Monday, 2023-11-20

gokhani	hello folks, in tempest role it only runs keystone tempest plugin, how can we achieve running other services tempest tests automatically in this role? Is there any variable for this or we need to edit white list ?	07:36
noonedeadpunk	gokhani: you should just define list of tests you want to run using `tempest_test_includelist`	08:18
noonedeadpunk	based on the variable it would generate the includelist file	08:19
noonedeadpunk	or well, depending on version - whitelist	08:19
gokhani	thanks noonedeadpunk	09:11
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-ops master: WIP - Add collection to deploy magnum cluster-api with vexxhost driver https://review.opendev.org/c/openstack/openstack-ansible-ops/+/901450	10:27
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Add cinderstore glance testing scenario https://review.opendev.org/c/openstack/openstack-ansible/+/901187	10:33
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240	10:49
jrosser	noonedeadpunk: ^ this is a first attempt at putting the cluster api stuff in a collection	10:50
jrosser	lots of stuff can't be make external from the opensack-ansible repo though, like group vars and env.d stuff	10:51
noonedeadpunk	well, group_vars is kinda not a biggie I guess... Or well, depends of course	10:53
noonedeadpunk	as if create some noop inventory file along with another set of group_vars and add smth like `export ANSIBLE_INVENTORY="${ANSIBLE_INVENTORY},/opt/noop.ini"` to openstack_deploy/user.rc - you can have another set of group_vars (likely even inside collection since path to collection after bootstrap is known	10:56
noonedeadpunk	but that is crappy way of doing so,...	10:56
jrosser	anyway, just wanted to show that we can put a collection into the ops repo	10:57
jrosser	but reality is that it's not very clean and doesnt really externalise something thats supposedly out-of-tree	10:58
noonedeadpunk	yeah....	10:58
noonedeadpunk	I already see that :(	10:58
noonedeadpunk	and yeah, you're right about group_vars actually....	11:00
noonedeadpunk	also - should this be import be ideally before tempest? https://review.opendev.org/c/openstack/openstack-ansible/+/893240/23/playbooks/setup-openstack.yml	11:02
noonedeadpunk	I pretty much open for proposals to be frank of how make that comfortable to use....	11:03
jrosser	oh probably true on tempest	11:04
jrosser	tbh i did not even attempt tempest with this	11:04
jrosser	there is absolutely zero chance of making that work in an 8G CI node	11:04
noonedeadpunk	yeah, true	11:06
noonedeadpunk	jrosser: should set +w on that? https://review.opendev.org/c/openstack/openstack-ansible/+/900433	11:08
jrosser	noonedeadpunk: we can - i think it's low risk	11:25
jrosser	there are some other things i did on the same topic but those maybe wait for next cycle?	11:25
noonedeadpunk	yeah, let's do others after branching	11:27
noonedeadpunk	I'm just trying to wrap things we have left to branch roles.	11:27
noonedeadpunk	We obviously have broken zun and manila as of today though	11:27
noonedeadpunk	zun as it's also broken upstream for 2023.2 (fixed for master), and manila is ceph-ansible related - will try to look there	11:28
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible-ops master: WIP - Add collection to deploy magnum cluster-api with vexxhost driver https://review.opendev.org/c/openstack/openstack-ansible-ops/+/901450	11:28
noonedeadpunk	and also masakari looks utterly broken	11:28
noonedeadpunk	but it looks passing our CI (as we don't test masakari) at least...	11:29
jrosser	i did comment on the ceph-ansible PR asking for reviews	11:29
jrosser	maybe we have to fork ceph-ansible	11:36
noonedeadpunk	yeah, I saw that...	11:37
jrosser	oh and unrelatedly, see https://review.opendev.org/c/openstack/glance_store/+/885581	11:38
jrosser	this has been nasty outstanding bug for many many years now	11:38
jrosser	we are just applying a fix for this now	11:39
noonedeadpunk	oh, is that why we disable uwsgi for rbd today?	11:45
jrosser	hmm - wasnt that also tangled up with interoperable image upload	11:51
jrosser	or whatever it's called	11:51
jrosser	but perhaps yes	11:51
jrosser	we are using glance+uwsgi currently, and just applied a bunch of network optimisation	11:52
jrosser	which had the side effect of making that bug much much more apparent	11:52
noonedeadpunk	well, interoperable import is another thing, but it could be fixed for uwsgi couple of releases ago - not sure to be frank.	13:01
noonedeadpunk	But switching to non-wsgi helped us to not face it	13:02
noonedeadpunk	*uwsgi	13:02
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240	13:07
NeilHanlon	morning folks.. do we know anything about python-etcd and/or python-ironicclient? both were orphaned in Fedora today	13:07
NeilHanlon	they don't ship in EPEL, so I kinda figure we are just getting from pip?	13:08
jrosser	python-etcd seems to be abandoned since 2017, expect for a whole bunch of patches a couple of weeks ago	13:12
NeilHanlon	yea i just noticed that, too 🤔	13:14
NeilHanlon	maybe a CVE?	13:14
noonedeadpunk	python-ironicclient should be a thing still I believe....	13:14
NeilHanlon	what's odd is, apparently, samba depends on both of them	13:14
noonedeadpunk	samba depends on python-ironicclient???? o_O	13:14
noonedeadpunk	I can hardly imagine what/why	13:15
jrosser	well precise names matter too, python-ironicclient would indeed be the pip package	13:15
NeilHanlon	samba-2:4.19.2-2.fc40.src requires python3-etcd = 0.4.5-29.fc39	13:15
jrosser	but python3-ironicclient would be the rpm?	13:15
* jrosser not sure which we are talking abot		13:16
NeilHanlon	I think ironicclient is a weak dep in rpm land	13:16
NeilHanlon	as I don't see it specifically required for samba	13:16
NeilHanlon	but python-etcd is 🤔	13:16
NeilHanlon	otoh, i now work with the Samba maintainer (Jeremy Allison).. so. I'll ask him lol	13:16
noonedeadpunk	My assumption would be that python-etcd should be replaced with etcd3gw	13:18
noonedeadpunk	at least in opendev world: https://docs.openstack.org/etcd3gw/latest/	13:18
NeilHanlon	makes sense to me.. i'll investigate a bit on that. I think the assertion I saw re: ironicclient and samba is just wrong	13:20
NeilHanlon	if anything, it'd be the opposite (ironicclient depends on samba)	13:20
noonedeadpunk	yeah, that I can imagine	13:21
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add openstack_resources role skeleton https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794	13:25
jrosser	are you sure about that?	13:25
jrosser	ironicclient surely is just a plugin to osc?	13:25
NeilHanlon	https://koschei.fedoraproject.org/build/16686222	13:26
NeilHanlon	Koschei (ostensibly) walks multi-level dep trees	13:26
NeilHanlon	(OTOH, it could be a subpackage I'm not looking at)	13:26
jrosser	oh i think i meant that it was a surprise there was a dep between ironicclient and samba	13:27
NeilHanlon	ah, I see what you're saying	13:28
NeilHanlon	sorry, more coffee needed :P	13:28
NeilHanlon	I replied to the fedora thread here -- https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/PLPPESFOSVQL4D757WCL3ZPE6R4RYCXY/	13:28
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240	13:38
opendevreview	Merged openstack/openstack-ansible master: Use haproxy_service_setup playbook from plugins collection https://review.opendev.org/c/openstack/openstack-ansible/+/900433	13:51
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Add openstack-resources playbook https://review.opendev.org/c/openstack/openstack-ansible/+/901460	13:54
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240	13:58
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add openstack_resources role skeleton https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794	14:02
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible stable/2023.1: Fix incorrect release name https://review.opendev.org/c/openstack/openstack-ansible/+/901461	14:09
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible stable/yoga: Fix incorrect release name https://review.opendev.org/c/openstack/openstack-ansible/+/901462	14:12
NeilHanlon	I figured out the ironicclient thing.. ironicclient is a dep for neutronclient, which in turn is a dep for fence-agents,... pcs -> gluster -> samba	14:32
NeilHanlon	what a weird world we live in	14:32
jrosser	even that sounds...... wrong :)	14:37
NeilHanlon	quite :)	14:37
jrosser	a long time ago a hacked a thing that turned apt deps into graphviz	14:39
jrosser	and it was 8-O	14:39
NeilHanlon	need a plotter to print it? lol	14:43
jrosser	well you could give it a starting package	14:43
jrosser	otherwise i'm sure it would have generated extraordinary results	14:43
NeilHanlon	i remember doing something similar with Puppet digraphs at some point.. it was... scary	14:47
noonedeadpunk	why ironicclient depending on neutronclient....	14:53
noonedeadpunk	/o\	14:53
noonedeadpunk	don't want to start with neutronclient -> samba even	14:53
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240	14:55
jrosser	`git+https://github.com/jrosser/openstack-ansible-ops#/mcapi_vexxhost,capi`	15:00
jrosser	^ this is a valid collection url	15:00
jrosser	and makes `scripts/get-ansible-collection-requirements.yml` suddenly a whole lot more exciting to write	15:01
noonedeadpunk	ugh....	15:56
jrosser	yeah, not totally sure how to make it pick up the repo from the zuul sources right now	15:57
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: Allow installing collections from repos containing more than one https://review.opendev.org/c/openstack/openstack-ansible/+/901471	16:49
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240	16:50
jrosser	oh thats just totally wrong /o\	17:17
jrosser	hmmm	17:17
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Adopt magnum test variables for openstack_resources https://review.opendev.org/c/openstack/openstack-ansible/+/901184	17:23
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: Allow installing collections from repos containing more than one https://review.opendev.org/c/openstack/openstack-ansible/+/901471	17:33
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Adopt magnum test variables for openstack_resources https://review.opendev.org/c/openstack/openstack-ansible/+/901184	17:37
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_magnum master: Adopt for usage openstack_resources role https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/901185	17:40
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_magnum master: Adopt for usage openstack_resources role https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/901185	17:41
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Add cinderstore glance testing scenario https://review.opendev.org/c/openstack/openstack-ansible/+/901187	17:50
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Fix classic queues version policy https://review.opendev.org/c/openstack/openstack-ansible/+/901475	18:33
opendevreview	Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Disable RabbitMQ quorum queues by default https://review.opendev.org/c/openstack/openstack-ansible/+/901204	18:33
noonedeadpunk	ugh, seems I made a wrong call on changing classic queues to v2 when quorum queues are not used: https://review.opendev.org/c/openstack/openstack-ansible/+/895806	19:14
noonedeadpunk	as Ijust now spotted in the blogpost, that while using simple ha queues, v2 might be not beneficial....	19:15
noonedeadpunk	I guess, we might need to change the logic quite a lot, to separate ha queues with quorum queues and v2 classic queues somehow	19:16
noonedeadpunk	As while ha queues and quorum queues are correctly considered as one OR another, what we miss is - if one don't want to mirror queues at all.	19:16
noonedeadpunk	As then they should be able to leverage CQv2	19:17
noonedeadpunk	But, CQv2 is potentially useful even with quorum queues, like for transitient queues...	19:17
spatel	any haproxy expert here - [{"rel": "self", "href": "http://openstack.example.com:5000/v3/"}]	19:19
spatel	I have setup haproxy to expose my openstack API to public network using SSL	19:19
spatel	https://paste.opendev.org/show/brAuzocBieYmnlMLzb5r/	19:20
spatel	haproxy in respond changing https to http (it breaks my Terrafrom )	19:20
spatel	I have F5 proxy which works without issue and not messing with header	19:21
noonedeadpunk	Um, curl looks nicely, doesn't it?	19:22
jrosser	spatel: do you think haproxy changes the reponse to http	19:22
jrosser	or do you think that keystone puts an http thing into the response	19:22
noonedeadpunk	ah	19:22
spatel	Yes	19:23
spatel	why keystone does that?	19:23
noonedeadpunk	I see what you mean	19:23
spatel	I have other setup running on F5 that doesn't doing that	19:23
jrosser	probably because there is a misconfiguration	19:23
jrosser	look again at the response "[{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}]}]"	19:24
spatel	openstack endpoint list is totally different for Public	19:24
jrosser	^ identity, this is coming from keystone	19:24
spatel	when i do curl https://openstack.example.com:9696 that is also changing it to http://	19:25
jrosser	sorry what is changing?	19:25
noonedeadpunk	So in our case, apache2 that's serving keystone does contain `RequestHeader set X-Forwarded-Proto "https"`	19:26
spatel	https://paste.opendev.org/	19:26
noonedeadpunk	spatel: that's what I have in AIO https://paste.openstack.org/show/bpDHsBagatPn9FrRglpi/	19:27
spatel	hmm	19:28
jrosser	spatel: your curl is successful against an https endpoint	19:28
jrosser	but the payload that comes back inside the https contains an http url	19:29
spatel	I have setup haproxy outside OSA	19:29
jrosser	imho that is not being changed by haproxy, but the backend is not configured correctly to understand that the outside is https	19:30
spatel	Let me see what is going on..	19:30
jrosser	look at the stuff in noonedeadpunk paste	19:30
spatel	let me run keystone in debug	19:30
jrosser	match that with the web server config in keystone	19:30
jrosser	no, check the web server config	19:30
jrosser	it's web server + flask	19:30
spatel	ok	19:31
spatel	I am checking that but little surprised with F5	19:33
spatel	I have similar setup I did with F5 and it just works without doing anything..	19:33
spatel	F5 handling things right way	19:33
spatel	This is my apache2 config - https://paste.opendev.org/show/b5NVQIJQuJnZtzuYsrJX/	19:35
jrosser	so you are missing `RequestHeader set X-Forwarded-Proto "https"`	19:37
spatel	I am running Xena release	19:37
spatel	does this thing not there?	19:38
jrosser	i think usual advice applies	19:40
jrosser	use an AIO from xena branch to see what the standard setup would have been for that release	19:41
jrosser	or you can dig around in one of the CI job logs from xena branch, like https://zuul.opendev.org/t/openstack/build/41bcec32ccab412fbad92a87c8eb5a30/log/logs/etc/host/apache2/sites-available/keystone-httpd.conf.txt	19:44
jrosser	and https://zuul.opendev.org/t/openstack/build/41bcec32ccab412fbad92a87c8eb5a30/log/logs/etc/host/haproxy/conf.d/keystone_service.txt	19:44
spatel	ok.. I will try to see what is going on	19:47
jrosser	i don't knwo if it matters but you are missing `option forwardfor` in your haproxy backend condig	19:47
jrosser	compared to what is in the AIO	19:48
spatel	hmm! really	19:51
spatel	let me try that first	19:51
spatel	jrosser no luck :(	19:52
spatel	I have added in both place frontend and backend	19:52
jrosser	well i don't know - the standard deployment in xena is with https on the public endpoint and it works just out of the box	19:54
spatel	Let me see what I can do in keystone to make it work	19:56
spatel	Thanks for the input	19:56
opendevreview	Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240	22:13

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!