Tuesday, 2022-02-08

jrosser	noonedeadpunk: do you have a better idea for filtering these zulul repos? https://paste.opendev.org/show/812575/	09:05
jrosser	*zuul	09:05
noonedeadpunk	mornings)	09:10
* noonedeadpunk needs some coffee first...		09:11
noonedeadpunk	isn't it easier just to move zj_repos to role defaults through vars like we do?	09:13
noonedeadpunk	then it should be easily overridable?	09:13
jrosser	rather unfortunately the roles are designed kind of different to ours	09:14
jrosser	like OS specific tasks files which include the repo lists	09:14
noonedeadpunk	But they still have https://opendev.org/zuul/zuul-jobs/src/branch/master/roles/configure-mirrors/vars/CentOS.yaml ?	09:15
noonedeadpunk	it's probaly more question how maintainers ready to remove that complexity from tasks and leave jsut vars :)	09:15
noonedeadpunk	as if you check diff for centos tasks, they are quite same...	09:16
noonedeadpunk	but dunno...	09:17
noonedeadpunk	maybe you're right	09:18
noonedeadpunk	it's just hacky a bit	09:18
jrosser	maybe would end up just rewriting the whole thing, even the .j2 templates are all pretty identical	09:20
jrosser	which really does defeat the point of templates	09:20
noonedeadpunk	well it looks like if we want to make it somehow adjustable, we will indeed have to re-work it. but for me it doesn't really make sense to hardcode such things in common zuul jobs...	09:25
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts stable/xena: Ensure that the legacy network-scripts package is present https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/828235	09:27
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts stable/wallaby: Ensure that the legacy network-scripts package is present https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/828236	09:28
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts stable/victoria: Ensure that the legacy network-scripts package is present https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/828237	09:28
jrosser	perhaps there is a middle ground without rewriting the whole thing	09:34
jrosser	like you say put the data in vars and override using defaults	09:34
jrosser	noonedeadpunk: actually i think overrides doesnt work	09:52
jrosser	well, what i mean is we'd need to make OS specific versions of our base job with different overrides for the mirrors to use	09:53
noonedeadpunk	oh, well...	09:53
noonedeadpunk	we can't use var-files there I believe indeed...	09:53
noonedeadpunk	damn	09:54
jrosser	it's really messy	09:54
noonedeadpunk	then likely we jsut need to continue messing up in https://opendev.org/openstack/openstack-ansible/src/branch/master/zuul.d/playbooks/pre-gate-cleanup.yml	09:55
jrosser	for example in 8-stream PowerTools is added, but in 9-stream crb is not	09:56
noonedeadpunk	thankfully, for centos you can remove repo via it's name	09:57
noonedeadpunk	for debian it's much worse as you need to provide exact url iirc	09:58
jrosser	with yum_repository?	09:58
noonedeadpunk	yep	09:58
jrosser	ok let me hack something up	09:58
*** dviroel\|out is now known as dviroel\|ruck		10:05
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: Remove unwanted repositories installed with the zuul configure-mirrors role https://review.opendev.org/c/openstack/openstack-ansible/+/828267	10:08
jrosser	this is interesting https://review.opendev.org/c/openstack/octavia/+/805955	10:29
noonedeadpunk	huh, yes, we might want to implement this as well?	10:32
noonedeadpunk	as sounds like good idea	10:33
noonedeadpunk	from other side I haven't seen any issues without this	10:33
noonedeadpunk	`member with an ERROR operating_status may be updated to ONLINE after updating a load balancer` > this kind of frighten me	10:35
jrosser	i wonder if we ever reload	10:35
jrosser	or just restart	10:35
noonedeadpunk	we do https://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/master/handlers/main.yml#L49	10:38
noonedeadpunk	actually we only reload...	10:39
noonedeadpunk	what I'd really love to have is https://review.opendev.org/c/openstack/octavia/+/558962 but dont have time to work properly on that (	10:46
noonedeadpunk	as well as some bgp support for instance as keepalived replacement...	10:46
jrosser	for the osa loadbalancer?	10:52
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: WIP - Add support for running on Rocky Linux https://review.opendev.org/c/openstack/openstack-ansible/+/823573	10:59
noonedeadpunk	for octavia :)	11:35
noonedeadpunk	but maybe for osa loadbalancer as well...	11:35
noonedeadpunk	As we want to have a controller per AZ which likely won't have l3 connection	11:36
jrosser	it would be great to do for radosgw as i have some gigantic spec haproxy boxes running active/standby there which feels wasteful	11:40
admin1	hi jrosser, thank you for replying on the other channel .. let me pastebin all my configs and versions	11:52
jrosser	tbh it feels like permissions	11:54
noonedeadpunk	oh yes. for rgw it's also the case for sure	12:04
jrosser	https://blog.plessis.info/blog/2020/02/11/haproxy-exabgp.html	12:08
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-repo_server master: Use ssh_keypairs role to generate keys for repo sync https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/827100	12:16
noonedeadpunk	oh, yes, that looks relevant to what we're looking for :)	12:16
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-os_nova master: Use ssh_keypairs role to generate cold migration ssh keys https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/825306	12:17
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Add ssh_keypairs role https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/825113	12:27
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Use ssh_keypairs role to generate fernet sync ssh keys https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/827090	12:33
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: Create ssh certificate authority https://review.opendev.org/c/openstack/openstack-ansible/+/825292	12:35
opendevreview	Bhagyashri Shewale proposed openstack/ansible-config_template master: Move zuul jobs layout to centos9 only for master branch https://review.opendev.org/c/openstack/ansible-config_template/+/828295	12:35
admin1	hi jrosser, error message and relevant config info here: https://gist.githubusercontent.com/a1git/78761a5346aef2e5db732b0c838b72ff/raw/72fbb5a60ee6a10d3fa9bb0a4bdf2f0ce115725e/gistfile1.txt	12:39
admin1	tag 24.0.1 and ceph-pacific ( deployed using ceph-ansible)	12:39
jrosser	well, `swift list` is working	12:41
admin1	via horizon, when i click, it logs me out immediately	12:42
jrosser	have you tried `swift list --debug`	12:42
jrosser	i don't have /swift/ anywhere in the urls	12:44
noonedeadpunk	we have /swift to be able to have S3 apis enabled	12:53
noonedeadpunk	otherwise rgw will jsut reject to start if both swift and s3 enabled and swift not suffixed	12:54
jrosser	the deployment i have here is kind of complicated	13:03
jrosser	we've got 'internal' rgw serving just swift that horizon uses	13:04
jrosser	however, thats not realy related, as this all passes in ceph ci jobs for osa	13:05
jrosser	admin1: you've pretty much just got to enable debug and step through all the things	13:05
jrosser	forget horizon until you get the CLI working	13:05
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: Remove unwanted repositories installed with the zuul configure-mirrors role https://review.opendev.org/c/openstack/openstack-ansible/+/828267	13:36
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: Remove unwanted repositories installed with the zuul configure-mirrors role https://review.opendev.org/c/openstack/openstack-ansible/+/828267	13:41
noonedeadpunk	yeah, I guess lineinfile is most simple thing	13:49
* noonedeadpunk trying to understand why used apt_repository for that		13:49
jrosser	figuring out the repo name seems really tricky	13:50
jrosser	name / url	13:50
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-repo_server master: Use ssh_keypairs role to generate keys for repo sync https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/827100	13:55
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Use ssh_keypairs role to generate fernet sync ssh keys https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/827090	13:55
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-openstack_hosts stable/victoria: Assume centos version is at least 8.3 https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/828346	14:18
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts stable/victoria: Ensure that the legacy network-scripts package is present https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/828237	14:19
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts stable/wallaby: Replace CentOS 8 with Stream jobs https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/827966	14:25
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-lxc_hosts stable/xena: Replace CentOS 8 with Stream jobs https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/828095	14:26
Guest2040	For anyone who was in Berlin last time, looks like the conference center is near the Hofbrau where we had the team dinner	14:34
Guest2040	Hrm...	14:36
*** Guest2040 is now known as spotz		14:37
spotz	That's better:)	14:37
*** akaha\|rover is now known as akahat\|dinner		14:55
* noonedeadpunk missed team dinner last time		15:01
noonedeadpunk	(or was not invited yet :D)	15:01
noonedeadpunk	#startmeeting openstack_ansible_meeting	15:01
opendevmeet	Meeting started Tue Feb 8 15:01:58 2022 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.	15:01
opendevmeet	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	15:01
opendevmeet	The meeting name has been set to 'openstack_ansible_meeting'	15:01
noonedeadpunk	#topic rollcall	15:02
noonedeadpunk	o/	15:02
damiandabrowski[m]	hey guys! sorry I wasn't very active lately, performing distribution upgrades in several regions during Q1	15:03
damiandabrowski[m]	but i'll try to contribute as much as I can ;) things should get better in Q2	15:04
noonedeadpunk	hopefully :)	15:05
noonedeadpunk	so	15:05
noonedeadpunk	#topic bug triage	15:05
noonedeadpunk	#link https://bugs.launchpad.net/openstack-ansible/+bug/1960175	15:06
noonedeadpunk	Obviously our doc is broken.	15:06
noonedeadpunk	Question is - how we want to fix that?	15:06
noonedeadpunk	We can just update the doc and say you should use like cluster_network: "{{ (container_networks['storage_address']['address'] ~ '/' ~ container_networks['storage_address']['netmask']) \| ansible.netcommon.ipaddr('network/prefix') }}"	15:06
noonedeadpunk	which is kind of... meh...	15:07
noonedeadpunk	well, for monitor address we can jsut avoid monitor_address_block and replace with monitor_address	15:08
jrosser	o/ hello	15:08
noonedeadpunk	but for cluster_network we still need network	15:08
damiandabrowski[m]	hmm, isn't this bug report about https://bugs.launchpad.net/openstack-ansible/+bug/1960175	15:10
noonedeadpunk	so I was thinking if we should add cidr_networks as var somehow... or just add network to container_network stanza?	15:10
noonedeadpunk	damiandabrowski[m]: yeah, I literally mentioned it 6 messages before :p	15:10
damiandabrowski[m]	https://review.opendev.org/c/openstack/openstack-ansible/+/823796	15:10
damiandabrowski[m]	sorry, wrong link	15:10
*** dviroel\|ruck is now known as dviroel\|ruck\|lunch		15:11
jrosser	cidr_networks can get complex	15:11
jrosser	look at the L3 pods example	15:12
NeilHanlon	👋hey folks, am around. and thank you again jrosser if i didn't say it yesterday for your time looking at rocky with me	15:12
jrosser	NeilHanlon: hi there - i amended your patch with the ansible path btw	15:12
NeilHanlon	oh, thank you :)	15:12
jrosser	noonedeadpunk: does this help with finding the ceph ip? https://github.com/openstack/openstack-ansible/blob/master/playbooks/common-tasks/dynamic-address-fact.yml	15:15
jrosser	though it wants the cidr though i guess, so not really	15:16
noonedeadpunk	damiandabrowski[m]: huh	15:16
noonedeadpunk	should we jsut backport it then and ask user to test out?	15:17
jrosser	seems we should have backport that patch anyway?	15:18
damiandabrowski[m]	yeah, i think we should	15:19
noonedeadpunk	jrosser: yes, indeed we need cidr there...	15:22
noonedeadpunk	and I agree that making cidr_networks will likely be tricky	15:22
jrosser	i'm not sure i see value in bringing it into accessible vars really	15:23
noonedeadpunk	but considering we have cidr_networks in docs that makes me think there was there one day	15:23
noonedeadpunk	but agree. we have container networks defined there	15:24
noonedeadpunk	so maybe jsut try to add cidr as an element?	15:24
jrosser	yes, or maybe the ceph user_variables example was just always wrong	15:24
noonedeadpunk	I can't reject such possibility :)	15:24
jrosser	this also ignores that i think the ceph AIO networks are really all scrambled up too	15:25
noonedeadpunk	oh yes, storage network just not used in aio	15:25
noonedeadpunk	but that's different topic :)	15:26
jrosser	indeed	15:26
noonedeadpunk	(we should fix it yeah)	15:26
jrosser	next bug? :)	15:26
noonedeadpunk	I don't think we have anything new	15:26
noonedeadpunk	#topic office hours	15:27
noonedeadpunk	So there's already a PTG schedule for April available	15:27
noonedeadpunk	#link https://ethercalc.openstack.org/7yxdas7suqnd	15:28
noonedeadpunk	I took kind of responsibility to fill same time slots as for previous PTG	15:29
noonedeadpunk	would be great if you could check it and provide some feedback if that is fine or we should re-arrange and do proper voting	15:29
noonedeadpunk	So 2H slots 15-17 UTC on Tuesday and Wednesday	15:30
damiandabrowski[m]	it's ok for me	15:30
noonedeadpunk	(april 5 and april 6)	15:30
jrosser	yes ok for me	15:32
noonedeadpunk	we almost done with centos-8 removal	15:32
noonedeadpunk	and there big work done with Rocky?:)	15:32
jrosser	i think that NeilHanlon patch is very very close for metal deploys	15:33
jrosser	and i think that the selinux trouble and probably also the lxc python lib problems will go away with it now using the system python on the targets	15:33
noonedeadpunk	sounds good enough	15:34
jrosser	really we wait on the dib patch to merge and getting nodes available	15:34
noonedeadpunk	regarding ubuntu 22.04 support. I think I'd try to release without it if we will be ready with other things	15:35
jrosser	and i think also we have to clean up these zuul job repos as that has causes confusion	15:35
noonedeadpunk	oh yes	15:35
noonedeadpunk	I;m not sure what it will take to land all keyston-related system scope and project tokens stuff	15:36
noonedeadpunk	Or we'd rather delay intentionally to get ubuntu 22.04?	15:36
noonedeadpunk	probably it's topic for ptg though as there will be more details around by this date (like dib and ci images)	15:37
jrosser	whats the release date?	15:38
noonedeadpunk	March 30	15:38
noonedeadpunk	+2 month iirc	15:38
noonedeadpunk	to technically we can fit	15:39
noonedeadpunk	btw... Have I missed how Z will be named ?:) As just realized I have no idea what's the name it will have...	15:39
jrosser	22.04 is released April 21, 2022 though? so it's not in this cycle?	15:40
noonedeadpunk	well, it's not. but I'd say all depedns on how much we want it:) and when CI images will appear.. If that will with some beta in March and we will be able to start working on it before release...	15:41
noonedeadpunk	it's doable I guess	15:41
jrosser	for ubuntu usually one or two days hacking gets most of it sorted unless there is a major problem	15:42
noonedeadpunk	But yes, historically we were holding ubuntu lts to autumn	15:42
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: Remove unwanted repositories installed with the zuul configure-mirrors role https://review.opendev.org/c/openstack/openstack-ansible/+/828267	15:46
jrosser	^ zuul runs older ansible - doh	15:47
jrosser	also i an pretty much done on the ssh keypairs stuff	15:50
noonedeadpunk	I will review this shortly	15:51
jrosser	though somehow i've constructed the patches / depends-on all backwards and it won't pass	15:51
noonedeadpunk	I did quick look through and things look pretty much good	15:51
jrosser	i think it was a mistake to try to bring all the role patches as depends-on the main one to openstack-ansible	15:51
noonedeadpunk	at least openstack-ansible should depends on plugins?	15:52
noonedeadpunk	ah yes. I mean - nova/keystone should depend on integrated repo	15:53
noonedeadpunk	and repo	15:53
noonedeadpunk	and integrated only depend on plugins	15:53
jrosser	correct, that would work fine and would be mergeable	15:54
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: Create ssh certificate authority https://review.opendev.org/c/openstack/openstack-ansible/+/825292	15:55
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-repo_server master: Use ssh_keypairs role to generate keys for repo sync https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/827100	15:55
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-os_nova master: Use ssh_keypairs role to generate cold migration ssh keys https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/825306	15:56
noonedeadpunk	and regarding plugins CI - I haven't looked into it - ENOTIME	15:56
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Use ssh_keypairs role to generate fernet sync ssh keys https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/827090	15:56
jrosser	i only looked a little at molecule and saw it was pretty docker centric which is tedious for the docker rate limits	15:57
noonedeadpunk	yep	15:57
noonedeadpunk	and with nodepool we don't even need this	15:57
noonedeadpunk	#endmeeting	16:01
opendevmeet	Meeting ended Tue Feb 8 16:01:06 2022 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	16:01
opendevmeet	Minutes: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2022/openstack_ansible_meeting.2022-02-08-15.01.html	16:01
opendevmeet	Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2022/openstack_ansible_meeting.2022-02-08-15.01.txt	16:01
opendevmeet	Log: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2022/openstack_ansible_meeting.2022-02-08-15.01.log.html	16:01
opendevreview	Merged openstack/openstack-ansible-lxc_hosts stable/victoria: Drop CentOS 8 jobs https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/828096	16:05
*** dviroel\|ruck\|lunch is now known as dviroel\|ruck		16:06
damiandabrowski[m]	btw. guys, I'd really appreciate reviews here: https://review.opendev.org/q/topic:tempest-damian-2021-12	16:41
jrosser	what do we think about this? https://b607583e4f021c8f07a7-9b48d8c7e57d0c594fcc7dac0e7e023c.ssl.cf1.rackcdn.com/827483/1/check/openstack-ansible-deploy-aio_ovs_lxc-ubuntu-focal/a16f441/job-output.txt	16:43
noonedeadpunk	there was a comment for https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/825157/3/templates/tempest.conf.j2 and tons of stuff is on top of it	16:43
jrosser	looks like neutron tempest plugin on victoria is just broken	16:44
noonedeadpunk	have we fixed it version there?	16:44
noonedeadpunk	https://opendev.org/openstack/openstack-ansible-os_tempest/src/branch/master/defaults/main.yml#L118	16:45
jrosser	https://github.com/openstack/openstack-ansible-os_tempest/commit/06add17f32a65904b9f075dbd808f02b7eb6f9e5	16:45
noonedeadpunk	oh I haven't switched branch	16:45
jrosser	ah the commit message references just the thing that is failing	16:46
jrosser	interesting	16:46
noonedeadpunk	maybe tempest got dropped from u-c for V as well	16:48
jrosser	oh	16:48
jrosser	[aio1_utility_container-d69d229a] => (item={'branch': 'master', 'name': 'neutron-tempest-plugin', 'repo': 'https://opendev.org/openstack/neutron-tempest-plugin'})	16:48
jrosser	wtf	16:49
noonedeadpunk	some depends on from master branch?	16:49
noonedeadpunk	during cherry-pick?	16:49
jrosser	its this https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/827483	16:50
jrosser	which is just like RED :)	16:50
noonedeadpunk	I have a guess	16:50
noonedeadpunk	here we go https://opendev.org/openstack/openstack-ansible/src/branch/stable/victoria/tests/roles/bootstrap-host/templates/user_variables_neutron_ovn.yml.j2#L26	16:51
noonedeadpunk	same for ovn https://opendev.org/openstack/openstack-ansible/src/branch/stable/victoria/tests/roles/bootstrap-host/templates/user_variables_neutron_ovs.yml.j2	16:51
jrosser	ah nice one	16:51
noonedeadpunk	no idea why we need to override there	16:53
jrosser	i wonder if we don't enable neutron tempest tests normally	16:54
jrosser	just basic server ops covers go/no-go	16:54
noonedeadpunk	we suck with test enablement indeed. We have cinder volume iscsi broken for ages I believe with defaults	16:56
noonedeadpunk	but basic server catches networking issues as it's includes ssh to it	16:57
noonedeadpunk	well, some of them at least	16:57
jrosser	is this needed at all? https://opendev.org/openstack/openstack-ansible/src/branch/stable/victoria/tests/roles/bootstrap-host/templates/user_variables_neutron_ovn.yml.j2#L23-L26	17:04
noonedeadpunk	nope	17:04
noonedeadpunk	or at least I don't see why it would... Maybe to save up time and not install all other plugins...	17:05
jrosser	becasue the neutron plugin should be enabled anyway https://github.com/openstack/openstack-ansible-os_tempest/blob/stable/victoria/defaults/main.yml#L191	17:05
*** akahat\|dinner is now known as akahat\|rover		17:05
jrosser	this feels like a good time to use a pattern matched variable	17:06
jrosser	tempest_test_includelist_<anything>	17:06
jrosser	to build up incrementally the things that are tested rather than having to override the whole lot	17:07
noonedeadpunk	it's kind of like that anyway? https://opendev.org/openstack/openstack-ansible-os_tempest/src/branch/master/vars/main.yml#L58	17:08
jrosser	well, enabling / installing plugins is one thing	17:09
jrosser	but if they do anything at all is kind of here https://github.com/openstack/openstack-ansible/blob/e697bed2cea5ea5e49ae7f03c10650b8aec77bc8/inventory/group_vars/utility_all.yml#L77-L102	17:09
jrosser	and thats the exact same var we override in user_variables_<scenario>.yml	17:12
jrosser	so this is totally going to go wrong when we have a combination scenario, like maybe octavia+barbican	17:13
*** sshnaidm is now known as sshnaidm\|afk		17:18
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible stable/victoria: Remove enablement of neutron tempest plugin in scenario templates https://review.opendev.org/c/openstack/openstack-ansible/+/828386	17:50
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-os_neutron stable/victoria: Remove legacy centos-8 jobs https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/827483	17:53
noonedeadpunk	well yes, with barbican + octavia only octavia I guess will be tested	17:53
noonedeadpunk	as vars files load in aplhabetical order so https://opendev.org/openstack/openstack-ansible/src/branch/master/tests/roles/bootstrap-host/templates/user_variables_octavia.yml.j2#L13 will be used...	17:54
jrosser	thats by luck because 'o' is after 'b', if they both override tempest_test_includelist	17:54
jrosser	anyway.....	17:54
noonedeadpunk	but yeah, I do agree this must be done better	17:56
noonedeadpunk	a pity that you can't just append to variable from different files	17:57
noonedeadpunk	like $TEMPEST_VAR="${TEMPEST_VAR}:new_test"	17:57
jrosser	evrey day there are people in #ansible asking kind of similar things	17:58
jrosser	wanting to squash together the same var from several places	17:58
noonedeadpunk	I bet I saw something like that	17:59
noonedeadpunk	likely somewhere in our code even :D	17:59
noonedeadpunk	like constructing variable out of hostvars with selectattr by regexp...	18:00
jrosser	yes, i have that in the pki role	18:00
noonedeadpunk	ah, indeed!	18:00
noonedeadpunk	that was the code I could hardly read!	18:00
jrosser	oh well it's stolen from logan iptables role	18:01
jrosser	which is magical	18:01
noonedeadpunk	when you try to install just defined certs	18:01
jrosser	https://github.com/logan2211/ansible-iptables	18:01
jrosser	^ worth checking out how amazinly flexible that is	18:01
jrosser	i need to look again at how we do that in the pki role	18:02
noonedeadpunk	damiandabrowski[m]: ^	18:02
damiandabrowski[m]	yes? :D	18:03
noonedeadpunk	(I'm a bit facepalming comparing how we manage iptables)	18:03
jrosser	having this if/else around the clever part feels wrong https://github.com/openstack/ansible-role-pki/blob/master/vars/main.yml#L18	18:03
jrosser	we use that iptables role on all our OSA deployments now	18:03
noonedeadpunk	was just FYI kind of about iptables :)	18:03
damiandabrowski[m]	ahh, i was wondering what should i do with this now :D but agree, this repo looks cool	18:04
noonedeadpunk	(and we kind of was about to rework our stuff)	18:05
noonedeadpunk	well I'd say in PKI we should just expand list, but well	18:05
jrosser	that role lets you spread the iptables config across your group vars	18:07
jrosser	so you can put into some all/all.yml the things you need to admin ssh or whatever	18:07
jrosser	then in more specific groups you can put the service specific rules	18:07
jrosser	then it all gets mashed together when the role runs to resolve the entire iptables config for the host	18:08
noonedeadpunk	yeah that seems really nice thing	18:13
jrosser	have to be super careful on network nodes and compute nodes though	18:15
jrosser	otherwise stuff installed by neutron can be removed	18:15
noonedeadpunk	not sure it has ipv6 support?	18:15
jrosser	https://github.com/logan2211/ansible-iptables/blob/master/tasks/iptables_rule_facts.yml#L40	18:22
jrosser	we put this in the most general group vars for "deny all" https://paste.opendev.org/show/812607/	18:23
jrosser	then everything else builds up from that	18:24
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Use ssh_keypairs role to generate fernet sync ssh keys https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/827090	18:30
noonedeadpunk	ah nice. I just thought about separate file for ipv6 but it's indeed not a requirement	18:33
noonedeadpunk	well we have really decent firewalling but the way it organized and complexity it has comparing to that role...	18:36
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/xena: Fix additional facts gathering in ceph-install.yml https://review.opendev.org/c/openstack/openstack-ansible/+/828392	19:13
opendevreview	Merged openstack/openstack-ansible-lxc_hosts stable/xena: Ensure that the legacy network-scripts package is present https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/828235	19:13
noonedeadpunk	do you think we should backport https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/786381 ?	19:35
prometheanfire	was there an upgrade note I missed for horizon, I can boot an instance via command line but not via the horizon UI	20:05
prometheanfire	horizon kicks back a bunch of errors like this	20:05
prometheanfire	Policy os_compute_api:servers:start failed scope check.	20:05
noonedeadpunk	is that on... Xena?	20:11
noonedeadpunk	I can imagine that's regarding system/project scopes that horizon hasn't adapted in their policies...	20:11
prometheanfire	xena, ya	20:12
noonedeadpunk	we just recieved https://bugs.launchpad.net/openstack-ansible/+bug/1960342 btw...	20:13
noonedeadpunk	not sure if related...	20:13
noonedeadpunk	but sounds like it is	20:13
prometheanfire	sounds like it could be	20:13
* noonedeadpunk wasn't using horizon for a while so need to recall all that		20:14
prometheanfire	lol	20:14
prometheanfire	I can pull up project/user/group/role stuff	20:15
noonedeadpunk	we don't really deploy it nowadays :(	20:16
noonedeadpunk	well, it's good then :) likely smth with folks deployment then)	20:16
prometheanfire	probably, ya	20:16
* noonedeadpunk installing horizon in sandbox		20:16
prometheanfire	looking at details of a project does show some issues (can't view user/group within a project)	20:18
noonedeadpunk	hm	20:21
noonedeadpunk	got horizon from 24.0.0 see no issue at least with user creds	20:22
noonedeadpunk	let me check against master then....	20:22
prometheanfire	horizon can spin up an instance with another flavor, just not the other one	20:25
noonedeadpunk	oh	20:25
prometheanfire	both flavors uses aggregate_instance_extra_specs, and command line works for both	20:25
prometheanfire	works with both flavors via cmdline, works in horizon with just one of the two flavors	20:26
prometheanfire	it's wierd...	20:26
noonedeadpunk	is one of these flavors shared with specific projects only?	20:27
noonedeadpunk	btw I can reproduce bug	20:27
prometheanfire	nice	20:28
prometheanfire	you test with horizon master or xena tag?	20:28
prometheanfire	the flavor that works in horizon is shared with a particuar project only	20:29
noonedeadpunk	on master. But bug I was refferencing before - don't see issues with VM creation though	20:29
prometheanfire	the flavor that does not work is available everywhere	20:29
noonedeadpunk	and you're using tenant credentials?	20:30
prometheanfire	I use the same user, who is a member of multiple projects	20:30
noonedeadpunk	ok, non admin	20:30
prometheanfire	right	20:31
prometheanfire	a user who is a member of a single project reported the inability to create an instance via horizon, so multi-project user issues shouldn't be it	20:31
* prometheanfire really thinks it's horizon that needs updating...		20:32
prometheanfire	The token used to make the request was domain scoped but the policy requires ['system', 'project'] scope. (via horizon logs)	20:32
noonedeadpunk	nah, can't really reproduce on master...	20:34
noonedeadpunk	and on 24.0.0 it works for me as well	20:34
prometheanfire	works? as in you can reproduce with 24?	20:34
noonedeadpunk	was able to reproduce https://bugs.launchpad.net/openstack-ansible/+bug/1960342	20:35
prometheanfire	https://bugs.launchpad.net/horizon/+bug/1955674	20:35
noonedeadpunk	but not yours :(	20:35
prometheanfire	heh	20:35
noonedeadpunk	with domain scoped user as well	20:35
noonedeadpunk	didn't have private flavors though...	20:36
prometheanfire	private flavor worked in horizon, public did not (both with the aggregate instance extra specs)	20:36
noonedeadpunk	there was literally no backports to Xena	20:37
noonedeadpunk	https://opendev.org/openstack/horizon/commit/34a0159d1a65dbf8dd3ff3bc2cb156bdcf37a814 sounds related	20:38
noonedeadpunk	damn I really need to play with scopes and soon enough. As I feel like in OSA we don't do things right atm...	20:41
prometheanfire	ya, looks like it	20:41
prometheanfire	(system scope being fetched in that commit	20:42
noonedeadpunk	but I'm not sure why system scope would be a requirement for using shared flavor...	20:42
noonedeadpunk	as how then tenants with project scope supposed to interact...	20:43
prometheanfire	no clue	20:47
prometheanfire	is there a way I could try to deploy horizon-20 (wallaby) to verify the issue?	20:48
noonedeadpunk	sure thing! You can set `horizon_git_install_branch` to any SHA, tag or branch you like. and then re-run os-horizon-install.yml -e venv_rebuild=true.	20:50
prometheanfire	cool	20:50
noonedeadpunk	with that I'd suggest also setting `requirements_git_install_branch` to W for valid constraints	20:50
prometheanfire	well, I have the old venv around so I can edit the apache config to point to it	20:51
noonedeadpunk	which in turn might require re-runing repo-install	20:51
noonedeadpunk	ok, then wait :)	20:51
prometheanfire	yep	20:51
noonedeadpunk	to have old venv around, I'd also say that set `horizon_venv_tag` to smth different as otherwise it will be installed in same venv	20:52
prometheanfire	heh, didn't work	20:52
noonedeadpunk	and eventually instead of `requirements_git_install_branch` then jsut set `horizon_upper_constraints_url: https://releases.openstack.org/constraints/upper/wallaby`	20:53
noonedeadpunk	ah	20:53
noonedeadpunk	I misunderstood you a bit	20:53
noonedeadpunk	but you can try "master" horizon that way as well :)	20:53
noonedeadpunk	to check if patch solves the issue	20:54
noonedeadpunk	so basically 3 things: horizon_upper_constraints_url, horizon_venv_tag and horizon_git_install_branch	20:54
noonedeadpunk	sorry, I need to run, it's pretty late here already :(	20:55
prometheanfire	it's fine, I can play a bit	20:56
*** prometheanfire is now known as Guest0		20:56
Guest0	master had the same issue, so am reverting	21:55
* Guest0 sighs		21:56
*** Guest0 is now known as prometheanfire		21:56
*** dviroel\|ruck is now known as dviroel\|ruck\|afk		22:02
prometheanfire	failed in wallaby too, giving up	22:11
NeilHanlon	:) DIB merged https://review.opendev.org/c/openstack/diskimage-builder/+/825957	22:42
opendevreview	Neil Hanlon proposed openstack/openstack-ansible master: WIP - Add support for running on Rocky Linux https://review.opendev.org/c/openstack/openstack-ansible/+/823573	23:02
jrosser	NeilHanlon: you need to get nodepool configured to have rocky-8 nodes available next https://docs.opendev.org/opendev/system-config/latest/nodepool.html	23:07
NeilHanlon	yep chatting in #opendev now about that	23:07
jrosser	ah i see you starting that....	23:07
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Add ssh_keypairs role https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/825113	23:36

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!