15:00:25 #startmeeting kolla 15:00:25 Meeting started Wed Sep 15 15:00:25 2021 UTC and is due to finish in 60 minutes. The chair is mnasiadka. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:25 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:25 The meeting name has been set to 'kolla' 15:00:45 Good afternoon, sorry for the lack of pre-meeting notification, but was busy in a customer workshop. 15:00:52 #topic rollcall 15:01:29 mgoddard mnasiadka hrw egonzalez yoctozepto rafaelweingartne cosmicsound osmanlicilegi bbezak parallax Fl1nt - meeting in progress 15:01:36 \o 15:02:24 o/ 15:02:32 o/ 15:03:15 \o/ 15:05:42 #topic rollcall 15:05:48 ups 15:05:50 #topic agenda 15:06:00 * Announcements 15:06:00 * Review action items from the last meeting 15:06:00 * CI status 15:06:00 * Should we actually backport https://review.opendev.org/c/openstack/kolla-ansible/+/805449 ? 15:06:00 * Discuss https://review.opendev.org/c/openstack/kolla-ansible/+/692179/ 15:06:02 * Release tasks 15:06:02 * Xena cycle planning 15:06:04 * Yoga PTG planning 15:06:04 * Open discussion 15:07:07 #topic Announcements 15:07:12 I have no announcements, and don't know about any other announcements to make. Let's move on. 15:07:22 #topic Review action items from the last meeting 15:07:36 * mnasiadka yoctozepto to point all deployments to quay.io 15:08:32 change in review - so let's say it's done. 15:08:40 ++ 15:08:56 I haven't done my actions, so let me add them once again 15:09:10 #action mnasiadka to update docs encouraging to build your own containers and run your own registry 15:09:21 #action mnasiadka to create pull-retag-push blueprint based on kayobe RFE: https://storyboard.openstack.org/#!/story/2007731 15:09:36 #topic CI status 15:09:47 No new breakages I assume? ;-) 15:10:24 Kayobe has some issues with disk space on stable branches 15:10:38 Is there anybody handling that? 15:11:15 Not yet. I've just updated the white board 15:11:49 I was first thinking of adding some code looking for where disk space is used in the post-job role 15:11:50 I don't think it happens every time, does it? 15:12:03 Not every time, but quite often in upgrade jobs 15:12:37 e.g. https://zuul.opendev.org/t/openstack/builds?job_name=kayobe-overcloud-upgrade-centos8s&project=openstack%2Fkayobe&branch=stable%2Fwallaby 15:12:46 I have a patch for the monasca CI job: https://review.opendev.org/c/openstack/kolla-ansible/+/807689 15:12:53 priteau: if Zuul is reporting DISK_FULL - then it's on the executor and there's a limit, if it's in the job output itself - then it's in a different place. 15:14:01 priteau: one major difference with kayobe vs kolla upgrade jobs is kayobe does baremetal testing 15:14:12 maybe those disks push it over the limit 15:14:41 +1 to checking usage 15:15:23 infra has a way of checking what was the real disk usage in zuul logs (on the executor after a job has failed) - might just ask 15:16:16 ok, I think it has enough traction - we just need to look into that 15:16:30 #topic Should we actually backport https://review.opendev.org/c/openstack/kolla-ansible/+/805449 ? 15:18:06 Should we? Actually it's not good that we're automatically assuming docker-registry is insecure - but that's sort of a breaking change for users. 15:19:42 it's kind of prereq to switching to quay.io 15:19:57 due to the logic that will get triggered otherwise 15:20:15 but then again, we might only switch to quay.io xena+ 15:20:21 that suggests to me we can't backport quay 15:20:30 mhm 15:20:40 I am worried that it could break some people who actually have a secure deployment already, for example because their registry is on an internal network only 15:20:43 why prereq? we've been using docker hub as insecure? ;-) 15:21:00 mnasiadka: dockerhub is not set as registry; it's builtin 15:21:05 ;-) 15:21:24 oh boy 15:21:50 I wouldn't like to be surprised as a user with that 15:22:22 I guess me neither; perhaps let's do both on xena only? 15:22:32 Pierre Riteau proposed openstack/kayobe master: CI: Log disk usage details https://review.opendev.org/c/openstack/kayobe/+/809209 15:22:53 I agree, mgoddard seems to agree, yoctozepto seems to agree 15:23:26 * yoctozepto always agrees to have less work 15:23:33 anybody disagrees? 15:24:08 no :) 15:24:12 #agreed Not to backport change 805449 - quay.io will be default only on Xena+ 15:24:30 #topic Discuss https://review.opendev.org/c/openstack/kolla-ansible/+/692179/ 15:24:39 1 sec 15:24:49 seems we forgot to update this: https://docs.openstack.org/kolla-ansible/latest/user/multinode.html 15:25:19 right 15:25:23 yoctozepto: keen to follow up? 15:25:25 users now need to set insecure if they run a registry 15:25:35 or have a secure registry 15:25:51 Pierre Riteau proposed openstack/kayobe stable/victoria: CI: build CentOS Stream deployment images https://review.opendev.org/c/openstack/kayobe/+/809164 15:26:18 yes 15:26:26 Maybe a hacky guide how to do docker-registry with lets encrypt certs? 15:26:27 I meant if they follow those instructions 15:26:54 would rather say nothing that provide a hacky guide :) 15:27:06 So no guide then 15:27:12 But docs update needed 15:27:37 mnasiadka: what followup? 15:27:39 including insecure health warning 15:28:03 yoctozepto: docs, see ^^ 15:28:14 read, got it 15:28:24 but it gets changed with quay 15:28:33 so I'm not doing a noop change inbetween 15:28:36 Let's Encrypt only makes sense if you use a public domain name, right? I assume many places would have a local registry on a private network 15:28:36 ;p 15:28:48 see https://review.opendev.org/c/openstack/kolla-ansible/+/808486 15:29:04 I will fix it in there 15:29:25 that's the spirit 15:30:31 #action yoctozepto to fix multinode docs after defaulting to secure registry 15:31:02 So, let's get to the actual topic - which is the Keystone scoped auth 15:31:33 who is the actual owner of that change? I see 4 names in owner/uploader/committer/author 15:31:50 let's say it is me 15:32:33 headphoneJames is currently in scope 15:32:57 I am the one driving this one forward during our current cycle 15:33:20 ok, I see that a split to smaller changes has been agreed 15:33:25 but who is driving this conversation? :) 15:33:45 I understand we need to break this into smaller chunks, mgoddard has proposed a sensible approach 15:34:43 Fantastic, two weeks to feature freeze - what is realistic to merge? 15:34:58 first chunk 15:35:07 yup 15:35:16 it's a pretty small chunk 15:35:48 just to use system scope for the keystone admin user 15:36:58 I'm away next week 15:36:59 Ok then, so let's start with that 15:37:18 For the second chunk, I need to go through the service user roles and determine if they should have project scopes roles versus system scoped. 15:37:20 so merging more might be difficult, unless others want to weigh in 15:37:36 I am not sure how to do that 15:37:50 Yes. All roles are assigned in register.yml files 15:38:03 mostly using the service-ks-register role 15:38:37 so you can check *_ks_users and *_ks_user_roles 15:39:12 mostly this is just 'add user in service project with admin role' 15:39:12 I don't know which users require project scoped roles 15:39:26 those ones should be system scoped 15:39:51 anything that veers away from that may be worth raising 15:40:18 Maybe let's start with the obvious ones, and keep discussing in the change about the ,,unsure'' ones? 15:40:25 almost every *_ks_users have a service project defined 15:41:12 yes 15:42:11 should we have a period where we assign roles with both system and project scope? 15:42:23 Probably that would be the safest choice. 15:43:11 That is simple enough for the second chunk. 15:44:41 Ok, so when the first and second chunk would be ready for initial reviews? Is it possible this week for chunk #1? (so mgoddard can lay out his thoughts before vacation) 15:45:17 I can get the first one done this week. I will try to have it for you tomorrow 15:45:33 if not, I'll just focus the efforts in the next release 15:45:41 that would be great, as friday is usually busy for me 15:45:56 although I suppose your tomorrow is my friday 15:46:03 friday before vacation is always busy :) 15:46:55 It can get pushed to the next release if you don't have time on Friday 15:47:42 Surely some parts will get pushed to next release, but let's try to get something in. 15:49:07 Ok then, let's continue 15:49:22 #topic Release tasks 15:49:31 None according to Kolla's release calendar. 15:49:39 #topic Xena cycle planning 15:50:18 Let's try to look into the whiteboard if anything got merged. 15:50:57 Ansible - there are still two changes to merge - https://review.opendev.org/c/openstack/kolla-ansible/+/796758 and https://review.opendev.org/c/openstack/kolla/+/807279 - probably waiting for yoctozepto 15:53:21 Swift role looks like it's ready for reviews - https://review.opendev.org/c/openstack/kolla-ansible/+/797498 15:53:31 mgoddard: do you think you can look into this tomorrow/Friday? 15:53:42 will try 15:54:48 kevko's proxysql topic seems to not get traction, I doubt we'll get it in this cycle... 15:55:13 I need to look into Kayobe reviews, will try tomorrow. 15:55:55 Let's move to Yoga 15:56:01 #topic Yoga PTG planning 15:56:40 mgoddard: do we need to do anything? Send a mail to ML about planned sessions and etherpad link? 15:57:11 I'm not sure if I sent one before, but it wouldn't hurt to remind if so 15:57:14 #link https://etherpad.opendev.org/p/kolla-yoga-ptg 15:57:37 #action mnasiadka to send a mail to ML about Kolla PTG 15:57:57 are there any 'standard' topics to add? 15:58:03 e.g. core team cleanup 15:58:15 I'll add organizational topics, was thinking about that today. 15:59:06 ok then 15:59:09 #topic Open discussion 15:59:14 one minute left :) 15:59:53 Anybody has anything to discuss? 16:01:00 ok, time to wrap up 16:01:03 #endmeeting kolla