15:00:42 <noonedeadpunk> #startmeeting openstack_ansible_meeting 15:00:42 <opendevmeet> Meeting started Tue Jun 29 15:00:42 2021 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:42 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:42 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting' 15:00:54 <noonedeadpunk> #topic rollcall 15:00:57 <noonedeadpunk> o/ 15:03:03 <gshippey> o/ 15:05:09 <noonedeadpunk> #topic office hours 15:05:32 <noonedeadpunk> so, today roles have branched 15:05:43 <noonedeadpunk> and we are partially stuck because of the tests repo 15:06:11 <noonedeadpunk> we have this topic to track down progress 15:06:14 <noonedeadpunk> #link https://review.opendev.org/q/topic:%22create-wallaby%22+(status:open) 15:06:46 <noonedeadpunk> so eventually main failing point are: functional tests and linters 15:07:04 <noonedeadpunk> functional teests fail because of the pki role eventually 15:07:04 <jrosser> o/ hello 15:08:51 <noonedeadpunk> I kind of pushed https://review.opendev.org/c/openstack/ansible-role-pki/+/798685 but dunno how to test if functional are gonna like it 15:09:03 <noonedeadpunk> as depends-on doesn't work.... 15:09:16 <noonedeadpunk> and same issue go for linters actually.... 15:09:41 <jrosser> something else fails oddly now "Could not find or access '/etc/pki/rabbitmq-ca/roots/RabbitMQRoot/certs/RabbitMQRoot.crt' on the Ansible Controller 15:10:59 <noonedeadpunk> oh, indeed,,,, 15:11:12 <noonedeadpunk> it feels more like certs are not generated properly 15:11:39 <jrosser> oh i see whats happening 15:11:54 <noonedeadpunk> we're using defaults in rabbit role 15:11:56 <jrosser> its created at "path": "/etc/pki/rabbitmq-ca/roots/RabbitMQRoot/certs/RabbitMQRoot-1000.crt" 15:12:10 <noonedeadpunk> and maybe we have more stuff defined in integrated repo 15:12:19 <jrosser> yes 15:12:28 <jrosser> the rabbit repo will use the integrated tests 15:12:57 <jrosser> it's because the rabbit role will use the deployment wide Root CA in the integrated tests 15:12:59 <noonedeadpunk> well, we can probably also add overrides to tests repo to fit what we have 15:13:08 <noonedeadpunk> but maybe worth adjusting defaults if needed? 15:13:34 <noonedeadpunk> yeah 15:13:50 <noonedeadpunk> (but I don't still see what exactly fails there) 15:14:02 <noonedeadpunk> or how to avoid that... 15:15:17 <jrosser> when the CA cert is generated the serial number has been included in the filename 15:15:33 <jrosser> when it tries to install that CA it looks for it at a path without the serial number 15:16:29 <jrosser> but those two things should be symlinked to each other https://github.com/openstack/ansible-role-pki/blob/master/tasks/standalone/create_ca.yml#L108-L113 15:16:46 <noonedeadpunk> oh, ok, I see 15:17:22 <noonedeadpunk> but links seems to be created according to what I see? 15:18:16 <noonedeadpunk> https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_728/798638/5/check/openstack-ansible-functional-ubuntu-focal/728b8a7/logs/ara-report/results/452.html 15:18:46 <jrosser> it certainly looks correct 15:19:30 <jrosser> oh! Host: infra1 15:20:05 <noonedeadpunk> but it's copy module... 15:20:52 <jrosser> yes, but it expects the source to be on the controller node 15:21:18 <jrosser> but the CA stuff has been constructed on infra1 15:22:21 <jrosser> so thats kind of two issues - the CA isn't built on localhost..... and/or this doesn't cope with the case when the CA is built on something != localhost 15:22:54 <noonedeadpunk> Well looking at https://zuul.opendev.org/t/openstack/build/728b8a7ca5d64883b189c1f116eeceb8/log/job-output.txt it looks like delegated? 15:23:02 <noonedeadpunk> L5001 15:23:24 <jrosser> i was looking at the tasks at the end of here https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_728/798638/5/check/openstack-ansible-functional-ubuntu-focal/728b8a7/logs/ara-report/playbooks/1.html?status=failed&status=unreachable#results 15:23:50 <noonedeadpunk> well, maybe it's ara doesn't show delegate properly? 15:23:57 <jrosser> could be 15:24:10 <noonedeadpunk> dmsimard: anything known that ara doesn't respect delegate_to? 15:25:10 <noonedeadpunk> so I still didn't quite get why it fails.... ;( 15:25:25 <jrosser> i think these tasks fall outside the delegate? https://github.com/openstack/ansible-role-pki/blob/master/tasks/standalone/install_ca.yml 15:25:43 <noonedeadpunk> they are outside of the delegate 15:25:57 <noonedeadpunk> but it's fine, since we copy from localhost to remote host 15:26:02 <noonedeadpunk> so we run against remote host 15:26:19 <noonedeadpunk> (it doesn't respect `something != localhost` for sure) 15:27:45 <jrosser> i think i see why it fails though, the tasks to build the CA target infra1 and delegate to localhost 15:28:11 <jrosser> oh errm 15:28:59 <opendevreview> Merged openstack/openstack-ansible-os_tempest stable/wallaby: Update .gitreview for stable/wallaby https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/798587 15:29:03 <opendevreview> Merged openstack/openstack-ansible-os_tempest stable/wallaby: Update TOX_CONSTRAINTS_FILE for stable/wallaby https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/798588 15:31:29 * noonedeadpunk tries to reproduce 15:32:06 <noonedeadpunk> but eventually doing final W release is smth we should look into (and thus unblocking functional stuff) 15:32:35 <jrosser> i am kind of confused with what is happening here tbh 15:32:39 <noonedeadpunk> I dunno if it's worth making RC1 with not merged .gitreview in roles for W 15:33:26 <jrosser> there is a difference that in the integrated repo it will target localhost though https://github.com/openstack/openstack-ansible/blob/master/playbooks/certificate-authority.yml#L16 15:34:58 <noonedeadpunk> openstack_pki_setup_host is not defined anywhere, so it should be like that in both cases? 15:35:55 <jrosser> in the integrated repo we never have it create a CA during the rabbit role though 15:35:59 <noonedeadpunk> but yes... 15:36:08 <noonedeadpunk> `included: /home/zuul/src/opendev.org/openstack/ansible-role-pki/tasks/main_ca.yml for infra1` 15:36:09 <jrosser> thats done up front 15:36:59 <noonedeadpunk> oh... 15:37:14 <noonedeadpunk> indeed... 15:37:58 <noonedeadpunk> we just include pki role as main there 15:38:08 <noonedeadpunk> and go through https://opendev.org/openstack/ansible-role-pki/src/branch/master/tasks/main.yml 15:38:21 <jrosser> the idea was it should be able to stand alone 15:39:00 <noonedeadpunk> well, good probably that we catched that... 15:40:01 <noonedeadpunk> but I think we can't delegate inlcude task... 15:41:32 <noonedeadpunk> um, I dunno how to fix that without adjusting playbook for rabbitmq 15:42:30 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-tests master: Gather /etc/pki directory https://review.opendev.org/c/openstack/openstack-ansible-tests/+/798703 15:42:33 <noonedeadpunk> or we need to make respect `pki_setup_host != localhost` during copy 15:43:36 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible-tests master: Gather /etc/pki directory https://review.opendev.org/c/openstack/openstack-ansible-tests/+/798703 15:44:04 <jrosser> maybe it should be using slurp rather than copy 15:44:08 <noonedeadpunk> oh, smth weird is there... 15:44:26 <noonedeadpunk> yeah, might be actually 15:44:35 <jrosser> do you have this locally?\ 15:44:54 <noonedeadpunk> deploying 15:45:00 <noonedeadpunk> already on container creation 15:45:48 <noonedeadpunk> doh, no, lost connection to VM :( 15:46:06 <noonedeadpunk> (pretty common thing for functional tests actually) 15:49:42 <noonedeadpunk> ah, well I do have same net for br-mgmt and internal one :( 15:50:55 <jrosser> it feels like some of the patterns from python_venv_build are what is needed here, like where it collects the constraints file 15:52:00 <jrosser> this actually https://github.com/openstack/ansible-role-python_venv_build/blob/master/tasks/python_venv_install.yml#L16-L23 15:52:11 <jrosser> slurp / delegate / run_once / register 15:53:05 <noonedeadpunk> oh, well, yeah, looks pretty applicable 15:58:30 <noonedeadpunk> #endmeeting