Tuesday, 2023-04-11

jrossergood morning07:39
damiandabrowskihi!07:44
jrosserdid we break the distro jobs by updating ansible collection.....07:44
jrosserlike here https://zuul.opendev.org/t/openstack/build/18a33263c09d4702a5ba4a510e17c6c607:44
jrosserthis merged https://review.opendev.org/c/openstack/openstack-ansible/+/87877807:48
jrosserand then anything related to heat started breaking - that is suspicious as i think heat adds users/roles which may have modules changed07:49
noonedeadpunkmornings07:53
noonedeadpunkYeah, I found the reason why heat is breaking07:53
noonedeadpunkIt's due to supplying empty project here https://opendev.org/openstack/openstack-ansible-os_heat/src/branch/master/tasks/heat_service_setup.yml#L6007:54
noonedeadpunkand we do this to create a user with domain scope 07:55
noonedeadpunkIn identity_user module, and now they have condition like that `if default_project_name_or_id is not None` which treats empty string as true07:56
noonedeadpunkregarding distro - I think we will fix that with updating repos to track antelope instead of zed07:57
jrosseri think mgariepy left a comment on that patch07:59
noonedeadpunk"that"?08:02
opendevreviewJonathan Rosser proposed openstack/openstack-ansible-os_manila master: Remove unused variable  https://review.opendev.org/c/openstack/openstack-ansible-os_manila/+/88002608:04
jrossersorry this one https://review.opendev.org/c/openstack/openstack-ansible/+/87823508:05
noonedeadpunkaha, yes, missed this one08:11
jrosserthen this is interesting https://github.com/noonedeadpunk/ansible-role-pacemaker_corosync/blob/master/templates/corosync.conf.j2#L1-L508:13
jrossersimilar sort of thing that i had in the os_swift role to look at08:13
jrosserand tbh this is one i find more surprising with how the fact vars work08:13
noonedeadpunkbtw for adjutant to unblock upgrade jobs we should start from yoga https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/87985908:15
noonedeadpunkyeah, I've fixed in some places usage of injects, but I missed templates...08:15
noonedeadpunkFor heat case I've pushed "trivial" thing to collections - https://review.opendev.org/c/openstack/ansible-collections-openstack/+/88002708:16
noonedeadpunkBut we still need to patch service_setup at least for now...08:17
noonedeadpunkAs I'm not really sure it will be merged at all08:18
jrosseri can imagine them saying to use omit08:19
noonedeadpunkyeah....08:19
jrosserso actually, we have most roles working, at least with small/understandable fixes08:21
jrosserfor the pacemaker role would be interested to see what you think if the code can be made compatible with inject vars true/false08:22
noonedeadpunkyeah, I already tried yesterday but obviously missed templates https://github.com/noonedeadpunk/ansible-role-pacemaker_corosync/commit/855e21f42cac99dced3417395a0d2f37120830c008:23
noonedeadpunkI think I will adjust CI to ensure it works with no injected fact vars08:23
noonedeadpunkActually, I think that {} is treated in yaml as None, isn't it? Just wonder if there's easy way to trick module to think it's None08:25
noonedeadpunkor maybe null will do the trick...08:26
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Workaround failures when project is unset  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/88002808:31
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Workaround failures when project is unset  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/88002808:32
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_heat master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/87996308:32
noonedeadpunkwe probably should move corosync role to opendev one day08:41
noonedeadpunkI was just lazy doing so08:41
noonedeadpunkjrosser: hm, do you recall how to workaround when you need a remote host fact rather than inventory_hostname? like here https://github.com/noonedeadpunk/ansible-role-pacemaker_corosync/blob/master/templates/corosync.conf.j2#L4408:49
jrosseri'll have a look08:51
noonedeadpunkprobably I can access ansible_facts through hostvars08:55
noonedeadpunkOk, that worked indeed :)09:02
jrossernoonedeadpunk: like this https://paste.opendev.org/show/bA5tKoLoe98kguccK7gM/09:05
noonedeadpunkyeah, exactly...09:09
noonedeadpunkthanks for taking time!09:09
jrosseri think this is a breaking thing isnt it with ANSIBLE_INJECT_FACT_VARS09:10
jrosserhow to write code in the role that works both ways09:10
noonedeadpunkbut whatever works without injected facts works with them regardless09:11
noonedeadpunkso ansible_facts is always added?09:11
jrosseroh right i was confused09:12
jrosseri was not sure that ansible_facts['eth0'] was always there09:13
jrosserbut it is always there09:13
jrosserif thats the case we probably have places that we can simplify a little09:14
noonedeadpunkthough I'd start simplification from nova playbook :D09:14
noonedeadpunkbut yes :)09:14
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Install zuul-provided collections as directories  https://review.opendev.org/c/openstack/openstack-ansible/+/88003109:27
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Allow to manage more the one vhost with mq_setup  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/87539909:28
hamidlotfihttps://www.irccloud.com/pastebin/zczps5gf/09:40
jrosserhamidlotfi: rabbitmq is not using haproxy09:42
hamidlotfiOK right, why is it put behind haproxy?09:43
jrosserhamidlotfi: the haproxy config here is for the rabbitmq management console https://github.com/openstack/openstack-ansible/blob/master/inventory/group_vars/haproxy/haproxy.yml#L522-L53409:43
jrosserhamidlotfi: the rabbitmq service is not behind haproxy09:43
hamidlotfiOk, understand09:44
jrosserthe management console is loadbalanced with haproxy, the MQ itself is a cluster without haproxy09:44
hamidlotfiohmmm, thanks for your response09:45
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_nova master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/88003309:54
noonedeadpunkhm, octavia looks weirdly off10:00
noonedeadpunkamphora gets stuck in `PENDING_CREATE`10:00
noonedeadpunkhttps://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_b88/879988/1/check/openstack-ansible-deploy-aio_metal-ubuntu-jammy/b88a24b/logs/openstack/aio1-utility/stestr_results.html10:00
jrosserhttps://zuul.opendev.org/t/openstack/build/b88a24b4bb914acdb7da08d08a0437a4/log/logs/openstack/aio1-utility/tempest_run.log.txt#1451-145210:02
noonedeadpunkseems like it can't attach port or smth like that10:04
noonedeadpunklike somewhere here https://zuul.opendev.org/t/openstack/build/b88a24b4bb914acdb7da08d08a0437a4/log/logs/host/octavia-worker.service.journal-18-33-15.log.txt#227910:05
noonedeadpunkjrosser: what you're referring to is teardown problem10:06
noonedeadpunkbut I don't see anything too off in nova logs10:11
noonedeadpunklooks like instance is spawned and no obvious issues there... so maybe there's some connectivity thing to reach amphora...10:14
noonedeadpunkhm, maybe it's because octavia_amp_image_owner_id is not set properly10:17
noonedeadpunkas it's empty https://zuul.opendev.org/t/openstack/build/ead159671dee47dca0748e3d0914f304/log/logs/etc/host/octavia/octavia.conf.txt#8310:17
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_octavia master: Adopt info modules fetch to collection 2.0  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/87998810:37
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_placement master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/88003610:42
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_senlin master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_senlin/+/88003710:43
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_senlin master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_senlin/+/88003710:45
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_sahara master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_sahara/+/88003810:46
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_swift master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/88004010:47
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_tacker master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_tacker/+/88004110:50
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_trove master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/88004210:53
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Install zuul-provided collections as directories  https://review.opendev.org/c/openstack/openstack-ansible/+/88003111:00
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_zun master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_zun/+/88004311:02
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_heat master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/87996311:11
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible master: Define external_network_id in magnum_cluster_templates  https://review.opendev.org/c/openstack/openstack-ansible/+/88004712:00
damiandabrowskinoonedeadpunk:  when pushing osa/systemd_restart_on_unit_change patches you might have noticed that magnum gating is broken12:02
damiandabrowskithe above patch #880047 along with yours #880027 should hopefully fix it12:02
opendevreviewMerged openstack/openstack-ansible-rabbitmq_server stable/zed: Switch rabbitmq repo back to packagecloud  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/87985512:05
noonedeadpunkdamiandabrowski: it's heat that is broken12:14
*** dviroel_ is now known as dviroel12:14
noonedeadpunkhttps://review.opendev.org/c/openstack/openstack-ansible-plugins/+/880028 should fix it 12:14
damiandabrowskiso do you think magnum isn't broken?12:22
damiandabrowskihttps://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/879922?tab=change-view-tab-header-zuul-results-summary12:22
damiandabrowskihttps://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/879970?tab=change-view-tab-header-zuul-results-summary12:23
noonedeadpunkdamiandabrowski: magnum does deploy heat before itself12:23
noonedeadpunkso if heat is broken - couple of other roles, like magnum, will also be12:23
noonedeadpunkboth of these patches fail before starting magnum12:23
noonedeadpunkor well12:24
noonedeadpunksecond is :D12:24
noonedeadpunkfirst one is different. and yeah... it's also related to collection 2.0, you're right12:24
damiandabrowskiat least on my aio I wasn't able to create magnum resources without https://review.opendev.org/c/openstack/openstack-ansible/+/88004712:24
damiandabrowskiso there may be 2 separate issues i think12:25
noonedeadpunkdamiandabrowski: also - you pushed https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/879922 before https://review.opendev.org/c/openstack/openstack-ansible/+/873092 was merged12:27
noonedeadpunkand 873092  could fix this specific issue 12:27
noonedeadpunkas issue there is in collection/sdk compatibility that could be a result of old collection and too new sdk12:28
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_magnum master: [DNM] Test magnum gating  https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/87992212:28
noonedeadpunkand that depends on won't work :)12:29
damiandabrowskiyeah, i was thinking about the same thing12:31
noonedeadpunkbecause depends-on for plugins repo don't work in general. Hopefully https://review.opendev.org/c/openstack/openstack-ansible/+/880031 will fix that, but I'm not 100% sure yet12:31
damiandabrowskilet's wait until we merge it then12:31
noonedeadpunkIf https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/879963 will pass now - then it works)12:31
noonedeadpunkSo https://review.opendev.org/c/openstack/openstack-ansible/+/880031 works in general)13:18
noonedeadpunkhm, but seems upgrade now fails with `ERROR! Invalid play strategy specified: openstack.osa.linear`13:21
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible master: Implement separated haproxy service config  https://review.opendev.org/c/openstack/openstack-ansible/+/87118913:26
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible master: Rename openstack_haproxy_horizon_stick_table variable  https://review.opendev.org/c/openstack/openstack-ansible/+/87979113:28
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible master: Add support for TLS backends  https://review.opendev.org/c/openstack/openstack-ansible/+/87908513:28
opendevreviewMerged openstack/openstack-ansible-rabbitmq_server stable/yoga: Do not use 'always' tag in inappropriate places  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/87801613:28
noonedeadpunkSoooo.... I kinda wonder if it was really same to drop linear strategy, as seems that we simply were installing 13:34
noonedeadpunkthat is really weird as we do have `unset ANSIBLE_STRATEGY`13:38
noonedeadpunkand also functional tests for centos is another annoying thing13:42
*** spotz_ is now known as spotz14:00
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_trove master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/88004214:32
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible master: [DNM] Run haproxy-install.yml normally during openstack upgrade  https://review.opendev.org/c/openstack/openstack-ansible/+/88005814:39
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_horizon master: Add PKI support to horizon backends  https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/87951714:39
noonedeadpunk#startmeeting openstack_ansible_meeting15:00
opendevmeetMeeting started Tue Apr 11 15:00:18 2023 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.15:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:00
opendevmeetThe meeting name has been set to 'openstack_ansible_meeting'15:00
noonedeadpunk#topic rollcall15:00
noonedeadpunko/15:00
damiandabrowskihey!15:00
NeilHanlono/ hey folks15:03
noonedeadpunk#topic office hours15:03
mgariepyhalf there as usual :D15:03
noonedeadpunkSo, seems we have couple of broken things lately. 15:04
noonedeadpunkmainly due to collection version bump15:04
jrossero/ hello15:05
noonedeadpunk1. Heat role should be fixed with https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/88002815:05
noonedeadpunk2. trove/designate at very least - this topic covers it https://review.opendev.org/q/topic:osa%252Fansible-collection-215:06
noonedeadpunk3. We have weirdly broken Octavia - have close to no idea what's wrong with it15:06
jrosserbroken centos functional job on 880028 as well15:07
jrossermore gpg fun by the look of it15:08
noonedeadpunkwell. we've disabled centos lxc jobs for $reason, but that didn't touch functional ones15:09
noonedeadpunklikely this should be just patched or dunno15:09
noonedeadpunk(and replaced with rocky)15:09
noonedeadpunkI'm quite afraid to touch tests repo for that15:09
noonedeadpunkOn the good side - overall role health looks decent according to this series of patches https://review.opendev.org/q/topic:osa/systemd_restart_on_unit_change15:10
noonedeadpunkAh, forgot.15:10
noonedeadpunk4. Adjutant has backported django version fix, so we should start merging patches since Y to fix upgrade jobs15:11
noonedeadpunkBut Octavia is the most concerning at the moment from all15:12
noonedeadpunkWe also had some progress on landing haproxy stuff15:13
damiandabrowskiregarding haproxy & internal-tls i have two things for today15:14
damiandabrowski1. https://review.opendev.org/c/openstack/openstack-ansible/+/879791/15:14
damiandabrowskiopenstack_haproxy_horizon_stick_table vs. horizon_haproxy_stick_table vs. haproxy_horizon_stick_table15:14
noonedeadpunkI was just looking at this one15:14
damiandabrowski2. do we still need this for Z-> A upgrade? https://opendev.org/openstack/openstack-ansible/commit/befd8424e2efd4e1bebe89b5085032bf120de14815:14
jrosserwe should not keep changing var names15:14
jrosserthey're like fixed, really, unless it's really really needing changing15:15
damiandabrowskiregarding var name, i don't really mind if we change it or not. 15:16
damiandabrowskiregarding upgrade process: after we implemented haproxy base service, we probably need to run haproxy-install.yml normally (in setup-infrastructure.yml): https://review.opendev.org/c/openstack/openstack-ansible/+/88005815:16
noonedeadpunkI tend to agree here, I don't really see necessity in renaming. At very least, if we want to rename we'd better introduce deprecation of old one and then drop after couple of releases15:17
noonedeadpunkSo at very least, I'd assume having `haproxy_stick_table: "{{ openstack_haproxy_horizon_stick_table| default(horizon_haproxy_stick_table) }}"`15:17
jrosserwhy does horizon affect tempest?15:17
damiandabrowskijrosser: https://opendev.org/openstack/openstack-ansible/src/branch/master/tests/roles/bootstrap-host/templates/user_variables_horizon.yml.j2#L1715:18
jrosseroh well that would do it :)15:19
noonedeadpunkregarding upgrade, I think that with separated config, we can revert that15:20
noonedeadpunkIIRC there was a bug, that haproxy was re-configuring galera backend, making it fully unavailable until run of galera role15:20
damiandabrowskiokok thanks, i'll check it15:21
noonedeadpunkwell, not a bug, but upgrade issue15:21
damiandabrowskiwas just curious if you see any blockers from top of your head15:21
noonedeadpunkBut since we run haproxy with galera almost at the same time - we can remove that process now15:21
noonedeadpunkthe only possible one would be case of upgrade from Y to A, but I think it will be still covered15:22
noonedeadpunkBtw, I've proposed patches for upgrade script to test Y->AA https://review.opendev.org/c/openstack/openstack-ansible/+/87988415:23
noonedeadpunkIt obviously fails, but in quite reasonable way15:23
noonedeadpunkalso right now we basically are testing Y->AA upgrade always, and we have Z->AA broken without that patch15:23
noonedeadpunkanother thing - we're about to move Xena to the EM15:30
noonedeadpunkIt should have been already done, but I bought some time to merge things we want for the last proper release15:30
jrosserhave we done that with earlier branches already?15:30
noonedeadpunkYes15:31
noonedeadpunkAll before xena is already in Extended Maintenance15:31
noonedeadpunkWith that, rocky should be EOLed (stable/rocky branch, not rocky linux)15:32
noonedeadpunkSo basically current blocker is rabbitmq patch https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/87985615:33
noonedeadpunkAfter that couple of rechecks can be made. That will also fix upgrade jobs for Y15:34
jrosseri just +W the Y version of that - trying to do them in order i guess15:34
noonedeadpunkDo we want to discuss anything about haproxy stuff or smth else maybe?15:39
damiandabrowskifrom my side everything is clear, I'll keep adding tls support to service roles15:40
jrosserfor haproxy i think james added a lot of complexity to the template to handle simultaneous http/https backends15:41
jrosserwhich we said we would revert once a migration is done15:41
jrosserif now we are going to not use that, we could remove it15:41
noonedeadpunkgood point15:42
damiandabrowskiso: with separated haproxy config we can keep downtime minimal during http->https transition(downtime will start after haproxy config and finish when first host is properly configured)15:44
damiandabrowskiif it's ok for us(i think it should be ok) then we can revert james' patches mainly because they are quite complex15:45
damiandabrowskibut if we want to provide literally zero-downtime http->https transition, we will still need them15:45
noonedeadpunkAre we leveraging them in any way? 15:47
damiandabrowskiAFAIK this feature is currently broken: https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/86478415:48
noonedeadpunkdamiandabrowski: well, we can apply filter there, like `"{{ 'ansible_' ~ haproxy_bind_external_lb_vip_interface | replace('-','_') }}"`15:53
noonedeadpunkto gather facts only for interfaces of interest15:53
noonedeadpunklike we do for masakari for example https://opendev.org/openstack/openstack-ansible/src/tag/wallaby-em/playbooks/os-masakari-install.yml#L34-L3515:53
damiandabrowskiyeah, it will most likely help15:55
noonedeadpunk#endmeeting16:04
opendevmeetMeeting ended Tue Apr 11 16:04:19 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:04
opendevmeetMinutes:        https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-04-11-15.00.html16:04
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-04-11-15.00.txt16:04
opendevmeetLog:            https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-04-11-15.00.log.html16:04
opendevreviewMerged openstack/openstack-ansible master: Enable TLS frontend for repo_server by default  https://review.opendev.org/c/openstack/openstack-ansible/+/87642616:08
noonedeadpunkfolks, any thoughts on how that is possible? https://zuul.opendev.org/t/openstack/build/da1bc3c8cd32468d8fc6e2ad6a1d4b11/log/job-output.txt#1812416:41
noonedeadpunkgiven we do `unset ANSIBLE_STRATEGY` right before that16:42
noonedeadpunkhm, might be because of that https://zuul.opendev.org/t/openstack/build/da1bc3c8cd32468d8fc6e2ad6a1d4b11/log/job-output.txt#1735016:48
noonedeadpunkwhich gives ENV for bootstrap script...16:48
jrosserso we should bootstrap-ansible a second time, and that should remove the strategy?16:50
jrosserwell, though i guess if we are using our ansible to run the bootstrap, then the env vars from the first run will be present16:51
jrosserand it might then pick up that value to use in the second bootstrap16:51
noonedeadpunkI think this is what results https://opendev.org/openstack/openstack-ansible/src/branch/master/scripts/gate-check-commit.sh#L25016:53
noonedeadpunkor well, we're sourcing it 2 times16:54
noonedeadpunkin gate-check-commit before executing run-upgrade16:54
noonedeadpunkand then here in run-upgrade https://opendev.org/openstack/openstack-ansible/src/branch/master/scripts/run-upgrade.sh#L11816:54
jrosserisnt it this though? https://github.com/openstack/openstack-ansible/blob/stable/zed/scripts/openstack-ansible.rc#L5716:55
jrosserall those exports16:55
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible master: Add support for TLS backends  https://review.opendev.org/c/openstack/openstack-ansible/+/87908517:01
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Install zuul-provided collections as directories  https://review.opendev.org/c/openstack/openstack-ansible/+/88003117:04
noonedeadpunkI wonder if that will help17:05
opendevreviewMerged openstack/openstack-ansible-galera_server stable/yoga: fix indentation for condition  https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/87947917:09
opendevreviewMerged openstack/openstack-ansible-rabbitmq_server stable/yoga: Switch rabbitmq repo back to packagecloud  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/87985717:10
noonedeadpunkso yes, every time we call scripts-library.sh - we load old openrc until ansible is bootstrapped. And we call it twice during upgrade process17:23
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible master: Revert "Skip haproxy with setup-infrastructure for upgrades"  https://review.opendev.org/c/openstack/openstack-ansible/+/88009117:29
noonedeadpunkdamiandabrowski: are you sure we need to backport that? ^17:30
noonedeadpunkAs I think we don't17:30
damiandabrowskiah, you're right17:33
damiandabrowskiwhen you perform an upgrade from Z to A17:33
damiandabrowskiit's only necessary to have this fix included in A17:33
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_horizon master: Fix horizon_enable_ssl logic  https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/87951417:37
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_horizon master: Rename horizon_enable_ssl to horizon_backend_ssl  https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/87951617:37
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_horizon master: Add PKI support to horizon backends  https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/87951717:37
noonedeadpunkyeah, exactly. As upgrade to Z still needs this17:44
noonedeadpunkI see 1 unresolved comment here https://review.opendev.org/c/openstack/openstack-ansible/+/871189/32?tab=comments 17:46
noonedeadpunkjrosser: ^17:46
jrosserwell it's nothing to do with horizon17:47
jrosserand it's not accessed via horizon either17:47
jrossersecurity.txt is served from the keystone web server because that is the only one that is guaranteed to exist in a horizon or !horizon deployment17:48
noonedeadpunkI think it should be in basic service now?17:49
jrosserand it's an ACL on the haproxy port 443 frontend to redirect the appropriate path to the keystone backend17:49
noonedeadpunkah, well, except that basic don't have a web server17:49
jrosserwell, base service has nothing17:49
jrosserall it can do is redirect elsewhere17:49
jrosseror "use backend <blah>"17:50
noonedeadpunkyeah, and acl for security should be likely there17:50
jrossertbh i have not looked in detail at how this should work in the new setup17:50
jrosserbut imho it "belongs" to haproxy17:50
noonedeadpunkyes, true, for sure not to horizon_all17:51
noonedeadpunkdamiandabrowski: ^17:52
noonedeadpunkThat really looks to me like good candidate for map file17:52
jrosseryes, though it's a new map file i think17:52
jrosserif we could do a "path_end" based one it could perhaps handle LE and security.txt in one map17:53
noonedeadpunkyeah, I was thinking that LE should be quite close to what we want to do with security17:54
noonedeadpunkexcept we need to have a real web server to serve 1 static file....17:55
opendevreviewMerged openstack/openstack-ansible-os_glance stable/yoga: Disable uWSGI if ceph is used as a store  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/87969817:55
noonedeadpunkWait a second....17:56
jrosserright - there is always keystone17:56
jrosseralways nginx there17:56
jrossersorry apache17:56
noonedeadpunkYou can serve txt file with just haproxy17:56
noonedeadpunkhttps://sleeplessbeastie.eu/2020/05/11/how-to-serve-single-file-using-haproxy/17:57
noonedeadpunkIt's a weird hack, but still it's doable17:57
noonedeadpunkSo we can leave security.txt just fully within haproxy context17:58
jrosserlike it does, sort of :)17:58
opendevreviewMerged openstack/openstack-ansible stable/yoga: Add documentation on refreshing hosts file  https://review.opendev.org/c/openstack/openstack-ansible/+/87948418:05
* damiandabrowski working on security.txt PoC(serving security.txt directly via haproxy)19:06
noonedeadpunkbtw https://review.opendev.org/c/openstack/openstack-ansible/+/880031 looks quite good now19:16
opendevreviewMerged openstack/openstack-ansible-os_swift master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/88004019:53
opendevreviewMerged openstack/openstack-ansible-os_tacker master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_tacker/+/88004119:53
opendevreviewMerged openstack/openstack-ansible-os_masakari master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_masakari/+/87997119:54
opendevreviewMerged openstack/ansible-role-uwsgi master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/87995519:54
opendevreviewMerged openstack/openstack-ansible-os_blazar master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_blazar/+/87995719:55
opendevreviewMerged openstack/openstack-ansible-os_nova master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/88003320:00
opendevreviewMerged openstack/openstack-ansible-os_senlin master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_senlin/+/88003720:01
opendevreviewMerged openstack/openstack-ansible-os_manila master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_manila/+/87997320:01
opendevreviewMerged openstack/openstack-ansible-os_cloudkitty master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/87995920:02
opendevreviewMerged openstack/openstack-ansible-os_mistral master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/87997220:06
opendevreviewMerged openstack/openstack-ansible-os_gnocchi master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_gnocchi/+/87996220:09
opendevreviewMerged openstack/openstack-ansible-os_barbican master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/87995620:18
opendevreviewMerged openstack/openstack-ansible-os_ironic master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/87996820:22
opendevreviewMerged openstack/openstack-ansible-os_placement master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/88003620:26
opendevreviewMerged openstack/openstack-ansible-os_aodh master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_aodh/+/87995420:31
opendevreviewMerged openstack/openstack-ansible-os_glance master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/87632820:37
opendevreviewMerged openstack/openstack-ansible-os_cinder master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/87987020:46
opendevreviewMerged openstack/openstack-ansible-os_ceilometer master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_ceilometer/+/87995821:01
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-haproxy_server master: Allow haproxy role to create security.txt file  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/88008821:06
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible master: Change the order of horizon-back map entry  https://review.opendev.org/c/openstack/openstack-ansible/+/88008921:07
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible master: Serve security.txt directly from haproxy  https://review.opendev.org/c/openstack/openstack-ansible/+/88011021:07
opendevreviewMerged openstack/openstack-ansible-os_neutron master: Ensure service is restarted on unit file changes  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/87997721:07
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible master: Change the order of horizon-back map entry  https://review.opendev.org/c/openstack/openstack-ansible/+/88008921:08
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible master: Serve security.txt directly from haproxy  https://review.opendev.org/c/openstack/openstack-ansible/+/88011021:08
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_keystone master: Remove security.txt parts  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/88011121:09
opendevreviewDamian Dąbrowski proposed openstack/openstack-ansible-os_keystone master: Remove security.txt parts  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/88011121:09
noonedeadpunksooo, looks like you were able to make security.txt working without keystone :)22:10
