Thursday, 2023-04-13

rohit02 hi team, we are trying to install kolla yoga openstack with nfs as cinder backend. we followed the official doc, deployment went successful but when we run "openstack volume service list" command we are not seeing any cinder volume service with nfs. is there anything we are missing? 05:37
opendevreview Michal Nasiadka proposed openstack/kolla stable/wallaby: Fix test malicious tarball fail  https://review.opendev.org/c/openstack/kolla/+/880186 06:43
opendevreview Michal Nasiadka proposed openstack/kolla stable/wallaby: Fix test malicious tarball fail  https://review.opendev.org/c/openstack/kolla/+/880186 06:45
opendevreview Michal Nasiadka proposed openstack/kolla stable/wallaby: Fix test malicious tarball fail  https://review.opendev.org/c/openstack/kolla/+/880186 06:45
opendevreview Michal Nasiadka proposed openstack/kolla stable/wallaby: Fix test malicious tarball fail  https://review.opendev.org/c/openstack/kolla/+/880186 06:45
opendevreview Michal Nasiadka proposed openstack/kolla stable/wallaby: Fix test malicious tarball fail  https://review.opendev.org/c/openstack/kolla/+/880186 06:46
opendevreview Dr. Jens Harbott proposed openstack/kolla-ansible master: octavia: Fix hm-interface after bumping openstack collection  https://review.opendev.org/c/openstack/kolla-ansible/+/878209 06:47
frickler mnasiadka: ^^ when I checked the held node, the rules in the amphora sec grp were gone, no idea how that could happen, added more logging now. pls also remind me of your ssh key 06:48
mnasiadka morning 06:48
mnasiadka frickler: hmm, maybe something wrong with the new openstack.cloud collection 06:48
frickler mnasiadka: according to the neutron server log, the rules were all created initially as expected 06:49
mnasiadka interesting 06:49
opendevreview Merged openstack/kolla stable/wallaby: Test for unsafe files in tarfile.extractall  https://review.opendev.org/c/openstack/kolla/+/877760 08:00
opendevreview Michal Nasiadka proposed openstack/kolla stable/wallaby: Fix test malicious tarball fail  https://review.opendev.org/c/openstack/kolla/+/880186 08:18
frickler mnasiadka: seems this code is dropping the just-created rules again https://opendev.org/openstack/kolla-ansible/src/branch/master/ansible/roles/octavia/tasks/get_resources_info.yml#L34-L54 08:23
mnasiadka ah, so we should move that to use security_group_info I guess 08:23
frickler see the "DELETE /v2.0/security-group-rules..." calls in the neutron server log 08:23
mnasiadka nice debugging :) 08:24
mnasiadka Do you have time to fix that play, or should I? 08:24
frickler not sure how that worked before, seems like it should be some regression with newer sdk from the timing 08:25
frickler if you can create a patch that'd be great 08:25
frickler I'm glad at least neutron is not acting weird, but just executing what it is being told to do 08:28
mnasiadka let me have a look 08:30
opendevreview Michal Nasiadka proposed openstack/kolla-ansible master: octavia: Fix hm-interface after bumping openstack collection  https://review.opendev.org/c/openstack/kolla-ansible/+/878209 08:34
opendevreview Ebbex proposed openstack/kayobe master: [DNM] ansible-role-interfaces NetworkManager test  https://review.opendev.org/c/openstack/kayobe/+/869977 08:50
opendevreview Matt Crees proposed openstack/kolla-ansible master: RabbitMQ: Add instructions for migrating to durable queues  https://review.opendev.org/c/openstack/kolla-ansible/+/880274 08:59
SvenKieske I missed that the malicious tarball commits yesterday were backports of https://review.opendev.org/c/openstack/kolla/+/877611 so I got a question: the mentioned launchpad bug is either non-existent, or what I suppose a limited viewable security bug, could that please be opened up by someone with the appropriate rights? 09:07
SvenKieske because I have a hunch that the fix might be incomplete but it's hard to tell without details about the underlying vuln. 09:08
opendevreview Martin Hiner proposed openstack/kolla-ansible master: Add container engine option to scripts  https://review.opendev.org/c/openstack/kolla-ansible/+/865182 09:24
opendevreview Martin Hiner proposed openstack/kolla-ansible master: Add support of podman deployment  https://review.opendev.org/c/openstack/kolla-ansible/+/799229 09:24
mnasiadka SvenKieske: it's not public 09:53
mnasiadka let me have a look 09:54
mnasiadka SvenKieske: should be visible now 09:54
SvenKieske mnasiadka: ty! 09:55
mnasiadka SvenKieske: feel free to follow up if needed 09:55
opendevreview Michal Nasiadka proposed openstack/kolla stable/wallaby: Fix test malicious tarball fail  https://review.opendev.org/c/openstack/kolla/+/880186 09:57
SvenKieske on a short glance the upstream python patch does things differently and explicitly calls out symlinks as an attack vector, but I have to double check the python implementation used in openstack first: https://bugs.python.org/issue1044 10:10
opendevreview Michal Nasiadka proposed openstack/kolla-ansible master: octavia: Fix hm-interface after bumping openstack collection  https://review.opendev.org/c/openstack/kolla-ansible/+/878209 10:17
opendevreview Maksim Malchuk proposed openstack/kolla stable/wallaby: Fix test malicious tarball fail  https://review.opendev.org/c/openstack/kolla/+/880186 10:43
opendevreview Maksim Malchuk proposed openstack/kolla stable/wallaby: Add multipath to cinder-volume  https://review.opendev.org/c/openstack/kolla/+/879182 10:46
opendevreview Maksim Malchuk proposed openstack/kolla stable/wallaby: nova-libvirt: Fix for missing libvirt-daemon-driver-nodedev package  https://review.opendev.org/c/openstack/kolla/+/880100 10:46
opendevreview Maksim Malchuk proposed openstack/kolla-ansible master: Fix maximum width of the DIB Multiline-YAML  https://review.opendev.org/c/openstack/kolla-ansible/+/833633 10:57
opendevreview Michal Nasiadka proposed openstack/kolla-ansible master: octavia: Fix hm-interface after bumping openstack collection  https://review.opendev.org/c/openstack/kolla-ansible/+/878209 10:57
opendevreview Maksim Malchuk proposed openstack/kayobe master: Fix maximum width of the DIB Multiline-YAML  https://review.opendev.org/c/openstack/kayobe/+/833634 10:59
opendevreview Maksim Malchuk proposed openstack/kolla master: Glance-api fails due to absent multipath tools  https://review.opendev.org/c/openstack/kolla/+/880281 11:08
kevko folks, some time ago i proposed macro for patching files inside container ... this was not merged https://review.opendev.org/c/openstack/kolla/+/829296 and abandoned .... now i have situation: i found that master merged patch for oslo.messaging and another is waiting for merge .... https://review.opendev.org/c/openstack/oslo.messaging/+/876318 and https://review.opendev.org/c/openstack/oslo.messaging/+/875615/4  .... as kolla installing 11:33
kevko libraries depends on upper-constraints ..i cant patch oslo.messaging in my images ....how can i handle this situation if patch was not released in some oslo.messaging version ? via binary package i build and deb package with patch ... 11:33
kevko if kolla is only source build ...i cant do this .. 11:35
kevko i can provision my own pypi repository ..but what version i will release ? it will collide with official version of oslo.messaging ... and also ..it's overkill 11:36
kevko i think this should be implemented if we want to give users a way how to patch their images ... 11:37
kevko hrw ^ ? 11:37
kevko mnasiadka ^ 11:37
hrw kevko: pester oslo.messaging to do a release, bump requirements/u-c 11:38
kevko hrw: this can take days, weeks .. so you want to say this is bad idea and never implemented in kolla ? 11:43
hrw kevko: I think I wrote comment in review about it 11:43
kevko moreover, there can be situation when you can't bump upper-constraints 11:43
hrw kevko: that's what template overrides are for 11:44
hrw you can install version x.z.y and then apply patch 11:44
hrw install comes from image, patching from template override 11:44
kevko and why this can't be a feature ? 11:45
hrw for me it is a duplicate of already existing one 11:45
hrw making easy to shoot in own foot again. no people to support it 11:46
kevko it's only macro which finds a patch for image name ... if not exist not patching ...so if you will not place a patch inside kolla repo ..patch will not be applied ... 11:47
kevko it's simple code which don't need to be maintained ... 11:47
kevko another situation would be that we as kolla will place patch files inside kolla repository ...but i am not discussing about this option ... i would like to just have this mechanism .. no provides patches by kolla team ...just to provide users straight way how to do it 11:49
kevko this would be hard maintainable ... but just a bash macro which is doing something if find some patch file ? by default patches folder will be empty 11:50
hrw also next time please split patch into two: one for macros, second using macro 11:53
hrw 233 patched files make macros.j2 invisible 11:54
hrw a. it is other patch already 11:54
hrw where I already commented 11:56
hrw so from my perspective: I will not review 11:56
mnasiadka kevko: and why haven't you come to the PTG and discuss that again instead of jumping out of the blue on IRC (not mentioning that weekly meeting was yesterday) 12:00
hrw and on PTG we had about 15 people online 12:03
kevko mnasiadka: because unfortunately i didn't have a time ... we have new and new projects and i have less and less time ... but i always read a log 12:03
hrw it is not that PTG is announced a week before... 12:04
mnasiadka So, basically I'm not a fan of patching files in containers, overriding install locations for pip packages - sure (like from a local git repo) - and as hrw pointed out - we have problems supporting the code base we have today, so not really happy with adding another functionality that is not tested in the CI and serves one person from the core team. 12:06
kevko hrw: and what ? when i have hands-on and installing dev env ..prepro env ..production env  and i have several guys on call in these days ..it's hard to be on two meetings in one time...and also btw debugging problems we merged into kolla-ansible (rabbitmq) several days...and i also had a knife on my neck to meet deadlines 12:07
hrw and can be done using existing functionality 12:07
mnasiadka patching files in images can be done outside of kolla if you need to, but I've worked in a company that did that approach, and I tried to stay hundreds of kilometers from it :) 12:07
mnasiadka kevko: we can't help you with your employer having a knife on your neck - but I would say it's not a welcoming work environment :) 12:08
kevko :D 12:08
kevko but i hope you understand 12:08
kevko we never had several new customers at once ..and i am preparing all envs ..and different versions :( 12:09
kevko btw, do you know that if you are installing new openstack with rabbitmq_high_availability = no ... in some time you have openstack not working ? (after some rabbitmq nodes restarts) 12:10
mnasiadka We understand, but file patching is not going to fly upstream :) 12:10
kevko i didn't know :D 12:10
mnasiadka mattcrees: ^^ - maybe we should change the default in Antelope before it gets released? 12:11
kevko and for me it was also surprise that one option is turning on two features ... policy ha-all and also durable queues at once ... 12:12
kevko for now i disabled durable queues via config override /etc/kolla/config/global.conf ... thanks god for this mechanism :) 12:12
kevko mnasiadka: ok, understand .. i will implement it somehow in our ci-cd 12:13
mnasiadka kevko: I don't think we've seen any issues with the current config of durable queues 12:13
kevko durable queues are fine ..but metadata is stored on harddrive instead of ram ... so i better didn't want to turn on 12:14
kevko because of performance 12:14
kevko i will wait for quorum queues :) 12:15
kevko for now 12:16
mattcrees I'm still on the fence on changing the default value of RabbitMQ HA. It can take several hours for larger systems to migrate to durable queues, and is currently not an automatic procedure, so it feels to me like it should still be opt-in. Plus, if we're able to switch to quorum queues as default soon that will be the same migration situation so it would double the impact on operators using the default values. 12:33
kevko mattcrees: but new deployments are affected ...few rabbitmq restarts and openstack will not work ... 12:38
mnasiadka ok then, but there are already people complaining on the ML about lack of HA (or lack of anything working when a host goes down) 12:38
kevko mattcrees: maybe some wrapper tasks around which just check ...is rabbitmq deployed already (means new deployments/existing deployment) and depends on that make a decision ? 12:39
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/zed: Fix deploy/genconfig in check mode  https://review.opendev.org/c/openstack/kolla-ansible/+/880310 12:40
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/yoga: Fix deploy/genconfig in check mode  https://review.opendev.org/c/openstack/kolla-ansible/+/880311 12:40
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/xena: Fix deploy/genconfig in check mode  https://review.opendev.org/c/openstack/kolla-ansible/+/880312 12:40
mattcrees I've proposed a patch to the docs describing the manual procedure to swap to durable queues. If this can be considered enough to go alongside enabling by default, then we could go for it. Or alternatively, I can prioritise automating the migration process? 12:41
mnasiadka Maybe what kevko suggests is not bad - add prechecks for checking if your deployment is multi-rmq but not HA (as in queues not replicated), and fail that you need to follow a guide from the docs 12:43
mattcrees A check for new/existing deployments does sound useful 12:43
hrw do new stuff for new deploys, keep what is present for upgrades? 12:46
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/zed: Add flags for RabbitMQ message TTL & queue expiry  https://review.opendev.org/c/openstack/kolla-ansible/+/880313 12:46
hrw this way those who upgrade have same stuff and can migrate to new stuff if want/need? 12:47
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/zed: Add flags for RabbitMQ message TTL & queue expiry  https://review.opendev.org/c/openstack/kolla-ansible/+/880313 12:47
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/yoga: Add flags for RabbitMQ message TTL & queue expiry  https://review.opendev.org/c/openstack/kolla-ansible/+/880314 12:48
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/xena: Add flags for RabbitMQ message TTL & queue expiry  https://review.opendev.org/c/openstack/kolla-ansible/+/880315 12:48
opendevreview Mark Goddard proposed openstack/kolla stable/zed: ovsdpdk: add libdpdk-dev  https://review.opendev.org/c/openstack/kolla/+/880316 12:52
opendevreview Mark Goddard proposed openstack/kolla stable/yoga: ovsdpdk: add libdpdk-dev  https://review.opendev.org/c/openstack/kolla/+/880317 12:53
opendevreview Mark Goddard proposed openstack/kolla stable/xena: ovsdpdk: add libdpdk-dev  https://review.opendev.org/c/openstack/kolla/+/880318 12:53
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/zed: Add note about removing leading tabs in ceph.conf files  https://review.opendev.org/c/openstack/kolla-ansible/+/880320 12:53
opendevreview Mark Goddard proposed openstack/kolla-ansible stable/yoga: Add note about removing leading tabs in ceph.conf files  https://review.opendev.org/c/openstack/kolla-ansible/+/880321 12:53
mattcrees I think we can accomplish a similar thing as part of the precheck solution, where the operator would either opt out from HA or follow the manual procedure for now. I would like to automate the migration, but that will take me some time to develop and test. 13:16
mattcrees We enable HA by default, and on a new deployment it is just rolled out. On an existing deployment, we fail out of the precheck with a message pointing to the docs for the manual procedure. In here, we make sure to describe any drawbacks with switching to HA and suggest that they can override and disable the HA if they don't want it yet. 13:16
opendevreview Maksim Malchuk proposed openstack/kolla-ansible stable/xena: Add note about removing leading tabs in ceph.conf files  https://review.opendev.org/c/openstack/kolla-ansible/+/880323 13:46
opendevreview Michal Arbet proposed openstack/kolla-ansible master: Remove RabbitMQ ha-all policy when not required  https://review.opendev.org/c/openstack/kolla-ansible/+/876053 13:58
opendevreview Michal Nasiadka proposed openstack/kolla-ansible master: ansible: bump min to 2.13 and max to 2.14  https://review.opendev.org/c/openstack/kolla-ansible/+/877697 14:10
opendevreview Merged openstack/kolla-ansible stable/wallaby: Remove RabbitMQ ha-all policy when not required  https://review.opendev.org/c/openstack/kolla-ansible/+/876833 14:47
opendevreview Merged openstack/kolla-ansible master: Set RabbitMQ ha-promote-on-shutdown=always  https://review.opendev.org/c/openstack/kolla-ansible/+/872863 15:05
frickler mnasiadka: confirmed the security group module issue in the ansible docs. the old version doesn't handle rules at all, so it would just ensure that the sg exists. https://docs.ansible.com/ansible/latest/collections/openstack/cloud/security_group_module.html 15:41
frickler the new module has a rules parameter that allows to set up a group with rules in a single call (we should likely switch to that). it will explicitly drop all existing rules not listed for that parameter 15:42
frickler https://docs.ansible.com/ansible/devel/collections/openstack/cloud/security_group_module.html#parameter-security_group_rules 15:42
mnasiadka Looks like that, I've just booted a VM to get that tested, will update the patch tomorrow with a tested solution ;) 15:44
sschmitt quick question: is the OVS-DPDK option compatible with using OVN for your neutron driver? 15:45
frickler sschmitt: not sure what "our neutron driver" is, likely you want to ask neutron people instead of kolla 15:50
opendevreview Simon Dodsley proposed openstack/kolla-ansible master: Update Pure Storage NVMe Cinder driver  https://review.opendev.org/c/openstack/kolla-ansible/+/879844 16:37
opendevreview Maksim Malchuk proposed openstack/kayobe master: Fix passwords.yml generation when parent directory doesn't exist  https://review.opendev.org/c/openstack/kayobe/+/854236 16:41
opendevreview Simon Dodsley proposed openstack/kolla-ansible master: Add Pure Storage FlashBlade as Manila backend  https://review.opendev.org/c/openstack/kolla-ansible/+/879846 17:25
opendevreview Simon Dodsley proposed openstack/kolla-ansible master: Add Pure Storage FlashBlade as Manila backend  https://review.opendev.org/c/openstack/kolla-ansible/+/879846 17:48
opendevreview Merged openstack/kayobe master: Fix kayobe_config_path description in globals.yml  https://review.opendev.org/c/openstack/kayobe/+/879223 20:53
opendevreview Maksim Malchuk proposed openstack/kayobe master: Adds support for custom Multipathd configuration.  https://review.opendev.org/c/openstack/kayobe/+/879190 20:56
opendevreview Maksim Malchuk proposed openstack/kayobe stable/zed: Fix kayobe_config_path description in globals.yml  https://review.opendev.org/c/openstack/kayobe/+/880365 21:00
opendevreview Maksim Malchuk proposed openstack/kayobe stable/yoga: Fix kayobe_config_path description in globals.yml  https://review.opendev.org/c/openstack/kayobe/+/880366 21:00
opendevreview Maksim Malchuk proposed openstack/kayobe stable/xena: Fix kayobe_config_path description in globals.yml  https://review.opendev.org/c/openstack/kayobe/+/880367 21:01
opendevreview Merged openstack/kolla-ansible master: RabbitMQ use maintenance mode on container restart  https://review.opendev.org/c/openstack/kolla-ansible/+/877242 21:47
