16:00:48 <evrardjp> #startmeeting openstack_ansible_meeting
16:00:49 <openstack> Meeting started Tue Jul 11 16:00:48 2017 UTC and is due to finish in 60 minutes. The chair is evrardjp. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:50 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:52 <openstack> The meeting name has been set to 'openstack_ansible_meeting'
16:00:55 <andymccr> so pumped! lets do this thing.
16:01:24 <evrardjp> Yeah, it's not like our days are not full already, right? right?
16:01:35 <evrardjp> we have 42 bugs today.
16:01:54 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1702962 Misconfigured health check for Barbican with haproxy
16:01:55 <openstack> Launchpad bug 1702962 in openstack-ansible "Misconfigured health check for Barbican with haproxy" [Undecided,New]
16:02:33 <spotz> I blame odyssey4me cause I haven't seen him yet today
16:03:29 <andymccr> hmm
16:03:33 <andymccr> that should be easy enough to fix
16:03:37 <andymccr> id say its high if confirmed
16:04:07 <evrardjp> well that sounds bad
16:04:32 <evrardjp> jmccrory: did you deploy barbican at some point? Did you deploy it with haproxy?
16:04:38 <evrardjp> Or I remember wrong?
16:05:52 <andymccr> we should get a scenario with it in at some point - tbh i thought we had one already :)
16:06:01 <evrardjp> I don't see HEAD in the docs
16:06:37 <evrardjp> it looks probably valid
16:06:43 <evrardjp> confirmed high ?
16:06:51 <andymccr> yeah id say confirmed high
16:06:52 <evrardjp> or we wait for more confirmations?
16:07:00 <andymccr> we have had that with some other services recently, so i am guessing there is a change thats happened
16:07:24 <evrardjp> Yeah I remember seeing something on that topic
16:08:24 <evrardjp> ok let's move on
16:08:39 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1702553
16:08:40 <openstack> Launchpad bug 1702553 in openstack-ansible "ansible-hardening : V-38660 - The snmpd service must only use SNMPv3 or newer Bad Grep" [Undecided,New]
16:09:03 <andymccr> damnit mhayden
16:09:08 <andymccr> how could you
16:09:21 <mhayden> oopsies
16:09:31 <andymccr> :D
16:09:37 <mhayden> i grabbed that one
16:09:42 <evrardjp> low hanging fruit confirmed ?
16:09:51 <evrardjp> what does that mean, you already fixed it?
16:09:52 <mhayden> yeah
16:09:59 <evrardjp> Because you had other ^# issues
16:10:01 <evrardjp> ok
16:10:06 <mhayden> well, grep never seems easy, but you know what i mean
16:10:27 <mhayden> there are a shedload of bug fixes in ansible-hardening that need reviews
16:10:29 * mhayden plugs
16:10:34 * mhayden waits for evrardjp to hit me with the bat
16:10:46 <odyssey4me> mhayden you write such buggy software, sheesh
16:10:50 <mhayden> indeed
16:11:03 <evrardjp> no, I'm just letting a message for the bug reporter
16:11:09 <evrardjp> we are good to go I think.
16:11:24 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1702526
16:11:25 <openstack> Launchpad bug 1702526 in openstack-ansible "Setting security_pwquality_apply_rules: yes breaks passwd command" [Undecided,New]
16:11:25 <mhayden> https://review.openstack.org/#/q/project:openstack/ansible-hardening+status:open :)
16:11:26 <evrardjp> mhayden: !
16:11:30 <andymccr> haha mhayden tbh its kinda nice the amount of bug reports you get - shows ppl are using it.
16:11:41 <mhayden> i missed this one
16:11:45 <evrardjp> andymccr: Who is using openstack-ansible anyway
16:11:48 <evrardjp> :p
16:11:53 <andymccr> how do we spin ansible-security-hardening into its own project so we can get rid of these bugs on our list? :P
16:11:54 <mhayden> evrardjp: confirmed, low, assign to me! :)
16:12:14 <evrardjp> I like how this goes mhayden
16:12:26 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1702123
16:12:27 <openstack> Launchpad bug 1702123 in openstack-ansible "SELinux error: keepalived reading haproxy pid file" [Undecided,New] - Assigned to Major Hayden (rackerhacker)
16:12:28 <evrardjp> darn.
16:12:30 <evrardjp> that's me
16:12:35 <evrardjp> good it merged.
16:12:53 <evrardjp> next
16:13:02 <evrardjp> oh wait
16:13:07 <evrardjp> It's not fixed for osa
16:13:24 <andymccr> huh? :P
16:13:41 <evrardjp> yes sorry
16:13:42 <mhayden> oh yeah, this was a PR in evrardjp's ansible-keepalived role
16:13:44 <evrardjp> the base code
16:13:52 <evrardjp> is merged in ansible-keepalived
16:14:01 <evrardjp> but there is something to do in OSA
16:14:05 <evrardjp> I assigned it to me
16:14:07 <evrardjp> let's go on
16:14:12 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1701609
16:14:13 <openstack> Launchpad bug 1701609 in openstack-ansible "DNS plugin is explicitly excluded from neutron config" [Undecided,New]
16:14:42 <evrardjp> It looks like this is done according to docs
16:14:59 <evrardjp> I remember this was at the source of an openstack ML thread
16:15:45 <evrardjp> anyone knows more about it?
16:16:02 <andymccr> mugsie: do you have a recommendation on that one?
16:16:10 <evrardjp> Adri2000: ArchiFleKs?
16:16:26 <mugsie> andymccr: oh, I found out what was up with that last night
16:16:29 <evrardjp> I remember that ArchiFleKs was on it
16:16:34 <andymccr> ahh sweet
16:16:44 <evrardjp> ok?
16:16:46 <mugsie> let me close it - someone did the right thing - DNS is a "special" ML2 integration
16:17:06 <evrardjp> Yeah I worked with ArchiFleKs on that
16:17:13 <andymccr> ahh ok cool.
16:17:15 <mugsie> there is a corresponding if "dns" in neutron_plugins
16:17:24 <andymccr> thanks for looking into it all the same
16:17:27 <evrardjp> so we're good?
16:17:34 <evrardjp> I will mark it as invalid then
16:17:47 <evrardjp> 3
16:17:48 <evrardjp> 2
16:17:48 <evrardjp> 1
16:17:50 <evrardjp> next!
16:18:02 <andymccr> sweet :D
16:18:04 <andymccr> killing it
16:18:04 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1700482
16:18:05 <openstack> Launchpad bug 1700482 in openstack-ansible "haproxy-endpoint-manage.yml dose not exist in stable/ocata" [Undecided,New]
16:18:21 <evrardjp> this looks invalid to me
16:18:40 <evrardjp> Too bad we can't talk to the user, we could have helped him
16:18:52 <evrardjp> invalid, ok for everyone?
16:19:07 <odyssey4me> that's been fixed
16:19:14 <odyssey4me> it was valid
16:19:18 <evrardjp> oh ok
16:19:20 <evrardjp> my bad
16:19:21 <jmccrory> https://review.openstack.org/#/c/477470/
16:19:36 <jmccrory> where odyssey4me fixed it
16:19:52 <andymccr> sweet
16:20:06 <andymccr> so its fixed pending sha bump? or the new sha is included
16:20:10 <andymccr> e.g. do we need a release asap?
16:20:20 <odyssey4me> it was never released with the problem
16:20:33 <odyssey4me> this was someone chasing the head of the branch
16:20:42 <andymccr> ahh ok
16:20:45 <andymccr> thats even better then :D
16:21:12 <evrardjp> in any case, I marked it as incomplete, waiting for user confirmation that it was solved, as I usually do. If no answer it will expire.
16:21:20 <andymccr> sounds good to me
16:21:26 <evrardjp> next!
16:21:27 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1700061
16:21:28 <openstack> Launchpad bug 1700061 in openstack-ansible "Telemetry doesn't work on deploying OpenStack using OSA Newton release" [Undecided,New]
16:21:56 <andymccr> telemetry
16:22:02 <evrardjp> so, it was working under Mitaka, but it's not working anymore
16:22:10 <evrardjp> but nobody put the time to make it work
16:22:23 <andymccr> yeah unfortunately, we havent had enough interested people maintaining those roles
16:22:25 <evrardjp> I'd say confirmed
16:22:37 <evrardjp> and we can go for low, because of the coverage of this
16:22:47 <andymccr> agered
16:22:49 <andymccr> agreed
16:22:59 <jmccrory> doesn't mention an error or what exactly isn't working
16:23:05 <andymccr> yeah that too
16:23:13 <andymccr> but im guessing its just not working in general since nobody has kept those maintained
16:24:39 <evrardjp> let's first agree on the importance: low
16:24:45 <andymccr> yeah sure
16:24:47 <evrardjp> because of its scoping
16:24:49 <evrardjp> ok
16:24:50 <evrardjp> so
16:24:51 <evrardjp> next
16:24:59 <evrardjp> well
16:25:08 <evrardjp> I mean, do we confirm or not?
16:25:38 <andymccr> yeah
16:25:42 <andymccr> i mean i think its clear its not working
16:25:55 <andymccr> just that there doesnt seem to be much interest in fixing it up
16:26:13 <evrardjp> ok so confirmed low
16:26:31 <andymccr> gets my vote
16:27:13 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1700051
16:27:15 <openstack> Launchpad bug 1700051 in openstack-ansible "lsyncd don't work in centos7" [Undecided,New]
16:27:45 <evrardjp> that sounds bad
16:27:52 <evrardjp> mgariepy: mhayden?
16:27:55 <evrardjp> Did you see that?
16:27:59 <andymccr> that does sound bad
16:29:48 <andymccr> well
16:29:56 <evrardjp> confirmed high?
16:29:58 <andymccr> im spinning up a centos aio right now so maybe i can double check that
16:30:06 <andymccr> yeah
16:30:09 <andymccr> assign it to me i think
16:30:11 <evrardjp> don't forget the affinity :p
16:30:27 <evrardjp> even if not confirmed
16:30:32 <evrardjp> we can change the status
16:30:51 <andymccr> agreed
16:31:12 <andymccr> i'll probably just finish setting this up and add more hosts afterwards ;D
16:31:36 <evrardjp> haha true
16:31:38 <evrardjp> so
16:31:40 <evrardjp> next
16:31:41 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1699875
16:31:42 <openstack> Launchpad bug 1699875 in openstack-ansible "rsyslog client postrotate script contains invalid command" [Undecided,New]
16:32:40 <andymccr> hmm
16:33:29 <andymccr> ok we should fix that one
16:33:40 <evrardjp> I don't see what's wrong
16:33:43 <evrardjp> oh ok
16:33:45 <evrardjp> yeah
16:33:48 <evrardjp> fair enough
16:34:21 <evrardjp> we should template that per sys_mgr or something like that
16:34:25 <evrardjp> I don't really remember
16:34:31 <andymccr> yeah
16:34:41 <evrardjp> sounds a large annoyance
16:34:52 <evrardjp> I'd like to put that into high and low hanging fruit.
16:35:07 <evrardjp> see if it helps resolving
16:35:52 <evrardjp> 3
16:35:52 <evrardjp> 2
16:35:53 <evrardjp> 1
16:35:54 <evrardjp> next
16:36:06 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1699539
16:36:08 <openstack> Launchpad bug 1699539 in openstack-ansible "Ansible prior 2.2.3 is vulnerable with CVE-2017-7466, CVE-2017-7473, CVE-2017-7481" [Undecided,New]
16:36:11 <evrardjp> interesting one IMO
16:37:00 <andymccr> they surely would've backported those to like 2.1 branch too
16:37:00 <odyssey4me> considering how long ago we went from 2.1 to 2.2, and all the pain it took, I just don't see how we can do that
16:37:18 <andymccr> if not we need those fixes backported if the 2.1 branch is vulnerable to those cve's
16:37:28 <andymccr> we can then bump to latest version of 2.1
16:37:59 <evrardjp> isn't 2.1 receiving updates for this?
16:38:06 <evrardjp> sorry I didn't track it
16:38:35 <andymccr> not sure - we should look into that though
16:38:58 <andymccr> odyssey4me: is right though, moving 2.1 --> 2.2 is not really a viable plan for a stable branch
16:39:31 <evrardjp> Hi all, we are happy to announce that Ansible 2.3.1 and 2.1.6 final have been released.
16:39:31 <evrardjp> The 2.3.1 release fixes several bugs, and both releases include a fix for CVE-2017-7481 (SEVERITY: Moderate).
16:39:51 <evrardjp> Extract from ansible project group, from jimi-c
16:40:11 <evrardjp> I guess we can assume that if we bump 2.1.6 it's good enough for security.
16:40:15 <evrardjp> so what are we running?
16:40:44 <logan-> https://github.com/openstack/openstack-ansible/blob/stable/newton/scripts/bootstrap-ansible.sh#L25
16:40:56 <logan-> 2.1.6.0
16:41:20 <logan-> https://github.com/openstack/openstack-ansible/commit/8e0582b686b7aca97c6d34d512a3fcbeb1a63452
16:41:42 <evrardjp> cool thanks logan-
16:41:51 <logan-> thanks odyssey4me :P
16:42:25 <andymccr> yeah was looking for that :P thanks
16:42:27 <evrardjp> so what's the triage?
16:42:33 <andymccr> well if we have resolved the cve's
16:42:33 <odyssey4me> haha :)
16:42:35 <evrardjp> thanks odyssey4me indeed
16:42:36 <andymccr> then its resolved already
16:44:33 <evrardjp> let's continue
16:44:41 <evrardjp> sorry if I'm a little slow today :p
16:44:44 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1699191
16:44:45 <openstack> Launchpad bug 1699191 in openstack-ansible "Keystone role fails if backend admin or internal uri protocol differs from frontend" [Undecided,New]
16:46:25 <odyssey4me> ah, good bug
16:46:59 <odyssey4me> we'll have to work around it
16:47:28 <evrardjp> I don't think bugs can be considered good, but I still agree with you odyssey4me :D
16:48:06 <openstackgerrit> Markos Chandras (hwoarang) proposed openstack/openstack-ansible-os_gnocchi master: templates: gnocchi-httpd: Ensure proper user control in gnocchi root https://review.openstack.org/482632
16:48:06 <openstackgerrit> Markos Chandras (hwoarang) proposed openstack/openstack-ansible-os_gnocchi master: Add support for the openSUSE Leap distributions https://review.openstack.org/482633
16:48:15 <LiterateHawk> Hi all - does br-mgmt have to be a regular linuxbridge and not an OVS bridge?
16:48:56 <jamesdenton> LiterateHawk Yes, as far as i know
16:49:33 <evrardjp> ok let's mark it as confirmed and medium?
16:49:42 <evrardjp> let's finish this bug triage real quick
16:49:44 <LiterateHawk> jamesdenton Awesome. I got some strange errors trying to attach container veths to the bridge and figured
16:50:00 <evrardjp> could you discuss this guys at the end of the bug triage please?
16:50:25 <evrardjp> ok next
16:50:36 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1698871
16:50:37 <openstack> Launchpad bug 1698871 in openstack-ansible "[master] [os_gnocchi]Gnocchi role tests failing on installing pip packages" [Undecided,New] - Assigned to Miguel Alejandro Cantu (miguel-cantu)
16:50:47 <odyssey4me> internal SSL on the keystone container is not a tested code path - we should add a scenario to test it
16:51:01 <evrardjp> agreed odyssey4me
16:51:20 <evrardjp> next bug is targeting gnocchi, what should we do again?
16:51:28 <evrardjp> let's leave it as is?
16:51:33 <andymccr> yeah i think so
16:52:04 <evrardjp> ok
16:52:06 <evrardjp> let's move on
16:52:10 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1698831
16:52:11 <openstack> Launchpad bug 1698831 in openstack-ansible "os_cinder volume service fails with Volume group "cinder-volumes" not found" [Medium,New] - Assigned to Jesse Pretorius (jesse-pretorius)
16:52:33 <evrardjp> odyssey4me: what's the status of this?
16:52:48 <evrardjp> is it over with the related fixes?
16:53:01 <andymccr> i think thats fixed now - its an lxc issue that we couldnt get around afaik
16:53:43 <evrardjp> ok
16:53:48 <evrardjp> let's mark it as fixed then
16:54:15 <evrardjp> (waiting for odyssey4me's opinion, he is currently reading it)
16:54:34 <odyssey4me> it's only worked around for now
16:54:46 <odyssey4me> I still need to go back and implement a new test for it to ensure we increase coverage
16:55:06 <evrardjp> ok, good I'll leave it as in progress then
16:55:06 <odyssey4me> I'm marking as triaged
16:55:16 <evrardjp> ok that's good enough too.
16:55:47 <evrardjp> at the end of the meeting you can add a link to remember this :p
16:55:52 <evrardjp> next
16:55:54 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1697981
16:55:55 <openstack> Launchpad bug 1697981 in openstack-ansible "Override neutron_dnsmasq_neutron_conf_overrides is broken" [Undecided,New]
16:56:24 <evrardjp> looks a problem to me
16:56:34 <evrardjp> I'd personally mark it as confirmed and medium
16:56:42 <evrardjp> it's not high but it's very painful
16:58:00 <evrardjp> I'll take it, and I hope I will eventually have time to do it.
16:58:24 <evrardjp> next
16:58:26 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1697782
16:58:27 <openstack> Launchpad bug 1697782 in openstack-ansible "Mounting of ceph-backed cinder volumes is broken after Ocata upgrade" [Undecided,New]
16:58:33 <evrardjp> it's the last one for today, on the gong
17:00:00 <evrardjp> logan-: ?
17:00:06 <logan-> reading thru
17:00:10 <evrardjp> could you have a look at that? I think that might interest you
17:01:06 <logan-> yeah for sure. assign to me and ill try to confirm it. seems like it ought to be breaking our tempest runs in ceph builds if one of the tests tries to attach a volume to a nova instance
17:01:30 <logan-> ill make an aio and try to break it
17:01:55 <evrardjp> that's cool
17:01:57 <evrardjp> thanks logan-!
17:02:17 <evrardjp> we are done for today!
17:02:23 <evrardjp> thanks everyone, as usual.
17:02:28 <evrardjp> sorry for the time it took
17:02:33 <evrardjp> #endmeeting