16:05:32 #startmeeting openstack_ansible_meeting 16:05:33 Meeting started Tue Jan 19 16:05:32 2021 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:05:34 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:05:36 The meeting name has been set to 'openstack_ansible_meeting' 16:06:01 we have smth to discuss I guess this week, so I'd suggest to moe bug triaghe to the end if we have time for it 16:06:08 #topic office hours 16:06:20 hello 16:06:45 hello. 16:06:56 so you had awesome progress with new pip resolver 16:07:16 yeah, i was expecting tons of horrid stuff but it's not been so bad 16:07:22 I think now we stuck with really weird thing 16:07:46 (ie setupttols missing)? 16:07:57 i think i figured that, unfortunatley setuptools is in u-c, and we also have it in global-requirement-pins 16:08:26 so if they dont exactly match you have a constraint of setuptools==X simultaneous with setuptools==Y which isnt possible 16:09:05 and moreover virtualenv is also pinned 16:09:06 so thats kind of the remaining thing to figure out, if we still want to keep complete control of the setuptools version in the openstack-ansible repo 16:09:46 i was considering extending the repo server role to retrieve the u-c URL and create a filtered version with these things removed 16:10:10 so now requirements does not have prescedence over constraints? (I guess it was the case previously) 16:10:41 then we can kind of drop tempest as well... 16:10:57 it's possible that having one thing constrained twice now behaves differently 16:11:36 i'm not sure that this is true any more https://github.com/openstack/openstack-ansible/blob/master/global-requirement-pins.txt#L1-L4 16:12:36 seems that it's not since it does not override u-c anymore :( 16:12:44 which is really bad imo 16:15:27 so i think we should look at maintaining a file on the repo server which as an adjusted version of u-c 16:15:50 yeah you're right http://paste.openstack.org/show/801739/ 16:16:38 yes i think thats why my patch was total fail before because of that mismatch 16:16:56 so it should filter out stuff that is in the defined list + what we have in global-requirement-pins.txt right? 16:17:17 yeah, sounds about right 16:17:43 we have to do it this way as u-c is passed directly into pip as a URL 16:17:44 And it's the change to python_venv_build I guess 16:18:01 the alternative is to create a variable which is a filtered version u-c as a list 16:18:34 but thats a very wide ranging change 16:18:56 I'd rather download and store it I guess. However, another tricky thing is not to download it each time 16:19:26 So we might need to get uri like you did with tempest, filter things out, and save to file afterwards 16:19:56 or having some temp file that will be common across each role run.... 16:19:58 uh 16:21:00 need to have a look at how the variables are at the moment 16:21:15 well, at least that sounds like smth that can be done... 16:21:36 the roles use requirements_git_url 16:21:38 ok, anyway souds like some plan:) 16:21:53 sure, i'll take a look, feels like this is nearly done tbh 16:22:13 yeah, it does :) 16:22:48 ok, another thing. Changing policies to yaml. Change is pretty straightforward actually. But not sure about upgrade path 16:23:32 I think the best way is to make old policy.json absent at the same place where we will be placing ploicy.yaml 16:23:58 but that would mean we need to do cleanup in every single role afterwards 16:25:44 and having them dropped at some pre-stage (like in upgrade-utilities) is kind of too early I guess. And I'm not 100% sure, but are policies pre-loaded or read from disk with each request and do not require service restart? 16:26:16 i'm not sure, but i think gmann can probably give us good advice here 16:29:14 yeah... 16:31:57 Another thing was our SSL topic 16:32:17 I think we should at least create a repo for that and I wanted to ask about proper name for it:) 16:33:49 should we use smth like ansible-role-ssl or openstack-ansible-ssl? 16:34:03 I kind of don't have really good ideas about how it should be called... 16:35:00 hmm yes, naming is always hard 16:35:17 there was also service tokens, is that something we need to get done? 16:35:37 this sort of thing https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html 16:40:09 hm... I think I started doing smth related a while ago... 16:40:25 but what we should reflect for sure is healthapi endpoints 16:40:54 *healthcheck 16:41:14 But not sure if the're here for all services... 16:45:22 keystone_authtoken.service_token_roles_required <- that one 16:46:19 I guess that's kind of related things? 16:46:26 yes 16:46:48 I'm pretty sure I was patching it somewhere, but can't recall... 16:47:25 ok, octavia, zun and masakari are patched at least... 16:51:12 healthcheck is this https://docs.openstack.org/keystone/latest/admin/health-check-middleware.html 16:51:23 and it should be pretty simple to adjust 16:52:10 just need to be sure about what services have implemented that 16:52:25 btw, have you read about Venus? 16:52:56 which is new log management service 16:54:05 i saw some stuff on the ML but not looked too much, though it did look very interesting 16:57:09 Jonathan Rosser proposed openstack/ansible-hardening master: Fix linter errors https://review.opendev.org/c/openstack/ansible-hardening/+/771481 16:58:07 noonedeadpunk: any thoughts on the many many patches like this https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/768689 16:58:12 do we abandon them? 16:58:53 I clean forgot to take care about them... 16:59:02 * noonedeadpunk writes down on top of todo list 16:59:38 Yes, I think we should abandon them and I should go to release team and ask how we should stop publishing renos for each repo.... 17:00:27 #endmeeting