16:01:15 #startmeeting openstack_ansible_meeting 16:01:16 Meeting started Tue Sep 19 16:01:15 2017 UTC and is due to finish in 60 minutes. The chair is evrardjp. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:01:17 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:01:19 The meeting name has been set to 'openstack_ansible_meeting' 16:01:34 \o/ 16:01:35 #topic new bugs 16:01:44 #link https://bugs.launchpad.net/openstack-ansible/+bug/1718188 16:01:45 Launchpad bug 1718188 in openstack-ansible "Example layer 3 routed environment configuration limits VIP to POD1" [Undecided,New] 16:01:45 o/ 16:02:08 ahha thats mine 16:03:16 so either ive misunderstood how the vip works, or it cant escape from the subnet infra1 is on 16:03:49 the configuration doesn't match the description 16:04:13 pod1_container: 172.29.236.0/24, pod2_container: 172.29.237.0/24 16:04:35 but https://docs.openstack.org/project-deploy-guide/openstack-ansible/pike/app-config-pod.html#network-configuration 16:04:40 isn't consistent 16:04:45 Merged openstack/openstack-ansible-os_ironic stable/newton: Fix typo in timeout https://review.openstack.org/504969 16:04:53 Merged openstack/openstack-ansible-os_nova master: Add always tag where it's needed https://review.openstack.org/494386 16:04:57 lb vip address could be updated to use a /22 16:05:12 and description adapted 16:05:22 not in a l3 example like that 16:05:34 why not? 16:05:38 yeah it'll need to be in the same L3 segment 16:06:06 because the network l3 config only allows certain subnets to live in each pod 16:06:06 not sure what you both mean here 16:06:12 and they dont span pods 16:06:14 the vip is limited to one pod 16:06:19 so the vip cant float 16:06:29 yes what logan- says 16:06:55 ok let's take a step back first 16:07:10 do you agree there is a mismatch between the code and the description ? 16:08:31 i'm not sure which description. im just looking at the o_u_c config dump in that doc and the config is invalid 16:08:34 im on my mobile on the train so its not ideal to look in great detail 16:08:42 haproxy_hosts can only contain hosts in one pod 16:09:02 the floating ip os a layer2 construct i think 16:09:13 but the infra nodes have no l2 adjacency 16:09:16 that is the issue 16:09:28 we use vrrp (l2 failover) to fail the vip between hosts which will not work to fail the vip between l3 segments 16:09:39 agreed 16:09:52 i forsee sinilar problems for eutron routers in that example too 16:09:55 I agree on there, but let's focus on each bug at a time? 16:10:04 cidr_networks: 16:10:05 pod1_container: 172.29.236.0/24 16:10:05 pod2_container: 172.29.237.0/24 16:10:06 pod3_container: 172.29.238.0/24 16:10:09 pod4_container: 172.29.239.0/24 16:10:16 asettle, replied to your comment. 16:10:20 is obviously a mismatch with the rest 16:10:26 in : https://review.openstack.org/#/c/505289 16:10:31 mgariepy: grazie! (I didn't want to message you here because of triage) 16:11:02 (hence the -1 to grab attention) 16:11:04 (sorry) 16:11:09 then 16:11:12 (+2a for you, sir) 16:11:23 yeah evrardjp I see what you're saying re: the cidr_networks 16:11:27 i intended this bug to be about the l2 vs l3 / vrrp issue 16:11:33 ok 16:11:39 i hadnt spotted anything else wrong with the config 16:12:00 but i didnt look in great detail 16:12:22 i'll take this and updated docs. you'll either still need some l2 subnet spanning across haproxy hosts, or to use an external lb 16:12:25 jmccrory: are you there? 16:12:26 update* 16:12:36 evrardjp yes, just got on train and laptop 16:12:36 yeah 16:12:55 so here we plan for external adjacency on l2 16:13:12 or alternatively we should do a completely different section 16:13:20 but then we start talking about bgp 16:13:29 it sounds more complex than just giving a disclaimer 16:13:31 my 2p is that the infra nodes dont fit the pod model 16:13:42 that should be limited to compute/storage 16:13:54 why? 16:13:56 and other thing done for l2 infra 16:13:58 isn’t it acceptable to have an l2 connectivity between different pods if you want the vips to run on any pod ? 16:14:07 as long as haproxy is doing alright? 16:14:11 no ecause its a l3 example 16:14:49 anyway, could debate at length :) it doesnt work as is 16:14:56 with multi pods, you can easily add 2-3 more machines as your haproxy host and then it can see all internal pods/networks 16:15:31 yes 16:15:33 decoupling haproxy from controllers ( that live on a certain pod ) might be a workaround /way to go 16:15:39 as long as haproxy nodes would be the integration to the network, it should work, but I guess it all depends on the networks you'll use 16:15:59 jrosser_: I suggest you propose a patch then :p 16:16:03 just an example, no networks are going to be completely identical. i'll updat the docs and we can probably move on 16:16:22 haproxy nodes are the gateways via which the api/horizon .. so if there are multi pods, you need to ensure your haproxy hosts sees them 16:16:38 agreed. Modifying the docs telling the requirements for this, and update for consistency sounds great jmccrory 16:16:41 and it can be on l3 .. just the haproxies need to be in l2 for the vip/vrrp 16:16:53 jrosser_ admin0 you can review the patch jmccrory will post :p 16:16:56 l3 agents? 16:16:58 ok 16:17:08 ok 16:17:22 marking it as confirmed and medium because the pod deployment is not the most often read item in the docs 16:17:25 ok everyone? 16:17:34 ok 16:17:48 sure, thanks everyone 16:18:04 #link https://bugs.launchpad.net/openstack-ansible/+bug/1718187 16:18:05 Launchpad bug 1718187 in openstack-ansible "Implement neutron-fwaas-dashboard" [Undecided,New] 16:18:49 andymccr: are you there? 16:18:58 hello! 16:19:02 wasn't that work done already for translations? 16:19:09 no we dont deploy fwaas i dont think 16:19:14 ok 16:19:33 but i know jafeha_ is looking at adding a patch for this 16:19:37 Marking it as confirmed, thanks to the docs, and to high ? 16:19:47 well i guess you cant work around it so yeah maybe high 16:19:49 jafeha_: that would be great 16:20:00 i just said that if he runs into issues we can help guide through the process 16:20:18 yeah broken expectations..., maybe we should add testing into this scenario 16:20:21 isn’t network >> firewall what Fwaas is ? 16:20:25 into a * 16:20:31 which is there when i do it using ansible 16:20:49 Merged openstack/openstack-ansible master: Fix variable def. https://review.openstack.org/505289 16:20:53 Major Hayden proposed openstack/openstack-ansible-pip_install master: Optimize pip_install for CentOS https://review.openstack.org/504509 16:20:53 admin0: the bug is still valid 16:20:58 i think adding fwaas dashboard to the translations site would be cool but im not sure what else would be needed 16:21:23 fair enough 16:21:40 in the meantime let's see what jafeha_ says 16:21:42 next 16:21:44 #link https://bugs.launchpad.net/openstack-ansible/+bug/1717881 16:21:46 Launchpad bug 1717881 in openstack-ansible "public api does not work if it's behind proxy with ssl termination" [Undecided,New] 16:22:24 Merged openstack/openstack-ansible-os_neutron master: Update links in some docs https://review.openstack.org/504306 16:22:38 Marc Gariépy (mgariepy) proposed openstack/openstack-ansible stable/pike: Fix variable def. https://review.openstack.org/505288 16:23:19 would that be linked https://bugs.launchpad.net/openstack-ansible/+bug/1713663 ? 16:23:20 Launchpad bug 1713663 in openstack-ansible "Set enable_proxy_headers_parsing = True when HAProxy is used" [Medium,Confirmed] 16:23:30 Adri2000: are you there? 16:24:21 looks similar 16:24:25 yeah. 16:24:43 Ok will link the bug to the other bug. 16:26:01 next is maybe a docs bug? 16:26:03 #link https://bugs.launchpad.net/openstack-ansible/+bug/1717506 16:26:04 Launchpad bug 1717506 in openstack-ansible "Quick Start in openstack-ansible" [Undecided,New] 16:26:23 evrardjp: just left a comment in that one. Unless someone else is totally aware of all the things 16:26:39 yes I see 16:26:45 Yeah I have an idea 16:26:48 To me it's fairly incomplete, but if someone is able to fill in the gaps 16:27:00 if you cd /opt/openstack-ansible/playbooks 16:27:07 :D 16:27:11 cp etc/openstack_deploy/conf.d/{aodh,gnocchi,ceilometer}.yml.aio ... won't work 16:27:22 because etc/ is only in /opt/openstack-ansible 16:27:30 not playbooks subfolder 16:27:32 Ohhhh yeah, makes sense. 16:27:46 How have we had that for so long? I've never had an issue with the quick start 16:28:07 we just know what to copy ( without blindly copy/paste ) 16:28:32 S'pose that's probably true 16:28:38 yeah and the for f... sounds bad too 16:28:56 maybe better do multi lines copy/paste 16:29:00 instead of for loop 16:29:01 asettle: I guess admin0 is right 16:29:11 else there will be hey i am using zsh and this does not work 16:29:13 I'll mark it as confirmed 16:29:45 spotz, admin0 or asettle could you have some time to refactor that? 16:29:52 ok 16:29:57 i will 16:29:58 sorry, oxford comma. 16:30:02 Thanks admin0 :) 16:30:03 :) 16:30:20 well you all understood me, so let's continue. Thanks admin0! 16:31:34 next 16:31:36 #link https://bugs.launchpad.net/openstack-ansible/+bug/1717321 16:31:37 Launchpad bug 1717321 in openstack-ansible "Content-Security-Policy for services" [Undecided,New] 16:31:44 yo 16:32:57 that's barely readable :p 16:33:09 welcome to my thought process :P 16:33:29 Haha. 16:33:38 that's not helpful for triaging you know :p 16:33:48 basically it is a question of if and how we want to lock down access 16:34:03 I don't even know if it's an issue or a feature request right now. 16:34:12 this is a good to have 16:34:20 Feature request? 16:34:21 security request? 16:34:29 as an operator and apis etc facing public and looking at people scanning and trying to ddos or break in, is a nice addon 16:34:29 Security feature request :D 16:34:39 wfm 16:34:53 it's a 'good practice' 16:35:15 if it helps I've been running all those settings since ocata 16:35:26 and newton actually 16:35:27 so the good practice is for all the webservers and load balancer to handle Content-Security-Policy , right? 16:35:58 Major Hayden proposed openstack/openstack-ansible-openstack_hosts master: Optimize openstack_hosts for CentOS https://review.openstack.org/504437 16:36:12 yes 16:36:15 the next question is, could you document that? Because it only applies on valid certificates I guess 16:36:27 CSP doesn't need ssl 16:36:59 only the section below 'for ssl something like the following' (and the first comment) are for ssl 16:37:20 X-XSS-Protection, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy do not need ssl 16:37:43 so maybe we should set something that sets the defaults for non ssl, and a boolean to flip when using proper certificates to add this extra security 16:37:50 for the ssl parts. 16:38:22 so I consider this doesn't break anything, but we should definitely make the life of everyone simpler if we define this 16:38:25 sgtm, how it's implimented will differ based on how we do the load balancing though 16:38:32 let's mark this as confirmed and wishlist then 16:38:34 “maybe we should set something that sets the defaults for non ssl” — defaults should always be SSL :D .. even with self-signed certs 16:39:02 did we decide on not using nginx at all or what (what layer should I be adding the headers to? 16:39:09 admin0: that's a different architecture case, I will not go that far for this bug. Let's focus on what's achievable. 16:39:15 right 16:39:41 prometheanfire: we have decided to take an exploration phase with uwsgi fast router vs nginx 16:39:48 on each physical node. 16:39:58 what does that mean? 16:40:13 summarized version: 16:40:17 it means write for uwsgi now and later we go for nginx :D 16:40:21 :D 16:40:40 whatever we are currently supporting, won't change. So if you have horizon behind apache behind haproxy, let's keep that 16:41:05 same for uwsgi apps behind nginx. 16:41:25 we should still take care of that for the current state, whatever the decision in the future would be 16:41:57 ok, so it's probably going to differ per role 16:41:57 prometheanfire: do you have cycles to fix that for default nginx services for example, like placement? 16:42:23 ya, it SHOULD be an easy oneliner (for each header) 16:42:35 wishlist , add docs for best practices in upstream projects, patches for osa config whenever convenient 16:42:56 NB we clean up nginx bits for placement and other services that had it: https://github.com/openstack/openstack-ansible-os_nova/blob/master/tasks/nova_uwsgi.yml#L35-L41 16:42:59 jmccrory: ya, I had to figure out the CSP for horizon by trial and error, not fun 16:43:04 jmccrory: agreed. 16:43:23 it just removes the site conf though and not nginx itself so that it wont break existing nginx hosts that are doing more than just placement for example 16:43:27 prometheanfire: how many days/weeks did it took ? 16:43:45 a couple days looking at a web debug console 16:43:51 by days I mean an hour a day or so 16:43:52 just annoying 16:44:27 ok let's continue. 16:44:32 one last thing 16:44:33 prometheanfire heh yeah bet it wasn't fun. would be good to have any project specific weirdness in their docs though 16:44:39 next 16:44:41 #link https://bugs.launchpad.net/openstack-ansible/+bug/1716927 16:44:42 Launchpad bug 1716927 in openstack-ansible " "Failed to update apt cache."}" [Undecided,New] 16:48:04 mmm 16:48:31 needs more info? maybe apt log? could be connection issue with keyserver or repo 16:49:00 yeah looks random 16:49:31 Alexandra Settle proposed openstack/openstack-ansible master: [deploy-guide] Updates git clone link https://review.openstack.org/505333 16:49:44 yes we need more apt log data 16:49:45 admin0: that should be your bug fix to 1715178 btw 16:50:48 noted 16:51:02 Marked as incomplete. 16:51:05 next 16:51:06 #link https://bugs.launchpad.net/openstack-ansible/+bug/1716925 16:51:07 Launchpad bug 1716925 in openstack-ansible "No package matching 'libmariadbclient-dev' is available"}" [Undecided,New] 16:51:48 that is maybe the follow up 16:52:13 yep 16:53:55 incomplete too then 16:54:10 next 16:54:13 #link https://bugs.launchpad.net/openstack-ansible/+bug/1716908 16:54:14 Launchpad bug 1716908 in openstack-ansible "Unable to create new instances after upgrade." [Undecided,New] 16:57:15 qemu-system-{{ ansible_WHATEVER }} is not in explicit dependency 16:57:22 https://github.com/openstack/openstack-ansible-os_nova/blob/master/vars/ubuntu-16.04.yml#L53 16:57:45 but I don't know what apt-get install qemu installs 16:57:49 so maybe I am wrong there 16:58:58 anyone? 16:58:59 qemu -> qemu-system -> qemu-system-* is the apt dependency chain 16:59:20 so latest qemu should be alright 17:00:19 but weirdly in his case qemu-system was 2.8 and qemu-block-extra was 2.8 17:00:32 but qemu-system-x86 was 2.5 17:01:05 we should probably add it to the explicit list then? 17:01:11 yeah so that's interesting... 17:01:14 I guess it's all aptitude behavior 17:01:15 qemu-system upgraded to UCA 17:01:23 the rest of the qemu-system-* deps didn't go to UCA 17:02:05 maybe we should give uca a higher prio 17:02:15 what happens if installing manually? 17:02:49 im testing right now, installing 'qemu' on a base system, adding uca, and then ill see what happens upgrading qemu after uca is installed 17:03:39 gate logs should help confirm this too 17:03:46 since we pull in the apt history 17:03:55 and ara stores all of the apt stdout 17:04:26 yeah 17:04:37 let's stop the bug triage for today though 17:04:51 we can triage this as confirmed or not offline of the meeting 17:04:57 thanks everyone! 17:05:02 yarp 17:05:05 plenty of bugs for next week then! 17:05:15 any last words? 17:05:16 :p 17:05:21 evrardjp: mind taking a look at https://bugs.launchpad.net/openstack-ansible/+bug/1717321/comments/3 for my plan of action? 17:05:22 Launchpad bug 1717321 in openstack-ansible "Content-Security-Policy for services" [Wishlist,Confirmed] 17:05:22 5 17:05:23 4 17:05:24 3 17:05:30 yeah I will have a look 17:05:33 after meeting, thanks 17:05:34 2 17:05:38 1 17:05:40 #endmeeting