09:03:48 <mnasiadka> #startmeeting magnum 09:03:48 <opendevmeet> Meeting started Wed Sep 6 09:03:48 2023 UTC and is due to finish in 60 minutes. The chair is mnasiadka. Information about MeetBot at http://wiki.debian.org/MeetBot. 09:03:48 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 09:03:48 <opendevmeet> The meeting name has been set to 'magnum' 09:03:50 <mnasiadka> #topic rollcall 09:03:51 <mnasiadka> o/ 09:03:59 <dalees> o/ 09:04:14 <gbialas> o/ 09:04:28 <mnasiadka> #topic Secure RBAC 09:04:38 <mnasiadka> So, basically we've started to merge some of the rbac patches 09:04:48 <mnasiadka> Especially those in magnum-tempest-plugin 09:05:12 <mnasiadka> there are two that need second core 09:05:15 <mnasiadka> #link https://review.opendev.org/c/openstack/magnum-tempest-plugin/+/877086 09:05:25 <mnasiadka> #link https://review.opendev.org/c/openstack/magnum-tempest-plugin/+/875322 09:05:30 <mnasiadka> dalees: do you think you could have a look? 09:06:17 <dalees> I haven't looked at the RBAC change too deeply yet, but will try and spend some time 09:06:27 <mnasiadka> Actually the ones in openstack/magnum are merged 09:06:39 <mnasiadka> ricolin: if we need anything else merged for srbac - please shout 09:07:04 <dalees> yeah, i can look into these tempest ones 09:07:15 <mnasiadka> ok, let's move to next topic 09:07:18 <mnasiadka> #topic ClusterAPI 09:07:40 <mnasiadka> So, basically I think with the release calendar being as is now (so RC1 is close and then first week of Oct is the release day) 09:07:52 <mnasiadka> It might be very complicated to merge the CAPI driver changes 09:08:41 <mnasiadka> And we have some doubts on the direction of current patches + probably we'd need another round of discussions around this plus recognizing that the current patches are probably at least inspired by VexxHost driver 09:08:50 <mnasiadka> dalees: anything to add? 09:10:04 <dalees> No, not too much - but we do want to merge a CAPI driver next cycle. The functionality is too important 09:10:18 <mnasiadka> Yes, I agree - but let's do it right :) 09:10:40 <mnasiadka> ok, let's move into open discussion 09:10:43 <mnasiadka> #topic Open discussion 09:10:46 <mnasiadka> So, I have one point 09:10:56 <dalees> Yes, splitting the community on CAPI drivers isn't helpful and the path isn't clear yet. 09:11:13 <mnasiadka> the meetings on the https://meetings.opendev.org page show up as Container team meetings, and the url is to some really old logs 09:11:35 <mnasiadka> I'd like to fix that, so people have more clarity how to find the meeting date/logs 09:11:49 <mnasiadka> We have two options I guess - rename the Containers meeting to Magnum meeting and fix the link 09:12:01 <mnasiadka> or leave the meeting name as Containers and fix the link to point to Magnum 09:12:13 <mnasiadka> I think we'd need jakeyip to decide :) 09:12:40 <mnasiadka> so let's leave it for next meeting - but we should fix it 09:12:41 <dalees> Renaming to Magnum seems sensible, that's the commonly known product name 09:12:57 <mnasiadka> yeah, I'll consult with jakeyip later and do the needed changes 09:13:06 <mnasiadka> gbialas: you had something? 09:13:21 <gbialas> Yes, container team doesn't say much 09:13:48 <mnasiadka> so three votes for changing to Magnum :) 09:13:49 <gbialas> Yes. Deprecation of contianer_runtime default value 09:14:13 <mnasiadka> gbialas: can you link the current patch that jakeyip didn't like? 09:14:27 <gbialas> In short words: Change 'container_runtime' variable default to containerd, and deprecate 'host-docker'. From 1.24 dockershim is removed from k8s so host-docke dosn't make any sense 09:14:49 <gbialas> https://review.opendev.org/c/openstack/magnum/+/893378/1 09:15:05 <mnasiadka> #link https://review.opendev.org/c/openstack/magnum/+/893378 09:15:11 <mnasiadka> (so it renders in html properly in the logs) 09:15:26 <mnasiadka> So, we agreed to support Kubernetes 1.25+ in Bobcat in the driver 09:15:34 <mnasiadka> and drop support for older versions 09:15:43 <mnasiadka> I assume 1.25 does not support DockerShim anymore 09:15:50 <gbialas> Yes. 09:16:13 <mnasiadka> So we could change the default to containerd, and deprecate the whole variable (container_runtime) - to be dropped in C 09:16:40 <gbialas> That would be best outcome. 09:16:41 <mnasiadka> I understand the motivation that we didn't want to change defaults in the past, but with the current default - it's undeployable (you need to change to container) 09:16:50 <mnasiadka> dalees: opinions? 09:16:58 <dalees> so if old magnum templates exist that don't specify, changing a default may break them. This is the backwards compat problem, it's true with all labels sadly. 09:17:24 <dalees> we try and get around this by specifying all labels in magnum templates, it's a pain but less likely for breakages like this. 09:17:49 <dalees> having said that, i agree that having a default like docker doesn't make sense in 1.24+ if we don't install the out-of-tree dockershim 09:18:20 <mnasiadka> I'm not saying to backport the change of default, just change the default in Bobcat - that shouldn't break people that want to deploy 1.25+ when Bobcat is out 09:18:53 <mnasiadka> We just need proper release notes saying that please check your cluster template 09:19:27 <mnasiadka> (not counting the default kube_tag that we currently have, which does not help) 09:21:02 <gbialas> Also upgrading kube_tag and fedora image used to make tests to recent version would be useful. Ii docs we are still using Fedora 35 an 1.23 (in antelope) 09:21:11 <mnasiadka> I guess it would make sense to push that discussion to a time when jakeyip is around 09:21:31 <mnasiadka> And talk about how do make cluster templates without any labels work in Bobcat with some fresh kubernetes release 09:22:00 <mnasiadka> maybe we need to remove defaults at all for a cycle, and force people to set some of the labels mandatory 09:22:15 <dalees> yeah, the alternative to defaults is ignore them entirely and provide (quite large) magnum templates which specify known working labels for each k8s version. In this case it'd always be containerd. 09:22:41 <dalees> that's an interesting idea, mnasiadka. 09:23:07 <gbialas> Maybe each release we will ship just one version of key components which is proved to work, and use it as default. 09:23:37 <mnasiadka> gbialas: and warn users if they don't set these labels, it might break them after upgrading Magnum to a new OpenStack release 09:23:49 <dalees> anyway, mostly my point is that the defaults thing is a pain. Not that it shouldn't change. We just need to define a consistent policy and stick to it, letting deployers know it might break if they don't specify everything in their templates. 09:24:27 <mnasiadka> dalees: in other projects we state change of defaults in release notes, we could also add some warning in the docs 09:24:36 <mnasiadka> but I think we need some buy in from the PTL 09:24:37 <gbialas> Exactly. We can't keep backwards compatibility forever. k8s is droping something constantly 09:25:07 <dalees> i think it's worth a discussion 09:25:40 <gbialas> Yes. Happy to help with this (discussion and implementing) 09:26:11 <mnasiadka> Ok, this week is R-4, next week is RC1 week - we should decide on the meeting next week what is the approach we're taking - and implement it fast. 09:26:26 <mnasiadka> We should not be changing defaults after RC1 09:27:33 <mnasiadka> Ok, anything else? Anybody? 09:27:43 <gbialas> Nothing from me. 09:28:26 <dalees> No other topics from me 09:28:59 <mnasiadka> mkjpryor: you're a bit late, we postponed the CAPI driver merging for C cycle - we need to sort out everything, ideally have another discussion with mnaser and jakeyip (he's not available today) 09:29:14 <mnasiadka> ok then, let's finish for today 09:29:16 <mnasiadka> thanks for coming :) 09:29:18 <mnasiadka> #endmeeting