15:02:05 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:02:06 <opendevmeet> Meeting started Tue Jun  1 15:02:05 2021 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:07 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:09 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:02:16 <noonedeadpunk> #topic rollcall
15:03:12 <noonedeadpunk> o/
15:04:41 <jrosser> o/ hello
15:07:14 <noonedeadpunk> #topic office hours
15:07:32 <noonedeadpunk> Ok, so probably worth discussing irc change?
15:08:00 <noonedeadpunk> Patch to docs has merged, but I'm not sure about the best way to update all our members with that
15:08:18 <noonedeadpunk> considering we can't change topic now
15:08:38 <noonedeadpunk> And I actually didn't got TC recommendation about having volunteers :(
15:08:45 <jrosser> i forget to stay in the freenode channel, perhaps worth rejoining to herd people over to here
15:08:49 <noonedeadpunk> *didn't get
15:09:07 <noonedeadpunk> I'm keeping an eye on the channel
15:09:16 <noonedeadpunk> *old one
15:10:09 <noonedeadpunk> I wonder if it's worth to write independent ML as well
15:10:43 <noonedeadpunk> I guess no, as one has been sent with [all] tag...
15:11:40 <noonedeadpunk> and according to ppl number in channels, at least 50% have moved here
15:12:59 <noonedeadpunk> So probably we can just keep an eye for some time and redirect using link to the https://docs.openstack.org/openstack-ansible/latest/contributor/contributing.html#irc-channel
15:13:54 <noonedeadpunk> oh, btw I did some cleanup of the projects wiki pages
15:14:05 <noonedeadpunk> and dropped all stuff from 2015 from there...
15:15:00 <noonedeadpunk> #idea we can continue keeping track of our etherpads on https://wiki.openstack.org/wiki/OpenStack-Ansible
15:15:22 <jrosser> oh yes that would be helpful
15:15:41 <noonedeadpunk> I put there only the last ones I could recall
15:17:39 <noonedeadpunk> #agreed to use project wiki page for keeping track on etherpads
15:18:44 <noonedeadpunk> ok, so another thing is bullseye
15:18:54 <jrosser> should we go over what is outstanding in order to branch for W
15:18:56 <jrosser> oh yes
15:19:10 <noonedeadpunk> I got lxc working now
15:19:18 <jrosser> ahha, was it systemd?
15:19:36 <noonedeadpunk> yes and it also required extra cgroups permissins
15:19:38 <jrosser> there was related chatter in #lxc irc channel last night
15:19:40 <noonedeadpunk> *permissions
15:19:51 <noonedeadpunk> so I switched from ro to mixed
15:20:04 <jrosser> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825394
15:20:06 <opendevmeet> Debian bug 825394 in systemd "systemd kill background processes after user logs out" [Normal,Fixed]
15:20:09 <noonedeadpunk> Well, systemd is "broken" since 2019 in this regard
15:20:16 <noonedeadpunk> *apparmor
15:20:19 <jrosser> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989317
15:20:19 <opendevmeet> Debian bug 989317 in systemd "systemd kill background processes after user logs out (#825394 regression)" [Normal,Open]
15:20:47 <noonedeadpunk> but we use unconfined profile anyway
15:21:03 <noonedeadpunk> no, that wasn't it
15:21:28 <jrosser> unconfined had to come in for buster
15:21:31 <noonedeadpunk> that was more apparmor and systemd-networkd in terms of trying to do weird mounts
15:21:57 <noonedeadpunk> yeah, but we set it explicitly for 10 only:)
15:22:09 <jrosser> aaaahhhh
15:22:46 <noonedeadpunk> and 11 was missing templates and this thing https://review.opendev.org/c/openstack/openstack-ansible-lxc_container_create/+/793896/1/tasks/lxc_container_config.yml
15:23:11 <noonedeadpunk> eventually that was the reason why containers were not starting at all
15:24:18 <noonedeadpunk> the only thing that stops us is still linters. as eventually I missed some roles with automated patching
15:24:31 <noonedeadpunk> because they were using template with linters included
15:25:22 <jrosser> i need to revisit the pki role patch to the openstack-ansible repo
15:25:37 <jrosser> move things to group_vars and make some better docs
15:25:42 <opendevreview> Merged openstack/openstack-ansible-lxc_hosts master: Replace linters test with integarted one  https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/793937
15:25:44 <noonedeadpunk> yeah, that's I guess close to last blocker for us
15:26:05 <noonedeadpunk> but docs we can do even after branching with follow-up
15:26:21 <noonedeadpunk> eventually, we can do even RC1 without branching
15:26:38 <noonedeadpunk> but it still better to be usable
15:27:20 <noonedeadpunk> oh, well! we also must merge our facts gathering issue
15:28:31 <noonedeadpunk> https://review.opendev.org/c/openstack/openstack-ansible/+/790042
15:28:59 <noonedeadpunk> ah, you just voted :)
15:31:22 <noonedeadpunk> and we need to also fix linters on V, as things are bad there as well
15:31:38 <noonedeadpunk> But I think we should just workaround there somehow
15:31:45 <noonedeadpunk> Will try to look into this as well
15:31:46 <jrosser> oh hmm i wonder if we have circular dependencies on the PKI stuff too
15:31:53 <jrosser> in order to merge the rabbitmq and haproxy changes
15:32:58 <noonedeadpunk> https://review.opendev.org/c/openstack/openstack-ansible/+/788031 looks like mergable?
15:33:09 <noonedeadpunk> We just need to drop WIP from topic
15:33:43 <jrosser> that's the one where user_variables_pki needs to go to group vars, but yes that can merge
15:33:46 <noonedeadpunk> ahhh
15:36:01 <opendevreview> Merged openstack/openstack-ansible-os_nova master: Don't rely on compute_hosts existance  https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/793954
15:36:17 <noonedeadpunk> haproxy should probably depend on https://review.opendev.org/c/openstack/openstack-ansible/+/788031
15:36:55 <noonedeadpunk> and then they all should be able to merge hopefully?
15:37:27 <noonedeadpunk> btw, we have a fresh bug https://bugs.launchpad.net/openstack-ansible/+bug/1930276
15:37:29 <opendevmeet> Launchpad bug 1930276 in openstack-ansible "Nova API not restarted when nova policy is updated" [Undecided,New] - Assigned to Dmitriy Rabotyagov (noonedeadpunk)
15:37:33 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-haproxy_server master: Use external PKI role to manage haproxy self-signed certificates  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/790078
15:37:54 <noonedeadpunk> I haven't triaged it yet, was just about to start reproducing it
15:38:11 <noonedeadpunk> I believe I saw how policies are applied on fly without service restart...
15:38:24 <jrosser> oh interesting
15:38:47 <noonedeadpunk> and I pushed all policy-to-yaml keeping that in mind...
15:39:07 <noonedeadpunk> so it might be potentially another blocker
15:39:35 <noonedeadpunk> not for RC1 but for branching maybe
15:40:04 <noonedeadpunk> My plan would be to do RC1 as soon as we land PKI
15:41:02 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Don't collect virtual facts  https://review.opendev.org/c/openstack/openstack-ansible/+/789926
15:42:37 <jrosser> hmm looks complicated https://github.com/openstack/oslo.policy/blob/92eae81048b392f140e35e060e4c66195a08613e/oslo_policy/policy.py#L598
15:43:41 <noonedeadpunk> oh, so like if policy file was not present, it won't be loaded without restart?
15:47:00 <jrosser> well the whole force_reload thing makes me wonder too - there's a layer of caching
15:47:50 <noonedeadpunk> It can leverage inotify for example
15:48:06 <noonedeadpunk> but then indeed not existent file won't be checked
15:48:30 <noonedeadpunk> I wonder if just creating empty policy file is a good solution if that's how it works
15:48:39 <jrosser> https://github.com/openstack/oslo.policy/blob/master/oslo_policy/_cache_handler.py#L25
15:51:35 <jrosser> not totally sure i understand why a restart fixes it
15:52:09 <jrosser> well or rather why it's not picked up
15:52:32 <noonedeadpunk> ok, so looking at it it seems like the same behaviour for non existent file and caching?
15:53:18 <noonedeadpunk> I wonder actually what version it's about
15:54:03 <noonedeadpunk> but worth testing in aio anyway imo
15:54:16 <noonedeadpunk> As I can't fully understand code right now...
15:55:23 <noonedeadpunk> I mean read_cached_file returns True in both cases...
15:56:59 <jrosser> maybe also worth asking the oslo people what the expected behaviour is
15:57:40 <jrosser> seems like it maybe up to other projects to call Enforcer.load_rules when they see fit
15:58:30 <noonedeadpunk> yeah, might be...
16:01:43 <jrosser> well it's in the docs actually `Whenever an API call to an OpenStack service is made, the service’s policy engine uses the appropriate policy definitions to determine if the call can be accepted. Any changes to policy.yaml are effective immediately, which allows new policies to be implemented while the service is running.`
16:02:16 <jrosser> https://docs.openstack.org/oslo.policy/latest/admin/policy-yaml-file.html
16:03:42 <noonedeadpunk> But I still can imagine different thing happen in reality in case policy.yaml doesn't exist... But yes, I totally saw things happening like this...
16:04:08 <noonedeadpunk> *like written in the doc
16:04:12 <noonedeadpunk> #endmeeting