14:00:01 #startmeeting kolla 14:00:01 Meeting started Wed Nov 27 14:00:01 2024 UTC and is due to finish in 60 minutes. The chair is mnasiadka. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:00:01 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 14:00:01 The meeting name has been set to 'kolla' 14:00:04 #topic rollcall 14:00:05 o/ 14:00:07 ah yeah, if you have created a zone in a different project you can have zone highjacks.. 14:00:09 o/ 14:00:10 o/ 14:00:12 \o/ 14:00:43 SvenKieske: but i thought that for this reason in neutron conf is designate user configured ...for this integration 14:01:14 \o 14:01:26 let's discuss this later :) 14:01:29 #topic agenda 14:01:30 yep 14:01:35 * CI status 14:01:41 * Release tasks 14:01:51 * Current cycle planning 14:01:57 * Additional agenda (from whiteboard) 14:02:02 * Open discussion 14:02:04 o/ 14:02:06 #topic CI status 14:02:12 So... Docker doesn't like us 14:02:30 for Kolla - there are now only two images that we fetch from docker hub - debian and ubuntu base images 14:02:38 just mentioning this: https://www.docker.com/community/open-source/application/ 14:03:00 other solutions are using quay.io or self hosting/building of course. not sure what's the least amount of work 14:03:03 I see two options of trying to fix this - 1) docker login 2) mirror those images to something like quay.io 14:03:11 No, I'm not going to beg Mirantis to give me access 14:03:25 there is a role being developed in zuul to perform 2) https://review.opendev.org/c/zuul/zuul-jobs/+/935574 14:03:26 If somebody else wants to go the extra mile of paperwork - fine by me 14:04:30 Any volunteers for the paperwork? :) 14:05:05 Guess not 14:05:21 frickler: that's why we're probably going to wait until that merges and we can use that for mirroring debian/ubuntu 14:05:35 yes, I'd second that 14:06:01 and which quay.io account are we going to use? I think there was a kolla account, right? 14:06:02 Ok then, any other CI failures not related to DockerHub? 14:06:15 SvenKieske: we have openstack.kolla org, I'd say we use that. 14:06:24 good :) 14:06:28 mnasiadka: yes, jobs failing on raxflex 14:06:55 frickler: how are they failing? 14:07:00 example at https://zuul.opendev.org/t/openstack/build/d7a108adc1c8491a92362bcb40b37670 I hope i can look into this later this week 14:07:13 essentially: Error mounting /var/lib/docker: mount: /var/lib/docker: can't find LABEL=kolla. 14:07:32 Ah, I've seen that 14:07:37 thought it's some kernel bug 14:07:38 yep, I had roughly 5-10 of those the last days 14:07:39 so something being different about the ephemeral volume. maybe there isn't any in that cloud 14:08:00 usually these are retried because the failure happens in pre 14:08:12 well, we check if there is one - https://github.com/openstack/kolla/blob/master/roles/configure-ephemeral/tasks/main.yml 14:08:43 if someone finds the cause for this, I won't mind, too ;) 14:08:44 either /dev/xvde or a disk with "ephemeral" label 14:09:06 ah, it might be that /dev/xvde is swap instead 14:09:22 that makes things complicated 14:09:36 but we can always check for raxflex ;-) 14:09:49 anyway, the data to debug should be in the logs 14:09:56 we really should not rely on special device names, labels are more stable 14:10:07 darmach68: want to have a look? 14:10:07 if not, I can also hold a node if needed 14:10:12 SvenKieske: some cloud does /dev/xvde but no labels :) 14:10:18 but I never looked at that file 14:10:19 mnasiadka sure! 14:10:29 frickler: we have a volunteer 14:10:39 cool 14:11:15 nice 14:12:09 ok then, let's move on 14:12:19 #topic Release tasks 14:12:41 bbezak: I think we have around two weeks to switch to Epoxy sources? 14:12:59 let me see 14:13:06 yup, R-17 14:13:10 R-17: Switch source images to current releaseĀ¶ 14:13:11 yeap 14:13:19 Dawud proposed openstack/kolla-ansible master: Add size limits to Fluentd buffers https://review.opendev.org/c/openstack/kolla-ansible/+/924359 14:13:20 Dec 02 - Dec 06 14:14:23 frickler: /dev/vdb has ephemeral0 label on raxflex 14:15:37 but for some reason when we create a filesystem with kolla label - it's not there for mounting 14:16:16 bbezak: willing to raise those next week? or do we need another volunteer? 14:18:27 source image changes mnasiadka ? 14:18:31 yup 14:18:34 willdo 14:18:37 there are three changes listed :) 14:18:42 goodie 14:18:54 #topic Current cycle planning 14:19:59 So, I started our WSGI mission with Gunicorn, but that's hard to implement because it requires changes in at least Nova - so probably not a good idea 14:20:12 so I went with uWSGI, although it's in maintenance mode - but Devstack and others are using it 14:20:20 And it seems to work now even with backend TLS 14:20:24 So the question is 14:20:40 do we want to support both apache/mod_wsgi and uwsgi for a cycle? 14:20:54 is it worth it to publish your findings wrt to WSGI to the ML as well? to get broader feedback, e.g. from nova folks? 14:20:58 I think we should? at least for keystone/horizon 14:21:05 SvenKieske: that's my plan 14:21:16 well, apache (or nginx) and uwsgi - yes 14:21:31 I'm asking if we should replace apache/mod_wsgi with uwsgi in Epoxy 14:21:37 or support both for one cycle 14:21:44 there is some discussion to happen in the scope of the eventlet-rm team about which wsgi/asgi solution to use in the future 14:21:55 so we might need to change again later 14:22:08 support both for transition seems better to me 14:22:14 hi again, one simple question: is there a ref doc where i can find what are the conf options i can setup in a kolla-build.conf ? i didnt manage to find any on the docs.openstack.org site. thanks a lot 14:22:21 https://github.com/pallets/werkzeug is afaik a still maintained wsgi server, not sure if it's "better" though. 14:22:25 parasitid: we have a meeting now, please ask later 14:22:52 SvenKieske: I think I prefer to go with what others are doing, at least we see the same problems 14:23:12 At least for now :) 14:23:30 frickler: yeah, seen that, but it doesn't seem like it will be changed in Epoxy 14:23:40 sure, absolutely, would be nice if openinfra could converge on the same solution! but I would like something alive upstream :) 14:24:06 that said I don't know if uwsgi is just simply "finished", maybe? :) 14:24:30 anyway, so we go with both apache/mod_wsgi and uwsgi in Epoxy and deprecate apache/mod_wsgi approach so it's removed in F (unless we see some issues) 14:24:49 SvenKieske: You're trying to use the funny term "feature complete"? :) 14:25:20 yeah :) but looking at the c code of uwsgi I'm not so certain I would bet my life on it. 14:26:06 yes, I went with gunicorn since Skyline uses it, but then it has problems passing CLI args - I'll write about my adventure on ML and we can take it from there 14:26:43 nice 14:26:48 Any other new features/changes we need to discuss? 14:27:10 frickler: is there a link to the eventlet-rm team discussion about wsgi/asgi solution? was that only on the ML? 14:27:30 SvenKieske: there's a channel - #openstack-eventlet-removal 14:27:38 SvenKieske: no, there is a (biweekly?) meeting 14:27:47 and meeting logs should be in the usual place 14:28:01 ah ty 14:28:26 also some notes in https://etherpad.opendev.org/p/epoxy-eventlet-tracking 14:28:52 Ok, from another front - I think it would be good if somebody would focus on getting RMQ QueueManager stuff tested and validated 14:28:57 Matt Crees: alive? 14:29:57 Ok, I'll chase him internally - maybe he can do some work in that area 14:30:16 that new ovs exporter project also looked interesting 14:30:17 mnasiadka: there is need to share /dev/shm 14:30:20 yes, that would be nice, it should work now properly in containers 14:30:25 Quemanager 14:30:29 if we have the above device^^ 14:30:30 for oslo services 14:30:48 then ..it can work nice .. 14:30:49 kevko: I know, I'm just trying to find somebody else than you to test it out thoroughly :) 14:31:08 And I assume that's needed for the fanout queues in new RMQ world? 14:31:21 mnasiadka: like i am not testing well ? :D 14:31:33 mnasiadka: yep, correct ... fanouts .. 14:31:50 kevko: I'd prefer that we don't blame everything on you :) 14:32:11 yes, pretty certain we need the queue manager to get this correctly working 14:32:38 there was a ML report having issues with quorum queues, but there was not much information what the actual issue was - could've been just misconfiguration 14:33:01 Well, I've seen issues with quorum queues and ironic-neutron-agent 14:33:30 I don't know if that's rather a fanout queue, or not - in classical world it had autodelete on 14:33:42 Haha, I don't recall you ever having to blame me for anything :D, as far as I know, everything works :) 14:33:58 and now it doesn't, so it's piling up queues and messages unless you delete those old queues without consumers 14:34:10 kevko: nobody's perfect :) 14:35:25 Ok then, let's move on 14:35:36 #topic Additional agenda (from whiteboard) 14:36:15 (SvenKieske 2024-11-13) reviews would be nice: 14:36:22 https://review.opendev.org/c/openstack/kolla-ansible/+/928949 14:36:47 https://review.opendev.org/q/+status:open+-is:WIP+uploader:kieske@osism.tech+label:Verified%252B1+-label:Workflow-1+is:mergeable 14:37:02 If anybody got some time, especially our quickstartguide needs to be changed since our arguments are reversed now (good first issue, if you are new to kolla): https://bugs.launchpad.net/kolla-ansible/+bug/2087920 14:37:16 darmach68: I know you complained over the quickstart guide recently, right? 14:37:20 ah I probably get around to fix the quick start guide today 14:37:35 but I won't complain if someone is faster :D 14:37:54 that list above is mostly backports I think 14:38:19 ok then, I'll just leave it there - I reapplied my +2 on the first patch from the list 14:38:28 the issue darmach found was with the deploy guide? different bug 14:38:36 Ah, that's another thing 14:38:58 We were discussing that today, that probably those variables that we use in docs conf.py should land in deploy-guide conf.py as well 14:39:08 so maybe we need to move that to some common place and source it? 14:39:15 +1 14:39:30 darmach688: you've got your answer 14:39:44 Next one from the whiteboard 14:39:45 (frickler 2024-11-27) transition stable/2023.1 to unmaintained? 14:39:48 https://review.opendev.org/c/openstack/releases/+/934490 14:40:00 I think all non-deployment projects already moved to unmaintained? 14:40:18 well almost all, some still lagging 14:40:43 Do we need to do anything in Kolla like switch to use unmaintained sources? 14:40:53 but a lot of stable/2023.1 branches are already gone 14:41:12 so yes, those references would need to get switched likely like was done for zed? 14:41:25 yes, I think so, also in the docs, no? 14:41:29 Yes, so any volunteer to do the switch? 14:42:05 a related question would be whether some of the older branches can be eoled? or who is volunteering to take care of them? 14:42:17 I'll do that again... darmach68 ? 14:42:25 #link https://review.opendev.org/c/openstack/kolla-ansible/+/927022 14:42:28 frickler: from my perspective yoga and zed can be EOLed 14:42:43 if anybody is there - it's his own fault ;-) 14:42:51 that's an example what needs to be fixed in the docs part at least 14:43:24 that as well: https://review.opendev.org/c/openstack/kolla-ansible/+/917421 (update .gitreview) 14:43:57 if you search for unmaintained you find quite some stuff :) 14:44:03 yup 14:44:15 Yep, let it be me :D 14:44:21 ok then 14:44:23 the gitreview update patch will be auto-created 14:44:29 drop upgrade testing as well 14:44:43 ah right 14:44:54 so if there are no complaints, we could just go ahead with the release patch first 14:45:03 ok then, once we fix antelope and transition it to unmaintained - we can EOL yoga and zed 14:45:09 and amend the unmaintained branches as needed afterwards? 14:45:13 frickler: fine by me 14:45:54 commented on the patch 14:46:03 ok then, let's go to open discussion 14:46:06 #topic Open discussion 14:46:12 Anybody anything? 14:46:15 ah, you were faster than me ;) 14:46:23 yes, one more thing 14:46:25 Certificates defaults 14:46:26 https://review.opendev.org/c/openstack/kolla-ansible/+/934514 14:46:30 please review 14:47:11 cberendt (fellow kolla core) is running for foundation board, maybe someone wants to support his nomination https://openinfra.dev/a/community/members/7040 14:47:41 mmalchuk: I'm rather thinking about -1 than merging - I don't think people should be using that role for anything except development envs and testing 14:48:07 mnasiadka nice) why? 14:48:11 frickler, SvenKieske, bbezak, kevko what do you think? 14:48:25 because Kolla-Ansible should not be in the certificate management business :) 14:48:28 it _might_ be useful if you need to test some specific cert/CA settings 14:48:32 peoples already use this for production for a years) 14:48:40 but yeah, maybe there are better tools for that 14:48:54 you really shouldn't use this for production, honestly 14:49:21 use a proper CA at least, there are some projects on github etc which do this 14:49:40 SvenKieske but there is no other tools in Kolla for production) 14:50:25 you can always push your CA cert with external cert role, no? 14:50:39 e.g. something like this (no endorsement, there are others as well): https://github.com/smallstep/certificates 14:50:49 mnasiadka: kolla-ansible should be cert manager ...but still ...everyone is using it :D :D :D 14:50:57 *shouldn't be 14:51:05 I do that, only CA and use role to generate endlevel certs 14:51:41 Michal Nasiadka proposed openstack/kolla-ansible master: nova: Add support for using uWSGI https://review.opendev.org/c/openstack/kolla-ansible/+/935975 14:51:45 I am ok with it ...it's just movement values to variables ..that's all 14:52:04 I think we discussed some PTGs ago to support things like smallstep 14:52:06 yep 14:52:36 yes, I mean of course people will be using test CAs in prod, it doesn't matter how many warnings you put into docs :D 14:52:52 Yes, I don't know if we should make it easier though :) 14:53:05 And I don't know if I like the command: style of that role ;-) 14:53:07 the bugreport is open, this change only PartialBug so lets merg it and add smalstep or whatever and close the bug 14:53:47 It's not a bug 14:53:55 It's by design 14:54:06 design with bug))) 14:54:10 Well, if it will be under ansible/roles ...from my perspective it can be used by user ...we also providing kolla-ansible certificates command ...so if we don't want from users to use it ...remove it and place into kolla collections or somewhere ...or something similar as we did for ceph 14:55:03 yes, it in the K-A but can't be used and configured 14:55:15 That was my comment long time ago when we added that certificates role - but obviously it makes life easier when doing a development/test deployment with TLS 14:55:15 so this is an issue 14:55:44 Issue why? 14:56:11 Tell us why do you need to set those variables to do a K-A deployment for testing 14:56:22 certs generated with wrong defaults 14:56:28 at least days 14:56:35 from a users perspective I can see why you would want it. from a dev perspective I would argue to make it harder to use and replace by proper CA integration. you can use your CA api for configuring all this stuff, it's outside of kollas domain imho. 14:56:36 at least days of validity 14:57:04 isn't the current validity a year or something? 14:57:46 maybe I don't understand the validity issue. 14:58:00 Me neither 14:58:06 after an year peoples forgot about self-signed cert and get an issue in api/browser again 14:58:32 after a year a test environment is broken anyway 14:58:37 some of them want certs in dev for 10 years for example 14:58:37 you've got year long development environments? 14:58:56 yep 14:59:06 we still have ussuri ))) 14:59:06 so either you automate your CA, (you need to control client CA deployment anyway I guess) 14:59:26 on Centos7 ))) 14:59:27 I mean changing validity is orthogonal to make it configurable 14:59:31 I'd assume that long existing dev/test env should already be rebuilt ;) 14:59:51 we could propose to set validity to seven days only, and hardcode that, to make clear this is only for dev mode? ;) 15:00:07 SvenKieske: +1 15:00:18 lol 15:00:24 SvenKieske +1 for harcore solutions! 15:00:31 Yeah, probably that's what we should rather do 15:00:49 poor users using this in prod xD 15:01:04 maybe 14 or 30 so we're not that hard on people - but that shouldn't be a year 15:01:15 lets drop the certificates role at all! and ask users to use their own CA 15:01:24 this would be hardcore) 15:01:29 We do that in the docs, don't we? 15:01:41 I think it's really good to have a cert stub like this for easy testing 15:01:44 no one reads the docs) 15:02:10 I'm happy to move that role outside of kolla-ansible delivered roles and just give a bash script to create certs for dev env with TLS 15:02:12 or we go full in and implement a proper CA even for testing, that would be better, but nobody got time for that I guess? 15:02:41 we at least need something to test TLS in CI 15:02:46 oh cool. lets rewrite ansible to bash) 15:03:04 haha ..let's do that :D 7 days is fine :D 15:03:30 mmalchuk I started recently, and found out that half is outdated, the other half doesn't template/render properly ;) 15:03:31 we will see how many bugreports we will receive :D 15:03:38 anyway we are over time for the meeting 15:03:47 yup 15:03:56 Okay, can anybody advise me I've asked before meeting ? 15:04:07 do anybody know if i can 1. have external public network with dns_domain set - shared, 2. zone for that network => Can another tenant create VM on this network and it will be automatically DNS created ? 15:04:14 so the consensus is let's leave it as it is or make it harder for users to use ;-) 15:04:56 kevko: no, external networks are intentionally excluded 15:05:08 be prepare for bugreports) 15:05:44 frickler: Hmm, I had that feeling ... 15:05:55 frickler: what about zone transfer request ? 15:06:29 ok then, let's finish the meeting 15:06:30 #endmeeting