Monday, 2022-12-19

noonedeadpunk	mornings	09:11
jrosser	good morning	10:08
noonedeadpunk	question - does anyone have a good idea on how to store private keys generated by PKI role encrypted? At least with ansible-vault?	10:55
noonedeadpunk	openssl_privatekey_pipe module....	10:57
noonedeadpunk	hm, how to adopt pki role for it....	11:05
kleini	noonedeadpunk: I noticed for my secondary Ceph connection, nova-compute does not need a keyring or ceph.conf in /etc/ceph at all. secret is stored in libvirt and all Ceph access information is stored in qemu instance xml file.	11:09
noonedeadpunk	I'm not sure if it's valid for spawning up new instances TBH	11:10
noonedeadpunk	As yes, nova does cache connection info on VM create. But I don't think it preserves it for new VMs	11:11
noonedeadpunk	Or well. It also depends on usage of ephemerals	11:11
noonedeadpunk	As for cinder-volume that might not be needed indeed.	11:12
kleini	I am testing now Cinder volumes in both Ceph instances. Attached two volumes one stored on Ceph A and one on Ceph B. And it works as long as the secrets are available in libvirt. Everything else does not seem to matter.	11:14
noonedeadpunk	yes, because cinder does pass all coonection info for volumes during attach to nova	11:15
noonedeadpunk	but for epehemral on ceph it would be needed	11:16
kleini	ah, okay. for ephemeral I have local qcow2 configured.	11:21
noonedeadpunk	well. it might make sense to add way to skip ceph.conf/keys deployment when nova doesn't use ceph for ephemerals	11:23
noonedeadpunk	That can complicate logic though. Needs a closer look for sure	11:24
admin1	kleini, i tried 2 cephs long time back and cinder supports it, nova does not	11:32
admin1	things changed ?	11:32
kleini	admin1: https://review.opendev.org/c/openstack/openstack-ansible-ceph_client/+/867970	11:36
kleini	I extended the the ceph_client role, so I can deploy keyring from Ceph as libvirt secret. Everything else works out of the box.	11:37
jrosser	noonedeadpunk: i was thinking about if we can extend the PKI role `standalone` driver to have different storage backends	11:37
kleini	keyring from file	11:37
jrosser	like for example hashi vault	11:37
noonedeadpunk	Well, that all goes for lookups tbh?	11:38
noonedeadpunk	And openssl_privatekey_pipe would solve all that	11:38
jrosser	yes	11:38
noonedeadpunk	but there're not pipe modules for everything though	11:39
jrosser	well maybe i misunderstand what you want to do	11:39
noonedeadpunk	nah, I want to do exactly that	11:39
noonedeadpunk	I was looking at private keys specifically now	11:39
jrosser	we have a bunch of stuff like this `lxc_image_remote_password: "{{ lookup('pipe', 'vault read -field value secret/passwords/lxd-trust') }}"`	11:40
noonedeadpunk	(except still store on filesystem for now)	11:40
jrosser	so define the exact lookup to use and the path in a var	11:41
noonedeadpunk	yeah, that what I think we need to do for PKI as well	11:41
jrosser	and i was thinking we could have those sort of things for read / write to vault for private keys	11:41
jrosser	then those are trivial to override and have whatever lookup you want	11:41
noonedeadpunk	Question is if we want to do same for csr/public parts as well?	11:41
noonedeadpunk	The thing I hate about lookups is lazy loading... So when running against bunch of computes you will have quite a lot of requests...	11:42
jrosser	for things like that example i gave we put a bunch of them in pre_tasks	11:42
jrosser	but the PKI thing is a bit different to that	11:43
jrosser	you'd want to try to read the public key with some lookup	11:43
jrosser	if it's not present, create and write it	11:43
noonedeadpunk	well, openssl_privatekey_pipe module has action plugin. So it's executed always against localhost	11:43
noonedeadpunk	and writing it is a bit tricky I guess. As write part would strongly depend on the backend	11:44
noonedeadpunk	ie vault vs sops vs ansible-vault - all be different	11:44
noonedeadpunk	s/be/are	11:45
jrosser	yeah	11:45
noonedeadpunk	that's where I stuck with the idea atm	11:45
noonedeadpunk	I also wanted to create some simple tox config to generate certs on-purpose to do that locally and not during runtime (ie when creating new compute)	11:46
noonedeadpunk	That could solve creation part, kind of... If it would be easy to do ad-hoc way. But I haven't even started working on that as of today	11:47
noonedeadpunk	except of the idea in backlog	11:47
jrosser	there is also vault_write / vault_read modules these days so lookups are not necessary	11:52
jrosser	feels like we can try using hashi vault for storing private keys for CA without too much trouble	11:56
noonedeadpunk	well. we don't use hashi vault and not even looking at it atm to be fair	12:07
noonedeadpunk	but do in sops (that can also use hashi vault) or ansible-vault for now	12:07
noonedeadpunk	both these should be jsut fine with lookups	12:08
noonedeadpunk	so vault_write / vault_read is not very helpful for me unfortunatelly :(	12:08
jrosser	ah ok	12:16
jrosser	perhaps we need a prototype first here	12:17
jrosser	converting the existing code to using the _pipe versions of the modules would be a good first step	12:17
jrosser	to make a uniform `file` backend	12:17
noonedeadpunk	I was actually thinking about adding another block for _pipe and use current version as default, but maybe converting to pipe is also possible...	12:29
noonedeadpunk	this is going to add quite some complexity though...	12:30
noonedeadpunk	I can't really get to straight to this right now, I hope I will be able to work on that till end of the week	12:30
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: Block unauthenticated Ironic API endpoints from untrusted networks https://review.opendev.org/c/openstack/openstack-ansible/+/868075	12:31
noonedeadpunk	as have quite some pile to sort out internally	12:31
jrosser	surprised noone did anything about those bits of ironic API before ^	12:31
noonedeadpunk	ugh	12:37
noonedeadpunk	seems we have ironic scoped out for next year at all :(	12:38
opendevreview	Merged openstack/ansible-role-pki stable/zed: Ensure CA privatekey permissions https://review.opendev.org/c/openstack/ansible-role-pki/+/867631	12:41
moha7	Hi \| OS: Ubuntu 22.04 \| Process: deployment step \| Error: 1: https://ibb.co/M5FHJNf 2: https://ibb.co/tm3W2PV	13:28
moha7	At the end of deployment, lxc containers are stopped and then I get the above errors (see links plz) saying "Failed to lxc-start"	13:30
noonedeadpunk	moha7: hey. Are you deploying Yoga or Zed release?	13:36
noonedeadpunk	you also wrote previously that lxcbr0 is down for you?	13:38
jrosser	maybe worth looking at the lxc-dnsmasq service for that and seeing if it is broken	13:40
noonedeadpunk	Well, I wonder if it can be related to changes I made to switch to systemd-networkd	13:41
moha7	I get that error both on master branch (Zed?) and the branch 25.2.0	13:42
noonedeadpunk	aha. ok, then it's not that change	13:42
noonedeadpunk	and for lxc-ls --active you don't have any VM?	13:43
moha7	noonedeadpunk: lxc-ls lists containers on target hosts, but lxcbr0 is down and I can not up it with `ip`	13:43
noonedeadpunk	*container	13:43
moha7	I use the multibond.example as the configuratio file with a major change: replacing _linuxbridge_ with _openvswitch_ across the file	13:44
jamesdenton	curious.. is br-mgmt a linux bridge or open vswitch bridge?	13:46
noonedeadpunk	oh	13:46
noonedeadpunk	yeah, I guess jamesdenton is on smth :)	13:46
jamesdenton	perhaps. perhaps.	13:46
admin1	br-mgmt is a linux bridge as far as i am aware of	13:46
moha7	I reverted snapshots and going to deploy again; I give you output of `lxc-ls --active`in 15 minutes.	13:46
admin1	should be *	13:46
jamesdenton	kk	13:47
admin1	moha7, what is the output of brctl-show ?	13:47
admin1	how does your bridges look ?	13:47
noonedeadpunk	btw I'm going to spawn an env with having bridges as ovs on controller. Not sure how good this idea is, but sounds appealing if ovs is used anyway everywhere	13:47
admin1	"brctl show" -- part of bridge-utils	13:47
jamesdenton	well, beware of ovs being masked	13:47
noonedeadpunk	admin1: you can set `container_bridge_type: openvswitch` in provider_networks fwiw	13:47
noonedeadpunk	hm. Do we mask it anywhere?	13:48
noonedeadpunk	Oh... we do....	13:48
noonedeadpunk	for neutron agents	13:48
noonedeadpunk	but we have net nodes speparately from controllers	13:49
noonedeadpunk	but it indeeds scary thing...	13:49
jamesdenton	i don't recall the details, but i remember wondering if it would impact openvswitch as the lxc bridge	13:49
jamesdenton	guess we'll find out	13:49
opendevreview	Jonathan Rosser proposed openstack/ansible-role-uwsgi master: Enable uwsgi to bind to multiple different IP addresses https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/868085	13:50
jrosser	jamesdenton: do you have real deployments of ironic on metal?	13:51
jamesdenton	most, if not all of them	13:52
jamesdenton	we don't use inspector, though	13:52
jamesdenton	and they're <= Victoria	13:52
jamesdenton	i have a Yoga one right here	13:52
jrosser	first surprise was this https://review.opendev.org/c/openstack/openstack-ansible/+/868075	13:53
jamesdenton	i saw that	13:53
jamesdenton	i don't think we expose ironic api to the world	13:53
jrosser	and that got me wondering about how to make the deployment network "safer"	13:53
jamesdenton	but even behind the firewall, i guess we don't worry too much about it (and i had no idea, anyway)	13:53
jrosser	and i was wondering what would happen for you given that it's routed	13:53
jrosser	like rules about source IP might not be meaningful	13:54
jamesdenton	for our prod environments, it tends to be a flat network since we don't have any switch plugins	13:54
jrosser	right	13:54
jamesdenton	are you wondering if the allowlist might be too restrictive?	13:55
jamesdenton	or, what's your concern	13:55
jrosser	well the allowlist in my patch is from the POV of the outside world hitting haproxy	13:55
jrosser	but there is also the opposite of that, like writing route rules in uwsgi	13:56
jrosser	"mgmt network may use all the API"	13:56
jrosser	"bmaas network may only use the callbacks"	13:56
jamesdenton	ok	13:56
jrosser	just interested to hear from some other use cases i guess	13:57
jamesdenton	yeah, good point. our case(s) haven't really called for that level of... security, i guess	13:57
jamesdenton	what is exposed at those endpoints w/o a token? anything concerning?	13:58
jamesdenton	and is there even a token involved?	13:58
jrosser	it's vauge	13:58
jrosser	i was going to ask in #ironic later, because there is an agent token these days	13:58
jrosser	i spent a short while trying to wget/curl something out of them and it wasnt clear wtf was going on	13:59
jamesdenton	:D	13:59
jamesdenton	i will say it is not heavily used by our fleet, so i don't have too many reps on it beyond what i do internally	14:00
jrosser	but i guess you can disable the agent token and also the /v1/lookup endpoint is optionally active all the time, rather than during specific deploy phases	14:00
jamesdenton	hmm	14:01
jrosser	feels like a lot of this is down to how much as an operator you trust who is using the ironic nodes	14:09
jamesdenton	agreed - i probably wouldn't deploy a public (untrusted) cloud without a bit of extra work	14:10
jrosser	and what might happen if the nodes were compromised whilst in the hands of your users	14:10
jrosser	even if you trust them it can go wrong	14:10
jamesdenton	now you just need some DPUs so you can set policies	14:12
jrosser	i could try that	14:12
jrosser	though not seen much about how you might make security groups start to work with something like that	14:13
jrosser	which would be the obvious first thing	14:13
jamesdenton	from what i read a while back, there has been some work done to support that. but you're essentially running ovs+ovn or ovs+agent on the dpu, and it's tied to that baremetal instance somehow	14:13
jamesdenton	i've got a BF2 in an Ironic node, waiting for time.	14:14
jrosser	yes, you give the IP of the dpu as the switch to meddle with i think	14:14
jrosser	i could maybe try something similar in the new year, i will have a spare BF2 then	14:15
spatel	what is BF2 ?	14:16
jrosser	a BlueField2 smartnic	14:16
jamesdenton	mellanox/nvidia Bluefield-2	14:16
jrosser	computer inside your computer	14:16
spatel	so what its capable of? assuming a lot but may i what you trying to get out of it?	14:20
spatel	offload ovn dataplane?	14:21
jamesdenton	among other things	14:21
jamesdenton	yes, notably that	14:21
spatel	that card looks very costly! good for small environment but not sure about scale :D	14:22
jamesdenton	https://specs.openstack.org/openstack/ironic-specs/specs/12.1/support-smart-nic.html	14:22
spatel	May be putting this card in few network nodes can help offload some work	14:22
moha7	Now it is being deployed, but this configuration file: http://ix.io/4j1g	14:24
jamesdenton	yeah, i'm not sure what it looks like with real world usage	14:24
spatel	$1,643 for that SmartNiC =.. yike...	14:25
jamesdenton	they can be found for less, but yeah, not much less	14:26
spatel	jamesdenton i am back to DPDK again because SRIOV is real pain :(	14:26
spatel	I am working with my developer team to add support in application to use dpdk in guest OS	14:27
jamesdenton	less of a pain than DPDK?	14:28
jamesdenton	more, rather	14:28
spatel	I believe if we compile our application with dpdk libs or support then we will get optimal performance	14:28
spatel	Last week we lost one of TOR1 switch and it was disaster :(	14:28
spatel	lost 50% of computes and 100s of VMs	14:29
jamesdenton	ahh, yeah. bummer	14:29
jamesdenton	have you considered bonding in the VM across two provider networks? One on SRIOVNIC1 and the other on SRIOVNIC2?	14:29
spatel	I wish SRIOV nic auto attach to other nic during failure...	14:29
jamesdenton	i've wondered how thatwould work	14:29
spatel	I was thinking about bonding inside VM but its not supported by terraform and technically not supported by openstack also	14:30
jamesdenton	"not supported"	14:30
jamesdenton	#YOLO	14:30
spatel	Its cumbersome method	14:30
jamesdenton	true	14:31
spatel	I can't offer end customer to use that method..	14:31
jamesdenton	just dipping my toes into terraform	14:31
jamesdenton	after our conversation about the state of MNAIO, i've spent some time working on an alternative. So far so good, but a bit resource heavy: https://github.com/busterswt/mnaiov2	14:32
spatel	This is other alternative of DPDK but kinda new tech - https://ltomasbo.wordpress.com/2022/01/10/openstack-with-bgp-accelerated-with-ebpf-xdp/	14:32
jamesdenton	ahh neat	14:32
noonedeadpunk	jrosser: for ssh address != management address you add another network to provider_networks which is set to is_container_address: false and is_ssh_address: true ? As I kind of unsure what sense is_ssh_address make for lxc containers which don't have ssh on them...	14:35
noonedeadpunk	and bare metal likely don't need that at all...	14:35
jrosser	noonedeadpunk: i'm not sure is_ssh_address really is doing anything? https://codesearch.opendev.org/?q=is_ssh_address	14:56
jrosser	but anyway, for separate ssh network i have not had to add any new network to provider_networks	14:57
jrosser	openstack deployment does not need to know about it at all	14:57
opendevreview	Merged openstack/openstack-ansible-rabbitmq_server master: Update the heartbeat and handshake timeout https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/855996	14:57
noonedeadpunk	`The key is_ssh_address has been removed from the `openstack_user_config.` <- yeah....	15:02
noonedeadpunk	where did I took it from.....	15:02
moha7	admin1, jamesdenton: `brctl show` --> https://p.teknik.io/nBSPT	15:02
jrosser	it is in some of my configs too	15:02
jrosser	i expect this is from historical things and should be cleaned out	15:03
moha7	openstack-ansible setup-hosts.yml: http://ix.io/4j1g	15:03
noonedeadpunk	yup, should be. Likely I've copy-pasted as well	15:03
jamesdenton	moha7 ip link show br-mgmt; ovs-vsctl show	15:03
jamesdenton	of you please	15:03
jamesdenton	*if	15:03
noonedeadpunk	it looks as ovs for me out of brctl	15:04
noonedeadpunk	or well	15:04
noonedeadpunk	out of whole output	15:04
jamesdenton	can you also share your netplan file? If you're using netplan	15:04
moha7	jamesdenton> openvswitch is not installed: https://p.teknik.io/Raw/q3Fu2	15:06
jamesdenton	oh, so br-mgmt is not a bridge?	15:07
moha7	netplan file: http://ix.io/4j1v (only br-mgmt and br-storage have access to internet)	15:07
jamesdenton	ahh, ok	15:07
jamesdenton	moha7 https://paste.opendev.org/show/b7zPt2hGW00C8ivSgj7G/	15:08
jamesdenton	you have to setup the bridges and include the proper interfaces	15:08
noonedeadpunk	well, lxcbr0 should be created I guess by the role?	15:08
jamesdenton	i jammed lxcbr0 into mine, as it was acting funny without, but i would try it without	15:08
jamesdenton	lxcbr0 should be managed automatically, yes	15:08
noonedeadpunk	and managed by systemd-networkd	15:08
jamesdenton	i wonder if it's a netplan thing? i dunno.	15:09
noonedeadpunk	Mmm... I wonder if it's some other bridge (like mgmt) that prevents LXC from starting	15:10
jamesdenton	hard to say.. i am not sure if lxcbr0 has to be up, but certainly if br-mgmt and br-storage, etc aren't bridges, then that would be an issue	15:10
noonedeadpunk	I wonder if bridge can be up without any interface in it?	15:12
admin1	it can be	15:12
jamesdenton	br-bmaas: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN	15:12
jamesdenton	netplan has not always been consistent, but it seems to work now. that's a 20.04 host	15:12
admin1	i use a lot of bridges in my dev env that work without any interface	15:13
*** dviroel is now known as dviroel\|lunch		15:14
moha7	jamesdenton: Woops, it can be deployed over only one physical interface! Can I use the example you send here exactly? but renaming br-overlay to br-vxlan; and br-bmass to br-vlan (as provider network, then unnumbered)?	15:15
noonedeadpunk	moha7: what is in lxc log? also can you try starting a container in foreground mode? Maybe it will tell you the reason why it's not happy	15:15
moha7	two* physical interface	15:16
jamesdenton	so, don't worry about a br-vlan	15:16
jamesdenton	we can tune that out with your openstack_user_config.yml	15:16
jamesdenton	it's a deprecated bridge	15:16
noonedeadpunk	Ie lxc-start --foreground -n <control01_utility>	15:17
jamesdenton	you can use two interfaces (preferred) or a single	15:17
noonedeadpunk	As it can be also a race condition we saw sometimes on nodes boot with tmpfs missing	15:17
jamesdenton	and yes, you can use my example, but modified for your interfaces and IPs. you may not be using vlan tags	15:18
jamesdenton	these infra/controller nodes are on ESX	15:18
moha7	noonedeadpunk> log file: https://p.teknik.io/k2blR	15:20
noonedeadpunk	`Failed to attach "0d28c931_eth1" to openvswitch bridge "br-mgmt"`	15:20
noonedeadpunk	but for that you should have had `container_bridge_type` defined	15:21
moha7	jamesdenton> mine is on ESX too, but I'm not familiar with VLANing in linux. Then I'll use 4 interfaces instead	15:22
jamesdenton	well, i think the intention is linuxbridge, it's just the interfaces themselves are not really bridges at all yet	15:22
jamesdenton	cool, 3-4 interfaces is fine to the respective port group	15:23
noonedeadpunk	so I'm wondering what you have in /var/lib/lxc/infra1_galera_container-0d28c931/eth1.ini ?	15:23
noonedeadpunk	ah	15:24
noonedeadpunk	aaaaaahhhhhh	15:24
noonedeadpunk	damn, I missed set-name in netplan lol	15:24
moha7	`container_bridge_type` in the openstack_user_config.yml ?	15:24
* noonedeadpunk dissapears in shadows		15:24
noonedeadpunk	moha7: disregard me, jamesdenton makes sense	15:25
jamesdenton	:D	15:25
jamesdenton	it's all good	15:25
moha7	Thnks	15:25
jamesdenton	if you use my netplan as a guide, fill in the blanks and send it over before you implement, we can check it out	15:25
jamesdenton	same with openstack_user_config.yml	15:25
moha7	If `br-vlan` is depricated, then how the networks goes out of the openstack?	15:25
moha7	jamesdenton> sure	15:26
jamesdenton	good question	15:26
jamesdenton	for your provider networks section, where you have "type: vlan", that will end up being used to construct a vlan-capable provider bridge. The "container_bridge" value for an OVS deployment will be used to create the OVS bridge. I name mine "br-ex"	15:29
jamesdenton	Change: host_bind_override: "bond1" to: network_interface: "bond1" and bond1 will get connected to br-ex for you	15:29
jamesdenton	https://paste.opendev.org/show/bpRDxzlwxRyPr17ldHCd/	15:30
jamesdenton	i don't have an OVS environment to show you at the moment	15:30
jamesdenton	moha7 if it's confusing, i'll admit, it is. there's some legacy cruft and a lot of ways to deploy. OSA supports a lot of deployment options and has supported upgrades with this stack as far back as Icehouse	15:33
admin1	br-vlan is being depricated ?	15:37
noonedeadpunk	Well, it shouldn't be vlan at least	15:38
noonedeadpunk	s/vlan/bridge	15:38
moha7	new netplan config: http://ix.io/4j1z openstack_user_config.yml: http://ix.io/4j1B @jamesdenton would you please review them	15:38
jrosser	admin1: remember that a lot of the AIO constructs are there for CI to "bodge" things to work in a single vm with a single interface	15:39
jamesdenton	since we don't do agents in containers anymore, br-vlan has sort of lost its purpose and is just an unnecessary hop IMO	15:39
jrosser	admin1: you are free to network however you like in production	15:39
jrosser	br-vlan is a bridge in CI really only to support hooking a veth onto it to provide a usable flat interface	15:40
jrosser	so really has no bearing on what you might do for real	15:40
jamesdenton	moha7 looks good, except you're not building bond1 in netplan, so you might consider changing it from bond1 to, well, that missing 4th interface	15:41
admin1	understood	15:41
admin1	has worked so far well	15:41
jamesdenton	sure, keep on keeping on, then	15:41
moha7	jamesdenton: Ah, the missing one, got it	15:48
jamesdenton	yeah, and with ESX that would need to be a port group that supports tagging (vlan 4095? IIRC) or if it is particular vlan tag, then neutron would only be able to support a single untagged (flat) network	15:49
moha7	jamesdenton> setting the interface directly there, right? --> network_interface: "ens256"	15:50
jamesdenton	yes	15:50
jamesdenton	when you get to the neutron playbooks, there's tasks that create the ovs bridge and plug ens256 into it	15:50
jamesdenton	this config assumes a homogenous environment. if you have baremetal compute nodes, then the interface names may be different, and things get trickier	15:51
moha7	At present, I'm dealing with it on a virtual lab on ESXi.	15:56
jamesdenton	kk	15:56
moha7	Thanks	15:56
*** dviroel\|lunch is now known as dviroel		16:25
opendevreview	Merged openstack/openstack-ansible master: Imported Translations from Zanata https://review.opendev.org/c/openstack/openstack-ansible/+/868031	16:45
damiandabrowski	grr, gating for xena is broken, again cloudsmith repo is the culprit	16:50
damiandabrowski	https://zuul.opendev.org/t/openstack/build/635d68a601d64235a6c5eaafa4737cbc/log/job-output.txt#12572	16:50
opendevreview	Damian Dąbrowski proposed openstack/openstack-ansible-rabbitmq_server stable/xena: Upgrade erlang version https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/868107	16:50
opendevreview	Damian Dąbrowski proposed openstack/ansible-role-pki stable/xena: Ensure CA privatekey permissions https://review.opendev.org/c/openstack/ansible-role-pki/+/867633	16:51
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-os_ironic master: Update ironic documentation https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/867547	16:55
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-os_ironic master: Update ironic documentation https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/867547	16:58
opendevreview	Merged openstack/openstack-ansible-lxc_hosts master: Ensure tar is installed on LXC host https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/867252	16:59
jrosser	jamesdenton: in your metal ironic deploy do you have a br-bmaas IP on the infra nodes?	17:25
jamesdenton	yes, but IIRC only because recent patches forced the issue	17:27
jrosser	oops sorry :)	17:27
jamesdenton	it's empty and has no ip	17:28
jamesdenton	yeah, no worries :D	17:28
jrosser	i was just looking at how to fix this https://github.com/openstack/openstack-ansible-os_ironic/blob/master/templates/ironic-ipxe.conf.j2#L4	17:28
jrosser	like more random 0.0.0.0 to get rid of	17:28
jrosser	one possiblity is to set it to this https://github.com/openstack/openstack-ansible-os_ironic/blob/master/defaults/main.yml#L127	17:29
jrosser	though i guess that is already making some assumption that it can grab an address from somewhere when is_metal is True	17:31
jamesdenton	let me see what my mine is	17:31
jamesdenton	well, in the case of my environment, since my provisioning network is routed, i think it's just coming in the front door on port 8051	17:34
jamesdenton	so, the mgmt ip (w/ default gateway)	17:34
jamesdenton	it's listening on 0.0.0.0:8051	17:34
jrosser	hmm	17:36
jrosser	in the latest version of the role there is a bunch of stuff taking the value of ironic_bmaas_address	17:37
jrosser	oh my	17:39
jrosser	https://codesearch.opendev.org/?q=ironic_http_url	17:39
jrosser	somehow thats not the ipxe utl	17:39
jrosser	*url	17:39
jrosser	looks like ironic_http_bind_address should be whats put in the nginx config, though i see that will probably break your deployment	17:40
jamesdenton	i'll have to look at this with fresh eyes; i have overrides in this deployment to work around older issues	17:43
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-os_ironic master: Update ironic documentation https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/867547	17:43
jrosser	sure no problem	17:44
jrosser	i feel like i'm doing a ton of tidying in this role but it is almost certain to break a bunch of stuff which has been working sort of accidentally	17:44
jamesdenton	scream test: pass	17:45
jrosser	it should be as simple as being able to tell it a different interface for all this	17:47
jrosser	"use mgmt interface on metal"	17:47
jrosser	and everything switch over	17:47
rgunasekaran	Hello Guys,	17:51
rgunasekaran	I want to contribute, can you help me picking out something to work on?	17:53
*** rgunasekaran_ is now known as rgunasekaran		17:56
jamesdenton	docs can always use help	17:57
spatel	jamesdenton +1	18:19
jrosser	rgunasekaran: do you already run openstack-ansible somewhere?	18:46
spatel	How to rename compute node name? I used to remove and re-add but if any other way to do then please let me know	19:01
rgunasekaran	@jrosser - not yet but I have bought a MacBook to setup a dev environment and start contributing upstream	19:09
rgunasekaran	Please guide me to setup a dev environment and I can start with my contribution	19:10
spatel	rgunasekaran i would say start from here - https://docs.openstack.org/openstack-ansible/latest/user/aio/quickstart.html	19:15
rgunasekaran	@spatel: Thank you I will start from here and reach out if I have any questions	19:21
jrosser	rgunasekaran: i'm not sure that we have deployments directly on a mac, you'd likley want a linux environment of some sort, a virtual machine is fine	19:55
jrosser	but it depends what you want to do, documentation can be done anywhere	19:55
admin1	spatel, if you can remove the instances from the compute node, just change hostname and hostname -f to new one and it will register itself as new	19:57
spatel	admin1 just did, 1. stop nova 2. remove node 3. rename compute host 4. start nova	19:59
spatel	jrosser does osa support multi-region deployment?	20:00
spatel	currently i am running multi-cloud in single DC. I have 3 distinct cloud running under single DC. its best deployment but now looking single horizon UI to access all the cloud	20:02
spatel	Technically i am saying region but its not actual region but just bunch of more racks in same DC	20:03
rgunasekaran	@jrosser: I can setup a Linux VM in my Mac... I will startup with the documentation and move on from there	20:16
rgunasekaran	For contributing with the documentation, should I start with Quickstart: AIO?	20:20
spatel	It's always good to learn first before writing doc	20:25
rgunasek_	ah okay, i thought documentation is an easy way to start contributing!!	20:26
spatel	Yes, if you already knows stuff then you can start anytime. or you can fix some existing doc/ format/ etc..	20:27
rgunasek_	okay!	20:28
rgunasek_	what do you mean by learn first before writing doc! please advise where to start ?	20:29
jamesdenton	the link jrosser sent is a good place to start with an all-in-one deployment. If the documentation is unclear or incorrect, feel free to submit a patch to make corrections. as you learn the components of OSA, and greater OpenStack, you can submit patches for issues you come across	20:40
*** dviroel is now known as dviroel\|out		21:00
moha7	Running the bash file scripts/bootstrap-ansible.sh on Ubuntu 22.04, I get this error: https://ibb.co/D1rBy1s (you can see a sed error there)	22:34
moha7	Someone on the Linux channel said that seems like a bug	22:35
moha7	I switched to a CentOS8 as the deployment machine, and the script ran successfully.	23:04

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!