Friday, 2022-08-12

*** dviroel|afk is now known as dviroel 00:26
*** ysandeep|out is now known as ysandeep 01:53
*** ysandeep is now known as ysandeep|breakfast 03:14
*** ysandeep|breakfast is now known as ysandeep|afk 03:35
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/xena: Bump keepalived role back https://review.opendev.org/c/openstack/openstack-ansible/+/852934 04:42
*** ysandeep|afk is now known as ysandeep 05:35
<noonedeadpunk> fwiw centos 9 seems to be fixed now 07:21
<noonedeadpunk> https://zuul.opendev.org/t/openstack/build/f43ea70f8e0d439fa11ebd1363495fc1 07:21
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Set the number of threads for processes to 2 https://review.opendev.org/c/openstack/openstack-ansible/+/850942 07:24
<noonedeadpunk> snadge: regarding aodh issue it's caused with this commit if you're interested https://opendev.org/openstack/aodh/commit/0564e94c50f327a36ab686c6a96dd653fe4eceb4 07:25
<noonedeadpunk> I already proposed revert of it and patch u-c as alternative 07:25
*** ysandeep is now known as ysandeep|lunch 07:31
*** ysandeep|lunch is now known as ysandeep 08:34
<opendevreview> Merged openstack/openstack-ansible-lxc_hosts stable/yoga: Prevent lxc.service from being restarted on package update https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/852497 08:43
<noonedeadpunk> ok, I have recalled what I tried to cover with keystone X-forwarded-Proto 08:44
<noonedeadpunk> basically case when haproxy http -> keystone https, as then we need to set proto http and not https 08:45
<noonedeadpunk> That's why or won't work 08:45
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone master: Fix keystone_secure_proxy_ssl_header logic https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852943 08:55
<noonedeadpunk> jrosser_: please, check this assumption out ^ 08:55
<noonedeadpunk> damn, formatting went nasty ( 08:55
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone master: Fix keystone_secure_proxy_ssl_header logic https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852943 08:57
<noonedeadpunk> this one ;) ^ 08:57
<noonedeadpunk> well, I see how logic can be simplified now 08:58
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone master: Fix keystone_secure_proxy_ssl_header logic https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852943 08:59
<andrewbonney> noonedeadpunk: would it be better to fix this in haproxy? That already covers the https case which Apache seems happy to forward if it's not explicitly set. We could explicitly set 'http' as an 'else' for this condition: https://github.com/openstack/openstack-ansible-haproxy_server/blob/master/templates/service.j2#L73 09:01
<noonedeadpunk> I don't think it's enough? 09:03
<noonedeadpunk> As here apache is yet another proxy basically 09:04
<noonedeadpunk> or well, we need to pass X-Forwarded-Proto that it receives in request 09:04
<andrewbonney> Yeah, I assumed it was doing that by default, but perhaps it doesn't 09:04
<noonedeadpunk> I tried to use expr=%{REQUEST_SCHEME} there but I can remember you need to teach apache 09:05
<noonedeadpunk> let me try again, I guess I've recalled smth 09:05
* noonedeadpunk haven't really worked with apache for last 4 years 09:05
<andrewbonney> Either way I think the fix you're suggesting will work 09:06
<noonedeadpunk> Ah, you needed smth like Real_ip module to get X-Forwarded-* respected 09:07
<noonedeadpunk> and probably we don't want that 09:08
<noonedeadpunk> or maybe we do.... 09:08
<noonedeadpunk> like https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html#remoteipproxyprotocol 09:09
<noonedeadpunk> but that's completely different story I guess 09:12
<noonedeadpunk> and nah, it does not really respect X-Forwarded-Proto 09:12
<opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone master: Fix keystone_secure_proxy_ssl_header logic https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852943 09:13
*** ysandeep is now known as ysandeep|bbl 10:05
<opendevreview> Merged openstack/openstack-ansible-os_keystone master: Check the service status during bootstrap against the internal VIP https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852451 10:48
<opendevreview> Merged openstack/openstack-ansible-os_keystone master: tls1.2: update ciphers to latest recommendations https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852246 10:55
<opendevreview> Merged openstack/openstack-ansible-lxc_hosts master: Define coherent safe default for package state https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/852569 11:00
<opendevreview> Merged openstack/openstack-ansible-os_cinder master: Remove oslo_policy section from cinder.conf https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/852515 11:12
*** ysandeep|bbl is now known as ysandeep 11:16
<opendevreview> Merged openstack/openstack-ansible-os_keystone master: Add PKCE method for OIDC https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852390 11:30
<opendevreview> Merged openstack/openstack-ansible-os_horizon master: tls1.2: update ciphers to latest recommendations https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/852247 11:41
<opendevreview> Merged openstack/openstack-ansible-os_horizon master: Add support for websso http referer variable added in yoga https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/851960 12:00
<opendevreview> Andrew Bonney proposed openstack/openstack-ansible-os_horizon stable/yoga: Add support for websso http referer variable added in yoga https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/852952 12:03
<opendevreview> Merged openstack/openstack-ansible master: Remove ironic_compute container from ironic_all https://review.opendev.org/c/openstack/openstack-ansible/+/852197 12:19
<opendevreview> Merged openstack/openstack-ansible master: tls1.2: update ciphers to latest recommendations https://review.opendev.org/c/openstack/openstack-ansible/+/852244 12:19
*** ysandeep is now known as ysandeep|afk 12:55
*** ysandeep|afk is now known as ysandeep 13:52
*** ysandeep is now known as ysandeep|out 14:04
<opendevreview> Merged openstack/openstack-ansible master: Stop NetworkManager on RHEL https://review.opendev.org/c/openstack/openstack-ansible/+/850667 14:13
<opendevreview> Merged openstack/openstack-ansible master: Deprecate openstack_hostnames_ips https://review.opendev.org/c/openstack/openstack-ansible/+/851363 14:13
*** dviroel is now known as dviroel|out 14:31
<noonedeadpunk> So, if https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852943 works - we should backport it to Yoga as well, as it's quite valid bug 15:20
<noonedeadpunk> ah, and this one https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/852952 15:23
<opendevreview> Merged openstack/openstack-ansible-haproxy_server master: tls1.2: update ciphers to latest recommendations https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/852245 16:00
<opendevreview> Burkhard Ott-Langer proposed openstack/openstack-ansible-memcached_server master: bugfix: memcache template variable memcached_file_limits https://review.opendev.org/c/openstack/openstack-ansible-memcached_server/+/853009 17:00
<jrosser_> watch out for https://bugs.launchpad.net/nova/+bug/1951656 if you update to yoga 17:35
<opendevreview> Merged openstack/openstack-ansible stable/xena: Increase ControlPersist timeout to 300 seconds https://review.opendev.org/c/openstack/openstack-ansible/+/852108 17:43
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_keystone stable/yoga: Add PKCE method for OIDC https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852959 17:47
<opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-os_cinder stable/yoga: Remove oslo_policy section from cinder.conf https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/852960 17:48
<opendevreview> Merged openstack/openstack-ansible-os_horizon stable/yoga: Add support for websso http referer variable added in yoga https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/852952 18:42
<spatel> jrosser_ good to know that 19:08
<spatel> Good news! i have upgraded openstack wallaby running ovn deployment to Xena without any hiccups 19:09
<spatel> look like OSA ovn deployment is stable enough now 19:09
<opendevreview> Merged openstack/openstack-ansible-os_keystone master: Fix keystone_secure_proxy_ssl_header logic https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/852943 19:15
<jamesdenton> nice work 19:36
<spatel> jamesdenton are you doing any other experiment with ovn? 19:52
<spatel> what next :) 19:52
<jamesdenton> nothing substantial, no. I am looking to test the latest OVN+DHCP patches for ironic, though 19:53
<jamesdenton> kind of a pain to run legacy dhcp agent, too 19:53
<jrosser_> we never did finish ssl for the OVN stuff properly 19:55
<opendevreview> Merged openstack/openstack-ansible stable/xena: Bump keepalived role back https://review.opendev.org/c/openstack/openstack-ansible/+/852934 19:59
<spatel> jrosser_ yes we didn't :( 20:00
<spatel> my bad... 20:00
<spatel> next month deploying ovn for large scale VDI solution 20:01
<spatel> for VDI i need good networking solution so picking OSA+OVN 20:01
<spatel> using DVR 20:02
<spatel> jrosser_ I will see if i can find some slot or time to look into SSL deployment. 20:02
<spatel> if you have time then i can give you recipe because you are most SSL expert here :) 20:03
<spatel> In my case i need to understand OSA PKI 20:03
<jrosser_> hopefully it is easy :) 20:09
<jrosser_> there are lots of examples in the code now 20:09
<spatel> jrosser_ I am sure you will figure out, here i created blog about OVN SSL - https://satishdotpatel.github.io/ovn-ssl-setup-with-openstack/ 20:12
<opendevreview> Merged openstack/openstack-ansible stable/wallaby: Set zuul post-timeout to 3 hours https://review.opendev.org/c/openstack/openstack-ansible/+/847991 22:00
