opendevreview | Merged openstack/openstack-ansible-os_glance master: Disable uWSGI if ceph is used as a store https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/879370 | 00:13 |
---|---|---|
opendevreview | Merged openstack/openstack-ansible stable/zed: Disable CentOS LXC jobs due to the bug in systemd packaging https://review.opendev.org/c/openstack/openstack-ansible/+/879399 | 00:18 |
noonedeadpunk | NeilHanlon: yeah, and there's no direct flight between these... | 08:07 |
noonedeadpunk | we'd need to land this to unblock Y https://review.opendev.org/c/openstack/openstack-ansible/+/879400 | 08:11 |
noonedeadpunk | also for haproxy stuff next one seems to be this https://review.opendev.org/c/openstack/openstack-ansible/+/876851/9 | 08:14 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_glance stable/zed: Disable uWSGI if ceph is used as a store https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/879697 | 08:57 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_glance stable/yoga: Disable uWSGI if ceph is used as a store https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/879698 | 08:57 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_glance stable/xena: Disable uWSGI if ceph is used as a store https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/879699 | 08:57 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-rabbitmq_server master: Switch rabbitmq repo back to packagecloud https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/879732 | 09:46 |
noonedeadpunk | ok, gates broken again with centos :) | 09:54 |
damiandabrowski | [*] | 10:10 |
noonedeadpunk | I probably should focus on fixing upgrade for mariadb for rhel though... | 10:11 |
noonedeadpunk | which is also broken due to gpg keys mess | 10:11 |
noonedeadpunk | so during upgrade new key somehow is not imported | 10:12 |
noonedeadpunk | NeilHanlon: don't you accidentally have some meetings with Storage SIG as well ? :D | 10:19 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_neutron master: Add TLS support to neutron_server backends https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/873654 | 13:43 |
damiandabrowski | hey folks, I have 2 questions. | 13:52 |
damiandabrowski | 1. Currently we define something like `haproxy_backend_ssl: "{{ placement_backend_https | default(False) }}"` | 13:52 |
damiandabrowski | Dmitriy suggested to rename `<service>_backend_https` to `<service>_backend_ssl` to be more consistent. Do you see any arguments against that? | 13:52 |
damiandabrowski | 2. `playbooks/common-playbooks/haproxy-service-config.yml` is not aware of role defaults. So if we have this in service defs: | 13:52 |
damiandabrowski | `haproxy_backend_ssl: "{{ glance_backend_https | default(False) }}"` | 13:52 |
damiandabrowski | and this in role defaults: | 13:52 |
damiandabrowski | `glance_backend_https: "{{ glance_use_uwsgi | ternary(openstack_backend_service_https | default(False), False) }}"` | 13:52 |
damiandabrowski | Explicitly defining openstack_backend_service_https does not work. | 13:52 |
damiandabrowski | The only way I see to fix it is to "duplicate" the logic twice (in role defaults and haproxy service definition), so: | 13:52 |
damiandabrowski | `haproxy_backend_ssl: "{{ (glance_use_uwsgi | default(True)) | ternary(openstack_backend_service_https | default(False), False) }}"` | 13:52 |
damiandabrowski | Do you see any more optimal way to get it working? | 13:52 |
noonedeadpunk | for 1 I have really vague memories about some discussion that took place, so maybe we agreed to use _https, but I just forgot | 13:53 |
noonedeadpunk | jrosser: can you recall anything regarding that? | 13:54 |
jrosser | i can't remember anything specific | 13:55 |
jrosser | but also on this generally i really do not like using role default values outside the scope of the role | 13:56 |
jrosser | even though it might work when vars and stuff are "flattened" at runtime it is very confusing from a hierarchy point of view | 13:56 |
noonedeadpunk | well, the only way to avoid that is to call haproxy role from scope of service roles | 13:57 |
noonedeadpunk | ie, include_role: haproxy_server \n tasks_from: haproxy_service_config_external.yml | 13:58 |
noonedeadpunk | that would solve second question as well | 13:59 |
jrosser | or we have a per service `openstack_glance_backend_service_https` defined in group_vars/all which drives down into both the glance role default and the haproxy_backend_ssl setting | 14:04 |
jrosser | that would probably be my preference, to have extra vars with more obviousness/structure | 14:04 |
jrosser | with what we proposed for using add_host i expect that 'global' setting might also work in group_vars/glance_all.yml | 14:08 |
noonedeadpunk | I thought we're trying to reduce overall amount of variables as they slow down runtime | 14:08 |
damiandabrowski | jrosser: how do you see role defaults then? | 14:08 |
damiandabrowski | `glance_backend_https: "{{ glance_use_uwsgi | ternary(openstack_glance_backend_service_https | default(False), False) }}"` | 14:09 |
damiandabrowski | ? | 14:09 |
jrosser | i'm not sure i understand what you're asking, but i see a role default as a var that is used inside that role | 14:09 |
jrosser | and set by the default value, or something outside the role | 14:09 |
jrosser | but is really not referred to outside that role | 14:10 |
noonedeadpunk | We did quite some work to clean-up group_vars and move stuff just to defaults, as these group_vars are not really obvious at all | 14:10 |
noonedeadpunk | not saying they're not really documented | 14:10 |
damiandabrowski | i'm asking how do we want to link glance_backend_https and openstack_glance_backend_service_https in this case, because they will be used differently but always need to have the same value | 14:11 |
damiandabrowski | glance_backend_https will be responsible for configuring glance to handle TLS (configure uwsgi, create certs etc) | 14:12 |
noonedeadpunk | and we'd need some top level var to rule them all as well then | 14:12 |
damiandabrowski | while openstack_glance_backend_service_https will be used to tell haproxy to communicate with glance backends over TLS | 14:12 |
jrosser | aren't we all saying the same thing? :) | 14:13 |
noonedeadpunk | I think I'm leaning towards just calling haproxy role from inside service roles.... | 14:13 |
noonedeadpunk | Nah, I don't know, maybe we are :) | 14:13 |
jrosser | me neither tbh | 14:13 |
noonedeadpunk | give me a sec then | 14:14 |
jrosser | i was trying to say that openstack_glance_backend_service_https was a more widely scoped var that would be able to be used for both setting the glance role default and also to set the haproxy backend mode | 14:14 |
damiandabrowski | so do you agree that in this case we should define this in glance defaults? | 14:15 |
damiandabrowski | `glance_backend_https: "{{ glance_use_uwsgi | ternary(openstack_glance_backend_service_https | default(False), False) }}"` | 14:15 |
damiandabrowski | (i just want to confirm we have the same idea) | 14:15 |
jrosser | we could do that yes | 14:15 |
noonedeadpunk | I think you mean smth like that? https://paste.openstack.org/show/bt3ecdvA6otEyi6RbCSJ/ | 14:16 |
damiandabrowski | yes, except that glance_backend_https logic can't be that simple because TLS backend will not work without uwsgi :D | 14:17 |
jrosser | yes - i admit it is an extra var | 14:17 |
damiandabrowski | but that's an exception probably only for glance | 14:17 |
noonedeadpunk | the problem here indeed is that we need to know about uwsgi from upper scope | 14:17 |
noonedeadpunk | which is another level of mess, that can be solved only from role level to be frank. but yes, that's more of exception | 14:18 |
damiandabrowski | or not and just write an appropriate comment in group_vars/glance_all | 14:18 |
jrosser | and ultimately that is driven from something not to do with glance at all | 14:18 |
jrosser | right at the start of this variable scope work i did think that we would just swap one kind of mess for another | 14:21 |
jrosser | need to be mindful that ansible is not a programming language | 14:22 |
jrosser | and it totally prefers flat structures rather than hierarchy for pretty much everything | 14:22 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server master: Define GPG key for repo https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/879680 | 14:29 |
noonedeadpunk | sooo... what should we do with all that then ?:) | 14:45 |
jrosser | it probably comes down to just accepting that for some things we can't tightly scope the vars and they need to be more global than is ideal | 14:48 |
noonedeadpunk | damiandabrowski: maybe we should move glance uwsgi logic to group_vars/all or smth? or duplicate it indeed.... | 14:51 |
noonedeadpunk | but yeah, we kinda moving mess from 1 place into multiple places | 14:52 |
noonedeadpunk | and maybe it's worth re-evaluating how valuable it is to have group_vars applied for services rather than for haproxy | 14:53 |
noonedeadpunk | while still configuring haproxy backends inside service playbooks rather than globally one time | 14:56 |
noonedeadpunk | that would leave mess in 1 place and kind of simplify couple of things | 14:56 |
noonedeadpunk | to be frank I still don't quite get it, why to configure backend on haproxy hosts I should use glance group_vars... | 14:59 |
noonedeadpunk | ok, I've re-read blueprint and it makes more sense now :D | 15:11 |
NeilHanlon | noonedeadpunk: uh oh what is broken in storage 😅 | 15:11 |
noonedeadpunk | NeilHanlon: same - gpg signature... | 15:12 |
NeilHanlon | i'll go poke | 15:12 |
noonedeadpunk | So what's in centos-release-gluster9 and https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Storage are different things | 15:12 |
noonedeadpunk | and centos-release-gluster9 is sha-1 which's ignored | 15:13 |
noonedeadpunk | *what is in | 15:13 |
damiandabrowski | noonedeadpunk: haha great you were able to find an answer on your own :D I think we kind of agreed what to try now, I'll push some patches later today | 15:14 |
damiandabrowski | but I need to leave now :D | 15:15 |
jrosser | tbh i never really saw having tons of vars for groups/haproxy_all as actually a bad thing | 15:39 |
jrosser | because they only exist when running plays against haproxy group, which is when you need them | 15:39 |
jrosser | and i think this is why i was not in favour of conflating two things in the spec | 15:40 |
jrosser | but anyway | 15:40 |
noonedeadpunk | I think it's not ton of vars, but it's just confusing to define neutron_plugin_type in haproxy_all, so you instinctively place such vars under proper group_vars and then see haproxy misbehaving | 15:51 |
noonedeadpunk | but indeed | 15:57 |
noonedeadpunk | If we implement out of role scope vars, like https://paste.openstack.org/show/bt3ecdvA6otEyi6RbCSJ/ - we may leave haproxy service definition in haproxy_all | 15:57 |
noonedeadpunk | or not... | 15:57 |
noonedeadpunk | ugh | 15:57 |
jrosser | we can always split the patches up further | 16:02 |
jrosser | merge the parts to do with configuring haproxy in each playbook if we’re happy with how that is | 16:02 |
jrosser | and if the vars structure is not right we fix that as its own piece of work | 16:03 |
noonedeadpunk | it's a bit more tricky to be frank | 16:05 |
noonedeadpunk | as then we won't need this https://review.opendev.org/c/openstack/openstack-ansible/+/871189/27/playbooks/common-playbooks/haproxy-service-config.yml and you will need to patch all playbooks again to re-add it in another patch | 16:07 |
noonedeadpunk | and that task will be quite different overall | 16:07 |
noonedeadpunk | as you can simply pass `service_variable` directly to the role import with vars | 16:08 |
noonedeadpunk | nothing too hard, but not sure why this extra work is really required | 16:08 |
noonedeadpunk | I don't see any real flaws in https://review.opendev.org/c/openstack/openstack-ansible/+/871189 except some nits | 16:09 |
noonedeadpunk | so, https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/879680 looks quite good. I wonder though, if we should simplify galera_gpg_keys format, as absent keys won't be respected there anyway, for example | 16:56 |
noonedeadpunk | I tried to avoid changing behaviour, but rpm_key is just weird, as I can't really remove key with it | 16:57 |
noonedeadpunk | and https://review.opendev.org/c/openstack/openstack-ansible/+/879671 is happy now as well) | 17:51 |
jrosser | with 879671 we should probably demote centos to experimental in the compatibility matrix | 19:52 |
jrosser | and add a note to the documentation | 19:52 |
jrosser | follow on patch ^ | 19:52 |
-opendevstatus- NOTICE: The Gerrit service on review.opendev.org will be offline for extended periods between 22:00 and 00:00 UTC for software upgrades and project renames: https://lists.opendev.org/archives/list/service-announce@lists.opendev.org/thread/VW2O56AXI4OX34CWDNRNZDCWJDZR3QJP/ | 21:04 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Enable TLS frontend for repo_server by default https://review.opendev.org/c/openstack/openstack-ansible/+/876426 | 21:24 |
-opendevstatus- NOTICE: The Gerrit service on review.opendev.org will be offline for extended periods over the next two hours for software upgrades and project renames: https://lists.opendev.org/archives/list/service-announce@lists.opendev.org/thread/VW2O56AXI4OX34CWDNRNZDCWJDZR3QJP/ | 21:58 |
opendevreview | Merged openstack/openstack-ansible-galera_server master: Define GPG key for repo https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/879680 | 22:51 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Implement separated haproxy service config https://review.opendev.org/c/openstack/openstack-ansible/+/871189 | 23:02 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Add support for TLS backends https://review.opendev.org/c/openstack/openstack-ansible/+/879085 | 23:02 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: [DNM] Enable openstack_backend_service_https https://review.opendev.org/c/openstack/openstack-ansible/+/879501 | 23:02 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Rename openstack_haproxy_horizon_stick_table variable https://review.opendev.org/c/openstack/openstack-ansible/+/879791 | 23:02 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_placement master: Add TLS support to placement backends https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/879380 | 23:16 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Implement separated haproxy service config https://review.opendev.org/c/openstack/openstack-ansible/+/871189 | 23:22 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Rename openstack_haproxy_horizon_stick_table variable https://review.opendev.org/c/openstack/openstack-ansible/+/879791 | 23:22 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Add support for TLS backends https://review.opendev.org/c/openstack/openstack-ansible/+/879085 | 23:22 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: [DNM] Enable openstack_service_backend_ssl https://review.opendev.org/c/openstack/openstack-ansible/+/879501 | 23:22 |