opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_cinder master: Remove cinder v2 references https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/934593 | 08:03 |
---|---|---|
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_cinder master: Remove cinder v2 references https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/934593 | 08:14 |
jrosser | noonedeadpunk: i was just looking at the haproxy bind patches - do you expect this? https://codesearch.opendev.org/?q=haproxy_vip_binds | 08:27 |
noonedeadpunk | jrosser: yeah, I just was taking this into account: https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/934553/1 | 08:31 |
noonedeadpunk | (if it makes sense) | 08:31 |
jrosser | ooooh i see | 08:31 |
jrosser | we do have some use of `extra_lb_tls_vip_addresses` but that likley could be refactored | 08:32 |
jrosser | it is to add an ipv6 address to the external vip as well as a v4 | 08:32 |
noonedeadpunk | oh yes, we have. And we also have extra_lb_vip_addresses | 08:32 |
noonedeadpunk | and that all is very confusing | 08:32 |
noonedeadpunk | yeah | 08:33 |
jrosser | i agree that the haproxy role could really do with a cleanup | 08:33 |
noonedeadpunk | but I would expect we can add these with haproxy_vip_binds or smth from what I saw | 08:33 |
jrosser | andrewbonney: ^ | 08:33 |
noonedeadpunk | But I didn't manage to finilize all that yesterday | 08:34 |
noonedeadpunk | as `extra_lb_tls_vip_addresses` anyway end up being part of _haproxy_tls_vip_binds as of today | 08:35 |
noonedeadpunk | https://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/master/vars/main.yml#L22-L23 | 08:35 |
noonedeadpunk | and all rest are mainly just checks if vip in vips | 08:35 |
noonedeadpunk | same with extra_lb_vip_addresses kinda but in different place: https://opendev.org/openstack/openstack-ansible-haproxy_server/src/branch/master/templates/service.j2#L18 | 08:36 |
noonedeadpunk | but i can easily may miss a very valid need for these... | 08:36 |
noonedeadpunk | but all these patches were mainly to achieve that part: https://review.opendev.org/c/openstack/openstack-ansible/+/934536/4..6/doc/source/user/prod/pretty_endpoint_naming.rst | 08:36 |
noonedeadpunk | also not sure if `type` makes much sense... but it might be for let's encrypt as logic today does issue only for external endpoints | 08:39 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Add variables to control HSTS records https://review.opendev.org/c/openstack/openstack-ansible/+/934620 | 10:23 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Deny access to any paths including /. for console proxies. https://review.opendev.org/c/openstack/openstack-ansible/+/934640 | 12:02 |
gokhan_ | hello folks, I am trying to use netapp and ceph cinder backends together. But cinder volumes services which manage netapp backend will be deployed on metal and cinder volume which manage ceph backend will be deployed on containers. is it possible to seperate is_metal property with host vars ? | 12:15 |
noonedeadpunk | gokhan_: I guess I would jsut create another groups for both, but still making them part of cinder_volumes | 12:16 |
noonedeadpunk | and yes you can do that with env.d I believe | 12:16 |
jrosser | question could be does the netapp stuff actually need to be on metal, or can it be in a container with the ceph backend? | 12:16 |
noonedeadpunk | at least I we did have same setup with ceph and NFS, where ceph was on LXC and NFS on bare metal | 12:16 |
noonedeadpunk | though there was no reason to have NFS on metal to be frank, except historical ones | 12:17 |
jrosser | iirc this all comes about with things like nfs and lvm where in the past you could not serve nfs/iscsi from inside the container | 12:17 |
jrosser | but thats really not the same issue as managing some other device that provides the actual backend on nfs/iscsi | 12:17 |
gokhan_ | jrosser, there are some problems with active/active settings. for example netapp can not support active/active, we can not install together on same cinder volume service | 12:19 |
jrosser | huh https://kb.netapp.com/Cloud/OpenStack/Cinder_Driver%3A_Active%2F%2FActive_High_Availability_Support_for_iSCSI%2F%2FFCP | 12:21 |
jrosser | so it's not really a question of metal vs container | 12:22 |
jrosser | more one of needing a set of cinder-volume for active-active, and another for everything else | 12:24 |
noonedeadpunk | so you can also spawn another series of containers | 12:25 |
noonedeadpunk | I think I had a sample for rabbitmq | 12:25 |
noonedeadpunk | https://docs.openstack.org/openstack-ansible-os_trove/latest/configure-trove.html#use-stand-alone-rabbitmq | 12:25 |
gokhan_ | noonedeadpunk, you made for trove rabbitmq if I recall correctly | 12:25 |
jrosser | then you would be able to have two sets of group_vars, one for each to make the overrides that you want | 12:26 |
noonedeadpunk | gokhan_: but from inventory view-point, rabbitmq and cinder are kinda same ;) | 12:27 |
noonedeadpunk | just need to put correct names | 12:27 |
gokhan_ | thanks noonedeadpunk jrosser I am deploying now. | 12:32 |
gokhan_ | noonedeadpunk, I write like this https://paste.openstack.org/show/byWmKvM88uf4ixwIUzel/. do I need to redefine ciner_volume on component skel | 12:56 |
gokhan_ | ? | 12:56 |
noonedeadpunk | So I usually do have openstack_deploy folder somewhere in Git and I run all changes locally on a laptop to track changes and see if it's doing what I actually want | 12:57 |
noonedeadpunk | https://docs.openstack.org/openstack-ansible/latest/reference/inventory/generate-inventory.html#running-with-tox | 12:57 |
noonedeadpunk | I think `cinder_volume` should be in belongs_to of component_skel | 12:59 |
noonedeadpunk | also don't name `container_skel` alike to `physical_skel` | 12:59 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: Allow ELK7 roles to run with disabled ANSIBLE_INJECT_FACT_VARS https://review.opendev.org/c/openstack/openstack-ansible-ops/+/934547 | 13:07 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: Allow to supply custom kibana backend to roles https://review.opendev.org/c/openstack/openstack-ansible-ops/+/934548 | 14:19 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Document pretty endpoint namings https://review.opendev.org/c/openstack/openstack-ansible/+/934536 | 14:29 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Add variables to control HSTS records https://review.opendev.org/c/openstack/openstack-ansible/+/934620 | 14:44 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: [doc] Document pretty endpoint namings https://review.opendev.org/c/openstack/openstack-ansible/+/934536 | 14:45 |
spotz[m] | noonedeadpunk: at Kubecon this week I’ll look at your patch when I have some free time! | 15:01 |
noonedeadpunk | ah, sure! | 15:05 |
noonedeadpunk | no urgency there | 15:06 |
spotz[m] | Thanks! | 15:08 |
noonedeadpunk | ok, so now I don't see issue with u-c for repo container | 15:46 |
noonedeadpunk | though they're still appear for rally now | 15:46 |
noonedeadpunk | ie https://zuul.opendev.org/t/openstack/build/ba4f41978bec422ea2a0b42449ceea03 | 15:47 |
noonedeadpunk | I hope https://review.opendev.org/c/openstack/openstack-ansible-os_rally/+/934144 might get things better... | 15:47 |
noonedeadpunk | I wonder if a "simple" fix might be to use github instead of gitea.... | 15:47 |
*** Adri2000_ is now known as Adri2000 | 16:17 | |
opendevreview | Merged openstack/openstack-ansible master: Deny access to any paths including /. for console proxies. https://review.opendev.org/c/openstack/openstack-ansible/+/934640 | 17:32 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2024.1: Deny access to any paths including /. for console proxies. https://review.opendev.org/c/openstack/openstack-ansible/+/934686 | 19:06 |
mgariepy | hmm, this patch is not complete | 19:57 |
mgariepy | @noonedeadpunk, @jrosser , wget -O - https://172.29.236.101:6080/%2F.git/HEAD | 19:57 |
jrosser | oh | 20:08 |
jrosser | mgariepy: patches welcome :) | 20:08 |
mgariepy | didn had the time to test it this morning. | 20:08 |
mgariepy | i'm looking into it. | 20:08 |
jrosser | alternative js something more complex that places a non git copy of the novnc repo | 20:09 |
jrosser | a difficulty is that this is served by websockify and that’s very basic | 20:10 |
mgariepy | yep maybe git --work-tree=/path/to/outputdir checkout blabla | 20:13 |
mgariepy | let me do a couple of tests. | 20:17 |
jrosser | can we pass the path through this? https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#7.3.1-url_dec | 20:27 |
mgariepy | feels like we would be chasing issues, we could checkout in a dir and only a worktree in the other directory | 20:36 |
jrosser | possibly `"http-request deny if { path,url_dev -m sub /. }" | 20:39 |
jrosser | possibly `"http-request deny if { path,url_dec -m sub /. }"` | 20:39 |
mgariepy | fixes the %2F | 20:45 |
jrosser | i do think that placing the directory without .git would be pretty hard to make idempotent and robust for upgrades | 20:48 |
mgariepy | yep probably | 20:54 |
mgariepy | jrosser, do you want to pathc master or do you want me ? | 20:57 |
jrosser | i'm away from my work computer right now, so if you can make a patch that would be good | 20:58 |
mgariepy | ok will do thanks | 20:59 |
opendevreview | Marc Gariépy proposed openstack/openstack-ansible master: Fix encoded url bypass https://review.opendev.org/c/openstack/openstack-ansible/+/934693 | 21:03 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!