*** whoami-rajat has joined #openstack-kolla | 00:09 | |
*** igordc has joined #openstack-kolla | 00:09 | |
*** KeithMnemonic has joined #openstack-kolla | 00:20 | |
*** KeithMnemonic has quit IRC | 00:47 | |
*** KeithMnemonic has joined #openstack-kolla | 00:49 | |
*** spsurya has joined #openstack-kolla | 01:05 | |
*** hamzy has joined #openstack-kolla | 01:17 | |
openstackgerrit | Merged openstack/kolla-cli master: Add group list command https://review.opendev.org/676201 | 01:20 |
---|---|---|
*** BjoernT_ has joined #openstack-kolla | 01:44 | |
*** BjoernT_ has quit IRC | 01:46 | |
*** BjoernT has quit IRC | 01:47 | |
*** KeithMnemonic has quit IRC | 02:17 | |
*** BjoernT has joined #openstack-kolla | 02:22 | |
*** whoami-rajat has quit IRC | 02:28 | |
*** BjoernT has quit IRC | 02:46 | |
*** strigazi has quit IRC | 03:09 | |
*** strigazi has joined #openstack-kolla | 03:10 | |
*** whoami-rajat has joined #openstack-kolla | 03:20 | |
*** gkadam has joined #openstack-kolla | 03:41 | |
*** gkadam has quit IRC | 03:41 | |
*** gkadam has joined #openstack-kolla | 03:43 | |
*** gkadam has quit IRC | 04:00 | |
*** absubram has quit IRC | 04:11 | |
*** absubram has joined #openstack-kolla | 04:30 | |
*** igordc has quit IRC | 05:02 | |
*** haria has quit IRC | 05:42 | |
*** cah_link has joined #openstack-kolla | 05:43 | |
*** absubram has quit IRC | 05:48 | |
mnasiadka | morning | 05:50 |
mnasiadka | cloudnull: would you have some time to look at https://review.opendev.org/#/c/675614/? Basically we are trying to bump up fluentd using TreasureData repo, but tripleo is removing all non-RedHat controlled repos. I guess it needs another override on tripleo side? | 05:56 |
mnasiadka | and now I need to find a solution for cyclic dependency... | 06:00 |
yoctozepto | mornin | 06:05 |
yoctozepto | mnasiadka: yeah, for Kien's haproxy change too ;/ | 06:06 |
*** dpawlik has joined #openstack-kolla | 06:11 | |
*** luksky has joined #openstack-kolla | 06:18 | |
*** skramaja has joined #openstack-kolla | 06:18 | |
*** dpawlik has quit IRC | 06:20 | |
*** dpawlik has joined #openstack-kolla | 06:23 | |
*** gfidente has joined #openstack-kolla | 06:24 | |
*** cah_link has quit IRC | 06:26 | |
*** gfidente has quit IRC | 06:30 | |
*** cah_link has joined #openstack-kolla | 06:31 | |
mnasiadka | yoctozepto: unless we can gather version of fluentd and base k-a templating on this - I don't think there is a way ;) | 06:39 |
mnasiadka | and then there is still fluentd vs td-agent | 06:40 |
*** lemko has joined #openstack-kolla | 06:43 | |
*** egon^ has joined #openstack-kolla | 06:56 | |
*** ivve has joined #openstack-kolla | 06:59 | |
*** cah_link has quit IRC | 07:13 | |
*** shyamb has joined #openstack-kolla | 07:16 | |
*** cah_link has joined #openstack-kolla | 07:16 | |
*** janki has joined #openstack-kolla | 07:23 | |
shyamb | Hi | 07:23 |
shyamb | I need to mount a nfs share on nova_compute container | 07:24 |
shyamb | during openstack deployment | 07:24 |
shyamb | any ideas are welcome | 07:24 |
*** shyamb has quit IRC | 07:41 | |
*** hamzaachi has joined #openstack-kolla | 07:41 | |
*** gfidente has joined #openstack-kolla | 07:53 | |
*** shyamb has joined #openstack-kolla | 07:53 | |
openstackgerrit | Isaac Prior proposed openstack/kolla master: Install Monasca plugin for Grafana by default https://review.opendev.org/676185 | 07:58 |
*** rgogunskiy has joined #openstack-kolla | 08:00 | |
*** dougsz has joined #openstack-kolla | 08:00 | |
mnasiadka | shyamb: mount the nfs on host level and add it to extra volumes? | 08:01 |
shyamb | mnasiadka: Hi | 08:09 |
shyamb | if you have any document on extra volumes, please forward to me | 08:10 |
shyamb | Thanks | 08:10 |
shyamb | I am new to this | 08:10 |
*** jbadiapa has joined #openstack-kolla | 08:12 | |
*** rpittau|afk is now known as rpittau | 08:18 | |
*** hamzaachi has quit IRC | 08:20 | |
shyamb | Hi | 08:21 |
shyamb | How to apply minor updates on kolla containers? | 08:21 |
shyamb | like if some bug fixes came and we got new docker image on the dockerhub for kolla | 08:22 |
shyamb | What it takes to deploy new containers on existing openstack cloud? | 08:22 |
yoctozepto | mgoddard, mnasiadka: ok, I studied the problem, it seems we can attack the cyclic dependency problem using little Zuul reconfig | 08:27 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: move to new config format of fluent-plugin-rewrite-tag-filter https://review.opendev.org/676131 | 08:27 |
yoctozepto | meaning we want to actually have non-voting but gating jobs :-) | 08:27 |
*** dougsz has quit IRC | 08:27 | |
yoctozepto | both k and k-a share the same gate queue | 08:27 |
yoctozepto | k-a does all the tests, we w+1 that change because it's all green | 08:28 |
yoctozepto | then w+1 the kolla change | 08:28 |
yoctozepto | gating starts | 08:28 |
yoctozepto | profit | 08:28 |
yoctozepto | otherwise we have to play circles with any interdependency lock | 08:29 |
mnasiadka | yoctozepto: if ^^ this passes, we might solve this with simple symbolic link, and then remove it afterwards :) | 08:29 |
mnasiadka | if centos provided fluent-plugin-rewrite-tag-filter supports new format | 08:30 |
mnasiadka | (configuration file format) | 08:30 |
yoctozepto | mnasiadka: I don't like that because you have to remember to undo some workaround | 08:31 |
yoctozepto | it also makes backporting tedious | 08:31 |
yoctozepto | and it can happen that workaround itself is tedious | 08:31 |
yoctozepto | then it's tedious squared :-) | 08:31 |
mnasiadka | if we can move to new config format in old plugin - that's at least one variable that we can rule out, and it's easy to backport it :) | 08:32 |
mnasiadka | and then we can think what to do next :D | 08:32 |
mnasiadka | second thing - we need to do it in a way that doesn't break anything | 08:32 |
yoctozepto | mnasiadka: this is obvious, I was re: the changing paths case | 08:32 |
mnasiadka | yeah, true | 08:33 |
*** luksky has quit IRC | 08:39 | |
*** dougsz has joined #openstack-kolla | 08:40 | |
openstackgerrit | Scott Solkhon proposed openstack/kolla-ansible master: Enable the Octavia panel in Horizon https://review.opendev.org/676176 | 08:43 |
*** janki has quit IRC | 08:44 | |
*** hamzaachi has joined #openstack-kolla | 08:45 | |
*** shyamb has quit IRC | 08:52 | |
*** factor has quit IRC | 08:58 | |
*** icarusfactor has joined #openstack-kolla | 08:58 | |
*** gfidente has quit IRC | 09:00 | |
*** jbadiapa has quit IRC | 09:03 | |
*** janki has joined #openstack-kolla | 09:06 | |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: Ceph-Ansible CI https://review.opendev.org/676376 | 09:13 |
*** luksky has joined #openstack-kolla | 09:13 | |
*** lemko has quit IRC | 09:13 | |
openstackgerrit | Radosław Piliszek proposed openstack/kolla master: CI: Gate on kolla-ansible jobs but make them not vote in check https://review.opendev.org/676377 | 09:16 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: Ceph-Ansible CI https://review.opendev.org/676376 | 09:18 |
hrw | elo | 09:18 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: Ceph-Ansible CI https://review.opendev.org/676376 | 09:19 |
yoctozepto | mnasiadka: it's not a Zuul project | 09:21 |
yoctozepto | clone as you would in real life | 09:21 |
yoctozepto | ;-) | 09:21 |
hrw | aarch64-- | 09:22 |
mnasiadka | yoctozepto: you can destroy any playground, right? ;) | 09:23 |
*** hamzaachi has quit IRC | 09:23 | |
yoctozepto | mnasiadka: no, I can save your sanity | 09:24 |
mnasiadka | yoctozepto: just laughing | 09:25 |
mnasiadka | yoctozepto: there was something like zuul-cloner in the past, right? or should I just do old school git clone? :D | 09:25 |
yoctozepto | mnasiadka: I believe they got rid of it | 09:26 |
yoctozepto | or at least deprecated it | 09:26 |
yoctozepto | you need to check | 09:26 |
*** ktibi has joined #openstack-kolla | 09:31 | |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: Ceph-Ansible CI https://review.opendev.org/676376 | 09:34 |
mnasiadka | yoctozepto, mgoddard: so the new config format for fluent-plugin-rewrite-tag-filter is not supported for the version available from CentOS opstools, so we're back to square one | 09:35 |
yoctozepto | mnasiadka: :-( ;-( | 09:37 |
*** janki has quit IRC | 09:40 | |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: Ceph-Ansible CI https://review.opendev.org/676376 | 09:41 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: move to new config format of fluent-plugin-rewrite-tag-filter https://review.opendev.org/676131 | 09:43 |
hrw | I am going to do something not popular | 09:43 |
hrw | aarch64 ci jobs need to be limited to some set of images | 09:43 |
hrw | I do not plan to make enemies in infra by saying 'we will bump linaro-london infra flavour to 24-48 vcpu' | 09:44 |
*** hamzaachi has joined #openstack-kolla | 09:45 | |
*** icarusfactor has quit IRC | 09:51 | |
*** icarusfactor has joined #openstack-kolla | 09:51 | |
yoctozepto | hrw: lol, is it that slow? are you able to pinpoint the slowness pain points maybe? | 09:51 |
hrw | yoctozepto: when I have whole machine for kolla build then (24 threads on 48 cores) I build all 1:37 | 09:52 |
hrw | yoctozepto: will dig in logs | 09:52 |
*** shyamb has joined #openstack-kolla | 09:52 | |
openstackgerrit | Scott Solkhon proposed openstack/kolla-ansible master: Add support for Swift S3 API https://review.opendev.org/676181 | 09:53 |
openstackgerrit | Scott Solkhon proposed openstack/kolla-ansible master: Add support for Swift S3 API https://review.opendev.org/676181 | 09:55 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: Bump up fluentd https://review.opendev.org/676131 | 09:55 |
*** hamzaachi has quit IRC | 09:58 | |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: Ceph-Ansible CI https://review.opendev.org/676376 | 09:59 |
hrw | (took 1:54:21.350122)openstack-base | 09:59 |
hrw | (took 1:30:53.922842)haproxy | 09:59 |
hrw | (took 1:25:51.163077)nova-libvirt | 09:59 |
hrw | (took 1:11:07.828314)ceph-base | 09:59 |
hrw | (took 0:54:00.665875)helm-repository | 09:59 |
hrw | wow. | 10:00 |
hrw | looks like complete i/o starvation | 10:01 |
openstackgerrit | Scott Solkhon proposed openstack/kolla-ansible master: Fix idempotency of fluentd customisations https://review.opendev.org/676216 | 10:05 |
hrw | mailed linaro team | 10:10 |
hrw | (took 0:23:42.756531) openstack-base [0/1893] | 10:11 |
hrw | (took 0:22:35.261580) gnocchi-base | 10:11 |
hrw | (took 0:20:12.330347) neutron-base | 10:12 |
hrw | (took 0:19:54.850329) gnocchi-base | 10:12 |
hrw | ops | 10:12 |
hrw | (took 0:23:42.756531) openstack-base | 10:12 |
hrw | (took 0:22:35.261580) gnocchi-base | 10:12 |
hrw | (took 0:20:12.330347) neutron-base | 10:12 |
hrw | (took 0:19:54.850329) gnocchi-base | 10:12 |
hrw | (took 0:19:14.864279) dragonflow-base | 10:12 |
hrw | those are results from other machine. | 10:12 |
mnasiadka | you've got an SSA disk? :) | 10:12 |
*** ktibi has quit IRC | 10:12 | |
hrw | mnasiadka: ? | 10:13 |
mnasiadka | hrw: just laughing, it's been some time since SSDs are a commodity, so that difference is weird :) | 10:14 |
hrw | mnasiadka: those shorter ones are from machine with just HDD | 10:14 |
mnasiadka | hrw: yeah, so maybe your disk is some kilometers away in 1st case :) | 10:15 |
hrw | normal, plain sata drive | 10:15 |
hrw | (took 0:24:03.951729) gnocchi-base | 10:16 |
hrw | (took 0:10:18.461530) neutron-base | 10:16 |
hrw | (took 0:09:40.747166) nova-base | 10:16 |
hrw | (took 0:09:23.770550) horizon | 10:16 |
hrw | other HDD machine | 10:17 |
hrw | but cache did a lot in both situations | 10:17 |
hrw | have to do build with clean docker | 10:17 |
*** gfidente has joined #openstack-kolla | 10:27 | |
*** dougsz has quit IRC | 10:28 | |
shyamb | Hi | 10:28 |
shyamb | Do we have document to apply container updates? | 10:28 |
shyamb | not release upgrade | 10:29 |
shyamb | We just want to get latest containers from dockerhub and deploy on existing cloud | 10:30 |
shyamb | It's rocky ubuntu | 10:30 |
*** hamzaachi has joined #openstack-kolla | 10:32 | |
hrw | fresh build started on one machine with clear docker to compare | 10:33 |
hrw | shyamb: you remind me to finally play with such | 10:34 |
*** shyamb has quit IRC | 10:35 | |
*** dpawlik has quit IRC | 10:41 | |
*** shyamb has joined #openstack-kolla | 10:42 | |
*** dougsz has joined #openstack-kolla | 10:44 | |
openstackgerrit | Scott Solkhon proposed openstack/kolla-ansible master: HAProxy backend connection limits https://review.opendev.org/676232 | 10:44 |
hrw | and build on another | 10:45 |
shyamb | extra_volumes feature is not working | 10:46 |
*** hamzaachi has quit IRC | 10:46 | |
shyamb | I wanted to add extra mount to nova_compute | 10:46 |
shyamb | I added "nova_compute_extra_volumes: | 10:46 |
shyamb | - "/var/triliovault-mounts/MTkyLjE2OC4xLjMzOi9tbnQvdHZhdWx0:/var/triliovault-mounts/MTkyLjE2OC4xLjMzOi9tbnQvdHZhdWx0" | 10:46 |
shyamb | " | 10:46 |
shyamb | to globals.yaml | 10:46 |
shyamb | cleaned nova_compute container | 10:47 |
shyamb | and re-run kolla-ansible deploy command | 10:47 |
shyamb | I see nova_compute container does not have this extra mount | 10:47 |
shyamb | Am I missing anything? | 10:47 |
hrw | shyamb: nova_extra_volumes | 10:50 |
hrw | nova_compute_extra_volumes: "{{ nova_extra_volumes }}" | 10:50 |
*** priteau has joined #openstack-kolla | 10:50 | |
hrw | it will be added to each nova container | 10:50 |
shyamb | hrw: We just want to add this mount to nova_compute | 10:51 |
shyamb | not possible? | 10:51 |
hrw | shyamb: change ansible roles for nova then | 10:52 |
yoctozepto | <shyamb> Do we have document to apply container updates? | 10:52 |
yoctozepto | I don't remember if we do | 10:52 |
hrw | shyamb: as by default you should use 'nova_extra_volumes' | 10:52 |
yoctozepto | but it's simple as | 10:53 |
yoctozepto | kolla-ansible pull | 10:53 |
yoctozepto | kolla-ansible deploy | 10:53 |
hrw | shyamb: ansible/roles/nova/defaults/main.yml | 10:53 |
shyamb | hrw: okay | 10:53 |
shyamb | I will try nova_extra_volumes | 10:53 |
shyamb | this will work without changing nova role, right? | 10:54 |
shyamb | yoctozepto: Got it | 10:54 |
shyamb | thanks | 10:54 |
*** hamzaachi has joined #openstack-kolla | 10:55 | |
shyamb | hrw: In this case, if cloud is already deployed, do we need to clean the nova containers? | 10:55 |
shyamb | or just deploy with new globals.yaml will add the mount to existing containers? | 10:55 |
hrw | no idea, sorry | 10:56 |
shyamb | hrw: thanks | 10:59 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: Ceph-Ansible CI https://review.opendev.org/676376 | 11:02 |
mnasiadka | shyamb: no, kolla-ansible will compare running containers, and restart those that need it | 11:03 |
shyamb | mnasiadka: okay, great | 11:05 |
shyamb | I am testing it | 11:05 |
shyamb | thanks | 11:05 |
mnasiadka | yoctozepto: so, come again - what do we do with those fluentd changes? :) | 11:05 |
yoctozepto | shyamb, mnasiadka: in case of pull that would be all containers though :-) | 11:06 |
yoctozepto | since all images WILL change | 11:06 |
yoctozepto | (unless you run pull right after pull) | 11:07 |
yoctozepto | (they don't change THAT fast) | 11:07 |
yoctozepto | mnasiadka: no idea, mgoddard blocked me a bit | 11:07 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: Change fluentd to td-agent on CentOS https://review.opendev.org/676131 | 11:07 |
yoctozepto | we need some discussion around that | 11:07 |
mnasiadka | so let's wait for mgoddard :) | 11:07 |
*** dpawlik has joined #openstack-kolla | 11:09 | |
shyamb | mnasiadka: extra volumes not getting reflected if I do not clean existing containers | 11:10 |
shyamb | nova_extra_volumes: | 11:10 |
shyamb | - "/mnt/test-dir:/mnt/test-dir" | 11:10 |
shyamb | - "/var/triliovault-mounts/MTkyLjE2OC4xLjMzOi9tbnQvdHZhdWx0:/var/triliovault-mounts/MTkyLjE2OC4xLjMzOi9tbnQvdHZhdWx0" | 11:10 |
shyamb | cloud was already there | 11:11 |
shyamb | I just added extra volumes to global.yaml and re-run deploy command | 11:11 |
shyamb | this is not working | 11:11 |
*** kplant has joined #openstack-kolla | 11:15 | |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: Use Docker healthchecks https://review.opendev.org/676389 | 11:16 |
openstackgerrit | Radosław Piliszek proposed openstack/kolla-ansible master: WIP: CI: Zun jobs https://review.opendev.org/676390 | 11:21 |
hrw | mnasiadka, yoctozepto, mgoddard: https://review.opendev.org/#/c/672700/ (docker daemon.json) sits and waits | 11:26 |
hrw | ops, got comments. | 11:27 |
Blinkiz | Am not that familiar with OpenStack so am going to ask. I have the physical interface ens3f1 connected to all three control nodes. Neutron_external_interface is ens3f1. | 11:30 |
openstackgerrit | Marcin Juszkiewicz proposed openstack/kolla-ansible master: Modernize a way of configuring Docker daemon https://review.opendev.org/672700 | 11:31 |
Blinkiz | I now have configured on my switches so VLAN 1534 is delivered tagged to this interface ens3f1 on all control nodes. | 11:31 |
Blinkiz | What do I need to do now to get this as a network inside OpenStack? | 11:32 |
Blinkiz | It seems like ovs has configured the flat network physnet1. bridge_mappings is physnet1:br-ex | 11:32 |
Blinkiz | Should I discard the flat_networks = physnet1 and replace with network_vlan_ranges = physnet1:1000:4000? | 11:33 |
Blinkiz | Or am totally wrong for even looking at the ml2_conf.ini file? | 11:34 |
kplant | you could do something like: [ml2_type_vlan] network_vlan_ranges = physnet1 | 11:34 |
kplant | that would allow you to use any tag on physnet1 | 11:35 |
Blinkiz | kplant, Thank you for the answer. | 11:35 |
Blinkiz | kplant, So am at the right place anyway, ml2_conf.ini.. :) | 11:35 |
kplant | then you just add the provider network with tag 1534 in neutron | 11:35 |
*** skramaja has quit IRC | 11:36 | |
kplant | openstack network create some-netwrk --external --provider-physical-network physnet1 --provider-network-type vlan --provider-segment 1534 | 11:36 |
kplant | as long as: physnet1 -> br-ex -> ens3f1 | 11:36 |
kplant | that should work | 11:36 |
Blinkiz | kplant, great! | 11:37 |
yoctozepto | hrw: blessed you with a ton of comments | 11:37 |
hrw | yoctozepto: blessed you will be | 11:38 |
Blinkiz | kplant, Is there any reason to avoid defining all VLANs (leaving the range empty) because VLANs like network_interface, api_interface and such exist here also. | 11:38 |
yoctozepto | Blinkiz: security | 11:39 |
kplant | ^ | 11:39 |
Blinkiz | I guess not because I choose with --provider-segment but I ask anyway :) | 11:39 |
kplant | if you don't trust your operators | 11:39 |
yoctozepto | kplant: administrators* | 11:39 |
yoctozepto | you are operator :D | 11:39 |
Blinkiz | okay. Thanks for the answer :) | 11:39 |
kplant | and if someone gets access that shouldn't, they could snipe layer 2 traffic | 11:39 |
yoctozepto | in the official terminology | 11:39 |
kplant | yoctozepto: :-) | 11:39 |
Blinkiz | kplant, Thank you for the help. | 11:40 |
kplant | yw | 11:40 |
*** factor__ has joined #openstack-kolla | 11:41 | |
*** icarusfactor has quit IRC | 11:43 | |
*** shyamb has quit IRC | 11:45 | |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: Use Docker healthchecks https://review.opendev.org/676389 | 11:51 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla master: Add OPENSTACK_RELEASE to before-rc1 https://review.opendev.org/675588 | 11:56 |
openstackgerrit | Radosław Piliszek proposed openstack/kolla-ansible master: Add missing Octavia policy file to Horizon https://review.opendev.org/676176 | 12:01 |
*** shyamb has joined #openstack-kolla | 12:02 | |
*** factor__ has quit IRC | 12:02 | |
shyamb | extra_volumes feature is not working at all | 12:03 |
openstackgerrit | Marcin Juszkiewicz proposed openstack/kolla-ansible master: Modernize a way of configuring Docker daemon https://review.opendev.org/672700 | 12:06 |
hrw | yoctozepto: your comments addressed or replied | 12:08 |
cloudnull | mnasiadka on it | 12:10 |
mnasiadka | cloudnull: cool | 12:12 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla master: Change fluentd to td-agent on CentOS https://review.opendev.org/675614 | 12:12 |
mnasiadka | good I just realised I would break fluentd on CentOS arm64 completely :D | 12:12 |
shyamb | Logged this bug: https://bugs.launchpad.net/kolla/+bug/1840142 | 12:19 |
openstack | Launchpad bug 1840142 in kolla "kolla-ansible : service level extra_volumes feature not working" [Undecided,New] | 12:19 |
shyamb | for extra_volumes feature | 12:19 |
kplant | i occasionally get "Error response from daemon: No such container: mariadb" when trying to deploy an aio on centos7 from stable/stein | 12:22 |
kplant | anybody else get that? | 12:22 |
hrw | (took 0:56:20.985358) openstack-base | 12:23 |
hrw | that looks wrong but still better than 1:56 | 12:23 |
*** luksky has quit IRC | 12:24 | |
openstackgerrit | Merged openstack/kolla-ansible master: Add support for Swift S3 API https://review.opendev.org/676181 | 12:28 |
*** shyamb has quit IRC | 12:36 | |
mnasiadka | yoctozepto: https://review.opendev.org/676402 - it will work ;) | 12:40 |
yoctozepto | mnasiadka: you prefer this way? | 12:43 |
yoctozepto | you really like the play :D | 12:43 |
mnasiadka | yoctozepto: I prefer zuul retrying cloning than me doing it | 12:43 |
yoctozepto | mnasiadka: good point | 12:44 |
yoctozepto | though does it retry? | 12:44 |
yoctozepto | never checked | 12:44 |
mnasiadka | yoctozepto: zuul guys claim it does :) | 12:44 |
yoctozepto | hrw: cool, will see later :-) | 12:44 |
yoctozepto | mnasiadka: gr8 then | 12:44 |
yoctozepto | mnasiadka: ok, read that discussion, sounds promising to use | 12:45 |
*** KeithMnemonic has joined #openstack-kolla | 12:46 | |
mnasiadka | yoctozepto: yeah, especially depends-on | 12:46 |
*** priteau has quit IRC | 12:48 | |
*** luksky has joined #openstack-kolla | 12:52 | |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: WIP: Use Docker healthchecks https://review.opendev.org/676389 | 13:03 |
*** Blinkiz has quit IRC | 13:07 | |
yoctozepto | mnasiadka: exactly ;D | 13:09 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: Add docker inspect output to docker_info logs https://review.opendev.org/676408 | 13:10 |
mgoddard | shyamb: extra volumes support was added in stein, not rocky | 13:17 |
*** BjoernT has joined #openstack-kolla | 13:19 | |
*** hamzaachi has quit IRC | 13:22 | |
*** BjoernT has quit IRC | 13:23 | |
*** BjoernT has joined #openstack-kolla | 13:23 | |
mgoddard | yoctozepto: is it this one I blocked you on: https://review.opendev.org/#/c/676377 ? | 13:24 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla master: Change fluentd to td-agent on CentOS https://review.opendev.org/675614 | 13:33 |
mnasiadka | mgoddard: well, I agree that nonvoting and failing on gates probably is not the best idea - but I think we need to come up with some approach/logic towards those changes, that can't be made in a proper way (like the fluent-plugin-rewrite-tag-filter...) | 13:37 |
mnasiadka | mgoddard: I was thinking about adding some steps that would extract the plugin version and base the logic on that | 13:38 |
openstackgerrit | Scott Solkhon proposed openstack/kolla-ansible master: Wait for MariaDB to be accessible via HAProxy https://review.opendev.org/676219 | 13:38 |
mnasiadka | mgoddard: like add a LABEL to the docker image with version of the plugin and extract it using docker_container_facts (or similar) - probably the most straightforward option | 13:39 |
mgoddard | mnasiadka: I was just about to say that | 13:39 |
mgoddard | https://docs.docker.com/engine/reference/commandline/inspect/ | 13:39 |
mgoddard | you can get labels for an image | 13:39 |
mnasiadka | mgoddard: actually it would be awesome to have a LABEL with installed packages, but we would need to build the containers twice ;) | 13:40 |
mgoddard | ultimately, cyclic dependencies just show us a compatibility issue that our users will hit - we need to provide a smooth transition | 13:40 |
mnasiadka | somewhat true :) | 13:41 |
mgoddard | definitely - each time we break compat between images and ansible we get people asking questions in here for weeks or months | 13:41 |
mgoddard | and possibly lose some users | 13:41 |
mgoddard | I agree that having a standard pattern for handling this would be nice. Labels seem like an answer | 13:41 |
mgoddard | you probably want docker_image_info https://docs.ansible.com/ansible/latest/modules/docker_image_info_module.html#docker-image-info-module | 13:42 |
mgoddard | if we do find a way that works, let's write it up in the contributor guide, even if briefly | 13:43 |
mnasiadka | yeah, let me add the labels and adjust kolla-ansible in a set of changes | 13:45 |
mnasiadka | and then we will be able to merge the bump up (I hope) | 13:45 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla master: Add fluentd_binary and fluentd_version labels https://review.opendev.org/676411 | 13:47 |
mnasiadka | mgoddard: yeah, docker_image_info :) | 13:48 |
mnasiadka | mgoddard: well actually _facts, because _info showed up in 2.8 | 13:50 |
mgoddard | mnasiadka: ok | 13:50 |
openstackgerrit | Mark Goddard proposed openstack/kolla-ansible master: CI: Test accessing dashboard https://review.opendev.org/676412 | 13:54 |
openstackgerrit | Merged openstack/kolla-ansible master: Configure Telegraf to monitor Docker containers https://review.opendev.org/675421 | 14:00 |
kplant | ^ is there a process to backport that to stable/stein ? | 14:01 |
mgoddard | kplant: we normally only backport bug fixes | 14:02 |
kplant | ah okay - that makes sense | 14:03 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: Use fluentd image labels https://review.opendev.org/676413 | 14:07 |
*** hamzaachi has joined #openstack-kolla | 14:07 | |
*** cah_link has quit IRC | 14:09 | |
stingrayza | anybody here used application credentials? | 14:13 |
*** absubram has joined #openstack-kolla | 14:15 | |
*** absubram has quit IRC | 14:19 | |
*** dpawlik has quit IRC | 14:20 | |
*** absubram has joined #openstack-kolla | 14:25 | |
*** michaelbarkdoll has joined #openstack-kolla | 14:31 | |
rouk | stingrayza: yeah, quite a bit. | 14:31 |
rouk | not sure this is the right place to talk about application creds though. | 14:31 |
*** chason has joined #openstack-kolla | 14:34 | |
*** BjoernT_ has joined #openstack-kolla | 14:35 | |
*** BjoernT has quit IRC | 14:36 | |
stingrayza | I suppose #openstack-keystone would be better :) or mind if I go direct? | 14:37 |
rouk | #openstack is the place, the project channels are generally for dev/bugs, not support. | 14:37 |
stingrayza | ah, right - didn't know the base channel was there, thanks. will try that | 14:40 |
michaelbarkdoll | Would kolla-ansible be alright with using a bond0 trunked nic for the following settings: network_interface = "bond0.10" and kolla_external_vip_interface = "bond.20" in /etc/kolla/globals.yml? | 14:42 |
michaelbarkdoll | Would kolla-ansible be alright with using a bond0 trunked nic for the following settings: network_interface = "bond0.10" and kolla_external_vip_interface = "bond0.20" in /etc/kolla/globals.yml? | 14:42 |
rouk | michaelbarkdoll: we use bonds for everything, it works fine. | 14:42 |
michaelbarkdoll | Thanks | 14:43 |
rouk | we bond, then make subinterfaces per vlan, and tie it to that. | 14:43 |
yoctozepto | <mgoddard> yoctozepto: is it this one I blocked you on: https://review.opendev.org/#/c/676377 ? | 14:46 |
*** kevinz has joined #openstack-kolla | 14:46 | |
yoctozepto | yeah but 'blocked' in positive sense | 14:46 |
*** priteau has joined #openstack-kolla | 14:50 | |
*** luksky has quit IRC | 14:51 | |
mgoddard | Meeting in 6 minutes | 14:54 |
mgoddard | ^ mgoddard mnasiadka hrw egonzalez yoctozepto rafaelweingartne | 14:54 |
michaelbarkdoll | Ok, odd question. If I put a subinterface say bond0.10 as my kolla_external_vip_interface but I also want to use that same vlan (10) for external vm traffic on a trunk defined in neutron_external_interface = "bond1.10" (separate bond) would there be conflicts? | 14:57 |
yoctozepto | meeting in 1 minute | 14:59 |
yoctozepto | michaelbarkdoll: yes due to bridge br-ex capturing all traffic | 14:59 |
yoctozepto | since you most likely deploy controller with network on the same node | 14:59 |
*** scottsol has joined #openstack-kolla | 14:59 | |
michaelbarkdoll | Thanks, I'll have to avoid. Have a good meeting. | 14:59 |
yoctozepto | you could try using br-ex for vip_interface but I don't remember if the order of operations would allow that, probably not | 15:00 |
mgoddard | #startmeeting kolla | 15:00 |
openstack | Meeting started Wed Aug 14 15:00:19 2019 UTC and is due to finish in 60 minutes. The chair is mgoddard. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
*** openstack changes topic to " (Meeting topic: kolla)" | 15:00 | |
mgoddard | #topic rollcall | 15:00 |
openstack | The meeting name has been set to 'kolla' | 15:00 |
*** openstack changes topic to "rollcall (Meeting topic: kolla)" | 15:00 | |
yoctozepto | o/ | 15:00 |
mgoddard | \o | 15:00 |
yoctozepto | hrw, mnasiadka | 15:00 |
scottsol | o/ | 15:00 |
chason | o/ | 15:01 |
generalfuzz | o/ | 15:01 |
priteau | \o | 15:01 |
dougsz | o/ (sort of - in another meeting) | 15:01 |
mgoddard | #topic agenda | 15:03 |
*** openstack changes topic to "agenda (Meeting topic: kolla)" | 15:03 | |
mgoddard | * Roll-call | 15:03 |
mgoddard | * Announcements | 15:03 |
mgoddard | * Review action items from last meeting | 15:03 |
mgoddard | * Kolla whiteboard https://etherpad.openstack.org/p/KollaWhiteBoard | 15:03 |
mgoddard | * Kayobe Stein release status | 15:03 |
mgoddard | * Train release planning | 15:03 |
mgoddard | * Ceph ansible migration | 15:03 |
mgoddard | * Kolla Ansible TLS Internal API | 15:03 |
mgoddard | #topic announcements | 15:03 |
*** openstack changes topic to "announcements (Meeting topic: kolla)" | 15:03 | |
mgoddard | None from me. Anyone else? | 15:03 |
yoctozepto | no major | 15:04 |
mgoddard | #topic Review action items from last meeting | 15:04 |
*** openstack changes topic to "Review action items from last meeting (Meeting topic: kolla)" | 15:04 | |
mnasiadka | o/ (sorry for being late) | 15:04 |
mgoddard | mgoddard to ask infra about restarting gerrit | 15:04 |
mgoddard | mgoddard or someone else to check stable backports | 15:04 |
mgoddard | this week seemed to go very quickly, didn't do either | 15:05 |
mgoddard | #action mgoddard to ask infra about restarting gerrit | 15:05 |
mgoddard | #action mgoddard or someone else to check stable backports | 15:05 |
mgoddard | #topic Kolla whiteboard https://etherpad.openstack.org/p/KollaWhiteBoard | 15:05 |
*** openstack changes topic to "Kolla whiteboard https://etherpad.openstack.org/p/KollaWhiteBoard (Meeting topic: kolla)" | 15:05 | |
mgoddard | How is CI looking | 15:06 |
yoctozepto | mgoddard: never been greener when it comes to master/stein | 15:07 |
yoctozepto | did not check others | 15:07 |
mgoddard | that's what I like to hear | 15:07 |
mgoddard | Is everyone keeping their feature status up to date in the whiteboard? | 15:08 |
mgoddard | (in the priority list) | 15:08 |
yoctozepto | mine yeah, no progress since last meeting | 15:09 |
*** absubram has quit IRC | 15:09 | |
mgoddard | #topic Train release planning | 15:10 |
*** openstack changes topic to "Train release planning (Meeting topic: kolla)" | 15:10 | |
mgoddard | We covered this in detail last time, no need to go over it again IMO | 15:10 |
mgoddard | Please all just keep in mind the train release schedule | 15:10 |
mgoddard | #link https://releases.openstack.org/train/schedule.html | 15:11 |
mgoddard | (we will lag by 2+ weeks) | 15:11 |
mgoddard | #topic Kayobe Stein release status | 15:11 |
*** openstack changes topic to "Kayobe Stein release status (Meeting topic: kolla)" | 15:11 | |
mgoddard | priteau, dougsz: how are we looking? | 15:11 |
mgoddard | I'd like to cut a stable branch soon | 15:12 |
priteau | There are many patches that we could land soon | 15:12 |
mgoddard | quite a few patches with 1x +2 we could land before | 15:12 |
priteau | https://review.opendev.org/#/q/project:x/kayobe+is:open+branch:master+label:Code-Review%252B2 | 15:13 |
mgoddard | ok, let's get those patches in this week | 15:14 |
openstackgerrit | Scott Solkhon proposed openstack/kolla-ansible master: Decrypt keyring files using ansible-vault https://review.opendev.org/676441 | 15:14 |
priteau | And also should we proceed with the rename before branching, so there is not too much to change in both master and stable/stein? | 15:14 |
mgoddard | if there are others without +2 we want in, please add review priority | 15:14 |
dougsz | sounds good, will try and spend some time on them later today | 15:15 |
mgoddard | priteau: https://review.opendev.org/#/c/674505/ ? | 15:15 |
mgoddard | I think we need to wait for infra to do the rename | 15:16 |
mgoddard | should only need to cherry pick that patch to stable/stein | 15:16 |
*** rgogunskiy has quit IRC | 15:16 | |
*** rgogunskiy has joined #openstack-kolla | 15:17 | |
priteau | OK | 15:17 |
mgoddard | thanks dougsz | 15:18 |
mgoddard | #topic Ceph ansible migration | 15:18 |
*** openstack changes topic to "Ceph ansible migration (Meeting topic: kolla)" | 15:18 | |
mgoddard | mnasiadka: you're up | 15:18 |
*** dave-mccowan has joined #openstack-kolla | 15:18 | |
mnasiadka | Well, I have started CI work and some docs work | 15:18 |
mnasiadka | Will continue next week (I’m off tomorrow and on Fri) | 15:19 |
mnasiadka | So I’ll have more to say/show on Wed | 15:19 |
mgoddard | Did you want to discuss the overall approach? | 15:20 |
mnasiadka | Yeah | 15:20 |
mnasiadka | We have two options: | 15:20 |
mnasiadka | 1) role with importing ceph-ansible roles like OSA does | 15:20 |
mnasiadka | 2) totally separate flow of ceph deployment | 15:21 |
goldyfruit | o/ | 15:21 |
mnasiadka | mgoddard: currently I’m leaning towards 1), but would like to hear comments | 15:21 |
kplant | OSA's approach is better imo, it's nice to have the familiar interface. vars being the same as ceph-ansible, etc. | 15:22 |
kplant | importing what already works and people may be familiar with | 15:22 |
yoctozepto | (2) seems more like us though | 15:22 |
yoctozepto | "outsource what we can" | 15:22 |
yoctozepto | maybe we could get something in between | 15:23 |
mnasiadka | yoctozepto: it’s still outsourcing, just we need to run preparation tasks (which we need to do in 2) as well) | 15:23 |
yoctozepto | like orchestrating the basic set of services | 15:23 |
mgoddard | how much of ceph-ansible would we need to reimplement in order to just use the roles? | 15:23 |
mnasiadka | And then importing role by role from ceph-ansible | 15:23 |
yoctozepto | ok, this way... | 15:23 |
mnasiadka | mgoddard: generate vars, reuse our inventory and import roles in correct order | 15:24 |
yoctozepto | seems reasonable | 15:24 |
yoctozepto | you have my blessing with (1) | 15:24 |
mgoddard | would we execute these roles as part of the normal deploy? | 15:25 |
yoctozepto | unless it gets super clumsy, I will +2 it once done | 15:25 |
mgoddard | one change in the workflow I like about 2 is that it cleanly separates ceph and openstack | 15:26 |
mnasiadka | mgoddard: we can, or we make it separate command | 15:26 |
*** dave-mccowan has quit IRC | 15:26 | |
mnasiadka | Or we can do both... | 15:26 |
yoctozepto | mgoddard: yeah, I originally thought this way | 15:26 |
mgoddard | you can't accidentally modify your ceph cluster during an openstack upgrade | 15:26 |
yoctozepto | exactly ^ | 15:26 |
yoctozepto | the very reason I have my ceph cluster deployed externally - more control, less worries | 15:27 |
mgoddard | I'm open to 1), but would like to see a PoC before committing | 15:27 |
yoctozepto | though people MAY like the simplicity | 15:27 |
openstackgerrit | Merged openstack/kolla-ansible master: Add missing Octavia policy file to Horizon https://review.opendev.org/676176 | 15:27 |
mgoddard | mnasiadka: do you have code you could throw at gerrit? | 15:27 |
yoctozepto | mnasiadka: ^ even not working | 15:28 |
priteau | How complex is each approach to maintain as Ceph-Ansible evolves? | 15:28 |
mgoddard | that's a good question | 15:28 |
openstackgerrit | Mark Goddard proposed openstack/kolla-ansible master: CI: Test accessing dashboard https://review.opendev.org/676412 | 15:28 |
mnasiadka | mgoddard: I have some, I can push but that’s halfway done | 15:29 |
mgoddard | 2 is very simple to maintain - we just point to ceph-ansible docs | 15:29 |
mgoddard | how will we access ceph-ansible code? git clone from within kolla-ansible? | 15:31 |
mnasiadka | And make a writeup on using generated keys, basically updating external ceph docs | 15:31 |
mnasiadka | mgoddard: in CI I’m cloning, because CentOS rpms are uninstallable :) | 15:31 |
mnasiadka | At least 4.0 for now | 15:32 |
yoctozepto | <mgoddard> 2 is very simple to maintain - we just point to ceph-ansible docs | 15:32 |
yoctozepto | lol | 15:32 |
yoctozepto | we need to make docs of our own anyway | 15:32 |
yoctozepto | we had some on-channel report about ceph-ansible being incompatible with our manual for external ceph | 15:32 |
*** kevinz has quit IRC | 15:33 | |
yoctozepto | something cinder/nova key not being separate related | 15:33 |
mgoddard | I think there was a bug too | 15:33 |
mnasiadka | Not really incompatible, just default config is incompatible :) | 15:33 |
michaelbarkdoll | I clone ceph-ansible currently. Interesting the 4.0 branch started to require a grafana-server section to be defined which resulted in docker version mismatch if a ceph node is also used as a os node. | 15:33 |
*** rgogunskiy has quit IRC | 15:34 | |
mnasiadka | michaelbarkdoll: true, but you can override grafana container name | 15:34 |
yoctozepto | modern ops ("infrastructure as code" blah) advocates cloning everything ;-) | 15:34 |
yoctozepto | as in "git everywhere" | 15:34 |
yoctozepto | mnasiadka: any idea on ceph-ansible dynamics? | 15:35 |
yoctozepto | re: supporting the (1) option ^ | 15:35 |
mnasiadka | yoctozepto: I doubt they will change all role names next release | 15:36 |
mnasiadka | It’s rather small now, but what do I know | 15:36 |
yoctozepto | and the options we want/have to use is probably a small set? | 15:36 |
mnasiadka | RDO surprises us every release | 15:36 |
yoctozepto | heh | 15:37 |
mnasiadka | yoctozepto: yeah | 15:37 |
mnasiadka | So I’m still thinking about improving docs so it matches today’s state | 15:37 |
yoctozepto | since (2) is about adapting docs | 15:37 |
yoctozepto | we should do at least (2) and most probably (1) as well | 15:37 |
mnasiadka | And then we can think if we do (1) | 15:37 |
mgoddard | that's a fair point | 15:38 |
yoctozepto | ok, then all agreed | 15:38 |
yoctozepto | move on, mgoddard | 15:39 |
mgoddard | #topic Kolla Ansible TLS Internal API | 15:39 |
*** openstack changes topic to "Kolla Ansible TLS Internal API (Meeting topic: kolla)" | 15:39 | |
mgoddard | scottsol, stackedsax, kklimonda, generalfuzz: you're up | 15:39 |
generalfuzz | we met yesterday for a bit | 15:39 |
generalfuzz | we discussed the "local-proxy" approach, which we all felt would be a good first step, and then as a second step we would switch services to use native tls via wsgi one at a time. | 15:40 |
mgoddard | if we add an intermediate step, we would need to support it | 15:41 |
mgoddard | which could complicate things long term | 15:41 |
yoctozepto | generalfuzz: can you elaborate on "local-proxy" | 15:42 |
priteau | Does every single openstack service support tls? | 15:42 |
*** ivve has quit IRC | 15:42 | |
yoctozepto | priteau: all APIs because of HTTP webserver in front | 15:42 |
mgoddard | priteau: rephrase: does every single openstack service support WSGI? | 15:42 |
yoctozepto | rabbitmq for communication also | 15:42 |
yoctozepto | mariadb checked | 15:43 |
mgoddard | I think they're just looking at internal API for now | 15:43 |
yoctozepto | mgoddard: yeah but answering priteau's doubts :-) | 15:43 |
scottsol | no this is why the intermediate step is being looked at | 15:43 |
scottsol | as a "catch all" | 15:43 |
mgoddard | generalfuzz: does the implementation of TLS on the frontend for the internal API offer an improvement in your view? | 15:44 |
scottsol | it may take some time to convince all projects to support wsgi | 15:44 |
yoctozepto | scottsol: please give an example for those not blessed with the knowledge :-) | 15:44 |
mgoddard | i.e. only https://review.opendev.org/#/c/663555 | 15:44 |
*** hamzaachi has quit IRC | 15:45 | |
generalfuzz | the "local-proxy" approach is to have a proxy server on every node that terminates TLS communication before communicating with the service. Currently HAProxy does the termination, and then communicates using http internally to services | 15:45 |
generalfuzz | mgoddard - I don't think so | 15:46 |
*** kevinz has joined #openstack-kolla | 15:46 | |
yoctozepto | generalfuzz: understood, thanks | 15:46 |
*** hamzaachi has joined #openstack-kolla | 15:47 | |
yoctozepto | I like the approach, it seems enough for me | 15:47 |
yoctozepto | no need to encrypt loopback traffic anyway | 15:47 |
*** absubram has joined #openstack-kolla | 15:48 | |
mgoddard | how do we prevent a port conflict between haproxy and the backend? | 15:48 |
mgoddard | backend listens on localhost? | 15:48 |
mgoddard | haproxy would need to listen both on the VIP and api_interface_address | 15:49 |
generalfuzz | ports would be defined as global variables | 15:49 |
generalfuzz | why the api_interface_address? | 15:50 |
mgoddard | if you need to access a particular haproxy instance, you can't use the VIP | 15:50 |
generalfuzz | I imagine the "local-proxy" to be a separate container from HAProxy, listening on a defined intermediary port to do SSL termination | 15:52 |
yoctozepto | ^ exactly what I understood too | 15:53 |
yoctozepto | you want to abuse haproxy for ssl termination | 15:53 |
mgoddard | it could be. that's not how the similar original design worked - it reused a single haproxy | 15:53 |
mgoddard | what about using apache within the container to do the same thing? | 15:54 |
mgoddard | then we could use wsgi where available, and just proxy otherwise | 15:54 |
generalfuzz | The advantage to having separate proxy containers is that it is simple to reroute haproxy directly to service when they support SSL termination natively | 15:54 |
*** rpittau is now known as rpittau|afk | 15:55 | |
mgoddard | using apache to do this gives us a few things | 15:56 |
generalfuzz | using apache instead of HAProxy - Does it make any difference? | 15:56 |
mgoddard | we don't need to deploy haproxy on every node | 15:56 |
mgoddard | WSGI becomes an implementation detail | 15:56 |
yoctozepto | <generalfuzz> using apache instead of HAProxy - Does it make any difference? | 15:57 |
yoctozepto | yeah, we have extra apaches :-) | 15:57 |
mgoddard | so the architecture doesn't change when you switch | 15:57 |
yoctozepto | I like mgoddard's idea more | 15:57 |
mgoddard | and we don't need to add an intermediate design which we then have to support or deprecate and remove | 15:57 |
yoctozepto | especially if most are wsgi anyway | 15:57 |
mnasiadka | If most are wsgi, then it’s a simple fix? | 15:58 |
mnasiadka | And then let’s worry about the rest? | 15:58 |
yoctozepto | is there some wsgi/non-wsgi listing anywhere? | 15:58 |
generalfuzz | I believe kklimonda did a first pass at that list | 15:58 |
mgoddard | if people think the local-haproxy architecture is better, we could do that path instead. I'm just not so keen on doing both :) | 15:59 |
mgoddard | I thought the TCP passthrough idea was interesting. I assume we could still do it with apache? Would there be any certificate weirdness? | 16:00 |
scottsol | mgoddard - has there been any work done towards putting apache inside the container where wsgi does not already exist? | 16:00 |
mgoddard | scottsol: nope | 16:00 |
scottsol | I think that could be a good solution | 16:00 |
mgoddard | but a proxy config should be easy enough | 16:00 |
mgoddard | just configure the service to listen on localhost, then you don't get a port conflict | 16:01 |
mgoddard | we are out of meeting time I'm afraid | 16:01 |
mnasiadka | I don’t like that path to be honest... sounds like obfuscation and double work :) | 16:01 |
mgoddard | let's carry on in this channel though if people are available - it's good discussion | 16:01 |
mgoddard | #endmeeting | 16:02 |
*** openstack changes topic to "Topic for #openstack-kolla is: support: ask.openstack.org | New to Kolla: docs @ https://docs.openstack.org/kolla/latest/ | | Kolla IRC meetings on Wednesdays @ 15:00 UTC - see agenda @ https://goo.gl/OXB0DL - IRC channel is *LOGGED* @ http://goo.gl/3mzZ7b" | 16:02 | |
openstack | Meeting ended Wed Aug 14 16:02:04 2019 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:02 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/kolla/2019/kolla.2019-08-14-15.00.html | 16:02 |
scottsol | I'm happy to stick around | 16:02 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/kolla/2019/kolla.2019-08-14-15.00.txt | 16:02 |
openstack | Log: http://eavesdrop.openstack.org/meetings/kolla/2019/kolla.2019-08-14-15.00.log.html | 16:02 |
generalfuzz | me too | 16:02 |
mgoddard | mnasiadka: which path don't you like? | 16:02 |
yoctozepto | I prefer the apache path too | 16:02 |
mnasiadka | Any internediate point of proxying the traffic once more :) | 16:02 |
mnasiadka | *intermediate | 16:03 |
*** michaelbarkdoll has quit IRC | 16:03 | |
yoctozepto | mnasiadka: did not notice typo until you corrected | 16:03 |
mgoddard | mnasiadka: I see your point | 16:04 |
mgoddard | would like to see that list of non-wsgi services | 16:04 |
generalfuzz | it would only be if the openstack deployment is configured to run with TLS everywhere, and only for services that did not natively support TLS termination | 16:04 |
mgoddard | https://etherpad.openstack.org/p/kolla-internal-tls | 16:04 |
yoctozepto | horizon is wsgi 100% | 16:05 |
yoctozepto | why it has an x | 16:05 |
yoctozepto | ah, misread | 16:06 |
openstackgerrit | Kevin Carter (cloudnull) proposed openstack/kolla master: [DNM] Testing dependent review https://review.opendev.org/676449 | 16:07 |
mgoddard | looks like the major unknowns are designate, neutron, octavia | 16:11 |
yoctozepto | networking ;D | 16:12 |
*** gfidente has quit IRC | 16:13 | |
mgoddard | neutron and octavia are good | 16:14 |
generalfuzz | good meaning they have wsgi support? | 16:14 |
openstackgerrit | Radosław Piliszek proposed openstack/kolla-ansible master: TrivialFix: remove unused template var https://review.opendev.org/676452 | 16:15 |
mgoddard | yes | 16:15 |
*** dave-mccowan has joined #openstack-kolla | 16:15 | |
mgoddard | I've updated the list | 16:15 |
yoctozepto | gr8 | 16:16 |
openstackgerrit | Scott Solkhon proposed openstack/kolla-ansible master: Fix idempotency of fluentd customisations https://review.opendev.org/676216 | 16:16 |
mgoddard | at this point it might be easier to add support for wsgi to designate? | 16:17 |
mgoddard | or at least speak to the team and see what is involved | 16:17 |
yoctozepto | mgoddard: suddenly other services are not supported? :-) | 16:18 |
mgoddard | yoctozepto: they're more in the best effort category :) | 16:18 |
yoctozepto | mgoddard: so they can break after enabling tls? ;-) | 16:21 |
mgoddard | yoctozepto: no, they will just be clear text to the backend | 16:21 |
yoctozepto | they better be :D | 16:21 |
yoctozepto | goldyfruit: masakari, qinling - your turf I guess? | 16:22 |
yoctozepto | re: https://etherpad.openstack.org/p/kolla-internal-tls | 16:22 |
mgoddard | plan was to make backend tls optional per-service anyway | 16:22 |
yoctozepto | all righty | 16:22 |
goldyfruit | yoctozepto, yes | 16:22 |
yoctozepto | blazar, cyborg, dragonflow, senlin - these really look abandoned | 16:23 |
yoctozepto | goldyfruit: please help with their mod_wsgi status | 16:23 |
goldyfruit | qinling and masakari are fully wsgi supported | 16:23 |
mgoddard | scottsol, generalfuzz, stingrayza: wdyt to the direction discussed? | 16:23 |
yoctozepto | kuryr, zun - me interested, will check | 16:23 |
mgoddard | yoctozepto: priteau would not like to hear you say that about blazar | 16:23 |
scottsol | I was under the impression it was more than just designate that were going to cause issues | 16:24 |
yoctozepto | sorry priteau, don't read it please | 16:24 |
priteau | yoctozepto: I am hurt :( | 16:24 |
openstackgerrit | Gaëtan Trellu proposed openstack/kolla-ansible master: Add Masakari Ansible role https://review.opendev.org/615715 | 16:24 |
scottsol | but if that's the case maybe we should see what the designate team say about adding the functionality. Although, it would be good to have something in place for less mature services if we want to add them to KA in the future | 16:25 |
mnasiadka | kuryr libnetwork uses wsgi - maybe just not in Kolla? | 16:26 |
generalfuzz | I prefer the local proxy approach so we can immediately have secure internal communication, and then it allows us to support services with WSGI piecemeal | 16:26 |
mgoddard | generalfuzz: notd | 16:27 |
mgoddard | *noted | 16:28 |
yoctozepto | scottsol: apache is always there for http ssl termination | 16:28 |
mgoddard | at least both approaches share the frontend design, so that work need not be blocked | 16:30 |
mgoddard | scottsol: what are your thoughts? | 16:30 |
openstackgerrit | Scott Solkhon proposed openstack/kolla-ansible master: Retry Elasticsearch synced flush during upgrade https://review.opendev.org/676456 | 16:30 |
*** kevinz has quit IRC | 16:32 | |
openstackgerrit | Gaëtan Trellu proposed openstack/kolla-ansible master: Testing Masakari role in gate https://review.opendev.org/616050 | 16:32 |
scottsol | I'm happy to go with either approach as long as everyone is on the same page | 16:32 |
mnasiadka | yeah, that's for sure important :) | 16:33 |
yoctozepto | we can run voting if implementers don't mind :-) | 16:34 |
generalfuzz | totally - I will work on whatever approach is decided. | 16:35 |
yoctozepto | mgoddard, priteau: for my defense I shall add I meant they look abandoned in terms of k and k-a commits in recent weeks ;-) | 16:37 |
scottsol | not having the intermediate container there will be less hassle in the long run, we just need to make sure we have the bases covered as it's best to have everything covered out of the box with KA | 16:37 |
*** hamzaachi has quit IRC | 16:37 | |
yoctozepto | not as upstream projects | 16:37 |
yoctozepto | who crossed out designate and what it was meant to mean | 16:38 |
yoctozepto | suspecting mgoddard | 16:38 |
scottsol | generalfuzz - is going to the Designate team something you and stackedsax could help with | 16:38 |
mgoddard | I didn't cross out designate | 16:38 |
yoctozepto | looking for other suspects | 16:39 |
mnasiadka | well, we can always put some blame on the suspects on openstack-discuss ML :) | 16:39 |
stackedsax | sorry I'm late -- just caught up with the discussion. thanks for updating the list. | 16:41 |
yoctozepto | ah-ha, the suspect has come | 16:41 |
stackedsax | scottsol: sure | 16:42 |
stackedsax | yoctozepto: it wasn't me! | 16:42 |
*** kevinz has joined #openstack-kolla | 16:42 | |
stackedsax | I mean, as far as crossing out designate | 16:42 |
stackedsax | I'm sure everything else was my fault | 16:42 |
yoctozepto | stackedsax: but how did you know I meant you and not mnasiadka? that's suspicious at least! :D | 16:43 |
yoctozepto | haha, just kidding, though it bugs me why nobody admitted to committing the crime | 16:43 |
yoctozepto | ;p | 16:43 |
* stackedsax starts whistling and tries to shuffle away slowly | 16:44 | |
goldyfruit | https://etherpad.openstack.org/p/kolla-internal-tls/timeslider#952 and https://etherpad.openstack.org/p/kolla-internal-tls/timeslider#953 | 16:47 |
goldyfruit | The crime has been done not very long ago | 16:47 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: Use fluentd image labels https://review.opendev.org/676413 | 16:47 |
openstackgerrit | Radosław Piliszek proposed openstack/kolla-ansible master: WIP: CI: Zun jobs https://review.opendev.org/676390 | 16:50 |
yoctozepto | goldyfruit: yeah, unfortunately etherpad does not blame for style changes | 16:50 |
*** spiette has quit IRC | 16:52 | |
openstackgerrit | Mark Goddard proposed x/kayobe master: Generate openrc files during control host bootstrap https://review.opendev.org/667451 | 16:53 |
openstackgerrit | Scott Solkhon proposed openstack/kolla-ansible master: Add missing when condition for swift config files https://review.opendev.org/676465 | 16:54 |
yoctozepto | mgoddard, mnasiadka : we got the meeting past the planned time but I would like to reraise the point of support matrix | 16:55 |
yoctozepto | current owner does not seem to actively maintain it | 16:55 |
yoctozepto | maybe we have someone to volunteer | 16:55 |
mnasiadka | yoctozepto: yeah, are you volunteering to start? | 16:56 |
mnasiadka | I think somebody just needs to start the ball rolling, and we can iterate | 16:56 |
yoctozepto | mnasiadka: yeah, I feel so too, unfortunately need to find a better tool to handle that than whiteboard | 16:56 |
mnasiadka | yoctozepto: the tool is Gerrit and kolla docs :) | 16:57 |
mnasiadka | or kolla-ansible, because that's where we test it | 16:57 |
yoctozepto | yeah, git and docs is a fine choice | 16:57 |
mnasiadka | mgoddard: kolla or k-a docs for that bloody support matrix? | 16:57 |
yoctozepto | kolla I guess | 16:57 |
yoctozepto | it is umbrella as well | 16:58 |
mgoddard | both IMO | 16:58 |
mgoddard | kolla for images, kolla-ansible for ansible | 16:58 |
yoctozepto | mgoddard: you mean we could have separate support matrices? | 16:58 |
mgoddard | yes - they're separate projects | 16:59 |
mgoddard | I'd expect them to be mostly the same | 16:59 |
mgoddard | but images would include things like X not on ARM | 16:59 |
mgoddard | only on centos | 16:59 |
mgoddard | ansible would be more about features | 17:00 |
mgoddard | make sense? | 17:00 |
mgoddard | putting all that in one place would be very busy | 17:00 |
yoctozepto | kind of | 17:00 |
mgoddard | :) | 17:00 |
mnasiadka | +1 | 17:00 |
mgoddard | open to alternative suggestions | 17:00 |
*** scottsol has quit IRC | 17:00 | |
yoctozepto | open to volunteers :-) | 17:00 |
mnasiadka | so, I can take the kolla one - but can start mid next week | 17:00 |
yoctozepto | gr8 | 17:00 |
mnasiadka | so that leaves k-a one for yoctozepto :D | 17:01 |
yoctozepto | indeed, will feel inspired by your work on k | 17:01 |
yoctozepto | ;-) | 17:01 |
mnasiadka | haha | 17:01 |
mnasiadka | ok, gotta pack - leaving for extended weekend tomorrow morning | 17:02 |
yoctozepto | seriously, I can take it on myself after pushing out IPv6 proposal for you to review | 17:02 |
yoctozepto | which I planned for this week because I now have more time for this hobby side of work :-) | 17:03 |
*** goldyfruit has quit IRC | 17:03 | |
yoctozepto | mgoddard tried using IUS to get python 3.6 on CentOS 7. Was able to get a kolla-ansible-centos-source job to pass | 17:04 |
yoctozepto | congrats ^ | 17:04 |
mgoddard | yoctozepto: thanks. Most changes will actually be discarded - just changing package names for python36u | 17:05 |
mgoddard | still, it's encouraging | 17:05 |
*** goldyfruit has joined #openstack-kolla | 17:06 | |
yoctozepto | mgoddard: yeah, it definitely is | 17:07 |
*** spiette has joined #openstack-kolla | 17:08 | |
yoctozepto | on similar note - basic zun seems to work on centos too | 17:08 |
yoctozepto | https://review.opendev.org/676390 | 17:08 |
stackedsax | if we could go back to the tls convo, I'm not sure what the consensus was in the end. | 17:08 |
yoctozepto | I'm adopting zun in our systems | 17:08 |
yoctozepto | stackedsax: to vote | 17:08 |
yoctozepto | but we did not vote finally | 17:08 |
yoctozepto | re: zun - now trying multinode | 17:09 |
mgoddard | stackedsax: I don't think we had consensus. | 17:09 |
stackedsax | fair enough. I also didn't quite understand the apache option (although I'm fine using whatever as an ssl-terminating-proxy) | 17:09 |
mgoddard | I thought there was general support for the apache approach, but generalfuzz preferred local-proxy | 17:09 |
yoctozepto | but agreed to accept vote results | 17:10 |
stackedsax | 'local-proxy' was our way of saying 'whatever-technology-as-a-proxy' | 17:10 |
yoctozepto | stackedsax: apache approach is simple | 17:10 |
mgoddard | stackedsax: the apache option is as described in the spec - backend TLS terminated by apache | 17:10 |
yoctozepto | add apache where it is not already there | 17:10 |
yoctozepto | and it is in most anyway | 17:11 |
stackedsax | so, going through each and every service, not setting up a proxy | 17:11 |
mgoddard | right | 17:11 |
yoctozepto | by the looks of the whiteboard | 17:11 |
yoctozepto | yeah | 17:11 |
mgoddard | it's certainly more work, but results in one less hop | 17:11 |
yoctozepto | no per-node-proxy | 17:11 |
yoctozepto | per-container-terminator | 17:11 |
yoctozepto | ;D | 17:11 |
yoctozepto | apache terminator | 17:12 |
yoctozepto | sounds like a movie title | 17:12 |
yoctozepto | apache tls terminator | 17:12 |
yoctozepto | who wants to be the producer | 17:12 |
stackedsax | part of our thinking came from Adam Harwell, who was of the opinion that having the option of a local proxy would help with adding future services | 17:12 |
stackedsax | future services that might not have added mod_wsgi support yet | 17:13 |
mgoddard | my comments in https://review.opendev.org/#/c/664516 were about making the apache config more general such that we can just import a role | 17:13 |
mgoddard | that is true. it's quite expensive to add an extra network hop to do it though | 17:13 |
yoctozepto | ^ +1 | 17:13 |
mgoddard | and we could make that hop using apache, if necessary | 17:14 |
stackedsax | our plan was a phased approach: start with the panacea, then start picking off all of the mod_wsgi-enabled services, then address the services that don't have mod_wsgi | 17:14 |
*** spsurya has quit IRC | 17:14 | |
stackedsax | we certainly don't want the extra hop if we don't have to | 17:15 |
mgoddard | my concern is that it's an architectural side step then back again. With the apache approach the topology remains the same - it's just a config change | 17:16 |
mgoddard | I hear what you're saying about getting to a solution quickly | 17:16 |
mgoddard | perhaps your downstream requirements pull you in that direction regardless? | 17:17 |
mgoddard | I'd really just like to end up with one approach for this in kolla-ansible | 17:20 |
stackedsax | no requirements driving our desires, just my preference to be able to get TLS working without having to go through every service | 17:20 |
openstackgerrit | Merged openstack/kolla-ansible master: CI: Sanity check that nodepool.private_ipv4 is assigned https://review.opendev.org/674898 | 17:21 |
mgoddard | stackedsax: there is always the option that you go for the intermediate approach downstream, then migrate to the other approach when complete | 17:23 |
stackedsax | I suppose we can still roll out TLS on the internal network service by service with the apache approach, but I think I would find that also confusing | 17:23 |
mgoddard | the frontend could be TLS everywhere | 17:24 |
mgoddard | it's just the backend that would be piecemeal | 17:24 |
stackedsax | maybe I'm still misunderstanding the suggestion, then | 17:24 |
mgoddard | maybe :) | 17:25 |
stackedsax | which spec were you referring to? | 17:25 |
mgoddard | https://review.opendev.org/#/c/663865/ | 17:25 |
mgoddard | this patch is all that's required for the frontends: https://review.opendev.org/#/c/663555/6 | 17:26 |
mgoddard | simples | 17:26 |
stackedsax | doesn't that use haproxy to terminate ssl? | 17:28 |
mgoddard | yes | 17:29 |
mgoddard | it's terminated twice | 17:29 |
mgoddard | at the backend also | 17:29 |
stackedsax | which, until the backend enables termination would still send over the internal network http? | 17:31 |
mgoddard | right | 17:31 |
stackedsax | ah, I see. that happens to be the one requirement which was driving our thinking. we would like even that traffic to be https, if possible. | 17:32 |
stackedsax | at least I understand the disconnect now, thanks | 17:33 |
mgoddard | stackedsax: yeah, understood. And that local-proxy gets you to fully encrypted faster | 17:35 |
openstackgerrit | Doug Szumski proposed openstack/kolla-ansible master: [WIP] Factor out nova-cell role https://review.opendev.org/675659 | 17:37 |
mgoddard | I think it's just a question of weighing up upstream vs internal requirements | 17:37 |
stackedsax | agreed. | 17:37 |
stackedsax | as for terminating twice, won't there be a penalty for that? | 17:37 |
*** priteau has quit IRC | 17:37 | |
mgoddard | either way, frontend only is an improvement - it pushes all clear text to the controllers | 17:38 |
mgoddard | there will be a penalty for double termination | 17:38 |
mgoddard | the tcp mode wasn't proposed when we discussed before, but I guess it could work with this approach too | 17:39 |
stackedsax | when we terminate at the backend, is there any reason not to remove the termination from the frontend? | 17:39 |
stackedsax | some logging capability or something that I'm not thinking about? | 17:40 |
mgoddard | it may depend on your certificates - it's basically a man in the middle, right? | 17:40 |
mgoddard | it could work for wildcard certs | 17:40 |
mgoddard | but if you connect to the API FQDN/VIP and get a cert that matches the backend, your client would (should) not be happy | 17:41 |
stackedsax | yeah. it feels like it might make cert updates trickier to have to do them in two places | 17:41 |
*** dougsz has quit IRC | 17:41 | |
mgoddard | I think we'd need to support double termination in either case | 17:42 |
stackedsax | how so? | 17:42 |
mgoddard | Perhaps there are setups where wildcard certs would allow for TCP passthrough option | 17:42 |
mgoddard | but mandating TCP passthrough would mandate wildcard certs, right? | 17:43 |
*** dpawlik has joined #openstack-kolla | 17:43 | |
yoctozepto | mgoddard: tcp only invalidates sni, hostname-based certs should still work though | 17:44 |
yoctozepto | (in theory) | 17:44 |
mgoddard | yoctozepto: really? user connects to api.example.org, which resolves to a VIP. The front haproxy passes through to local-haproxy or apache on a different host, which could have a cert matching its hostname or API interface IP address | 17:46 |
yoctozepto | yeah, the tls client (haproxy) in this case can do hostname-based verification as long as you configure backend using hostname and not IP address - but you can have certs on IP addresses | 17:49 |
yoctozepto | geez, I missed the "passthrough" | 17:49 |
yoctozepto | now I know why you are so astonished ;p | 17:50 |
mgoddard | we definitely need more diagrams of this stuff | 17:50 |
yoctozepto | passthrough is a no-no in this case | 17:50 |
*** chason has quit IRC | 17:50 | |
mgoddard | very easy to get confused with all the hops | 17:50 |
stackedsax | mgoddard: totally agreed :D | 17:50 |
yoctozepto | yeah, I missed one word and changed the meaning completely | 17:51 |
*** ivve has joined #openstack-kolla | 17:52 | |
openstackgerrit | Radosław Piliszek proposed openstack/kolla-ansible master: WIP: CI: Zun jobs https://review.opendev.org/676390 | 17:56 |
openstackgerrit | Mark Goddard proposed openstack/kolla-ansible master: update horizon configuration for python3 migrating https://review.opendev.org/674241 | 18:01 |
yoctozepto | goldyfruit: qinling zun support is gone? | 18:01 |
openstackgerrit | Mark Goddard proposed openstack/kolla-ansible master: CI: Test accessing dashboard https://review.opendev.org/676412 | 18:07 |
*** dpawlik has quit IRC | 18:15 | |
goldyfruit | yoctozepto, ? | 18:17 |
goldyfruit | Zun backend for Qinling ? | 18:18 |
goldyfruit | Never been there! | 18:18 |
yoctozepto | goldyfruit: yeah, I could not find other mention than https://medium.com/@n.neerja28/qinling-in-a-nutshell-6d9cf3537346 | 18:25 |
goldyfruit | yoctozepto, yeah :/ | 18:28 |
goldyfruit | In some videos too | 18:28 |
openstackgerrit | Radosław Piliszek proposed openstack/kolla-ansible master: WIP: CI: Zun jobs https://review.opendev.org/676390 | 18:41 |
openstackgerrit | Merged x/kayobe master: Only run ncclient installation task once https://review.opendev.org/676222 | 18:56 |
openstackgerrit | Merged x/kayobe master: Sort overcloud inventory hosts and groups https://review.opendev.org/675994 | 18:56 |
*** scottsol has joined #openstack-kolla | 19:02 | |
openstackgerrit | Merged x/kayobe master: Add support for custom CloudKitty configuration https://review.opendev.org/673139 | 19:12 |
openstackgerrit | Merged x/kayobe master: Stop allocating network and broadcast addresses https://review.opendev.org/672317 | 19:12 |
openstackgerrit | Radosław Piliszek proposed openstack/kolla master: CI: Gate on jobs kolla-ansible already gates on https://review.opendev.org/676377 | 19:13 |
openstackgerrit | Merged x/kayobe master: Remove storage management network from controllers https://review.opendev.org/672482 | 19:15 |
openstackgerrit | Kevin Carter (cloudnull) proposed openstack/kolla master: [DNM] Testing dependent review https://review.opendev.org/676449 | 19:28 |
*** scottsol has quit IRC | 19:29 | |
*** kplant has quit IRC | 19:34 | |
openstackgerrit | Merged x/kayobe master: Restrict ncclient to 0.6.2 to avoid unknown host key issue https://review.opendev.org/675336 | 19:35 |
openstackgerrit | Merged x/kayobe master: Update links to docs and IRC for kolla governance https://review.opendev.org/674512 | 19:35 |
*** goldyfruit has quit IRC | 19:46 | |
*** goldyfruit has joined #openstack-kolla | 19:46 | |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: Use fluentd image labels https://review.opendev.org/676413 | 19:48 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: Use fluentd image labels https://review.opendev.org/676413 | 19:50 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla-ansible master: Use fluentd image labels https://review.opendev.org/676413 | 19:54 |
openstackgerrit | Michal Nasiadka proposed openstack/kolla master: Add fluentd_binary and fluentd_version labels https://review.opendev.org/676411 | 19:59 |
openstackgerrit | Merged openstack/kolla-ansible master: Add missing when condition for swift config files https://review.opendev.org/676465 | 20:07 |
*** luksky has joined #openstack-kolla | 20:07 | |
*** dpawlik has joined #openstack-kolla | 20:45 | |
*** dpawlik has quit IRC | 21:35 | |
*** luksky has quit IRC | 22:03 | |
*** ivve has quit IRC | 22:33 | |
*** BjoernT_ has quit IRC | 22:40 | |
*** absubram has quit IRC | 23:29 |