Monday, 2022-08-08

01:33 *** anskiy1 is now known as anskiy
04:51 *** raukadah is now known as chandankumar
05:38 *** ysandeep|PTO is now known as ysandeep
06:23 <noonedeadpunk> mornings
06:24 <noonedeadpunk> we totally do have issue with logic in cinder-volume configuration :(
06:38 <jrosser_> morning
06:39 * jrosser_ reads ML
06:40 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible stable/yoga: Increase ControlPersist timeout to 300 seconds  https://review.opendev.org/c/openstack/openstack-ansible/+/852107
06:41 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible stable/xena: Increase ControlPersist timeout to 300 seconds  https://review.opendev.org/c/openstack/openstack-ansible/+/852108
06:52 *** ysandeep is now known as ysandeep|afk
07:08 <noonedeadpunk> and I'm not really sure how we're gonna fix that
07:09 <noonedeadpunk> yes, we can just disable active/active if no etcd is present, but that would break deployments in a way
07:09 <noonedeadpunk> or we can forcefully install etcd when it's enabled
07:10 <noonedeadpunk> but then install it only inside cinder_volume, which could be on bare metal as well...
07:33 <jrosser_> well also designate for a long time says you need a coordinator
07:33 <jrosser_> and we never did it for that either, which really should happen
07:53 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_ironic master: Bind http and tftp services to the bmaas network  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/852122
07:55 <noonedeadpunk> well, we kind of have etcd already in osa. With really low effort zookeeper can be added as well.
07:57 <jrosser_> i think i've had to completely re-implement common-tasks/dynamic-address-fact.yml inside the ironic role
08:00 <noonedeadpunk> yeah, looks like that...
08:01 <noonedeadpunk> to be clear - I was not pushing to replace dynamic-address-fact.yml, was wondering if doing the octavia way was enough and what way we should go
08:01 <noonedeadpunk> ironic looks more complicated I guess?
08:02 <noonedeadpunk> not sure why though
08:29 <opendevreview> Merged openstack/openstack-ansible-plugins stable/yoga: Fix gluster play_hosts  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/851379
08:38 <jrosser_> i think that the difference in ironic is the templates need the IP address and also the interface name
08:47 <opendevreview> Merged openstack/openstack-ansible-rabbitmq_server stable/ussuri: Use cloudsmith repo for rabbit and erlang  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/850350
09:23 <noonedeadpunk> So if you say that's easier just to use dynamic-address-fact.yml - then let's just do that
09:24 <noonedeadpunk> I really can't recall how we fixed this nmap issue for centos 8....
09:24 <noonedeadpunk> https://zuul.opendev.org/t/openstack/build/9ae9e53c4a104a5bbbdf7ab9295dca99/log/job-output.txt#15990
09:25 <noonedeadpunk> considering we don't provide nmap version...
09:25 <noonedeadpunk> were these just broken infra mirrors....
09:31 <jrosser_> maybe dynamic-address-fact needs converting to a tiny role or module
09:32 <jrosser_> what is not so nice about what i have done (or what octavia role does) is that it needs to have container_networks be used inside the role
09:33 *** ysandeep|afk is now known as ysandeep
09:33 <jrosser_> my patch for this to ironic is still broken on metal so i make an AIO anyway just now for it
09:35 <admin1> jrosser_ , i found that if the SSL expired and I had to only change the .pem and re-run haproxy playbook, that error popped up again ( failed 3 times for the 3 controllers and then was OK in the last run )
09:38 <jrosser_> admin1: what error? you'll need to give some more context really
09:41 <admin1> right .. sorry .. it's about haproxy complaining that the pem does not exist while in the 2nd run, it would have created it .. there were also 2 more people talking about this before ..
09:41 <admin1> i think i had filed a bug report for it .. searching ..
09:41 <admin1> else i will do a new one
09:42 <jrosser_> please include enough info to reproduce it
09:43 <opendevreview> Merged openstack/ansible-role-python_venv_build stable/yoga: Gather build hosts facts once.  https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/849640
09:43 <opendevreview> Merged openstack/ansible-role-python_venv_build stable/yoga: Run wheels build for each unique distro/arch  https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/849004
10:07 <opendevreview> Merged openstack/openstack-ansible-lxc_hosts stable/yoga: Take account of lxc_apt_mirror in new debootstrap command  https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/851387
10:17 <opendevreview> Merged openstack/openstack-ansible-os_ironic master: Remove ironic_server from inventory  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/852199
10:21 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_ironic master: Bind http and tftp services to the bmaas network  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/852122
10:21 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_ironic master: Ensure ironic inspector dhcp server listen address is defined  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/852173
10:23 <opendevreview> Malin Roth proposed openstack/openstack-ansible-os_keystone master: Add PKCE method for OIDC  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852390
10:26 <admin1> jrosser_, this one  https://bugs.launchpad.net/openstack-ansible/+bug/1973242
10:32 <admin1> https://bugs.launchpad.net/openstack-ansible/+bug/1973242  -- updated with latest finding
10:32 <opendevreview> Merged openstack/openstack-ansible-os_ironic master: Install only the required dhcp config files for inspector  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/852121
10:35 <jrosser_> admin1: can you please add which certificate (yours or PKI role) and any vars that you have set for it?
10:36 <jrosser_> and public / internal endpoint etc
10:37 <jrosser_> also we need to see what the PKI role did when it was called from the haproxy role
10:40 <admin1> the vars are there. starting in the first line
10:41 <admin1> internal endpoint is always an ip ..  in the var ..  external is also in the var ..
10:41 <admin1> nothing else used
10:41 <admin1> it works .. just that it takes 4 tries n+1 retries .. where n = number of controllers ( haproxy )
10:42 <jrosser_> the log is really needed for this https://github.com/openstack/openstack-ansible-haproxy_server/blob/b4a564795b8f8c684010f49eb6e222586f1c5432/tasks/main.yml#L40-L57
10:45 <admin1> what is the best way .. run all again with -vvvv ?
10:45 <admin1> and submit the file ?
10:46 <jrosser_> no need really for -vvvv, just to see if the PKI role copies in your certificate or not
10:47 <jrosser_> but it needs to be run in a way like it fails for you before
10:51 <jrosser_> oh well maybe i see what's wrong
10:51 <jrosser_> "cat: /etc/haproxy/ssl/haproxy_r2c2-172.29.236.9-ca.crt: No such file or directory
10:52 <jrosser_> `-ca.crt` that's important
11:00 <jrosser_> noonedeadpunk: do you use any self-supplied certificates for public endpoint?
11:00 <noonedeadpunk> I do, yes
11:00 <noonedeadpunk> we run Xena top though
11:01 <noonedeadpunk> we actually run both for public and internal
11:01 <opendevreview> Merged openstack/openstack-ansible-galera_server stable/ussuri: Bump MariaDB version  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/851439
11:01 <jrosser_> this looks like it assumes that the CA file is always given https://github.com/openstack/openstack-ansible-haproxy_server/blob/b4a564795b8f8c684010f49eb6e222586f1c5432/handlers/main.yml#L18
11:02 <jrosser_> but this allows the CA to be optional https://github.com/openstack/openstack-ansible-haproxy_server/blob/b4a564795b8f8c684010f49eb6e222586f1c5432/vars/main.yml#L65-L75
11:11 <noonedeadpunk> well, that sounds like quite valid bug then
11:12 <jrosser_> only thing i can think of is to have two handlers, with conditions
11:14 <noonedeadpunk> or do complex bash
11:14 <noonedeadpunk> as it's already a shell module
11:15 <noonedeadpunk> so we can add `if [[ -f {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '-ca.crt' }} ]]; then cat {{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '-ca.crt' }}; fi` ?
11:17 <noonedeadpunk> or smth even better....
11:21 <agemuend_> Hi jrosser_, we propose https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852390 to be able to enable PKCE (RFC 7636) for federated identity. It's e.g. required for one of the European Science Clouds (EGI FedCloud) (https://docs.egi.eu/providers/cloud-compute/openstack/aai/#changes-in-apache-configuration).
11:23 <jrosser_> agemuend_: this one? https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852390
11:24 <agemuend_> Yes
11:26 <jrosser_> looks reasonable, the tests should finish soon
11:27 <jrosser_> is there a particular release you were wanting to use that with?
11:31 <agemuend_> We patched locally, would just be nice to have it in future
11:34 <noonedeadpunk> agemuend_: commented just one small nit there. We can totally backport that actually
11:38 *** dviroel_ is now known as dviroel
12:04 <noonedeadpunk> ah, I know, we do provide ca-chain anyway
12:06 <jrosser_> i guess when you go buy a commercial cert then you just need the key/crt as the CA should be in all the systems anyway
12:09 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: Do not add cacert when it does not exist  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/852399
12:09 <noonedeadpunk> yeah, ca is, but chain is usually still needed
12:11 <jrosser_> admin1: ^ does this match what you are doing?
12:12 <jrosser_> i.e. where is the intermediate CA cert for your cert/key coming from?
12:18 <noonedeadpunk> I think it might be part of the certificate in bunch of cases...
12:19 <noonedeadpunk> really depends on the input...
12:19 <noonedeadpunk> so making CA file optional is valid thing I believe
12:20 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: Allow haproxy to bind on the interface  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/852039
12:25 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server master: Allow haproxy to bind on the interface  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/852039
13:20 <admin1> cert.pem has the cert, chain and root all in 1 file
13:23 <noonedeadpunk> the question was if you have chain in .crt as you don't define haproxy_user_ssl_ca_cert
13:30 <admin1> i do not have a haproxy_user_ssl_ca_cert defined
13:31 <admin1> haproxy_user_ssl_ca_cert is a new variable introduced afaik
13:32 <noonedeadpunk> I'm pretty sure it was there for quite a while...
13:34 <opendevreview> Merged openstack/openstack-ansible-os_ironic stable/yoga: Updated from OpenStack Ansible Tests  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/846777
13:46 <jrosser_> admin1: haproxy_user_ssl_ca_cert is there all the way back to queens at least
13:54 <admin1> is the error because haproxy_user_ssl_ca_cert is not there ?
13:55 <admin1> i will test
13:55 <admin1> and update
13:55 <jrosser_> it is because the code now expects that the CA cert is provided in its own file
13:55 <jrosser_> but that's not great for backwards compatibility
13:56 <jrosser_> so you could try this patch out https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/852399
14:07 <opendevreview> Merged openstack/openstack-ansible master: Duplicate centos 8/9 logic for Rocky Linux 9  https://review.opendev.org/c/openstack/openstack-ansible/+/852181
14:07 <opendevreview> Merged openstack/openstack-ansible master: Remove ironic_server from env.d  https://review.opendev.org/c/openstack/openstack-ansible/+/852182
14:19 <opendevreview> Merged openstack/openstack-ansible master: Remove neutron agents from ironic env.d file  https://review.opendev.org/c/openstack/openstack-ansible/+/851699
14:19 <opendevreview> Merged openstack/openstack-ansible master: Do not create {hostname}-host_containers group as child of other groups  https://review.opendev.org/c/openstack/openstack-ansible/+/851764
14:25 <opendevreview> Malin Roth proposed openstack/openstack-ansible-os_keystone master: Add PKCE method for OIDC  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852390
14:53 <jrosser_> noonedeadpunk: did you see the ML thread about heartbeat_in_pthread?
14:54 <jrosser_> i think we have some handling for this but there is talk of backporting a change which looks like it might affect our stable branches
15:16 <noonedeadpunk> Well I saw thread but wasn't really following it.
15:18 <jrosser_> we handle the cases that it's needed to be False https://review.opendev.org/q/topic:bug%252F1961603
15:19 <jrosser_> and they propose to switch the default to False which means instead we have to add many more patches to keep it as True where we want that
15:19 <jrosser_> and on stable branches as well
15:20 <jrosser_> i am uncertain if this is just laziness in RH wanting to flip it so they don't have to do any actual work in RHSOP
15:20 <noonedeadpunk> do we really want to have that as true?
15:20 <noonedeadpunk> I'm pretty sure that's the case
15:20 <jrosser_> but we already have patches to deal with this so it's not new news
15:21 <jrosser_> but changing the default would mean we would need to make loads of patches to have nothing change in existing deployments
15:23 <mrf> Hi!  https://paste.opendev.org/show/br1mjP6qVstCIrzMfAFp/   is that not a minor error in the path?
15:23 <noonedeadpunk> I mean - do we really track all changes in behaviour that's been backported?
15:23 <jrosser_> well maybe that's the thing, that this sort of thing is generally not backported
15:23 <noonedeadpunk> mrf: should not really matter, it's minor imo
15:24 <jrosser_> which is why it's unfortunate that in the case of something that we actually have a workaround for someone proposes to mess with it
15:24 <noonedeadpunk> jrosser_: I'm probably not understanding the real effect on deployments
15:24 <jrosser_> oh well the non uwsgi agents get wedged up and break
15:24 <jrosser_> given enough time / busyness
15:24 <noonedeadpunk> but that's with var set to true?
15:25 <noonedeadpunk> if it's set to false for everything - how does that affect uwsgi?
15:25 <jrosser_> that i'm not so sure about
15:25 <jrosser_> there is "don't worry it'll all be OK" in the mailing list thread
15:26 <noonedeadpunk> So our workaround is to not wedge services by setting new default they propose. And I was under impression, that disabling pthreads will actually be okeyish for uwsgi. Suboptimal, but okeyish
15:28 <jrosser_> yeah, could be - i don't know enough about it tbh
15:29 *** dviroel is now known as dviroel|lunch
15:30 *** ysandeep is now known as ysandeep|out
15:31 <mrf> Is this path correct? certs/certs? cat: /etc/openstack_deploy/pki/certs/certs/haproxy_haproxy02-192.168.1.100.crt: No such file or directory"
15:33 <jrosser_> mrf there are certs/certs certs/csr and certs/private
15:33 <jrosser_> distinct from roots/.....
15:58 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Check the service status during bootstrap against the internal VIP  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852451
16:38 *** dviroel|lunch is now known as dviroel
18:00 <admin1> i have/had 2 cinder backends (ceph), and i added a 3rd one (nfs) and now I get a strange error:  https://gist.githubusercontent.com/a1git/b0ddc0b718a3fb89d28b037d89f1583f/raw/34e0992495db81e7b591570946f4296981867a4e/gistfile1.txt
18:01 <admin1> Active-Active configuration is not currently supported by driver cinder.volume.drivers.nfs.NfsDriver
18:01 <admin1> is something active-active by default ?
18:05 <jrosser_> cinder can be active-active for rbd
18:09 <admin1> ok ..
18:10 <admin1> not sure how to solve it though .. i can try to move it in the first block :D
18:10 <admin1> get it loaded first, and then get to cinder and get to active active .. if it reads 1 by 1 or fifo type
18:36 <spatel> how to protect accidental vm deletion? I can see lock feature but any other policy or workaround ?
18:47 <spatel> can i create project admin user who has permission to create users/delete user for specific project?
18:50 <admin1> jrosser_, as per #openstack-cinder , it's due to cluster=ceph on line 12  https://gist.github.com/a1git/fbf329c3027ea51278ef3c3c599d0dfa
18:53 <admin1> set by cinder_active_active_cluster: "{{ cinder_backend_rbd_inuse }}"
18:54 <admin1> to disable it is to set cinder_active_active_cluster: false ?
18:55 <admin1> spatel, do the vm creation using CI ?
18:55 <admin1> or gitlab or some form of api/automation instead of giving direct access ?
18:55 <admin1> or a create-only api role
18:56 <jrosser_> admin1: this is slightly unfair imho
18:57 <jrosser_> as you know openstack-ansible comes out-of-the-box with "sensible defaults"
18:57 <jrosser_> and then on top of that it lets you write literally any config you like into any of the services with overrides
18:59 <admin1> :)
18:59 <admin1> which is why we all love it
18:59 <jrosser_> but it means you have to do the homework on the services
19:01 <jrosser_> so it's totally possible to make bogus configs by trying to use combinations of things which are mutually exclusive
19:01 <jrosser_> openstack-ansible makes no claim to be able to resolve that for you
19:07 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_keystone master: Check the service status during bootstrap against the internal VIP  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852451
19:24 <opendevreview> Merged openstack/openstack-ansible stable/yoga: rabbitmq: default to using TLS for management user interface  https://review.opendev.org/c/openstack/openstack-ansible/+/851380
19:25 *** tosky_ is now known as tosky
19:39 <spatel> admin1 >
19:39 <spatel> ?
21:22 *** dviroel is now known as dviroel|out
