Wednesday, 2022-09-14

opendevreview: James Denton proposed openstack/openstack-ansible-os_ironic master: Replace pxe_append_params with kernel_pxe_params in ironic.conf  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/856590 [02:15]
*** ysandeep|out is now known as ysandeep [05:52]
noonedeadpunk: NeilHanlon: so in older releases we did symlink selinux inside venv. Though this was not required since yoga at least as ansible could work without it [07:32]
noonedeadpunk: Here's how code looked like: https://opendev.org/openstack/openstack-ansible/src/branch/stable/victoria/scripts/scripts-library.sh#L89-L92 [07:32]
noonedeadpunk: Also wondering how it worked locally for you and why it's not in CI [07:33]
noonedeadpunk: that's the patch that removed symlinking https://opendev.org/openstack/openstack-ansible/commit/a5b99ca742a95a7ce5af63fb54ec9269201f12b2 [07:34]
noonedeadpunk: so maybe some other package is missing that not allow to use ctypes? [07:34]
noonedeadpunk: Though ansible seems to have hardcoded library name: https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/compat/selinux.py#L14 [07:35]
anskiy: jamesdenton: that thing works as expected with LXC, as you will get different host names [07:51]
ThiagoCMC: noonedeadpunk, when installing OSA with limited Internet (only behind proxy), there's a need to manually add the following lines to `keystone_service_bootstrap.yml`, task "Wait for service to be up": `environment:\n    no_proxy: '{{ keystone_uwsgi_bind_address }}'` - Otherwise, even if `no_proxy` is in `/etc/environment`, it fails. [09:32]
noonedeadpunk: ThiagoCMC: I guess I saw some related bug report recently. Do you want to send a patch for that? :) [09:45]
opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_keystone stable/yoga: Check the service status during bootstrap against the internal VIP  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/857484 [10:57]
noonedeadpunk: ThiagoCMC: can you check if this works for you? ^ [10:57]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_keystone master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/857521 [11:03]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_glance master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/857634 [11:03]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_cinder master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/857635 [11:03]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_nova master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/857636 [11:04]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_placement master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/857637 [11:04]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_neutron master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/857638 [11:05]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_ironic master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/857639 [11:05]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_designate master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_designate/+/857641 [11:10]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_barbican master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/857642 [11:11]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_heat master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/857643 [11:18]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_horizon master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/857644 [11:18]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_magnum master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/857646 [11:29]
*** dviroel|brb is now known as dviroel [11:37]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_manila master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_manila/+/857647 [11:38]
NeilHanlon: noonedeadpunk yeah i feel we shouldn't need a symlink. python3-libselinux on EL9 uses Python 3.9, which appears to be the same executable that ansible is setting up. I'm a bit confused as to why it works for me, too :D [11:46]
ThiagoCMC: noonedeadpunk, cool, I'll give it a try! [11:46]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_murano master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/857649 [11:49]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_cloudkitty master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/857650 [11:52]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_mistral master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/857651 [11:55]
opendevreview: Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Avoid ovs restart during package upgrade  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/857652 [11:58]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_masakari master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/857653 [12:01]
NeilHanlon: noonedeadpunk: do we install the `selinux` shim package? [1] or is the idea that ctype binding should avoid the need for such things? [1] https://github.com/pycontribs/selinux [12:11]
noonedeadpunk: I think the idea of ctype is that you don't need to symlink or that selinux package [12:12]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_octavia master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/857654 [12:12]
noonedeadpunk: And I can recall we didn't install it before, as it's quite poorly maintained [12:12]
noonedeadpunk: So symlinking was better than this shim package [12:13]
NeilHanlon: it does appear that the .so it's looking for is provided by a different package (libselinux), but that's already installed so we shouldn't be having this [12:14]
NeilHanlon: I think my lab works because I disable selinux prior to running the bootstrap [12:14]
noonedeadpunk: would it be enabled in a dib image? [12:15]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_rally master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_rally/+/857656 [12:16]
noonedeadpunk: I think I'd need to spawn aio to check this out [12:17]
NeilHanlon: yeah, it says it's installed in the zuul build [12:17]
NeilHanlon: i'm downloading the dib image and am going to try from there [12:17]
noonedeadpunk: ah, ok then [12:17]
opendevreview: Ebbex proposed openstack/openstack-ansible-rabbitmq_server master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/857658 [12:21]
opendevreview: Ebbex proposed openstack/openstack-ansible-repo_server master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/857664 [12:23]
anskiy: noonedeadpunk: hey! What would happen to https://review.opendev.org/c/openstack/openstack-ansible/+/854235 this patch in the end? [12:36]
noonedeadpunk: anskiy: well... it has some issues I've commented. But overall I'd love to find better approach but too loaded with internal stuff now to sort out this feature [12:37]
anskiy: so it would be merged eventually like it is now? [12:38]
noonedeadpunk: I still think we should have some common role that can be included after each role to create resources.... [12:38]
noonedeadpunk: But as this idea was rejected, I need to re-evaluate how we should do that then [12:39]
noonedeadpunk: as in current shape it's really one-task playbook which is weird imo [12:40]
anskiy: okay, the reason I'm asking is this: I'm just trying to sort out which patches I need to wait, and I can have some use out of this one, if it lands. [12:41]
noonedeadpunk: Well, I do want to have such resource creation being implemented as well, question is how we should handle and test this [12:42]
noonedeadpunk: so I don't have definitive answer to your question [12:43]
anskiy: ah, so it just depends on would this new approach be implemented in this change or not :) [12:44]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_senlin master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_senlin/+/857672 [12:50]
anskiy: Second try with Let's Encrypt question: I have this patch on haproxy_server role: https://paste.opendev.org/show/bM89LDRRKyMPRgJvrSKI/ to get Let's Encrypt certificate issue working. I have `external_lb_vip_address` set to hostname and `haproxy_bind_external_lb_vip_address` set to IP/PREFIX. Does anyone else use Let's Encrypt? [12:50]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_swift master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/857673 [12:52]
mgariepy: anskiy, i do. [12:58]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_tempest master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/857674 [12:58]
mgariepy: external_lb_vip_address: FQDN for the lb address in openstack_user_config [12:59]
mgariepy: and haproxy_keepalived_external_vip_cidr: ipaddress/32 for the keepalived config [13:00]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_trove master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/857675 [13:01]
anskiy: mgariepy: what do you have in `bind` directive in frontend sections of `haproxy.cfg`? Hostname? [13:04]
mgariepy: yep [13:04]
anskiy: ahh, I see. [13:04]
mgariepy: it needs to resolve on haproxy starts. [13:05]
opendevreview: Ebbex proposed openstack/openstack-ansible-os_zun master: Remove redundant vars line  https://review.opendev.org/c/openstack/openstack-ansible-os_zun/+/857677 [13:05]
anskiy: yeah, but I don't like this behavior :) Better set it to what it's supposed to be. [13:05]
mgariepy: ok ¯\_(ツ)_/¯ [13:07]
anskiy: So, I can actually safely submit my patch, as it shouldn't break your existing installation, if: `external_lb_vip_address` could only be FQDN or IP-address, `haproxy_keepalived_external_vip_cidr` could only be CIDR and `haproxy_bind_external_lb_vip_address` could only be IP-address. [13:09]
anskiy: mgariepy: thank you! [13:09]
noonedeadpunk: anskiy: um, but you can totally set haproxy_bind_address explicitly [13:10]
noonedeadpunk: I'm not using let's encrypt, but have external_lb_vip_address defined as fqdn and bind in haproxy is IP [13:11]
noonedeadpunk: anskiy: as you can use `haproxy_bind_external_lb_vip_address` [13:12]
noonedeadpunk: https://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/master/defaults/main.yml#L232-L236 [13:12]
anskiy: noonedeadpunk: yes, that's what I've set. And when you would enable Let's Encrypt, you would direct `certbot` to issue certificate for `haproxy_bind_external_lb_vip_address`, which is IP-address for you: haproxy_bind_external_lb_vip_address [13:13]
noonedeadpunk: ah, well, I see what you mean [13:13]
anskiy: https://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/master/tasks/haproxy_ssl_letsencrypt.yml#L78 this, I mean [13:13]
noonedeadpunk: yes, fair, ok [13:13]
noonedeadpunk: btw, question, were you thinking about this kind of binds? https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/852039 [13:13]
noonedeadpunk: yes, your patch makes sense [13:14]
*** ysandeep is now known as ysandeep|afk [13:15]
anskiy: noonedeadpunk: I don't think I need that thing, at least, for now [13:32]
anskiy: I'll submit my patch later, thanks for the help! [13:32]
*** ysandeep|afk is now known as ysandeep [13:41]
*** ysandeep is now known as ysandeep|out [13:43]
*** frenzyfriday is now known as frenzyfriday|lunch [14:11]
opendevreview: Danila Balagansky proposed openstack/openstack-ansible-haproxy_server master: Use `external_lb_vip_address` as argument for certbot `domains` option  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/857719 [14:30]
noonedeadpunk: anskiy: I wonder if it would make sense to add a variable for certbot domains option? [14:38]
noonedeadpunk: But I guess it would be tricky to integrate with pki role [14:39]
noonedeadpunk: or maybe not, as this https://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/master/handlers/main.yml#L16-L24 is not triggered with let's encrypt [14:40]
opendevreview: Merged openstack/openstack-ansible-haproxy_server stable/xena: Do not add cacert when it does not exist  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/857055 [15:00]
anskiy: noonedeadpunk: you mean like separate one? The only downside that I see, is that it would be 4th variable :) So we would have CIDR, definitely IP, FQDN or IP and list of FQDNs :) [15:13]
*** dviroel is now known as dviroel|lunch [15:21]
noonedeadpunk: anskiy: I just thought you might want to get let's encrypt for www.domain.com while define external_lb_vip_address as just domain.com [15:25]
noonedeadpunk: or well, not you personally, but anybody :D [15:25]
anskiy: noonedeadpunk: AFAIR it does exactly this by default... [15:27]
noonedeadpunk: ah, well, ok then :D It just didn't quite some time ago [15:27]
anskiy: or not, at least not that certificate that I have. I wonder, why'd I thought it was doing that... [15:30]
anskiy: anyways, I think, I can add that [15:31]
noonedeadpunk: iirc for that you would need to set --domain www.domain.com,domain.com or create some conf file for certbot [15:34]
noonedeadpunk: But don't really remember [15:35]
anskiy: yeah, that's pretty much it [15:46]
*** frenzyfriday|lunch is now known as frenzyfriday [15:55]
opendevreview: Danila Balagansky proposed openstack/openstack-ansible-haproxy_server master: Add variable for setting certbot `domains` option  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/857719 [15:55]
anskiy: but I haven't tested that thing -_- [16:09]
anskiy: I can split it, if you want [16:10]
BobZ_Annapolis: Just had our OPS team ask me a good question - if a user interacts with the dashboard and removes a Security Group - where is this action captured / logged / etc ? thx [16:32]
jamesdenton: You should see the HTTP request logged in the neutron-server logs, but AFAIK there is no audit trail built-in. Would love to be corrected on that, though [16:37]
jamesdenton: You might be better served implementing custom roles that disallow that action [16:38]
*** dviroel|lunch is now known as dviroel [16:43]
opendevreview: Damian Dąbrowski proposed openstack/openstack-ansible-os_keystone stable/xena: Rename TLSv1.0 to TLSv1 in apache config  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/857749 [17:55]
opendevreview: Damian Dąbrowski proposed openstack/openstack-ansible-os_keystone stable/wallaby: Rename TLSv1.0 to TLSv1 in apache config  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/857751 [17:57]
opendevreview: Damian Dąbrowski proposed openstack/openstack-ansible-os_keystone stable/victoria: Rename TLSv1.0 to TLSv1 in apache config  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/857752 [17:58]
opendevreview: Damian Dąbrowski proposed openstack/openstack-ansible-os_barbican stable/xena: Rename TLSv1.0 to TLSv1 in apache config  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/857753 [17:59]
opendevreview: Damian Dąbrowski proposed openstack/openstack-ansible-os_barbican stable/wallaby: Rename TLSv1.0 to TLSv1 in apache config  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/857754 [18:00]
opendevreview: Damian Dąbrowski proposed openstack/openstack-ansible-os_barbican stable/victoria: Rename TLSv1.0 to TLSv1 in apache config  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/857755 [18:00]
ThiagoCMC: Folks, in ml2_conf.ini, my vni_ranges is empty, under [ml2_type_geneve], is it ok? [18:23]
jamesdenton: ThiagoCMC should be fine if you don't anticipate creating geneve networks, unless neutron-server expects some value there and won't start without it [18:54]
jamesdenton: but for that config to appear i would expect network_geneve_ranges to be defined and potentially have *some* value [18:55]
*** kleini_ is now known as kleini [19:30]
*** dviroel is now known as dviroel|afk [20:26]
opendevreview: Merged openstack/openstack-ansible-galera_server master: Add the ability to specify custom additional galera users  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/857090 [22:06]
*** dviroel|afk is now known as dviroel [22:12]
*** dviroel is now known as dviroel|afk [22:52]
