| noonedeadpunk | #startmeeting openstack_ansible_meeting | 15:00 |
|---|---|---|
| opendevmeet | Meeting started Tue Dec 10 15:00:17 2024 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
| opendevmeet | The meeting name has been set to 'openstack_ansible_meeting' | 15:00 |
| noonedeadpunk | #topic rollcall | 15:00 |
| noonedeadpunk | o/ | 15:00 |
| noonedeadpunk | #topic repo state | 15:07 |
| noonedeadpunk | murano/senlin/sahara repos are still on TC table for retirement | 15:07 |
| noonedeadpunk | they were not included in our dalmatian release just in case | 15:08 |
| noonedeadpunk | repo for Apache role has been created by Infra team and I think we can already start working on it | 15:08 |
| noonedeadpunk | #link https://opendev.org/openstack/ansible-role-httpd | 15:08 |
| jrosser | o/ hello | 15:08 |
| noonedeadpunk | it wasn't approved as official project by TC though | 15:08 |
| noonedeadpunk | (still waiting for votes) | 15:09 |
| noonedeadpunk | #topic release state | 15:10 |
| noonedeadpunk | our dalmatian stable release is out | 15:10 |
| noonedeadpunk | but I still haven't checked on rabbitmq upgrade failures in case of TLS usage | 15:10 |
| noonedeadpunk | as it seems that running -e rabbitmq_upgrade on Dalmatian (after upgrade to 4.0) simply fails | 15:10 |
| noonedeadpunk | so patch for Epoxy is not passing CI so far | 15:11 |
| jrosser | yes i saw that the upgrade jobs looked unhappy | 15:11 |
| noonedeadpunk | I will really try to look into that this week, but so far it might be tough a bit... | 15:11 |
| noonedeadpunk | end of year - everyone went crazy somehow | 15:11 |
| noonedeadpunk | we actually can unblock gate jobs, by not testing upgrade from Dalamatian -but keep Caracal upgrade | 15:12 |
| noonedeadpunk | and then do the switch here; https://review.opendev.org/c/openstack/openstack-ansible/+/936659/2 | 15:12 |
| noonedeadpunk | but probably better to address this sooner then later | 15:12 |
| noonedeadpunk | Also I still due to work on patch for rabbitmq force_bootstrap flag | 15:12 |
| noonedeadpunk | it could be a proper backport target | 15:14 |
| noonedeadpunk | interestingly, that non-tls upgrade does work... | 15:16 |
| noonedeadpunk | oh well, vice versa | 15:16 |
| noonedeadpunk | I wonder if rabbitmq 4 doesn't support non-encrypted setups... | 15:16 |
| noonedeadpunk | #topic office hours | 15:17 |
| noonedeadpunk | so, we're coming very close to Christmas and potentially need to cancel couple of meetings | 15:17 |
| jrosser | yes next week maybe OK but then miss some? | 15:18 |
| noonedeadpunk | yeah. I will be mainly away next week, but can show-up on meeting | 15:18 |
| noonedeadpunk | but Dec 24 and 31 are highly unlikely to happen at all | 15:19 |
| jrosser | indeed, thats ok i think | 15:19 |
| noonedeadpunk | yup. But I guess I will send a ML early so that if anyone want to show up this year, they had a chance | 15:20 |
| noonedeadpunk | but I think I don't have anything else so far | 15:26 |
| jrosser | no, me neither | 15:28 |
| noonedeadpunk | ok, then let's conclude the meeting early :) | 15:28 |
| noonedeadpunk | #endmeeting | 15:28 |
| opendevmeet | Meeting ended Tue Dec 10 15:28:42 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:28 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2024/openstack_ansible_meeting.2024-12-10-15.00.html | 15:28 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2024/openstack_ansible_meeting.2024-12-10-15.00.txt | 15:28 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2024/openstack_ansible_meeting.2024-12-10-15.00.log.html | 15:28 |
| jrosser | i will do a bit more on the mcapi stuff to fix the list of supported versions | 15:28 |
| noonedeadpunk | I'd really wish to get more modern version of control cluster tbh... But https://github.com/vexxhost/ansible-collection-kubernetes/pull/137 seems to get stuck with progress | 15:32 |
| sykebenX | Hello, I'm running into a strange issue where https://opendev.org/openstack/openstack-ansible-lxc_container_create/src/commit/3a5f7651e9eb297fe3393ad843365032bad33092/tasks/lxc_container_config.yml#L61 is failing with an error trying to attach to the LXC containers | 17:25 |
| sykebenX | What should I be looking for - I have tried rebuilding the host and also recreating all the containers. Seems to always fail at this stage | 17:26 |
| sykebenX | Paraphrasing (since I don't have access to logs on this device: It fails with Connection Refused - Failed to get init PID - Failed to get attach context | 17:27 |
| sykebenX | Running lxc/stable on 5.0.0-1+b1 | 17:28 |
| sykebenX | 5.0.2-1+deb12u2 * | 17:29 |
| noonedeadpunk | hey | 17:29 |
| noonedeadpunk | sykebenX: can you please paste some more output from the running playbook? | 17:30 |
| noonedeadpunk | also - does container runs? | 17:31 |
| noonedeadpunk | what does `lxc-ls --active` say? | 17:31 |
| sykebenX | noonedeadpunk: Is there a specific part of the run that you'd like to see? I unfortunately am running in a protected environment so I'm not really allowed to export the whole thing without redacting the sensitive stuff | 17:34 |
| sykebenX | lxc-ls --active shows the names of all the containers normally | 17:34 |
| noonedeadpunk | and you can lxc-attach to the container that fails? | 17:35 |
| sykebenX | The containers are running and I can attach to them when I am connected to the control host by doing `lxc-attach <container_name>` | 17:35 |
| noonedeadpunk | are you running roles as root? | 17:35 |
| sykebenX | I am | 17:35 |
| noonedeadpunk | huh | 17:36 |
| noonedeadpunk | does the task fails for all containers or only some specific one? | 17:37 |
| noonedeadpunk | also - if you run `ansible -m setup $container_name` - I assume it also fails? | 17:38 |
| sykebenX | Seems to fail for all containers | 17:38 |
| sykebenX | I will try running the setup that way too - give me a couple to try - also thanks for your help! | 17:39 |
| noonedeadpunk | so either smth is with permissions or with apparmor | 17:39 |
| noonedeadpunk | but I'm not sure if this always an issue, as we're running CI against Debian and latest tests are passing | 17:40 |
| noonedeadpunk | ie https://zuul.opendev.org/t/openstack/build/ef0b368bc62a4985b1f112ea3b5ee376 | 17:40 |
| noonedeadpunk | so unless smth changed in last week - it should work... | 17:40 |
| noonedeadpunk | (and unlikely I'd be able to reproduce the issue) | 17:41 |
| sykebenX | Yeah I figured that it would be impossible for you to reproduce. This gives me some direction though. I do suspect you're right and it's either perms or apparmor since I can (as root) attach to the containers no problem when I'm connected to the control host directly | 17:42 |
| noonedeadpunk | so, how osa works - it actually also does SSH to the control host and then execute lxc-attach | 17:43 |
| noonedeadpunk | this happens due to our custom connection plugin | 17:43 |
| noonedeadpunk | https://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/plugins/connection/ssh.py#L381-L387 | 17:44 |
| noonedeadpunk | that is why I was kind of confused about you being able to execute things | 17:44 |
| noonedeadpunk | I wonder if that could have something to do with https://opendev.org/openstack/openstack-ansible-plugins/commit/52c710ae91235d8f4e3778c1c16da084575933cc | 17:46 |
| jrosser | sykebenX: you can perhaps use also just the ansible `ping` module and increase the verbosity a lot to see where it gets stuck | 18:19 |
| jrosser | `ansible -m setup $container_name -vvvvv` | 18:20 |
| jrosser | if you are able to share just the error that would be helpful | 18:20 |
| sykebenX | I am running openstack-ansible for a different environment using the same deployment host that is using the non-root (https://docs.openstack.org/openstack-ansible/latest/user/security/non-root.html) setup. Could there be some conflicts between the two since I am running this environments deployment using root? | 19:36 |
| sykebenX | to be clear, not root on the deployment host itself. I have two users setup (one for dev and one for prod) each has their own openstack_deploy folder with user_variables, user_secrets, openstack_user_config, etc... but I have a user.rc file in each that sets some environment variables for logging and also the ANSIBLE_REMOTE_USER which in prod I have set to a non-root user and in dev I have set to 'root' | 19:38 |
| noonedeadpunk | oh, yes, there could be quirks related to lxc for sure.... | 19:40 |
| noonedeadpunk | I've also seen one bug in our connection plugin related to this... | 19:40 |
| sykebenX | So would the recommendation be to have two distinct deployment hosts? | 19:40 |
| noonedeadpunk | that;s the bug I was talking about: https://bugs.launchpad.net/openstack-ansible/+bug/2044229 | 19:41 |
| noonedeadpunk | ideally - the approach you describe should work | 19:42 |
| noonedeadpunk | and no, there should not be conflicts if you set OSA_CONFIG_DIR for each user | 19:43 |
| noonedeadpunk | this part works nicely | 19:43 |
| jrosser | you can also play with local vs remote user in ssh config | 19:43 |
| noonedeadpunk | have you also check existance of https://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/plugins/connection/ssh.py#L381-L387 ? | 19:44 |
| noonedeadpunk | sorry, meant https://opendev.org/openstack/openstack-ansible-plugins/commit/52c710ae91235d8f4e3778c1c16da084575933cc | 19:44 |
| noonedeadpunk | as this was only included for 2024.2 | 19:45 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!