15:00:44 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:00:45 <openstack> Meeting started Tue Apr 27 15:00:44 2021 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:46 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:48 <openstack> The meeting name has been set to 'openstack_ansible_meeting'
15:00:50 <noonedeadpunk> #topic rollcall
15:00:53 <noonedeadpunk> o/
15:01:00 <mgariepy> hello !
15:01:46 <noonedeadpunk> hey mgariepy! how're you doing?:)
15:01:58 <mgariepy> not too bad.
15:02:07 <mgariepy> how are you doing ?
15:02:44 <noonedeadpunk> having bad upgrade :(
15:02:54 <mgariepy> really ? how comes?
15:02:54 <noonedeadpunk> but that's fine)
15:03:01 * noonedeadpunk no idea
15:03:15 <mgariepy> what's failing ?
15:03:28 <noonedeadpunk> ended up with both broken rabbit, so had to wipe it and re-create from scratch, including vhosts and permissions
15:03:50 <mgariepy> ouch
15:03:54 <noonedeadpunk> and now galera fell apart as well
15:03:59 <openstackgerrit> wu.chunyang proposed openstack/openstack-ansible master: setup.cfg: Replace dashes with underscores https://review.opendev.org/c/openstack/openstack-ansible/+/788312
15:05:13 <noonedeadpunk> ok, so...
15:05:16 <noonedeadpunk> #topic office hours
15:05:54 <noonedeadpunk> I still haven't sent anything from PTG, will do this right after the meeting
15:06:36 <noonedeadpunk> Also, there's a question regarding what we should do with ansible goes ahead
15:07:03 <noonedeadpunk> Today ansible-core 2.11 has been released which has soft requirement of py38
15:07:18 <noonedeadpunk> I think it means that no CI has been done for py36, but not sure
15:07:54 <noonedeadpunk> I think it's smth we can already use for W, but probably worth postponing for X?
15:08:54 <jrosser> o/ sorry i'm late
15:09:05 <noonedeadpunk> As there we will drop bionic with its 3.6 and already bullseye will be stable with 3.9 on board
15:09:54 <noonedeadpunk> the only issue is centos atm. But might be stream get some libselinux python binding till then?
15:10:19 <ajg20> Hello, I have setup OpenStack-Ansible on a server and I am getting the following error "Error: Failed to perform requested operation on instance "cirros", the instance has an error status: Please try again later [Error: Exceeded maximum number of retries. Exhausted all hosts available for retrying build failures for instance
15:10:20 <ajg20> d376970d-19a0-4bc5-a47e-43ef6ed2d63c.]." More details http://paste.openstack.org/show/804801/ . Can someone help me out?
15:10:40 <noonedeadpunk> while we can build pyenv ofc, I really dunno about building libselinux bindings...
15:11:13 <noonedeadpunk> ajg20: having meeting now, will be able to help in an hour or so
15:12:22 <ajg20> Thank you, Let me know when you have free.
15:14:48 <noonedeadpunk> So I'd say let's use ansible-base 2.10 for W and see how things will go during next cycle?
15:14:59 <jrosser> yeah, i think so
15:15:50 <jrosser> i wonder if spotz might know who to ask how we're supposed to use ansible-core on centos8 w.r.t python selinux bindings
15:16:52 <noonedeadpunk> I think that with 2.12 ansible-core they will implement some kind of containers for ansible-core
15:17:21 <noonedeadpunk> so that they won't need to worry about py in centos
15:17:57 <noonedeadpunk> Another thing we've briefly discussed during the day is https://review.opendev.org/c/openstack/openstack-ansible-specs/+/788057
15:18:14 <jrosser> there is this https://ansible-runner.readthedocs.io/en/latest/
15:19:01 <noonedeadpunk> `Python 2.7+ and 3.6+ are supported and installable via pip` lol
15:19:11 <jrosser> oh :/
15:19:32 <noonedeadpunk> pretty deserted I guess? https://ansible-runner.readthedocs.io/en/latest/install.html#changelog
15:19:59 <noonedeadpunk> dunno though
15:21:37 <jrosser> config in vault is one thing
15:22:03 <jrosser> but all deployment secrets in vault in the general sense, i.e. OSA wide, is kind of something else again
15:22:17 <noonedeadpunk> yeah, agree
15:22:25 <jrosser> and as a deployment tool i kind of figure we should care about both of those
15:22:29 <noonedeadpunk> and this blueprint is regarding config in vault only
15:22:44 <jrosser> yes
15:23:12 <jrosser> deployment environment secrets in vault poses some interesting chicken/egg challenges too
15:23:16 <noonedeadpunk> probably as soon as we will have vault deployment, we can figure out how we want to integrate it with secrets as well
15:23:56 <noonedeadpunk> As I'm not sure about time during the upcoming cycle for this thing.
15:24:12 <jrosser> no me neither
15:24:16 <noonedeadpunk> While blueprint is assigned to the patch owner :)
15:25:13 <noonedeadpunk> And I have vault role in exact OSA format, where used even galera_role
15:25:47 <jrosser> ah interesting, we've got one too using the internal data store and raft HA
15:26:06 <noonedeadpunk> I used haproxy in octavia....
15:26:54 <noonedeadpunk> but I mean it should fit perfectly I guess to what we have in terms of containers and stuff
15:27:09 <noonedeadpunk> but yeah, now I got chicken/egg situation...
15:29:12 <jrosser> i did another pass on the pki role setup for rabbitmq
15:29:14 <noonedeadpunk> I think as long as they're going to lead implementation I'm pretty much fine with it
15:29:24 <jrosser> that's looking a lot more like python_venv_build approach now
15:29:29 <noonedeadpunk> oh, I saw pki has passed, haven't checked rabbit
15:29:57 <jrosser> half way through doing the same for haproxy though there's more complexity there with needing to keep the original functionality + certbot and stuff
15:29:57 <noonedeadpunk> yeah, I was thinking about smth like that, but haven't dug into details yet
15:30:39 <jrosser> i still need to look at the variable names again, make them rabbitmq specific in defaults/main.yml with the option for a deployment wide openstack_<var> global setting
15:31:04 <noonedeadpunk> yeah, you read my thoughts!
15:31:35 <noonedeadpunk> I'm wondering if there's good usecase to use letsencrypt for rabbit/galera as well
15:31:43 <noonedeadpunk> in case of dns-01 auth
15:31:45 <jrosser> as a positive though it's really cleaned up the code for ssl in the rabbit role
15:31:54 <noonedeadpunk> not sure how to implement it though
15:32:18 <noonedeadpunk> yep, a lot of dropped stuff. And I think overall it will be the way cleaner
15:32:35 <jrosser> right, so there's a var in the pki role, pki_method
15:33:00 <jrosser> i'd intended to allow that to be used as some kind of extension where we could add certbot support in the future to the role
15:33:13 <jrosser> and allow the caller to specify the backend used to issue the cert
15:34:13 <noonedeadpunk> oh, nice idea, yes
15:34:37 <jrosser> if we do it right then you'd be able to specify that per certificate
15:36:02 <noonedeadpunk> and eventually that might be even some third party tooling (forgot what exact thing you talked about previously)
15:36:19 <jrosser> yes indeed, we've got step-ca running here as an internal CA
15:37:10 <jrosser> so i'd like to leave the door open for adding more opinionated backends like that to the pki role
15:37:27 <noonedeadpunk> yep, agree
15:41:04 <jrosser> is there anything else we need to prioritise to get merged for a release
15:41:50 <noonedeadpunk> oh, centos stream
15:42:21 <openstackgerrit> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Add centos-8 stream jobs https://review.opendev.org/c/openstack/openstack-ansible/+/776226
15:44:23 <jrosser> oh urgh distro_metal_centos8 fails, of course!
15:50:26 <noonedeadpunk> on cinder :(
15:51:05 <jrosser> i also looked at the tempestconf fix we had, though i think we can't test that with a depends-on
15:53:31 <jrosser> oh i think it is possible, if we make a DNM patch which sets tempest_tempestconf_pip_packages to the url of the tempestconf change in gerrit
15:59:37 <noonedeadpunk> um....
15:59:56 <noonedeadpunk> I think the issue with gerrit change is in refs?
16:03:15 <noonedeadpunk> anyway..
16:03:18 <noonedeadpunk> #endmeeting