13:00:31 #startmeeting kolla 13:00:31 Meeting started Wed Aug 9 13:00:31 2023 UTC and is due to finish in 60 minutes. The chair is mnasiadka. Information about MeetBot at http://wiki.debian.org/MeetBot. 13:00:31 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 13:00:31 The meeting name has been set to 'kolla' 13:00:34 #topic rollcall 13:00:36 o/ 13:00:40 \o 13:00:44 o/ 13:00:56 o/ 13:01:01 \o 13:01:03 Michal Arbet proposed openstack/kolla-ansible master: Add support for LetsEncrypt-managed certs https://review.opendev.org/c/openstack/kolla-ansible/+/741340 13:01:26 o/ 13:01:47 fantastic timing, meeting ended early, right into the next one 13:02:07 Michal Nasiadka proposed openstack/kolla master: Move to Debian 12 'bookworm' https://review.opendev.org/c/openstack/kolla/+/886088 13:03:05 #topic agenda 13:03:05 * CI status 13:03:05 * Release tasks 13:03:05 * Regular stable releases (first meeting in a month) 13:03:05 * Current cycle planning 13:03:06 * Additional agenda (from whiteboard) 13:03:06 * Open discussion 13:03:09 #topic CI status 13:03:30 So, kolla and kolla-ansible sound green-ish, magnum jobs are failing due to some designate issue 13:03:42 kayobe upgrade jobs still red - fixing in https://review.opendev.org/c/openstack/kolla-ansible/+/890198/46 13:03:53 #topic Release tasks 13:04:17 It's R-8 week 13:04:43 we have https://docs.openstack.org/kolla/latest/contributor/release-management.html#r-8-switch-images-to-current-release 13:05:14 Anybody wants to handle switching RDO and UCA to current in-development release? 13:05:54 Michal Nasiadka proposed openstack/kolla-ansible stable/yoga: Add documentation for migrating from CS8 to RL9 https://review.opendev.org/c/openstack/kolla-ansible/+/884858 13:05:55 I wonder whether we still need to do that at all 13:06:37 we use some packages from RDO for sure 13:06:46 I can handle RDO 13:06:49 2023.2 should work fine with ceph+libvirt from 2023.1 13:07:29 that true, but OVN users would be happy to get newer OVN version 13:08:05 Michal Arbet proposed openstack/kolla-ansible master: Add support for LetsEncrypt-managed certs https://review.opendev.org/c/openstack/kolla-ansible/+/741340 13:08:06 is OVN in UCA? I don't know about RDO 13:08:07 I guess I could maybe take a stab at the UCA part, never did it, but the linked change looks easy enough 13:08:12 frickler: yes it is 13:08:23 ok 13:08:26 don't know anything about RDO "delorean" 13:08:46 #action mnasiadka handle RDO switch to bobcat 13:08:54 #action SvenKieske handle UCA switch to bobcat 13:09:29 #topic Regular stable releases (first meeting in a month) 13:09:40 We agreed last time to do it after the systemd fix gets backported to 2023.1 13:09:56 it's still not merged in master, so let's try again next week 13:10:02 #topic Current cycle planning 13:10:07 I see good progress on Let's Encrypt 13:10:19 ihalomi: sorry, I didn't have time to have a look in Rocky failures on podman 13:10:33 ihalomi: any other issues on podman patches? Is there something we could review? 13:10:49 (as in merge before we fix the rocky problem) 13:11:25 mnasiadka: no other issues, this is basically this is the last obstacle to getting +1 13:11:48 last time I looked patches looked pretty good, afaik I did a full review, will have another look 13:12:01 Michal Nasiadka proposed openstack/kolla stable/yoga: ovsdpdk: add libdpdk-dev https://review.opendev.org/c/openstack/kolla/+/880317 13:12:19 ok, I'll have a look too 13:12:34 #topic Additional agenda (from whiteboard) 13:13:05 octavia jobboard patch seems to get better, I'll have a look at it later 13:13:27 debian bookworm support - I'll fix the conflicts in the kolla patch and it seems it's good to merge 13:13:27 I added the precheck verification as discussed 13:13:43 and then we could have a crack at the kolla-ansible side 13:13:49 we need to wait for the haproxy option fixes for bookworm 13:14:03 ok, there's a series of patches 13:14:09 I've seen a proposal to squash them together 13:14:13 I reviewed one patch but didn't track responses 13:14:18 yes, that was me 13:14:27 but maybe it's just easier to merge them as is when they pass properly? 13:15:04 but yes, we need to have a look at pushing those forward, I think the author is not going to work on them promptly enough ;-) 13:15:15 I can have a look again, but it seemed too complicated to me 13:15:24 mattcrees - rabbitmq enable ha queues by default is ready for review: https://review.opendev.org/c/openstack/kolla-ansible/+/882825 13:16:20 Basically I've added support in the CI upgrade jobs to migrate the queue types, and have proposed a KA command to reset rabbit state as this is a key part of the process 13:17:10 ok then, another thing to review queue ;) 13:17:16 ack 13:18:13 ok then 13:18:16 #topic Open discussion 13:18:19 could people with +2 powers take a look at the backports of: https://review.opendev.org/c/openstack/kolla-ansible/+/889189 ? thank you 13:18:25 Do we need to discuss the server-status thing again? 13:18:28 should be straight forward 13:18:56 I _guess_ the current server-status patch now looks fine? :) 13:19:29 mnasiadka I can give an update 13:20:05 this can't be fixed by 'require ip 127.0.0.1' because of https://opendev.org/openstack/kolla-ansible/src/branch/master/ansible/roles/horizon/templates/horizon.conf.j2#L16 13:20:25 there is already 'require local' - https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html 13:20:52 so accept - the client address matches 127.0.0.0/8, the client address is ::1, both the client and the server address of the connection are the same 13:20:59 last case - is haproxy 13:21:18 I've updated change: https://review.opendev.org/c/openstack/kolla-ansible/+/888943/7..8 13:21:28 add more info and update release note 13:21:45 Well, I'm still not convinced - Rocky/CentOS have mod_status enabled, but not configured - and it does not show up there. 13:22:05 I'm ready to add mod_status to Rocky/Centos 13:22:06 with no config, the handler isn't used 13:22:06 So if we would remove the default configuration for mod_status in Debian/Ubuntu - we would get to the same state? 13:22:10 will propose Kolla fix 13:22:50 And then on top of this, we could add a feature to configure that properly in kolla-ansible? 13:23:07 Or is my thinking wrong? 13:23:21 frickler wrong 13:23:24 imho your thinking is only "wrong" that it breaks existing users 13:23:33 it can't be configured because of haproxy 13:23:56 add 'require 127.0.0.1' will completely disable status 13:24:14 because we use internal vip for apache listen 13:24:19 mmalchuk: I was talking about why the issue isn't seen in rocky 13:24:21 SvenKieske: it's not a feature, it's a bug for now :) 13:24:28 i.e. removing the default config and adding a role to properly configuring this would require us to backport a completely new role, no? and it must match the old behaviour at least for internal usage 13:24:35 an unplanned feature is a bug from my perspective 13:24:37 frickler did you see last change? https://review.opendev.org/c/openstack/kolla-ansible/+/888943/7..8 13:24:49 and Rocky is not affeced 13:25:02 this is in release note 13:25:38 yes, I was replying to mnasiadka 13:25:41 mnasiadka: that's really not helpful humor here: it's a security bug because it's reachable from potential untrusted networks on deb/ubuntu; it's a feature there because you can monitor apache stuff from internal networks, I don't want to break those users, do you? 13:26:08 SvenKieske: it's a feature only on Debian/Ubuntu, and it's a Debian/Ubuntu package and default config feature, not a kolla-ansible feature :) 13:26:39 or we backport completely new roles to old releases to fix this, could also work, but imho backports should be minimal, which mmalchuks change really is, there's not much to argue there from the maintenance perspective imho. 13:26:45 mnasiadka I will add the 'feature' to the Rocky/Centos but this is not related to bug 13:27:09 It's not a feature. 13:27:36 we will got the same behavior 13:27:45 on all installations 13:28:16 mnasiadka: do you really want to argue that we only promise to not break users if we built a feature in k-a ourselves? because than I'm out of this discussion, this is ridiculous 13:28:20 It's like with this ansible-core breakage, because we used handlers with import_tasks - bug was rejected because nobody ever planned this usage. 13:28:20 Centos/Redhat users can use monitoring localay, but will not be affected by bug we close now 13:28:55 server-status is a clear apache feature, it's not a bug per se, you just need to care how you enable that 13:29:03 We don't enable tht. 13:29:06 *that 13:29:18 It's enabled by default 13:29:25 only on 50% of the distributions we support 13:29:27 we enable that in horizon) 13:29:29 yeah sure, but don't break the default then 13:29:38 From my perspective it's a Debian/Ubuntu packaging bug 13:29:39 https://opendev.org/openstack/kolla-ansible/src/branch/master/ansible/roles/horizon/templates/horizon.conf.j2#L30 13:29:39 yes, and it is safe by default, adding haproxy in front is what breaks things 13:29:46 "only on 50%"..I'm out 13:29:55 and adding haproxy is what kolla does 13:30:02 your not having a honests helpful discussion imho 13:30:05 without this server status not available even without haproxy 13:30:29 do we really need to override Location / in horizon.conf? 13:30:48 mnasiadka: that's actually a second issue 13:30:58 frickler: which could fix the first issue 13:31:08 mnasiadka Ubuntu/Debian enable more modules than Centos/Rocky not only mod_status 13:31:14 mnasiadka: no 13:31:14 second thing - I'm all in deny'ing /server-status in haproxy on ALL frontends 13:31:28 but the patch denies it only on some of the services 13:31:42 and doesn't include a CI task that will check if we don't encounter the same bug in future 13:31:56 are we going to iterate on this bug every time it shows up? 13:32:17 I honestly don't care _how_ we do this. I care about two things: a) fix the security bug (I don't care whoever introduced it, upstream, we, little green men from mars) b) preserve legitimate use cases like internal monitoring without breaking them 13:32:34 on some - because of apache2 only services need this 13:32:35 ok, but then we agree on doing the filtering as proposed in haproxy? 13:32:43 I'm baffled that needs to be argued, like, at all. 13:33:07 we didnt use external vip on CI - this is another issue 13:33:18 Seems we have no other option, that to do the filtering as proposed in haproxy - question what about users that use external load balancers, should we update the docs for them? 13:33:56 "question what about users that use external load balancers" <- can you elaborate what you mean by that? I don't understand 13:33:59 if the loadbalancer isn't on the same host as apache, only the fix in the horizon location statement is needed 13:34:05 imho there are no such users 13:34:21 mmalchuk: of course there are 13:34:24 there are, but not affected 13:34:40 thanks for clarification instead of denying the problem ;-) 13:34:44 those won't match "Require local" 13:34:54 right 13:34:56 server-status on cinder api ? for example? kidding 13:35:13 but now, with the current shape of the patch - we enable mod_status on CentOS and Rocky for Horizon, right? 13:35:18 you mean people who don't use haproxy but use a different LB? well they need to do the filtering themselves I guess? a doc patch would be nice, but not strictly necessary imho 13:35:30 right 13:35:36 i will propose patch 13:36:02 they need to provide all balancing config themselves either way, so I hope they know what they are doing I guess. 13:36:05 we just add handler to config in kolla 13:36:34 should we backport this 'feature' ? 13:36:39 it's really funny that we are back to the original solution again (are we? I have lost track..) 13:37:11 mmalchuk: I'm asking, because https://review.opendev.org/c/openstack/kolla-ansible/+/888943/8/ansible/roles/horizon/templates/horizon.conf.j2#34 will change behaviour on CentOS/Rocky 13:37:17 well if it breaks existing users without the backport I'd argue we need a backport 13:37:25 if it's planned - then include that in the reno, but for backporting - we shouldn't probably doing that 13:37:37 frickler as said 'not affected' 13:37:55 there is 'require local' already in apache config from package 13:38:01 not in CentOS/Rocky 13:38:08 and here you add it for ALL distributions 13:38:12 mnasiadka: this will not enable server-status 13:38:17 are you sure? 13:38:19 not. but there is no handler there! 13:38:20 yes 13:38:23 sorry) 13:38:28 exactly, no handler 13:38:45 ah ok, SetHandler is missing 13:38:49 so centos/redhat not affected at all 13:38:52 even with fix 13:39:07 yeah this only requires a local ip to get to the route, but if apache has no route to that path everything is fine, I didn't check rocky myself 13:39:33 but wen I propose change to Kolla container - there will be work, so we need merge first fix 13:39:38 when 13:39:54 I wish the "enable this on rocky" would be a separate discussion, I have no eggs in the basket regarding rocky :) 13:40:22 I would skip that part unless rocky users ask for it 13:41:18 I will propose, lets people decide 13:41:35 we will have same behaviour in all installations 13:42:00 that's another discussion 13:42:05 yep 13:42:10 yeah from a strict technical standpoint we should try to provide similar functionality for all distros 13:42:21 indeed 13:42:39 afaik that's why we use upstream packages, maybe we should package apache httpd ourselves? /troll 13:42:57 it can be described in the docs. about 'curl... server-status' to check 13:43:29 huge overhead 13:43:48 do we have 2 minutes for a quick report about our favourite etcd version? (timeboxed) 13:43:50 SvenKieske: better tell me why Debian/Ubuntu exposes all users to that ,,issue'' 13:44:33 the answer 'because')) 13:44:38 just debian things I guess, not a fan of the tech side - I was always a fedora guy personally - I stumbled upon this error in a different context some years ago. 13:44:51 because they want 13:44:58 jangutter: imo later is better, but we can ony bump minor version by one per cycle? 13:45:11 TL;DR etcd 3.4 drops deprecated API interfaces. Nearly every kolla-ansible service uses the old interface. 13:45:13 also please stop these distro wars 13:45:27 they enable huge list of modules and expose more info 13:45:42 debian has the philosophy of enabling everything to nanny the user (autostarting services), except where it's useful (providing auditd with remote support).. 13:45:44 frickler: not a distro war, but it should be semi-secure by default ;) 13:45:58 jangutter: oh, so 3.4 is too new for us? 13:46:10 jangutter: so all services need a change in their config 13:46:12 jangutter: ? 13:46:17 I can work with every distro, and there are objectively bad and good things in all of them 13:46:27 and Zun is particularly badly affected - they depend on a particularly painful combination of docker and old etcd. I only see WIP things for it, but it requires some hard rework for them. 13:46:34 jangutter: afaict devstack is also hardcoded to 3.3, guess we need to bump there first 13:46:51 Cinder (and hopefully all tooz affected things) are configurable and "works" on 3.4. 13:46:52 jangutter: we can drop zun support, it's been painful already ;) 13:47:26 uh that's a bummer, should there be a blueprint or ML post to coordinate upgrades for etcd then? 13:48:06 Yah, noting that 3.3 is no longer maintained, and 3.4 is likely to be soon, sooner migration is better. 13:48:45 I'll propose a bump in devstack and see what happens there 13:49:00 and then we can check in kolla again 13:49:12 There's a lot of "v3alpha" hardcoded everywhere in clients, especially python ones. 13:49:42 ok, so that seems like a longer topic - maybe worth a thread on ML? 13:49:50 (I got it to work in k-a, trying to fix the unrelated noise in the job) 13:49:59 I'll send out a post! 13:50:01 Maksim Malchuk proposed openstack/kolla-ansible master: Deny access to public /server-status in http Openstack services https://review.opendev.org/c/openstack/kolla-ansible/+/888943 13:50:22 I have two more small patches: https://review.opendev.org/c/openstack/kolla-ansible/+/871054 and https://review.opendev.org/c/openstack/kolla-ansible/+/876650 13:50:48 Zun might be a casualty unfortunately, they hit a deprecated "feature" in docker _and_ etcd. 13:51:32 I don't think it's overly active, so no hard feelings 13:51:36 don't know if there's a lot of users 13:51:51 Thanks! end of timebox, feel free to ping me if you're interested or have Zun contacts 13:52:45 ok 13:52:51 anybody anything else? 13:53:41 kayobe reviews? 13:53:57 once kayobe CI is fixed we can handle that 13:54:03 currently it's broken due to systemd issue 13:54:10 https://review.opendev.org/c/openstack/kayobe/+/879554 13:54:14 https://review.opendev.org/c/openstack/kayobe/+/861397 13:54:22 please these two 13:54:33 they won't pass the CI, nor the gate, upgrade jobs are broken 13:55:06 ok, I think we've had the longest meeting this year 13:55:08 already passed 13:55:09 thanks for coming 13:55:15 thank you 13:55:15 mmalchuk: but they won't pass now. 13:55:20 #endmeeting