Thursday, 2025-04-10

opendevreviewDaniel Preussker proposed openstack/openstack-ansible-os_swift master: Migrate role to use SSH CA  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/94686505:59
f0o^ this is more of a WIP right now, I need to test it first. It was a shameless ripoff of https://github.com/openstack/openstack-ansible-os_keystone/commit/19af9dabc83fda4f2e14b2cc8ab87b14c50fdc2d - I feel like I need to configure sshd to use sshca first06:00
f0o(also good morning!)06:00
noonedeadpunkgood morning :)07:03
noonedeadpunkf0o: I think that the `openstack.osa.ssh_keypairs` does configure sshd07:04
noonedeadpunkduring ca installation07:04
f0oCoolio07:05
noonedeadpunkhttps://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/roles/ssh_keypairs/tasks/standalone/install_ssh_ca.yml#L32-L6707:05
f0owish I could test it but I'm currently at a coworking space because vattenfall is doing some maintenance in the neighborhood resulting in a loss of power07:05
f0obut should be done by lunch so I can give it a spin then07:06
noonedeadpunkwell, we can also wait for CI results :)07:08
f0owould the CI result even be conclusive here? even if the SSHCA fails to properly deploy, AIO will still pass.. Same as the issue with ssh-keygen being required before being installed, it worked because a previous service installed it07:09
noonedeadpunkwell CA is more fine grained I guess as the key is specific to the swift user....07:09
noonedeadpunkbut indeed in case of metal - it doesn't matter at all07:10
noonedeadpunkunless there's some obvious issue making code to fail07:10
f0oI meant more the conclusiveness/meaningfulness of the AIO CI in this regard. The SSHCA tasks might still pass (since they're 1:1 copypasta probably will pass) but they're not actually function-tested since the AIO wont use it07:13
f0oeither way, I'll toss it into our env once I'm back at home and got access07:13
f0oI've been looking into why the br-storage network wasnt found and honestly dont understand it. The facts should have it. I see the containers have the veth on the bridge and a correct IP. The hosts absolutely have the br-storage since they require it for nova<>cinder...07:16
f0oit's like ansible doesnt find the facts.. will have to compare the tasks with cinder or similar, maybe they diverged07:16
f0olike maybe the facts arent called the same anymore07:16
noonedeadpunkso I think it looks for the interface inside of the container07:33
noonedeadpunkmy guess would be that it should be `eth2`, not br-storage07:33
noonedeadpunkas you won't have `br-storage` fact for container07:34
f0othat's the funny part tho, it fails on the hosts and not inside a container.. swift-proxy container passes metal hx_y does not07:34
f0ounless the failing task is not the actual task that's failing but the failure is somewhere higher up and obscure07:35
f0oone thing I dont understand is the replacement of - to _, so br-storage becomes br_storage which is being looked at for ipv4.address facts07:36
f0ohttps://github.com/openstack/openstack-ansible-os_swift/blob/master/tasks/swift_calculate_addresses.yml#L37 and line 63 does the lookup07:36
noonedeadpunkf0o: so I'd guess we need to replace metal with LXC jobs at the very least for swift07:37
f0oso if that has changed from 2 years ago, then its an obvious failure07:37
noonedeadpunkor even create a several copies of swift-proxy containers for aio?07:37
noonedeadpunkas we can do that :)07:37
f0operhaps but swift-proxy hosts are not failing here07:38
f0oit's the swift-hosts (storage hosts) that are failing with missing interfaces07:38
f0oand those should be metal because the container has no access to the /dev/sdX07:38
f0oor am I mistaken here?07:38
noonedeadpunkwell, I was about ssh part still 07:38
f0oaaaaah07:38
f0oyes in the ssh regard yes07:38
f0oI've got too many mental and browser tabs open, apologies for jumping around07:39
noonedeadpunkand about br-storage - I think indeed we might just be missing facts07:39
f0oit looks to me that i can freely set the IPs directly instead of defining the network interface and it will bypass that lot07:40
noonedeadpunkie - smth like that is missing for the playbook? https://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/playbooks/ceph_install.yml#L46-L5807:40
f0oswift_hosts>hx_y>swift_vars>repl_ip for instance seems to be accepted and replaces the swift>replication_network entry entirely07:41
f0ogather_extra_facts is not defined anywhere in os_swift07:41
noonedeadpunkit kind of is, but only hardware facts: https://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/playbooks/swift.yml#L20-L2307:42
noonedeadpunkas that is the default https://opendev.org/openstack/openstack-ansible/src/branch/master/inventory/group_vars/all/all.yml#L139-L14007:43
f0oso then extending that to the network and ipv*_addresses like you linked in ceph should solve that?07:43
f0oor does the fact structure itself also change and we need to touch that calculate_addresses tasks?07:44
f0oI know too little of that structure unfortunately07:44
noonedeadpunkum, not sure what you mean about fact structure, but it should be the same. So at least trying to add alike to ceph into swift playbook might be just enough07:48
f0ocall me odd but I always get suspicious when there are text transformations and then access to that transformed key07:55
f0olike br-storage becoming br_storage07:56
f0ofeels like a source of problems as it could be a legacy thing that might have been changed since the 2 years of its introduction but forgotten to apply here07:56
f0obecause that replace screams workaround for me07:56
derekokeeffe85Morning all, noonedeadpunk anymore suggestions on what could be causing or how to fix my mariadb issue? 07:57
darkhackerncmorning all, 07:58
darkhackerncnoonedeadpunk, any thought on https://bugs.launchpad.net/openstack-ansible/+bug/2106625 and https://bugs.launchpad.net/openstack-ansible/+bug/210671507:58
f0o2106715 doesnt seem to be an ansible related issue tho, reads to me like an openstack cli issue08:00
f0oso I think 2106715 should be in cinder or python-cinderclient projects08:04
jrosserisnt that replace just an artefact of how ansible has to transform the interface names 08:04
f0ojrosser: possibly, I do see that plugins/ceph does similar replace for the monitor_interface08:05
f0oit was just something that struck me at a first glance08:05
jrosserthe facts about interfaces always have _ iirc08:05
jrosserregardless of what the name of the interface actually is on the system08:06
f0ogood to know!08:06
jrosserthe same goes for `:` i think08:08
jrosserdarkhackernc: 2106715 really is not about the deployment tool at all08:10
darkhackerncjrosser++ yes, that is a cinder-cli operations part08:12
jrossercinder won't see that with the bug assigned to openstack-ansible though08:13
jrosserderekokeeffe85: can you remind what your mariadb issue is?08:14
derekokeeffe85Will do jrosser, let me capture the error and do a paste of it for you08:15
derekokeeffe85fails on the setup_openstack playbook with this https://paste.openstack.org/show/bqyekQF7IOJP9rt3RQGG/ when I run mysql or mariadb on the utility container it's not there08:17
f0o`Lost connection to MySQL server during query` reads like MTU issue to me; can you verify that all interfaces (galera container, haproxy, keystone container) use the same MTU?08:22
f0oif my memory is correct, the traffic goes keystone_container -> host bridge -> haproxy interface/s -> host bridge -> galera_container08:22
f0oso that's 5-6 interfaces that could have MTU mismatches08:22
f0oonly reason I mentioned this is because I had very similar intermittent issues when I set up all interfaces to jumbo and missed one08:23
jrosserwell and your switches could have mtu trouble too08:24
f0ooh yeah those too good point08:25
jrosserderekokeeffe85: that task is run from the utility container and it tries to connect to the db via the loadbalancer08:25
jrosserthere is a mysql/mariadb client installed for you already on the utility container and you could try some interaction with the db manually using that08:26
jrosserif that doesnt work properly, the ansible wont either08:26
jrosseryou could also have ip routing issues with traffic accidentally exiting a large mtu interface when you didnt intend it to08:27
derekokeeffe85when I run mysql or mariadb on the utility container it's not installed. I did have MTU and UFW issues at the start but I'm fairly sure they're resolved now. I re ran the playbooks after I sorted that issue and both completed fully but still this issue. I set the IPs of all the nodes to their br-ext IP in openstack_user_config rather than the container network, would that be playing a part in it?08:31
opendevreviewDaniel Preussker proposed openstack/openstack-ansible-os_swift master: Migrate role to use SSH CA  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/94686508:43
derekokeeffe85Sorry I never tagged you in the reply jrosser but you can see it above08:45
jrosserderekokeeffe85: you should have a /usr/bin/mariadb binary on the utility host08:49
jrosserand a ~/.my.cnf on the same host with the db connection details08:49
derekokeeffe85Yep I have this https://paste.openstack.org/show/bBP0fnh9HOmTMSaYcz6f/ jrosser08:52
derekokeeffe85The IP address is that of the controller node br-mgmt08:53
jrosserso you should be able to use the mariadb client on the utility container to connect to the db i think08:53
derekokeeffe85Ok I can try that. Do you have an example off the top of your head by any chance?08:54
jrosserat the very simplest you can try `show databases;`08:56
derekokeeffe85Says mariadb and mysql services are not found :(08:56
derekokeeffe85Not sure if this helps but I can't telnet to the utility container on 3306 from the controller so maybe it couldn't install it?? Trying 172.29.239.232...08:58
derekokeeffe85telnet: Unable to connect to remote host: Connection refused08:58
jrosseri'm confused08:58
jrosserwhy to the utility container on 3306?08:59
jrosserthe database runs in the galera containers, and the connection to the database goes via the haproxy loadbalancer08:59
opendevreviewDaniel Preussker proposed openstack/openstack-ansible-os_swift master: Migrate role to use SSH CA  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/94686508:59
jrosserso in your my.cnf you have 172.29.236.6 as the address for the database, which should be your internal vip?08:59
f0ojrosser: how can I restart the CI? will it happen automatically on the new commit?09:00
jrosserf0o: yes a new revision of the patch will cancel the previous job and start a new one straight away09:01
f0ocoolio! so nothing to do :)09:01
f0othe copypaste errors you mentioned are also in keystone btw heh09:01
jrosseroh no :(09:01
f0oI'll make a patch for it09:01
f0ojust need to walk the doggo first09:02
jrosserexcellent that super helpful, we are a bit short on reviewers currently so that makes it easier09:02
derekokeeffe85jrosser internal_lb_vip_address: 172.29.236.6. That's the IP of my br-mgmt on the controller node. Is that correct?09:07
jrosseri think you only have one controller? is that right?09:09
noonedeadpunkiirc we left at stage, that haproxy marks mariadb backend as down, right?09:17
noonedeadpunkdarkhackernc: can you remind me the paste you sent yesterday from haproxy stat?09:25
noonedeadpunksorry, derekokeeffe85 ^09:25
noonedeadpunkmiss-pinged09:25
noonedeadpunkdarkhackernc: frankly, I have never seen anything like you're describing in https://bugs.launchpad.net/openstack-ansible/+bug/210662509:26
noonedeadpunkdon't you accidentally have `package_state: latest` or `nova_package_state: latest` defined somewhere together with running CentOS/Rocky linux?09:27
noonedeadpunknah, you run ubuntu09:27
noonedeadpunkderekokeeffe85: what's the output of `curl http://$(lxc-ls -1 | grep galera):9200`?09:49
noonedeadpunkor it's getting stuck?09:49
noonedeadpunkif it's getting stuck - I'd suggest checking from which IP request is coming from the control plane to galera09:50
noonedeadpunkas you've changed the VIP - you might need to re-run the galera role, if you didn't do that yet09:50
noonedeadpunkok, forget that ^09:52
noonedeadpunkbut basically you'd need to check, that haproxy goes to the galera from one of the allowed IP addresses09:54
noonedeadpunkyou can check currently allowed ones as `systemctl cat mariadbcheck.socket` from galera container09:54
noonedeadpunkor, set galera_monitoring_allowed_source: 172.29.236.0/22 galera_server_proxy_protocol_networks: 172.29.236.0/2209:58
noonedeadpunkderekokeeffe85: ^09:58
derekokeeffe85Sorry jrosser and noonedeadpunk I was called away. Yep I only have one controller. I'll do the other suggestions now10:10
f0ojrosser: it doesnt seem like CI was restarted for my change 94686510:33
jrosserf0o: https://zuul.opendev.org/t/openstack/status?change=94686510:34
jrosseryou can see that the lint has already failed so thats probably something to look at immediately10:35
f0oannoying that it complains about files that werent touched in the change10:36
f0oso this is going to feature-creep10:36
derekokeeffe85jrosser noonedeadpunk thank you so much!!!!! :) It passed that task. I added  galera_monitoring_allowed_source: 172.29.236.0/22 galera_server_proxy_protocol_networks: 172.29.236.0/22 to user_variables and re ran the playbooks. setup_openstack is still running now10:37
derekokeeffe85https://paste.openstack.org/show/bRNE6hdoDcJgxMg7C2Bm/10:38
jrosserf0o: you can always make a separate patch for fixing linters10:38
jrosserit doesnt have to be in the same change, ideally it wouldnt be10:38
f0oI'm not 100% sure how to fix 'no-handler: Tasks that run when changed should likely be handlers. (warning)'10:40
f0otasks/swift_pypy_setup.yml:38 Task/Handler: Setup local pypy10:41
opendevreviewDaniel Preussker proposed openstack/openstack-ansible-os_swift master: Migrate role to use SSH CA  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/94686510:41
f0obut I think I've addressed all other linting issues10:41
jrosseri kind of have no odea10:42
jrosseridea10:42
jrosserultimately the swift role needs a maintainer really10:43
f0ohehe10:43
jrosseri.e someone who is wanting to use swift and understand it sufficiently to keep the ansible relevant10:43
f0oI'm a bit on the fence whether I should go swift or go ceph... for us it really depends what the resource steal/overhead of ceph is. We would like to run the object storage on the same hosts as compute does just to use the local disks for cheap object storage. Cinder volumes is all NFS appliances so we cant reuse that gear for ceph and have no requirement for ceph to do10:45
f0oblockstorage10:45
f0oI remember from way back (Mitaka times) swift was super low overhead - I have no experience with Ceph other than knowing that Proxmox uses it as HCI storage10:45
noonedeadpunkf0o: warning is not why it's failing10:54
noonedeadpunkas warnings are not treated as errors there10:54
f0ooh ok then I just fixed a few pipefail warnings for nothing10:54
f0o:D10:54
f0obut I did also fix the indents and other things it complained about10:54
opendevreviewDaniel Preussker proposed openstack/openstack-ansible-os_swift master: Migrate role to use SSH CA  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/94686510:56
noonedeadpunkthere's a stack trace on loading yaml....10:56
f0oyeah I fat fingered the last patchset10:57
noonedeadpunkah, indent here on L2610:57
f0oyep10:57
noonedeadpunkok, sorry :D10:57
f0oslowly but surely I'm getting used to gerrit and zuul navigation :D10:58
f0olinting passes now - at least one less thing to worry about. Vattenfall on the other hand... they seem to have left for lunch and while the apartments have power, the building does not so by extension the internet is still down11:09
f0oVattenfall just flipped the power on for the building and I have internet again - Great Success!11:17
f0onow I can checkout the os_swift role locally and toss it against the env11:17
f0o:)11:17
f0oI'm just going to assume they're done for today and hopefully wont get a powercut mid deploy11:18
noonedeadpunkf0o: it's not that distant from getting loving it comparing to github :D11:36
f0ohaha I still feel very much at home with GH after 20 odd years of using it11:37
f0oSSH-CA patchset works11:38
f0olet me push the patch for all_addresses facts in ansible-plugins11:39
noonedeadpunkwell, depends-on and series of patches are really nice things. And that fork->PR->clean-up flow is smth I do hate now...11:39
f0oheh just skip the cleanup xD11:40
noonedeadpunkor when you see stale PR that owned by someone else, which you can't do anything with, except open the new one...11:40
f0othey changed that tho, you can now push into other's PRs if you're a maintainer11:40
noonedeadpunkyeah. if you own the project - it's simpler.11:41
noonedeadpunksure11:41
noonedeadpunkbut if you need to contribute to smth you don't own - it's painful imo. Especially painful smth like helm chart couple of years ago11:41
noonedeadpunkwhere each feature needs to increment a version number inside of the PR, resulting in constant conflict between everything11:42
noonedeadpunkanyway:)11:42
opendevreviewDaniel Preussker proposed openstack/openstack-ansible-plugins master: Add all_addresses facts to os_swift playbook  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/94689111:43
f0ooh yeah those things are pain, you can use GH Actions now but its also a pain11:43
noonedeadpunk`stderr: '/bin/sh: 1: set: Illegal option -o pipefail'`11:44
noonedeadpunkhttps://zuul.opendev.org/t/openstack/build/fbd95331f81b4d839c5dd12ea5e70990/log/job-output.txt#11689-1170311:44
f0oone step forward... two steps back...11:45
f0o:|11:45
f0obut I guess the pipefail linting were all warnings so I can just revert it11:45
noonedeadpunkyeah11:45
noonedeadpunkhttps://opendev.org/openstack/openstack-ansible/src/branch/master/.ansible-lint#L911:45
opendevreviewDaniel Preussker proposed openstack/openstack-ansible-os_swift master: Migrate role to use SSH CA  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/94686511:46
f0oos_swift seems to require crontab; what's the policy here? install cron or try to migrate the recon job to systemd timers?11:49
noonedeadpunksystemd timers....11:50
f0oezpz I'll staple that onto my current change11:51
noonedeadpunkI think this is a good example of it: https://opendev.org/openstack/openstack-ansible-os_cinder/src/branch/master/tasks/main.yml#L286-L30311:51
f0ooh awesome11:52
noonedeadpunkit's really better to make series of smaller changes11:52
noonedeadpunkunless their merge is blocked11:52
f0ofair11:52
f0othey all sort of depend on eachother11:52
noonedeadpunkso you can make just 2 commits in same branch and `git review` them independently11:52
f0oalso the sshca does not work.. just got asked for a password11:52
noonedeadpunkas gerrit distinguishes patches by their `Change-Id`11:53
noonedeadpunkso any commit with the same change-id will result in placing content in place, as a patchset11:54
inakotiHi. Quick question: The ansible roles under openstack-ansible have no stable 2025.1 branch(Epoxy) yet. Will it be coming later? Thanks in advance11:56
noonedeadpunkNeilHanlon: so... things went relatively well... Until faced cinder: https://zuul.opendev.org/t/openstack/build/d85f551fd67f44a68dc6aeef0a91892311:57
jrosserinakoti: deployment tooling projects always release later than the service projects in openstack, its basically chicken/egg otherwise11:57
noonedeadpunkinakoti: yes, sure it will come later. OSA has a trailing release model, meaning we have 2 months after coordinated release to adopt and release 11:57
jrosseryou can see the official release schedule here https://files.openstack.org/project/releases.openstack.org/flamingo/schedule.html11:58
noonedeadpunkJun 02 is the deadline for us11:58
jrosserso epoxy for deployment projects gets released ~10 weeks into the Flamingo dev cycle for the rest of openstack11:59
noonedeadpunkNeilHanlon: so I was kinda wondering about `libzstd(x86-64) >= 1.5.5` part.... 11:59
noonedeadpunkNeilHanlon: or you think it's worth to get python3-zstd from epel instead?11:59
noonedeadpunkjust what your suggestion would be on solving the conflict?12:00
noonedeadpunkinakoti: but hopefully we get a beta release next week12:00
jrossersoo much to merge though :(12:01
noonedeadpunkI'd say for beta we can have just https://review.opendev.org/c/openstack/openstack-ansible/+/946083 ?12:01
jrosseryou mean make the branch?12:01
noonedeadpunkit will hopefully pass in next 30m12:01
noonedeadpunknah12:01
noonedeadpunkbranch is made with RC12:01
noonedeadpunknot beta12:01
jrosseryeah ok sure12:02
jrosserf0o: you should be able to compare the ssh setup that got made with your swift changes to what you have for keystone/nova12:03
noonedeadpunkbeta is pretty much a milestone (which back in the days when evrardjp was PTL) that potentially should be even before coordinated release...12:03
f0ojrosser: the issue is that the synchronize module used to distribute the rings uses the root user while the sshca was set up for the swift user - I'm going to use the rsync command from the fernet keys distribution - funny enough the comment states that this should be moved to synchronize module. But synchronize does not support setting a user it seems12:05
jrosserhmm synchronise is tricky12:06
noonedeadpunkcan't you `become_user` for it? not sure, but it might work if `swift` has a shell12:06
noonedeadpunkbut yeah, it can be super tricky indeed12:07
jrosserit might be better to remove use of it totally12:08
inakotiThanks noonedeadpunk and jrosser. Will 2024.2 stable be compatible with 2025.1 openstack service projects? (We have a deliverable where we intend to upgrade standalone baremetal service to Epoxy by end of May)12:08
jrosserinakoti: possibly - sometimes you can run services from future versions, but you would need to test quite significantly and take steps to ensure that the future versions of services used the future set of upper-constraints12:10
noonedeadpunkyes, most likely. But then I guess I'd suggest to try out beta...12:10
noonedeadpunkand report back what is broken :D12:10
inakotiFor sure :)12:11
inakotiThanks again guys for the quick info12:11
jrosserdo you mean ironic when you say baremetal service?12:12
inakotiyes12:13
noonedeadpunkI'd hope by mid May to release an RC already TBH12:14
f0onoonedeadpunk: top of your head, how can I manually verify that sshca works?12:14
f0oshould I just be able to ssh from a swift-user into a different host?12:14
noonedeadpunkonly to one, which has swift as allowed principal 12:15
noonedeadpunkand from one which has a private key issued by the ca12:15
noonedeadpunkor smth like that....12:15
noonedeadpunkso generally it should be swift <-> swift ssh12:16
f0othen sshca does not work12:16
f0oyeah /etc/ssh/auth_principals/ is missing the swift_principals on one of my swift storage hosts12:17
f0oit does exist in the swift-proxy lxc container 12:17
f0owonder what went wrong there12:17
f0ohttps://paste.opendev.org/show/bT7aq9SzKsaHFWk76Xgj/ << I think that's the issue12:25
f0owhy would the trusted_ca be missing on the lxc_containers...12:25
jrosseryou could re-run the swift playbook with `--tags swift-key`to check exactly what happens for that part12:30
noonedeadpunkyeah, it's hard to guess without some output12:31
f0oSo it places OpenStack-Ansible-SSH-Signing-Key into /etc/ssh/trusted_ca.d12:31
f0ois the config supposed to reference that instead of /etc/ssh/trusted_ca ?12:33
noonedeadpunkthere should be a handler: https://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/roles/ssh_keypairs/handlers/main.yml#L16-L2012:34
noonedeadpunkwhich combines all /etc/ssh/trusted_ca.d/ to /etc/sshd/trusted_ca12:34
f0o'Regenerate trusted_ca file' is not being executed12:35
noonedeadpunkso it should be called here https://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/roles/ssh_keypairs/tasks/standalone/install_ssh_ca.yml#L32-L4212:35
f0othat is being executed but then it goes immediately to 'Remove sshd trusted authorities for absent CA'12:36
noonedeadpunkyeah, handler is executed closer to the end of the play12:37
f0owhich ironically also calls the regenerate but that is not being executed anywhere in the logs12:37
f0oit ends with: TASK [openstack.osa.ssh_keypairs : Copy ssh keys to target] ********************12:37
f0othen comes osa.mq_setup12:37
f0oh1_2-swift-proxy-container-a9384c07 : ok=24   changed=0    unreachable=0    failed=0    skipped=24   rescued=0    ignored=012:37
f0ois there like a wgetpaste somewhere?12:37
noonedeadpunkhttps://paste.openstack.org/ ? or?12:38
f0ohttps://paste.opendev.org/show/bM4hdSYDdufIJV4g8CJx/12:40
f0oonly had to scp it around a billion times heh12:40
noonedeadpunkso handler only executes if task is `changed`12:41
noonedeadpunkand it's not if all content already there12:41
f0oso if I delete the file and rexec it, it should generate it?12:42
noonedeadpunkthere can be a corner case where things were placed, but the host failed and handler not executed as a result of failure12:42
noonedeadpunkyeah, if you delete and re-exec it should generate it12:42
f0olet's see, deleted12:42
f0oyou're right it did it12:43
f0owouldnt it be safer to always regenerate it?12:43
f0oit seems like a nobrainer operation12:43
opendevreviewMerged openstack/ansible-role-frrouting master: Remove become blocks from tasks  https://review.opendev.org/c/openstack/ansible-role-frrouting/+/94611512:44
opendevreviewMerged openstack/ansible-role-frrouting master: Use FQCN for module calls  https://review.opendev.org/c/openstack/ansible-role-frrouting/+/93827312:44
opendevreviewMerged openstack/ansible-role-frrouting master: Use OSA_TEST_REQUIREMENTS_FILE for molecule job  https://review.opendev.org/c/openstack/ansible-role-frrouting/+/93930012:44
noonedeadpunkwell... I'd rather did a variable flag to force paste12:44
noonedeadpunklike clean-up all auth providers before placing new ones12:44
f0oI have rings!12:45
noonedeadpunkawesome!12:45
f0oyes almost there :D12:46
f0othe systemd unit expects the rings to be elsewhere, this might be a distro specific thing12:46
noonedeadpunkso, https://review.opendev.org/c/openstack/openstack-ansible/+/946083 has just passed CI, so let's land it and a follow-up change right away12:46
noonedeadpunkAnd I'll propose beta with that :)12:47
noonedeadpunkmgariepy: damiandabrowski ^12:47
f0onow that I know that sshca works, I'll switch back to synchronize and give the become:swift a try12:50
opendevreviewDmitriy Rabotyagov proposed openstack/ansible-role-systemd_service master: Remove quotes from conditional statements  https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/94194612:51
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add openstack_user_config verification playbook as healthcheck  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/93898012:52
f0onoonedeadpunk: synchronize does not seem to care about become:true;become_user:swift13:02
opendevreviewDaniel Preussker proposed openstack/openstack-ansible-os_swift master: Migrate role to use SSH CA  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/94686513:07
jrosserf0o: how many files are there in the swift rings definition?13:11
f0o{account,container,object}.builder {account,container,object}.ring.gz and a few object-N.ring.gz13:12
f0oI guess the N is the zones. at least it matches to the 3 zones I got13:12
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-rabbitmq_server master: Ensure that failures are fatal for upgrade_check  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/94623413:15
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-rabbitmq_server master: Fix quorum/stream queues if they're below minimal size  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/94626813:15
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-rabbitmq_server master: Execute rabbitmq post_upgrade hook  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/94627013:15
opendevreviewDaniel Preussker proposed openstack/openstack-ansible-os_swift master: Migrate role to use SSH CA  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/94686513:26
opendevreviewDaniel Preussker proposed openstack/openstack-ansible-os_swift master: Migrate role to use SSH CA  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/94686513:33
*** noonedeadpunk_ is now known as noonedeadpunk13:35
opendevreviewDaniel Preussker proposed openstack/openstack-ansible-os_swift master: Migrate role to use SSH CA  https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/94686513:39
f0otried to be smart to merge two tasks into one. failed miserably. so it stays at two13:39
jrosserdont be afraid to make several small commits, they can be easier to review13:41
f0othese do all tie into the sshca thing tho, maybe the timers could be split out13:41
jrosserif you make several commits locally all on top of each other and then do `git review` at the top one, they will get submitted as a series with the concept that they stack on each other being preserved13:42
jrosseryes its fine, just giving pointers for the future :)13:42
f0ooooh13:42
f0ogood to know13:42
jrosserits particularly important if you find a bug and want it backported to a stable branch13:42
f0oI'm very new to gerrit13:42
jrosserso this is a thing that you basically can't do with github workflow13:43
f0othat is true13:43
jrosserif you look at this one https://review.opendev.org/c/openstack/openstack-ansible/+/94604313:43
jrossersee the box "relation chain", thats got 4 patches stacked up on each other in order13:44
jrosserthose are all patches in the same repo13:44
jrosserand then in the commit message there are two "Depends-On" lines13:44
jrosserthose say that "this other patch in another repo must be applied when testing this one"13:45
jrosserand by extension, "this other patch in another repo must merge before this one"13:45
opendevreviewMerged openstack/openstack-ansible-os_blazar master: Auto-fix usage of modules via FQCN  https://review.opendev.org/c/openstack/openstack-ansible-os_blazar/+/94132513:47
f0oI cannot get the regeneration of trusted_ca to trigger reliably13:48
*** frickler_ is now known as frickler13:48
f0oI got 3 hosts that wont get it, even if I remove the trusted_ca.d/* like I did before13:48
f0odo I need to remove the trusted_ca.d/* from all hosts in the group for the handler to retrigger correctly?13:49
jrosserfor a handler, you need to find the condition that triggers it13:49
jrosserand when that task is "changed" the handler will run13:49
f0ohttps://opendev.org/openstack/openstack-ansible-plugins/src/branch/master/roles/ssh_keypairs/tasks/standalone/install_ssh_ca.yml#L32-L4213:49
f0othat is run, the file is placed into trusted_ca.d but no regeneration is triggered13:50
f0onvmd. It was triggered at the very end of the playbook - after everything has been already failing since it cant copy the rings13:50
f0ocan I somehow force it to run the handler a bit earlier?13:50
opendevreviewMerged openstack/openstack-ansible-os_neutron master: Remove lxb driver support from the role  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/94614513:52
noonedeadpunknot really afaik13:52
f0ohow do I solve this chicken-egg issue then?13:53
f0oI cant copy the rings because the trust isnt setup until after the rings are being attempted to be copied13:53
jrosserhandlers always run at the end of the play13:55
jrosseri think that there is a similar situation in keystone perhaps13:55
noonedeadpunkf0o: you can flush_handlers13:55
noonedeadpunkhttps://docs.ansible.com/ansible/latest/collections/ansible/builtin/meta_module.html13:56
opendevreviewMerged openstack/openstack-ansible-os_barbican master: Auto-fix usage of modules via FQCN  https://review.opendev.org/c/openstack/openstack-ansible-os_barbican/+/94132213:56
noonedeadpunkmaybe it makes sense to add this to the end of ssh_keypairs tasks/main.yml13:56
noonedeadpunkbut it can actually trigger unexpected things as well13:57
jrosseri would worry about flush_handlers13:57
jrosserkeystone is https://github.com/openstack/openstack-ansible-os_keystone/blob/master/tasks/main_pre.yml13:57
jrosserand https://github.com/openstack/openstack-ansible-plugins/blob/master/playbooks/keystone.yml#L53-L6113:57
f0oso keystone solved it by running the sshkeygen in a different playbook before the actual installation13:59
f0oI mean I can do the same, swift doesnt have that but I can make a patch for it14:00
f0ojust seems like this is adding more and more creep14:00
f0osoon I touched every bit of it :D14:00
noonedeadpunkhehe14:00
noonedeadpunkand you said you're not that good in ansible :D14:00
f0oI'm not I'm just smashing buttons and copypasta and it somehow works :D14:01
jrosseri think that whats happening is that we've come across similar problems in the other roles, and there are good patterns you can lift14:01
opendevreviewMerged openstack/openstack-ansible-os_aodh master: Auto-fix usage of modules via FQCN  https://review.opendev.org/c/openstack/openstack-ansible-os_aodh/+/94132014:02
jrosserits just very hard to keep on top of all the roles, particularly if you're not using them personally14:02
opendevreviewMerged openstack/openstack-ansible-memcached_server master: Auto-fix usage of modules via FQCN  https://review.opendev.org/c/openstack/openstack-ansible-memcached_server/+/94150414:12
noonedeadpunkomfg, I've started looking at image decompressing code....14:13
noonedeadpunkquite some complexity has built up in image upload, I'd say14:14
jrosserthis is in glance itself?14:15
noonedeadpunkand specifically around checksums....14:15
noonedeadpunknah, it's all possible different scenarios14:15
noonedeadpunkwhat if a path supplied, what if it's url, what if there's a checksum14:15
noonedeadpunkand not with compression - there's an archive checksum and decompressed image checksum14:16
noonedeadpunk*now with14:16
noonedeadpunkand then there's gz, xz, etc...14:16
noonedeadpunkand then what to do if archive checksum does match, but decompressed image checksum does not match with what is supplied14:21
opendevreviewMerged openstack/openstack-ansible-os_horizon master: Auto-fix usage of modules via FQCN  https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/94144514:24
noonedeadpunkjrosser: do you remember if glance verifies checksum provided by user comparing to what it receives as image? I think yes, right?14:44
jrosseri think so?14:45
jrosserand doesnt that also get used perhaps by nova or something later if the image is moved to a compute14:45
* jrosser not sure14:45
noonedeadpunkyeah, but glance calculates checksum if it's not provided I think... not sure14:46
noonedeadpunkbut just decided to double-check14:46
noonedeadpunkas a bit /o\14:46
jrosserbut then there is also image signing stuff thats more complicated again14:47
noonedeadpunkyeah, that requires barbican iirc14:49
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add ability to decompress images for upload  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/94691814:55
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible master: Define parameters to decompress magnum image before upload  https://review.opendev.org/c/openstack/openstack-ansible/+/94691915:04
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-os_magnum master: Use libxslt1-dev package instead of unversioned one  https://review.opendev.org/c/openstack/openstack-ansible-os_magnum/+/94656015:04
noonedeadpunkI guess it will break terribly...15:04
opendevreviewMerged openstack/openstack-ansible master: Freeze roles for 31.0.0.0b1 release  https://review.opendev.org/c/openstack/openstack-ansible/+/94608315:21
noonedeadpunkrelease proposed: https://review.opendev.org/c/openstack/releases/+/94693715:54
noonedeadpunkhm.... .wtf https://zuul.opendev.org/t/openstack/build/cac47b4a97ce4ea18c2cc899f2a3b088/log/job-output.txt#11694-1172917:41
noonedeadpunkah17:42
noonedeadpunkfair enough17:42
noonedeadpunkno, not at all....17:45
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add ability to decompress images for upload  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/94691817:57
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add ability to decompress images for upload  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/94691817:57
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-plugins master: Add ability to decompress images for upload  https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/94691818:00
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: docs: forgot dot in releases info  https://review.opendev.org/c/openstack/openstack-ansible/+/94696121:24
opendevreviewIvan Anfimov proposed openstack/openstack-ansible master: docs: forgot dot in releases info  https://review.opendev.org/c/openstack/openstack-ansible/+/94696121:26
opendevreviewMerged openstack/openstack-ansible-os_neutron master: Auto-fix usage of modules via FQCN  https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/94137822:21
