Tuesday, 2022-09-13

*** dviroel|afk is now known as dviroel00:41
*** dviroel is now known as dviroel|out00:50
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add standalone ovn-controller role  https://review.opendev.org/c/openstack/tripleo-ansible/+/84565301:04
*** rlandy is now known as rlandy|out01:58
opendevreviewgaobin proposed openstack/tripleo-heat-templates master: fixed word case  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85724902:06
opendevreviewTakashi Kajinami proposed openstack/tripleo-common master: Drop unnecessary usage of staticmethod  https://review.opendev.org/c/openstack/tripleo-common/+/85725002:08
lecris[m]jm1: jpodivin Thanks for the support yesterday, the issue was indeed a red-herring. The actual cause was a TLS issue which makes much more sense for when it was occurring02:47
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add Neutron API standalone role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85725203:12
opendevreviewBrendan Shephard proposed openstack/tripleo-heat-templates master: Move host_prep_tasks to standalone tripleo_neutron  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85725303:16
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add Neutron API standalone role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85725203:22
opendevreviewManojkatari proposed openstack/puppet-tripleo master: Add missing parameters for NFS cinder backends.  https://review.opendev.org/c/openstack/puppet-tripleo/+/85431503:24
opendevreviewManojkatari proposed openstack/puppet-tripleo master: Add missing parameters for RBD cinder backends.  https://review.opendev.org/c/openstack/puppet-tripleo/+/85707703:24
lecris[m]Anyone know where the TLS configuration for sqlalchemy/oslo/keystone (internal connection to sql part) are?03:25
lecris[m]I have looked for something like `oslo_config`, but that is already deprecated and removed03:26
opendevreviewTakashi Kajinami proposed openstack/puppet-pacemaker master: TripleO: Switch to CentOS Stream 9 job  https://review.opendev.org/c/openstack/puppet-pacemaker/+/84097003:32
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add Neutron API standalone role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85725203:35
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add Neutron API standalone role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85725203:54
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add Neutron API standalone role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85725203:58
opendevreviewDavid Sedgmen proposed openstack/puppet-tripleo stable/train: Resues fix from "Always update the local certmonger ca cert" https://review.opendev.org/c/openstack/tripleo-heat-templates/+/785020 [Train ONLY] in wallby this was moved to tripleo-ansible and is not straight forward to refactor into the current implementation in tripleo-ansible  https://review.opendev.org/c/openstack/puppet-tripleo/+/85531004:21
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add Neutron API standalone role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85725204:21
*** ysandeep|out is now known as ysandeep04:42
tkajinambhagyashris|ruck, hi. I've enabled promotion blocker tag on https://bugs.launchpad.net/tripleo/+bug/1974047 because it has been blocking puppet-pacemaker CI for a while. I was trying to find out the case but could not find any problem so far and need some help/eyes with it04:51
tkajinamit's quite strange the job is passing in the other repos but fails only in puppet-pacemaker repo04:51
bhagyashris|rucktkajinam, for cix you will need to add the milestone on bug04:53
bhagyashris|ruckwill check04:53
tkajinambhagyashris|ruck, ah, thanks for reminder. I added the milestone04:55
ykareltkajinam, it's failing because it's using ubi8 as base image, should be c9 stream image04:56
ykarelthe reason it's passing other places might be other places use content provider jobs04:57
ykarelsetting containers_base_image: "quay.io/centos/centos:stream9" should work for that job04:59
ykarelinfact containers_base_image: registry.access.redhat.com/ubi9:latest should be used as used in other jobs05:01
tkajinamykarel, hmm ok. yeah that is the problem. though I don't know why we do not get it from the centos 9 sc004 job template05:02
*** ysandeep is now known as ysandeep|brb05:02
opendevreviewTakashi Kajinami proposed openstack/puppet-pacemaker master: TripleO: Switch to CentOS Stream 9 job  https://review.opendev.org/c/openstack/puppet-pacemaker/+/84097005:02
ykareltkajinam, since only one tripleo job is running there, running content provider additionally doesn't make much sense as it will require one additional node for full job run05:04
opendevreviewTakashi Kajinami proposed openstack/tripleo-ci master: Force usage of ubi9 image for all CentOS 9 standalone jobs  https://review.opendev.org/c/openstack/tripleo-ci/+/85726105:04
opendevreviewTakashi Kajinami proposed openstack/tripleo-ci master: Force usage of ubi9 image for all CentOS 9 standalone jobs  https://review.opendev.org/c/openstack/tripleo-ci/+/85726105:06
tkajinamykarel, I'll workaround by adding override in puppet-pacemaker but ideally we need something like this ^^^05:06
tkajinamykarel, by the way thanks a ton for quickly pointing that !05:06
* lecris[m] sent a code block: https://matrix.org/_matrix/media/r0/download/matrix.org/JzTXVtOYEkbFgqQWBAlCHSVp05:07
ykareltkajinam, yes agree default needs to be fixed, but not sure if we need that at job level05:10
ykarelwill check that later05:10
tkajinamit should be good as long as we can unblock the gate.05:16
lecris[m]Is this configuration with `/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml` being tested in the CI?05:27
ykareli don't think ^ being tested in CI05:31
lecris[m]Ok. There's an issue with the deployment currently: https://bugs.launchpad.net/tripleo/+bug/198940505:33
opendevreviewMerged openstack/tripleo-heat-templates master: Undercloud install: Create clouds.yaml with mode 600  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85588105:33
lecris[m]But isn't nova-ironic being migrated to an ansible-role?05:34
lecris[m]This one https://review.opendev.org/c/openstack/tripleo-ansible/+/855873?05:35
tkajinamlecris[m], that one does not touch nova-ironic05:35
*** ysandeep|brb is now known as ysandeep05:35
tkajinamjust only ironic-api05:35
tkajinamand ironic_pxe_*05:35
lecris[m]Kay, nothing on nova-ironic currently then?05:36
tkajinamthere is nothing on-going now05:37
opendevreviewLuis Tomas Bolivar proposed openstack/tripleo-heat-templates stable/wallaby: Ensure ovn_bgp_agent parameters are properly handled  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85457505:40
opendevreviewchandan kumar proposed openstack/tripleo-common master: [DNM] Build tripleo-ansible-ee container  https://review.opendev.org/c/openstack/tripleo-common/+/85045805:40
lecris[m]I am comparing `nova-conductor-container-puppet.yaml` with `nova-ironic-container-puppet` that call the same `nova_statedir_owner`, but I don't see any apparent difference05:42
opendevreviewLuis Tomas Bolivar proposed openstack/tripleo-heat-templates stable/wallaby: Ensure ovn_bgp_agent parameters are properly handled  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85457505:43
opendevreviewLuis Tomas Bolivar proposed openstack/tripleo-heat-templates stable/wallaby: Ensure ovn_bgp_agent parameters are properly handled  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85457505:44
lecris[m]Oh found it: https://opendev.org/openstack/tripleo-heat-templates/commit/cb889805334a7cd7325b2a9a1efe2bd00bd48c3105:45
opendevreviewTakashi Kajinami proposed openstack/tripleo-heat-templates master: nova-ironic: Fix selinux denial when relabeling /var/lib/nova  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85726305:45
opendevreviewMerged openstack/tripleo-ansible master: Improve and correct nftables role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85648705:45
tkajinamlecris[m], try this ^^^05:45
opendevreviewTakashi Kajinami proposed openstack/tripleo-heat-templates master: nova-ironic: Fix selinux denial when relabeling /var/lib/nova  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85726305:46
lecris[m]Yeah, I'll check it, but it should be just that05:47
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add Neutron API standalone role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85725205:47
lecris[m]Maybe the hole commit will need to be reverted, I'll keep you posted on the review there05:48
lecris[m]s/hole/whole/05:48
tkajinamlecris[m], are you using centos 8 or centos 9 ?05:49
lecris[m]905:49
tkajinamok05:49
tkajinamseems we are running CI with selinux permissive :-(05:50
lecris[m]Oh, there's ya problem :D05:51
lecris[m]Also about my various TLS issues, https://bugs.launchpad.net/tripleo/+bug/1989395: It seems that overriding `tripleo_internal_tls_ca_file` with the file in `InternalTLSCAFile` solves it. I have overridden on the whole `tripleo_container_standalone` for testing, but probably it needs to be patched on all service heat templates05:53
lecris[m]It's a niche deployment scenario so I don't think it is/can be covered by CI05:58
opendevreviewyatin proposed openstack/openstack-tempest-skiplist master: Revert "Skip neutron_tempest_plugin.api.test_port_forwardings.PortForwardingTestJSON"  https://review.opendev.org/c/openstack/openstack-tempest-skiplist/+/85706706:18
opendevreviewLuca Miccini proposed openstack/tripleo-heat-templates master: Ensure /run/frr is present after (re)boot  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85726506:19
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add Neutron API standalone role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85725206:24
*** tkajinam is now known as Guest16206:33
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add Neutron API standalone role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85725206:41
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add Neutron API standalone role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85725206:46
Tenguhello there! folks, care to have a look at https://review.opendev.org/c/openstack/tripleo-ansible/+/853481 and, maybe, nudge it to the gate? :)06:53
Tengutkajinam: we're at one +W on https://review.opendev.org/q/topic:standalone%252Fapache to be able to get rid of puppetlabs-apache :)06:54
Tengu«just saying» ;)06:54
opendevreviewMarios Andreou proposed openstack/tripleo-upgrade stable/queens: Remove linter testing as pip dependencies won't install anymore.  https://review.opendev.org/c/openstack/tripleo-upgrade/+/85672307:20
opendevreviewMarios Andreou proposed openstack/tripleo-upgrade stable/queens: Remove linter testing as pip dependencies won't install anymore.  https://review.opendev.org/c/openstack/tripleo-upgrade/+/85672307:25
marioschem: fyi left you a comment - you have duplicate zuul layout that's why it was running :D07:27
marioschem: ^^ 07:27
chemmarios: thanks :)07:27
Tenguchandankumar: thanks for your comment on the tripleo_httpd_* change proposal.07:30
*** jm1|ruck is now known as jm1|rover07:33
*** jpena|off is now known as jpena07:37
opendevreviewSofer Athlan-Guyot proposed openstack/tripleo-upgrade stable/queens: Remove linter testing as pip dependencies won't install anymore.  https://review.opendev.org/c/openstack/tripleo-upgrade/+/85672307:44
opendevreviewSofer Athlan-Guyot proposed openstack/tripleo-upgrade stable/queens: Ensure fencing is correctly handled during update  https://review.opendev.org/c/openstack/tripleo-upgrade/+/85612607:46
opendevreviewJiri Podivin proposed openstack/validations-libs master: Removing superfluous imports and variable  https://review.opendev.org/c/openstack/validations-libs/+/85703707:48
chandankumarTengu: thank you, :-) please have a look https://review.opendev.org/c/openstack/tripleo-ansible/+/855358 when free!07:48
Tenguan easy one :)07:50
opendevreviewSofer Athlan-Guyot proposed openstack/tripleo-heat-templates master: Ensure container's image get updated if their name stay the same.  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85093307:51
opendevreviewManojkatari proposed openstack/puppet-tripleo master: Add missing parameters for RBD cinder backends.  https://review.opendev.org/c/openstack/puppet-tripleo/+/85707708:02
chandankumartkajinam: please have a look at this one https://review.opendev.org/c/openstack/tripleo-ci/+/850736 when around, thank you :-)08:03
tkajinamTengu, I've left a comment in the first tripleo-ansible patch. the 2nd one looks good. the tht patch also looks good but I'm still trying to understand how we set option for a specific vhost08:04
opendevreviewmbu proposed openstack/python-tripleoclient master: Add Ansible execution environment support  https://review.opendev.org/c/openstack/python-tripleoclient/+/77656408:05
Tengutkajinam: ah, the per-vhost/service options: it's done using t-h-t and the custom ansible role, such as tripleo_ironic.08:06
Tengutkajinam: t-h-t can use a "custom namespace" in the group_var, like I generate in the new apache-baremetal-ansible file, using the SERVICE_NAME as a distinct """namespace""" - it's then translated in the service ansible role, such as tripleo_ansible08:07
tkajinamthat basically requires re-defining the same vars in each role, right ?08:10
Tengutkajinam: yeah, more or less: https://review.opendev.org/c/openstack/tripleo-ansible/+/855873/14/tripleo_ansible/roles/tripleo_ironic/tasks/api_httpd.yaml#1908:11
Tenguif this answers your question...08:12
TenguBUT note: those "namespaced keys" are needed only for the global things we're setting in the apache-baremetal-ansible08:12
Tenguother keys are just set in the t-h-t service file, such as https://review.opendev.org/c/openstack/tripleo-heat-templates/+/854568/18/deployment/ironic/ironic-api-container-puppet.yaml#37708:13
tkajinamI'm saying this from my curiosity but I'm wondering whether we can pass a single dict to override each options08:13
Tenguso mostly... we're talking "only" about some keys like TLS configuration, and module loading08:13
tkajinamit might be overkilling as we intentionally selected what we believe useful only and expose these08:13
TenguI thought about that, but I think the way I implemented it is easier to understand and to maintain08:13
Tenguespecially since the apache-baremetal-ansible is centralizing some actions around TLS certificates.08:14
opendevreviewManojkatari proposed openstack/puppet-tripleo master: Add missing parameters for NFS cinder backends.  https://review.opendev.org/c/openstack/puppet-tripleo/+/85431508:16
tkajinamTengu, we don08:19
tkajinamsorry. pushed Enter too early08:19
tkajinamTengu, we don't need to expose every parameter because some parameters might be for internal use. My concern is that in case we found one good vhost option which we want to make configurable then we might end up adding the same parameter in multiple roles.08:20
tkajinamas we have done in puppet for long. After adding a single parameter in puppet-openstacklib, I always need to update wsgi::apache in 15+ modules to allow usage of that parameter08:21
Tengutkajinam: sorry, on a call08:23
tkajinamTengu, no problem08:23
tkajinamchandankumar, done08:23
opendevreviewManojkatari proposed openstack/puppet-tripleo master: Add missing parameters for RBD cinder backends.  https://review.opendev.org/c/openstack/puppet-tripleo/+/85707708:23
chandankumartkajinam: thanks!08:24
chandankumarTengu: https://review.opendev.org/c/openstack/tripleo-ci/+/850736 another one good to go!08:25
opendevreviewTakashi Kajinami proposed openstack/tripleo-heat-templates master: nova-ironic: Fix selinux denial when relabeling /var/lib/nova  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85726308:36
*** ysandeep is now known as ysandeep|lunch09:06
opendevreviewSofer Athlan-Guyot proposed openstack/tripleo-heat-templates master: Ensure container's image get updated if their name stay the same.  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85093309:12
opendevreviewwangjiaqi proposed openstack/os-net-config master: Use py3 as the default runtime for tox  https://review.opendev.org/c/openstack/os-net-config/+/85730209:13
opendevreviewOliver Walsh proposed openstack/tripleo-ansible master: Ensure the openvswitch service is enabled and deps are installed  https://review.opendev.org/c/openstack/tripleo-ansible/+/85597509:26
opendevreviewOliver Walsh proposed openstack/tripleo-ansible master: Ensure the openvswitch service is enabled and deps are installed  https://review.opendev.org/c/openstack/tripleo-ansible/+/85597509:26
opendevreviewCristian Le proposed openstack/tripleo-heat-templates master: Add internal TLS CA file to group vars  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85733609:39
lecris[m]^ I think there should be a better place to put this instead of the keystone, but at least it does resolve the discrepancy issue09:41
jm1Tengu: o/ trying again today XD who can fix this cap issue? https://bugs.launchpad.net/tripleo/+bug/198924709:41
lecris[m]jm1: It is a red herring, the issue seems to be something else09:42
lecris[m]It would be great to remove that error so that it doesn't confuse others though09:43
jm1lecris[m]: exactly ;)09:43
opendevreviewOliver Walsh proposed openstack/tripleo-ansible master: Ensure the openvswitch service is enabled and deps are installed  https://review.opendev.org/c/openstack/tripleo-ansible/+/85597509:45
lecris[m]Weird ipa behaviour. After the deployment finished, I cannot dig to the top-level ipa dns zone. I thought it was a hiccup, but it happened twice now09:48
opendevreviewMerged openstack/tripleo-quickstart-extras master: Fix resolution of tripleo_ceph_deploy_container_namespace  https://review.opendev.org/c/openstack/tripleo-quickstart-extras/+/85720109:50
Tengutkajinam: back - but away for lunch again, sorry! took some more time.09:55
Tengujm1: well, sorry - was on a call - now lunch... I'll read the LP and come back.09:56
opendevreviewOliver Walsh proposed openstack/tripleo-heat-templates master: Use python to template cell urls  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85191709:56
Tengujm1, lecris[m] you can `git grep cap_add' in tripleo-heat-templates09:57
Tenguthis is how you can add capabilities to containers.09:57
Tengushould solve your thing.09:57
Tengu#lunch09:57
lecris[m]How can I debug 503 issue for horizon?10:01
jm1Tengu: can u send a patch for that cap_add thingy?10:04
jm1Tengu: pls :)10:04
lecris[m]I forgot for which service this one occurred10:05
lecris[m]Looks pretty straightforward though10:06
lecris[m]Oh, but it has to be handled on tripleo-ansible10:08
opendevreviewJiri Podivin proposed openstack/validations-libs master: Logging facility for VF  https://review.opendev.org/c/openstack/validations-libs/+/85719810:15
opendevreviewCristian Le proposed openstack/tripleo-ansible master: Add audit write cap  https://review.opendev.org/c/openstack/tripleo-ansible/+/85733810:15
lecris[m]jm1: Do you remember other services that could have this issue?10:15
lecris[m]Though I don't know if adding this like such is appropriate so open for discussion10:16
opendevreviewchandan kumar proposed openstack/tripleo-quickstart-extras master: Initial playbook to compute node using standalone ansible playbook  https://review.opendev.org/c/openstack/tripleo-quickstart-extras/+/84383510:18
jm1lecris[m]: no idea. which is why i am asking Tengu for help here ^^10:20
lecris[m]👍️ Good strategy :D10:20
lecris[m]`environments/services/ironic-overcloud.yaml` has not been tested in quite a while:... (full message at <https://matrix.org/_matrix/media/r0/download/matrix.org/gLyDMdWmOxnSAGDniYYMKfuj>)10:23
opendevreviewchandan kumar proposed openstack/tripleo-ci master: Add tripleo-external-compute-deployment-pipeline job template  https://review.opendev.org/c/openstack/tripleo-ci/+/84383610:25
*** rlandy|out is now known as rlandy10:29
opendevreviewJiri Podivin proposed openstack/validations-libs master: Logging facility for VF  https://review.opendev.org/c/openstack/validations-libs/+/85719810:33
*** ysandeep|lunch is now known as ysandeep10:43
opendevreviewMerged openstack/tripleo-heat-templates master: Fix Update ovn_controller. from external-update playbook  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85719911:00
lecris[m]Anyone know what could cause this?... (full message at <https://matrix.org/_matrix/media/r0/download/matrix.org/OvwshVilFwPcKTMCAUlfEama>)11:03
lecris[m]Are there reported errors of neutron+TLS? The deployment works, but `neutron-api` service does not work because of connection to `ovs` presumably11:13
Tengujm1: seeing Dan answer on the github, I'd rather not add the CAP_AUDIT_WRITE.11:13
Tenguprobably something to correct in the container service so that it doesn't rely on audit.11:13
jm1Tengu: whatever it takes to silence that msg ;)11:16
lecris[m]Would adding a line to /etc/sudoers do that?11:16
TenguI don't think so, no11:17
opendevreviewMerged openstack/tripleo-ansible master: Add openssh test_deps as container manager needs it  https://review.opendev.org/c/openstack/tripleo-ansible/+/85535811:17
opendevreviewCedric Jeanneret proposed openstack/tripleo-ansible master: New roles for apache/httpd management  https://review.opendev.org/c/openstack/tripleo-ansible/+/85348111:17
Tengutkajinam: -^^  updated according to your comments11:18
opendevreviewCedric Jeanneret proposed openstack/tripleo-ansible master: New tripleo_ironic role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85587311:19
lecris[m]Are these new roles basically identical to the heat template ones or are there some fixes in them as well?11:21
Tengulecris[m]: what new roles?11:27
Tenguthe ones I pushed for httpd management?11:27
lecris[m]The latter, `tripleo_ironic`11:28
Tenguah, that. it only covers the httpd config11:28
opendevreviewVijayalakshmi proposed openstack/tripleo-ansible stable/wallaby: TripleO os_net_config playbooks should allow re-run  https://review.opendev.org/c/openstack/tripleo-ansible/+/85734611:28
lecris[m]But there are also `neutron_api` and so on11:28
Tenguyes. there will be a tripleo_neutron soon-ish11:28
TenguI sent a mail to the "discuss" ML about that, earlier today.11:29
Tengu"[tripleo] puppetlabs-apache: soon a just a bad memory?"11:29
lecris[m]What do these migrations aim to solve?11:30
Tenguit's all written in the mail.11:30
Tengubasically: remove a 3rd party dependency that usually breaks us on new releases, get a smaller footprint...11:31
Tenguand some other considerations.11:31
lecris[m]Thnx for the tldr11:31
lecris[m]Btw a quick question about undercloud, what's the purpose of the different `admin`, `public` and local ip addresses/names?11:33
*** dviroel|out is now known as dviroel11:36
opendevreviewDouglas Viroel proposed openstack/tripleo-heat-templates master: Test custom cpu_model on nested virt job  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85722611:45
opendevreviewCedric Jeanneret proposed openstack/tripleo-heat-templates master: Switch default firewall engine  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85280811:47
Tenguysandeep: -^^  added depends-on your 2 oooq+oooq-extras patches11:47
Tenguthat should make zuul green on that patch.11:47
Tenguhopefully.11:47
Tenguysandeep: meaning: testproject doesn't need to depends-on them now. Sorry if it crashed an on-going run though :/.11:48
ysandeepTengu, ack, rdo ci is still in shape due to mirror issue11:48
Tengujust want to validate things within that patch.11:48
Tenguysandeep: ok - so I didn't hose things :). which is good.11:48
ysandeepTengu, yeah even better11:48
opendevreviewJaganathan Palanisamy proposed openstack/tripleo-common master: Derive parameters clean up  https://review.opendev.org/c/openstack/tripleo-common/+/85119411:56
Tengulecris[m], jm1 so, maybe we can edit the sudo.conf (not sudoers) in order to avoid any discussion with the audit thingy. According to the manpage, starting with 1.9.1, there's a "sudoers_audit" plugin now - maybe we can either exchange it with another thing, or mute its "audit log" capacities.11:58
Tenguit needs some more readong.11:58
Tengu*reading11:58
Tengubut that may be a path to follow.11:58
Tengubut from what I read, the plugin doesn't offer much related to audit log.11:58
Tengu`man sudo.conf' offers some more explanation, we may get to something nice... but it will require testing, of course.11:59
opendevreviewMerged openstack/tripleo-heat-templates stable/wallaby: Remove unneeded parameter tripleo_frr_ovn_bgp_agent_bridge_mappings  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85533012:08
opendevreviewOliver Walsh proposed openstack/tripleo-ansible master: Ensure the openvswitch service is enabled and deps are installed  https://review.opendev.org/c/openstack/tripleo-ansible/+/85597512:14
opendevreviewOliver Walsh proposed openstack/tripleo-ansible master: Ensure the openvswitch service is enabled and deps are installed  https://review.opendev.org/c/openstack/tripleo-ansible/+/85597512:20
jm1Tengu: thanks man! i guess you are also pretty booked but maybe you could paste your discoveries in the bug and give us some direction to whom (which dfg) we could assign that bug? 12:29
Tengujm1: gimme 5 minutes - my laptop had a crash -.-.12:30
Tenguof course.12:30
jm1Tengu: thank you :D (fyi ruck and rovers are mostly fighting intermittent and transient failures nowadays, we barely have time to dig into one of the bugs ourselves :/ )12:31
Tengulecris[m]: had to -1 your patch adding the capability (cf discussion here - I'll push data to the LP)12:32
*** frenzyfriday is now known as frenzyfriday|lunch12:32
Tenguade_lee: heya! would you have some time to check on https://bugs.launchpad.net/tripleo/+bug/1989247 and, especially, comment #12 ?12:35
Tenguade_lee: apparently, under some circumstances, "sudo" wants to write in the audit log, and this is prevented from containers (https://github.com/containers/podman/issues/15626#issuecomment-1236306369) - I'd rather avoid re-adding the capability, and think it would be better to properly configure sudo.12:35
ade_leeTengu, ack - will look12:36
Tenguthanks!12:37
Tengujm1: things are under control. More or less.12:37
lecris[m]<Tengu> "lecris: had to -1 your patch..." <- No worries12:38
Tengulecris[m]: added some more context/comment12:39
chandankumarbogdando: slagle please have a look at this issue https://review.opendev.org/c/openstack/tripleo-ansible/+/842437/16#message-b674e65d15e6935100268c09e210503e6e74c7cc12:39
Tengubrb12:39
chandankumarit is blocking testing of standalone roles12:39
opendevreviewJakob Meng proposed openstack/openstack-tempest-skiplist master: Skip neutron_tempest_plugin.api.test_port_forwardings.PortForwardingTestJSON on c9 master network comp.  https://review.opendev.org/c/openstack/openstack-tempest-skiplist/+/85742212:41
bogdandochandankumar, abishop: ^^ the real error is Error: statfs /var/lib/config-data/ansible-generated/iscsid: no such file or directory12:41
bogdandounlikely /lib/modules mount12:42
bogdandoand that is related to new ansible config provider12:42
chandankumarbogdando: yes, as other standalone jobs are passing12:48
chandankumarLet me open a bug to track that12:48
Tenguade_lee: if needed, we can collaborate on that sudo.conf thingy.12:57
Tenguimho there are potential improvements in the containers sudo things. Maybe we should even avoid calling "sudo" from within the container and rely on the "--user root" for specific subset of commands ?12:58
Tengulecris[m]: incidentally.... I see the db_sync is supposed to run as root at this point. I'm a bit surprised to see "sudo" being involved.. (cc ade_lee )12:59
lecris[m]It is `sudo -u keystone`13:00
Tenguah. meh.13:01
Tengudidn't check deeper.13:01
Tengumaybe we can try to log only sudo denials.13:02
Tenguthat should do it. more or less.13:02
lecris[m]Tengu: But it is running as root so would there be sudo denials?13:04
lecris[m]I was thinking that if a specific command is written in sudoers, then it would not check audit13:05
lecris[m]But I don't know sudo configs13:05
opendevreviewMerged openstack/openstack-tempest-skiplist master: Skip neutron_tempest_plugin.api.test_port_forwardings.PortForwardingTestJSON on c9 master network comp.  https://review.opendev.org/c/openstack/openstack-tempest-skiplist/+/85742213:05
Tengulecris[m]: so by default sudo logs all - successes and denials.13:15
Tengulecris[m]: so if we configure it to log only denials, we shouldn't hit any issue, since things are allowed.13:16
Tenguwe basically don't really care about the sudo log when things are running as planned, do we?13:16
Tenguso imho, we can configure sudo to not log successes, and be off with it.13:16
lecris[m]👍 sounds reasonable13:17
lecris[m]Is it ok not to log unexpected sudo commands13:17
lecris[m]Realistically wouldn't occur, but 🤷‍♂️13:18
*** dasm|off is now known as dasm13:21
*** pdeore is now known as pdeore|afk13:24
*** frenzyfriday|lunch is now known as frenzyfriday13:26
opendevreviewMikolaj Ciecierski proposed openstack/tripleo-heat-templates stable/wallaby: Fix Update ovn_controller. from external-update playbook  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85743313:27
Tenguthat's for Security ;)13:43
opendevreviewyatin proposed openstack/tripleo-heat-templates master: Allow Undercloud to be deployed with Ml2 OVN  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85743613:48
opendevreviewCedric Jeanneret proposed openstack/tripleo-heat-templates master: Avoid a pipe and grep call  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85743713:55
opendevreviewyatin proposed openstack/tripleo-quickstart master: Switch fs001 to Deploy Undercloud with OVN  https://review.opendev.org/c/openstack/tripleo-quickstart/+/85350314:12
opendevreviewManojkatari proposed openstack/tripleo-heat-templates master: support tripleo_etcd ansible role  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/84984414:20
Tenguchandankumar: heya! is there anything in addition to https://review.opendev.org/c/openstack/tripleo-quickstart/+/856603 to do? apparently, zuul is still failing with the OC deploy (OC node unreachable).14:27
Tenguchandankumar: I first thought it was due to the nftables switch, but the failure happens far, far before we actually set anything in the firewall.14:27
Tenguchandankumar: for instance https://review.opendev.org/c/openstack/tripleo-heat-templates/+/852808 - and https://f0b14fac337d4721647f-43001c5c460bd4e8e3c2be96e8c7a69c.ssl.cf2.rackcdn.com/852808/12/check/tripleo-ci-centos-9-containers-multinode/005472b/logs/undercloud/home/zuul/overcloud_deploy.log14:27
TenguWait for connection to become available | 192.168.24.3 | error={"changed": false, "elapsed": 2407, "msg": "timed out waiting for ping module test: Data could not be sent to remote host \"192.168.24.3\". Make sure this host can be reached over ssh: ssh: connect to host 192.168.24.3 port 22: No route to host\r\n"}14:28
chandankumarTengu: weird14:35
chandankumarhttps://zuul.opendev.org/t/openstack/builds?job_name=tripleo-ci-centos-9-containers-multinode seems to be healthy14:36
chandankumarmay be something got merged or got updated caused that?14:36
chandankumarif dependent patches is not causing it14:36
Tenguhmm.14:41
Tenguuho. ok. I see far too many dropped packets.14:42
Tenguysandeep: apparently the vxlan opening needs to be in some other jobs :)14:42
Tenguysandeep: check that out: https://f0b14fac337d4721647f-43001c5c460bd4e8e3c2be96e8c7a69c.ssl.cf2.rackcdn.com/852808/12/check/tripleo-ci-centos-9-containers-multinode/005472b/logs/undercloud/var/log/extra/dropped-packets.txt14:42
Tenguysandeep: so you want to expand a bit the scope of your patch imho. we probably should open the vxlan related ports to all of the jobs involving overcloud nodes.14:43
ysandeepTengu, https://f0b14fac337d4721647f-43001c5c460bd4e8e3c2be96e8c7a69c.ssl.cf2.rackcdn.com/852808/12/check/tripleo-ci-centos-9-containers-multinode/005472b/logs/undercloud/home/zuul/undercloud-parameter-defaults.yaml ^^ undercloud already has those rules14:43
ysandeepchecking dropped-packet file 14:44
chandankumarTengu: what is the issue there?14:44
Tenguo_O14:44
Tenguchandankumar: UC can't talk to OC node. apparently infra is using vxlan, and while it should be OK, it doesn't seem to be THAT ok.14:45
ysandeepTengu, we shouldn't have drops for 4789, it's here already: https://f0b14fac337d4721647f-43001c5c460bd4e8e3c2be96e8c7a69c.ssl.cf2.rackcdn.com/852808/12/check/tripleo-ci-centos-9-containers-multinode/005472b/logs/undercloud/home/zuul/undercloud-parameter-defaults.yaml14:45
chandankumarah ok14:45
TenguSRC=158.69.64.138 DST=158.69.65.240 vs ip saddr 158.69.65.24014:45
Tenguysandeep: we probably want to either allow the range (/24 or so), or take the right IP for the SRC.14:45
ysandeepTengu, I am in a mtg but let's talk tomorrow morning o/14:46
Tenguhere, vxlan packets come from SRC=158.69.64.138 while we're allowing saddr 158.69.65.24014:46
Tenguysandeep: sure thing!14:46
TenguI'll be in a meeting in ~15 minutes as well.14:46
Tengumaybe "ip daddr 158.69.65.240 udp dport 4789 counter packets 0 bytes 0 accept comment "020 Allow VXLan from CI infra network"14:47
Tenguwould be better.14:47
Tenguthough it's a bit too wide imho.14:47
Tengu(anything hitting that IP (which is public) on that port will be allowed - not sure this is that safe)14:47
opendevreviewJiri Podivin proposed openstack/validations-libs master: Logging facility for VF  https://review.opendev.org/c/openstack/validations-libs/+/85719814:49
opendevreviewJiri Podivin proposed openstack/validations-libs master: Logging facility for VF  https://review.opendev.org/c/openstack/validations-libs/+/85719814:52
Tengucorresponds to a /29 netmask.14:52
*** ykarel is now known as ykarel|afk14:54
Tenguok. that .138 is known within the deploy, according to https://f0b14fac337d4721647f-43001c5c460bd4e8e3c2be96e8c7a69c.ssl.cf2.rackcdn.com/852808/12/check/tripleo-ci-centos-9-containers-multinode/005472b/logs/quickstart_files/ssh.config.ansible14:56
Tengulooks like a bastion or something.14:56
Tenguso we may get that IP in some way in the deploy, and allow it.14:56
Tenguaw dang. no. it's not a /29, I didn't realize it's 138 vs 240 :).14:57
*** eliadcohen__ is now known as eliadcohen15:04
*** ykarel|afk is now known as ykarel15:10
opendevreviewJames Slagle proposed openstack/tripleo-ansible master: Add initial standalone playbooks and inventory for a compute node  https://review.opendev.org/c/openstack/tripleo-ansible/+/84050915:15
opendevreviewMerged openstack/tripleo-heat-templates stable/wallaby: Add 'ResellerAdmin' role to ceilometer user  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85649115:19
slaglebogdando: you have +2's from me on the nova roles15:23
slaglei'd be happy to get these merged and iteratively improve from there15:23
opendevreviewchandan kumar proposed openstack/tripleo-heat-templates master: [WIP] Include tripleo_iscsid/tasks/configure.yml  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85746415:26
chandankumarbogdando: slagle for this https://bugs.launchpad.net/tripleo/+bug/1989482 trying with above fix15:26
chandankumar^^15:26
opendevreviewCedric Jeanneret proposed openstack/tripleo-ansible master: New roles for apache/httpd management  https://review.opendev.org/c/openstack/tripleo-ansible/+/85348115:28
opendevreviewchandan kumar proposed openstack/tripleo-ci master: Add tripleo-external-compute-deployment-pipeline job template  https://review.opendev.org/c/openstack/tripleo-ci/+/84383615:28
opendevreviewCedric Jeanneret proposed openstack/tripleo-ansible master: New tripleo_ironic role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85587315:28
slaglechandankumar: looking15:35
bogdandoslagle: thanks!15:38
*** marios is now known as marios|out15:49
*** dviroel is now known as dviroel|lunch15:51
sdanniHi! We are working on deploying overcloud with SSL. We use letsencrypt certificates which will expire in 90 days. I wonder what is the common way to renew ssl certificates in openstack environment without redeploying overcloud?15:52
*** ysandeep is now known as ysandeep|out15:57
opendevreviewDaniel Bengtsson proposed openstack/tripleo-heat-templates master: Remove the python3-openclient and add a new task.  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85746916:01
lecris[m]sdanni: Does  certmonger work with letsencrypt?16:02
lecris[m]At the very least you can make a certbot service and restart haproxy and horizon16:05
lecris[m]Reload rather than restart16:06
sdannilecris[m]: i just googled it. I think there are some tools for certmonger to communicate with letsencrypt CA but none of them are officially supported16:07
sdannilecris[m]: do you mean I can manually replace the certs and keys on overcloud nodes and then reload haproxy?16:08
lecris[m]Yeah. I don't know if openstack terminates or passes through the TLS protocol. If it's the latter that should be the feasible way16:10
lecris[m]If the former you could add acme to haproxy iirc16:11
sdannilecris[m]: if certmonger works with letsencrypt, could the process be simpler?16:13
lecris[m]Yes, because certmonger support is built-in16:13
sdannilecris[m]: gotcha! thanks16:19
*** jpena is now known as jpena|off16:35
opendevreviewLukas Bezdicka proposed openstack/tripleo-heat-templates stable/wallaby: WIP: FFWD3: enample templated haproxy/heat images  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85289816:35
*** dviroel|lunch is now known as dviroel16:57
opendevreviewMerged openstack/tripleo-heat-templates master: Correct label for /run/libvirt  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85653518:01
opendevreviewMerged openstack/tripleo-ansible master: Run molecule tests locally without zuul  https://review.opendev.org/c/openstack/tripleo-ansible/+/85633918:39
opendevreviewDouglas Viroel proposed openstack/tripleo-heat-templates master: Test custom cpu_model on nested virt job  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/85722618:50
*** dviroel is now known as dviroel|brb20:10
*** rlandy is now known as rlandy|bbl21:27
*** dasm is now known as dasm|off22:28
*** dasm|off is now known as Guest30523:03
*** rlandy|bbl is now known as rlandy23:27
opendevreviewBrendan Shephard proposed openstack/tripleo-ansible master: Add Neutron API standalone role  https://review.opendev.org/c/openstack/tripleo-ansible/+/85725223:42
