Thursday, 2022-03-03

01:30 *** dviroel|out is now known as dviroel
02:02 *** dviroel is now known as dviroel|out
08:26 <opendevreview> Takashi Kajinami proposed openstack/openstack-ansible-os_tempest master: Ensure heat_stack_owner role exists before assigning it  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/831640
10:21 <opendevreview> Pranali Deore proposed openstack/openstack-ansible-os_tempest master: Add the glance-tempest-plugin  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/831649
10:54 <noonedeadpunk> mgariepy: I think we should merge https://review.opendev.org/c/openstack/openstack-ansible/+/831427 and then go to cherry-picks on W, X and master
10:56 <noonedeadpunk> So https://review.opendev.org/c/openstack/ansible-role-systemd_networkd/+/831603/ is not that required then
10:56 <noonedeadpunk> (but good to have anyway)
11:15 *** dviroel|out is now known as dviroel
13:58 <noonedeadpunk> cores, please let's review https://review.opendev.org/c/openstack/openstack-ansible/+/831427 and go in reverse order to master to fix upgrade jobs
14:37 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone master: Drop distributed_lock parameter  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/831786
15:22 *** dviroel is now known as dviroel|lunch
15:30 <mgariepy> hey.
15:35 <mgariepy> noonedeadpunk, for the systemd_networkd stuff i saw a failure that's why i did the patch
15:39 <noonedeadpunk> yeah, it would go away with adding utils collection
15:39 <mgariepy> when is the full path name of the filter needed and not needed ? i'm quite a bit confused lol
15:43 <mgariepy> https://zuul.opendev.org/t/openstack/build/dec257dcc56549eb91ef386fe2c7d98a/log/job-output.txt#4565
15:43 <noonedeadpunk> so what basically happened - netcommon has dropped filter in favor of utils
15:43 <mgariepy> https://review.opendev.org/c/openstack/openstack-ansible/+/831525
15:44 <noonedeadpunk> we pull in latest netcommon as it's dependency
15:44 <noonedeadpunk> but, for backport we'd rather set older version of netcommon
15:44 <noonedeadpunk> and for master - use utils
15:45 <noonedeadpunk> yes, upgrade fail, as to pass it - we need X, for X we need W, for W we need V...
15:46 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Add ansible.utils collectoin requirement  https://review.opendev.org/c/openstack/openstack-ansible/+/831525
15:48 <mgariepy> https://zuul.opendev.org/t/openstack/build/dec257dcc56549eb91ef386fe2c7d98a/log/job-output.txt#5499
15:48 <mgariepy> for that check the utils collection was installed but the filter wasn't found by jinja
15:48 <noonedeadpunk> but it's upgrade job?
15:49 <mgariepy> ha.
15:49 <noonedeadpunk> which runs X-master upgrade
15:49 <mgariepy> lol ok
15:49 <noonedeadpunk> so for X we don't have that yet
15:49 <mgariepy> now i get it.. less confused than i was..
15:54 <mgariepy> can we do depends on for upgrade job ?
16:27 <noonedeadpunk> nope
16:27 <noonedeadpunk> well, we can, but only on current branch
16:27 <noonedeadpunk> we can't on M-1
16:27 *** dviroel|lunch is now known as dviroel
16:29 <opendevreview> Merged openstack/openstack-ansible stable/victoria: Bump ansible.netcommon version  https://review.opendev.org/c/openstack/openstack-ansible/+/831427
16:35 <mgariepy> w is rechecking !
16:56 *** dviroel__ is now known as dviroel
17:07 <noonedeadpunk> awesome, thanks!
17:31 <jamesdenton> noonedeadpunk did you integrate Barbican w/ the Luna?
17:31 <noonedeadpunk> yup
17:32 <jamesdenton> cool cool. Working on nCipher at the moment, and a little lost. I might ping you :)
17:33 <noonedeadpunk> I tested only with pkcs#11 and vault actually
17:33 <jamesdenton> ok, i will be using the pkcs#11 driver too
17:34 <noonedeadpunk> ah, then hopefully I can help if needed :)
17:34 <jamesdenton> i'm just missing some details on the nCipher side (using their hosted service vs on-prem)
17:35 <noonedeadpunk> I'd say basically you need client library. For luna it was pre-built driver and config file with token/auth stuff for their API
17:36 <noonedeadpunk> Should be same stuff actually for everybody else as well..
17:36 <jamesdenton> i have the library installed and can talk to the HSM, but i'm missing the passphrase (since i/we don't manage the device) and can't generate hmac or mkek keys at the moment
17:36 <jamesdenton> i found the osa docs and assumed you wrote it, but also looking at upstream
17:36 <jamesdenton> just some holes to fill on my end
17:37 <jamesdenton> are you using HSM in production w/ Octavia? Cinder?
17:38 <noonedeadpunk> yup
17:38 <jamesdenton> Sweet. Like it?
17:38 <noonedeadpunk> well for Luna they have portal for hosted service
17:38 <jamesdenton> i'm sure its the same here, i just don't have access (we're navigating this blindly, together)
17:39 <jamesdenton> and by we i mean me and the vendor
17:39 <noonedeadpunk> well, there's a bug in octavia https://bugs.launchpad.net/keystone/+bug/1959674
17:40 <johnsom> It's a bug in keystone... grin. Keystone 500's out
17:41 <noonedeadpunk> well, ok:) but touches only octavia :)
17:41 <noonedeadpunk> and for cinder things are a bit weird/slow. Also ephemeral encryption not implemented yet as well as glance encryption... so tons of gaps kind of
17:41 <johnsom> Yeah, that might be the case
17:41 <noonedeadpunk> object storage encryption also meh...
17:41 <jamesdenton> is that just in general?
17:42 <johnsom> Sadly I don't know the inner workings on the keystone side to figure out which one of the three possibilities are the right fix.
17:43 <jamesdenton> the use case for us is primary octavia at the moment. simple crypto may be fine, just trying to vet this for now
17:45 <noonedeadpunk> for us it was data encryption and octavia as nice bonus
17:46 <johnsom> jamesdenton Hi there. Let me know how nCipher goes for you. Most folks doing HSM like things with Octavia seem to be using Vault.
17:46 <jamesdenton> will do!
17:48 <noonedeadpunk> I wonder how they do it, considering barbican/vault integration was broken since T till X I believe
17:48 <noonedeadpunk> just castellan directly to vault?
17:49 <noonedeadpunk> but then there's no multi-tenancy so kind of same simple_crypto...
17:49 <johnsom> We do allow a pure Castellan option. I'm pretty sure at least a few use that
17:49 <johnsom> Right, it all goes into one bucket
17:50 <johnsom> We talked about how that could be fixed a few PTGs ago, but I don't know if it ever happened
17:50 <noonedeadpunk> for me sounds like overkill given what it provides but ok:)
17:50 <noonedeadpunk> and that you also need to have enterprise to at least unlock vault safely...
17:50 <noonedeadpunk> anyway
18:55 <mgariepy> woohoo W  [ Status: Success ] :D
19:46 <mgariepy> anyone here can push this one ? https://review.opendev.org/c/openstack/openstack-ansible/+/831426
19:59 <mgariepy> thanks jamesdenton
21:37 *** dviroel is now known as dviroel|out
22:21 *** dviroel|out is now known as dviroel
23:49 <opendevreview> Neil Hanlon proposed openstack/openstack-ansible master: Add support for running on Rocky Linux  https://review.opendev.org/c/openstack/openstack-ansible/+/823573
23:52 <opendevreview> Neil Hanlon proposed openstack/openstack-ansible master: Add support for running on Rocky Linux  https://review.opendev.org/c/openstack/openstack-ansible/+/823573
23:59 <opendevreview> Neil Hanlon proposed openstack/openstack-ansible master: Add support for running on Rocky Linux  https://review.opendev.org/c/openstack/openstack-ansible/+/823573