Wednesday, 2023-09-06

[00:04] <opendevreview> Merged openstack/openstack-ansible-os_keystone master: Install distro_packages in pre-main  https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/889934
[00:10] <opendevreview> Merged openstack/openstack-ansible-os_nova master: Config has changed for pci passthrough.  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/893797
[00:31] <opendevreview> Merged openstack/openstack-ansible-os_neutron master: Fix linters and metadata  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/888729
[00:37] <opendevreview> Merged openstack/openstack-ansible-os_aodh master: Fix linters and metadata  https://review.opendev.org/c/openstack/openstack-ansible-os_aodh/+/888471
[07:39] <jrosser> good morning
[07:43] <jrosser> can we merge this without updating ansible first? https://review.opendev.org/c/openstack/openstack-ansible/+/892373
[07:43] <jrosser> or should i make a patch to separately bump the plugins repo SHA
[07:44] <noonedeadpunk> o/
[07:45] <noonedeadpunk> jrosser: we can't as is, so yeah, we need a separate patch to just update plugins
[07:45] <jrosser> ok
[07:45] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2023.1: Fix container bridge name for octavia  https://review.opendev.org/c/openstack/openstack-ansible/+/893767
[07:45] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/zed: Fix container bridge name for octavia  https://review.opendev.org/c/openstack/openstack-ansible/+/893768
[07:46] <noonedeadpunk> we actually just need to fix adjutant to merge the patch in topic
[07:46] <noonedeadpunk> ans core bump itself
[07:48] <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Bump SHA for openstack-ansible-plugins collection  https://review.opendev.org/c/openstack/openstack-ansible/+/893835
[07:48] <noonedeadpunk> hm, I wonder why we still have diskfull on rocky upgrade... I hoped it to be fixed with ovs upgrade that landed on zed
[07:48] <jrosser> for adjutant we were needing some upgrade job fixes as i recall?
[07:48] <noonedeadpunk> Yeah, and we can do that now
[07:49] <noonedeadpunk> as fix for 2023.1 landed now
[07:56] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2023.1: Update Adjutant and Neutron SHAs  https://review.opendev.org/c/openstack/openstack-ansible/+/893837
[07:56] <noonedeadpunk> ^
[07:59] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump ansible-core to 2.15.3 and ansible-lint  https://review.opendev.org/c/openstack/openstack-ansible/+/892371
[08:01] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump ansible collection versions  https://review.opendev.org/c/openstack/openstack-ansible/+/892373
[08:15] <noonedeadpunk> hm.... somehow it's still ovs 2.17 that's installed on zed....
[09:42] <noonedeadpunk> but in aio I get 3.1
[09:42] <noonedeadpunk> hm
[09:43] <noonedeadpunk> are we upgrading from yoga then.....
[09:43] <noonedeadpunk> that should be a separate job though
[09:46] <jrosser> looks like we are missing some calls to `log_instance_info`
[09:47] <jrosser> there are a few through the job but unhelpfully not one at the end
[10:06] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Fix typo for  vpnaas_custom_config distribution  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/893856
[10:43] <farbod> Hello, Can somebody help me in deployment?
[10:47] <farbod> I will be very thankful
[10:48] <jrosser> farbod: just ask :)
[10:48] <farbod> OK :)
[10:49] <farbod> i am stuck at openstack-ansible setup-openstack.yml step.
[10:49] <farbod> here is the error:
[10:49] <farbod> TASK [openstack.osa.mq_setup : Add RPC RabbitMQ user] ****************************************************************************************************************
[10:49] <farbod> fatal: [infra1_glance_container-9054d3f8 -> infra1_rabbit_mq_container-ace2411f(172.29.236.151)]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
[10:49] <jrosser> please use paste.opendev.org
[10:49] <jrosser> for anything large
[10:50] <farbod> 🆗️
[10:50] <farbod> I searched a lot and didn't find any answer
[10:51] <farbod> I changed no_log: true in the playbooks/rabbitmq-install.yml but nothing changed
[10:52] <jrosser> no_log: true will make there be no log
[10:52] <jrosser> and the actual task failing is in the openstack-ansible collection, not in the playbook
[10:52] <farbod> i changed it to false. but still there is no log
[10:53] <farbod> where can i find that collection
[10:53] <jrosser> you can see that because the task is openstack.osa.mq_setup
[10:53] <jrosser> farbod: can i ask which release you are running?
[10:53] <noonedeadpunk> farbod: what version?
[10:53] <noonedeadpunk> yeah :)
[10:53] <jrosser> :)
[10:55] <farbod> i am following documentation for deploying and using git clone -b master https://opendev.org/openstack/openstack-ansible /opt/openstack-ansible for deploying on debian 11 with two nodes
[10:55] <noonedeadpunk> aha, master
[10:55] <noonedeadpunk> we have a bug on master :)
[10:55] <jrosser> ok, so 'master' is the development branch
[10:55] <jrosser> this is where we/you could do work for the next stable release
[10:55] <noonedeadpunk> this patch is needed there https://review.opendev.org/c/openstack/openstack-ansible/+/893835
[10:56] <farbod> ohom i get it
[10:56] <noonedeadpunk> I would suggest to use stable/2023.1
[10:56] <jrosser> if you want to instead test for a production deployment then one of the stable branches is probably what you want
[10:56] <jrosser> ^ like that
[10:56] <farbod> where to pull that stable version?
[10:56] <jrosser> they are different branches in the same repo
[10:56] <farbod> there is nothing in openstack-ansible deployment versioning in documentation
[10:57] <farbod> oh i found the branch
[10:57] <jrosser> the documentation is also branched rather than one document for all branches
[10:57] <jrosser> https://docs.openstack.org/openstack-ansible/latest/user/aio/quickstart.html
[10:57] <jrosser> ^ latest really refers to master branch there
[10:57] <farbod> i see
[10:57] <jrosser> this would be the most recent stable branch https://docs.openstack.org/openstack-ansible/2023.1/user/aio/quickstart.html
[10:57] <farbod> thanks
[10:58] <farbod> let me check it
[10:58] <jrosser> we are about to make a significant bugfix release on 2023.1 so if you run into any difficulty please ask
[10:59] <farbod> Thanks
[11:04] <jrosser> noonedeadpunk: more fun with member role https://github.com/ceph/ceph-ansible/blob/main/profiles/rgw-keystone-v3#L16
[11:04] <jrosser> not a problem for OSA deployed ceph i think, but anyone who takes the ceph-ansible examples and uses them will have trouble, it seems thats case sensitive
[11:15] <noonedeadpunk> yeah, true
[11:15] <noonedeadpunk> worth pushing a PR for that
[11:17] <jrosser> i have memory of admin1 maybe getting difficulty with something like this
[11:25] <opendevreview> Merged openstack/openstack-ansible stable/2023.1: Do not add all computes as OVN gateways  https://review.opendev.org/c/openstack/openstack-ansible/+/893547
[11:59] <farbod> so by changing the branch my last problem solved! Thanks a lot.
[12:00] <farbod> but now there is another problem
[12:00] <farbod> https://paste.opendev.org/show/balXyfhEWLNXp3kbk9C3/
[12:00] <farbod> take a look at this
[12:08] <farbod> my first node interfaces config: https://paste.opendev.org/show/bSmIAu2x5ynAldyT9R45/
[12:08] <farbod> second node interfaces config: https://paste.opendev.org/show/bu6XRfsGmVbHDCt2gR1D/
[12:08] <farbod> user config yml file: https://paste.opendev.org/show/bVbYmvqpzPDmjU5VvDBv/
[12:12] <noonedeadpunk> jrosser: regarding mariadbcheck@ - eventually from what I got from systemd docs - they recommend not to use `accept` for newly designed applications
[12:12] <noonedeadpunk> so if that would be a proper daemon that does not require accept - we could remove template
[12:13] <noonedeadpunk> it's matter of refactoring and using dummy flask or aiohttp or smth like that...
[12:13] <noonedeadpunk> so that's by far best alternative...
[12:14] <noonedeadpunk> farbod: huh, I _really_ saw that 3 times in last 2 weeks... We should finally update docs to reflect OVN setup...
[12:14] <farbod> is the problem with br_vlan?
[12:14] <noonedeadpunk> farbod: I think main issue is with openstack_user_config
[12:15] <noonedeadpunk> the config you've made is valid for OVS/LXB drivers, but not for OVN
[12:15] <farbod> i dont understand the role of this br_vlan bridge :)
[12:15] <noonedeadpunk> And there're 2 ways around that: 1. Add override to use OVS 2. Fix config to be applicable for OVN
[12:15] <farbod> i am kinda noob in these things :) can you explain more?
[12:17] <noonedeadpunk> For the first thing - you need to add this to user_variables: https://paste.openstack.org/show/bEJxwE5J3z3SZ4YPnO6T/
[12:17] <noonedeadpunk> for the second it needs slightly more effort
[12:17] <noonedeadpunk> farbod: so neutron does have quite some network drivers, that are conceptually different
[12:18] <noonedeadpunk> most popular ones are OVS and OVN
[12:20] <farbod> i have these two servers connected together with Hetzner vswitches. So VLAN IDs like 4020 are for that. What should i do in addition to these configuration?
[12:20] <noonedeadpunk> we have switched default to OVN lately, but didn't update docs to reflect that yet
[12:21] <noonedeadpunk> So I would suggest checking what you actually want. If you don't mind any option - you can stick with default OVN and I can guide you through configuration for that
[12:21] <farbod> yes it doesnt matter for me to what it should be
[12:21] <farbod> i am trying to learn and work with Openstack
[12:24] <noonedeadpunk> ok, then I'd suggest OVN. While we have limited experience here, "it's future"
[12:25] <farbod> ok
[12:25] <noonedeadpunk> Give me couple of mins to adjust your config
[12:25] <farbod> Thanks a lot.
[12:27] *** dviroel_ is now known as dviroel
[12:28] <noonedeadpunk> smth like that might work https://paste.openstack.org/show/b2mRNxVFs2X9Pvh6nKBT/
[12:29] <farbod> Thank you
[12:29] <farbod> but my question is what is br_vlan network?
[12:29] <farbod> and why we should use it?
[12:31] <noonedeadpunk> you can skip it if it's not needed in your usecase
[12:32] <noonedeadpunk> But generally it's to allow having multiple external networks
[12:32] <farbod> On the other hand, is there a need to change the user variables file?
[12:32] <noonedeadpunk> and you can also skip flat network from other side and always use just vlans
[12:32] <noonedeadpunk> So your current openstack_user_config is valid only for linuxbridges
[12:32] <noonedeadpunk> if you want to have OVS or OVN instead - it must be changed
[12:33] <farbod> Let me test it
[12:33] <noonedeadpunk> if you're fine with linuxbridges - then you should add an override to use them instead of OVN that is default
[12:34] <farbod> i don't understand. Now with your config what should user variables be?
[12:34] <opendevreview> Merged openstack/openstack-ansible-os_neutron master: Retry applying OVN connection settings  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/893667
[12:34] <noonedeadpunk> Though, changes to openstack_user_config would require to re-generate (or better wipe) inventory, which is kind of - start from scratch approach, since containers should be also deleted when inventory is fully wiped
[12:34] <noonedeadpunk> with my adjustments it should work for OVN
[12:35] <noonedeadpunk> with variables I've pasted here https://paste.openstack.org/show/bEJxwE5J3z3SZ4YPnO6T/ - for linuxbridges and ovs
[12:35] <noonedeadpunk> as I said - there're multiple things you can do
[12:36] <farbod> Sorry for taking your time
[12:36] <farbod> but
[12:37] <farbod> Imagine i have a subnet assigned to one of the hosts
[12:37] <farbod> how can i set this IPs for Openstack instances?
[12:37] <farbod> i mean a public subnet
[12:41] <opendevreview> Merged openstack/openstack-ansible stable/2023.1: Fix container bridge name for octavia  https://review.opendev.org/c/openstack/openstack-ansible/+/893767
[12:43] <noonedeadpunk> farbod: so. you need to create a network in neutron. When creating a network - you can supply if it's flat network or vlan. And tell that it is external network
[12:43] <noonedeadpunk> If it is vlan - you will be able to supply tag id
[12:43] <noonedeadpunk> if it's flat - then interface will be taken and added to bridge
[12:43] <farbod> I get it. Thanks!
[12:44] <noonedeadpunk> for vlan neutron will create an interface with required tag id and add it to the bridge as well
[12:44] <noonedeadpunk> so, you can't have same interface defined for vlan and flat network, just in case
[12:45] <noonedeadpunk> as if flat is part of the bridge, neutron will fail to create a vlan interface
[12:45] <farbod> aha
[12:45] <farbod> also you said i have to delete inventory and containers
[12:45] <farbod> how to do that
[12:46] <farbod> i deleted the inventory .json file in /etc/openstack_deploy
[12:46] <farbod> and delete containers with openstack-ansible lxc-containers-destroy.yml
[12:46] <farbod> but i encounter errors in setup hosts step
[12:46] <noonedeadpunk> um
[12:47] <noonedeadpunk> you first delete containers, then delete inventory....
[12:47] <noonedeadpunk> if you've already dropped containers....
[12:48] <noonedeadpunk> then maybe try smth like that `for cont in $(lxc-ls -1); do lxc-stop -n ${cont}; lxc-destroy -n ${cont}; done`
[12:48] <opendevreview> Merged openstack/openstack-ansible-os_adjutant stable/2023.1: Use proper galera port in configuration  https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/892474
[12:48] <farbod> 👍️
[12:49] <noonedeadpunk> also - before running playbooks again - can you share new inventory, or better output of /opt/openstack-ansible/scripts/inventory-manage -G
[12:49] <farbod> yes, wait
[12:54] <opendevreview> Merged openstack/openstack-ansible-os_adjutant stable/2023.1: Stop reffering _member_ role  https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/892099
[12:55] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2023.1: Update Adjutant and Neutron SHAs  https://review.opendev.org/c/openstack/openstack-ansible/+/893837
[12:59] <farbod> noonedeadpunk: I didn't find the file
[12:59] <noonedeadpunk> what file?
[13:00] <farbod> this /opt/openstack-ansible/scripts/inventory-manage it says it doesnt exist
[13:00] <noonedeadpunk> ah, it's inventory-manage.py
[13:01] <farbod> https://paste.openstack.org/show/bMqFGo8u7htfTk79Kxss/
[13:02] <noonedeadpunk> um... output of execution with flag `-G`
[13:02] <noonedeadpunk> `/opt/openstack-ansible/scripts/inventory-manage.py -G`
[13:03] <farbod> https://paste.openstack.org/show/bN0tP6uEYCtORa6EAWk2/
[13:04] <noonedeadpunk> do you have `network-gateway_hosts` in openstack_user_config?
[13:05] <farbod> network-gateway_hosts:
[13:05] <farbod>   compute1:
[13:05] <farbod>     ip: 172.29.236.12
[13:05] <noonedeadpunk> Just in case - I was referring to this doc for OVN configuration: https://docs.openstack.org/openstack-ansible-os_neutron/latest/app-ovn.html
[13:05] <farbod> yes
[13:05] <noonedeadpunk> ok, can you try to run /opt/openstack-ansible/inventory/dynamic_inventory.py and the check output of inventory-manage.py -G again?
[13:06] <farbod> yes
[13:06] <noonedeadpunk> As I don't see compute there at all for some reason
[13:09] <opendevreview> Merged openstack/openstack-ansible stable/zed: Fix container bridge name for octavia  https://review.opendev.org/c/openstack/openstack-ansible/+/893768
[13:18] <farbod> This time only this error: TASK [os_neutron : Setup Network Provider Bridges] *******************************************************************************************************************
[13:18] <farbod> fatal: [compute1]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: list object has no element 1\n\nThe error appears to be in '/etc/ansible/roles/os_neutron/tasks/providers/setup_ovs_ovn.yml': line 55, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Setup Network Provider Bridges\n  ^ here\n"}
[13:20] <jamesdenton> hi farbod did you happen to share your openstack_user_config.yml and user_variables.yml already?
[13:20] <farbod> i changed it. let me share it again
[13:20] <farbod> use config: https://paste.opendev.org/show/bHpUizqytme2CVxNv62q/
[13:21] <jamesdenton> and the other?
[13:21] <opendevreview> Marc Gariépy proposed openstack/openstack-ansible-os_nova stable/2023.1: Config has changed for pci passthrough.  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/893773
[13:21] <opendevreview> Marc Gariépy proposed openstack/openstack-ansible-os_nova stable/zed: Config has changed for pci passthrough.  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/893774
[13:21] <farbod> user variable: https://paste.opendev.org/show/bP8FTleM8igiUuXzuOVw/
[13:21] <jamesdenton> ok
[13:21] <jamesdenton> thanks
[13:22] <jamesdenton> so, in openstack_user_config.yml you are missing the neutron provider bridge definition. That section of the config is a little tricky, as 'provider_network' is a misnomer.. but essentially, you want to use that spot to add what will become "br-ex" or "br-provider" for OVS
[13:22] <jamesdenton> one sec
[13:23] <farbod> also my network configs is up there
[13:26] <jamesdenton> ok, check this out: https://paste.opendev.org/show/bjw3b5ncP6dbhj34ltJU/
[13:26] <jamesdenton> i added a section and added comments
[13:26] <jamesdenton> you can change as values to fit your environment
[13:26] <jamesdenton> *change the values
[13:27] <farbod> can you explain it more?
[13:27] <farbod> did you check my network configs?
[13:28] <jamesdenton> i'm not sure :D
[13:28] <jamesdenton> one sec
[13:28] <noonedeadpunk> jamesdenton: but I guess it fails on br-vxlan?
[13:28] <noonedeadpunk> as it can't fail on smth that is not defined
[13:29] <jamesdenton> i wouldn't expect br-vxlan to be eligible
[13:29] <jamesdenton> need to look at that task
[13:30] <noonedeadpunk> it's failing here basically farbod: container_interface should be a valid interface
[13:30] <jamesdenton> farbod you are hampered by the use of a single interface on each node
[13:30] <farbod> unfortunately yes. i only have one interface
[13:31] <noonedeadpunk> farbod: I would add `host_bind_override` to br-vxlan network, that would be a proper interface on the host
[13:31] <jamesdenton> that's only for linuxbridge
[13:31] <jamesdenton> and container_interface isn't needed without lxc
[13:31] <noonedeadpunk> jamesdenton: we have _exact_ same query on our ML from yesterday fwiw
[13:32] <jrosser> this is all virtualised, right? `farbod> i have these two servers connected together with Hetzner vswitches`
[13:32] <farbod> servers are baremetal
[13:32] <farbod> but connections are on vswitches
[13:32] <jrosser> but the environment limits you to one interface?
[13:32] <farbod> yes
[13:33] <noonedeadpunk> jamesdenton: I tried to look into our code yesterday, and bridge_mapping (where it fails) https://opendev.org/openstack/openstack-ansible-os_neutron/src/branch/master/tasks/providers/setup_ovs_ovn.yml#L64-L74
[13:33] <jamesdenton> looking at that now, too
[13:33] <noonedeadpunk> was produced by net['network']['net_name'] and net['network']['container_bridge']
[13:33] <jamesdenton> neutron_provider_networks.network_mappings is defined
[13:33] <jrosser> right so thats another factor to take into account when designing this, as probably some stuff is required that would not otherwise be for "real" servers/switches
[13:33] <noonedeadpunk> OR net['network']['host_bind_override']
[13:34] <noonedeadpunk> farbod: and can you have vlans?
[13:34] <farbod> vswitches are on vlans right now
[13:35] <farbod> https://paste.opendev.org/show/bSmIAu2x5ynAldyT9R45/
[13:35] <farbod> look at this infra node network config
[13:35] <jamesdenton> you can try to add the bits i suggested, just remove the network_interface line
[13:35] <noonedeadpunk> yeah, so you just need to have couple of them - one for mgmt network, another for public and preferably for internal tenant networks (vxlans)
[13:35] <jamesdenton> i think that might get it working, just need to look at the logic to confirm
[13:36] <farbod> jamesdenton: sorry i didnt understand:) what changes?
[13:36] <jamesdenton> https://paste.opendev.org/show/bjw3b5ncP6dbhj34ltJU/
[13:37] <jamesdenton> Line 22
[13:37] <jamesdenton> just remove lines 24 and 26
[13:38] <farbod> like this? https://paste.opendev.org/show/bY40y4SUzN6xI9JIhTgd/
[13:39] <jamesdenton> yes. might wanna remove the comments, too
[13:39] <farbod> ok
[13:40] <farbod> but whats the purpose of this?
[13:40] <farbod> it's not in documentation
[13:40] <farbod> i am kinda noob sorry :)
[13:40] <noonedeadpunk> jamesdenton: if you have a minute, can you kindly check this ML as well:) as apparently I've missed br-ex there as well: https://lists.openstack.org/pipermail/openstack-discuss/2023-September/034956.html
[13:40] <jamesdenton> i absolutely will
[13:40] <jamesdenton> farbod it's possible the documentation needs to be updated
[13:40] <jamesdenton> or the logic needs to not assume a provider network bridge is defined
[13:41] <farbod> ok let me test it
[13:42] <farbod> for another deployment i need to delete containers and inventory only?
[13:42] <jamesdenton> you should just re-run os-neutron-install.yml
[13:43] <farbod> no need to change network configs?
[13:44] <jamesdenton> i am testing on my side, too
[13:44] <jamesdenton> no other changes, the goal is just to get the playbook to finish
[13:44] <jamesdenton> but there will be other changes ultimately needed
[13:45] <jamesdenton> ok, i was able to replicate
[13:45] <farbod> ?
[13:48] <jamesdenton> ok, there's a logic difference between ovs and ovn. noonedeadpunk https://github.com/openstack/openstack-ansible-os_neutron/blob/master/tasks/providers/ovs_config.yml#L27 vs https://github.com/openstack/openstack-ansible-os_neutron/blob/master/tasks/providers/setup_ovs_ovn.yml#L74
[13:48] <jamesdenton> farbod you can proceed with that change
[13:48] <noonedeadpunk> ugh
[13:48] <farbod> OK i am testing
[13:48] <noonedeadpunk> jamesdenton: checking length sounds reasonable
[13:49] <jamesdenton> i will push a change in a sec
[13:49] <noonedeadpunk> I can answer a ML if you want :)
[13:50] <noonedeadpunk> (but you're the knowledgeable one so appreciated if you have a minute to do that)
[13:50] <jamesdenton> sure, i don't mind
[13:51] <farbod> Oh boy
[13:51] <farbod> it's a huge project
[13:51] <farbod> how you guys
[13:51] <jamesdenton> lots of moving pieces, but with time and experience comes knowledge. it's not so bad :)
[13:51] <farbod> How do you guys handle it?
[13:52] <farbod> yes I became interested in it
[13:52] <jamesdenton> well, this is how you do it.
[13:52] <jamesdenton> install it. break it. fix it. do it again
[13:52] <farbod> yes
[13:53] <farbod> I would love to reach your level so that I can at least contribute to the project
[13:54] <opendevreview> James Denton proposed openstack/openstack-ansible-os_neutron master: Check length of network_mappings  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/893924
[13:55] <jamesdenton> farbod the change you made will help get the playbook to finish, but it will not result in a completely functional setup. You might be able to create VMs and attach the vxlan networks, but without a provider network you can't use floating IPs
[13:57] <farbod> you mean i need a NIC to be able to assign public IPs?
[14:00] <jamesdenton> you would need a VLAN that has a subnet that's useable for external floating IPs
[14:00] <jamesdenton> public or private
[14:01] <jamesdenton> in a lab, that network might be 192.168.1.0/24 and routable from within your home/work, and the vm network might be 172.16.0.0/24 that isn't. The router assigns a 1:1 NAT from the floating IP network -> tenant network
[14:02] <jamesdenton> there are some fundamental openstack concepts that need to be looked at before diving into the actual deployment processes
[14:02] <farbod> So if i add another VLAN with provided Vswitch like enp8s0.4040 i can assign IPs from that network?
[14:02] <jamesdenton> you could, potentially.
[14:03] <farbod> How configs would be?
[14:05] <jrosser> jamesdenton: whilst you're around i could do with some advice on AIO+octavia with OVN
[14:06] <jamesdenton> yeeeeah, hadn't thought about that one
[14:06] <jrosser> or rather AIO(lxc)+octavia
[14:06] <jamesdenton> what are we doing now for OVS?
[14:06] <jrosser> well i'm not totally sure :)
[14:06] <jamesdenton> lol
[14:06] <jrosser> yeah
[14:06] <jamesdenton> but it's working? maybe?
[14:07] <jrosser> deal with these other things is you're in the middle of it ^^^^
[14:07] <jamesdenton> is this the need to make sure the lbaas mgmt network is reachable?
[14:07] <jrosser> i think so
[14:07] <jrosser> there is also this https://review.opendev.org/c/openstack/openstack-ansible/+/893315
[14:08] <jrosser> i guess i'm just uncertain atm if the LXC AIO works for octavia
[14:08] <jrosser> as all we test is metal
[14:09] <jamesdenton> are there actually functional tests?
[14:09] <jrosser> i think so https://github.com/openstack/openstack-ansible/blob/master/tests/roles/bootstrap-host/templates/user_variables_octavia.yml.j2#L14
[14:10] <jrosser> though i am running a very complicated AIO config just now and we know that the role tempest tests trample all over each other
[14:10] <jrosser> so i think that the alphabetically last user_variables* will be the one which has tests that actually run
[14:11] <jrosser> but regardless
[14:11] <jamesdenton> ok, i'll prob need to roll an AIO/OVS w/ LXC and Metal to compare what works and doesn't
[14:11] <jrosser> i think i just try to understand how br-lbaas is supposed to be with OVN
[14:11] <jamesdenton> and try to get OVN going, too.
[14:11] <jamesdenton> IIRC there was an IP on a provider bridge for lbaas that allowed the octavia worker to hit those VMs
[14:12] <jrosser> as it has to be hooked to the containers but also a neutron flat network via OVN
[14:12] <jamesdenton> right, it's a little convoluted. I think it will end up working the same way, ultimately, as OVS
[14:12] <jrosser> hmm i see
[14:14] <jamesdenton> i need to refresh my memory, been a very long time
[14:14] <jrosser> indeed
[14:14] <jamesdenton> but is the aio_lxc_octavia scenario enough?
[14:14] <jrosser> i believe so yes
[14:14] <jrosser> i am still totally with my head in linuxbridge unfortunately
[14:14] <jrosser> so still trying to grok all the OVS/OVN parts
[14:15] <jamesdenton> understandable
[14:21] <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2023.1: Update Adjutant and Neutron SHAs  https://review.opendev.org/c/openstack/openstack-ansible/+/893837
[14:24] <farbod> You guys saved my life
[14:24] <farbod> it finally finished
[14:25] <farbod> and i accessed the dashboard
[14:25] <farbod> Thanks a lot
[14:25] <jamesdenton> woot
[14:25] <jamesdenton> you found a bug, so thank you
[14:27] <farbod> Actually, I was surprised by all the support
[14:28] <farbod> you guys are perfect
[14:28] <jrosser> farbod: the networking really is one of the most complicated bits to understand
[14:28] <noonedeadpunk> ++
[14:28] <farbod> yeah
[14:29] <noonedeadpunk> especially for the long run
[14:29] <jrosser> because there are so many options and possible use cases, and everyone has different requirements
[14:29] <jrosser> and all of the possibilities in openstack we try to expose through openstack-ansible
[14:29] <farbod> so what that br-ex bridge did exactly?
[14:29] <jrosser> but that can make the config appear a bit abstract in order to support all these things
[14:30] <farbod> what if i wanted to use a a network with IPs on it for assigning them to instances?
[14:32] <jrosser> farbod: you mean some already existing network that you want to connect to your openstack?
[14:32] <jamesdenton> the provider bridge (br-ex) exposes neutron resources to the physical network. For the self-service model, a tenant creates a tenant network (vxlan), creates a VM and attaches to the tenant network. The tenant creates a vRouter, attaches the tenant network on one side (LAN) and connects router to the provider network to the (WAN) side
[14:34] <farbod> is this br-ex same as br-vlan?
[14:34] <jamesdenton> not quite? it's complicated :D
[14:34] <jrosser> farbod: ^ this is another great thing to think about "For the self-service model...." <- if you are building a cloud for many users and projects who all create virtual networks / routers / etc themselves this is great, and you design for it
[14:35] <jamesdenton> for openstack-ansible, there are a set of LINUX bridges used to connect LXC containers to the physical network and other hosts. But if you're not using LXC, then br-vlan and other linux bridges like it are less important
[14:35] <jrosser> on the other hand if you are doing something like telco perhaps where network performance is key and there is no multitenancy, you might make very different choices
[14:35] <jamesdenton> +1
[14:35] <jamesdenton> we don't really call out those differentiators very well in the docs
[14:36] <farbod> aha
[14:36] <farbod> understand
[14:36] <jrosser> probably good to consider openstack a bit of a toolbox
[14:37] <jrosser> so some learning the parts then assembling what you need to meet a specific use case well is a good approach
[14:37] <jrosser> or take some advice from people with similar goals
[14:37] <farbod> so imagine i have a enp8s0.4040 along side other VLANS. How to connect it to the br-ex to use the IPs on that network?
[14:38] <jamesdenton> good question.
[14:38] <jamesdenton> Neutron can handle VLAN tagging for you. When you create a provider network it gets a VLAN ID. When br-ex contains enp8s0, OVS/OVN can tag traffic as 4040 for that provider network, and 4041 for another, etc
[14:39] <jamesdenton> if br-ex contains enp8s0.4040 directly, then you are limited to only vlan 4040 and neutron won't tag. It would then be a FLAT provider network vs a VLAN provider network
[14:39] <farbod> OK
[14:39] <jamesdenton> doable, but less flexible
[14:39] <farbod> and how to set it in user conf .yml file?
[14:44] <jamesdenton> farbod https://paste.opendev.org/show/bpaUpXY1t64vx1TSzQZk/
[14:44] <jamesdenton> i recommend looking around for openstack networking essentials to get an idea of what it looks like
[14:45] <farbod> Yes i surely do
[14:46] <farbod> Now as a test how to run an instance?
[14:46] <jrosser> jamesdenton: https://paste.opendev.org/show/bmAtcVVQ7aCiN1LcPHGv/
[14:46] <jamesdenton> jrosser i'm guessing br-lbaas exists as a linux bridge already?
[14:46] <jrosser> yes it does, that created by the bootstrap-aio things
[14:46] <jamesdenton> and also an ovs bridge
[14:47] <jrosser> indeed
[14:47] <jamesdenton> which might be why it was called br-octavia
[14:47] <jamesdenton> for ovs
[14:47] <jrosser> argh
[14:47] <jrosser> ok well that blew up in a different way
[14:47] <admin1> don't osa workaround was to add br-lbaas as a vtep to br-vlan ?
[14:47] <jamesdenton> there is some veth shenanigans iirc
[14:47] <admin1> and initialized via rc.local
[14:47] <jrosser> jamesdenton: oh well my patch might be totally bogus fix then
[14:47] <admin1> i still use those .. in absence of a better way
[14:48] <jamesdenton> jrosser which scenario was failing?
[14:48] <jrosser> something like aio_lxc_octavia broke locally for me
[14:48] <jamesdenton> admin1 in prod make the lbaas mgmt network routable, but thats trickier in aio
[14:48] <jrosser> therefore the comment in my patch that we don't test the LXC scenario
[14:49] <jamesdenton> ok, and thats LXC+OVN now, right?
[14:49] <jrosser> it is
[14:49] <jamesdenton> kk
[14:49] <jamesdenton> i will look at that today
[14:49] <jrosser> awesome thanks
[14:49] <admin1> i do have lxc + ovn + with dual lb providers .. octavia and ovn .. both work
[14:49] <admin1> ovn is all manual setup via cli only
[14:49] <admin1> ovn lb
[14:50] <admin1> just below my desk is signed book from jamesdenton :D
[14:50] <jamesdenton> as a foot rest, i hope
[14:50] <admin1> you need to do a new book covering ovb for the next summit jamesdenton ..
[14:50] <jamesdenton> keeps the desk from wobbling
farbodSorry, Another question. There is nothing to show in the dashboard as images or flavors for creating an instance. even there is not an active network14:50
admin1farbod , that is by default 14:51
farbodSo how to test it out?14:51
jamesdentonfarbod thats because you need to upload images, create flavor and network14:51
admin1you need to do all those yourself, as those differ per providers14:51
jrosserthe tempest role would load up cirros and make some tiny flavors?14:51
jamesdentoni recommend the all-in-one14:51
jrosserbut in general this is the point where something external is expected to set stuff up14:52
admin1farbod https://docs.openstack.org/install-guide/launch-instance.html14:52
jrosserwhich can be as simple as you clicking around horizon14:52
jrosseror as complicated as some bunch of further automation14:52
farbodAha Thanks14:52
jrossera whole load of things also might not be possible through horizon14:52
jrosserso it's worth getting familiar with the command line tools that get installed into the "utility" host14:53
admin1farbod , and more -> https://docs.openstack.org/glance/pike/admin/index.html14:54
farbod👍️14:54
admin1sorry .. ignore the pike, use the latest version you have installed14:54
admin1https://docs.openstack.org/operations-guide/14:55
jrosserjamesdenton: from memory the octavia lxc fails to start because it cannot find attach to br-octavia14:57
jrossersomething like that14:57
admin1jamesdenton, jrosser, are you trying to fix/setup br-octavia without veth and in an automated way ? 14:58
jrosseradmin1: i want to the AIO to work out of the box for octavia+OVN14:58
jrosserwith LXC14:58
admin1aha .. that means 1 more dedicated network just for octavia ? 14:59
jrosserwell, i understand how it used to be for linuxbridge15:00
jrosserbut not how it should be for OVN15:00
farbodcan i upload images from URL?15:01
noonedeadpunkYou can with interoperable import feature15:02
noonedeadpunkthere's a web-download method: https://docs.openstack.org/glance/latest/admin/interoperable-image-import.html#image-import-methods15:03
noonedeadpunkthough you'd need to define some overrides for that15:03
noonedeadpunkYou can define `glance_glance_image_import_conf_location` as absolute path on localhost with config for interoperable import 15:04
noonedeadpunkalso likely you'd need to set `glance_use_uwsgi: false`15:04
farbodhow to change the configs to be able to download it from dashboard?15:05
johnsomjrosser Not sure if this is helpful or not, but here is the neutron devstack setup for the lb-mgmt-subnet on OVS/OVN: https://github.com/openstack/neutron/blob/master/devstack/lib/octavia15:05
johnsomMaybe that will give some hints/ideas15:06
admin1jrosser, this still works , even for ovn -> https://www.openstackfaq.com/openstack-octavia/15:06
admin1i am still using this same method for ovs as well as ovn 15:07
jamesdentonthanks15:07
jamesdentonultimately might end up doing the same thing, not sure what's busted, yet15:07
farbodhow to use this openstack command for management?15:08
noonedeadpunkthere's `--import` flag for openstack image create command15:09
farbodyes i found it15:09
noonedeadpunkBut I'm really not sure if all options are possible15:10
farbodbut how to use openstack command15:10
farbodwhere to use it15:10
farbod?15:10
noonedeadpunkas IIRC you'd need to supply an url...15:10
noonedeadpunkwe pre-install all clients inside utility container15:10
noonedeadpunkso you need to lxc-attach -n <utility_name> 15:10
admin1farbod, in order ... create flavors .. create images .. with this 2, u should be able to launch vms that can talk to each other ( with correct security group applied) .. for vms -> internet, you need to add provider network that can route 15:10
noonedeadpunkthen `source /root/openrc` 15:10
noonedeadpunkand feel free to use openstack command15:10
farbodwhich utility container has this connection to cluster?15:11
farbodoh oh15:11
farbodi found it15:11
farbodsorry :)15:11
admin1neutron_lbaas_octavia: true -- also needs to be set .. without this, ovn will be detected 15:11
admin1and used 15:11
jamesdentonjohnsom https://github.com/openstack/octavia/blob/master/devstack/plugin.sh#L475 looks like this will be helpful, too. thanks15:11
admin1dual providers for octavia -> https://gist.github.com/a1git/725599d5b08994766a5a5bab25ad43da ( but not yet in osa ) .. would love to do it in osa also 15:21
jrosseradmin1 why can’t you do that in osa?15:22
jamesdentonbecause this needs to be addressed: https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/86846215:25
jamesdenton(my fault)15:25
farbodThank you guys for today. I finally deployed a test cluster with the help of you. I really appreciate that. Thanks a lot and Goodbye.15:27
jamesdentongood luck!15:27
admin1do you plan to address it soon jamesdenton ? 15:29
jamesdentonuhhhhh15:29
jamesdentoni will take a fresh look at it15:30
admin1thanks jamesdenton .. 15:30
jrosseroh hmm yes that patch has some unusual choices for variable names15:40
jamesdentoni think i was trying to leverage existing neutron-generated certs15:41
jamesdentonfor reasons i can't remember15:41
jrosseri wonder if it has to talk directly to OVN cluster15:42
jamesdentonoh yeah, octavia needed the ovn certs/keys in its config15:42
jrosserimho that needs to be all made *much* clearer what is going on15:44
opendevreviewJames Denton proposed openstack/openstack-ansible-os_neutron master: Fix l3 agent group determination for vpnaas  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/89393815:44
jrosseras this is an interesting example, a thing that is not part of OVN as such but needs to interact with it via SSL15:44
jamesdenton+1 certainly can be made better. have to context switch a bit to get back there15:45
opendevreviewJonathan Rosser proposed openstack/openstack-ansible master: Ensure tempest include and exclude lists all use unique names  https://review.opendev.org/c/openstack/openstack-ansible/+/89396816:30
admin1is trove working good with osa ? 16:30
jamesdentonlet us know :D16:32
admin1:) 16:32
admin1ok 16:32
jamesdentonjrosser do you recall offhand where the lxc configuration files live?16:34
jrosseri think it's /var/lib/lxc/*/config16:35
jamesdentonthanks16:36
jamesdentonso i don't think i'm crazy... https://paste.opendev.org/show/bFIzyhZTi6BEjLaBDpL4/20:50
MohaTo mitigate security risks on the provider network should we put each customer in a PVLAN? If yes, how can this feature be used with OVN/Openflow? 20:54
Mohajamesdenton: ^20:54
jamesdentontenant networks can be of vlan or geneve type; either provides segmentation between workloads/tenants unless those are "shared" networks20:55
jamesdentonmeaning... the default network segmentation behavior is 1:1 network:tenant, which is probably as secure as it's going to get20:56
jamesdentonMoha i think PVLAN might be doable with OVS but am not aware of any Neutron integration. You might be able to simulate the behavior w/ sec groups, depending on what you're trying to allow/disallow21:02
MohaSome ref: https://access.redhat.com/solutions/472674121:06
Mohahttps://wiki.openstack.org/wiki/Isolated-network21:07
jamesdenton"At no point can we assume that tenants will do the right thing with regards to security groups." <- that's the issue :D21:07
jamesdentonand they're not wrong21:07
MohaIn the current OVN configuration, by a simple scanning, all of the MAC addresses that exist in the provider network are visible from any instance that resides on that provider network!21:09
jamesdentonnoonedeadpunk re: glance - https://paste.opendev.org/show/bvJxtyalBK2pKi1T21u5/ - vhost is being added as [{'name': '/glance', 'state': 'absent'}, {'name': 'glance', 'state': 'present'}]21:10
jamesdentonMoha yes, that is the nature of Layer 2, unfortunately21:11
jamesdentonyou might consider routing NFS traffic vs using a shared network21:11
jrosserjamesdenton: you need a newer SHA for openstack-ansible-plugins21:31
jamesdentonahhh21:32
jamesdentonhttps://opendev.org/openstack/openstack-ansible-plugins/commit/9f13a58e2b8596ae43b11dd1b112be8522868c9021:32
jamesdentonlol21:32
jamesdenton"Allow to manage more the one vhost with mq_setup"21:32
jamesdentonthanks :D21:32
jrosserthere's a bit of a banana skin that in CI it uses master of that collection21:39
jrosserbut pins to the SHA in ansible-collection-requirements.yml for a local run21:39
jrosserhence https://review.opendev.org/c/openstack/openstack-ansible/+/89383521:40
jamesdentonthanks jrosser. need to re-run setup-hosts now or bootstrap-ansible?21:43
jrosserwhich release do you try?21:44
jrosserbecause it would be great if you could test drive this https://review.opendev.org/c/openstack/openstack-ansible/+/89323021:44
jamesdentonjust wanna make sure i get that collection updated21:44
jrossersure21:45
jrosserbootstrap-ansible does a ton of stuff21:45
jamesdentonoh, since you're up...21:45
jrosser893230 makes it so you can `openstack-ansible scripts/get-ansible-collection-requirements.yml`21:46
jamesdentonsetup-hosts is failing because it wants to connect the octavia lxc container to the "provider" bridge, which is an OVS bridge, which doesn't exist yet because OVS isn't installed until os-neutron-install21:46
jamesdentonso, i installed OVS and created the bridge and now that is happy21:46
jrosserand that will just sort the collections without messing with anything else21:46
jamesdentonand trying to get setup-openstack to finish to test tempest21:46
jrosserright so we have a bit of a catch-22 to think about then21:47
jamesdentonack 89323021:47
jamesdentonyes, we do need to think about that (if this does indeed work)21:47
jrosserdunno if that points back to making a 2nd bridge and wiring them together21:48
jrosser+/- eth1421:49
jamesdentonit's bridges all the way down21:50
