16:02:09 <evrardjp> #startmeeting openstack_ansible_meeting
16:02:10 <openstack> Meeting started Tue Jun 6 16:02:09 2017 UTC and is due to finish in 60 minutes. The chair is evrardjp. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:02:11 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:02:13 <openstack> The meeting name has been set to 'openstack_ansible_meeting'
16:02:15 <andymccr> o/
16:02:19 <spotz> \o/
16:02:20 <evrardjp> #topic rollcall
16:02:44 <andymccr> hi!
16:03:14 <cloudnull> hi
16:03:44 <evrardjp> leaving a few seconds for ppl to join
16:03:44 <asettle> o/
16:03:55 <asettle> I Didn't see any doc stuff this week :)
16:04:42 <evrardjp> maybe there will be...
16:04:47 <evrardjp> suspense!
16:05:10 <andymccr> you never know. bug triage - anything can happen!
16:05:10 <evrardjp> ok we're good to start
16:05:17 <evrardjp> thrilling!
16:05:26 <evrardjp> #topic last week ap
16:05:29 <evrardjp> none
16:05:33 <evrardjp> #topic this week bugs
16:05:48 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1695944
16:05:49 <openstack> Launchpad bug 1695944 in openstack-ansible "SSH plugin fails to resolve physical host correctly on Ocata" [Undecided,New]
16:05:56 <evrardjp> sounds critical to me
16:06:31 <andymccr> yeah
16:06:54 <andymccr> thats weird
16:07:01 <logan-> o/
16:07:18 <evrardjp> good logan- is there :)
16:07:32 <logan-> yeah it seems like some other people ought to be hitting that. i'm not sure yet but it would be interesting if someone can repro
16:07:38 <cloudnull> that one is an odd one.
16:08:07 <cloudnull> I had a similar issue which
16:08:15 <cloudnull> which was ansible_ssh_host related.
16:08:41 <logan-> ^^ yep i made sure to rip out every instance of ansible_ssh_host from openstack_deploy, any roles/playbooks, etc to make sure i wasnt hitting the thing you saw
16:09:17 <cloudnull> yea. idk why else would cause that ?
16:09:18 <logan-> i wonder if we're wallpapering it with the /etc/hosts sync
16:09:30 <logan-> because my test there uses unbound, it does not do any /etc/hosts work
16:09:45 <andymccr> logan-: that sounds likely
16:09:46 <cloudnull> hum...
16:09:51 <evrardjp> the CLI seems good
16:10:11 <andymccr> logan-: should be easy enough to test too? just # the entry for aio1 from /etc/hosts
16:10:13 <evrardjp> ssh doesn't know aio1
16:10:32 <logan-> yeah exactly theres no aio1 in my env, I think in the gate there probably would be because of the /etc/hosts management
16:11:00 <logan-> so it exposes the broken connection plugin behavior
16:11:02 <logan-> we could do a gate run with -vvvvv to confirm what host it is using to ssh to containers with
16:11:15 <logan-> er ssh to physical_host with, to lxc-attach containers
16:11:20 <evrardjp> you could ANSIBLE_DEBUG=yes ansible -vvvvv
16:11:28 <logan-> if it is ssh to aio1 instead of 172.29.236.100, we've got problems imo
16:11:33 <evrardjp> gives you full insights
16:11:39 <evrardjp> yes that's what's shown
16:12:02 <evrardjp> anyway, we have to fix it
16:12:06 <evrardjp> looks critical to me
16:12:07 <andymccr> logan-: agreed we should fix that either way
16:12:09 <andymccr> yeah
16:12:25 <evrardjp> anyone wants to take it?
16:12:55 <evrardjp> super busy times
16:13:15 <evrardjp> let's leave it to good will and mark an action point somewhere
16:13:33 <evrardjp> #action schedule to fix https://bugs.launchpad.net/openstack-ansible/+bug/1695944
16:13:34 <openstack> Launchpad bug 1695944 in openstack-ansible "SSH plugin fails to resolve physical host correctly on Ocata" [Critical,Confirmed]
16:13:44 <evrardjp> next
16:13:45 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1695846
16:13:46 <openstack> Launchpad bug 1695846 in openstack-ansible "error when running os-nova-install.yml playbook with nova-config tag" [Undecided,New]
16:13:58 <openstackgerrit> Logan V proposed openstack/openstack-ansible master: [WIP] DNM: testing verbose output https://review.openstack.org/471413
16:14:40 <andymccr> seems legit
16:14:44 <evrardjp> confirmed medium? we are breaking an interface here
16:14:47 <andymccr> yeah
16:14:53 <logan-> yep makes sense
16:14:59 <andymccr> agreed - although i do think we need a discussion around tags and our approach (for another time of course)
16:15:07 <andymccr> i like it but if we dont test it its always going to break without us knowing
16:15:26 <evrardjp> indeed. That's what I commented there too.
16:15:33 <evrardjp> Or what I tried to comment there.
16:15:48 <evrardjp> adding tests for these interfaces would be good.
16:16:02 <evrardjp> sadly I don't have time right now
16:16:09 <odyssey4me> yeah, me neither
16:16:13 <evrardjp> and I don't think this is a level1 prio
16:16:17 <andymccr> agreed
16:16:54 <evrardjp> if there are new contributors around that have time to improve OSA, they are welcomed to do it ! \o/
16:17:07 <evrardjp> we are friendly, we could give you advice!
16:17:10 <evrardjp> anyway
16:17:12 <evrardjp> next
16:17:14 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1695827
16:17:15 <openstack> Launchpad bug 1695827 in openstack-ansible "correct way to apply CORS for Keystone?" [Undecided,New]
16:18:13 <odyssey4me> hmm, I wonder if we shouldn't just add those to the template as a default?
16:18:17 <evrardjp> set Access-Control-Allow-Origin "*" sounds a recipe for disaster
16:18:25 <odyssey4me> ah, there is that
16:18:48 <andymccr> maybe yeah
16:18:54 <andymccr> or move to use upstream nginx role :P
16:19:08 <odyssey4me> although, that's easy enough to expose via a var and perhaps link to the haproxy whitelist by default
16:19:09 <evrardjp> I think the question is valid, but I have not enough skills to do it properly
16:19:41 <odyssey4me> just comment a suggestion to propose a patch to include that in the default template for apache
16:19:47 <evrardjp> we can hijack on haproxy, but I think it's better to do it on the webserver
16:20:53 <evrardjp> I propose we mark it as confirmed and wishlist
16:22:27 <evrardjp> is that a yes?
16:22:44 <andymccr> yeah i guess thats a feature
16:22:44 <evrardjp> ok next
16:22:50 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1695258
16:22:50 <andymccr> so sounds fine
16:22:53 <openstack> Launchpad bug 1695258 in openstack-ansible "OSA Newton 14.2.4: Aodh evaluator showing MissingAuthPlugin error" [Undecided,New]
16:22:59 <andymccr> ugh :P
16:23:31 <andymccr> perhaps the correct response is to mark those roles as needing work
16:23:35 <jmccrory> is all the ceilometer stuff still out of newton integrated gate?
16:23:58 <andymccr> probably - plus they need quite a bit of work i believe, and nobody has had the inclination to do that.
16:24:17 <evrardjp> alextricity25: are you there?
16:24:44 <evrardjp> the question is valid
16:25:17 <evrardjp> I'd confirm it, with low importance because old branch and not frequent role
16:25:22 <evrardjp> "fix when convenient"
16:25:39 <andymccr> agreed
16:25:58 <evrardjp> next
16:26:01 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1694727
16:26:02 <openstack> Launchpad bug 1694727 in openstack-ansible "Multicast not enabled through Firewalld on Openstack Hosts" [Undecided,New]
16:26:19 <evrardjp> I haven't confirmed, but I can guess the mess it's gonna cause
16:26:44 <andymccr> hmm yeah.
16:26:49 <evrardjp> oh it's not only about keepalived, the man's gonna have issues with vxlan too
16:27:01 <evrardjp> keepalived is the first one showing
16:27:10 <evrardjp> we don't configure hosts though
16:27:19 <andymccr> thats true also
16:27:42 <evrardjp> the thing with the ansible security role, is that we setup expectations that we are doing everything
16:28:11 <openstackgerrit> Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible master: Implement rolling upgrades for cinder https://review.openstack.org/469955
16:28:22 <andymccr> yeah agreed - it should be documented though in host setup
16:28:29 <mgariepy[cell]> Can we have confirmation that fw rules are there ?
16:28:47 <evrardjp> ansible security can't know what group will be used for keepalived, so it's hard to do it there
16:28:57 <evrardjp> because it's becoming an independent role
16:29:17 <mgariepy[cell]> I have seen issue on some switches config with multicast stuff
16:29:31 <evrardjp> mgariepy[cell]: what do you mean?
16:29:52 <evrardjp> yeah multicast is used in OSA
16:30:04 <evrardjp> we don't configure switches though
16:30:16 <mgariepy[cell]> Is the security role add rules to firewalld ?
16:30:26 <openstackgerrit> Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible master: Implement rolling upgrades for cinder https://review.openstack.org/469955
16:30:40 <evrardjp> mgariepy[cell]: it could
16:31:35 <mgariepy[cell]> Keepalived also need some selinux love but i havent had time to fix it yet
16:31:38 <evrardjp> example https://github.com/openstack/openstack-ansible-security/blob/d8336717aadd8f7e501d3dc1c25b2aedd67d7e9f/tasks/rhel7stig/misc.yml#L283
16:32:08 <evrardjp> oh? It passes my gates, so I'd be happy to know the issue
16:32:22 <evrardjp> anyway
16:32:32 <evrardjp> I think it's an expectations problem here
16:32:43 <evrardjp> so either it's a doc change, to explain what we need
16:33:16 <mgariepy[cell]> +1 on doc change.
16:33:19 <evrardjp> or, we add a firewall configuration thing in the haproxy play
16:33:40 <evrardjp> but then another firewall configuration is needed for vxlan
16:34:10 <mgariepy[cell]> But on a default install is fwd configured by osa ?
16:34:22 <andymccr> mgariepy[cell]: i dont think so
16:34:40 <evrardjp> osa make uses of the security role by default IIRC
16:34:48 <evrardjp> therefore on centos we are configuring firewalld
16:34:56 <andymccr> i guess if we are configuring specific groups that only get used by OSA and dont impact anything else, i can see why we would do it
16:35:05 <mgariepy[cell]> So the user added his fw conf ?
16:35:41 <evrardjp> not sure what you mean there
16:35:59 <evrardjp> for me it makes sense to limit this as a doc change
16:36:15 <evrardjp> you start with an ubuntu or centos with x configured
16:36:34 <andymccr> yeah that works
16:37:14 <evrardjp> x is, here, a firewalling allowing multicast for keepalived and vxlan.
16:37:22 <evrardjp> confirmed medium?
16:37:26 <mgariepy[cell]> Yes doc change
16:39:09 <andymccr> yeah
16:39:11 <andymccr> agreed with that
16:39:20 <evrardjp> that's it for today
16:39:25 <evrardjp> thanks everyone
16:39:41 <evrardjp> (except if someone has a bug to discuss?)
16:39:46 <mgariepy[cell]> Thank ill be off now
16:39:55 <evrardjp> haha ok :)
16:40:03 <evrardjp> closing in 5
16:40:04 <evrardjp> 4
16:40:06 <evrardjp> 3
16:40:07 <evrardjp> 2
16:40:07 <evrardjp> 1
16:40:09 <evrardjp> #endmeeting