Wednesday, 2022-12-21

*** ChanServ changes topic to "Launchpad: https://launchpad.net/openstack-ansible || Weekly Meetings: https://wiki.openstack.org/wiki/Meetings/openstack-ansible || Review Dashboard: http://bit.ly/osa-review-board-v4_1"00:44
moha7jrosser: I still get the error on Ubuntu: http://ix.io/4jb7 by running `/opt/openstack-ansible/scripts/bootstrap-ansible.sh`07:08
moha7Also have an error on `openstack-ansible /opt/openstack-ansible/playbooks/setup-openstack.yml --syntax-check`: https://p.teknik.io/D8qoN07:09
noonedeadpunkmoha7: hm, I think I know what could be the reason08:39
jrossermorning08:39
opendevreviewJonathan Rosser proposed openstack/openstack-ansible stable/zed: Unset OSA-defined variables for bootstrap  https://review.opendev.org/c/openstack/openstack-ansible/+/86827008:47
opendevreviewJonathan Rosser proposed openstack/openstack-ansible stable/xena: Unset OSA-defined variables for bootstrap  https://review.opendev.org/c/openstack/openstack-ansible/+/86827108:48
opendevreviewJonathan Rosser proposed openstack/openstack-ansible stable/zed: [doc] Fix document on dymanic_inventory tox usage  https://review.opendev.org/c/openstack/openstack-ansible/+/86827208:49
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible stable/yoga: Unset OSA-defined variables for bootstrap  https://review.opendev.org/c/openstack/openstack-ansible/+/86827309:11
noonedeadpunksorry moha7 I was side-pinged and got distracted09:12
noonedeadpunkI think that's the patch that should fix the issue you have https://opendev.org/openstack/openstack-ansible/commit/f933194813de9d18b89040fa8c5b80bcd0dd967c09:12
noonedeadpunkWe haven't released it yet. Likely I should prepare bump and release new version for Yoga09:13
jrosserdo we need to backport this https://review.opendev.org/c/openstack/openstack-ansible/+/86595209:16
noonedeadpunkgood question09:17
jrosseryes i think we do https://zuul.opendev.org/t/openstack/build/6e8c5d55e15d47e3a25849e7f0b5a6b309:17
noonedeadpunkI think yes? At least to Yoga? As I'm not sure we used integrated tests for zfs before09:17
jrosserthats from stable/yoga09:17
jrosserwas just looking at the outstanding stable branch patches if we are to make some releases09:18
opendevreviewJonathan Rosser proposed openstack/openstack-ansible stable/yoga: Install ZFS packages for bootstrap-host if needed  https://review.opendev.org/c/openstack/openstack-ansible/+/86827409:18
noonedeadpunkdamn, how to make both zuul and me happy :D09:28
noonedeadpunk(with regards to collection names)09:28
noonedeadpunkor maybe reject base on smth else....09:28
noonedeadpunkbut still merge should be done properly....09:29
jrosseri guess we could have condition: false09:30
jrosserbut maybe new/random keys will upset galaxy09:30
jrosserthats maybe not so bad actually, the pattern we use with zuul_item is quite nice to copy only some keys from input to output09:32
noonedeadpunkmaybe create mapping for zuul projects / collection names09:32
jrosserwe could have orig_item and omit condition: from both of them in the output09:32
noonedeadpunkWell. Then to override some collection location you need to list all current collections with condition and then define ones you want to have09:33
jrossermaybe this? https://paste.opendev.org/show/be2ubQdEzHPG4a9tkN1H/09:35
jrossercondition is optional09:35
noonedeadpunkbut in zuul we have quite finite number of collections, so maybe such mapping also not that bad...09:35
noonedeadpunkSo let me explain problem better maybe? So current situation is with input like that - https://paste.opendev.org/show/b6PdgQN1vSoR6I3k81q5/ our play will merge these 2 lists, and since we merge by name, and name is different, then it will try to install from both sources09:41
jrosserright, yes, so the first patch was to regularise 'name' and allow source to be different09:43
noonedeadpunkSo with condition you will need to mention every collection from  original file with `condition: false` and then add your sources, right?09:43
jrosseroh well i was thinking that the override of local collections would happen first09:43
jrosserso first replace the ones from the original list where "name" matches09:43
jrosserincluding local ones, and ones you want to condition: false09:44
noonedeadpunkah09:44
noonedeadpunkok09:44
noonedeadpunkgotcha09:44
noonedeadpunk(I think)09:44
jrosser:)09:44
jrosserso the first patch is good - to make 'name' be not the url09:45
noonedeadpunkwell, in https://paste.opendev.org/show/be2ubQdEzHPG4a9tkN1H/ there's a problem as you iterate only over zuul.results (basically find on localhost)09:46
noonedeadpunkso you can't set item.item.condition09:46
noonedeadpunkBut you still can rejectattr based on that09:46
noonedeadpunk(I think)09:46
noonedeadpunkok, yeah, need to check how galaxy is happy/unhappy if we'll  add another key09:47
jrosserok09:48
jrosseralso i wonder really if we should add another key, making it not be a standard galaxy requirements file09:49
noonedeadpunkyeah, that was kind of why I was thinking about using what we have....09:49
noonedeadpunkMaybe setting type: absent ?:)09:49
noonedeadpunkor better type: skip09:49
jrosserperhaps what this means is that we should have a completely standard requirements file for collections and roles09:50
jrosserbut somewhere else give a list of things to skip09:50
noonedeadpunkI'm not sure that for roles we do have as of today09:51
jrosserso then its maybe more a case of when: {{ item.name }} not in collections_to_skip09:51
noonedeadpunkalso, we skip roles from ansible-collection-requirements09:51
noonedeadpunkbecause we do that https://opendev.org/openstack/openstack-ansible/src/branch/master/scripts/get-ansible-collection-requirements.yml#L7609:52
noonedeadpunkoh, I don't really want to have yet another file where to define what to skip tbh09:53
jrossercan this all be done here?09:54
jrosserhttps://opendev.org/openstack/openstack-ansible/src/branch/master/scripts/get-ansible-collection-requirements.yml#L36-L4809:54
jrosserstep one takes the original list and removes anything overridden09:54
jrosserstep 2 adds in the overrides09:55
jrosserso if step 2 was conditional also on some key that would give the function you want?09:55
noonedeadpunkSo the problem that I want to skip roles that are added in step 1 by data that we iterate over in step 209:57
noonedeadpunkSo easiest thing would be to merge the lists and then remove data based on some condition imo09:58
jrosserhttps://paste.opendev.org/show/b7FvkXhHqbTSaniQSJfm/09:59
jrossertbh this is all a bit ugly with all the with_items as it is10:00
noonedeadpunkI don't want to skip what's in user-collection-requirements, I want to avoid installing what's in ansible-collection-requirements10:00
noonedeadpunkFor example - I don't want to have gluster collection10:00
jrosserbut you'd do that by making an entry in user-collection-requirements with condition: false10:00
noonedeadpunkBut that will only prevent the record from user-collection-requirements to be added to galaxy_collections_list10:01
noonedeadpunkit will not drop item from what's already in there10:01
noonedeadpunkas gluster is in required_collections and it's in galaxy_collections_list. And on step2 we only add user_collections (or not adding it)10:02
noonedeadpunkSo. rejectattr :)10:02
noonedeadpunkok, let me explain with some paste :)10:03
jrosser(i am assuming you use your first patch which makes name: be actually the name not the url btw)10:03
noonedeadpunkSo that's simplified input https://paste.opendev.org/show/bsL7o6fBae9lWNNbDKeB/10:06
jrosseryes10:06
noonedeadpunkAs a result I want to have only openstack.cloud with source from own git repo10:06
noonedeadpunkWell. Actually. Now thinking about it I wonder if that's gonna work at all....10:06
jrosserthis task takes out of the original list anything you override? https://opendev.org/openstack/openstack-ansible/src/branch/master/scripts/get-ansible-collection-requirements.yml#L36-L4110:07
noonedeadpunkoh10:08
noonedeadpunknow I see10:08
jrosseri do wonder if we could do this more nicely10:08
jrosserif the 'name' field was not the url but actually the name then some of the ansible filters might be actually usable here10:09
noonedeadpunkSo if name in user requirements it won't be added, and then we also omit adding from user.10:09
noonedeadpunkyeah, true, you're right10:09
jrosseryeah10:09
jrosserand i think we can possibly improve the code to remove the loops as a second step10:09
jrosserbut i have not really thought too much about that10:09
noonedeadpunkBut well10:10
noonedeadpunkIt still doesn't resolve your comment about zuul :D10:10
jrosser!10:11
noonedeadpunkAs now for https://review.opendev.org/c/openstack/openstack-ansible/+/868205/1/ansible-collection-requirements.yml zuul won't apply override properly10:11
jrosserright - i was wondering how it worked at all10:11
noonedeadpunkhm10:11
noonedeadpunktrue....10:12
jrosseror maybe now it doesnt use the local zuul repos or something, but i was a bit surprised it didnt just fail completely10:12
noonedeadpunkTo be fair, I wasn't expecting to be stuck with isolated env that early for that long...10:14
noonedeadpunkIt's quite good practice though10:14
jrosseronce you get past this it should be much easier10:17
noonedeadpunkBut actually for skipping repos I'm not sure if the playbook won't fail because of missing collection here https://opendev.org/openstack/openstack-ansible/src/branch/master/playbooks/repo-install.yml#L48-L5510:17
noonedeadpunkWith include I guess it should not....10:17
noonedeadpunkBut I haven't tried yet...10:17
noonedeadpunkSo maybe this idea is just useless10:17
jrosserthats the role from plugins though isnt it10:18
jrosseri wonder how far down it attempts to resolve all this10:18
noonedeadpunkwell, when checking setup-everything with verbose you see it tries to evaluate all include_vars at least for all playbooks in there10:19
noonedeadpunkso eventually it also checks for roles, but does it evaluate conditions....10:20
noonedeadpunkno idea10:20
jrosseri'm just testing what happens10:20
jrosseri think you will need the glusterfs collection10:25
noonedeadpunkyeah....10:29
noonedeadpunkThen likely second part can be just abandoned10:29
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Define name for all collections in a-r-r  https://review.opendev.org/c/openstack/openstack-ansible/+/86820510:35
noonedeadpunkok, but ^ is easy/good enough I guess10:36
noonedeadpunkIt's sad though that tons of crap must be cloned/maintained for no good reason10:37
jrosserwell, you already need a git mirror with * openstack service repos on for a isolated deployment anyway10:38
jrosserif thats automated then adding more repos to it's list should be ok10:38
noonedeadpunkyeah, true10:40
noonedeadpunkI just for some reason thought that there's space for improvement, but apparently it's not10:42
jrosserreally ansible misses some kind of preprocessor thing10:44
jrosser#ifdef GLUSTERFS10:45
noonedeadpunkyeah...10:51
noonedeadpunkalso I've spotted infinite loop (or smth like that) in dynamic inventory, if wrongly define used_ips (ie make used out of range for the network)10:55
noonedeadpunkhaven't looked deeper though10:55
*** dviroel|out is now known as dviroel11:01
noonedeadpunkAnd TOX_CONSTRAINTS_FILE that is used for bootstrap is a bit hard to maintain..11:05
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Prevent bootstrap failure when all roles/collections are overriden  https://review.opendev.org/c/openstack/openstack-ansible/+/86831212:41
noonedeadpunkone more nasty thing ^12:41
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Prevent bootstrap failure when all roles/collections are overriden  https://review.opendev.org/c/openstack/openstack-ansible/+/86831212:52
jrosserargh centos-9-stream has conflicting python packages12:59
noonedeadpunksweet.....12:59
jrosserall hitting RETRY_LIMIT13:00
noonedeadpunklooks like mirrors are out of sync or smth...13:01
noonedeadpunkI can recall switching mirrors for centos on infra side... I wonder if that has shoot again13:01
spateljamesdenton morning14:08
spatelping me if you around, i have ovn + neutron question 14:08
mgariepywhat's the questions ?14:09
mgariepymight not have the answer but.. i'm interested anyway :D14:09
spatelIn ovn i have assigned nic to ovn like physnet1:br-ex as a flat network (example br-ex map to eth1).  14:18
spatelNow i want to create vlan base provider and map with eth2 14:19
spatelThis is what i have currently in ovs - external_ids        : {ovn-bridge-mappings="physnet1:br-ex"14:20
spatelif i want to add second nic eth2 then how does that entry will looks ?14:20
spatelhttps://paste.opendev.org/show/beHSmvKZVlVzoBh7IoEr/14:22
spatelhow does ovn know about physnet2 and does it add entry in ovn-bridge-mappings?14:22
mgariepyspatel, maybe it's covered in this patch i haven't had the chance to review it yet. https://review.opendev.org/c/openstack/openstack-ansible/+/86757714:29
spatelhmm14:32
*** dviroel is now known as dviroel|lunch15:03
noonedeadpunkI wonder how relevant this warning is: https://opendev.org/openstack/openstack-ansible/src/branch/master/etc/openstack_deploy/user_secrets.yml#L16-L2015:19
noonedeadpunkAs I bet we do change passwords in quite a while. Though roles might indeed be not adopted enough to minimize downtime when doing so15:19
mgariepythe comments are also lost on pw-gen iirc.15:23
noonedeadpunkyup15:24
mgariepyso it's probably never have been read. 15:24
jrosseri don't really know the internals of  the keystone client enough to know if it uses the username/password every time or if theres a token with some $lifetime created15:24
mgariepybeside by you ;p haha15:24
noonedeadpunkI wonder if we should set more pw length by default than 1615:24
noonedeadpunkfrom what I know it does ask for token with each command15:26
jrosserthats a bit unfortunate for rotating the password15:26
noonedeadpunkbut then we're talking specifically about `keystone_auth_admin_password` that can't be rotated?15:26
noonedeadpunkor well, and galera_root_password15:27
noonedeadpunkall other service/db/rabbit might be rotated safely?15:27
jrosserwhy is `keystone_auth_admin_password` so hard?15:27
noonedeadpunkwell, it's used only during keystone bootstrap and then in openrc role15:28
noonedeadpunkSo you need to kind of manually rotate it, write to secrets.yml and run utility to place updated to the openrc/clouds.yaml15:29
jrosseryes indeed15:30
noonedeadpunkjrosser: if you asked about keystone_authtoken (or well, keystone client inside services), then they should cache tokens in memcached15:30
noonedeadpunkgiven they're properly configured and it's working as intended15:30
jrosserright so i was thinking if we rotate password for nova or something then do you have whatever the timeout is for those tokens to get it written to all the config files15:31
jrosserwell, between zero and timeout really15:32
noonedeadpunkbut still we kind of limit effect of that. So potential downtime for service will be between update for <service>_all[0] and until play will end <service>_all[0] and disable rest on haproxy.15:32
noonedeadpunkah, nova/neutron are good points15:32
noonedeadpunkBut after all I think we should have tag to run only service-setup, aren't we?15:32
jrosserif everything is using a cached token then you give it the new password, restart and it gets a new token?15:33
noonedeadpunk`common-service`15:33
noonedeadpunkI'd say it should, not sure how it identifies what's relevant and what's not though15:34
jrosserwould certainly be interesting to investigate in an AIO15:37
jrosserchanging the password for some services and seeing if/how they break15:37
*** dviroel|lunch is now known as dviroel16:29
spatelI had lots of issue when i changed admin password, i wish there is a tag which just touch all services and replace password and reload them 20:16
noonedeadpunkbut admin password is not used anywhere, except openrc files20:20
noonedeadpunkso it's only affecting utility container20:20
mgariepyhey, it's my last day for this year i'll be back in january20:21
noonedeadpunknice, have great holidays mgariepy!20:25
mgariepyyou too guys, try to take some time off as well :D20:26
mgariepyso see you guys in 2023!20:31
mgariepytake care.20:31
ElDuderinoRandom question, but years ago around kernel 3.13 there was that conntrack change, right? As a result, MH commented and worked on it with a reporter: https://bugs.launchpad.net/openstack-ansible/+bug/1579963/comments/6. My question is, 6 years later, should I still see 'net.netfilter.nf_conntrack_max' entries in sysctl if it's all 'br_netfilter' these days?21:05
*** dviroel is now known as dviroel|out21:26
noonedeadpunkElDuderino: I do remember that we handled that code somewhere in openstack_hosts role indeed, but dropped as no current distributions has kernel that old21:35
noonedeadpunkLike that https://opendev.org/openstack/openstack-ansible-openstack_hosts/src/tag/queens-eol/vars/redhat-7.yml#L2721:37
noonedeadpunkAnd there were some other bits somewhere21:37
noonedeadpunkBut I'm quite sure it's not relevant anymore21:37
ElDuderinogotcha, thanks @noonedeadpunk22:15
ElDuderino(thought so)22:15
