15:00:27 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:00:27 <opendevmeet> Meeting started Tue Sep 14 15:00:27 2021 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:27 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:27 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:00:31 <noonedeadpunk> #topic rollcall
15:00:37 <noonedeadpunk> \o/
15:05:40 <jrosser> o/ hello
15:06:04 <noonedeadpunk> #topic office hours
15:06:35 <noonedeadpunk> So. Recently I was working on pki for galera and it should eventually work now.
15:07:05 <noonedeadpunk> The question there how fine to provide ca-file to the system trust store?
15:09:50 <jrosser> doesn't the openstack-hosts role do that?
15:10:10 <noonedeadpunk> it does.. the question here is to pymysql code
15:10:16 <noonedeadpunk> which for me looks weird...
15:10:20 <jrosser> ah ok
15:10:36 <noonedeadpunk> so here code that parses connection https://github.com/PyMySQL/PyMySQL/blob/main/pymysql/connections.py#L266-L284
15:10:48 <noonedeadpunk> and it feels the only way to enable ssl is to provide ca-file
15:11:00 <noonedeadpunk> regardless it is installed to system trust store or not
15:12:21 <noonedeadpunk> because it's stupid - `if ssl_ca` and next line - "ca": ssl_ca
15:12:45 <noonedeadpunk> so it would be just NameError
15:13:33 <jrosser> that is really odd code
15:14:18 <jrosser> oh well it's default to None?
15:14:57 <noonedeadpunk> ah, indeed it is
15:15:13 <noonedeadpunk> so we can kind of just define ssl_verify_cert ?
15:15:28 <noonedeadpunk> then more relevant question
15:15:41 <noonedeadpunk> do we want to patch all roles for that ?:)
15:16:11 <noonedeadpunk> because we have that connection string literally everywhere https://opendev.org/openstack/openstack-ansible-os_glance/src/branch/master/templates/glance-api.conf.j2#L39
15:17:41 <jrosser> oh my
15:18:16 <jrosser> seems we should refactor that
15:18:21 <noonedeadpunk> so right now basically https://review.opendev.org/c/openstack/openstack-ansible/+/807880/8/inventory/group_vars/all/infra.yml solves the issue
15:24:01 <noonedeadpunk> another thing that I worked on was upgrade of ansible version. I hope it should pass now, but not 100% sure. At least ssh plugin seems to be fixed now
15:24:34 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump ansible version to 2.11.5 https://review.opendev.org/c/openstack/openstack-ansible/+/807316
15:25:49 <noonedeadpunk> Regarding next thing that I think we should do - is to work on nova role integration with PKI
15:26:02 <noonedeadpunk> because iirc live migration with tunneling is going to be dropped in X
15:26:25 <noonedeadpunk> so we must have tls in place to release
15:32:04 <jrosser> that hopefully is not too difficult, as we kind of practice a bit now with the PKI role
15:32:25 <noonedeadpunk> and I do super dump istakes :(
15:32:30 <noonedeadpunk> *mistakes
15:32:41 <noonedeadpunk> *dumb
15:36:28 <noonedeadpunk> regarding reviews - I'd love to push a bit merge of murano fix https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/781239
15:37:00 <noonedeadpunk> and if we're fine with https://review.opendev.org/q/topic:%22bp%252Fprotecting-plaintext-configs%22+(status:open%20OR%20status:merged) as poc?
15:48:52 <spatel> anyone has any experience with server.com to renting servers for openstack?
15:49:14 <spatel> i am planning to build datacenter in EU and found these guys
15:50:01 <spatel> sorry if the meeting is continuing.
15:50:13 <noonedeadpunk> #endmeeting