16:01:05 #startmeeting OpenStack Ansible Meeting 16:01:05 Meeting started Thu Jun 25 16:01:05 2015 UTC and is due to finish in 60 minutes. The chair is cloudnull. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:01:06 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:01:09 The meeting name has been set to 'openstack_ansible_meeting' 16:01:15 moo. 16:01:30 . 16:01:57 we have lots of ground to cover today so we're skipping the formalities. 16:02:00 o/ everyone 16:02:05 hello 16:02:29 #topic Defining the project mission - odyssey4me 16:03:00 #link https://review.openstack.org/191105 16:03:12 sorry I'm late, now present 16:03:42 did you want to talk about "Defining the project mission" 16:03:51 hey 16:03:55 Present 16:04:05 specifically - Is our mission to deploy OpenStack (just OpenStack services), or to deploy whole OpenStack environment (OpenStack and all supporting infrastructure)? Where do we draw the line? 16:04:55 IMO i think its the later. we build a batteries included stack for use in production. 16:04:59 good question 16:04:59 Sure, I just wanted to raise the questions set out in the agenda and have us discuss them again. It seems that we didn't quite get to a conclusion before and we're being inconsistent already 16:05:37 with infra (such as galera) is more opinionated, but its easier to guarantee a working product when you do those things 16:05:39 cloudnull: I think the focus is on openstack, but we should be able to deploy all thats needed to get it to work. 16:05:51 if you say 'have a sql database' who knows what you're getting into 16:05:58 How much of openstack? 16:06:02 could be mariadb, could be postgres, maybe redundant, maybe not 16:06:02 I don't have strong feelings either way, but I would like us to be clear on what we're about so that we can use the principle as a backing for reviews and spec decisions. 16:06:04 For instance...mongo for ceilometer 16:06:34 I think we could probably focus more on openstack by reusing other people's bits for infra, however that always sounds easier than it is. 16:06:53 there always the option of making it an option 16:06:58 I know others have expressed opinions on it before, just pointing out that deploying what openstack needs to work also leaves the question of what parts of openstack do we care about? 16:07:03 As a for instance, we could easily draw the ELK stack roles back into the project as they are OpenStack focused and developed for this stack... 16:07:09 just dont run the infra plays. if you dont, here's a set of prereqs 16:07:20 Im with hughsaunders that if we can consume upstream other things we should do that, however I've not found roles that are "better" than what we already have . 16:07:30 which we could replace 16:07:38 I'd like to see use break some of the roles out 16:07:43 *us 16:08:21 I've always thought osad should be a consumer of roles not an owner of them 16:08:23 #note git-harry spoke in a meeting 16:08:24 Sure, I think we could do better at breaking the roles out into their own repositories and posting them into galaxy. This would be especially useful for infra-type roles which could be used for other deployments. 16:08:52 hughsaunders: lol 16:09:17 however, my question related a lot more to whether our focus is on deploying openstack... or are we going the whole hog of also facilitating pinning, package additions/removals, host setups, networking setups, etc 16:09:38 these all support an openstack environment, but aren't essential 16:09:52 ... to include in this project 16:09:57 once we move we'll have the ability to create new repos as needed, which will help facilitate moving roles into stand alone repos as needed. 16:10:12 ah. i read the question wrong, odyssey4me 16:10:59 odyssey4me: that's where I see osad as a ref implementation. So all the roles should be broken out and then osad is essentially a way to test them 16:11:10 It's never going to be all things to all people 16:11:30 by breaking all the roles out it makes most of the project easy to consume by others 16:11:43 s/easy/easier/ 16:11:54 this is presumably why we don't do pxe - so we can fit in with existing provisioning systems 16:11:55 git-harry yes, perhaps actually a role break-out is the way to show people how to be more flexible and consume other roles 16:11:57 so... back to the idea of saying you can use our infra roles or you need to meet a set of prereqs that the openstack roles expect? 16:11:58 odyssey4me: in that sense i say no. we dont do pxe booting of hosts / network setup / pinning of system packages. 16:12:02 does mean we can't win rule the stack though :/ 16:12:15 cloudnull: that sounds like more of a per-deployer task (like rpc) 16:12:22 ++ 16:12:30 unless its something that impacts openstack itself 16:12:43 hughsaunders: we can rule the stack, just bring your own pxe system 16:12:45 :) 16:12:58 cloudnull: :) 16:13:09 o/ 16:13:25 * svg struggling to get online on it train 16:13:39 my concern is really down to the question of where we draw the line 16:13:44 svg: are you visiting the uk? 16:13:57 odyssey4me: i dont think we need to draw a line, just provide options? 16:13:59 if our arms are too wide open then we risk bit rot 16:14:15 *gr* 16:14:31 "heres what we test, if your stuff meets or exceeds the expectations, you can do your own thing for any part of it" 16:15:00 perhaps we should shift the question to where we draw the line in terms of testing things that get added 16:15:10 i think its safe to say that we will do some host tuning and that we will have to interact with host machines however I dont think that we do anything in terms of provisioning. 16:15:12 we probably need a) more contributors b) more contributors with specialization in things like galera 16:15:42 cloudnull and what if someone decides to submit patches for provisioning 16:15:51 "we do software" 16:16:06 host provisioning sounds pretty generic 16:16:08 in big tent i'd say those get moved to a new repo. 16:16:11 they can be used for anything 16:16:23 but odyssey4me would that be ansible provisioning ? 16:16:31 or ansible setting up a provisioning system ? 16:16:46 that is later used to boot strap hosts? 16:16:51 cloudnull alright, I think essentially if we adopt the strategy of breaking out the roles then we're not creating first and second class citizens 16:17:42 which would then mean that we accept all the things, but we only test against a reference set of configurations and roles.... any other roles need to be tested individually 16:18:24 Yeah, providing reference configurations would be helpful there 16:18:38 Here's an AIO test, here's a 3 node test, here's a 5 16:18:43 this is likely. and we're probably going to have to revise our test scripts to facilitate better testing of those roles. 16:18:53 and add more jobs 16:19:16 IE stand alone keystone, keystone + swift, all the things, etc. . 16:19:20 Yeah 16:19:29 yup 16:19:47 infra said they could support multi-node tests at summit, too 16:19:57 But there'll be some networking monkeying we'll have to do 16:20:01 but, for instance, bugs like https://bugs.launchpad.net/openstack-ansible/+bug/1411897 would not be something we turn away if we accept all things 16:20:02 Launchpad bug 1411897 in openstack-ansible "Make package auto updates tunable" [Wishlist,Invalid] 16:20:35 palendae yeah, it's on my to-do list to get multi-node working... I have all the info I need, I just need the time 16:20:40 Cool 16:20:48 pfft time 16:20:49 And that particular one they move to rpc-openstack 16:21:09 moved* 16:21:11 odyssey4me: i dont agree. 16:21:20 palendae yep, it was moved because it was denied in the project because it was considered out of scope for OSAD 16:21:24 we turn that away because we're not pinning 16:21:32 but we've provided the ability for a deployer to pin 16:21:39 so the question stands, where do we draw the line? 16:21:59 sure, so should we provide the ability to blacklist packages? 16:22:01 and that package is installed in the base os at install time, which they configure. 16:22:22 or to remove specified packages, or to tune the unattended updates? 16:22:22 so its on their provisioning system to make that go away . 16:23:00 Yeah, I kinda of agree with odyssey4me. We're allowing a hook to pin packages, but we're not allowing a hook to turn off auto updates? 16:23:46 we're not making consistent decisions about what we allow or disallow - that's what I'm trying to address 16:23:51 again provisioning. would also add a hook to remove the gnome desktop should they have it installed ? 16:24:09 pinning has nothing to do with openstack, so why do we have a hook for it? 16:24:37 pinning does not. and Id be happy to remove that role. 16:24:43 if we have a hook for that, why can't we have a hook for gnome desktop, widget1 and salamander_love123? 16:24:53 it was added to help deployers (rax) 16:25:30 cloudnull yep, and I thought we had decided not to add it and had referred it just like we did the auto updates thing... then suddenly there was a patch merged for it 16:25:41 inconsistency :) 16:25:55 i hate pinning, its up to the deployer to create a repo . if they dont have one they get the community repo. 16:26:33 * svg uses aptly to 'pin' packages 16:26:38 I really do feel that we can happily welcome anything and everything. I'm happy if someone preps a patch for it and agree that we can facilitate anything, but we only get opinionated about how to use that framework when it comes to a reference architecture for the project. 16:26:58 svg: doing it right 16:27:10 So if we're doing things for deployers 16:27:17 Not every deployer will agree with us on everything 16:27:28 Regardless of whether one of our cores hates some approach or not 16:28:00 palendae sure, that's why I'm happy to provide a framework in the project - but the deployer needs to configure something for it to do anything 16:28:03 (but now I need to have the container images to use that repo too, IIRC not configureabl) 16:29:06 palendae but then we need to be consistent about it - we allow anything in terms of a framework, but not something opinionated unless it has a reference architecture with it which is gate-tested 16:29:16 odyssey4me: I agree with you 16:29:57 so lets revert this and stick to our guns https://review.openstack.org/#/c/180613 16:30:26 cloudnull what I'm suggesting is that we don't - we allow it and anything else 16:30:43 but much like that patch, it does nothing unless a deployer uses it 16:30:53 Ok, so once that's reverted, how would a deployer add that functionality without having to edit osad roles directly? 16:31:29 of course this leads to... what if someone wants to deploy this on another distro :) 16:31:29 if that means that we allowing provisioning into core OSAD, as a blanket "we accept all the things". i say no. 16:31:54 svg: you could change the repo url to point to upstream and not add the repo containers ? 16:33:13 in fact, for these sorts of things the right way to do it would be to create a role in github/stackforge - then it can be consumed, but optionally 16:33:24 palendae: a deployer could create their own role to pin. 16:33:38 cloudnull: Ok, but then how do they make the osad ones rely on it? 16:33:39 or have a proper mirror 16:33:47 we could perhaps just have a doc in our repo providing basic info on roles we've worked with and how to consume them in osad's framework 16:33:51 That particular patch touches a lot of osad roles 16:33:59 it does 16:34:40 but they are all role deps - the role could be run in an earlier play without those. 16:34:51 palendae cloudnull it only does because the decision was made to change all the disparate pinning in those roles to consume this role... which was a good decision 16:35:40 anyway, this has taken enough time and I think we should sleep on it and talk some more about it next meeting 16:35:50 ok 16:35:59 #topic What is our roadmap like? Will making fernet tokens in keystone be an 11.1.0 feature? palendae 16:36:23 Yeah, my question here was do we have those point releases figured out yet? 16:36:35 Fernet tokens is just a good example 16:36:45 #link https://review.openstack.org/#/c/193729 (fernet tokens as the default) 16:37:10 short answer palendae no. 16:37:17 k 16:37:23 I've heard rule-of-thumb 16:37:29 generally, the road map is dicated by specs 16:37:31 "It's a big change, changes a default" 16:37:32 and not set 16:37:54 but we dont really have much in the way of specs, yet 16:38:43 in this case I'd say fernet hits master , and its backported to kilo, which changes the default token provider in a big way so we rev. 16:38:59 and 11.0.4 becomes 11.1.0 16:39:03 so... why did we go with fernet? 16:39:09 (on a side note) 16:39:26 its faster, and ha. 16:39:31 I agree with that as a strategy, but I kinda think that perhaps we should pile-up a few things before we declare a minor rev 16:39:33 cloudnull: Ok 16:39:34 Sam-I-Am: performance, infrastructure overhead, scalability 16:39:34 dolphm: -cc 16:39:42 odyssey4me: I agree with that too 16:39:51 And yes, perhaps the switch to fernet tokens should be covered by a spec to infom people why 16:39:52 So fernet as default goes in 11.1.0, but it's not the only thing 16:40:08 this is what we have so far in 11.0.4 16:40:09 even if the spec is a small one 16:40:09 dolphm: ok, figured as much 16:40:10 #link https://launchpad.net/openstack-ansible/+milestone/11.0.4 16:41:07 we have quite a few "features" targetting 11.0.4 16:41:39 odyssey4me: Agreed with a spec 16:41:41 IE cinder on metal, keystone ssl, fernet, etc... 16:42:08 cloudnull fair enough - I think it may be worth shifting those to a new milestone and seeing how that looks 16:42:18 cloudnull: are they targeted to the milestone? 16:42:24 they are 16:42:28 11.0.4 16:42:32 there's no Wishlist bugs or blueprints 16:42:54 nope. 16:42:58 yep - we seem to have adopted a strategy of not marking things as wishlist any more 16:43:06 then there's clearly no features being tracked against 11.0.4! 16:43:09 So many things went wishlist we never touched them 16:43:21 this is a bad habit 16:43:22 * cloudnull still sifting through them 16:43:25 Yeah 16:43:27 It is 16:43:31 We swung the opposite direction 16:43:38 So many things not marked wishlist, we never touch them :) 16:44:01 i agree with specs being created. 16:44:18 wishlist items should be small feature changes - the rest should be blueprints and the bigger ones with specs 16:44:55 I think we should create a 11.1 milestone - move the ones that look like features to it, then decide on which become specs and which become wishlist items 16:45:11 ++ 16:45:12 there's not much point to a blueprint without a spec, given how broken blueprints are on their own. how to draw the line between the two is another story... 16:45:17 odyssey4me: +1 16:45:40 we're too easily falling into the trap of letting everything be a bug and we need to get more disciplined about this 16:45:59 so with that said we need people to write these specs and will need to do it retro actively for the items that we have had in the queue for a while 16:46:10 example 16:46:11 #link https://bugs.launchpad.net/bugs/1455238 16:46:13 Launchpad bug 1455238 in openstack-ansible "Ceph Support" [Medium,In progress] - Assigned to Serge van Ginderachter (svg) 16:47:07 so who, with me, is going to do this ? 16:47:50 dont all speak at once. . . 16:48:09 so maybe we do this going forward ? 16:48:48 cloudnull I'll be happy to assist after the federation sprints are done, so that'll be in around 2-3 weeks :/ 16:49:44 ok so if nobody wants to help write specs then im inclided to say that we do it from NOW on. and mark all of the "features" as wishlist which will be merged into 11.1.0 16:50:00 cloudnull I think that's fair 16:50:09 going once. 16:50:29 going twice. 16:50:32 That also means we (cores especially) need to be vigilant about pushing back when someone doesn't propose a spec 16:50:42 You want it, you spec it 16:50:44 palendae yep 16:50:53 and sold. 16:50:54 bang? 16:50:58 We can help, but shouldn't do it for you 16:51:28 from this day forth no spec, no feature. everything in the pipline will be makred as wishlist and handled in our current targetted milestones. 16:51:37 So say we all 16:51:45 by your command 16:51:56 next 16:52:02 #topic Discuss https://review.openstack.org/189998 (Fernet token support for keystone) odyssey4me 16:52:34 i think we can do this with the same pattern we're using for the swift ring distribution . 16:52:44 in terms of rotation. 16:52:45 So currently the patch we have has 3 keys, and only rotates when the playbook for installing keystone is run. 16:53:19 in the proposed default patch its been set to 7 16:53:20 https://review.openstack.org/#/c/193729/15/playbooks/roles/os_keystone/defaults/main.yml 16:53:28 back 16:53:45 I'm in favor of the keystone user having ssh keys and the keys being distributed on rotation in something like a cron job. 16:53:49 s/proposed/merged 16:54:01 odyssey4me: me too. 16:54:20 which will also get rid of the need to sync back the keys to the deploy host. 16:54:26 and then distribute 16:54:42 I think that this should form part of the 'feature' for 11.1 and we shouldn't release 11.1 until that's done as it's a key requirement for making this production ready 16:54:52 done. 16:55:07 i am in agreement. 16:55:40 alright, so who's going to do it? sigmavirus24_awa ? 16:56:07 im happy to bang it out. i know the swift code failly well . 16:56:14 and it shouldnt take much to get it in 16:56:24 cloudnull cool, thanks :) 16:57:04 so last 5 min. 16:57:08 #topic open 16:57:36 open bar, perhaps? 16:57:43 anything that we want to talk about ? 16:57:49 open bar would be nice ! 16:58:24 i just finished re-assigning a few bug priorities to wishlist in https://launchpad.net/openstack-ansible/+milestone/11.0.4, none are committed yet though, so it's still sane to release 11.0.4 at the moment 16:58:50 tyvm dolphm! 16:59:41 ok we're done here. 16:59:46 #endmeeting