Monday, 2025-07-21

05:49 <f0o> Moving the v6 onto a vlan made me notice that OVN-DHCP does not really work well when there are no OVN Routers attached to the network
05:49 <f0o> but at least (external) SLAAC will always work
05:50 <f0o> re DHCP I found that there were no dhcp-options set on the LRPs
06:34 <noonedeadpunk> good morning
06:35 <noonedeadpunk> hm, I indeed can't recall how dhcp does behave without router....
08:20 <noonedeadpunk> jrosser: do you mind proposing your venv patch to the fork https://github.com/adriacloud/ansible-collection-kubernetes ?
08:21 <noonedeadpunk> spent some time yesterday on bumping versions and tested OS as well
08:21 <noonedeadpunk> as it's been a week after our previous discussion and pings...
09:16 <opendevreview> Dmitriy Chubinidze proposed openstack/openstack-ansible master: Deprecate br-vlan bridge usage  https://review.opendev.org/c/openstack/openstack-ansible/+/955457
09:27 <opendevreview> Dmitriy Chubinidze proposed openstack/openstack-ansible master: Deprecate br-vlan bridge usage  https://review.opendev.org/c/openstack/openstack-ansible/+/955457
09:31 <noonedeadpunk> folks, should we try out and go ahead with https://review.opendev.org/c/openstack/openstack-ansible/+/949497 ?
13:05 <jrosser> noonedeadpunk: i made a PR for the venv patch - not even looked at the code to see if we need to fix/improve it at all though
13:07 <noonedeadpunk> hm, why didn't I get any email for that...
13:31 <noonedeadpunk> I merged and tagged the repo
13:47 <jrosser> we should be able to switch the ops repo stuff over to point to that?
13:47 <noonedeadpunk> yeah, totally
13:47 <noonedeadpunk> though namespace should be changed in playbooks...
13:49 <noonedeadpunk> I didn't play enough with azimuth driver though...
13:50 <noonedeadpunk> will propose patch though
14:02 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: Switch to using vexxhost.kubernetes fork  https://review.opendev.org/c/openstack/openstack-ansible-ops/+/955476
14:12 <jrosser> damiandabrowski: are we talking about two completely different things about private keys in https://review.opendev.org/c/openstack/ansible-role-pki/+/954239
14:14 <damiandabrowski> hmm maybe, what did you have in mind? :D
14:15 <jrosser> well, just that if we were doing this all again from scratch, the private key would have never been on the pki host
14:15 <jrosser> we would (should) have generated the private key on the target server and signed the CSR on the pki host
14:16 <jrosser> so if we did a v2 of the standalone backend, that's how it should work
14:17 <jrosser> my question really for the vault backend is if we are trying to follow the same semantics as the standalone backend, or follow best practice for the private key
14:18 <damiandabrowski> okay, but now we're not talking about my comment in https://review.opendev.org/c/openstack/ansible-role-pki/+/954239 but hashi_vault concept in general?
14:19 <damiandabrowski> i.e. you want to clarify if we want to generate a CSR and issue cert with this (using vault) or just obtain a certificate and key from vault directly
14:20 <damiandabrowski> i picked the latter because it's just simpler and I don't see any drawbacks. The key is not stored either on deploy host or in vault
14:22 <damiandabrowski> and I don't think that this approach is against best practices. Vault's docs explain it as an advantage
14:22 <damiandabrowski> "The PKI secrets engine generates dynamic X.509 certificates.
14:22 <damiandabrowski> With this secrets engine, services can get certificates without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete."
14:22 <damiandabrowski> https://developer.hashicorp.com/vault/docs/secrets/pki
14:24 <noonedeadpunk> `No matching distribution found for ansible-core==2.18.6` huh
14:24 <noonedeadpunk> oh, `osa-ubuntu-jammy-32GB`
14:28 <jrosser> there might be more appropriate nested virt labels with the new zuul image changes
14:28 <jrosser> but we need nested virt + 32G for sure
14:30 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: Switch CAPI jobs to noble  https://review.opendev.org/c/openstack/openstack-ansible-ops/+/955479
14:30 <noonedeadpunk> I _think_ I saw 16G ones as well recently...
14:30 <jrosser> ah those might work - not sure
14:30 <noonedeadpunk> which could be fine as well
14:30 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: Switch to using vexxhost.kubernetes fork  https://review.opendev.org/c/openstack/openstack-ansible-ops/+/955476
14:31 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: Switch to using vexxhost.kubernetes fork  https://review.opendev.org/c/openstack/openstack-ansible-ops/+/955476
14:32 <opendevreview> Damian Dąbrowski proposed openstack/ansible-role-pki master: Add hashi_vault backend  https://review.opendev.org/c/openstack/ansible-role-pki/+/948881
14:33 <jrosser> damiandabrowski: how would we deal with an improved standalone v2 backend if the handler to build the key/cert bundle was removed from the roles?
14:42 <damiandabrowski> yeah, from the perspective of "standalone v2 backend" it may be problematic :/
14:42 <damiandabrowski> but current behavior may be problematic as well
14:42 <damiandabrowski> Let's imagine that someone uses ansible-role-pki with some custom software that also expects cert+key combined in a single file.
14:43 <damiandabrowski> They would need to prepare that file outside ansible-role-pki (like we do with this 'regen pem' handler) which just doesn't look optimal to me.
14:43 <damiandabrowski> so idk...maybe there is no perfect solution
15:07 <noonedeadpunk> jrosser: btw there was another thing about networkd and proxy and chicken-egg situation
15:08 <jrosser> yeah i saw /o\
15:08 <noonedeadpunk> as using different values depending on lxc/metal does not work as expected when things are delegated
15:08 <noonedeadpunk> I guess we'd need to use delegate_facts, but ugh
15:08 <jrosser> tbh different values is probably something no one ever wants to do
15:09 <noonedeadpunk> yeah
15:09 <jrosser> so the danger is making the test case somehow weird that doesn't match reality
15:12 <noonedeadpunk> yeah
15:12 <noonedeadpunk> but I really don't know a good solution at this point
15:12 <noonedeadpunk> except accepting that containers will be able to communicate with public VIP.
15:13 <noonedeadpunk> which we do not want to do to test that everything is communicating over internal one
15:15 <noonedeadpunk> or make exception for proxy job and br-mgmt and make it the only case which is provisioned in aio
15:15 <noonedeadpunk> or just give up on this specific thing
15:22 <jrosser> well or maybe it's just that we are missing some IP on the host that's set up right at the start, purely for test fixtures
15:22 <jrosser> and it's just never part of the openstack deployment, maybe only a route to it
15:49 <noonedeadpunk> I am not sure I caught the idea tbh
15:50 <noonedeadpunk> as all hosts are coming with a single interface/ip on it
16:04 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: Switch to using vexxhost.kubernetes fork  https://review.opendev.org/c/openstack/openstack-ansible-ops/+/955476
16:05 <noonedeadpunk> it seems we don't really consume/respect depends-on for ops repo nowadays
16:05 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-ops master: Drop vexxhost.kubernetes from requirements  https://review.opendev.org/c/openstack/openstack-ansible-ops/+/955493
16:06 <noonedeadpunk> or well... partially at least
16:06 <noonedeadpunk> as https://zuul.opendev.org/t/openstack/build/80d65747972b431d99cddcac45321076 is really off a bit
16:06 <noonedeadpunk> as while collection is no longer installed, playbook references are old
16:22 <opendevreview> Merged openstack/openstack-ansible-os_horizon master: Remove outdated option (SAHARA_AUTO_IP_ALLOCATION_ENABLED) and updated outdated URLs  https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/955425
16:26 <jrosser> noonedeadpunk: i think what i mean is having some other IP on the host (maybe a dummy interface?) that we just configure right at the start
16:27 <jrosser> that gives squid/step-ca/whatever an IP to bind to
16:28 <jrosser> then we could keep all the benefits of being able to configure the host networking that you've done in your patch
16:28 <jrosser> but make the CI / AIO specific bits separate from that
16:30 <noonedeadpunk> jrosser: and then make it reachable via route?
16:31 <jrosser> yeah, that seems the compromise in the middle of all this
16:31 <noonedeadpunk> ok
16:31 <jrosser> i like what you have done with your patch for configuring hosts completely
16:31 <jrosser> and it does seem a shame to lose that for the sake of a test case which actually would not happen in the same way outside CI
16:31 <noonedeadpunk> I'm not sure if step-ca needs that tbh, as we can do setup step-ca after setup-hosts easily, as it's needed only for setup-infrastructure
16:31 <noonedeadpunk> so it can be a hook easily
16:32 <noonedeadpunk> but proxy is very annoying thing :D
16:46 <noonedeadpunk> I'll check what can be done there
17:21 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Serve proxy on a standalone interface  https://review.opendev.org/c/openstack/openstack-ansible/+/955498
17:21 <noonedeadpunk> huh. it adds third test to the list - which are static routes inside of LXC...
17:23 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Serve proxy on a standalone interface  https://review.opendev.org/c/openstack/openstack-ansible/+/955498
17:24 <jrosser> oh that's cool - we still have the dummy interfaces early on
17:25 <noonedeadpunk> well. that was the thing I was trying to get rid of haha
17:25 <noonedeadpunk> but will leave this special proxy case I guess
17:25 <noonedeadpunk> as there's really no way around it
17:26 <noonedeadpunk> if it works ofc
17:33 <noonedeadpunk> and it does not :(
17:35 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Serve proxy on a standalone interface  https://review.opendev.org/c/openstack/openstack-ansible/+/955498
17:48 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Serve proxy on a standalone interface  https://review.opendev.org/c/openstack/openstack-ansible/+/955498
18:48 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Serve proxy on a standalone interface  https://review.opendev.org/c/openstack/openstack-ansible/+/955498
19:00 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Offload network provisionment for AIO to openstack_hosts  https://review.opendev.org/c/openstack/openstack-ansible/+/953570
19:02 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Offload kernel module management to openstack_hosts  https://review.opendev.org/c/openstack/openstack-ansible/+/953685
19:04 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Define losetup devices statically rather then dynamically  https://review.opendev.org/c/openstack/openstack-ansible/+/953770
19:09 <opendevreview> Merged openstack/openstack-ansible stable/2023.2: Bump SHAs for EOL-ing 2023.2  https://review.opendev.org/c/openstack/openstack-ansible/+/950893
19:27 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Offload network provisionment for AIO to openstack_hosts  https://review.opendev.org/c/openstack/openstack-ansible/+/953570
19:28 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Offload kernel module management to openstack_hosts  https://review.opendev.org/c/openstack/openstack-ansible/+/953685
19:28 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Define losetup devices statically rather then dynamically  https://review.opendev.org/c/openstack/openstack-ansible/+/953770

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!