Tuesday, 2021-09-21

[01:06] <opendevreview> Bjoern Teipel proposed openstack/openstack-ansible-os_octavia master: Update amphora image creation https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/810136
[07:24] *** rpittau|afk is now known as rpittau
[10:36] *** frenzy_friday is now known as anbanerj|ruck
[11:12] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_blazar master: Clean up debian blazar_distro_packages https://review.opendev.org/c/openstack/openstack-ansible-os_blazar/+/810183
[11:13] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_blazar master: Clean up debian blazar_distro_packages https://review.opendev.org/c/openstack/openstack-ansible-os_blazar/+/810183
[11:14] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_blazar master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_blazar/+/809746
[11:24] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_cloudkitty master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/810184
[11:29] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_designate master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/810185
[11:33] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_gnocchi master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_gnocchi/+/810187
[11:42] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_heat master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/810188
[11:49] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_ironic master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/810210
[12:39] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_magnum master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/810219
[12:39] <spatel> noonedeadpunk around
[12:40] <spatel> who generate this certs? - /etc/openstack_deploy/pki/certs/certs/
[12:40] <noonedeadpunk> pki role?
[12:41] <noonedeadpunk> https://opendev.org/openstack/openstack-ansible/src/branch/master/playbooks/certificate-authority.yml
[12:41] <spatel> I have deleted all certs in that directory and re-run playbook which did nothing
[12:42] <spatel> reason i am asking because i made change in pki_authority here - https://opendev.org/openstack/openstack-ansible/src/branch/master/inventory/group_vars/all/ssl.yml
[12:42] <spatel> and re-run playbook which added RootCA in all nodes so that is good but rabbitmq still using same old cert which is ExampleCorp
[12:42] <spatel> i want to force rabbit to re-generate new cert and signed with MyCompanyCA
[12:43] <spatel> I didn't find anyway to re-generate node certs
[12:43] <noonedeadpunk> you would need to set `pki_regen_cert=true` while running rabbitmq role
[12:43] <spatel> huh..
[12:43] <noonedeadpunk> but there's a bug in pki role now which should be solved with https://review.opendev.org/c/openstack/ansible-role-pki/+/808022
[12:44] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_masakari master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/810221
[12:44] <spatel> let me try.. this is hidden bomb :)
[12:48] <spatel> so it regenerate - rabbitmq_os-infra-1-rabbit-mq-container-180fd38b.crt and rabbitmq_os-infra-1-rabbit-mq-container-180fd38b.info
[12:48] <spatel> but no rabbitmq_os-infra-1-rabbit-mq-container-180fd38b-chain.crt
[12:48] <spatel> still rabbitMQ using ExampleCorp
[12:48] <spatel> openssl s_client -connect 172.30.40.135:5671 -cert rabbitmq.pem -key rabbitmq.key -CAfile rabbitmq-ca.pem
[12:49] <noonedeadpunk> but you've re-generated root right?
[12:50] <spatel> yes, i can see RootCA got install in every node in OSA
[12:51] <spatel> noonedeadpunk https://paste.opendev.org/show/809462/
[12:51] <spatel> you can see I have both RootCA ExampleCorp and Vivox
[12:51] <noonedeadpunk> um, yes, role doesn't drop old CA from trust stores...
[12:52] <noonedeadpunk> that's true and fair
[12:52] <spatel> now i want rabbitMQ generate /etc/rabbitmq/rabbitmq.pem cert using new RootCA
[12:52] <spatel> why do we need to drop old CA.. that is ok to have it
[12:52] <noonedeadpunk> but it's generated based on root that is stored on the deploy host in /etc/openstack_deploy/pki/
[12:53] <spatel> one interesting thing i found which is i removed RootCA from compute node but still compute node able to talk to RabbitMQ over SSL ( when you remove rootCA then it shouldn't trust right?)
[12:55] <noonedeadpunk> um, I guess yes
[12:56] <spatel> all i did remove RootCA from /etc/ssl/certs/ca-certificates.crt file from compute nodes, and restart compute nodes but still i am able to spin up VMs :)
[12:57] <spatel> after i removed /etc/openstack_deploy/pki/certs/certs/rabbitmq_os-infra-1-rabbit-mq-container-180fd38b-chain.crt file it work with `pki_regen_cert=true` while running rabbitmq role
[12:58] <spatel> i can see RabbitMQ generate node certs and signed with MyCompany RootCA
[12:58] <spatel> https://paste.opendev.org/show/809463/
[12:58] <noonedeadpunk> I guess after reboot ca-certificates.crt got re-generated?
[12:59] <noonedeadpunk> based on the contents of /etc/ssl/certs/ ?
[12:59] <noonedeadpunk> because roots are placed as files there, and then with hook are added to ca-certificates.crt
[12:59] <spatel> let me give it a try to wipe out everything and see..
[13:00] <spatel> one more thing why i am not seeing compute node certs in /etc/openstack_deploy/pki/ anywhere
[13:00] <spatel> i thought cert should get generated for each node right?
[13:06] <spatel> noonedeadpunk am i wrong here?
[13:07] <spatel> no compute nodes cert here - https://paste.opendev.org/show/809465/
[13:16] <noonedeadpunk> um, no, we generate certs only for hosts/containers that needs them
[13:16] <noonedeadpunk> using tls for live migrations is smth not implemented yet
[13:20] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_mistral master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/810234
[13:21] <spatel> so no cert for compute node right ?
[13:21] <noonedeadpunk> yep
[13:21] <spatel> good to know
[13:21] <noonedeadpunk> eventually we use currently only for haproxy and rabbitmq
[13:21] <noonedeadpunk> and now I'm pushing patches for galera
[13:21] <spatel> that what i can see :)
[13:22] <spatel> let me play with compute node cert trust and see..
[13:27] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_manila master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_manila/+/810237
[13:28] <spatel> noonedeadpunk i have successfully remove RootCA from compute node which is located here - /usr/local/share/ca-certificates
[13:29] <spatel> i have removed all file and now when i am running openssl client to validate its saying validation failed
[13:29] <spatel> but still able to spin up VM using that compute nodes so that is very odd..
[13:30] <noonedeadpunk> hm...
[13:30] <noonedeadpunk> maybe smth is rolled back and cert verification is not required nowadays...
[13:31] <noonedeadpunk> weird though
[13:31] <spatel> look like
[13:32] <spatel> running this command from compute node - openssl s_client -connect 172.30.40.135:5671
[13:32] <spatel> and seeing error - verify error:num=20:unable to get local issuer certificate
[13:32] <spatel> but rabbitMQ client is happy
[13:32] <noonedeadpunk> no idea really
[13:33] <noonedeadpunk> as I can't really recall now dependency that required that
[13:34] <spatel> This is good to know, glad we did validation
[13:35] <spatel> I am planning to upgrade my prod with OSA default cert this time.. :) i will change my own next time
[13:35] <spatel> i want to learn PKI before i push out anything case outage
[14:05] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_murano master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/810246
[14:08] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_octavia master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/810247
[14:14] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_senlin master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_senlin/+/810250
[14:18] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_sahara master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_sahara/+/810252
[14:23] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_tacker master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_tacker/+/810255
[14:28] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_trove master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/810257
[14:32] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_zun master: Refactor galera_use_ssl behaviour https://review.opendev.org/c/openstack/openstack-ansible-os_zun/+/810258
[14:45] <noonedeadpunk> damn, ironic role seem pretty broken...
[15:01] <noonedeadpunk> if you allow - I will skip today's meeting - feel super exhausted :(
[15:01] <noonedeadpunk> and don't have much to discuss, except pending reviews :)
[15:02] <jrosser> good idea - i'm pretty much the same
[15:54] <fungi> jrosser: looks like we might have another osa site pulling updates directly from each node: http://cacti.openstack.org/cacti/graph.php?action=view&local_graph_id=66611&rra_id=all
[15:54] <fungi> what's the user agent string you added?
[15:55] <fungi> someone seems to have turned something on right at 15:30 utc anyway, we're working to figure out what/who now
[15:56] <jrosser> it should go something like this https://github.com/openstack/openstack-ansible-openstack_hosts/commit/f2220c4fe05ac41c512280b9be2c586acdb9ddd3
[15:56] <fungi> thanks!
[16:25] *** rpittau is now known as rpittau|afk
[17:08] <mgariepy> https://cpaelzer.github.io/blogs/002-migration-with-changed-roms/
[17:08] <mgariepy> very fun.
[17:22] *** sshnaidm is now known as sshnaidm|off
[17:41] <spatel> where is jamesdenton :)
[17:41] <spatel> we are very behind in adding new networks stuff without you :)
[17:43] <spatel> just realized OVN with DPDK support is broken in OSA and may need some work
[18:25] <jamesdenton> hi spatel
[18:25] <spatel> :)
[18:26] <jamesdenton> i'm at negative cycles :D
[18:26] <jamesdenton> but maybe i can find some time soon. what's up?
[18:26] <spatel> what is going on?
[18:26] <spatel> try to setup DPDK on ubuntu but having hard time
[18:26] <jamesdenton> OVS+DPDK?
[18:26] <spatel> yes
[18:27] <spatel> ovs-vsctl add-port br-provider dpdk-0 -- set Interface dpdk-0 type=dpdk options:dpdk-devargs=0000:06:00.1
[18:27] <spatel> ovs-vsctl: Error detected while setting up 'dpdk-0': Error attaching device '0000:06:00.1' to DPDK.  See ovs-vswitchd log for details.
[18:27] <spatel> https://paste.opendev.org/show/809478/
[18:28] <spatel> do you have any idea ?
[18:28] <jamesdenton> htm
[18:28] <jamesdenton> hrm, rather
[18:29] <spatel> i believe you also tested DPDK with ubuntu, do you know what version of OVS did you used?
[18:30] <jamesdenton> not offhand, no. it would've likely been xenial, maybe bionic
[18:30] <jamesdenton> what do you see with "dpdk-devbind.py --status"
[18:30] <spatel> I did with CentOS 7.x while ago but same method not working with ubuntu
[18:30] <spatel> https://paste.opendev.org/show/809479/
[18:31] <spatel> everything looks correct
[18:31] <spatel> here i documented process last year with centos - https://satishdotpatel.github.io/openstack-ansible-add-compute-node-using-openvswitch-dpdk/
[18:35] <jamesdenton> Is this you? :D -- http://lists.openstack.org/pipermail/openstack-discuss/2020-November/018517.html
[18:35] <jamesdenton> error looks the same, maybe there's something missing from the process?
[18:37] <spatel> :)
[18:37] <spatel> dpdk and sriov is my thing so it must be me
[18:38] <spatel> there is no answer on that post
[18:38] <jamesdenton> true - but that was on your centos 8 deploy. has it not been working at all?
[18:39] <jamesdenton> centos or ubuntu?
[18:41] <jamesdenton> i've got a 2-node OVS Ussuri deployment here, lemme see if i can follow the guide and get it going
[18:41] <jamesdenton> these also have ixgbe nics, but x540
[18:41] <spatel> sounds good
[18:42] <spatel> lets validate process..
[18:42] <spatel> you don't need to deploy OSA
[18:42] <spatel> just install openvswitch and enable dpdk
[18:42] <spatel> then create foo bridge and attach to DPDK interface
[18:46] <spatel> let me upgrade NIC driver and see if that help
[18:48] <jamesdenton> can you paste "ovs-vsctl show" too?
[18:48] <jamesdenton> i need to get my kernel setup and reboot, one sec
[18:49] <spatel> https://paste.opendev.org/show/809480/
[18:50] <spatel> i didn't install any openstack stuff, i am just testing with lab box to attach dpdk with ovs port
[18:50] <spatel> not doing any OSA stuff until i figure out i can attach dpdk to ovs
[18:51] <jamesdenton> sure, i was just checking datapath
[19:01] <spatel> k
[19:01] <spatel> after upgrading NIC driver still same issue
[19:06] <spatel> jamesdenton in lsmod | grep vfio_pci is empty
[19:06] <spatel> look like it didn't load vfio_pci not sure that is the issue or not
[19:46] <spatel> jamesdenton my dmesg showing this message - vfio-pci 0000:06:00.1: DMAR: Device is ineligible for IOMMU domain attach due to platform RMRR requirement.  Contact your platform vendor.
[19:46] <spatel> look like something is wrong here
[19:46] <jamesdenton> that looks familiar, i may have something on that
[19:47] <jamesdenton> i'm working thru the issue on my side
[19:56] <spatel> no worry
[20:14] <spatel> jamesdenton i have to go but you can send me email if you find workaround
[20:14] <jamesdenton> i'll ping you
[20:14] <spatel> i may be offline in IRC :)
[20:14] <jamesdenton> FWIW i'm seeing the same thing. Been a while since i've messed with this
[20:14] <spatel> something is missing
[20:14] <spatel> make sure you have latest BIOS version
[20:23] <spatel> check this out - https://community.hpe.com/t5/ProLiant-Servers-Netservers/Disabling-RMRDS-RMRR-HP-Shared-Memory-features-on-Microserver/td-p/7105623#.YUo9qWZKjCw
[20:32] <spatel> gotta go
[20:32] <spatel> see you later
