we should do - is to work on nova role integration with PKI | 15:25 |
| noonedeadpunk | because iirc live migration with tunneling is going to be dropped in X | 15:26 |
| noonedeadpunk | so we must have tls in place to release | 15:26 |
| jrosser | that hopefully is not too difficult, as we kind of practice a bit now with the PKI role | 15:32 |
| noonedeadpunk | and I do super dump istakes :( | 15:32 |
| noonedeadpunk | *mistakes | 15:32 |
| noonedeadpunk | *dumb | 15:32 |
| noonedeadpunk | regarding reviews - I'd love to push a bit merge of murano fix https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/781239 | 15:36 |
| noonedeadpunk | and if we're fine with https://review.opendev.org/q/topic:%22bp%252Fprotecting-plaintext-configs%22+(status:open%20OR%20status:merged) as poc? | 15:37 |
| spatel | anyone has any experience with server.com to renting servers for openstack? | 15:48 |
| spatel | i am planning to build datacenter in EU and found these guys | 15:49 |
| spatel | sorry if meeting is continue. | 15:50 |
| noonedeadpunk | #endmeeting | 15:50 |
| opendevmeet | Meeting ended Tue Sep 14 15:50:13 2021 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:50 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-09-14-15.00.html | 15:50 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-09-14-15.00.txt | 15:50 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-09-14-15.00.log.html | 15:50 |
| noonedeadpunk | also seems that there're some caveats with shallow-since... | 16:07 |
| noonedeadpunk | damn... I had to take into account timezones.... | 16:31 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/wallaby: Fix ceph-ansible shallow_since date https://review.opendev.org/c/openstack/openstack-ansible/+/808999 | 16:34 |
| noonedeadpunk | can we quickly merge that? ^ | 16:34 |
| jrosser | yep | 16:39 |
| noonedeadpunk | yes, seems we would need to refactor how SSL is used wrt galera everywhere | 16:51 |
| noonedeadpunk | but good news is that https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/807717 seems okeyish | 16:51 |
| spatel | noonedeadpunk i can safely upgrade 22.1.2 to 23.1.0 right? | 17:21 |
| spatel | jrosser ^ | 17:29 |