opendevreview | Hector Vido proposed openstack/ansible-role-systemd_networkd master: Save current network conf on /etc/systemd/network. https://review.opendev.org/c/openstack/ansible-role-systemd_networkd/+/940672 | 02:39 |
---|---|---|
opendevreview | Hector Vido proposed openstack/ansible-role-systemd_networkd master: Save current network on /etc/systemd/network. https://review.opendev.org/c/openstack/ansible-role-systemd_networkd/+/940672 | 02:46 |
gokhan_ | hello folks, how can we update /etc/hosts file with new inventory. it seems we can use openstack_hosts playbook | 09:07 |
jrosser | gokhan_: perhaps something like `openstack-ansible playbooks/openstack-hosts-setup.yml --tags openstack_hosts-file` | 09:18 |
jrosser | you can see that tag on that part here https://github.com/openstack/openstack-ansible-openstack_hosts/blob/master/tasks/main.yml#L90 | 09:18 |
opendevreview | Andrew Bonney proposed openstack/openstack-ansible master: docs: adjust rabbitmq quorum queue guidance for 2024.2 onwards https://review.opendev.org/c/openstack/openstack-ansible/+/940693 | 12:38 |
opendevreview | Dmitriy Rabotyagov proposed openstack/ansible-role-systemd_networkd master: Allow to apply only overrides to the network interface https://review.opendev.org/c/openstack/ansible-role-systemd_networkd/+/940324 | 12:40 |
noonedeadpunk | we really need to improve our upgrade and monitoring guide around rabbitmq as well | 12:41 |
noonedeadpunk | wrt https://www.rabbitmq.com/docs/man/rabbitmq-queues.8 | 12:42 |
noonedeadpunk | as OS upgrade will nuke quorum queues setup without re-adding node which was re-setup | 12:43 |
noonedeadpunk | and also check_if_node_is_quorum_critical is a good healthcheck for upgrade as well | 12:43 |
noonedeadpunk | and OVN is a next thing which will struggle during OS upgrade atm... | 12:45 |
opendevreview | Hector Vido proposed openstack/ansible-role-systemd_networkd master: Save current network on /etc/systemd/network. https://review.opendev.org/c/openstack/ansible-role-systemd_networkd/+/940672 | 12:59 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-ops unmaintained/2023.1: Update .gitreview for unmaintained/2023.1 https://review.opendev.org/c/openstack/openstack-ansible-ops/+/939849 | 13:32 |
noonedeadpunk | #startmeeting openstack_ansible_meeting | 15:04 |
opendevmeet | Meeting started Tue Feb 4 15:04:24 2025 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:04 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:04 |
opendevmeet | The meeting name has been set to 'openstack_ansible_meeting' | 15:04 |
noonedeadpunk | #topic rollcall | 15:04 |
noonedeadpunk | half-here as on the event right now | 15:04 |
jrosser | o/ hello | 15:05 |
noonedeadpunk | #topic office hours | 15:10 |
noonedeadpunk | so. this weak I realized we're having soooo much things to grow in :D | 15:11 |
noonedeadpunk | *week | 15:11 |
jrosser | i hope you make some notes :) | 15:11 |
noonedeadpunk | Yeah, some. Btw, I was wondering, do you happen to use VSCode or some other IDE? | 15:12 |
jrosser | mostly just vim | 15:12 |
jrosser | but for serious search/replace across all the repos, then yes vscode | 15:12 |
noonedeadpunk | as one thing I learned about - ansible development environment. Basically a way to spawn a docker container with pre-installed ansible-core/molecule/etc | 15:13 |
jrosser | also the ssh remote thing to make a vm appear like local development is excellent | 15:13 |
noonedeadpunk | and then there's a way to spawn workloads from it | 15:13 |
noonedeadpunk | and you can quite easily describe and ship config for vscode to spawn such environment | 15:13 |
noonedeadpunk | pretty much through https://github.com/Microsoft/vscode-remote-release | 15:14 |
noonedeadpunk | sorry, * https://code.visualstudio.com/docs/devcontainers/containers | 15:15 |
noonedeadpunk | but there're quite some ways of doing same without vscode as well | 15:15 |
jrosser | ah yes i am already familiar with https://code.visualstudio.com/docs/remote/ssh | 15:16 |
noonedeadpunk | yeah, I firstly set link to the bundle instead of specific plugin | 15:16 |
noonedeadpunk | so basically if we have devcontainer.json file in tree of roles with molecule - it might make experience sooooo much better | 15:17 |
noonedeadpunk | another thing I learned - is argument spec files for roles | 15:18 |
noonedeadpunk | https://docs.ansible.com/ansible/latest/collections/ansible/builtin/validate_argument_spec_module.html | 15:18 |
noonedeadpunk | where one can describe expected input to the role and then verify its validity | 15:19 |
noonedeadpunk | so that you can resolve/fail faster | 15:20 |
noonedeadpunk | and then it makes generating documentation for module way more trivial | 15:20 |
jrosser | though if you have the whole external interface in defaults/main.yml...... | 15:20 |
jrosser | it might be more appropriate when we iterate over include_tasks or whatever in openstack service setup, and the input data is complex | 15:21 |
noonedeadpunk | so the thing is, that we know defaults work, but let's say neutron. it's quite frequent one can mis-use mappings... I'm not sure though if arg spec can prevent this from happening or not... | 15:22 |
jrosser | yes and the rules for what you have to have in those mappings is super unclear | 15:23 |
noonedeadpunk | just I think in general it might be nice to fail early in some tricky places we aware about... but yeah, probably it's not very important indeed for now | 15:23 |
jrosser | i expect some of the "utility" roles would benefit most, rather than the openstack services to start with | 15:24 |
noonedeadpunk | but then kind if we can define a rule for smth - probably it's worth re-factoring a bit and making more obvious? | 15:24 |
noonedeadpunk | oh, yes, sure | 15:24 |
jrosser | as the inputs tend to be "list of things", defaults to [] | 15:25 |
noonedeadpunk | well, yes, on that level it's not gonna be helpful at all | 15:26 |
noonedeadpunk | but it can be handy at some cases... at least describe allowed or mutually exclusive options we do not support | 15:29 |
noonedeadpunk | but agree - it mostly happens inside of complex data structures in our case | 15:29 |
noonedeadpunk | also - I learned about Conjur today - kinda "vault" alternative: https://github.com/cyberark/conjur | 15:29 |
noonedeadpunk | I think interesting part was, that you kinda register ansible controller once and allow there access to group hosts registered in service | 15:30 |
noonedeadpunk | but also it pushed me to the idea of replacing ssh keys with such secrets | 15:31 |
noonedeadpunk | and probably writing some doc on how to do that | 15:31 |
noonedeadpunk | (even with vault) | 15:31 |
noonedeadpunk | but worse part - is that again it's all just lookups :( | 15:32 |
noonedeadpunk | though you don't need to have a token supplied each time you run ansible | 15:32 |
noonedeadpunk | as once host is registered - it can operate and fetch things. | 15:32 |
noonedeadpunk | so kinda sounded neat | 15:33 |
jrosser | so for vault+jenkins we give jenkins a token | 15:33 |
jrosser | and you can do things like make that token only valid for the IP you want | 15:34 |
noonedeadpunk | and you don't run anything manually from the deploy host? | 15:34 |
jrosser | a mixture | 15:34 |
opendevreview | Merged openstack/openstack-ansible master: docs: adjust rabbitmq quorum queue guidance for 2024.2 onwards https://review.opendev.org/c/openstack/openstack-ansible/+/940693 | 15:34 |
jrosser | periodic stuff in jenkins "is everything broken?" kind of jobs | 15:34 |
noonedeadpunk | I think what I don't like most right now - is usage of passwordless SSH key | 15:34 |
noonedeadpunk | for the root user, kinda | 15:34 |
noonedeadpunk | at least that's what we "promote" most | 15:35 |
jrosser | signed keys make that ephemeral at least | 15:35 |
jrosser | though we pretty much just leave this to the operator to decide i guess | 15:35 |
noonedeadpunk | true | 15:36 |
noonedeadpunk | but would be nice to have some options documented one day | 15:36 |
jrosser | now we have fixed the connection plugin it would be good to have a "non root" job | 15:36 |
noonedeadpunk | ++ | 15:37 |
jrosser | i expect it is mostly ok, but there will be some errors for sure | 15:37 |
noonedeadpunk | So there were multiple things I've faced when tried last time... | 15:38 |
noonedeadpunk | like owner of the user_secrets | 15:38 |
noonedeadpunk | but for metal it was doable, yes | 15:38 |
noonedeadpunk | still - you kind of assumed to have the user added to sudoers with * more or less | 15:39 |
noonedeadpunk | and passwordless escalation | 15:39 |
jrosser | you do | 15:39 |
jrosser | so this is kind of security theatre imho | 15:39 |
noonedeadpunk | yeah, totally | 15:40 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible stable/2024.2: docs: adjust rabbitmq quorum queue guidance for 2024.2 onwards https://review.opendev.org/c/openstack/openstack-ansible/+/940715 | 15:41 |
noonedeadpunk | ah, also I was shown a mise - alike to pyenv, except supports more languages https://mise.jdx.dev/environments/ | 15:41 |
jrosser | so i still need to work some more on why molecule is unreliable on the plugins repo | 15:44 |
jrosser | there is something difficult to reproduce happening there | 15:44 |
noonedeadpunk | and again - was highly encouraged to try starting usage of UV instead of PIP for our python_venv_build role. Though I do recall there was smth impossible to do regarding building wheels... But can't recall what, so hard to say if it was fixed or not | 15:44 |
noonedeadpunk | It kind of reliable | 15:45 |
noonedeadpunk | It fails very reliably | 15:45 |
noonedeadpunk | just not reproducible outside of CI | 15:45 |
noonedeadpunk | I think I won't do much this week to be frank, as will be back hopefully Thursday, but likely even Friday | 15:46 |
jrosser | it is strange as the docker connection method has already run things OK | 15:46 |
jrosser | like starting sshd was not successful | 15:46 |
noonedeadpunk | yeah... or it drops connection right after | 15:47 |
jrosser | well actually that's interesting - maybe i should put in a `wait_for` on port 22 | 15:47 |
jrosser | nothing really to lose with doing that | 15:48 |
noonedeadpunk | so if tcp runs - it will pass | 15:48 |
noonedeadpunk | yeah, good idea | 15:48 |
noonedeadpunk | it's really confusing why these non-reproducible issues happen only on CentOS | 15:49 |
noonedeadpunk | what so specific could be about CI image influencing that | 15:50 |
noonedeadpunk | which has effect inside docker... | 15:50 |
jrosser | and more confusingly it's centos container on ubuntu host | 15:52 |
jrosser | so for each of the different OS we test, the parent OS is the same | 15:52 |
noonedeadpunk | well, I tried to run in ubuntu VM | 15:52 |
noonedeadpunk | and, what is even more interesting - it doesn't happen for Rocky | 15:53 |
noonedeadpunk | so it's not some generic ubuntu/el thing | 15:53 |
noonedeadpunk | (at least so far) | 15:53 |
noonedeadpunk | but wait_for is really a good check | 15:54 |
noonedeadpunk | I was also thinking if doing a collection out of all systemd roles would make sense... and make its releasing independent... | 15:56 |
jrosser | that would be a nice thing | 15:57 |
noonedeadpunk | as eventually one thing I don't know how to solve in a good way -- is release management of collections which are on stable branch policy | 15:58 |
noonedeadpunk | as ideally one need to align tags with versions in galaxy.yml | 15:59 |
noonedeadpunk | but then we can potentially replace chunk of systemd roles with modules 0 like you suggested one day | 16:00 |
noonedeadpunk | also what was tolded - that while roles are not going anyway so far - RH is not gonna invest in future development of tooling to support roles outside of collections | 16:01 |
noonedeadpunk | * told | 16:01 |
noonedeadpunk | #endmeeting | 16:02 |
opendevmeet | Meeting ended Tue Feb 4 16:02:22 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:02 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-02-04-15.04.html | 16:02 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-02-04-15.04.txt | 16:02 |
opendevmeet | Log: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-02-04-15.04.log.html | 16:02 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Add most basic molecule test for ssh connection plugin https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939898 | 17:25 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Update ssh connection plugin paramters to match upstream https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939899 | 17:25 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Automatically import ssh connection plugin options from the base class https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939957 | 17:25 |
jrosser | huh is ansible-compat *still* broken? | 17:38 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Add most basic molecule test for ssh connection plugin https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939898 | 17:39 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Update ssh connection plugin paramters to match upstream https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939899 | 17:39 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Automatically import ssh connection plugin options from the base class https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939957 | 17:39 |
opendevreview | Merged openstack/openstack-ansible master: Pin ansible-compat up to 25.0.0 https://review.opendev.org/c/openstack/openstack-ansible/+/939274 | 17:48 |
opendevreview | Merged openstack/openstack-ansible stable/2024.2: docs: adjust rabbitmq quorum queue guidance for 2024.2 onwards https://review.opendev.org/c/openstack/openstack-ansible/+/940715 | 17:48 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Add most basic molecule test for ssh connection plugin https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939898 | 17:50 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Update ssh connection plugin paramters to match upstream https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939899 | 17:50 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Automatically import ssh connection plugin options from the base class https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939957 | 17:50 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Add most basic molecule test for ssh connection plugin https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939898 | 18:13 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Update ssh connection plugin paramters to match upstream https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939899 | 18:13 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-plugins master: Automatically import ssh connection plugin options from the base class https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/939957 | 18:13 |
opendevreview | Merged openstack/openstack-ansible-os_ironic stable/2024.1: Fix quorum queue support for ironic-inspector https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/940521 | 18:17 |
opendevreview | Merged openstack/openstack-ansible-ops unmaintained/2023.1: Update .gitreview for unmaintained/2023.1 https://review.opendev.org/c/openstack/openstack-ansible-ops/+/939849 | 18:28 |
spatel | jrosser I have a ansible question | 22:05 |
spatel | In my play I am setting hostname using shell: hostname foobar | 22:05 |
spatel | and in next play checking if ansible_hostname == foobar do this.. but somehow it not doing.. | 22:06 |
spatel | look like after setting hostname ansible facts not getting updated or gathered | 22:06 |
spatel | Any way to tell after X task update ansible_hostname ? | 22:07 |
jrosser | spatel: do you use the setup module to gather facts again after setting the hostname? | 22:13 |
jrosser | rather than shell there is also a native ansible module to set the hostname https://docs.ansible.com/ansible/latest/collections/ansible/builtin/hostname_module.html | 22:14 |
opendevreview | Merged openstack/openstack-ansible-galera_server master: Use module_hotfixes for yum_repository https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/939798 | 22:43 |
spatel | jrosser I found the way to gather facts before task :) | 22:44 |
spatel | Sorry! As soon as I ping you and realized I can just add condition | 22:45 |
spatel | Do you think native variable do good stuff compare to shell ? | 22:45 |
opendevreview | Merged openstack/openstack-ansible-galera_server master: Add molecule testing for the role https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/939751 | 23:14 |