16:02:09 #startmeeting openstack_ansible_meeting
16:02:10 Meeting started Tue Jun 6 16:02:09 2017 UTC and is due to finish in 60 minutes. The chair is evrardjp. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:02:11 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:02:13 The meeting name has been set to 'openstack_ansible_meeting'
16:02:15 o/
16:02:19 \o/
16:02:20 #topic rollcall
16:02:44 hi!
16:03:14 hi
16:03:44 leaving a few seconds for ppl to join
16:03:44 o/
16:03:55 I didn't see any doc stuff this week :)
16:04:42 maybe there will be...
16:04:47 suspense!
16:05:10 you never know. bug triage - anything can happen!
16:05:10 ok we're good to start
16:05:17 thrilling!
16:05:26 #topic last week ap
16:05:29 none
16:05:33 #topic this week bugs
16:05:48 #link https://bugs.launchpad.net/openstack-ansible/+bug/1695944
16:05:49 Launchpad bug 1695944 in openstack-ansible "SSH plugin fails to resolve physical host correctly on Ocata" [Undecided,New]
16:05:56 sounds critical to me
16:06:31 yeah
16:06:54 that's weird
16:07:01 o/
16:07:18 good logan- is there :)
16:07:32 yeah it seems like some other people ought to be hitting that. i'm not sure yet but it would be interesting if someone can repro
16:07:38 that one is an odd one.
16:08:07 I had a similar issue which
16:08:15 which was ansible_ssh_host related.
16:08:41 ^^ yep i made sure to rip out every instance of ansible_ssh_host from openstack_deploy, any roles/playbooks, etc to make sure i wasn't hitting the thing you saw
16:09:17 yea. idk why else would cause that?
16:09:18 i wonder if we're wallpapering it with the /etc/hosts sync
16:09:30 because my test there uses unbound, it does not do any /etc/hosts work
16:09:45 logan-: that sounds likely
16:09:46 hum...
16:09:51 the CLI seems good
16:10:11 logan-: should be easy enough to test too? just # the entry for aio1 from /etc/hosts
16:10:13 ssh doesn't know aio1
16:10:32 yeah exactly there's no aio1 in my env, I think in the gate there probably would be because of the /etc/hosts management
16:11:00 so it exposes the broken connection plugin behavior
16:11:02 we could do a gate run with -vvvvv to confirm what host it is using to ssh to containers with
16:11:15 er ssh to physical_host with, to lxc-attach containers
16:11:20 you could ANSIBLE_DEBUG=yes ansible -vvvvv
16:11:28 if it is ssh to aio1 instead of 172.29.236.100, we've got problems imo
16:11:33 gives you full insights
16:11:39 yes that's what's shown
16:12:02 anyway, we have to fix it
16:12:06 looks critical to me
16:12:07 logan-: agreed we should fix that either way
16:12:09 yeah
16:12:25 anyone wants to take it?
16:12:55 super busy times
16:13:15 let's leave it to good will and mark an action point somewhere
16:13:33 #action schedule to fix https://bugs.launchpad.net/openstack-ansible/+bug/1695944
16:13:34 Launchpad bug 1695944 in openstack-ansible "SSH plugin fails to resolve physical host correctly on Ocata" [Critical,Confirmed]
16:13:44 next
16:13:45 #link https://bugs.launchpad.net/openstack-ansible/+bug/1695846
16:13:46 Launchpad bug 1695846 in openstack-ansible "error when running os-nova-install.yml playbook with nova-config tag" [Undecided,New]
16:13:58 Logan V proposed openstack/openstack-ansible master: [WIP] DNM: testing verbose output https://review.openstack.org/471413
16:14:40 seems legit
16:14:44 confirmed medium? we are breaking an interface here
16:14:47 yeah
16:14:53 yep makes sense
16:14:59 agreed - although i do think we need a discussion around tags and our approach (for another time of course)
16:15:07 i like it but if we don't test it it's always going to break without us knowing
16:15:26 indeed. That's what I commented there too.
16:15:33 Or what I tried to comment there.
16:15:48 adding tests for these interfaces would be good.
16:16:02 sadly I don't have time right now
16:16:09 yeah, me neither
16:16:13 and I don't think this is a level1 prio
16:16:17 agreed
16:16:54 if there are new contributors around that have time to improve OSA, they are welcome to do it! \o/
16:17:07 we are friendly, we could give you advice!
16:17:10 anyway
16:17:12 next
16:17:14 #link https://bugs.launchpad.net/openstack-ansible/+bug/1695827
16:17:15 Launchpad bug 1695827 in openstack-ansible "correct way to apply CORS for Keystone?" [Undecided,New]
16:18:13 hmm, I wonder if we shouldn't just add those to the template as a default?
16:18:17 set Access-Control-Allow-Origin "*" sounds like a recipe for disaster
16:18:25 ah, there is that
16:18:48 maybe yeah
16:18:54 or move to use upstream nginx role :P
16:19:08 although, that's easy enough to expose via a var and perhaps link to the haproxy whitelist by default
16:19:09 I think the question is valid, but I have not enough skills to do it properly
16:19:41 just comment a suggestion to propose a patch to include that in the default template for apache
16:19:47 we can hijack on haproxy, but I think it's better to do it on the webserver
16:20:53 I propose we mark it as confirmed and wishlist
16:22:27 is that a yes?
16:22:44 yeah i guess that's a feature
16:22:44 ok next
16:22:50 #link https://bugs.launchpad.net/openstack-ansible/+bug/1695258
16:22:50 so sounds fine
16:22:53 Launchpad bug 1695258 in openstack-ansible "OSA Newton 14.2.4: Aodh evaluator showing MissingAuthPlugin error" [Undecided,New]
16:22:59 ugh :P
16:23:31 perhaps the correct response is to mark those roles as needing work
16:23:35 is all the ceilometer stuff still out of newton integrated gate?
16:23:58 probably - plus they need quite a bit of work i believe, and nobody has had the inclination to do that.
16:24:17 alextricity25: are you there?
16:24:44 the question is valid
16:25:17 I'd confirm it, with low importance because old branch and not frequent role
16:25:22 "fix when convenient"
16:25:39 agreed
16:25:58 next
16:26:01 #link https://bugs.launchpad.net/openstack-ansible/+bug/1694727
16:26:02 Launchpad bug 1694727 in openstack-ansible "Multicast not enabled through Firewalld on Openstack Hosts" [Undecided,New]
16:26:19 I haven't confirmed, but I can guess the mess it's gonna cause
16:26:44 hmm yeah.
16:26:49 oh it's not only about keepalived, the man's gonna have issues with vxlan too
16:27:01 keepalived is the first one showing
16:27:10 we don't configure hosts though
16:27:19 that's true also
16:27:42 the thing with the ansible security role, is that we setup expectations that we are doing everything
16:28:11 Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible master: Implement rolling upgrades for cinder https://review.openstack.org/469955
16:28:22 yeah agreed - it should be documented though in host setup
16:28:29 Can we have confirmation that fw rules are there?
16:28:47 ansible security can't know what group will be used for keepalived, so it's hard to do it there
16:28:57 because it's becoming an independent role
16:29:17 I have seen issue on some switches config with multicast stuff
16:29:31 mgariepy[cell]: what do you mean?
16:29:52 yeah multicast is used in OSA
16:30:04 we don't configure switches though
16:30:16 Does the security role add rules to firewalld?
16:30:26 Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible master: Implement rolling upgrades for cinder https://review.openstack.org/469955
16:30:40 mgariepy[cell]: it could
16:31:35 Keepalived also needs some selinux love but i haven't had time to fix it yet
16:31:38 example https://github.com/openstack/openstack-ansible-security/blob/d8336717aadd8f7e501d3dc1c25b2aedd67d7e9f/tasks/rhel7stig/misc.yml#L283
16:32:08 oh? It passes my gates, so I'd be happy to know the issue
16:32:22 anyway
16:32:32 I think it's an expectations problem here
16:32:43 so either it's a doc change, to explain what we need
16:33:16 +1 on doc change.
16:33:19 or, we add a firewall configuration thing in the haproxy play
16:33:40 but then another firewall configuration is needed for vxlan
16:34:10 But on a default install is fwd configured by osa?
16:34:22 mgariepy[cell]: i don't think so
16:34:40 osa makes use of the security role by default IIRC
16:34:48 therefore on centos we are configuring firewalld
16:34:56 i guess if we are configuring specific groups that only get used by OSA and don't impact anything else, i can see why we would do it
16:35:05 So the user added his fw conf?
16:35:41 not sure what you mean there
16:35:59 for me it makes sense to limit this as a doc change
16:36:15 you start with an ubuntu or centos with x configured
16:36:34 yeah that works
16:37:14 x is, here, a firewalling allowing multicast for keepalived and vxlan.
16:37:22 confirmed medium?
16:37:26 Yes doc change
16:39:09 yeah
16:39:11 agreed with that
16:39:20 that's it for today
16:39:25 thanks everyone
16:39:41 (except if someone has a bug to discuss?)
16:39:46 Thanks, I'll be off now
16:39:55 haha ok :)
16:40:03 closing in 5
16:40:04 4
16:40:06 3
16:40:07 2
16:40:07 1
16:40:09 #endmeeting