15:00:40 <yoctozepto> #startmeeting kolla
15:00:40 <opendevmeet> Meeting started Wed Jan 19 15:00:40 2022 UTC and is due to finish in 60 minutes. The chair is yoctozepto. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:40 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:40 <opendevmeet> The meeting name has been set to 'kolla'
15:00:45 <yoctozepto> #topic Roll-call
15:00:46 <yoctozepto> o/
15:01:03 <o_horecny2> o/
15:01:22 <mgoddard> \o
15:01:35 <halomiva> \o
15:01:47 <hrw> /o]
15:01:53 <hinermar> o/
15:02:08 <yoctozepto> crowds today, welcome!
15:02:16 <yoctozepto> #topic Agenda
15:02:17 <yoctozepto> * Roll-call
15:02:17 <yoctozepto> * Agenda
15:02:17 <yoctozepto> * Announcements
15:02:17 <yoctozepto> * Review action items from the last meeting
15:02:17 <yoctozepto> * CI status
15:02:19 <yoctozepto> * Release tasks
15:02:19 <yoctozepto> * Current cycle planning
15:02:21 <yoctozepto> * Additional agenda (from whiteboard)
15:02:21 <yoctozepto> * Open discussion
15:02:24 <yoctozepto> #topic Announcements
15:02:45 <yoctozepto> I got my 3rd vaccine last weekend
15:02:53 <yoctozepto> vaccine shot*
15:03:04 <yoctozepto> and have no other announcements :-)
15:03:05 <hrw> yoctozepto: good!
15:03:21 <yoctozepto> hrw: :-0
15:03:24 <yoctozepto> :-) *
15:03:33 <yoctozepto> (typos, typos everywhere :D )
15:03:35 <mgoddard> congrats
15:04:18 <yoctozepto> mgoddard: yeah, though I feel more like "please accept my condolences" for the time being
15:04:22 <hrw> welcome to the club etc
15:04:45 <yoctozepto> anyhow, no announcements - we be moving forward
15:04:53 <yoctozepto> #topic Review action items from the last meeting
15:04:59 <hrw> my 2nd and 3rd dose went same way - all fine, arm hurting 2-3 days
15:05:30 <yoctozepto> mnasiadka to triage security bugs and update them with resolution plan (if needed)
15:05:30 <yoctozepto> mnasiadka post a patch for docs - standard topics that should be discussed over PTG and then revisited in mid-cycle
15:05:30 <yoctozepto> kevko to let frickler know whether osism's solution is fine for his use case
15:05:40 <yoctozepto> hrw: I wish it was arm only :-)
15:05:48 <yoctozepto> kevko is not around
15:05:52 <yoctozepto> mnasiadka not around either
15:06:02 <yoctozepto> and they likely did not do these
15:06:05 <yoctozepto> restating
15:06:15 <yoctozepto> #action mnasiadka to triage security bugs and update them with resolution plan (if needed)
15:06:21 <yoctozepto> #action mnasiadka post a patch for docs - standard topics that should be discussed over PTG and then revisited in mid-cycle
15:06:25 <yoctozepto> #action kevko to let frickler know whether osism's solution is fine for his use case
15:06:37 <yoctozepto> #topic Release tasks
15:06:42 <yoctozepto> oopsie
15:06:44 <yoctozepto> #undo
15:06:44 <opendevmeet> Removing item from minutes: #topic Release tasks
15:06:50 <yoctozepto> #topic CI status
15:07:01 <yoctozepto> so, regarding CI
15:07:04 <yoctozepto> we had one fire
15:07:07 <yoctozepto> in the centos department
15:07:19 <yoctozepto> a good followup would be to deprecate this department
15:07:32 <yoctozepto> but I know some like it enough to endure all the pain
15:07:47 <hrw> ping one?
15:07:53 <yoctozepto> anyhow, the fire has been extinguished
15:08:12 <yoctozepto> we can sip our sodas and watch the CI work again
15:08:15 <yoctozepto> hrw: yeah
15:08:24 <yoctozepto> so... that would be the status for k and k-a
15:08:31 <yoctozepto> I've seen k-o-b stuff merging as well
15:08:38 <yoctozepto> so would assume it's good too
15:08:46 <yoctozepto> any kayobian to confirm?
15:09:00 <priteau_> Maybe some stable branches of kayobe are still be broken
15:09:17 <priteau_> s/be //
15:09:37 <yoctozepto> ack
15:10:24 <yoctozepto> please update the whiteboard when you feel like it
15:10:35 <yoctozepto> #topic Release tasks
15:11:02 <yoctozepto> it's R-10
15:11:04 <yoctozepto> still waiting for R-8: "Switch binary images to current release"
15:11:09 <yoctozepto> nothing else to report
15:11:26 <yoctozepto> #topic Current cycle planning
15:11:43 <yoctozepto> in here we can already tackle the "additional agenda" as it's related today
15:11:50 <hrw> I tested R-8 situation and images are buildable
15:11:57 <yoctozepto> (o.horecny2) Podman support
15:12:24 <yoctozepto> hrw: oh, great! finally some good news :-)
15:12:58 <o_horecny2> Hi guys, we would like to move forward with Podman things
15:13:00 <yoctozepto> o_horecny2 halomiva hinermar ^^
15:13:05 <yoctozepto> on podman
15:13:13 <yoctozepto> you wrote:
15:13:18 <yoctozepto> Asking for code review:
15:13:18 <yoctozepto> DockerWorker class refactor - https://review.opendev.org/c/openstack/kolla-ansible/+/823783
15:13:18 <yoctozepto> Systemd container control - https://review.opendev.org/c/openstack/kolla-ansible/+/816724
15:13:18 <yoctozepto> Next steps?
15:13:19 <yoctozepto> Deadline?
15:13:19 <yoctozepto> code freeze for Yoga release
15:13:44 <yoctozepto> it's good to remind ourselves it's one of major priorities for this cycle
15:13:53 <mgoddard> Kolla feature freeze: Mar 21 - Mar 25
15:14:05 <o_horecny2> yes, we would like to ask you about some code review, because we have already prepared change with podman on top of this changes
15:14:14 <yoctozepto> and we can have an exception if we *really* need it
15:14:28 <yoctozepto> but this should be merged by the next ptg in april
15:14:36 <mgoddard> I would suggest that we aim for systemd managed docker in yoga
15:14:42 <yoctozepto> so that we can throw a little podman party
15:15:03 <mgoddard> (just setting expectations based on past team review performance)
15:15:17 <yoctozepto> hmm
15:16:09 <mgoddard> bear in mind that podman might bring such questions as 'how to install it', 'how to migrate from docker to podman'
15:16:41 <mgoddard> does that seem like a reasonable target?
15:16:46 <o_horecny2> in case that change with docker managed by systemd is ok for you then we have same thing with podman.
15:17:15 <mgoddard> feel free to propose your podman change
15:17:27 <mgoddard> but I would suggest that we focus review effort on the systemd patch
15:17:28 <o_horecny2> yes, I understand. That is what we would like to focus now, but firstly we need to know that way how it is prepared is ok for you
15:17:49 <yoctozepto> mgoddard: we can have a preview
15:17:56 <yoctozepto> with no migration path
15:18:21 <mgoddard> possibly, although that is an easy way to end up with unfinished features :)
15:18:37 <yoctozepto> I can action myself to review these patches
15:18:54 <o_horecny2> halomiva hinermar what do you think? Do you expect some troubles with migration?
15:18:57 <mgoddard> same
15:19:13 <yoctozepto> mgoddard: I think it is possible to end up the other way around - people losing interest because of yet another cycle
15:19:23 <mgoddard> one issue may be with having both podman and docker installed
15:19:48 <yoctozepto> #action yoctozepto to review going-podman patches
15:19:52 <yoctozepto> #action mgoddard to review going-podman patches
15:19:52 <hinermar> i believe you can't have both docker and podman installed simultaneously
15:20:20 <yoctozepto> mgoddard, hinermar: last time I checked they can work side by side
15:20:33 <yoctozepto> but we should not mix the containers this way
15:20:35 <mgoddard> I've seen troubles with containers
15:20:40 <mgoddard> *containerd
15:21:09 <yoctozepto> yeah, something could misbehave, though I think they put things in containerd in two different namespaces
15:21:18 <yoctozepto> or whatever containerd calls that internal isolation
15:21:40 <yoctozepto> yup
15:21:41 <yoctozepto> https://github.com/containerd/containerd/blob/main/docs/namespaces.md
15:22:36 <yoctozepto> the biggest issue I see is with volumes
15:22:40 <mgoddard> +1
15:22:49 <yoctozepto> especially those multi-mounted ones
15:23:04 <yoctozepto> because for single-mounted ones one can create a simple migration path
15:23:14 <yoctozepto> but for multi-mounted it's not possible
15:23:24 <yoctozepto> so we need to down all containers with that mount
15:23:30 <yoctozepto> migrate volume
15:23:33 <yoctozepto> and redo them
15:23:36 <yoctozepto> restart*
15:23:42 <yoctozepto> which might be trickier than you think
15:23:43 <yoctozepto> :-)
15:24:08 <yoctozepto> thankfully we run host networking so no "fun" there
15:25:28 <o_horecny2> that is right, so we need to test and try to find some trail
15:25:45 <hinermar> I take it we should prevent users from having both managers and create migration tasks, right?
15:26:13 <yoctozepto> hinermar: we need to figure out a sensible migration path
15:26:18 <mgoddard> yes - if we ever have both installed it should only be for migration
15:27:15 <yoctozepto> but my take on that is that it's important, that's true, but should not prevent us from supporting podman for new installations
15:28:13 <o_horecny2> yes, that is right
15:28:26 <mgoddard> I wouldn't want to paint us into a corner though
15:29:48 <mgoddard> anyway, let's see how we get on with systemd
15:30:02 <yoctozepto> indeed
15:30:23 <o_horecny2> Do you guys think that this can be done inside upgrade action? Or should be for that prepared something new?
15:30:24 <yoctozepto> btw, the systemd poc is red
15:30:46 <yoctozepto> on CI
15:30:48 <mgoddard> o_horecny2: I expect it will need a new action
15:30:53 <yoctozepto> o_horecny2: I would imagine a separate action
15:30:54 <yoctozepto> mgoddard ++
15:32:01 <o_horecny2> yoctozepto: yes, some unit tests need to be finished, but guys firstly wanted to know if it is right way and not spend time on something which can be abandoned
15:33:49 <halomiva> systemd poc was reverted to version without container worker so you can decide if you want to go with abstract class or not
15:34:00 <yoctozepto> ah, ok
15:34:38 <mgoddard> I think abstract class probably makes sense when we introduce podman
15:35:06 <o_horecny2> mgoddard: yes, it is preparation for podman
15:35:09 <mgoddard> but it's not necessary for systemd, and it's hard to see what the interface should be without podman
15:37:20 <o_horecny2> so do you think that this abstract class patchset is not needed now? And we should focus only on systemd patchset?
15:37:32 <mgoddard> +1 - focus on systemd
15:37:46 <mgoddard> we can return to the container worker afterwards
15:37:52 <yoctozepto> +1
15:38:17 <o_horecny2> and what next? implement podman on top of systemd? or thirstly do that refactoring with abstract class?
15:38:27 <o_horecny2> *firstly
15:39:15 <o_horecny2> I mean this flow systemd change -> abstract class -> podman ?
15:39:16 <mgoddard> I'd just share the podman patch that you have, whichever way it is
15:39:31 <mgoddard> that is probably the right order
15:39:45 <mgoddard> but we need to see the podman patch to review the abstract class patch
15:40:10 <halomiva> now we have 3 version capable of basic deployment, docker worker + systemd worker, docker worker + container worker + systemd worker, podman worker + docker worker + container worker + systemd worker
15:40:33 <o_horecny2> with that abstract class or without it? because I believe that when we introduce podman together with abstract class, then you will want to split it again :)
15:40:35 <halomiva> should we push all of them and then we decide what we want to do first?
15:41:11 <yoctozepto> halomiva: that works for me
15:41:22 <mgoddard> if you have a patch that is separate already, then push that
15:42:50 <o_horecny2> ok, so halomiva and hinermar do you know what to do next?
15:43:12 <o_horecny2> is it clear for you?
15:43:19 <halomiva> yes
15:44:05 <hinermar> yes
15:45:05 <o_horecny2> #action halomiva/hinermar propose change for podman
15:45:38 <yoctozepto> #action halomiva/hinermar propose change for podman
15:45:48 <yoctozepto> thanks o_horecny2 halomiva hinermar
15:45:57 <yoctozepto> #topic Open discussion
15:46:04 <o_horecny2> thanks too
15:46:43 <mgoddard> on the secure RBAC front, there is this one: https://review.opendev.org/c/openstack/kolla-ansible/+/815577
15:47:14 <mgoddard> adds the service role to service users
15:47:24 <mgoddard> I started a discussion on the ML about it
15:47:36 <yoctozepto> yeah, seen the hi
15:47:50 <mgoddard> #link http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026777.html
15:47:51 <yoctozepto> :D
15:48:03 <mgoddard> fat fingered the first one
15:48:06 <yoctozepto> #link http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026777.html
15:48:32 <mgoddard> essentially, keystone gonna break us if we do nothing
15:48:41 <mgoddard> so we should do something
15:49:22 <mgoddard> unclear right now when they will change the default for enforce_scopes
15:50:30 <mgoddard> just putting it out there
15:50:45 <mgoddard> we can discuss in the ML, or on the patch
15:51:00 <yoctozepto> we can save ourselves for the time being by pinning keystone of course
15:51:17 <yoctozepto> but yeah, we need to address this
15:51:47 <yoctozepto> I am lacking the time resources to handle it though
15:53:20 <yoctozepto> I think we are out of other topics today
15:54:59 <mgoddard> +1
15:55:08 <yoctozepto> thank you all for attending
15:55:12 <yoctozepto> and see you next time
15:55:14 <yoctozepto> #endmeeting