15:01:47 #startmeeting kolla
15:01:47 Meeting started Wed Dec 15 15:01:47 2021 UTC and is due to finish in 60 minutes. The chair is mgoddard. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:47 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:47 The meeting name has been set to 'kolla'
15:02:16 #topic rollcall
15:02:27 o/
15:03:06 [°][o][°]
15:03:31 \o
15:04:33 \o
15:05:30 \o
15:05:39 # topic agenda
15:05:42 #topic agenda
15:06:00 * Roll-call
15:06:03 * Agenda
15:06:05 * Announcements
15:06:07 * Review action items from the last meeting
15:06:09 * CI status
15:06:11 * Release tasks
15:06:13 * Current cycle planning
15:06:21 * (mnasiadka) - log4j vulnerability and Kolla - elasticsearch/logstash?
15:06:26 * Open discussion
15:06:32 #topic announcements
15:06:41 mnasiadka asked me to chair today as he is unavailable
15:08:07 anyone else?
15:08:49 #topic Review action items from the last meeting
15:09:07 mnasiadka to triage security bugs and update them with resolution plan (if needed)
15:09:10 mnasiadka post a patch for docs - standard topics that should be discussed over PTG and then revisited in mid-cycle
15:09:12 anybody not forget to go through backports for stable branches (L248 on Whiteboard) and do stable releases afterwards.
15:09:14 parallax look into Grafana Kolla build failures on Ussuri/CentOS
15:09:16 yoctozepto to send mail to openstack ML about dropping vmtp
15:09:18 yoctozepto to remove CentOS 8 based CI jobs and manage communication (ML and renos)
15:09:19 this list seems to just be growing :)
15:09:26 anyone complete any?
15:10:42 #action mnasiadka to triage security bugs and update them with resolution plan (if needed)
15:10:50 #action mnasiadka post a patch for docs - standard topics that should be discussed over PTG and then revisited in mid-cycle
15:11:03 #action anybody not forget to go through backports for stable branches (L248 on Whiteboard) and do stable releases afterwards
15:11:06 vmtp mail happened. no response
15:11:21 #action parallax look into Grafana Kolla build failures on Ussuri/CentOS
15:11:28 #action yoctozepto to remove CentOS 8 based CI jobs and manage communication (ML and renos)
15:11:31 ok
15:11:38 #topic CI status
15:12:03 whiteboard mostly green
15:12:33 kolla/ussuri is broken due to monasca-grafana iirc
15:12:54 there was some patch to fix it, failed on something else, not checked why
15:13:25 It was merged? https://review.opendev.org/c/openstack/kolla/+/821533
15:13:58 cool ;)
15:14:09 #topic Release tasks
15:14:38 we are in R-15
15:15:08 Nothing to do for now
15:15:15 #topic Current cycle planning
15:15:26 I think we're a bit low on numbers for planning today
15:15:38 #topic (mnasiadka) - log4j vulnerability and Kolla - elasticsearch/logstash?
15:16:14 priteau: I think you were involved in the internal discussion on this earlier
15:16:18 Yes, I can share
15:16:21 thanks
15:16:28 I only looked at victoria so far
15:16:53 The latest images on quay.io include the new release from elastic
15:17:05 elasticsearch-oss 6.8.21
15:17:49 Also, even an old-ish image (built last summer) was not vulnerable because it was 6.8.9+
15:18:18 And JDK11
15:18:36 I am checking wallaby now, which is Elasticsearch 7
15:18:48 I've not looked at Logstash
15:19:59 wallaby: elasticsearch-oss-7.10.2-1.x86_64
15:20:15 Note I am only looking at centos-binary
15:20:56 So Wallaby (and above I suppose), theoretically not vulnerable because 7.8+, thanks to Java Security Manager
15:21:17 However we don't get the proper fix from Elastic, which would be 7.16.1
15:21:52 Unless this was also backported to 7.10
15:22:24 Nope, looks like 7.10.2 is an old release
15:23:06 That's all I have to share so far
15:23:46 sounds like we are fairly safe for elastic in the maintained releases
15:24:07 we could apply the java option mitigation
15:24:54 That would make it safer indeed, especially for wallaby/xena
15:25:11 Since they don't get the new package which applies the java option
15:26:22 anyone want to pick it up?
15:27:03 me
15:27:46 #action parallax_ apply jvm option mitigation for log4shell in elasticsearch
15:27:47 thanks
15:27:52 np
15:27:55 #topic Open discussion
15:28:02 Does anyone have anything this week?
15:28:43 There is a bug in k-a ovn implementation of system-id registration in ovs - which is supposed to be in UUID format - impacting mostly neutron-ovn-metadata-agent - https://bugs.launchpad.net/kolla-ansible/+bug/1952550
15:28:48 related fix - https://review.opendev.org/c/openstack/kolla-ansible/+/818700
15:29:12 Changing back to UUID in running environment is tricky - I'm working on it currently
15:31:10 changing to UUID works fine with that change above - however one needs to manually clean up old chassis and chassis_private in ovn_sb_db, and then restart metadata agent, and clean up entries in neutron via openstack network agent list
15:31:34 which is something I'm not sure if we can automate in k-a easily
15:32:07 what happens if you don't do it?
15:32:57 ovn-metadata agent won't work
15:33:26 connectivity works fine as far as I can see
15:34:02 similar to this - https://bugzilla.redhat.com/show_bug.cgi?id=1948472#c12
15:34:38 ok, seems like the discussion is ongoing in the bug
15:34:42 and review
15:34:49 yeap
15:34:59 just to let you know
15:36:14 this also has a bigger impact when used with ovs 2.16 - which is doing automatic leadership transfer when doing snapshots of ovsdb - then ovn-metadata-agent cannot reconnect when non UUID system-id is used
15:40:17 sounds nasty
15:40:21 any other topics?
15:43:02 thanks all
15:43:04 #endmeeting