anskiy | Hello. I've been upgrading our deployment from 25.2.0 to 25.4.0 and while running `setup-infrastructure` with `rabbitmq_upgrade=true`, OSA stopped all rabbitmq services on all nodes at once for upgrade -- is this the way it should work? The reason I'm asking is after this, all `nova-compute` services end up being broken, until I manually restart them, because they couldn't restore rabbitmq connections | 07:34 |
---|---|---|
hamidlotfi_ | Hi there, | 07:41 |
hamidlotfi_ | I want to install ZED again in the new env for test in Ubuntu 22.04 but show me this error | 07:41 |
hamidlotfi_ | https://www.irccloud.com/pastebin/QWUSW36B/ | 07:41 |
hamidlotfi_ | please help me | 07:41 |
hamidlotfi_ | @jrosser | 07:41 |
hamidlotfi_ | @admin1 | 07:41 |
hamidlotfi_ | @noonedeadpunk | 07:42 |
hamidlotfi_ | note: in the syslog infra alert /etc/haproxy/haproxy.cfg not found! | 07:46 |
admin1 | paste the config and generated haproxy also | 07:54 |
admin1 | and also check if during copy/paste if you got some special characters in the file hamidlotfi_ | 07:54 |
hamidlotfi_ | please say to me more detail | 07:58 |
hamidlotfi_ | If there are special characters in the file, is the error not displayed? | 08:01 |
anskiy | hamidlotfi_: as far as I can tell, the error is: `bind openstack.stage.abramad.com:443' : unable to load certificate from file '/etc/haproxy/ssl/haproxy_infra01-openstack.stage.abramad.com.pem` | 08:02 |
hamidlotfi_ | This file exists | 08:02 |
hamidlotfi_ | but don't understand | 08:02 |
jrosser | it can't both be true, that the file exists and the error says it doesnt | 08:09 |
jrosser | if it does exist then you could look at the permissions and see if they make sense | 08:09 |
hamidlotfi_ | What permission should it have? jrosser | 08:12 |
jrosser | it should be readable by the user that the haproxy process run as | 08:16 |
jrosser | anskiy: the rabbitmq should not be all shut down at once https://github.com/openstack/openstack-ansible/blob/master/playbooks/rabbitmq-install.yml#L68 | 08:18 |
hamidlotfi_ | two cert files have -rw-r--r-- permission, isn't it correct? | 08:18 |
anskiy | jrosser: well, there is this comment: https://github.com/openstack/openstack-ansible/blob/master/playbooks/rabbitmq-install.yml#L43, so I guess this works as intended. | 08:19 |
jrosser | oh ok, right | 08:19 |
anskiy | but it should leave one node running... | 08:20 |
jrosser | well i don't know what is happening there, but surely we would have a heap of bug reports if that happened to everyone :/ | 08:21 |
jrosser | and rabbitmq_upgrade=true on a minor upgrade, is that because of the rabbitmq/erlang repos moving around? | 08:22 |
noonedeadpunk | mornings | 08:22 |
anskiy | that's from the docs :) | 08:22 |
anskiy | but yeah, it was reinstalling in from novemberrain repos | 08:22 |
noonedeadpunk | yeah, I think we messed up with rabbit repos a lot lately, so it makes sense to me to run with rabbitmq_upgrade=true But it's kinda "safe" to do so - we still run with this flag from time to time whenever we hit weird issue with rabbit, as it's the fastest way to recover | 08:23 |
anskiy | got it, gonna try to reproduce this thing | 08:25 |
jrosser | hamidlotfi_: i think you have to just debug what is wrong with haproxy, if the file is there thats OK, if the permissions are reasonable thats OK, but the contents might be somehow broken | 08:25 |
jrosser | you can validate the .pem file with the openssl command line tools, or you can delete it and re-run the haproxy playbook which should put them back into place | 08:26 |
hamidlotfi_ | let me check it | 08:27 |
jrosser | as usual, comparing with an all-in-one build is a quick way to sanity check | 08:27 |
halali | noonedeadpunk iirc rabbitmq playbook with rabbitmq_upgrade = true it keep rabbitmq cluster up and running while upgrading the other node, unless all cluster nodes is DOWN | 08:35 |
damiandabrowski | halali: rabbitmq_upgrade brings all nodes down before starting them | 08:44 |
damiandabrowski | https://opendev.org/openstack/openstack-ansible-rabbitmq_server/src/branch/master/tasks/rabbitmq_post_install.yml#L73 | 08:44 |
damiandabrowski | https://opendev.org/openstack/openstack-ansible-rabbitmq_server/src/branch/master/tasks/rabbitmq_restart.yml | 08:44 |
damiandabrowski | https://opendev.org/openstack/openstack-ansible-rabbitmq_server/src/branch/master/tasks/rabbitmq_stopped.yml | 08:44 |
damiandabrowski | we do that because: "Rolling upgrades are possible only between compatible RabbitMQ and Erlang versions." | 08:46 |
damiandabrowski | https://www.rabbitmq.com/upgrade.html#rolling-upgrades | 08:46 |
noonedeadpunk | halali: nah, I think at some point it completely shuts down the cluster | 08:49 |
noonedeadpunk | but that triggers services to re-connect and re-create queues | 08:53 |
anskiy | control plane services were absolutely fine with that | 08:54 |
anskiy | and they've done as you described | 08:54 |
damiandabrowski | as we talked some time ago, I did some TLS performance tests and created etherpad containing my findings | 09:08 |
damiandabrowski | https://etherpad.opendev.org/p/openstack-ansible-tls-performance-impact | 09:08 |
damiandabrowski | please have a look when you have some time so maybe we can discuss it during the meeting | 09:09 |
halali | OK, I see | 09:12 |
noonedeadpunk | damiandabrowski: actually http/2 is really interesting | 09:20 |
noonedeadpunk | it seems that the only way to use http/2 in python is via hyper though :( | 09:26 |
damiandabrowski | :/ | 09:30 |
noonedeadpunk | oh, hyper is deprecated... | 09:30 |
noonedeadpunk | well, basically because http/2 requires async as well... | 09:33 |
noonedeadpunk | it's httpx now instead I believe... But still, that will require really _a lot_ of refactoring in each project to get this implemented | 09:36 |
kleini | I am stumbling over https://bugs.launchpad.net/designate/+bug/1982252 after upgrade to Yoga. There is no response in that bug for a whole year now. | 09:56 |
kleini | dnspython used here was upgraded from 1.16.0 (Xena) to 2.1.0 (Yoga). Checking, if that causes the issue. | 09:59 |
noonedeadpunk | well, dnspython is part of the upper-constraints, and it's pinned to 2.1.0 there. | 12:02 |
noonedeadpunk | So I'd say it's on designate to fix that... | 12:02 |
noonedeadpunk | johnsom: maybe you have any idea about this? ^ | 12:03 |
adivya | hi Team | 13:21 |
adivya | had a query regarding the upgrade, Do we have any upgrade document for OS upgrade before doing the actual Open stack upgrade | 13:22 |
adivya | for ex i am trying to search but do ubuntu 18.04 supports wallaby openstack version | 13:22 |
adivya | and if i have to upgrade ubuntu 18.04 to ubuntu 20.04 , Do we need to keep anything in mind or any link provided | 13:23 |
NeilHanlon | adivya: https://docs.openstack.org/openstack-ansible/latest/admin/upgrades/distribution-upgrades.html | 13:26 |
adivya | Thank you | 13:32 |
admin1 | hi adivya .. upgrade is straightforward | 13:37 |
admin1 | as in the docs works and nothing fancy . upgrade, run playbooks .. | 13:44 |
lowercase | should be noted that when an upgrade is performed, it is expected post-reboot that the service in the venv will no longer work until the playbooks are run again | 13:47 |
lowercase | and | 13:47 |
lowercase | Clearing out stale information | 13:47 |
lowercase | Removing stale ansible-facts | 13:47 |
lowercase | section of the docs is quite mandatory | 13:47 |
jrosser | lowercase: "it is expected post-reboot that the service in the venv will no longer work until the playbooks are run again" <- do you mean when doing an in-place OS version upgrade? | 13:51 |
jrosser | ^ just need to be specific because it's also quite acceptable to reinstall the new OS completely | 13:52 |
adivya | ok got you | 14:00 |
jamesdenton | deploying stable/2023.1 with ansible_hardening: false, and hitting an error w/ these pam vars that are actually defined. Seen anything like that? https://paste.opendev.org/show/beE9qzoEIPqXNFuOI2f9/ | 14:08 |
jamesdenton | deploying on Jammy, too. | 14:08 |
noonedeadpunk | I would move ansible_hardening somewhere else... like to hardening playbook and skip running role at all if it's defined | 14:29 |
jamesdenton | well, this is normal setup_hosts.yml play w/ apply_security_hardening set to false. Lemme set to True and see what changes | 14:31 |
jamesdenton | the role should be skipped but all tasks are executed anyway (but skipped). | 14:32 |
jamesdenton | When set to True, tasks execute successfully | 14:34 |
noonedeadpunk | jamesdenton: aha, well, then `when` is likely not applicable here https://opendev.org/openstack/openstack-ansible/src/branch/master/playbooks/security-hardening.yml#L40 | 14:44 |
noonedeadpunk | So it should be `tasks: include_role: ansible-hardening when: apply_security_hardening \| bool` | 14:45 |
jamesdenton | ok, i can try that | 14:45 |
jamesdenton | i will spin up an AIO to test that | 14:45 |
jamesdenton | thank you | 14:45 |
noonedeadpunk | I guess smth has changed with recent ansible versions | 14:46 |
noonedeadpunk | and everyone runs this hardening, so... | 14:46 |
jamesdenton | maybe.. i used this configuration fairly recently w/ Zed on 22.04, i thought anyway | 14:46 |
jamesdenton | yes, i disable it for labs since it adds time | 14:47 |
jamesdenton | it's strange that it couldn't find the vars, though | 14:47 |
noonedeadpunk | well, it's not, as these vars are included inside role | 15:00 |
noonedeadpunk | this is not in defaults or vars/main | 15:00 |
noonedeadpunk | and all tasks are skipped ,so vars/debian.yml simply not loaded | 15:00 |
noonedeadpunk | #startmeeting openstack_ansible_meeting | 15:00 |
opendevmeet | Meeting started Tue Jun 27 15:00:54 2023 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
opendevmeet | The meeting name has been set to 'openstack_ansible_meeting' | 15:00 |
noonedeadpunk | #topic rollcall | 15:00 |
noonedeadpunk | o/ | 15:01 |
damiandabrowski | hi! | 15:01 |
jrosser | o/ hello | 15:03 |
NeilHanlon | o/ | 15:03 |
NeilHanlon | sorta around. doing some errands | 15:03 |
noonedeadpunk | #topic office hours | 15:04 |
mgariepy | o/ | 15:05 |
noonedeadpunk | I don't have big agenda for today. I guess mainly we should land some backports to 2023.1 and make new bugfix release https://review.opendev.org/q/parentproject:openstack/openstack-ansible+branch:%255Estable/2023.1+status:open+ | 15:06 |
noonedeadpunk | As most nasty thing is that I forgot to update openstack-ansible-plugins version in a-c-r | 15:06 |
noonedeadpunk | so heat is going to fail | 15:06 |
noonedeadpunk | also gnocchi is known to be broken, but I have no idea what we can do with that | 15:06 |
noonedeadpunk | as constraints are not respected when project has pyproject.toml | 15:07 |
jamesdenton | o/ | 15:09 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_cinder stable/2023.1: Use v3 service type in keystone_authtoken config https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/887057 | 15:09 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_cinder stable/zed: Use v3 service type in keystone_authtoken config https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/887058 | 15:09 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_cinder stable/yoga: Use v3 service type in keystone_authtoken config https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/887059 | 15:09 |
jrosser | we need to clean up the cinder role | 15:10 |
jrosser | lots of v1/v2 stuff in there | 15:10 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2023.1: Ensure management_address is used instead of ansible_host https://review.opendev.org/c/openstack/openstack-ansible/+/887060 | 15:11 |
noonedeadpunk | yup - that's really good call | 15:12 |
noonedeadpunk | and I guess we kinda need to review patches for making tls/internal tls as default | 15:14 |
noonedeadpunk | I'm personally reluctant to vote on that, because I don't really have any strict opinion on that | 15:14 |
noonedeadpunk | I'm not sure if it's good default or not | 15:14 |
damiandabrowski | #link https://etherpad.opendev.org/p/openstack-ansible-tls-performance-impact | 15:15 |
noonedeadpunk | and this is actually good work and smth to think about | 15:15 |
damiandabrowski | after my benchmarks, i also don't have a strong opinion | 15:15 |
noonedeadpunk | I will add the topic for next TC meeting (not the one that will be in 2 hours, but next week) | 15:15 |
noonedeadpunk | To see what they think about http/2 and if it's time for openstack to adopt it | 15:16 |
noonedeadpunk | but I see tremendous amount of work that would be required, which is probably the main blocker | 15:17 |
noonedeadpunk | and yeah, not having TLS on internal VIP have quite big difference comparing to enabled TLS on it | 15:18 |
noonedeadpunk | and like almost 30% difference between current default and suggested one, if I'm right? | 15:18 |
noonedeadpunk | 60s vs 88s | 15:19 |
jrosser | idk what the other tools do for this | 15:19 |
jrosser | if we are different by having tls or by not having it | 15:19 |
damiandabrowski | noonedeadpunk: yeah, but I can't explain why enabling TLS on backend doesn't make any difference while for haproxy it does | 15:20 |
noonedeadpunk | jrosser: not sure I got your point? as I guess as long as we test both we should be good? | 15:22 |
spatel | Folks! I am trying to run OSA stack inside lxd container for lab/stage/testing but look like it doesn't support, hit this error when running setup-host.yml - https://paste.opendev.org/show/bsBRasNMflOnflDb68bm/ | 15:23 |
spatel | any workaround ? | 15:24 |
jrosser | i mean if the default for the other tools is to do TLS then that says that the lower performance might be seen as acceptable already | 15:25 |
noonedeadpunk | does kolla enforce internal tls? | 15:25 |
noonedeadpunk | (I don't know to be frank) | 15:26 |
jrosser | me neither - thats why it would be interesting to see what the other perspectives are | 15:26 |
noonedeadpunk | spatel: do you know how things are with tls in kolla world?:) | 15:27 |
jrosser | spatel: in an LXD you can't do anything with the kernel really, so you need to disable those tasks, look at the code and the vars to make some overrides | 15:28 |
noonedeadpunk | regarding your question - this specific issue can be overcome by defining `openstack_host_specific_kernel_modules: []` but I think you will fail in soooo many places, that I don't find it being feasible to run inside container | 15:28 |
spatel | I mostly keep TLS disable but it does has support to encrypt all traffic using haproxy - https://docs.openstack.org/kolla-ansible/latest/admin/tls.html | 15:28 |
noonedeadpunk | jrosser: default is `no` https://opendev.org/openstack/kolla-ansible/src/branch/master/ansible/group_vars/all.yml#L834-L840 | 15:29 |
spatel | jrosser just disabled that task and re-running it.. Hope we can make it variable to make it workable on LXD playground | 15:29 |
mgariepy | spatel, lxc --vm ? | 15:30 |
spatel | Yes, running whole stack inside LXD to mimic production | 15:30 |
noonedeadpunk | yeah, lxd can manage LVM | 15:30 |
noonedeadpunk | brrrrrrr | 15:30 |
mgariepy | vm.. lvm meh | 15:30 |
noonedeadpunk | *KVM | 15:30 |
spatel | Its quick to spin up and testing | 15:30 |
noonedeadpunk | spatel: yeah, but it can be proper VM rather than lxc container | 15:31 |
spatel | LVM for cinder correct but we can use physical host for LVM support we don't need that inside LXD | 15:31 |
spatel | currently my dev/stage environment running inside VMware VMs which is very hard to setup and destroy.. I want something quick and automation way and LXD is very quick and easy | 15:32 |
noonedeadpunk | the problem with lxc containers, is that you can't manage a lot of things, including time, kernel modules, firewall?, devices | 15:33 |
noonedeadpunk | (probably you can have firewall if proper modules are loaded though) | 15:34 |
noonedeadpunk | spatel: https://ubuntu.com/blog/lxd-virtual-machines-an-overview | 15:34 |
noonedeadpunk | so spawning proper KVM VM is quite as trivial as lxc container IMO | 15:35 |
spatel | Hmmm! | 15:35 |
damiandabrowski | maybe we just found a volunteer who can work on https://github.com/openstack/openstack-ansible-ops/tree/master/multi-node-aio ? :D | 15:36 |
noonedeadpunk | returning back to tls - I would leave default as is, but improve testing whenever possible | 15:36 |
noonedeadpunk | hehe | 15:36 |
mgariepy | only need to add --vm to your lxc launch command | 15:36 |
noonedeadpunk | exactly ^ | 15:36 |
spatel | lol | 15:37 |
damiandabrowski | okay, so keep tls disabled for now but implement 'tls-transition' scenario anyway, right? | 15:37 |
spatel | mgariepy let me try.. --vm | 15:38 |
noonedeadpunk | yeah, we must test it anyway imo | 15:39 |
noonedeadpunk | maybe also document better on how to enable/switch to TLS and possible performance degradation? | 15:40 |
jrosser | i think i will be switching to tls | 15:40 |
mgariepy | i'll too. | 15:41 |
damiandabrowski | we will switch to tls as well(at least in some regions) | 15:41 |
jrosser | it's just on * everywhere here so my openstack is a pretty big outlier | 15:41 |
mgariepy | but i'm pretty low on api calls so i don't expect it to cause much issue | 15:41 |
noonedeadpunk | but I kinda feel extra complexity by this as default especially for beginners or who doesn't care a lot as network is internal | 15:42 |
noonedeadpunk | so it kinda pretty much depends on usecases and regulations | 15:42 |
damiandabrowski | but if we see ~30% degradation on rally, maybe it's indeed better to keep it disabled by default | 15:42 |
noonedeadpunk | (and existence of quantum computers) | 15:42 |
spatel | mgariepy that works!! --vm | 15:43 |
noonedeadpunk | I don't think we have too much complexity with our implementation which we don't want to carry for some period of time | 15:45 |
noonedeadpunk | since now we just rely on haproxy configuration at playbook runtime, this extra complexity for tcp is not gigantic anymore | 15:47 |
damiandabrowski | but this '--vm' parameter is interesting(didn't know about it before) | 16:03 |
damiandabrowski | do I understand correctly that if we implement LXD support at some point, it will be much easier to spin up multi-node-aio? | 16:03 |
damiandabrowski | as we can skip all virsh/pxe tasks then | 16:06 |
spatel | damiandabrowski let me spin up my lab and i will give you feedback how it goes but agreed with you LXD is much faster and easier if works with OSA | 16:14 |
opendevreview | Merged openstack/openstack-ansible stable/2023.1: Remove other releases from 2023.1 index page https://review.opendev.org/c/openstack/openstack-ansible/+/884921 | 16:16 |
damiandabrowski | i'm not sure if it's faster, but for ex. it has a proper tooling for image management. But I think that requirement to install LXD from snap successfully prevented us from switching to it so far | 16:17 |
damiandabrowski | noonedeadpunk: endmeeting? ;) | 16:18 |
noonedeadpunk | #endmeeting | 16:18 |
opendevmeet | Meeting ended Tue Jun 27 16:18:34 2023 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:18 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-06-27-15.00.html | 16:18 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-06-27-15.00.txt | 16:18 |
opendevmeet | Log: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2023/openstack_ansible_meeting.2023-06-27-15.00.log.html | 16:18 |
noonedeadpunk | yes... | 16:18 |
noonedeadpunk | sry | 16:18 |
opendevreview | James Denton proposed openstack/openstack-ansible master: Use include_role in task to avoid lack of access to vars https://review.opendev.org/c/openstack/openstack-ansible/+/887082 | 16:25 |
spatel | How do I use br-mgmt for vxlan tunnel | 16:58 |
spatel | I don't want to create br-vxlan dedicated bridge | 16:58 |
noonedeadpunk | you don't need to | 16:58 |
noonedeadpunk | eventually, you need just consistent interface name for vxlan | 16:59 |
noonedeadpunk | with IP on it | 16:59 |
spatel | ? | 17:00 |
spatel | I have only two interface so thinking br-mgmt I can use for vxlan | 17:00 |
spatel | and br-vlan for provider network | 17:01 |
opendevreview | Merged openstack/openstack-ansible-galera_server master: Add optional compression to mariabackup https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/886180 | 17:34 |
opendevreview | Merged openstack/openstack-ansible-ceph_client stable/2023.1: Fix retrievement keyrings from files https://review.opendev.org/c/openstack/openstack-ansible-ceph_client/+/886477 | 17:46 |
opendevreview | Merged openstack/openstack-ansible-ceph_client stable/2023.1: Fix permissions for ceph cache directories https://review.opendev.org/c/openstack/openstack-ansible-ceph_client/+/886471 | 17:46 |
admin1 | spatel, you can use kvm with the openstack backign image ( just like how nova does it ) to quickly bring up dev boxes | 18:13 |
admin1 | backing ! | 18:13 |
admin1 | my dev one takes less than 1 min to boot, and it has all the networks etc ready .. ips are pre assigned via vyos | 18:13 |
admin1 | all i need to do is run one small post-install ansible and the netplan is populated with the right bridges etc | 18:14 |
admin1 | in less than 5 mins, the whole dev env is ready for a new openstack build | 18:14 |
spatel | give me recipe of KVM and spin up environment | 18:14 |
admin1 | let me do some cleanup and put it in github | 18:15 |
spatel | cool | 18:17 |
admin1 | https://gist.githubusercontent.com/a1git/871420b52587c609b5d2d24d6e204869/raw/960ffa9f595133ed34709a1353f12eb1869cca9d/gistfile1.txt -- something like this | 18:23 |
admin1 | jammy.img is the same image you download for customers for openstack | 18:23 |
admin1 | you can rewrite the mac to make it anything to get the same IP from dhcp, or remove it to get diff ones | 18:24 |
spatel | admin1 Thanks! but what about setting up networking for br-mgmt/br-vlan/br-vlan etc.. | 18:44 |
spatel | we need internal bridge to communicate between multiple VM for multi-node deployment | 18:44 |
spatel | AIO is easy but multi-node setup not | 18:46 |
admin1 | yes, you create netplans on the host and the guest | 18:58 |
spatel | how does vxlan will talk to other vm | 18:59 |
admin1 | in you host, you just add host-vxlan as bridge | 18:59 |
admin1 | and then pass that as interface on br-vxlan to the hosts | 18:59 |
spatel | we have to create bridge etc.. and connect vm to those bridge to make communication work | 18:59 |
admin1 | yes | 18:59 |
spatel | that sort of example I am looking for :) | 19:00 |
admin1 | this is an old version, but you get the idea | 19:01 |
admin1 | https://gist.githubusercontent.com/a1git/c15ecbc87738d9d8390e6477d497c4c0/raw/032de84cee842201ecdc09bf47cb8e148f0df5e3/gistfile1.txt | 19:01 |
jamesdenton | there doesn't need to be a vxlan bridge, necessarily, or a dedicated vlan for vxlan traffic. Only an IP on each host that can be used for point-to-point vxlan traffic | 19:06 |
jamesdenton | that could be the IP on br-mgmt if you wanted it to | 19:06 |
jamesdenton | it's just that the reference architecture uses a dedicated VLAN/IP for overlay (vxlan) traffic, and a bridge exists because of legacy reasons, connecting the old neutron-agent container to the host | 19:07 |
admin1 | in my case, i wanted to test cloud-connect feature | 19:08 |
admin1 | which is a vpn for customer to directly plug into their vxlan | 19:09 |
admin1 | which is why i put a host bridge | 19:09 |
admin1 | also to tcpdump from host and check for traffic, sflow testing | 19:09 |
jamesdenton | because it needs to be reachable by some other external host? | 19:09 |
admin1 | this is an all in one dev setup where i test various scenarios | 19:09 |
admin1 | and one is cloud-connect | 19:09 |
jamesdenton | ok | 19:10 |
jamesdenton | not familiar w/ that | 19:10 |
admin1 | which is you offer vpn to customer or their own l2 connect which will plugin to their internal networks directly | 19:10 |
lowercase | guys im getting, 0x80244017 | 19:12 |
lowercase | wrong chat sry | 19:12 |
spatel | jamesdenton you are saying if i don't have br-vxlan then it will use br-mgmt for vxlan? | 19:12 |
jamesdenton | IIRC it may default to ansible_host, which is likely br-mgmt | 19:13 |
jamesdenton | you can certainly try it. Ultimately, the IP srt at local_ip in the ml2/ovs/lxb config files is what is used | 19:14 |
jamesdenton | *the IP used in local_ip | 19:14 |
spatel | jamesdenton I will give it a try | 19:14 |
jamesdenton | so, the playbooks do their best to determine what that needs to be based on the overrides and openstack_user_config | 19:14 |
spatel | I didn't know that br-vxlan is optional | 19:14 |
spatel | +1 | 19:15 |
jamesdenton | Well, don't want to say it's optional but it's not necessarily required? Opposing statements, I know | 19:15 |
spatel | I know for production its important but for test/lab its not | 19:16 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Add 'tls-transition' scenario https://review.opendev.org/c/openstack/openstack-ansible/+/885194 | 20:55 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Allow to update AIO config prior to an upgrade https://review.opendev.org/c/openstack/openstack-ansible/+/885190 | 21:05 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible stable/2023.1: Add support for 'tls-transition' scenario https://review.opendev.org/c/openstack/openstack-ansible/+/887118 | 21:12 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Add 'tls-transition' scenario https://review.opendev.org/c/openstack/openstack-ansible/+/885194 | 21:18 |
opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Add 'tls-transition' scenario https://review.opendev.org/c/openstack/openstack-ansible/+/885194 | 21:26 |