noonedeadpunk | hey! no, not really. Should work nicely | 07:27 |
*** rpittau|afk is now known as rpittau | 07:55 | |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_placement master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/809981 | 09:16 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_placement master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/809981 | 09:52 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_cinder master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/809989 | 09:55 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/809995 | 10:08 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/810031 | 14:57 |
spatel | noonedeadpunk are you around? | 15:02 |
spatel | https://docs.openstack.org/openstack-ansible/wallaby/admin/upgrades/major-upgrades.html | 15:02 |
spatel | I meant Upgrade host section - https://docs.openstack.org/openstack-ansible/wallaby/admin/upgrades/major-upgrades.html#upgrade-hosts | 15:03 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_nova master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/810034 | 15:03 |
spatel | if i don't want my own CA then i can go with whatever example CA it's going to generate right? | 15:03 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Set galera to use TLS for connections by default https://review.opendev.org/c/openstack/openstack-ansible/+/807880 | 15:05 |
noonedeadpunk | spatel: um, yes | 15:06 |
noonedeadpunk | but you can just provide ca-bundle details for cert which will be generated | 15:07 |
noonedeadpunk | so eventually we anyway by default generate a CA and don't require ppl to have their own as a prerequisite | 15:08 |
noonedeadpunk | But if we generate a CA anyway, why not provide valid details for it?:) | 15:08 |
spatel | noonedeadpunk even if i provide valid details, it's self-signed right? | 15:10 |
noonedeadpunk | it depends on what you mean as self signed:) | 15:10 |
noonedeadpunk | certs generated will be trusted on all osa hosts and containers | 15:10 |
spatel | whatever OSA is generating is self-signed (if i am not buying a cert from an authority) | 15:10 |
noonedeadpunk | because root will be distributed and stored in the system trust store | 15:11 |
noonedeadpunk | but outside of the deployment it won't be trusted | 15:11 |
noonedeadpunk | so yeah, it's self-signed | 15:11 |
spatel | Yes i got your point, OSA will be the trust authority | 15:11 |
spatel | tell me how do i override on my lab now? | 15:12 |
spatel | in lab i went with default.. but if i want to place correct values now | 15:12 |
noonedeadpunk | you would need to override openstack_pki_authorities, openstack_pki_install_ca and openstack_pki_service_intermediate_cert_name variables. samples are here https://opendev.org/openstack/openstack-ansible/src/branch/master/inventory/group_vars/all/ssl.yml | 15:13 |
spatel | noonedeadpunk let me give it a try and see.. currently we are doing PKI just for RabbitMQ communication right? | 15:16 |
noonedeadpunk | yes, but you can safely enable haproxy_ssl_all_vips now | 15:18 |
noonedeadpunk | because it's also used by haproxy role | 15:18 |
spatel | I am using F5 load-balancer | 15:21 |
spatel | noonedeadpunk in that case do i need to add cert in F5? | 15:21 |
spatel | can i disable all SSL endpoint right now because i have F5 and don't want it to break stuff | 15:22 |
noonedeadpunk | um, no idea | 15:24 |
noonedeadpunk | I think you can just avoid touching haproxy_ssl_all_vips and openstack_service_adminuri_proto/openstack_service_internaluri_proto | 15:24 |
spatel | what do you mean avoid touching? | 15:25 |
spatel | is haproxy_ssl_all_vips default False? | 15:26 |
noonedeadpunk | default is false | 15:26 |
noonedeadpunk | we enable it just in CI | 15:26 |
spatel | oh so i am good if default is false, i don't need to do anything with F5 | 15:27 |
noonedeadpunk | yep | 15:27 |
spatel | I am running private cloud so not much worried about security at present | 15:27 |
noonedeadpunk | because you mustn't comply with gdpr haha | 15:28 |
spatel | soon my next datacenter will be in Europe, so i have to force everything to SSL :) | 15:30 |
noonedeadpunk | well if it's for the same company (non-eu) I'm not sure it matters | 15:31 |
noonedeadpunk | otherwise you would need to deal with privacy shield thing as well.. | 15:31 |
noonedeadpunk | https://www.privacyshield.gov/Program-Overview | 15:32 |
spatel | +1 | 15:38 |
spatel | noonedeadpunk is https://paste.opendev.org/ down? | 15:38 |
noonedeadpunk | opens for me | 15:39 |
spatel | try something and submit | 15:40 |
noonedeadpunk | yeah.. worth writing to #opendev | 15:41 |
noonedeadpunk | ah it has been already reported | 15:44 |
spatel | cool | 15:45 |
*** rpittau is now known as rpittau|afk | 16:00 | |
mrf3 | hi! I'm testing Openstack-Ansible for Wallaby, and getting "keystone_service-front-1/1: SSL handshake failure" at HAproxy | 16:49 |
mrf3 | is there any issue related to SSL setups? | 16:49 |
mrf3 | https://gyazo.com/face401990f26f2aad45e1d7b55da810 | 16:50 |
spatel | mrf3 check using curl with no cert validation flag | 16:57 |
spatel | based on your screenshot it failed to connect to the endpoint, not seeing any SSL related issue. | 16:58 |
spatel | next-time post error log in pastebin or paste.openstack.org so it's easy to search words | 16:59 |
mrf3 | sorry spatel, I'm running the playbook again, will post in paste. | 17:08 |
spatel | jrosser are you around | 17:15 |
spatel | noonedeadpunk jrosser i have created new CA and run rabbitMQ playbook but it didn't touch this file - /etc/rabbitmq/rabbitmq.pem | 17:43 |
mrf3 | spatel if you have some time , can you check https://paste.openstack.org/show/809441/ ? | 17:44 |
spatel | mrf3 are you deploying AIO ? | 17:46 |
mrf3 | nop | 17:47 |
mrf3 | 3 controllers, 3 networks, 1 compute , 1 nfs | 17:47 |
spatel | try to curl http://172.16.1.20:5000/v3/auth/tokens | 17:48 |
mrf3 | i got "response" {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}} | 17:49 |
spatel | that means you can reach the keystone service | 17:49 |
mrf3 | i tried again for the haproxy nodes | 17:50 |
mrf3 | and got curl: (52) Empty reply from server | 17:50 |
spatel | now try to change that IP to the haproxy VIP ip | 17:50 |
mrf3 | 172.16.1.20 is the VIP of the Haproxy | 17:50 |
mrf3 | i should check with the local nodes ips? | 17:51 |
spatel | it should give you the same reply, try | 17:51 |
spatel | try that from this container - infra2_keystone_container-9d7516a1 | 17:52 |
mrf3 | yes same response "unauthorized" | 17:52 |
spatel | looks like some library path is messed up.. OSA uses the utility container to add keystone endpoints | 17:54 |
spatel | if you see in logs it's saying - venvs/utility-23.1.1/lib/python3.8/site-packages/keystoneauth1/session.py\", line 1149, in post\n return self.request(url, 'POST', **kwargs) | 17:54 |
spatel | go to utility container and try "source openrc" | 17:55 |
spatel | then run openstack endpoint list | 17:55 |
mrf3 | Failed to discover available identity versions when contacting http://172.16.1.20:5000/v3. Attempting to parse version from URL. Failed to contact the endpoint at http://172.16.1.20:5000 for discovery. Fallback to using that endpoint as the base url. Not Found (HTTP 404) (Request-ID: req-23bd9060-9797-4152-b5f5-a4b440a5d6bf) | 17:56 |
mrf3 | from the container | 17:57 |
spatel | what OS are you running? | 18:08 |
mrf3 | Ubuntu 20 | 18:09 |
spatel | is this fresh installation or live environment? | 18:09 |
mrf3 | fresh , virtualized in vmware for testing | 18:09 |
spatel | assuming you are running openstack-ansible setup-openstack.yml playbook | 18:10 |
mrf3 | correct | 18:10 |
mrf3 | the last step following official guide | 18:10 |
mrf3 | and using stable/wallaby repo | 18:10 |
spatel | if you open setup-openstack.yml it has multiple playbooks | 18:10 |
mrf3 | for openstack-ansible | 18:10 |
spatel | first playbook is keystone.yml | 18:11 |
mrf3 | yes | 18:11 |
spatel | i would say check logs of keystone, looks like something went wrong | 18:11 |
spatel | check whether mysql is up or not | 18:11 |
spatel | just do basic validation | 18:12 |
mrf3 | ok will do | 18:12 |
mrf3 | spatel now I'm testing a redeploy of everything with haproxy_ssl: false to test it without ssl | 19:12 |
spatel | give it a try | 19:12 |
spatel | also post your user_variables.yml | 19:12 |
mrf3 | my user variables and user_config | 19:22 |
mrf3 | https://paste.openstack.org/show/809444/ | 19:22 |
spatel | looks good so far, i believe by default SSL is off for HAproxy | 19:31 |
spatel | you can check in haproxy.cfg file to see if the endpoint is configured for SSL or not | 19:32 |
spatel | just check if the internal endpoint is configured for SSL or not | 19:33 |
mrf3 | I'm running the last step setup-openstack again and right now it looks smooth | 19:37 |
spatel | nice | 19:59 |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!