opendevreview | Ke Niu proposed openstack/ansible-config_template master: setup.cfg: Replace dashes with underscores https://review.opendev.org/c/openstack/ansible-config_template/+/881784 | 01:23 |
---|---|---|
opendevreview | Merged openstack/openstack-ansible-os_heat master: Add TLS support to heat backends https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/879916 | 02:10 |
opendevreview | Merged openstack/openstack-ansible-os_murano master: Add TLS support to murano backends https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/880646 | 02:39 |
jrosser | good morning | 07:32 |
jrosser | damiandabrowski: i asked in the swift weekly meeting last night about TLS - see here https://meetings.opendev.org/meetings/swift/2023/swift.2023-05-03-21.00.log.html | 07:40 |
jrosser | the answer seems to be https://hitch-tls.org/ | 07:40 |
noonedeadpunk | mornings | 08:12 |
noonedeadpunk | so swift listening to 127.0.0.1 and then hitch and then haproxy? | 08:12 |
jrosser | thats what i think (nvidia?) are using | 08:13 |
jrosser | but i guess anything that does https on one side and proxy v1 protocol on the other would be ok | 08:13 |
jrosser | having said this there is apparently a load of backend traffic too in swift, but i'm not particularly familiar with the architecture | 08:14 |
noonedeadpunk | I wonder if this silly frontend that rgw is using might be good fit as well | 08:16 |
jrosser | rgw has its own internal webserver | 08:16 |
jrosser | https://www.boost.org/doc/libs/1_80_0/libs/beast/doc/html/index.html | 08:17 |
jrosser | and we do this in ceph.conf `rgw frontends = beast ssl_endpoint=[::]:443 ssl_certificate=/etc/ssl/private/rgw.pem` | 08:19 |
damiandabrowski | hi! | 08:22 |
damiandabrowski | thanks for reaching them out jrosser | 08:23 |
jrosser | it was just complete luck that i noticed the meeting in progress when i was at irc | 08:24 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_nova master: Ensure ipxe-qemu is always installed https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/882244 | 09:14 |
opendevreview | Merged openstack/openstack-ansible-os_trove stable/zed: Add variables for rabbitmq ssl configuration https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/882053 | 12:18 |
damiandabrowski | jrosser: regarding your msg from yesterday, why do you think this is incorrect? | 12:28 |
damiandabrowski | https://zuul.opendev.org/t/openstack/build/349c75d805ae41e4b1fbc3e0b10e8b52/log/logs/etc/openstack/aio1_ceph-rgw_container-2cce9944/ceph/ceph.conf.txt#19 | 12:29 |
damiandabrowski | looks ok to me, considering haproxy config: | 12:29 |
damiandabrowski | https://zuul.opendev.org/t/openstack/build/349c75d805ae41e4b1fbc3e0b10e8b52/log/logs/etc/host/haproxy/haproxy.cfg.txt#225 | 12:29 |
opendevreview | Merged openstack/openstack-ansible-galera_server stable/zed: Define backup randomized delay in defaults https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/882056 | 12:33 |
noonedeadpunk | so yes, since internal TLS is part only of specific job, internal keystone endpoint should be http | 12:36 |
jrosser | well i think what i mean is that i've not seen any work yet on the ceph deployment for TLS | 12:42 |
jrosser | and i looked in the wrong job i think which doesnt have tls enabled, so it should indeed be http in that case | 12:42 |
damiandabrowski | oh you're right, i'll check what can we do in terms of haproxy<>rgw backends communication | 12:57 |
jrosser | rgw has keystone endpoint in its config, which might work out ok depending what var we use for that | 12:57 |
damiandabrowski | I also need to find out why proxy job fails here :| | 12:58 |
damiandabrowski | https://review.opendev.org/c/openstack/openstack-ansible/+/881967 | 12:58 |
damiandabrowski | yeah, but I don't know yet how to tell RGW to listen on TLS :D | 12:58 |
jrosser | oh well i pasted something for that earlier | 12:59 |
jrosser | `rgw frontends = beast ssl_endpoint=[::]:443 ssl_certificate=/etc/ssl/private/rgw.pem` | 12:59 |
jrosser | ^ thats for ipv6 so will maybe need ssl_endpoint being a bit different | 12:59 |
damiandabrowski | ack | 13:00 |
NeilHanlon | noonedeadpunk: i started looking at how to integrate the new ovs/ovn i built, but I ran into an issue. It looks like in the openstack_hosts role, we are excluding OVS/OVN from the RDO repositories, which are different than the plain CentOS NFV SIG repos.. e.g., those are named `rdo-openvswitch...` whereas mine are just openvswitch. I (think) that | 13:23 |
NeilHanlon | the packages prefixed with rdo are just "meta" packages, but I wanted to get your thoughts | 13:23 |
NeilHanlon | basically i have ovs3.1 and ovn22.12 installable on Rocky, but want to try and test it with OSA | 13:24 |
noonedeadpunk | NeilHanlon: so they're not plain "meta", but they do install ones from NFV SIG by requirements | 13:25 |
noonedeadpunk | To be frank I'm not sure if they're "required" or optional... | 13:25 |
noonedeadpunk | But rdo- ones used to work for Rocky as well | 13:26 |
NeilHanlon | i'll chat with NFV sig lead about it.. see if they have any suggestions and/or context | 13:26 |
NeilHanlon | hope your visa gets sorted btw! not sure if you saw my message last night but it looks like i'm definitely going to Vancouver | 13:27 |
opendevreview | Merged openstack/openstack-ansible-os_barbican master: Add TLS support to barbican backends https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/879917 | 13:32 |
noonedeadpunk | NeilHanlon: I haven't but that sounds awesome! | 13:34 |
noonedeadpunk | NeilHanlon: maybe worth to chat with rdo folks? | 13:35 |
noonedeadpunk | as they're doing that for some reason | 13:35 |
NeilHanlon | noonedeadpunk, yep.. in this case the RDO folks are the same person as the NFV sig, so... two birds, one stone | 13:35 |
noonedeadpunk | aha :) | 13:36 |
opendevreview | Merged openstack/openstack-ansible master: Limit blazar processes on AIO https://review.opendev.org/c/openstack/openstack-ansible/+/880653 | 13:39 |
jrosser | really? https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/844687 | 14:59 |
jrosser | its branchless /o\ | 14:59 |
opendevreview | Merged openstack/ansible-config_template master: setup.cfg: Replace dashes with underscores https://review.opendev.org/c/openstack/ansible-config_template/+/881784 | 15:00 |
jrosser | thats why 882012 is broken | 15:00 |
noonedeadpunk | and we don't pin tempest plugins in Y yet? | 15:01 |
opendevreview | Merged openstack/openstack-ansible-os_cloudkitty stable/yoga: Ensure service is restarted on unit file changes https://review.opendev.org/c/openstack/openstack-ansible-os_cloudkitty/+/882014 | 15:02 |
noonedeadpunk | shouldn't this be respected? https://opendev.org/openstack/openstack-ansible/src/branch/stable/yoga/playbooks/defaults/repo_packages/openstack_testing.yml#L23 | 15:02 |
noonedeadpunk | or we're just consuming zuul version.... | 15:02 |
jrosser | well https://zuul.opendev.org/t/openstack/build/80c978e4a7dc44ceb626a89569a31c1f/log/job-output.txt#14598 | 15:07 |
noonedeadpunk | yeah, i see.... | 15:08 |
noonedeadpunk | maybe this file is not included or smth... | 15:08 |
noonedeadpunk | would need to dig there... | 15:08 |
opendevreview | Merged openstack/openstack-ansible-os_trove stable/yoga: Add variables for rabbitmq ssl configuration https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/882054 | 16:34 |
NeilHanlon | noonedeadpunk: after chatting with rdo folks, it seems all we should have to do is change the repos underneath the rdo repos, and they (should) "just work". so i will try a couple patches to neutron and nova roles to swap out the repos as a test, as well as remove the exclusion from openstack_hosts role | 17:06 |
noonedeadpunk | yeah, so right now we install nfv repo like that https://opendev.org/openstack/openstack-ansible-os_neutron/src/branch/master/vars/redhat.yml#L16-L17 | 17:08 |
noonedeadpunk | but I think you've already found that | 17:09 |
noonedeadpunk | and yeah, it's both in neutron and nova. but for nova it was brought by requirement of neutron-libs or smth, so eventually IMO it should not be in nova role.... | 17:09 |
noonedeadpunk | but rdo was packed in a way that they require it by some weird dependency | 17:10 |
noonedeadpunk | but in fact there's nothing that should be required for nova | 17:10 |
noonedeadpunk | thus it gets installed only for distro path and not for source | 17:11 |
NeilHanlon | that's a bit annoying lol | 17:20 |
noonedeadpunk | I can apply this to many things in rhel world lol | 17:34 |
NeilHanlon | yeah but it keeps me employed, i guess 😂 | 17:34 |
noonedeadpunk | fair enough :D | 17:35 |
opendevreview | Merged openstack/openstack-ansible-os_trove stable/xena: Add variables for rabbitmq ssl configuration https://review.opendev.org/c/openstack/openstack-ansible-os_trove/+/882055 | 21:24 |
opendevreview | Merged openstack/ansible-config_template master: Add support for start/end_string arguments https://review.opendev.org/c/openstack/ansible-config_template/+/881879 | 23:07 |
opendevreview | Merged openstack/openstack-ansible-os_nova master: Use include instead of import for conditional tasks https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/874947 | 23:12 |
opendevreview | Merged openstack/openstack-ansible-os_ironic master: Add driver type for redfish https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/881450 | 23:13 |
opendevreview | Merged openstack/openstack-ansible-os_octavia master: Switch default provider to amphorav2 https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/881382 | 23:22 |
opendevreview | Merged openstack/openstack-ansible master: Add drain option to haproxy-endpoint-manage https://review.opendev.org/c/openstack/openstack-ansible/+/882124 | 23:42 |