noonedeadpunk | damiandabrowski: sleeping over with this keystone thing, I now think that this is real regression in keystone that should not have happened | 06:55 |
---|---|---|
noonedeadpunk | like you wrote, while we indeed can deal with services, we can't deal with users and that's real threat for upgrades atm | 06:56 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add openstack_resources role skeleton https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794 | 07:04 |
damiandabrowski | true, i also agree that's a weird decision to trim passwords to 54 chars. Trimming to 72 would be way more reasonable. | 07:16 |
noonedeadpunk | And I kinda still think that our default should be crypt... as otherwise you sooner or later get to weird situation, when you realize that supplied password is not actually what is used, and worse if users discover that as well | 07:18 |
noonedeadpunk | that can be really awkward | 07:18 |
noonedeadpunk | I'll reach keystone folks and have some talk with them | 07:18 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add openstack_resources role skeleton https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794 | 07:47 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_tempest master: Adopt for usage openstack_resources role https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/889741 | 07:47 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add openstack_resources role skeleton https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794 | 07:47 |
anskiy | I'm running compute nodes for poor^W^Whyperconverged with Ceph OSDs and ceph.conf on them changes between running ceph-install and os-nova-install (ceph-client role) like this: https://paste.opendev.org/show/b9vjBbYN8kweFa51ByX5/. Which leads to restarting all OSDs :) | 08:38 |
anskiy | One option, as was suggested by noonedeadpunk was setting `ceph_conf_file` in user_variables, but after careful consideration it looks like it's the worst one, because I lock myself from standard overrides to ceph.conf via `ceph_conf_overrides_custom` and would have to do them in two places. | 08:38 |
anskiy | The other option was patching config_template to attach section-less comments to virtual section, which is kinda okay, along with removing some sections from generated ceph.conf, like this: https://paste.opendev.org/show/bEKCiuvVsg5AQz9Hucin/, so this patch does not fully work around this issue, especially because ceph.conf owner and group differ too between the roles. | 08:38 |
anskiy | The quick fix thing on which I've settled for now is removing unnecessary sections via user_variables and patching ceph-ansible to fix owner/group. | 08:39 |
anskiy | What I think could be the proper way to fix this is changing ceph_client role somehow to either do nothing if ceph.conf (with ceph.conf only, as it still needs to provide keys to libvirt) is already present, or if ceph-ansible is part of deployment (not sure how to detect the latter one tho). | 08:39 |
noonedeadpunk | anskiy: to be frank, the only thing that needs to be in ceph.conf on clients is cluster fsid and definition of monitors | 08:41 |
noonedeadpunk | so ceph_conf_file should be really minimal and should not require overrides | 08:42 |
noonedeadpunk | as you have both these things in context/inventory | 08:42 |
noonedeadpunk | there's no reason to have default crush rule for clients - they even should not have permissions to leverage that | 08:43 |
noonedeadpunk | I think we have it as short as 3-4 lines tops | 08:45 |
anskiy | but you probably don't use integrated ceph-ansible: which results in two roles trying to manage one ceph.conf file, do you? :) | 08:46 |
noonedeadpunk | but does ceph-ansible try to manage ceph.conf on clients? Why? | 08:47 |
noonedeadpunk | ah, hyperconverged | 08:47 |
noonedeadpunk | we don't have that :D | 08:47 |
anskiy | yeah | 08:47 |
* noonedeadpunk hates HCI | 08:48 | |
anskiy | I totally get, that this is only my problem and such, but I was thinking about some solution that could be upstreamed | 08:48 |
noonedeadpunk | well, technically you could run *everything* with --skip-tags ceph-config, but that's quite unrealistic I would say | 08:51 |
anskiy | I can't -- secrets are deployed with this tag too | 08:51 |
anskiy | from the separate task-file tho | 08:51 |
noonedeadpunk | secrets you mean - ceph auth? | 08:52 |
anskiy | yeah | 08:52 |
noonedeadpunk | or `virsh secret-define`? | 08:52 |
noonedeadpunk | yeah, ceph-auth as well | 08:53 |
anskiy | ceph_auth.yml which is secret-define | 08:53 |
anskiy | https://opendev.org/openstack/openstack-ansible-ceph_client/src/branch/master/tasks/ceph_auth.yml#L68 | 08:53 |
anskiy | offtopic: so HCI case is the only requirement for ceph-install to be included in setup-infrastructure | 08:55 |
noonedeadpunk | "changing ceph_client role somehow to either do nothing if ceph.conf is already present" -> you can't really do that. As once role will place ceph.conf once, it will stop managing it afterwards, as "it exists". So maybe we can have some variable to skip ceph_config.yml but then it makes sense to skip keyrings (maybe)? as well. | 08:57 |
noonedeadpunk | Also this solution won't satisfy you in a year | 08:57 |
noonedeadpunk | as in a year you won't have all computes running ceph, so you will want to still ceph_client role to distribute ceph.conf somewhere | 08:57 |
anskiy | noonedeadpunk: this "in a year" POV sounds valid. And is kinda up for the quick fix route via ceph-ansible patch. Thank you! | 09:07 |
noonedeadpunk | that's how all HCI end up after some time - being desynced and impossible to plan hardware purchases and then rack becomes a mess as well | 09:09 |
anskiy | noonedeadpunk: well, that's kinda why I named it "compute nodes for poor" (as opposed to real HCI), as this is what I've had in here under the control of in-house "cloud" solution prior to deploying openstack | 09:21 |
anskiy | anyways, thanks! | 09:21 |
noonedeadpunk | anskiy: hm, I know that clusters are going to be deprecated, but you still can try to leverage them | 09:21 |
noonedeadpunk | then, ceph.conf will be placed under different name, and services will consume it (or original one) | 09:22 |
noonedeadpunk | https://opendev.org/openstack/openstack-ansible-ceph_client/src/branch/master/tasks/ceph_config.yml#L48 | 09:22 |
noonedeadpunk | by ceph_client role | 09:22 |
anskiy | yeah, and I think that while prototyping multi-AZ ceph clusters I was probably using it | 09:23 |
anskiy | so that would be another point in time where this thing would be reconsidered | 09:23 |
noonedeadpunk | yup, me too... | 09:24 |
noonedeadpunk | but that should kinda solve your usecase, as ceph.conf will be just 2 independent files | 09:24 |
noonedeadpunk | not conflicting with each other | 09:24 |
damnthem | gridthis10 | 09:26 |
* noonedeadpunk almost hears how someone is rotating passwords | 09:28 | |
* anskiy hears it loudly as damnthem sits next to him | 09:31 | |
halali | Hi, on 24.6.1 https://paste.openstack.org/show/bNTmYiye5SArceHhOmEs/ and 27.0.1 https://paste.openstack.org/show/bQ3V9oOJvi6HMfDBZkfX/ utility complaining on metadata-generation-failed | 09:44 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_tempest master: Adopt for usage openstack_resources role https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/889741 | 09:47 |
anskiy | halali: hey! The fix for that got merged after the release of 27.0.1: https://review.opendev.org/c/openstack/openstack-ansible-os_rally/+/887679 (so bootstrapping from stable/2023.1 should fix that problem), and for Xena there was no backport at all. | 10:17 |
halali | anskiy thanks :) | 10:45 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add openstack_resources role skeleton https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794 | 11:20 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_tempest master: Adopt for usage openstack_resources role https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/889741 | 11:20 |
opendevreview | Danila Balagansky proposed openstack/openstack-ansible stable/yoga: Restore an ability for HAProxy to bind on interal IP https://review.opendev.org/c/openstack/openstack-ansible/+/887577 | 11:23 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/yoga: Pin version of setuptools https://review.opendev.org/c/openstack/openstack-ansible/+/889022 | 11:40 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/yoga: Restore an ability for HAProxy to bind on interal IP https://review.opendev.org/c/openstack/openstack-ansible/+/887577 | 11:41 |
noonedeadpunk | anskiy: we shouldn't merge anything with CI jobs being completely off | 11:42 |
noonedeadpunk | at least to maintained branches | 11:42 |
anskiy | noonedeadpunk: sorry, I guess, I've missed that thing | 11:54 |
noonedeadpunk | nah, no worries, was mostly saying why I've rebased it again | 11:57 |
anskiy | it looks like when neutron-server is being run from within uwsgi, it doesn't produce any debug logs | 13:05 |
* anskiy was poking around the possibility of moving pyargv into uwsgi conf | 13:06 | |
halali | anskiy did not help | 13:10 |
anskiy | halali: could you please link the error again? | 13:11 |
noonedeadpunk | halali: on top of that you'd need to pin setuptools I guess | 13:11 |
noonedeadpunk | https://review.opendev.org/c/openstack/openstack-ansible/+/888332 | 13:12 |
halali | anskiy https://paste.openstack.org/show/bkBbS8CPPTHLzoYuqHil/ | 13:12 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add openstack_resources role skeleton https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794 | 13:35 |
damiandabrowski | our rally-openstack patch got merged today \o/ | 14:00 |
damiandabrowski | https://review.opendev.org/c/openstack/rally-openstack/+/887530 | 14:00 |
noonedeadpunk | sweet | 14:05 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add openstack_resources role skeleton https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794 | 14:17 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_octavia master: Adopt for usage openstack_resources role https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/889879 | 15:11 |
*** cloudnull4 is now known as cloudnull | 17:58 |