Monday, 2021-11-22

*** odyssey4me is now known as Guest6506 [10:03]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone master: Drop Nginx webserver support https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/817390 [10:45]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/wallaby: Increase Apache thread limit for keystone https://review.opendev.org/c/openstack/openstack-ansible/+/818733 [10:46]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/ussuri: Backported fixes for healthcheck playbooks https://review.opendev.org/c/openstack/openstack-ansible/+/803926 [11:47]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_murano stable/wallaby: Fix murano role https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/818734 [11:49]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_murano master: Add variables for rabbitmq ssl configuration https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/791726 [11:51]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_murano master: [reno] Stop publishing release notes https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/772039 [11:52]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_murano master: Use ansible_facts[] instead of fact variables https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/780653 [11:55]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_murano stable/wallaby: Updated from OpenStack Ansible Tests https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/798617 [11:57]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_ceilometer master: Updated from OpenStack Ansible Tests https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/786845 [12:10]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Ensure prettytable is present in the ansible-runtime virtualenv https://review.opendev.org/c/openstack/openstack-ansible/+/777061 [12:12]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Remove provider_networks from neutron playbook https://review.opendev.org/c/openstack/openstack-ansible/+/817914 [12:16]
<maaz012345> Hi Captains .. [13:05]
<maaz012345> Can I get some help here related to openstack-ansible deployment [13:06]
<maaz012345> https://bugs.launchpad.net/openstack-ansible/+bug/1951679 [13:06]
<noonedeadpunk> hey [14:05]
<noonedeadpunk> jrosser: well we replued same stuff there :D [14:23]
<noonedeadpunk> *replied [14:23]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/wallaby: Include openstack_services for murano role https://review.opendev.org/c/openstack/openstack-ansible/+/818736 [14:26]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/wallaby: Include openstack_services for murano role https://review.opendev.org/c/openstack/openstack-ansible/+/818736 [14:27]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_murano stable/wallaby: Fix murano role https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/818734 [14:27]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/wallaby: Increase Apache thread limit for keystone https://review.opendev.org/c/openstack/openstack-ansible/+/818733 [14:28]
<spatel> jrosser noonedeadpunk jamesdenton_alt here is the POC for OVN SSL - https://satishdotpatel.github.io/ovn-ssl-setup-with-openstack/ [14:29]
<spatel> now i am going to see how we can wire up it with OSA/PKI [14:29]
<opendevreview> Dmitriy Rabotyagov proposed openstack/ansible-role-python_venv_build stable/ussuri: Revert "Set centos-7 jobs to non voting" https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/817250 [14:29]
<opendevreview> Merged openstack/openstack-ansible stable/train: Fix mistral DB row size https://review.opendev.org/c/openstack/openstack-ansible/+/817631 [14:31]
<opendevreview> Merged openstack/openstack-ansible stable/train: add missing step to manual upgrade https://review.opendev.org/c/openstack/openstack-ansible/+/817572 [14:31]
<spatel> noonedeadpunk does nova create crt for each node and sign or we are using single cert for every compute nodes? [14:38]
<noonedeadpunk> tbh I wasn't digging much into patch details that we merged [14:38]
<noonedeadpunk> I would need to check code to answer [14:39]
<noonedeadpunk> from what I see it's unique per compute [14:39]
<jrosser> spatel: imho you should have the os_neutron role create its own certificates [14:42]
<jrosser> if you re-use the nova ones you will then be in trouble when the host is not also a compute host [14:42]
<spatel> jrosser sure, let me understand how does nova pki works and then i will create dedicated one for neutron role [14:43]
<spatel> noonedeadpunk around? [15:26]
<spatel> i need little advice related rabbitMQ [15:26]
<noonedeadpunk> I can try at least :D [15:27]
<spatel> we are getting lots of DDoS and that DDoS creating network blips that causing my RabbitMQ cluster partition and after that rabbitMQ not getting recover itself [15:27]
<spatel> OSA default use pause_minority i believe [15:27]
<spatel> my rabbitMQ nodes across multiple racks.. [15:28]
<spatel> do you think changing from pause_minority to autoheal should help? [15:28]
<noonedeadpunk> well yes, by default it's `pause_minority` [15:29]
<noonedeadpunk> but it's pretty easily configurable with rabbitmq_cluster_partition_handling [15:29]
<spatel> But look like its not helping me [15:29]
<spatel> i would like to try out autoheal if that fix my issue.. [15:29]
<spatel> setting rabbitmq_cluster_partition_handling: autoheal should work right in user_variables.yml [15:31]
<noonedeadpunk> hm, I'm wondering if we're missing quorum queues... [15:31]
<noonedeadpunk> yes it should [15:31]
<spatel> what do you mean quorum queue [15:31]
<noonedeadpunk> https://www.rabbitmq.com/quorum-queues.html\ [15:32]
<spatel> Page not found :D [15:32]
<noonedeadpunk> drop last `\` [15:32]
<noonedeadpunk> added it accidentally [15:32]
<noonedeadpunk> so eventually it's new feature of 3.8 [15:32]
<spatel> :) [15:32]
<noonedeadpunk> and I haven't spent time reflecting defaults for these features [15:33]
<spatel> I am running 3.7.x release [15:33]
<spatel> rabbitmq-server-3.7.28-1.el7.noarch [15:34]
<noonedeadpunk> oh, there're even streams in 3.9 hehe [15:34]
<spatel> i am running stein release.. [15:34]
<noonedeadpunk> these looks like a good read... [15:34]
<spatel> can i bump my rabbitMQ version without upgrading cluster ? [15:34]
<noonedeadpunk> yes, you can use newer rabbitmq version with overrides [15:34]
<noonedeadpunk> and just upgrade it [15:35]
<spatel> oh even i am running stein release right? hope no dependency there [15:35]
<noonedeadpunk> but don't forget to also upgrade erlang! [15:35]
<spatel> i have noticed when you upgrade rabbitMQ it automatically upgrade erlang also [15:35]
<noonedeadpunk> um, not really [15:36]
<spatel> does Quorum Queues feature default enabled or i need to do it manually? [15:36]
<noonedeadpunk> ie we have it fixed here https://opendev.org/openstack/openstack-ansible-rabbitmq_server/src/branch/stable/stein/vars/debian.yml#L39 [15:36]
<spatel> nice! i will take that code and upgrade my rabbitMQ to latest [15:37]
<noonedeadpunk> I don't think it's default. And I'm not sure if osa even supports them atm [15:37]
<noonedeadpunk> Need to have a read about that [15:37]
<spatel> i will mess with it.. [15:37]
<noonedeadpunk> `Quorum queues should be the default choice for a replicated queue type. Classic queue mirroring will be removed in a future version of RabbitMQ` [15:38]
<spatel> oh! much better then [15:38]
<spatel> i have one more question related removing HA for all queue [15:39]
<noonedeadpunk> oh, yes, it's the way better... [15:39]
<spatel> if i remove HA then how does all nodes will talk to rabbitMQ [15:39]
<spatel> example: compute config saying x.x.x.x,y.y.y.y,z,z,z,z [15:40]
<spatel> does they randomly pick rabbitMQ node? [15:40]
<noonedeadpunk> without replication - kind of [15:40]
<noonedeadpunk> and messages might be lost in case of one member outage [15:40]
<spatel> i don't care about lost mesg at this point :) i need stability [15:41]
<noonedeadpunk> but it's still cluster, so if you connect to wrong member you still can be "routed" and read message you asked [15:41]
<mgariepy> if one server is out the whole queue will be unavailable. not only 1 message. [15:42]
<mgariepy> if it's the hosting node. [15:42]
<spatel> if compute1 connect to rabbit1 first time then it will always stay there or do round-robin for each request ? [15:42]
<spatel> i am thinking i can add haproxy in front of rabbit (non-HA cluster) [15:43]
<spatel> mgariepy - if one server is out the whole queue will be unavailable. not only 1 message. ----- all queues on that dead node right? but other two should be working, correct? [15:44]
<noonedeadpunk> it is bad idea [15:44]
<spatel> adding haproxy? [15:44]
<noonedeadpunk> yep [15:44]
<spatel> ah! [15:44]
<noonedeadpunk> rabbit is designed the way that you can connect to any cluster member [15:45]
<noonedeadpunk> but all depends on mirroring settings then [15:45]
<spatel> if 3 node running in non-HA mirror and single node die.. (what is the impact here?) [15:46]
<jrosser> do you have some shared network path between the controllers and compute which suffers with this DDOS? [15:49]
<spatel> We have HP C7000 chassis and controller and computes are all mix in those chassis, we have 3 chassis in each racks. yes we have some sort of shared network. when DDoS hit my network i noticed switch port buffer running out of capacity and start dropping packets.. for small time before DDoS mitigation kick in. [15:52]
<spatel> During that period i have noticed error in rabbitMQ saying cluster partitions. (now interesting thing.. after that rabbit never get recover from that incident) [15:53]
<spatel> i have 300 compute nodes in this cluster and 1000 vms (not sure if this is higher number for rabbit) [15:54]
<noonedeadpunk> hm, feels like quorum is not supported by oslo yet? [15:54]
<spatel> some article saying - We also know that rabbit before 3.8 may have some issues on clustering side, so you might consider running at least rabbitmq 3.8.x. [15:54]
<spatel> I am running 3.7.x (may be i need to upgrade to 3.8) [15:55]
<spatel> or get rid of HA [15:55]
<noonedeadpunk> but fwiw - 3.8 is more stable according to my experience [15:55]
<noonedeadpunk> so with train a lot of rabbit related stuff has been solved for me [15:55]
<spatel> 100% agreed, i have 3.8 running on other location which has zero issue.. (we are getting less DDoS there but) [15:56]
* noonedeadpunk still a bit upset that x-queue-type can't be set with oslo yet [15:56]
<spatel> reason i don't want to upgrade stein because its running centos7 and god knows upgrade will work or not :( [15:57]
<noonedeadpunk> from other side it means there's nothing we can/should do now :D [15:57]
<noonedeadpunk> upgrade rabbit? [15:57]
<noonedeadpunk> it should since it's using independent repos provided by erlang [15:57]
<spatel> That is what i am going to do. [15:57]
<noonedeadpunk> *external repos [15:58]
<spatel> vm_memory_high_watermark: 0.2 [16:00]
<spatel> do you think i should add more memory ? [16:00]
<mnaser> rabbitmq cluster recovering?! good one.... :p [16:01]
<noonedeadpunk> hehe [16:01]
<spatel> :) wow! good to see you after long time [16:01]
<mnaser> i'm always lurking :) [16:02]
<noonedeadpunk> I'm actually eager to test out stream queues [16:02]
<noonedeadpunk> they look like a suitable solution at glance [16:02]
<spatel> rabbit = no fun (100s of time i nuke my cluster since i build this cloud) [16:03]
<jrosser> mnaser: did you get cloud-init + ipv6 in the end? [16:03]
<mnaser> i really wish we start to get a fix for rabbitmq troubles [16:08]
<mnaser> since we use k8s world now, [16:09]
<mnaser> we have a script called restart cloud [16:09]
<mnaser> wipes rabbitmq and reinit, and then restarts * [16:09]
<mnaser> jrosser: i didn't hack on it yet [16:09]
<spatel> mnaser that is what i am going, ./rabbit-nuke.sh crafted script to rebuild everything for me in 10 minute.. [16:10]
<spatel> doing* [16:10]
<jrosser> mnaser: for something like the ubuntu cloud image it's disabled by default, as you get a huuuuuuge timeout when there's no ipv6 metadata service available before it tries the ipv4 one [16:11]
<spatel> I think OVN can solve 50% issue of rabbitMQ [16:11]
<jrosser> if you want to try v6 only with ubuntu you'd need to modify metadata_urls in the image here https://cloudinit.readthedocs.io/en/latest/topics/datasources/openstack.html [16:11]
<jrosser> or else config drive [16:12]
<mnaser> jrosser: ipv6 only images then? [16:12]
<mnaser> i feel like going to OVN is going to bubble up a whole boatload of other fun things lol [16:12]
<jrosser> if you really want ipv6 metadata then you need to at least make it dual stack [16:12]
<jrosser> and accept the boot delay for v4 [16:12]
<jrosser> or make v6 images [16:12]
<mnaser> jrosser: at that point, what's the point of dual stack heh [16:12]
<jrosser> it's kind of unpleasant [16:12]
<mnaser> sorry i mean [16:13]
<mnaser> what's the point of v6 only if you're going to make it dual stack to get metadata [16:13]
<mnaser> i've been burned a lot with force_config_drive=true [16:13]
<jrosser> it's just a bummer that the stock cloud images disable v6 metadata, but i kind of see why they do it [16:13]
<mnaser> jrosser: solution for all network issues is disable ipv6, amirite? :) [16:14]
<mgariepy> something similar to the selinux stuff ;p [16:15]
<spatel> I believe only DoD using selinux.. lol [16:15]
<spatel> but trust me ipv6 getting real, now mobile carriers only providing ipv6 and apple and google won't let you add your apps if its not ipv6 certified [16:17]
<spatel> just because of certification we are running dual stack ipv6 cloud [16:17]
<mnaser> nice [16:18]
<mnaser> that's good to hear [16:18]
<mgariepy> i sure hope that there will be some real push in canada for the ISP to deploy it. [16:20]
<jrosser> we also run dual stack here though i'm not sure the users are doing much with it [16:20]
<jrosser> except for unknowingly accessing horizon over v6 if their ISP does it [16:20]
<spatel> https://www.internetsociety.org/blog/2016/05/starting-june-1-apple-requires-all-ios-apps-to-work-in-ipv6-only-networks/ [16:21]
<jrosser> neutron bgp agent scheduling is a whole extra class of special behaviour though [16:21]
<opendevreview> Merged openstack/openstack-ansible-os_neutron master: Implement ironic_neutron_agent and baremetal driver https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/813011 [16:38]
*** sshnaidm is now known as sshnaidm|afk [16:45]
<noonedeadpunk> let's merge https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/818577 to unblock W [16:49]
<jrosser> done [16:53]
<opendevreview> Merged openstack/openstack-ansible-os_ceilometer master: Remove references to deprecated python-ceilometerclient https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/815317 [16:54]
<opendevreview> Merged openstack/openstack-ansible-os_ceilometer master: Updated from OpenStack Ansible Tests https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/786845 [16:54]
<spatel> noonedeadpunk shouldn't we do vars/centos-8.yml instead of 8.5.yml ? (sorry if i am missing something) [16:55]
<noonedeadpunk> we're trying to distinguish centos-8 vs centos-stream [16:55]
<spatel> hmm [16:56]
<noonedeadpunk> while for ansible it's centos 8 stream is same centos-8 [16:56]
<noonedeadpunk> only without minor version [16:56]
<spatel> CentOS Linux 8 will reach End Of Life (EOL) on December 31st, 2021 [16:57]
<noonedeadpunk> yep, it will... [16:57]
<noonedeadpunk> so nasty hack is everything we need here hehe [16:57]
<jrosser> EOL doesn't stop people having deployments and the code needing to work on older branches :/ [16:58]
<spatel> hope stream will be smooth and not full of hacks [16:58]
<spatel> EOL may decommission some upstream repo [16:58]
<noonedeadpunk> well, will see [16:59]
<jrosser> spatel: in ansible it is very difficult to distinguish between centos-8 and centos-8 stream, there's no way to do it except checking for version=8 -> stream, version=8.x -> not stream [16:59]
<jrosser> so when we have to do different things for stream and not-stream it gets hacky and unreadable code very fast [16:59]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_murano stable/wallaby: Updated from OpenStack Ansible Tests https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/798617 [17:00]
<noonedeadpunk> btw, apache only keystone looks fair enough now I believe https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/817390 [17:01]
<jrosser> that's why we need that vars/centos-8.<blah> to account for all the point releases of centos, and vars/centos-8.yml covers stream [17:01]
<noonedeadpunk> it needs https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/817390 though for upgrade jobs to pass [17:01]
<jrosser> and we need this https://review.opendev.org/c/openstack/openstack-ansible/+/818674 [17:02]
<jrosser> and https://review.opendev.org/c/openstack/openstack-ansible/+/818733 [17:03]
<noonedeadpunk> yeah - same but for master... [17:03]
<noonedeadpunk> oh, damn, I pasted wrong link [17:03]
<jrosser> time to merge all the things to release [17:04]
<noonedeadpunk> yep [17:04]
<noonedeadpunk> I was looking through changes now and I guess we can for sure make a beta now so that ppl could test for week or so [17:04]
<noonedeadpunk> I just started working on proxysql role.. [17:05]
<noonedeadpunk> Hopefully it won't take more than couple of days [17:05]
<noonedeadpunk> but we'll release without it if not [17:06]
<noonedeadpunk> upsetting situation is with galera... [17:06]
<noonedeadpunk> I probably also will push bunch of patches to all roles to make config_template be usable as collection [17:08]
<mgariepy> noonedeadpunk, if you see galera hangs can you ask for a hold on the vm ? [17:08]
<mgariepy> or ping me to ask for it. [17:08]
<noonedeadpunk> mgariepy: the problem is that hold should be asked before it launched [17:08]
<noonedeadpunk> or maybe when it hang might be also fine? [17:09]
<mgariepy> if the check is not over. [17:10]
<mgariepy> you can ask for a hold [17:10]
<noonedeadpunk> ok, cool, I forgot it's an option. probably because when I see it failed it's too late usually) [17:11]
<mgariepy> maybe we could add some stuff when the build fail [17:11]
<mgariepy> like mysql show processlist [17:11]
<jrosser> if your horizon is on the internet this may be of interest https://review.opendev.org/c/openstack/openstack-ansible/+/818533 [17:12]
<noonedeadpunk> oh, I was looking at it [17:12]
<noonedeadpunk> I guess it might be applicable also for keystone? [17:14]
<noonedeadpunk> and actually all apis? [17:14]
<jrosser> these are browser directives really [17:14]
<jrosser> but if the browser in the future (skyline?) called the other API directly, that might be a factor [17:15]
*** sshnaidm|afk is now known as sshnaidm [17:16]
<noonedeadpunk> commented [17:27]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Update mariadb to 10.6.5 https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/817384 [17:29]
<jrosser> looks like there are most of the ansible collections we need now available as required-projects in zuul jobs these days [17:48]
<opendevreview> Merged openstack/openstack-ansible-haproxy_server master: Fix inconsistency in haproxy_frontend_raw naming https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/817727 [18:30]
*** sshnaidm is now known as sshnaidm|afk [19:26]
<opendevreview> Merged openstack/openstack-ansible-os_neutron master: Update metering agent to use interface_driver alias https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/799911 [20:07]
