16:11:13 <noonedeadpunk> #startmeeting openstack_ansible_meeting
16:11:14 <openstack> Meeting started Tue Jul 21 16:11:13 2020 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:11:15 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:11:17 <openstack> The meeting name has been set to 'openstack_ansible_meeting'
16:11:25 <noonedeadpunk> #topic office hours
16:11:51 <jrosser> o/ hello
16:12:02 <noonedeadpunk> \o/
16:12:13 <noonedeadpunk> Sorry for missing last week meeting
16:12:20 <noonedeadpunk> not sure if it even happened :(
16:12:56 <noonedeadpunk> so, from good things, centos8 is pretty close to be packported?
16:13:01 <noonedeadpunk> *backported
16:13:25 <noonedeadpunk> from bad ones, focal on master has issues and we're no good with new ansible?
16:13:28 <jrosser> sort of
16:13:48 <jrosser> i hope that https://review.opendev.org/#/c/742188/ is the last thing to need before we merge centos-8 into ussuri
16:13:59 <jrosser> but there are still things like telemetry on master iirc
16:14:22 * noonedeadpunk needs to look on them
16:14:32 <jrosser> perhaps we have to go back to an etherpad and checkist off all the roles
16:14:43 <jrosser> *checklist
16:15:01 <jrosser> and yes new ansible really does not like what we do in the galera_server role
16:15:18 <arkan> I recopied all the logs from the vm http://paste.openstack.org/show/796174/
16:15:21 <noonedeadpunk> I'm pretty sure we use hostvars not only in galera role
16:15:32 <jrosser> i was wondering if we should just set_fact the thing we need in a previous task
16:16:05 <jrosser> but that task is odd, delegate_to and also override ansible_host
16:16:13 <jrosser> i am not sure why that is like that
16:17:15 <noonedeadpunk> https://github.com/openstack/openstack-ansible-galera_server/commit/3d405dfd52c0a5059cefd877fd578114bcdd912d
16:17:43 <noonedeadpunk> but I think we probably should look into connection plugin instead?
16:17:48 <noonedeadpunk> not sure though...
16:18:44 <noonedeadpunk> eventually why not to delegate to `hostvars[galera_server_bootstrap_node]['ansible_host']` at once..
16:18:54 <noonedeadpunk> as they are not in inventory?
16:21:32 <noonedeadpunk> also, question about nova compute nodes has been raised again in bugs, https://bugs.launchpad.net/openstack-ansible/+bug/1887952
16:21:33 <openstack> Launchpad bug 1887952 in openstack-ansible "Running os-nova-install with --limit may not distribute SSH keys correctly" [Undecided,Opinion]
16:22:20 <noonedeadpunk> And I think, maybe it's time we thought about more advanced way of nodes auth? or at least we can probably stage nodes open keys on the deployment host
16:22:33 <noonedeadpunk> to be able to cleanly distribute them afterwards
16:32:17 <jrosser> oh yes that
16:32:30 <jrosser> i would like to get rid of the key distribution entirely
16:36:48 <jrosser> i think we should look at sshd TrustedUserCAKeys for this
16:48:10 <noonedeadpunk> yeah, I totally like that idea
16:49:10 <jrosser> it would completely simplify it
16:49:59 <jrosser> because currently every compute node needs the keys from all the others, sort of N*N type of problem
16:50:25 <jrosser> but with TrustedUserCAKeys we would install a (list?) of trusted CA on each host
16:50:36 <jrosser> then generate a suitable key once per compute node, and it's done
16:51:57 <jrosser> i think i already have a patch somewhere which was going to set up a CA for haproxy, so that's already existing
16:52:47 <jrosser> https://review.opendev.org/#/c/644555/ this could all be refreshed for SSH certificates instead
16:53:54 <noonedeadpunk> In terms of the role it's more complicated, but from the deployer perspective it's nicer
16:55:23 * noonedeadpunk tries to recall why needed to use openssl command everywhere instead of module
16:55:35 <noonedeadpunk> ah, it was centos7 issue which is not the case.
16:55:45 <noonedeadpunk> Btw, I saw you started the cleanup?
17:06:10 <noonedeadpunk> #endmeeting