15:00:27 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:00:27 <opendevmeet> Meeting started Tue Sep 14 15:00:27 2021 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:27 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:27 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:00:31 <noonedeadpunk> #topic rollcall
15:00:37 <noonedeadpunk> \o/
15:05:40 <jrosser> o/ hello
15:06:04 <noonedeadpunk> #topic office hours
15:06:35 <noonedeadpunk> So. Recently I was working on pki for galera and it should eventually work now.
15:07:05 <noonedeadpunk> The question there how fine to provide ca-file to the system trust store?
15:09:50 <jrosser> doesn't the openstack-hosts role do that?
15:10:10 <noonedeadpunk> it does.. the question here is to pymysql code
15:10:16 <noonedeadpunk> which for me looks weird...
15:10:20 <jrosser> ah ok
15:10:36 <noonedeadpunk> so here is the code that parses connection https://github.com/PyMySQL/PyMySQL/blob/main/pymysql/connections.py#L266-L284
15:10:48 <noonedeadpunk> and it feels the only way to enable ssl is to provide ca-file
15:11:00 <noonedeadpunk> regardless it is installed to system trust store or not
15:12:21 <noonedeadpunk> because it's stupid - `if ssl_ca` and next line - "ca": ssl_ca
15:12:45 <noonedeadpunk> so it would be just NameError
15:13:33 <jrosser> that is really odd code
15:14:18 <jrosser> oh well it's default to None?
15:14:57 <noonedeadpunk> ah, indeed it is
15:15:13 <noonedeadpunk> so we can kind of just define ssl_verify_cert ?
15:15:28 <noonedeadpunk> then more relevant question
15:15:41 <noonedeadpunk> do we want to patch all roles for that ?:)
15:16:11 <noonedeadpunk> because we have that connection string literally everywhere https://opendev.org/openstack/openstack-ansible-os_glance/src/branch/master/templates/glance-api.conf.j2#L39
15:17:41 <jrosser> oh my
15:18:16 <jrosser> seems we should refactor that
15:18:21 <noonedeadpunk> so right now basically https://review.opendev.org/c/openstack/openstack-ansible/+/807880/8/inventory/group_vars/all/infra.yml solves the issue
15:24:01 <noonedeadpunk> another thing that I worked on was upgrade of ansible version. I hope it should pass now, but not 100% sure. At least ssh plugin seems to be fixed now
15:24:34 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Bump ansible version to 2.11.5  https://review.opendev.org/c/openstack/openstack-ansible/+/807316
15:25:49 <noonedeadpunk> Regarding next thing that I think we should do - is to work on nova role integration with PKI
15:26:02 <noonedeadpunk> because iirc live migration with tunneling is going to be dropped in X
15:26:25 <noonedeadpunk> so we must have tls in place to release
15:32:04 <jrosser> that hopefully is not too difficult, as we kind of practice a bit now with the PKI role
15:32:25 <noonedeadpunk> and I do super dump istakes :(
15:32:30 <noonedeadpunk> *mistakes
15:32:41 <noonedeadpunk> *dumb
15:36:28 <noonedeadpunk> regarding reviews - I'd love to push a bit merge of murano fix https://review.opendev.org/c/openstack/openstack-ansible-os_murano/+/781239
15:37:00 <noonedeadpunk> and if we're fine with https://review.opendev.org/q/topic:%22bp%252Fprotecting-plaintext-configs%22+(status:open%20OR%20status:merged) as poc?
15:48:52 <spatel> anyone has any experience with server.com to renting servers for openstack?
15:49:14 <spatel> i am planning to build datacenter in EU and found these guys
15:50:01 <spatel> sorry if meeting is continuing.
15:50:13 <noonedeadpunk> #endmeeting