Monday, 2022-02-21

*** frenzy_friday is now known as frenzyfriday|ruck [03:59]
*** frenzyfriday|ruck is now known as frenzyfriday|rover [04:00]
*** prometheanfire is now known as Guest2 [04:59]
*** Guest2 is now known as prometheanfire [05:09]
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_nova master: Implement nova direct RBD image retrieve https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/828897 [07:43]
*** sshnaidm|afk is now known as sshnaidm [08:55]
<opendevreview> Merged openstack/openstack-ansible-openstack_hosts stable/wallaby: Enable powertools/crb repository for the repo server https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/829787 [09:14]
<opendevreview> James Gibson proposed openstack/openstack-ansible-specs master: Add proposal for enabling TLS on all internal communications https://review.opendev.org/c/openstack/openstack-ansible-specs/+/822850 [09:41]
<opendevreview> James Gibson proposed openstack/openstack-ansible-specs master: Add proposal for enabling TLS on all internal communications https://review.opendev.org/c/openstack/openstack-ansible-specs/+/822850 [09:58]
<noonedeadpunk> mornings [10:12]
<jrosser> morning [10:17]
<opendevreview> Merged openstack/openstack-ansible-galera_server stable/wallaby: Use unix socket while granting access for the backup service https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/829260 [10:57]
*** dviroel_ is now known as dviroel [11:16]
<noonedeadpunk> andrewbonney: do we need to adjust heartbeat_in_pthread anywhere/everywhere in OSA? [11:26]
<andrewbonney> I had a chat with jrosser this morning. I'm going to test a little more and then might do a set of patches so we can have a global override in OSA config [11:27]
<jrosser> is there a bug for that? [11:36]
<andrewbonney> Not for OSA directly, just https://bugs.launchpad.net/oslo.messaging/+bug/1949964 [11:37]
<noonedeadpunk> Just for conclusion of https://bugs.launchpad.net/oslo.messaging/+bug/1934937 was use-cases for execution outside of mod_wsgi. I guess that uwsgi should still be fine then without heartbeat_in_pthread? [11:52]
<noonedeadpunk> which leads me to thought that splitting of config must be required for api/scheduler as example? [11:53]
<andrewbonney> I've been confused by where the issue applies and where it doesn't so I was hoping a little more testing might help with that. Certainly our worst offender to date has been nova-compute [12:05]
<opendevreview> James Gibson proposed openstack/openstack-ansible master: WIP: Add support for enabling TLS to Glance backends in OSA https://review.opendev.org/c/openstack/openstack-ansible/+/821090 [12:11]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-rabbitmq_server master: Return Erlang distribution port mgmt binding https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/830151 [12:12]
<admin1> hi all .. for those who migrated from rocky (xenial ) -> bionic and up .. at which point or how do you upgrade ceph nodes ( it's a ceph+osa integrated deployment ) .. .. and is it safe to do a ubuntu upgrade on ceph ( in place upgrade) and then re-run the playbooks ? [12:14]
<jrosser> not knowing the answers to that sort of stuff was why i never ran it like that :) [12:26]
<admin1> :) [12:32]
<noonedeadpunk> generally in-place upgrade is fine if you have similar version available for both distros [12:33]
<noonedeadpunk> so might be that you need to do minor ceph upgrade to get latest version for release just to be extra safe [12:33]
<noonedeadpunk> As I can recall issues here and there between minor versions [12:34]
<opendevreview> James Gibson proposed openstack/openstack-ansible master: WIP: Enable TLS on haproxy VIPs and backends by default https://review.opendev.org/c/openstack/openstack-ansible/+/829937 [12:37]
*** arxcruz|ruck is now known as arxcruz [12:38]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-rabbitmq_server master: Verify if hosts file already managed with OSA https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/828929 [12:43]
<opendevreview> Merged openstack/openstack-ansible-os_zun master: Use common service setup tasks from a collection rather than in-role https://review.opendev.org/c/openstack/openstack-ansible-os_zun/+/824372 [13:06]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-rabbitmq_server master: Remove affecting rabbitmq hosts record https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/830172 [13:59]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Add note regarding 127.0.1.1 removal https://review.opendev.org/c/openstack/openstack-ansible/+/830175 [14:10]
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Migrate apache ssl certificate generation to the PKI role https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/830179 [14:28]
<jrosser> JamesGibo: I took a go at using what you'd done in the glance role to move os_keystone to the PKI role ^ [14:29]
<jrosser> also this looks like it needs rebasing https://review.opendev.org/c/openstack/openstack-ansible/+/829937 [14:30]
<jrosser> not sure it is testing quite what you think just now [14:30]
<noonedeadpunk> jrosser: we also have same IDP-based stuff like https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/tasks/keystone_idp_self_signed_create.yml [14:53]
<noonedeadpunk> Seems you've not covered that? [14:53]
<noonedeadpunk> * https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/tasks/keystone_idp_setup.yml [14:53]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/pike: EOL Pike branch https://review.opendev.org/c/openstack/openstack-ansible/+/826956 [14:57]
<jrosser> wtf is that even doing :) [15:00]
<jrosser> oh wow it uses memcached rather than slurp/register [15:03]
<jrosser> i have no idea if this still is valid / working, setting up keystone as an IdP is for k2k? [15:11]
<jrosser> i think i don't know if we just rip all of that out rather than move it to the PKI role tbh [15:11]
<jrosser> noonedeadpunk: do you have any k2k stuff? [15:12]
<noonedeadpunk> nope, we have just plain basic keystone setup [15:12]
<noonedeadpunk> looking at keycloak though [15:12]
<jrosser> i don't see really how that IdP code supports anything except a self-signed cert [15:13]
<noonedeadpunk> k2k sounds valid though if you want multi region with shared keystone though? [15:13]
<noonedeadpunk> and if you don't have anything centralized... [15:14]
<noonedeadpunk> btw yes, I was quite impressed with memcached usage as well:) [15:14]
<noonedeadpunk> that's not really bad pattern, is it? [15:14]
<noonedeadpunk> useless when you have everything on deploy host though [15:15]
<jrosser> self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}" [15:16]
<jrosser> is there some distant history where keystone web server was public? [15:16]
<noonedeadpunk> for k2k they still should talk through haproxy I believe [15:18]
<jrosser> oh right this is saml isn't it [15:21]
<jrosser> and googling suggests there is a signing key/certificate which is independent of the haproxy one [15:21]
* jrosser never done anything with saml [15:21]
<noonedeadpunk> we were considering saml as alternative, but well, I never did any deep dive [15:23]
*** dviroel is now known as dviroel|lunch [15:26]
<opendevreview> Jonathan Rosser proposed openstack/ansible-role-pki master: Add flag to conditionally create certificate authorities. https://review.opendev.org/c/openstack/ansible-role-pki/+/830221 [15:54]
<opendevreview> Merged openstack/openstack-ansible-lxc_hosts master: Generalise redhat variables to handle any distro and major release https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/829106 [16:12]
<opendevreview> Merged openstack/openstack-ansible-lxc_hosts master: Clean up bionic variables https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/828114 [16:12]
*** dviroel|lunch is now known as dviroel [16:26]
<jrosser> noonedeadpunk: i am having brain fail on the comment here https://review.opendev.org/c/openstack/ansible-role-pki/+/830221/1/tasks/main_ca.yml#41 [16:30]
<noonedeadpunk> 'True' vs True [16:32]
<noonedeadpunk> 'True' is str [16:32]
<noonedeadpunk> True is bool [16:32]
<noonedeadpunk> Result is kind of same though... [16:32]
<noonedeadpunk> So I'm not really -1 it, just commented :D [16:33]
<jrosser> ooooh [16:37]
<jrosser> i wonder if the keystone memcached thing is done because of keystone always running the [0]'th host then all the rest in two batches [16:41]
<noonedeadpunk> huh, can be... [16:46]
<noonedeadpunk> then it makes trouble to pki role as well I believe? [16:47]
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Migrate apache ssl certificate generation to the PKI role https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/830179 [16:57]
<jrosser> that might do it [16:57]
<jrosser> looks like the IDP cert is a CA cert [16:57]
<jrosser> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/tasks/keystone_idp_self_signed_create.yml#L30 [16:58]
<jrosser> really not sure how to test this though [16:58]
<opendevreview> Jonathan Rosser proposed openstack/ansible-role-pki master: Add flag to conditionally create certificate authorities. https://review.opendev.org/c/openstack/ansible-role-pki/+/830221 [17:01]
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Migrate apache ssl certificate generation to the PKI role https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/830179 [17:02]
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Tidy IDP setup task files https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/830260 [17:06]
<opendevreview> Merged openstack/openstack-ansible master: Add test of used SHAs https://review.opendev.org/c/openstack/openstack-ansible/+/829868 [17:18]
<opendevreview> Merged openstack/openstack-ansible master: Add infra zuul job with reduced required_projects https://review.opendev.org/c/openstack/openstack-ansible/+/775809 [17:19]
<opendevreview> Merged openstack/openstack-ansible master: Add hosts zuul job with reduced required_projects https://review.opendev.org/c/openstack/openstack-ansible/+/775812 [17:19]
<opendevreview> Merged openstack/openstack-ansible master: Do not install extra repos with the zuul configure-mirrors role https://review.opendev.org/c/openstack/openstack-ansible/+/829111 [17:24]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Improve bump patch readability https://review.opendev.org/c/openstack/openstack-ansible/+/830271 [18:19]
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump SHAs for master https://review.opendev.org/c/openstack/openstack-ansible/+/830273 [18:29]
<noonedeadpunk> jrosser: would be good to hear wdyt about such change in terms of HEAD date for each SHA vs one per file [18:30]
*** dviroel is now known as dviroel|out [21:52]
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Migrate apache ssl certificate generation to the PKI role https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/830179 [23:26]
