Friday, 2024-03-08

<opendevreview> Michal Nasiadka proposed openstack/kolla master: Fix aarch64 builds  https://review.opendev.org/c/openstack/kolla/+/909915 [06:00]
<mnasiadka> morning [07:05]
<mnasiadka> jovial: that was probably rackspace mirror issue? [07:05]
<opendevreview> Michal Nasiadka proposed openstack/kolla-ansible master: Fix glance not running after upstream cache changes  https://review.opendev.org/c/openstack/kolla-ansible/+/912030 [07:07]
<opendevreview> Michal Arbet proposed openstack/kolla-ansible master: Fix creation of ovs bridges  https://review.opendev.org/c/openstack/kolla-ansible/+/911591 [07:07]
<opendevreview> Michal Nasiadka proposed openstack/kolla-ansible master: Fix glance not running after upstream cache changes  https://review.opendev.org/c/openstack/kolla-ansible/+/912030 [08:04]
<opendevreview> Michal Nasiadka proposed openstack/kolla master: Remove setuptools pin  https://review.opendev.org/c/openstack/kolla/+/901828 [08:07]
<kevko> morning [08:15]
<mnasiadka> kevko: updated your patch, Kolla's documented philosophy says we don't want to own defaults unless it's required - and it seems to pass without setting cache driver [08:19]
<opendevreview> Michal Arbet proposed openstack/kolla-ansible master: Fix creation of ovs bridges  https://review.opendev.org/c/openstack/kolla-ansible/+/911591 [08:20]
<kevko> mnasiadka: okay, no problem ...it was hell to debug :D ... i had a feeling that it's needed to be set for now ... I wrote it to commit message [08:23]
<mnasiadka> yeah, updated the commit message as well [08:23]
<kevko> mnasiadka: but as I see you've amended also commit message [08:23]
<kevko> mnasiadka: thanks .. I am glad that I can ask you guys for reviews because CI will work again :D :D [08:25]
<kevko> mnasiadka: and push new ones [08:25]
<mnasiadka> yeah, tooz patch landed, but the release and u-c bump is not there yet [08:26]
<mnasiadka> so it would make sense to merge the pin today as well [08:26]
<kevko> mnasiadka: btw, I found that glance-api configuration file (for paste_deploy group) doesn't work as it's described in a description above ... [08:27]
<kevko> mnasiadka: there is described that if you change config_file to something different (paste ini config) ... as example "foo.ini" ....on the end it will be /etc/glance/foo.ini ... [08:28]
<mnasiadka> lol [08:29]
<kevko> mnasiadka: but if you change it ...it is just not working :D [08:29]
<kevko> mnasiadka: https://github.com/openstack/glance/blob/519ce0b94dcc6dad229fbe08d8d21ccdefb6c99e/glance/common/config.py#L682-L705 [08:30]
<kevko> mnasiadka: aaaand ...another review ..do you think it's wrong here ? https://review.opendev.org/c/openstack/glance/+/911955 [08:31]
<kevko> mnasiadka: I think author wrote that function wrong ...i fixed it and unit is not working now ... but I really hate unit fixing :D [08:32]
<mnasiadka> lol [08:32]
<mnasiadka> well, then the unit test should be fixed first, to demonstrate that it's not working properly ;-) [08:32]
<kevko> mnasiadka: i know ... but i am not good in it :D [08:33]
<kevko> mnasiadka: but check that function ....original is returning always True from function can_migrate_to_central_db ...but it makes sense only if cache is turned on ... [08:34]
<kevko> mnasiadka: By the way, Kolla worked with this fix in Glance, it was actually the inspiration for me to try to fix Kolla without changing the code in Glance, but this was the initial problem... (cache_dir was None in glance-api and /var/lib/.... in glance-cache ....so it started failing ..... but initial problem was that it actually jumped into [08:37]
<kevko> code for cache ...) [08:37]
<kevko> so kolla proposed patch is kind of a workaround ...but following also docs ...so ... [08:38]
<opendevreview> Roman Krček proposed openstack/kolla-ansible master: Split ipv4 and ipv6 systemctl config  https://review.opendev.org/c/openstack/kolla-ansible/+/912091 [08:52]
<kevko> mnasiadka: e\\ndocker.errors.APIError: 500 Server Error for http+docker://localhost/v1.44/images/create?tag=master-ubuntu-jammy&fromImage=mirror-int.iad.rax.opendev.org%3A4447%2Fopenstack.kolla%2Ffluentd: Internal Server Error (\"Get \"https://mirror-int.iad.rax.opendev.org:4447/v2/\": context deadline exceeded (Client.Timeout exceeded while [08:58]
<kevko> awaiting headers)\")\\n'" [08:58]
<kevko> aaaaaaaa [08:58]
<mnasiadka> kevko: yep, reported on opendev [08:58]
<kevko> mnasiadka: how fast they work ? :D [08:58]
<mnasiadka> have no clue, in this timezone it's probably only frickler ;-) [08:59]
<kevko> Or is it just temporary? [08:59]
<mnasiadka> We've seen that in other jobs, and some Kayobe jobs yesterday [08:59]
<kevko> So I will have to play in my sandbox.. :) [09:01]
<kevko> mnasiadka: what about that tooz ? do we have review for that already somewhere ? [09:02]
<mnasiadka> https://review.opendev.org/c/openstack/kolla/+/911703 [09:02]
<opendevreview> Michal Nasiadka proposed openstack/kolla master: openstack-base: Pin tooz to 5.0.0  https://review.opendev.org/c/openstack/kolla/+/911703 [09:02]
<mnasiadka> added depends-on on glance patch [09:03]
<kevko> mnasiadka: thanks [09:11]
<kevko> mnasiadka: wondering ..that from a code it should be enough to just define caching options in glance-api.conf [09:12]
<mnasiadka> we could make it better once CI is working I guess :) [09:14]
<mnasiadka> so let's merge this - maybe 7 rechecks will be enough ;-) [09:14]
<kevko> i am ok with it [09:15]
<kevko> mnasiadka: I mean ... not only in glance-api ...just drop jinja conditional inside the glance-api.conf [09:16]
<opendevreview> Roman Krček proposed openstack/kolla-ansible master: Split ipv4 and ipv6 systemctl config  https://review.opendev.org/c/openstack/kolla-ansible/+/905831 [09:17]
<kevko> mnasiadka: yep, working [09:23]
<kevko> mnasiadka: let me edit last time [09:24]
<mnasiadka> kevko: sure, the current run is going to fail anyway :( [09:24]
<kevko> mnasiadka: I know :) [09:25]
<kevko> mnasiadka: it's possible that the fix in glance will land earlier :D https://review.opendev.org/c/openstack/glance/+/911955 [09:37]
<opendevreview> Jake Hutchinson proposed openstack/kayobe master: Register baremetal compute nodes in Ironic  https://review.opendev.org/c/openstack/kayobe/+/909671 [10:29]
<SvenKieske> mhm, I'm not sure yet, but could someone verify that they have the keystone role "service" created in their envs? kevko? mnasiadka? maybe I found a bug - rather community members, but I had now two instances where the service role was missing [10:33]
<SvenKieske> I'm currently setting up a fresh env to test myself, but it still takes some time [10:34]
<SvenKieske> I have a hunch https://review.opendev.org/c/openstack/kolla-ansible/+/909002 is buggy, I downloaded the logs and I found: "ERROR keystone.server.flask.application keystone.exception.RoleNotFound: Could not find role: service." [10:35]
<SvenKieske> but I still have to go through all the logs to verify [10:35]
<opendevreview> scoopex proposed openstack/kolla-ansible master: rabbitmq: configuration improvements  https://review.opendev.org/c/openstack/kolla-ansible/+/900528 [10:41]
<opendevreview> Jake Hutchinson proposed openstack/kayobe master: Register baremetal compute nodes in Ironic  https://review.opendev.org/c/openstack/kayobe/+/909671 [10:47]
<opendevreview> Jake Hutchinson proposed openstack/kayobe master: Register baremetal compute nodes in Ironic  https://review.opendev.org/c/openstack/kayobe/+/909671 [10:47]
<opendevreview> Jake Hutchinson proposed openstack/kayobe master: Register baremetal compute nodes in Ironic  https://review.opendev.org/c/openstack/kayobe/+/909671 [10:51]
<kevko> SvenKieske: I will check in a while ... Smoking 🚬 now [11:48]
<kevko> SvenKieske: I have service role in my master test stack [11:52]
<kevko> (kolla-ansible)[root]# openstack role assignment list --names | egrep '\ cinder|\ nova' [12:02]
<kevko> | admin            | cinder@Default                     |       | service@Default |                  |        | False     | [12:02]
<kevko> | service          | cinder@Default                     |       | service@Default |                  |        | False     | [12:02]
<kevko> | admin            | nova@Default                       |       | service@Default |                  |        | False     | [12:02]
<kevko> | service          | nova@Default                       |       | service@Default |                  |        | False     | [12:02]
<kevko> SvenKieske: but I have also the same error log in keystone log [12:02]
<kevko> https://paste.openstack.org/show/bV2ZJ4dMupTwRCO8iZkA/ [12:12]
<SvenKieske> that's the role assignment [12:15]
<kevko> openstack role show service << this produce error [12:15]
<SvenKieske> query for the role itself instead [12:15]
<SvenKieske> yeah I suspected as much [12:15]
<kevko> SvenKieske: but api normally replied [12:16]
<kevko> https://paste.openstack.org/show/bvUMxl2aTtApAgVhZx5e/ [12:16]
<SvenKieske> kevko, what I currently suspect is this comment: https://review.opendev.org/c/openstack/keystone/+/863420/comment/655c953c_92da126b/ [12:16]
<SvenKieske> "If you specify any project name for bootstrap command then there is no need to create service role for that project, it requires only admin, member and reader roles. " [12:16]
<SvenKieske> and I'm not sure if we run bootstrap command with the right incantation to actually create service role [12:17]
<SvenKieske> but I'm also not sure I understand that comment correctly. [12:17]
<SvenKieske> what I currently think - might be wrong - is you need to call keystone-bootstrap without args to bootstrap basic stuff? but we always call it with args? not sure how NULL args are handled. but this might be very well wrong or incomplete, still digging through code and logs [12:20]
<kevko> Before the introduction of the service role, a service had to be granted the admin role in order to have elevated privileges, which gave a service powers way beyond what was necessary. With the service role in place, we can now allow all service-to-service APIs to default to the service role only. For example, a policy that requires service can be [12:23]
<kevko> expressed as: [12:23]
<SvenKieske> it might also just be that we don't run keystone-bootstrap during upgrades? that's still on the list (because all envs where this was reported were upgrades) [12:23]
<SvenKieske> nvm, at least it seems we do run the role on upgrade, if it's not bugged somehow: https://review.opendev.org/c/openstack/kolla-ansible/+/909085/4/ansible/roles/keystone/tasks/upgrade.yml [12:25]
<kevko> SvenKieske: i am 80 percent sure this is bug in keystone [12:25]
<SvenKieske> xD [12:25]
<kevko> SvenKieske: ah, maybe not :) [12:26]
<SvenKieske> mhm, maybe we don't run keystone-bootstrap command early enough and thus the errors are produced? but they still show up later, don't they? even after the service role is created? weird [12:26]
<kevko> SvenKieske: this is returning None https://github.com/openstack/keystone/blob/2ac039b717669bf9744f72161e82bdac46dbfacf/keystone/assignment/role_backends/sql.py#L63 [12:27]
<kevko> SvenKieske: what about this ? [12:32]
<kevko> Deprecated policy rules found. Use oslopolicy-policy-generator and oslopolicy-policy-upgrade to detect and resolve deprecated policies in your configuration.\x1b[00m [12:32]
<SvenKieske> mhm, interesting [12:39]
<SvenKieske> where would we have deprecated policy rules? did you find this in keystone log? [12:40]
<SvenKieske> ah I have these too [12:40]
<kevko> The problem is that when you ask for the role "service"... it prepopulates "service" in the code, and it falls into functions that expect IDs. [12:46]
<opendevreview> Jake Hutchinson proposed openstack/kayobe master: Register baremetal compute nodes in Ironic  https://review.opendev.org/c/openstack/kayobe/+/909671 [12:52]
*** carloss_ is now known as carloss [13:15]
<kevko> SvenKieske: do you know btw why designate-manage pool update from time to time returns -1 ? [13:37]
<SvenKieske> no idea, really :D because it's designate? [13:38]
<kevko> SvenKieske: designate working very nice .. [13:47]
<kevko> SvenKieske: i think maybe because some type of timeout maybe [13:47]
<SvenKieske> yeah sorry. agreed it works, but the design is imho showing its age, but there's nothing better to replace it just yet I guess. [13:48]
<kevko> SvenKieske: what is bad on design ? [13:49]
<SvenKieske> e.g. it can't take advantage of more efficient DNS update algorithms. it only supports AXFR, it's thus not suitable for large DNS deployments imho (maybe that was also never intended). [13:51]
<SvenKieske> it would be nice e.g. if it could hook up into powerdns api, but that would require a redesign, I actually looked into doing that until I realized that everything is built around the AXFR assumption and then gave up. [13:52]
<SvenKieske> there's nothing work with relying on AXFR if you only have, I don't know 1000 domains or some such? so it's viable for small-/mid-sized setup I'd say. [13:54]
<SvenKieske> s/work/wrong/ [13:54]
<mnasiadka> kevko: so what’s up with glance? Do we need your patch? [14:05]
<kevko> mnasiadka: for now yes ..because glance itself is broken ... then no ... [14:08]
<kevko> mnasiadka: we can merge it ...and then we can revert after glance will be merged [14:09]
<kevko> mnasiadka: there is a problem that if there is no option for cache_dir ...it's none ..and in a code it's handled in bad way [14:09]
<kevko> mnasiadka: check my glance patch [14:09]
<dougszu> SvenKieske: If it's any help, I'm running a March 1st checkout and I see the service role in `openstack role list` [14:24]
<mnasiadka> kevko: i see extremely stable glance ci ;) rechecked the k-a patch [14:24]
<opendevreview> Mark Goddard proposed openstack/kolla-ansible master: Avoid unnecessary secondary fact gathering failure  https://review.opendev.org/c/openstack/kolla-ansible/+/912263 [14:36]
<frickler> mnasiadka: jovial: what about release highlights? they would be due today and I haven't seen any (but I was also out today so maybe missed something) [14:51]
<kevko> mnasiadka: https://review.opendev.org/c/openstack/glance/+/911955 merging :) [15:09]
<kevko> mnasiadka: after glance will be merged ... k-a patch will not be needed [15:10]
<kevko> mnasiadka: but i don't know how to trigger fresh new build glance images ...depends-on to some kolla patch with dummy RUN echo 'rebuild' or what ? [15:11]
<SvenKieske> dougszu: thanks for the data point; might be this is only triggered in some upgrade scenarios, but I'm still not sure how, because we also run the service register playbook on upgrade [15:26]
<kevko> SvenKieske: as I said ...it's bug in keystone [15:29]
<SvenKieske> kevko: did you already find something? [15:32]
<SvenKieske> I'm currently writing up how it's supposed to work and document the status quo basically [15:33]
<SvenKieske> so if I can include any pointer in the bug report that would be helpful to continue the research :) [15:33]
<SvenKieske> kevko: do you mean this? https://github.com/openstack/keystone/blob/2ac039b717669bf9744f72161e82bdac46dbfacf/keystone/assignment/role_backends/sql.py#L63 [15:33]
<SvenKieske> ah right, you mentioned it above, that if you trigger this function with "service" there is no "role_id" and it returns the exception [15:35]
<kevko> SvenKieske: yeah - I've already told you .. [15:37]
<mnasiadka> frickler: let me chase bbezak [15:38]
<kevko> SvenKieske: simply said ... in a code all functions accept role_id ..but in whole chain of calling functions there is a call with function(role_name) [15:39]
<mnasiadka> kevko: they will get built tomorrow morning [15:39]
<kevko> SvenKieske: it's not only service role ...just check your log for keystone and in second terminal execute openstack role show foo ...and you will see the same error [15:39]
<mnasiadka> It doesn't make any sense to trigger build and publish at this point of day ;) [15:39]
<kevko> mnasiadka: no problem ... but i can create my own to just verify and then abandon no ? [15:40]
<mnasiadka> we can recheck the tooz pin as well [15:42]
<SvenKieske> kevko: yeah it's also in keystone catalog: https://github.com/openstack/keystone/blob/2ac039b717669bf9744f72161e82bdac46dbfacf/keystone/catalog/core.py#L150 [15:56]
<mnasiadka> kevko: so basically everything will be fixed on Monday it seems ;-) [16:07]
<SvenKieske> kevko: my current downstream writeup, will do a proper keystone bugreport once I understood this mess: https://github.com/osism/issues/issues/907 [16:15]
<mnasiadka> basically I think somebody should fix keystone logging, all those tracebacks are not helping - and GET to non-existent domain/project/role should be some silent error, at most a debug log message I guess [16:16]
<mnasiadka> frickler: https://review.opendev.org/c/openstack/releases/+/912282 [16:46]
<mnasiadka> (for kolla and k-a) [16:46]
<Lockesmith> Is there a guide anywhere on how to correctly use tls certs generated externally via certbot? [22:54]
