opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Update AIO config before performing an upgrade https://review.opendev.org/c/openstack/openstack-ansible/+/885190 | 04:51 |
---|---|---|
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: [WIP] Enable TLS on haproxy VIPs and backends by default https://review.opendev.org/c/openstack/openstack-ansible/+/885192 | 04:55 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: [WIP] Enable TLS on haproxy VIPs and backends by default https://review.opendev.org/c/openstack/openstack-ansible/+/885192 | 04:55 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: [WIP] Add 'tls-transition' scenario https://review.opendev.org/c/openstack/openstack-ansible/+/885194 | 04:56 |
anskiy | Regarding breaking `nova-api-os-compute` after running `os-nova-install`: I see, that this task: https://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/roles/service_setup/tasks/main.yml#L80 breaks it (by using `update_password: always`). I see this with Yoga and Zed versions of Nova. Turning off uwsgi for nova-api-os-compute doesn't help. Setting number of processes to 1 helps (both with uwsgi and withou | 08:43 |
anskiy | After that, I can increase amount of threads so I wouldn't suffer performance penalty of running one worker, but I'm not sure if that's safe. Right now I'm trying to reproduce this in Zed AIO with LXC (no luck yet). | 08:46 |
anskiy | oh, the error is: <class 'nova.exception.NeutronAdminCredentialConfigurationInvalid'> (HTTP 500) (Request-ID: req-bb917e0c-0240-47a0-8485-20cedba059a8), which fixes by restarting nova-api-os-compute until next playbook run | 08:47 |
opendevreview | Merged openstack/openstack-ansible master: Allow to run only specific tags from bootstrap-host role https://review.opendev.org/c/openstack/openstack-ansible/+/885188 | 09:49 |
mgariepy | hmm.. there is something weird with keystone with using ssl CA from ca-certificate on a new deploy. is that something that anyone has seen? | 13:02 |
mgariepy | looks like the ldaps connection won't use the system CA store. | 13:04 |
jrosser | mgariepy: feels like an interesting test scenario to add to the AIO - would not be terribly difficult to install a ldap server? | 13:14 |
mgariepy | the issue is that it seems like keystone is not using the server truststore.. so it cannot validate the godaddy cert used. | 13:14 |
mgariepy | installing a ldap server would probably test that ldap still works, i haven't had issue with ldap since a long while (last time was in kilo release iirc) | 13:16 |
mgariepy | https://github.com/openstack/ansible-role-uwsgi/blob/master/vars/debian.yml#L35 this is passed to the uwsgi | 13:24 |
mgariepy | but it seems not to work for ldap... | 13:24 |
jrosser | that is the system ca store | 13:24 |
mgariepy | yep, the godaddy root is there. | 13:34 |
mgariepy | i can validate with openssl s_client | 13:34 |
mgariepy | ldapsearch is something else tho. what a mess haha | 13:34 |
jrosser | no idea how keystone does that, does it call out with a cli for that, or use a python ldap library | 13:50 |
mgariepy | it does use a python lib. | 13:53 |
mgariepy | but even with ldapsearch it seems to be broken.. on 22.04. was working fine on 20.04.. | 13:53 |
mgariepy | fun ldap integration. trace back on user list --domain AAA. | 14:10 |
noonedeadpunk | anskiy: that looks like very valid bug | 16:03 |
noonedeadpunk | can you kindly report that to launchpad so it won't get lost? | 16:04 |
noonedeadpunk | As frankly speaking, that looks to me rather then weird nova behaviour, as it should re-try connecting rather than just fail | 16:04 |