jrosser | f0o: i looked at the haproxy role docs a bit, and actually i think that they are correct | 10:40 |
jrosser | the haproxy role is a reusable role that can be used by openstack-ansible, or used outside openstack-ansible as needed | 10:41 |
jrosser | so there are two different things 1) the role defaults and docs that explain how to use the haproxy role in the general case 2) how that role is used specifically by openstack-ansible | 10:41 |
jrosser | the haproxy role docs tell you how to configure haproxy + LE when using the role standalone, so you have to set the vars up correctly and also provide some correct haproxy_service_configs to make it work | 10:43 |
jrosser | for openstack-ansible, the correct stuff is already setup for the letsencrypt haproxy backend in the OSA group vars | 10:44 |
jrosser | there is docs here for openstack-ansible itself which shows how to enable letsencrypt https://docs.openstack.org/openstack-ansible/latest/user/security/index.html | 10:47 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_gnocchi master: Drop default policy file location https://review.opendev.org/c/openstack/openstack-ansible-os_gnocchi/+/913244 | 11:25 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Move RGW setup right after Keystone https://review.opendev.org/c/openstack/openstack-ansible/+/913556 | 11:29 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_gnocchi master: Drop default policy file location https://review.opendev.org/c/openstack/openstack-ansible-os_gnocchi/+/913244 | 11:33 |
jrosser | noonedeadpunk: swift is not completely necessary for ironic, there's a ton of options there | 11:50 |
jrosser | i think the defaults we have make the image be downloaded from glance to the conductor | 11:50 |
noonedeadpunk | well. I guess I was just struggling with making aio work with ironic but without swift, but with ceph | 11:51 |
noonedeadpunk | as ironic role just fails trying to connect to swift when it's not there | 11:52 |
jrosser | i would say that the ironic aio should work totally without needing ceph | 11:52 |
noonedeadpunk | well, atm it requires swift | 11:52 |
jrosser | huh interesting | 11:52 |
jrosser | well anyway - for the purposes of minimal AIO that can be changed if you want to | 11:52 |
noonedeadpunk | https://opendev.org/openstack/openstack-ansible/src/branch/master/tests/roles/bootstrap-host/vars/main.yml#L51-L53 | 11:53 |
noonedeadpunk | which is completely other problem I guess | 11:53 |
noonedeadpunk | and for some reason swift in my aio also fails.... | 11:54 |
jrosser | i just took a look at our lab user_variables for ironic and i don't see anything relating to object storage | 11:55 |
jrosser | instinct tells me that this is another place that internal/public endpoints can get totally confused | 11:56 |
noonedeadpunk | I'm not sure... | 11:57 |
jrosser | and particularly in public cloud you might want to be pretty careful about the cleaning and provisioning networks and what they can access | 11:57 |
noonedeadpunk | I think it tries to use swift whether ironic_enable_web_server_for_images is enabled | 11:58 |
noonedeadpunk | or well, vice versa https://opendev.org/openstack/openstack-ansible-os_ironic/src/branch/master/templates/ironic.conf.j2#L84-L90 | 11:58 |
jrosser | right - when that is false the images have to be elsewhere | 11:59 |
jrosser | == swift | 11:59 |
noonedeadpunk | but isn't that glance.... | 11:59 |
noonedeadpunk | like why it has to be swift | 11:59 |
jrosser | i see that we set that to `true` and the images get copied out of glance onto the conductor, where there is a web server running | 11:59 |
noonedeadpunk | to have direct url? | 11:59 |
noonedeadpunk | we don't in aio though | 12:00 |
jrosser | well - aio is pretty much untested for this | 12:00 |
jrosser | anyway it's no issue, you'd just end up with a much lighter weight AIO with `ironic_enable_web_server_for_images: true` | 12:01 |
jrosser | and yes it's because you need an http url for the image during PXEboot | 12:02 |
noonedeadpunk | so should we then enable by default? | 12:02 |
jrosser | if you want to keep the ironic AIO as simple/minimal as possible, yes | 12:03 |
jrosser | and remove the need for object storage in that scenario | 12:03 |
noonedeadpunk | I'm not sure what I really want right now :D But decreasing runtime sounds reasonable | 12:58 |
jrosser | noonedeadpunk: imho the most useful thing would be getting virtualbmc working | 13:13 |
noonedeadpunk | I'm not that far into ironic _yet_ | 13:15 |
noonedeadpunk | but kinda running ceph-rgw right after keystone made some sense to me... | 13:25 |
noonedeadpunk | like there're quite some things potentially that could use it except ironic | 13:25 |
noonedeadpunk | maybe same applicable for swift though... | 13:25 |
noonedeadpunk | so worth packing them together... | 13:25 |
f0o | dumb question but what is Zookeeper used for? I read that Nova supports it for coordination but I can't see it configured anywhere in OSA - seems like OSA only configures it for Ceilometer/Gnocchi, is that right? | 13:37 |
jrosser | f0o: some openstack services need a "coordination service" (distributed locks etc), and there are several potential backends you can use for that. zookeeper is the most sensible choice for that backend | 13:40 |
jrosser | an example would be https://github.com/openstack/openstack-ansible-os_designate/blob/master/defaults/main.yml#L67-L75 | 13:42 |
f0o | any reason why nova isn't configured in the same regard? | 13:42 |
jrosser | for some services it is mandatory | 13:43 |
f0o | ah makes sense | 13:43 |
f0o | so the optional nova would be up to my _overrides to configure it | 13:43 |
jrosser | do you have a link to the nova docs about that? | 13:44 |
f0o | https://blueprints.launchpad.net/nova/+spec/tooz-for-service-groups | 13:44 |
noonedeadpunk | f0o: huh, nova supports it? | 13:44 |
f0o | I'm just digging around but there's a blueprint and a spec dating back to Liberty talking about tooz coordination | 13:45 |
f0o | https://opendev.org/openstack/nova-specs/src/commit/cc46a73a37b2446e562adc2ad78f6db0fe0c1573/specs/liberty/approved/service-group-using-tooz.rst like this beauty | 13:45 |
jrosser | is it real though? https://review.opendev.org/q/topic:%22bp/servicegroup-api-control-plane%22 | 13:46 |
noonedeadpunk | there's quick way to check I guess | 13:46 |
noonedeadpunk | so, it's used only for ironic driver: https://codesearch.openstack.org/?q=tooz&i=nope&literal=nope&files=&excludeFiles=&repos=openstack/nova | 13:47 |
noonedeadpunk | I guess we can add config indeed when ironic is enabled... | 13:47 |
noonedeadpunk | but I can't say that it's really required, like it's for cinder-volumes to act in Active/Active or Designate or valuable as for Octavia... | 13:49 |
f0o | no you're right it's not a requirement just an optional gimmick | 13:49 |
f0o | I was just curious is all | 13:50 |
noonedeadpunk | only if you have ironic | 13:50 |
f0o | yeah | 13:50 |
noonedeadpunk | but yeah, maybe worth checking on that, so it's good point | 13:50 |
noonedeadpunk | jrosser: I need some input on one OVN thing. So ovn-nbctl and ovn-sbctl CLI tools require to explicitly define tons of crap like --db, --certificate, --ca-cert, --private-key for each command. You can define an env variable to ease your being. But here's where I'm not sure | 14:48 |
noonedeadpunk | Should it be /etc/environment, or some kind of openrc file | 14:48 |
noonedeadpunk | Especially, given that these tools are not on utility container... | 14:48 |
noonedeadpunk | I can take a look what it would take to place them there as well, but it's +1 certificate | 14:49 |
noonedeadpunk | really annoying part, is that weird requirement of certs for client... | 14:49 |
jrosser | well that's interesting | 14:50 |
jrosser | /etc/environment can be problematic in some cases | 14:50 |
jrosser | are these possible env vars containing secrets? | 14:51 |
jrosser | on the one hand this is a bit similar to the galera_client things we have for the database | 14:51 |
jrosser | where it's needed to have a cli tool and a config file | 14:51 |
noonedeadpunk | no, they're not in fact | 14:53 |
noonedeadpunk | but like the command to get a list of routers looks like this: ovn-nbctl --db=ssl:10.21.8.247:6641,ssl:10.21.8.182:6641,ssl:10.21.8.243:6641 -p /etc/openvswitch/neutron_ovn.key -c /etc/openvswitch/neutron_ovn.pem -C /etc/openvswitch/neutron_ovn-ca.pem list Logical_Router | 14:53 |
noonedeadpunk | which is /o\ | 14:53 |
jrosser | one option would be to make a wrapper | 14:54 |
noonedeadpunk | well, alias was another option | 14:54 |
noonedeadpunk | but I'm somehow not sure it's worth it | 14:54 |
noonedeadpunk | as env vars can handle that | 14:54 |
noonedeadpunk | OVN_NB_DB=ssl:10.21.8.247:6641,ssl:10.21.8.182:6641,ssl:10.21.8.243:6641 and OVN_NBCTL_OPTIONS=-p /etc/openvswitch/neutron_ovn.key -c /etc/openvswitch/neutron_ovn.pem -C /etc/openvswitch/neutron_ovn-ca.pem | 14:55 |
noonedeadpunk | so alias feels a bit hacky | 14:55 |
noonedeadpunk | *dirty | 14:55 |
noonedeadpunk | maybe indeed just install ovn-common to utility.... | 14:56 |
noonedeadpunk | and put some openrc there... | 14:56 |
noonedeadpunk | but that can bring in quite some dependencies.... | 14:57 |
mgariepy | why not connect to the ovn-northd container for debugging purposes? | 14:57 |
noonedeadpunk | actually - not much https://packages.ubuntu.com/jammy/ovn-common | 14:57 |
noonedeadpunk | mgariepy: but it's same there? | 14:57 |
jrosser | i was just looking at the same | 14:58 |
jrosser | ovn-common looks quite lightweight | 14:58 |
mgariepy | i think it reads the /etc/default/stuff ? | 14:58 |
noonedeadpunk | only service does | 14:58 |
noonedeadpunk | or you need to be lucky and get to the current "master" | 14:58 |
noonedeadpunk | or I'm doing smth completely wrong :D | 14:59 |
noonedeadpunk | as I get just `ovn-nbctl: unix:/var/run/ovn/ovnnb_db.sock: database connection failed ()` | 14:59 |
jrosser | so we would define `OVN_SBCTL_OPTIONS` as example? | 15:00 |
noonedeadpunk | yeah, and "same" for NBCTL | 15:00 |
jrosser | ok so it seems that figuring out the correct CLI is quite some barrier for new people to OVN | 15:02 |
noonedeadpunk | but kinda agree that maybe we don't need to touch utility and just tell to use neutron-ovn-northd-container | 15:02 |
noonedeadpunk | oh, yes | 15:02 |
noonedeadpunk | nb vs sb is just totally another story | 15:02 |
mgariepy | # ovn-nbctl --no-leader-only show | 15:02 |
mgariepy | the option --no-leader-only does the trick for me. | 15:03 |
mgariepy | from northd container | 15:03 |
noonedeadpunk | that works :D | 15:03 |
mgariepy | no need for hacky stuff then :) | 15:04 |
noonedeadpunk | as long as ppl find that option :D | 15:05 |
noonedeadpunk | (I failed) | 15:05 |
noonedeadpunk | ofc I can just add a documentation bit | 15:07 |
noonedeadpunk | but potentially it's good to query leader actually.... | 15:08 |
mgariepy | https://paste.opendev.org/show/bPQOhFzMdGnR8diMCDrV/ | 15:10 |
mgariepy | some randoms notes i had in a txtfile.. | 15:10 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Configure northd clients to connect to NB/SB leader https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/913582 | 16:07 |
jrosser | i guess i am a bit uncertain about putting config in global env vars | 16:16 |
jrosser | those are very low hanging fruit for accessing maliciously | 16:17 |
noonedeadpunk | so the thing is, that if you're on correct node - you don't need any of these | 16:24 |
noonedeadpunk | but then leader for sb and nb db are different | 16:25 |
noonedeadpunk | so there's usually no single host where you can run things and they move with service restarts | 16:25 |
noonedeadpunk | but well, given there's no auth or anything like that - how much it affects security | 16:26 |
noonedeadpunk | and how problematic is that | 16:26 |
noonedeadpunk | but I don't see issues placing that as openrc either | 16:26 |
noonedeadpunk | and documenting if you feel it's best | 16:27 |
jrosser | yeah so i guess for openrc you have to be root to be able to read it | 16:28 |
noonedeadpunk | depends on permissions :D | 16:28 |
noonedeadpunk | but yes | 16:28 |
noonedeadpunk | but again - there's nothing in these env vars | 16:28 |
jrosser | and in general that will mean that you need to escape some less privileged service and then subsequently do some priv escalation | 16:28 |
noonedeadpunk | like I don't think it even uses certificates for any kind of auth.... | 16:28 |
noonedeadpunk | as I tried to place there just a random cert from a different host and it worked | 16:29 |
noonedeadpunk | but ok, let me re-do this for openrc file under /root | 16:29 |
jrosser | worst case is if things in /etc/environment end up inside a service just by fact of it running | 16:30 |
jrosser | then most trivial exploit can read them back | 16:30 |
jrosser | however it should be restricted only to login shell i think | 16:31 |
noonedeadpunk | systemd services should not do that | 16:31 |
noonedeadpunk | iirc | 16:31 |
noonedeadpunk | but yeah, I guess you're right overall | 16:32 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Create an openrc for nb/sb clients https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/913582 | 16:41 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: [doc] Expand documentation on OVN useful commands https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/913588 | 17:35 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: [doc] Expand documentation on OVN useful commands https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/913588 | 17:41 |
noonedeadpunk | mgariepy: I've taken some things from your paste to this if you don't mind :) ^ | 17:42 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Use container setup role from plugins repo https://review.opendev.org/c/openstack/openstack-ansible/+/905004 | 18:49 |
hamburgler2 | Hey hey, curious regarding Octavia flavors/availability zones (I know there is a centralized resource management role coming) but right now unless I am unaware of this, it doesn't look like loadbalancer flavor profiles, flavors and azs get created anywhere in os_octavia. Is this intended, as the os_octavia role essentially limits amphora to a single default compute flavor type, not loadbalancer flavors | 19:19 |
hamburgler2 | (which get mapped to compute flavors if configured through profiles). Right now I have an OpenStack Resource configuration role, much like the one that is being added, but have integrated these shared vars with OSA as well. I realize there isn't a module to handle loadbalancer profile/flavor creation so it is done with tasks. Full view of configs etc https://paste.openstack.org/show/b1SCoLdffRyt8FgWg0C | 19:19 |
hamburgler2 | G/ and then we can have: https://drive.google.com/file/d/1I8R1YbRyva8wfRXPUxTqoO9k22OStfsa/view. Seems like this is a missed or missing feature to me? | 19:19 |
hamburgler2 | Shoot sorry PB split over multiple lines: https://paste.openstack.org/show/b1SCoLdffRyt8FgWg0CG/ | 19:23 |
noonedeadpunk | o/ | 19:33 |
noonedeadpunk | hamburgler2: iirc, octavia flavors is smth that end-user can create/manage, so they're not limited to admin-only | 19:33 |
noonedeadpunk | we've already landed there role btw, but yeah - it doesn't take care of octavia things today | 19:34 |
noonedeadpunk | that's the role: https://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/roles/openstack_resources/defaults/main.yml | 19:35 |
noonedeadpunk | and as usual - it's pretty much open to contributions :) | 19:35 |
noonedeadpunk | so feel free to push things over there | 19:36 |
hamburgler2 | noonedeadpunk: will look through it :) would be happy to use that as we have ours separate that is run after osa, hmm yeah, I suppose users would be able to list public flavors and map their loadbalancer profiles to those, then create a loadbalancer flavor from there, I think from user experience end it would be simpler to offer that without them having to worry about managing that workflow on their | 19:50 |
hamburgler2 | end, but yes will take a look :) ty | 19:50 |
noonedeadpunk | yeah, sure | 19:53 |
noonedeadpunk | we actually just added what we do in different places in a unique way and added that to a role, but obviously we wanna expand that functionality with all such usecases, that ppl do independently | 19:54 |