16:00:48 <evrardjp> #startmeeting openstack_ansible_meeting
16:00:49 <openstack> Meeting started Tue Jul 11 16:00:48 2017 UTC and is due to finish in 60 minutes.  The chair is evrardjp. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:50 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:52 <openstack> The meeting name has been set to 'openstack_ansible_meeting'
16:00:55 <andymccr> so pumped! lets do this thing.
16:01:24 <evrardjp> Yeah, it's not like our days are not full already, right? right?
16:01:35 <evrardjp> we have 42 bugs today.
16:01:54 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1702962 Misconfigured health check for Barbican with haproxy
16:01:55 <openstack> Launchpad bug 1702962 in openstack-ansible "Misconfigured health check for Barbican with haproxy" [Undecided,New]
16:02:33 <spotz> I blame odyssey4me cause I haven't seen him yet today
16:03:29 <andymccr> hmm
16:03:33 <andymccr> that should be easy enough to fix
16:03:37 <andymccr> id say its high if confirmed
16:04:07 <evrardjp> well that sounds bad
16:04:32 <evrardjp> jmccrory: did you deploy barbican at some point? Did you deploy it with haproxy?
16:04:38 <evrardjp> Or I remember wrong?
16:05:52 <andymccr> we should get a scenario with it in at some point - tbh i thought we had one already :)
16:06:01 <evrardjp> I don't see HEAD in the docs
16:06:37 <evrardjp> it looks probably valid
16:06:43 <evrardjp> confirmed high ?
16:06:51 <andymccr> yeah id say confirmed high
16:06:52 <evrardjp> or we wait for more confirmations?
16:07:00 <andymccr> we have had that with some other services recently, so i am guessing there is a change thats happened
16:07:24 <evrardjp> Yeah I remember seeing something on that topic
16:08:24 <evrardjp> ok let's move on
16:08:39 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1702553
16:08:40 <openstack> Launchpad bug 1702553 in openstack-ansible "ansible-hardening : V-38660 - The snmpd service must only use SNMPv3 or newer Bad Grep" [Undecided,New]
16:09:03 <andymccr> damnit mhayden
16:09:08 <andymccr> how could you
16:09:21 <mhayden> oopsies
16:09:31 <andymccr> :D
16:09:37 <mhayden> i grabbed that one
16:09:42 <evrardjp> low hanging fruit confirmed ?
16:09:51 <evrardjp> what does that mean, you already fixed it?
16:09:52 <mhayden> yeah
16:09:59 <evrardjp> Because you had other ^# issues
16:10:01 <evrardjp> ok
16:10:06 <mhayden> well, grep never seems easy, but you know what i mean
16:10:27 <mhayden> there are a shedload of bug fixes in ansible-hardening that need reviews
16:10:29 * mhayden plugs
16:10:34 * mhayden waits for evrardjp to hit me with the bat
16:10:46 <odyssey4me> mhayden you write such buggy software, sheesh
16:10:50 <mhayden> indeed
16:11:03 <evrardjp> no, I'm just leaving a message for the bug reporter
16:11:09 <evrardjp> we are good to go I think.
16:11:24 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1702526
16:11:25 <openstack> Launchpad bug 1702526 in openstack-ansible "Setting security_pwquality_apply_rules: yes breaks passwd command" [Undecided,New]
16:11:25 <mhayden> https://review.openstack.org/#/q/project:openstack/ansible-hardening+status:open :)
16:11:26 <evrardjp> mhayden: !
16:11:30 <andymccr> haha mhayden tbh its kinda nice the amount of bug reports you get - shows ppl are using it.
16:11:41 <mhayden> i missed this one
16:11:45 <evrardjp> andymccr: Who is using openstack-ansible anyway
16:11:48 <evrardjp> :p
16:11:53 <andymccr> how do we spin ansible-security-hardening into its own project so we can get rid of these bugs on our list? :P
16:11:54 <mhayden> evrardjp: confirmed, low, assign to me! :)
16:12:14 <evrardjp> I like how this goes mhayden
16:12:26 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1702123
16:12:27 <openstack> Launchpad bug 1702123 in openstack-ansible "SELinux error: keepalived reading haproxy pid file" [Undecided,New] - Assigned to Major Hayden (rackerhacker)
16:12:28 <evrardjp> darn.
16:12:30 <evrardjp> that's me
16:12:35 <evrardjp> good it merged.
16:12:53 <evrardjp> next
16:13:02 <evrardjp> oh wait
16:13:07 <evrardjp> It's not fixed for osa
16:13:24 <andymccr> huh? :P
16:13:41 <evrardjp> yes sorry
16:13:42 <mhayden> oh yeah, this was a PR in evrardjp's ansible-keepalived role
16:13:44 <evrardjp> the base code
16:13:52 <evrardjp> is merged in ansible-keepalived
16:14:01 <evrardjp> but there is something to do in OSA
16:14:05 <evrardjp> I assigned it to me
16:14:07 <evrardjp> let's go on
16:14:12 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1701609
16:14:13 <openstack> Launchpad bug 1701609 in openstack-ansible "DNS plugin is explicitly excluded from neutron config" [Undecided,New]
16:14:42 <evrardjp> It looks like this is done according to docs
16:14:59 <evrardjp> I remember this was at the source of an openstack ML thread
16:15:45 <evrardjp> anyone knows more about it?
16:16:02 <andymccr> mugsie: do you have a recommendation on that one?
16:16:10 <evrardjp> Adri2000: ArchiFleKs?
16:16:26 <mugsie> andymccr: oh, I found out what was up with that last night
16:16:29 <evrardjp> I remember that ArchiFleKs was on it
16:16:34 <andymccr> ahh sweet
16:16:44 <evrardjp> ok?
16:16:46 <mugsie> let me close it - someone did the right thing - DNS is a "special" ML2 integration
16:17:06 <evrardjp> Yeah I worked with ArchiFleKs on that
16:17:13 <andymccr> ahh ok cool.
16:17:15 <mugsie> there is a corresponding if "dns" in neutron_plugins
16:17:24 <andymccr> thanks for looking into it all the same
16:17:27 <evrardjp> so we're good?
16:17:34 <evrardjp> I will mark it as invalid then
16:17:47 <evrardjp> 3
16:17:48 <evrardjp> 2
16:17:48 <evrardjp> 1
16:17:50 <evrardjp> next!
16:18:02 <andymccr> sweet :D
16:18:04 <andymccr> killing it
16:18:04 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1700482
16:18:05 <openstack> Launchpad bug 1700482 in openstack-ansible "haproxy-endpoint-manage.yml dose not exist in stable/ocata" [Undecided,New]
16:18:21 <evrardjp> this looks invalid to me
16:18:40 <evrardjp> Too bad we can't talk to the user, we could have helped him
16:18:52 <evrardjp> invalid, ok for everyone?
16:19:07 <odyssey4me> that's been fixed
16:19:14 <odyssey4me> it was valid
16:19:18 <evrardjp> oh ok
16:19:20 <evrardjp> my bad
16:19:21 <jmccrory> https://review.openstack.org/#/c/477470/
16:19:36 <jmccrory> where odyssey4me fixed it
16:19:52 <andymccr> sweet
16:20:06 <andymccr> so its fixed pending sha bump? or the new sha is included
16:20:10 <andymccr> e.g. do we need a release asap?
16:20:20 <odyssey4me> it was never released with the problem
16:20:33 <odyssey4me> this was someone chasing the head of the branch
16:20:42 <andymccr> ahh ok
16:20:45 <andymccr> thats even better then :D
16:21:12 <evrardjp> in any case, I marked it as incomplete, waiting for user confirmation that it was solved, as I usually do. If no answer it will expire.
16:21:20 <andymccr> sounds good to me
16:21:26 <evrardjp> next!
16:21:27 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1700061
16:21:28 <openstack> Launchpad bug 1700061 in openstack-ansible "Telemetry doesn't work on deploying OpenStack using OSA Newton release" [Undecided,New]
16:21:56 <andymccr> telemetry
16:22:02 <evrardjp> so, it was working under Mitaka, but it's not working anymore
16:22:10 <evrardjp> but nobody put the time to make it work
16:22:23 <andymccr> yeah unfortunately, we havent had enough interested people maintaining those roles
16:22:25 <evrardjp> I'd say confirmed
16:22:37 <evrardjp> and we can go for low, because of the coverage of this
16:22:47 <andymccr> agered
16:22:49 <andymccr> agreed
16:22:59 <jmccrory> doesn't mention an error or what exactly isn't working
16:23:05 <andymccr> yeah that too
16:23:13 <andymccr> but im guessing its just not working in general since nobody has kept those maintained
16:24:39 <evrardjp> let's first agree on the importance: low
16:24:45 <andymccr> yeah sure
16:24:47 <evrardjp> because of its scoping
16:24:49 <evrardjp> ok
16:24:50 <evrardjp> so
16:24:51 <evrardjp> next
16:24:59 <evrardjp> well
16:25:08 <evrardjp> I mean, do we confirm or not?
16:25:38 <andymccr> yeah
16:25:42 <andymccr> i mean i think its clear its not working
16:25:55 <andymccr> just that there doesnt seem to be much interest in fixing it up
16:26:13 <evrardjp> ok so confirmed low
16:26:31 <andymccr> gets my vote
16:27:13 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1700051
16:27:15 <openstack> Launchpad bug 1700051 in openstack-ansible "lsyncd don't work in centos7" [Undecided,New]
16:27:45 <evrardjp> that sounds bad
16:27:52 <evrardjp> mgariepy: mhayden?
16:27:55 <evrardjp> Did you see that?
16:27:59 <andymccr> that does sound bad
16:29:48 <andymccr> well
16:29:56 <evrardjp> confirmed high?
16:29:58 <andymccr> im spinning up a centos aio right now so maybe i can double check that
16:30:06 <andymccr> yeah
16:30:09 <andymccr> assign it to me i think
16:30:11 <evrardjp> don't forget the affinity :p
16:30:27 <evrardjp> even if not confirmed
16:30:32 <evrardjp> we can change the status
16:30:51 <andymccr> agreed
16:31:12 <andymccr> i'll probably just finish setting this up and add more hosts afterwards ;D
16:31:36 <evrardjp> haha true
16:31:38 <evrardjp> so
16:31:40 <evrardjp> next
16:31:41 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1699875
16:31:42 <openstack> Launchpad bug 1699875 in openstack-ansible "rsyslog client postrotate script contains invalid command" [Undecided,New]
16:32:40 <andymccr> hmm
16:33:29 <andymccr> ok we should fix that one
16:33:40 <evrardjp> I don't see what's wrong
16:33:43 <evrardjp> oh ok
16:33:45 <evrardjp> yeah
16:33:48 <evrardjp> fair enough
16:34:21 <evrardjp> we should template that per sys_mgr or something like that
16:34:25 <evrardjp> I don't really remember
16:34:31 <andymccr> yeah
16:34:41 <evrardjp> sounds a large annoyance
16:34:52 <evrardjp> I'd like to put that into high and low hanging fruit.
16:35:07 <evrardjp> see if it helps resolving
16:35:52 <evrardjp> 3
16:35:52 <evrardjp> 2
16:35:53 <evrardjp> 1
16:35:54 <evrardjp> next
16:36:06 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1699539
16:36:08 <openstack> Launchpad bug 1699539 in openstack-ansible "Ansible prior 2.2.3 is vulnerable with CVE-2017-7466, CVE-2017-7473, CVE-2017-7481" [Undecided,New]
16:36:11 <evrardjp> interesting one IMO
16:37:00 <andymccr> they surely would've backported those to like 2.1 branch too
16:37:00 <odyssey4me> considering how long ago we went from 2.1 to 2.2, and all the pain it took, I just don't see how we can do that
16:37:18 <andymccr> if not we need those fixes backported if the 2.1 branch is vulnerable to those cve's
16:37:28 <andymccr> we can then bump to latest version of 2.1
16:37:59 <evrardjp> isn't 2.1 receiving updates for this?
16:38:06 <evrardjp> sorry I didn't track it
16:38:35 <andymccr> not sure - we should look into that though
16:38:58 <andymccr> odyssey4me:  is right though, moving 2.1 --> 2.2 is not really a viable plan for a stable branch
16:39:31 <evrardjp> Hi all, we are happy to announce that Ansible 2.3.1 and 2.1.6 final have been released.
16:39:31 <evrardjp> The 2.3.1 release fixes several bugs, and both releases include a fix for CVE-2017-7481 (SEVERITY: Moderate).
16:39:51 <evrardjp> Extract from ansible project group, from jimi-c
16:40:11 <evrardjp> I guess we can assume that if we bump 2.1.6 it's good enough for security.
16:40:15 <evrardjp> so what are we running?
16:40:44 <logan-> https://github.com/openstack/openstack-ansible/blob/stable/newton/scripts/bootstrap-ansible.sh#L25
16:40:56 <logan-> 2.1.6.0
16:41:20 <logan-> https://github.com/openstack/openstack-ansible/commit/8e0582b686b7aca97c6d34d512a3fcbeb1a63452
16:41:42 <evrardjp> cool thanks logan-
16:41:51 <logan-> thanks odyssey4me :P
16:42:25 <andymccr> yeah was looking for that :P thanks
16:42:27 <evrardjp> so what's the triage?
16:42:33 <andymccr> well if we have resolved the cve's
16:42:33 <odyssey4me> haha :)
16:42:35 <evrardjp> thanks odyssey4me indeed
16:42:36 <andymccr> then its resolved already
16:44:33 <evrardjp> let's continue
16:44:41 <evrardjp> sorry if I'm a little slow today :p
16:44:44 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1699191
16:44:45 <openstack> Launchpad bug 1699191 in openstack-ansible "Keystone role fails if backend admin or internal uri protocol differs from frontend" [Undecided,New]
16:46:25 <odyssey4me> ah, good bug
16:46:59 <odyssey4me> we'll have to work around it
16:47:28 <evrardjp> I don't think bugs can be considered good, but I still agree with you odyssey4me :D
16:48:06 <openstackgerrit> Markos Chandras (hwoarang) proposed openstack/openstack-ansible-os_gnocchi master: templates: gnocchi-httpd: Ensure proper user control in gnocchi root  https://review.openstack.org/482632
16:48:06 <openstackgerrit> Markos Chandras (hwoarang) proposed openstack/openstack-ansible-os_gnocchi master: Add support for the openSUSE Leap distributions  https://review.openstack.org/482633
16:48:15 <LiterateHawk> Hi all - does br-mgmt have to be a regular linuxbridge and not an OVS bridge?
16:48:56 <jamesdenton> LiterateHawk Yes, as far as i know
16:49:33 <evrardjp> ok let's mark it as confirmed and medium?
16:49:42 <evrardjp> let's finish this bug triage real quick
16:49:44 <LiterateHawk> jamesdenton Awesome. I got some strange errors trying to attach container veths to the bridge and figured
16:50:00 <evrardjp> could you discuss this guys at the end of the bug triage please?
16:50:25 <evrardjp> ok next
16:50:36 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1698871
16:50:37 <openstack> Launchpad bug 1698871 in openstack-ansible "[master] [os_gnocchi]Gnocchi role tests failing on installing pip packages" [Undecided,New] - Assigned to Miguel Alejandro Cantu (miguel-cantu)
16:50:47 <odyssey4me> internal SSL on the keystone container is not a tested code path - we should add a scenario to test it
16:51:01 <evrardjp> agreed odyssey4me
16:51:20 <evrardjp> next bug is targeting gnocchi, what should we do again?
16:51:28 <evrardjp> let's leave it as is?
16:51:33 <andymccr> yeah i think so
16:52:04 <evrardjp> ok
16:52:06 <evrardjp> let's move on
16:52:10 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1698831
16:52:11 <openstack> Launchpad bug 1698831 in openstack-ansible "os_cinder volume service fails with Volume group "cinder-volumes" not found" [Medium,New] - Assigned to Jesse Pretorius (jesse-pretorius)
16:52:33 <evrardjp> odyssey4me: what's the status of this?
16:52:48 <evrardjp> is it over with the related fixes?
16:53:01 <andymccr> i think thats fixed now - its an lxc issue that we couldnt get around afaik
16:53:43 <evrardjp> ok
16:53:48 <evrardjp> let's mark it as fixed then
16:54:15 <evrardjp> (waiting for odyssey4me's opinion, he is currently reading it)
16:54:34 <odyssey4me> it's only worked around for now
16:54:46 <odyssey4me> I still need to go back and implement a new test for it to ensure we increase coverage
16:55:06 <evrardjp> ok, good I'll leave it as in progress then
16:55:06 <odyssey4me> I'm marking as triaged
16:55:16 <evrardjp> ok that's good enough too.
16:55:47 <evrardjp> at the end of the meeting you can add a link to remember this :p
16:55:52 <evrardjp> next
16:55:54 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1697981
16:55:55 <openstack> Launchpad bug 1697981 in openstack-ansible "Override neutron_dnsmasq_neutron_conf_overrides is broken" [Undecided,New]
16:56:24 <evrardjp> looks a problem to me
16:56:34 <evrardjp> I'd personally mark it as confirmed and medium
16:56:42 <evrardjp> it's not high but it's very painful
16:58:00 <evrardjp> I'll take it, and I hope I will eventually have time to do it.
16:58:24 <evrardjp> next
16:58:26 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1697782
16:58:27 <openstack> Launchpad bug 1697782 in openstack-ansible "Mounting of ceph-backed cinder volumes is broken after Ocata upgrade" [Undecided,New]
16:58:33 <evrardjp> it's the last one for today, on the gong
17:00:00 <evrardjp> logan-: ?
17:00:06 <logan-> reading thru
17:00:10 <evrardjp> could you have a look at that? I think that might interest you
17:01:06 <logan-> yeah for sure. assign to me and ill try to confirm it. seems like it ought to be breaking our tempest runs in ceph builds if one of the tests tries to attach a volume to a nova instance
17:01:30 <logan-> ill make an aio and try to break it
17:01:55 <evrardjp> that's cool
17:01:57 <evrardjp> thanks logan-!
17:02:17 <evrardjp> we are done for today!
17:02:23 <evrardjp> thanks everyone, as usual.
17:02:28 <evrardjp> sorry for the time it took
17:02:33 <evrardjp> #endmeeting