15:00:52 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:00:52 <opendevmeet> Meeting started Tue May  3 15:00:52 2022 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:52 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:52 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:01:00 <noonedeadpunk> #topic rollcall
15:01:25 <mgariepy> hey !
15:01:31 <noonedeadpunk> o/
15:02:49 <ebbex> o/
15:05:25 <jrosser> o/ hello
15:05:49 <noonedeadpunk> #topic bug triage
15:06:23 <NeilHanlon> heyo o/
15:06:29 <noonedeadpunk> we have some new bug reports that we likely want to triage:)
15:08:08 <noonedeadpunk> #link https://bugs.launchpad.net/openstack-ansible/+bug/1971179
15:10:40 <noonedeadpunk> jrosser any thoughts on that? As I haven't looked into CSP at all...
15:12:09 <jrosser> well i'm not sure actually
15:13:37 <jrosser> we set some cors overrides here
15:13:40 <jrosser> allow_headers: origin,content-md5,x-image-meta-checksum,x-storage-token,accept-encoding,x-auth-token,x-identity-status,x-roles,x-service-catalog,x-user-id,x-tenant-id,x-openstack-request-id
15:13:57 <jrosser> allowed_origin: "{{ external_horizon_fqdn }}"
15:15:05 <jrosser> it would help with some actual error there on LP to help
15:15:33 <NeilHanlon> ^ agree
15:16:02 <noonedeadpunk> +1 to that
15:16:46 <jrosser> https://github.com/openstack/openstack-ansible-os_glance/blob/1d8cb0dbd9472e4bbd82a61bb569626e5b89d205/defaults/main.yml#L190
15:17:01 <jrosser> this suggests that they configure the external vip to be an IP rather than FQDN
15:18:20 <NeilHanlon> i was able to replicate in my AIO
15:18:40 <NeilHanlon> https://paste.opendev.org/show/bXO5EAH3U9G3eEeffzsd/
15:18:46 <NeilHanlon> indeed external vip is an IP
15:19:44 <jrosser> and that was something like `openstack image create <blah> <blah>` ?
15:20:37 <NeilHanlon> No, uploading via horizon
15:20:42 <jrosser> oh yes right
15:20:57 <noonedeadpunk> yeah, well, then I'd say it's confirmed
15:22:05 <NeilHanlon> I'll put what I found in the LP
15:22:40 * jrosser wonders why it connects to the external VIP
15:23:30 <NeilHanlon> me too, i would've expected some horizon-layer proxy into glance, not a direct call to the api port
15:24:01 <mgariepy> are the endpoints in keystone set to the IP?
15:24:44 <noonedeadpunk> Well, it depends on image upload mode
15:24:49 <noonedeadpunk> There's a direct and legacy one
15:25:08 <NeilHanlon> possibly. it looks like glance returns the upload_url to the client, and then that url is used to POST the image
15:25:37 <noonedeadpunk> https://opendev.org/openstack/openstack-ansible-os_horizon/src/branch/master/defaults/main.yml#L163-L168
15:26:04 <NeilHanlon> a-ha :)
15:27:46 <noonedeadpunk> let's go next
15:28:13 <noonedeadpunk> #link https://bugs.launchpad.net/openstack-ansible/+bug/1971175
15:28:39 <noonedeadpunk> It kind of sounds related
15:29:06 <noonedeadpunk> And at this point I'm not sure how previous one is valid
15:30:41 <noonedeadpunk> Maybe we should just suggest setting vip to domain and that's it...
15:31:13 <jrosser> yes - i'm not sure it will ever really work with the IP?
15:31:42 <jrosser> well......
15:32:12 <jrosser> i think what i mean is that in a real deployment (not AIO) we expect the external VIP to have a certificate with the fqdn in it
15:32:23 <jrosser> and the fqdn to be used as the external vip in openstack_user_config
15:33:15 <jrosser> tbh there is more info needed here on this bug too
15:33:21 <noonedeadpunk> yeah, we likely should just explain there
15:38:29 <jrosser> i left a quick comment there asking for more info
15:38:45 <noonedeadpunk> ok, great, thanks!
15:39:11 <noonedeadpunk> #link https://bugs.launchpad.net/openstack-ansible/+bug/1970226
15:39:30 <noonedeadpunk> andrewbonney: did you have a chance to test out the patch mentioned to oslo?
15:40:36 <jrosser> i'm not sure andrewbonney is around just now but we can certainly look at that patch
15:40:48 <noonedeadpunk> ok, gotcha
15:41:29 <noonedeadpunk> I will likely leave other things for next meeting as we likely need to have smth else to discuss
15:41:47 <noonedeadpunk> #topic office hours
15:43:24 <noonedeadpunk> I will push a patch today for EM of V
15:43:40 <jrosser> thanks to mgariepy for looking at a bunch of older patches last week
15:47:08 <jrosser> things are looking reasonable for ubuntu 22.04, for the basic AIO jobs
15:47:50 <jrosser> there are a couple of small constraints things in horizon and rally which i guess are because they've not been tested on py3.10 before
15:49:55 <mgariepy> so i started to fix/abandon old patches we have in gerrit last week.
15:49:56 <noonedeadpunk> ok, that's great. bad that it can't be more than experimental though
15:50:10 <noonedeadpunk> but that's fair I believe
15:50:24 <jrosser> that sounds reasonable, it can be supported for Zed i think
15:50:41 <mgariepy> some patches are backports on older branches. how far should we try to fix them?
15:51:05 <jrosser> regarding older branches there are these patches https://review.opendev.org/c/openstack/openstack-ansible/+/838022
15:51:22 <jrosser> those are passing surprisingly many jobs with just some weird error in the linters job
15:51:56 <noonedeadpunk> uh
15:52:15 <noonedeadpunk> should be easy to fix though
15:52:38 <jrosser> oh yes it's that same sha for config_template which broke on other branches
15:53:16 <jrosser> i forget that config_template does not branch
15:56:36 <mgariepy> ho. on the rocky tests the ci does not have the passwd pkg installed.. which makes the hardening role fail.
15:57:03 <mgariepy> should we ask opendev to add the pkg or shall we install it ourself?
15:57:28 <mgariepy> for this one: https://review.opendev.org/c/openstack/ansible-hardening/+/835733
15:57:44 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible stable/train: Mark OSA repository as safe in git.config in CI  https://review.opendev.org/c/openstack/openstack-ansible/+/838022
15:59:09 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible stable/stein: Mark OSA repository as safe in git.config in CI  https://review.opendev.org/c/openstack/openstack-ansible/+/838023
16:00:43 <jrosser> mgariepy: we would put it here? https://github.com/openstack/openstack-ansible-openstack_hosts/blob/master/vars/redhat-8.yml#L53
16:01:59 <jrosser> NeilHanlon: any thoughts on that - if we should expect passwd to be present in the CI image?
16:03:03 <mgariepy> it is in the cloud image..
16:03:34 <NeilHanlon> yeah that's.. weird. I guess because we are making the image from a container base.
16:06:20 <NeilHanlon> I did a https://review.opendev.org/c/openstack/diskimage-builder/+/840352
16:06:52 <mgariepy> cool.
16:07:19 <NeilHanlon> i could patch os_hosts too if it'd help clear up the tests quickly
16:08:10 <noonedeadpunk> #endmeeting