Wednesday, 2021-11-03

*** amoralej|off is now known as amoralej [07:26]
Jerma: Hello Team [08:02]
Jerma: Any idea on how to enable multi domain in openstack wallaby deployed with kolla-ansible [08:02]
Jerma: I have read the keystone and Horizon Documentation but with not much luck [08:10]
EugenMayer: yoctozepto i ditched freezer. I was not aware that it is agent based. For an agent based solution it is way too broken, dead. I rather would use Bacula which is made dedicated and also is agent based. [09:09]
opendevreview: Maksim Malchuk proposed openstack/kolla master: Unify curl use (customisation options)  https://review.opendev.org/c/openstack/kolla/+/805640 [09:23]
hrw: mnasiadka, mgoddard: https://review.opendev.org/c/openstack/kolla/+/816374 for morning coffee? [10:22]
frickler: hrw: do you have a link to a job where that issue is being seen? /me is curious [11:04]
hrw: frickler: sure, moment [11:15]
hrw: frickler: https://zuul.opendev.org/t/openstack/build/e3386788a250465b8d03b986900f0451/logs [11:16]
opendevreview: Merged openstack/kolla master: Remove InfluxDB data source Grafana plugin  https://review.opendev.org/c/openstack/kolla/+/812505 [11:55]
opendevreview: Mark Goddard proposed openstack/kayobe master: Ubuntu: add support for Apt repository configuration  https://review.opendev.org/c/openstack/kayobe/+/816364 [12:34]
*** amoralej is now known as amoralej|lunch [13:08]
*** kmasterson is now known as Guest4811 [13:13]
opendevreview: Michal Nasiadka proposed openstack/kayobe master: disable-selinux: Set to permissive  https://review.opendev.org/c/openstack/kayobe/+/813661 [13:29]
opendevreview: Michal Nasiadka proposed openstack/kolla master: docs: weekly meetings page  https://review.opendev.org/c/openstack/kolla/+/815494 [13:52]
EugenMayer: When deploying tls, there is only a path to the certificate, but not the private key. How is that supposed to work? [14:10]
*** amoralej|lunch is now known as amoralej [14:14]
mgoddard: EugenMayer: concatenated [14:23]
EugenMayer: what? the private key and the certificate? [14:24]
EugenMayer: well i found it https://docs.openstack.org/kolla-ansible/latest/admin/tls.html#back-end-tls-configuration [14:24]
EugenMayer: i guess the backend certificate (a wildcard for me) is used for the kolla_internal_fqdn_cert too, right [14:25]
mgoddard: EugenMayer: you're probably looking for https://docs.openstack.org/kolla-ansible/latest/admin/tls.html#tls-configuration-for-internal-external-vip [14:30]
EugenMayer: mgoddard might be yes, depends if the horizon service is not considered a backend, why so ever [14:34]
EugenMayer: mgoddard in your linked configuration it is still unclear how to provide the private key [14:35]
mgoddard: EugenMayer: backend is relative to haproxy. HAProxy VIP is the frontend, horizon container is the backend [14:35]
mgoddard: users only connect to the VIP. backend is just belt & braces [14:36]
mgoddard: (explained at the top of the page) [14:36]
mgoddard: cat cert.pem key.pem > haproxy.pem [14:36]
mgoddard: checking that there is suitable newlines between them [14:37]
EugenMayer: that's the first time ever i have seen concat certs with private keys [14:48]
EugenMayer: holy moly :) Is that haproxy specific? Cannot remember doing that in haproxy when i was using it. Nowadays it is all Traefik for me [14:48]
yoctozepto: EugenMayer: yes, it's just how haproxy likes it [14:49]
jingvar: :) [14:49]
mnasiadka: mgoddard mnasiadka hrw egonzalez yoctozepto rafaelweingartne cosmicsound osmanlicilegi bbezak parallax Fl1nt frickler adrian-a - meeting in 10 [14:50]
EugenMayer: yoctozepto not going to ask how i would no need add the bundle chain if needed [14:51]
yoctozepto: EugenMayer: the same way (-: [14:51]
EugenMayer: so cert first, chain later, key last? [14:51]
EugenMayer: scary stuff [14:51]
yoctozepto: I think it can actually figure it, concatenated pem files is something generally understandable [14:52]
EugenMayer: pem files in terms of certs, yes, keys - never have seen that before (maybe not) [14:55]
mnasiadka: yoctozepto: https://review.opendev.org/c/openstack/kolla/+/815494 - changed language to 'none' ;-) [14:56]
mnasiadka: But I guess it would make sense to go through all code blocks to make sure highlighting looks properly [14:56]
mnasiadka: #startmeeting kolla [15:00]
opendevmeet: Meeting started Wed Nov  3 15:00:02 2021 UTC and is due to finish in 60 minutes.  The chair is mnasiadka. Information about MeetBot at http://wiki.debian.org/MeetBot. [15:00]
opendevmeet: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [15:00]
opendevmeet: The meeting name has been set to 'kolla' [15:00]
mnasiadka: #topic rollcall [15:00]
mnasiadka: o/ [15:00]
mgoddard: \o [15:02]
adrian-a: o/ [15:02]
parallax: \o [15:03]
frickler: o/ [15:04]
yoctozepto: o/ [15:05]
yoctozepto: mnasiadka: remember about the extra agenda in etherpad :-) [15:05]
mnasiadka: #topic agenda [15:05]
mnasiadka: * Announcements [15:06]
mnasiadka: * Review action items from the last meeting [15:06]
mnasiadka: * CI status [15:06]
mnasiadka: * Release tasks [15:06]
mnasiadka: * Yoga cycle planning [15:06]
mnasiadka: * Security bugs to squash [15:06]
mnasiadka: * Switch docs to recommend installing from git repo; re: https://review.opendev.org/c/openstack/kolla-ansible/+/815043 [15:06]
mnasiadka: * New core-reviewer [15:06]
mnasiadka: * Open discussion [15:06]
mnasiadka: #topic Announcements [15:06]
mnasiadka: I'm off next week, any volunteer to run the meeting next Wed? [15:06]
yoctozepto: let me check [15:07]
yoctozepto: ok, I'm available [15:07]
mnasiadka: Ok then [15:07]
mnasiadka: #action yoctozepto to run the meeting next week [15:07]
mnasiadka: Thanks! [15:07]
yoctozepto: yw :-) [15:07]
mnasiadka: #topic Review action items from the last meeting [15:07]
mnasiadka: Seems none last week [15:08]
mnasiadka: #topic CI status [15:08]
mnasiadka: seems green [15:09]
mnasiadka: Kayobe is amber on Wallaby (disk issues) [15:09]
mnasiadka: change was merged, should we update back to green? [15:09]
mnasiadka: I'll check history later and see if it's green again (and check with priteau) [15:10]
mnasiadka: #topic Release tasks [15:10]
mnasiadka: mgoddard, yoctozepto: is it time to cut RC2? [15:10]
mgoddard: sure [15:10]
mnasiadka: https://review.opendev.org/c/openstack/kolla-ansible/+/814942 this was merged (mentioned on last week's meeting) [15:11]
mnasiadka: and I think we reverted the problematic patch [15:11]
mnasiadka: ok then [15:11]
yoctozepto: what about mariadb patch? [15:11]
mnasiadka: which one? [15:11]
yoctozepto: the one I mentioned yesterday [15:11]
yoctozepto: https://review.opendev.org/c/openstack/kolla-ansible/+/814276 [15:11]
mnasiadka: Ah, I did not look into that, since mgoddard reviewed that earlier - so I waited for him to act upon it ;-) [15:12]
mgoddard: I'll try to have a look later [15:13]
yoctozepto: so wait for this for rc2 [15:13]
yoctozepto: this should get mariadb to its regular glory [15:13]
mnasiadka: added rc2-blocker hashtag and will keep an eye for that [15:13]
mnasiadka: and once it merges (and is backported) will post rc2 releases patches [15:13]
mnasiadka: ok, let's move on [15:14]
mnasiadka: #topic Yoga cycle planning [15:14]
mnasiadka: I haven't been able to populate Priorities on the whiteboard yet [15:14]
mnasiadka: But will do at latest tomorrow [15:15]
mnasiadka: Any other things that we need to consider at this point? [15:15]
yoctozepto: nothing specific from me [15:17]
mnasiadka: Other day I was thinking if we shouldn't follow what some other projects do - post ,,bugs'' with [RFE] prefix and target them to Yoga milestone in Launchpad - but I think priorities on the whiteboard worked quite OK [15:18]
mnasiadka: yoctozepto, mgoddard: opinions? (sometimes I feel the whiteboard is a bit ,,overcrowded'') [15:19]
mgoddard: mnasiadka: you're basically reintroducing the blueprints that we dropped the other week? [15:20]
mnasiadka: not really reintroducing, but fair point - let's stick to whiteboard for now :) [15:21]
mnasiadka: #topic Security bugs to squash [15:21]
mnasiadka: yoctozepto: do we have any? [15:21]
adrian-a: Whiteboard is crashing Chrome on Android :) and some prefixes or tags (in a similar idea like in Gitlab https://ibb.co/RpRjNng ) could be useful [15:22]
yoctozepto: mnasiadka: we do [15:22]
yoctozepto: mnasiadka: this topic to make you look at them [15:23]
mnasiadka: well, where do I find them in launchpad? [15:24]
yoctozepto: gimme a sec [15:24]
yoctozepto: kolla https://bugs.launchpad.net/kolla/+bugs?field.searchtext=&orderby=-importance&search=Search&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.informat [15:25]
yoctozepto: ion_type%3Alist=PRIVATESECURITY&field.information_type%3Alist=USERDATA&assignee_option=any&field.assignee=&field.bug_reporter=&field.bug_commenter=&field.subscriber=&field.structural_subscriber=&field.tag=&field.tags_combinator=ANY&field.has_cve.used=&field.omit_dupes.used=&field.omit_dupes=on&field.affects_me.used=&field.has_patch.used=&field.has_ [15:25]
yoctozepto: branches.used=&field.has_branches=on&field.has_no_branches.used=&field.has_no_branches=on&field.has_blueprints.used=&field.has_blueprints=on&field.has_no_blueprints.used=&field.has_no_blueprints=on [15:25]
yoctozepto: kolla-ansible https://bugs.launchpad.net/kolla-ansible/+bugs?field.searchtext=&orderby=-importance&search=Search&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONS [15:25]
yoctozepto: E&field.information_type%3Alist=PRIVATESECURITY&field.information_type%3Alist=USERDATA&assignee_option=any&field.assignee=&field.bug_reporter=&field.bug_commenter=&field.subscriber=&field.structural_subscriber=&field.tag=&field.tags_combinator=ANY&field.has_cve.used=&field.omit_dupes.used=&field.omit_dupes=on&field.affects_me.used=&field.has_patch. [15:25]
yoctozepto: used=&field.has_branches.used=&field.has_branches=on&field.has_no_branches.used=&field.has_no_branches=on&field.has_blueprints.used=&field.has_blueprints=on&field.has_no_blueprints.used=&field.has_no_blueprints=on [15:25]
yoctozepto: I'm open to explaining/discussing mine in there if you need more details [15:26]
yoctozepto: as for the others, I guess we should decide whether not to open them [15:26]
yoctozepto: or close entirely (-: [15:26]
mnasiadka: oh boy, nice links - I'll make some shortened urls and look through them ;-) [15:26]
yoctozepto: that's launchpad for ye [15:27]
mnasiadka: ok, the first two (haproxy and horizon dir listings) seem self explanatory [15:27]
mnasiadka: do we have any volunteers to work on those? [15:27]
yoctozepto: yeah, need to check if they happen still [15:28]
yoctozepto: I hoped you could spend some resources :-) I'm overloaded these days [15:28]
mnasiadka: and the last time seems not so trivial, because we would need to skim the logs in search of those passwords [15:28]
adrian-a: yoctozepto, can you please shorten that URL? I can't concat it to something meaningful [15:28]
mnasiadka: Ok, let me at least triage those - and get back with some updates to those bugs. [15:29]
mnasiadka: adrian-a: it's a private list, I don't think you have access. [15:29]
adrian-a: o, mkay [15:29]
yoctozepto: yeah, he does not [15:29]
mnasiadka: #action mnasiadka to triage security bugs and update them with resolution plan (if needed) [15:29]
yoctozepto: great, mnasiadka :-) [15:30]
mnasiadka: #topic Switch docs to recommend installing from git repo; re: https://review.opendev.org/c/openstack/kolla-ansible/+/815043 [15:30]
mnasiadka: yoctozepto: that's yours? [15:30]
yoctozepto: mnasiadka: always mine [15:30]
yoctozepto: there is some discussion as to how to handle the recommendation on the source of kolla-ansible code [15:30]
yoctozepto: I argue we are better off recommending git [15:31]
yoctozepto: as this is what we test and I guess also run in production as we don't release often enough [15:31]
yoctozepto: moreover, the versioning is confusing [15:31]
yoctozepto: each component has a different version so hard to tell what has been installed from the version only [15:32]
yoctozepto: unless reading renos [15:32]
yoctozepto: which folks don't do (-: [15:32]
yoctozepto: or at least not often enough to make me glad they do [15:32]
mnasiadka: well, from one perspective I'm ok with that, from other - maybe we should do releases more often [15:33]
mnasiadka: but it's fine for the docs to point to git instead of pypi [15:34]
mnasiadka: any other voices of reason? [15:34]
adrian-a: sounds good [15:34]
mnasiadka: mgoddard, frickler? [15:35]
mgoddard: fine by me [15:35]
frickler: git is good [15:36]
mnasiadka: #agreed to recommend installing from git repo in the docs [15:36]
yoctozepto: frickler: I'll print that quote and frame it [15:36]
yoctozepto: "git is good" [15:36]
mnasiadka: yoctozepto: are you going to follow up? [15:36]
yoctozepto: yeah, action me on that to keep this flowing on [15:37]
mnasiadka: well, I think the author is adrian-a, right? [15:37]
adrian-a: I'll add a comment to the review and link to IRC log and I'll complete the commit with git [15:37]
mnasiadka: great, case solved [15:37]
mnasiadka: let's move on [15:38]
mnasiadka: #topic New core-reviewer [15:38]
mnasiadka: I think it's time to add a new core reviewer - especially if that person is outside of StackHPC - out of the list of contributors - I think kevko is a good candidate (with proper review stats and good knowledge of kolla/kolla-ansible code) [15:39]
yoctozepto: adrian-a: many thanks! [15:40]
adrian-a: yoctozepto, yw :) [15:40]
mnasiadka: If there are no objections - I'll propose him through the mailing list. [15:40]
mnasiadka: And the question is - first kolla or kolla-ansible or both? [15:40]
mgoddard: both [15:40]
yoctozepto: mnasiadka: both [15:40]
frickler: +2 ... oh wait, I can only +1 ... ;) [15:41]
mnasiadka: ok then, both [15:41]
yoctozepto: frickler needs to work a bit more to gain the core title :-) [15:41]
frickler: yes, I plan on doing that, but that'll take some time I agree [15:42]
yoctozepto: no rush, quality over quantity :-) [15:42]
mnasiadka: yup [15:42]
mnasiadka: #topic Open discussion [15:43]
mnasiadka: Phew, we made to open discussion this time ;-) [15:43]
yoctozepto: oh noez [15:43]
yoctozepto: let's check if we have not missed some point in the agenda (-: [15:43]
yoctozepto: c'est impossible ! [15:44]
yoctozepto: we have gone through all of 'em [15:44]
yoctozepto: congrats mnasiadka [15:44]
mnasiadka: ok, no open discussion points from anybody? ;-) [15:46]
yoctozepto: c'est impossible aussi ! [15:48]
headphoneJames: well, I have a FYI that I'm trying to make a minimal change for switching over service configs in keystone_authtoken from project scoped tokens to system scope. [15:49]
headphoneJames: should be ready soon [15:49]
adrian-a: I see 3 options on this (last comment), what do you think? https://review.opendev.org/c/openstack/kolla-ansible/+/816076 [15:49]
yoctozepto: headphoneJames: sounds wonderful [15:50]
mgoddard: adrian-a: A2 or C [15:50]
mnasiadka: yoctozepto: haven't we tried to get rid of init-runonce from tools/ at some point? [15:51]
mgoddard: where C is pip install python-openstackclient -c <upper constraints URL> [15:51]
yoctozepto: mnasiadka: we did [15:51]
yoctozepto: mgoddard: ++, in docs only though [15:51]
yoctozepto: adrian-a: ^ [15:51]
yoctozepto: mnasiadka: I guess we should then hurry [15:52]
yoctozepto: and amend the docs not to recommend that as something necessary [15:52]
mnasiadka: Well, hurry or not - I think we should discuss if init-runonce is the toolset we want to maintain and if users should be really running it ;-) [15:52]
mgoddard: well, it kind of works, and we recommend against running it in production [15:53]
mgoddard: but we need something like it for testing [15:53]
yoctozepto: mnasiadka: let's discuss then - we should not recommend it :D who objects? [15:53]
yoctozepto: no objections [15:55]
mnasiadka: I think we already recommend against it, I'm fine in adding a message to post-deploy to install python-openstackclient (and some other clients - preferably in a venv ) or in docs [15:55]
mnasiadka: but not really to automate that part [15:55]
yoctozepto: action me to hide it properly [15:55]
yoctozepto: and go-go-go [15:55]
mnasiadka: #action yoctozepto hide properly init-runonce [15:56]
mnasiadka: (whatever that means) [15:56]
adrian-a: So should I leave pip install python-openstackclient + maybe add a note this installs the latest stable client and some example pip commands with git URL and tags for other releases? [15:56]
yoctozepto: lol [15:56]
adrian-a: *in docs (leave) [15:56]
yoctozepto: adrian-a: see mgoddard's message about -c [15:56]
EugenMayer: mnasiadka since i really automated a lot of this in the last 3 weeks. I find installing the client is entirely mandatory since openstack is useless with GUI only. init-runonce i ack that it is just not the right thing and instead of running it (what i did in the start) i did something like [15:56]
EugenMayer: https://github.com/EugenMayer/openstack-lab/blob/stable/ovn/README.setup.md [15:56]
mnasiadka: leave in docs, add upper constraints [15:56]
adrian-a: yoctozepto: I haven't found a '-c' flag in pip, not sure what that does [15:56]
yoctozepto: adrian-a: constrains versions [15:57]
yoctozepto: it will do the right thing (TM) [15:57]
adrian-a: and it's not documented? haven't found it, e.g. https://manpages.debian.org/stretch/python-pip/pip.1 [15:57]
mgoddard: yoctozepto: kayobe uses init-runonce, so at a minimum please add a symlink to avoid breaking us [15:57]
mnasiadka: EugenMayer: sure, but it depends on users environment - we can fix the example in docs how to install the openstack client - but I don't think we should be automating that in post-deploy [15:57]
yoctozepto: mgoddard: oh my, you mean in CI, right? [15:58]
yoctozepto: RIGHT?! :D [15:58]
EugenMayer: mnasiadka: i would say, that installing the openstack client,when using kolla, on the deployer is a key concept. It cannot be really optional IMHO [15:58]
mgoddard: yoctozepto: well, testing, yes [15:58]
yoctozepto: mgoddard: ok [15:58]
mnasiadka: EugenMayer: but we can't cover all cases, and sometimes you don't use the deployment host as the client host, I still prefer docs :) [15:58]
mnasiadka: ok then, I think it's enough for today [15:59]
yoctozepto: EugenMayer: it can, the deployment machine might not ever be used as the client [15:59]
mnasiadka: Thanks for attending! [15:59]
yoctozepto: ;-) [15:59]
mnasiadka: #endmeeting [15:59]
opendevmeet: Meeting ended Wed Nov  3 15:59:19 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [15:59]
opendevmeet: Minutes:        https://meetings.opendev.org/meetings/kolla/2021/kolla.2021-11-03-15.00.html [15:59]
opendevmeet: Minutes (text): https://meetings.opendev.org/meetings/kolla/2021/kolla.2021-11-03-15.00.txt [15:59]
opendevmeet: Log:            https://meetings.opendev.org/meetings/kolla/2021/kolla.2021-11-03-15.00.log.html [15:59]
yoctozepto: thanks mnasiadka for chairing [15:59]
yoctozepto: :-) [15:59]
yoctozepto: enough of kolla! [15:59]
* yoctozepto off [15:59]
EugenMayer: mnasiadka: i started with kolla about 2 or 2.5 weeks, so i'm a newcomer by definition. My experience with the quickstart guide was fairly nice. In terms that it had it all lined up. There were a couple of mistakes but all over - it was a full sequential guide which really showed me a lot. [16:00]
EugenMayer: So i'm full all in for the docs for sure, but the docs should have a 'best practice optionion' when it is called a quickstart guide [16:00]
adrian-a: EugenMayer, what mistakes? [16:00]
EugenMayer: if you are a veteran, you will pick what you need anyway (and maybe not read the quickstarter at all) [16:01]
adrian-a: (besides latest kolla-ansible currently having a command to install ver. 9 now :P) [16:01]
hrw: forgot that meeting is hour earlier now... [16:01]
EugenMayer: adrian-a some frickler has already fixed (pip3 vs pip on pyenv installation), some are still inside (missing -i a couple of times, makes you entirely miss the inventory and the commands will start doing strange things) [16:02]
adrian-a: hrw, yeah new winter time here too :-) [16:02]
EugenMayer: adrian-a the current docs are not fit to install wallaby e.g., they are xena only. But the way the docs are written, you cannot install xena. One of the hassles for starters [16:03]
adrian-a: you're talking about this, right? https://docs.openstack.org/kolla-ansible/latest/user/quickstart.html [16:03]
EugenMayer: so the cli interface used is xena only, but using `pip install kolla` will install the stable (wallaby) and that will not work [16:03]
EugenMayer: adrian-a absolute that one (i really liked it) [16:03]
adrian-a: yeah, will update it with pip install from git url with tags like @master or stable/wallaby [16:04]
adrian-a: it's on the way https://review.opendev.org/c/openstack/kolla-ansible/+/816076 [16:04]
EugenMayer: the problem with all that is, that is easy as pie for anybody here, since it becomes obvious if you used kolla a couple of times [16:04]
EugenMayer: but for starters those things kind of are bigger than they seem [16:05]
EugenMayer: great! I found the quickstart guide one of the docs that gave me the most in the beginning. They are really worth any word and we should polish and cherish them [16:06]
EugenMayer: who ever worked on them - i thank you :) [16:06]
adrian-a: yes, it's good, I'm just doing some polishing to not scare newcomers :) [16:07]
adrian-a: ok, then, have a great evening / day; see you [16:07]
*** amoralej is now known as amoralej|off [16:17]
EugenMayer: nice. Deploying TLS after one has deployed it without just works. Nice work! [17:09]
EugenMayer: any way to easily have a redirect from controller.fqdn:80 to :443 out of the box (just pure luxury) [17:10]
EugenMayer: is it possible to change all the passwords of a kolla deployment? [17:46]
EugenMayer: seen https://bugs.launchpad.net/kolla-ansible/+bug/1793323 not sure it is the current way of doing this [17:48]
EugenMayer: not sure this could be used https://bugs.launchpad.net/kolla-ansible/+bug/1793323 [17:49]
mnasiadka: Ussuri getting EM, probably we should check Ussuri branch for patches and transition to ussuri-em [18:17]
EugenMayer: EM? extended maintenance? [18:33]
EugenMayer: mnasiadka is it allowed to regenerate the passwords and run reconfigure or deploy to apply those? [18:34]
EugenMayer: or will that render the cluster broken? [18:34]
EugenMayer: (since the users have been created already and changing the passwords is something else [18:34]
dmsimard: FYI, upstream EOL of ansible 2.9 and ansible-base 2.10 have been announced: https://groups.google.com/g/ansible-announce/c/kegIH5_okmg/ [19:04]
opendevreview: Adrian Andreias proposed openstack/kolla-ansible master: docs: Get release name dynamically  https://review.opendev.org/c/openstack/kolla-ansible/+/816582 [21:15]
opendevreview: Adrian Andreias proposed openstack/kolla-ansible master: docs: Get release name dynamically  https://review.opendev.org/c/openstack/kolla-ansible/+/816582 [21:35]
