15:00:52 #startmeeting openstack_ansible_meeting 15:00:52 Meeting started Tue May 3 15:00:52 2022 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:52 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:52 The meeting name has been set to 'openstack_ansible_meeting' 15:01:00 #topic rollcall 15:01:25 hey ! 15:01:31 o/ 15:02:49 o/ 15:05:25 o/ hello 15:05:49 #topic bug triage 15:06:23 heyo o/ 15:06:29 we have some new bug reports that we likely want to triage:) 15:08:08 #link https://bugs.launchpad.net/openstack-ansible/+bug/1971179 15:10:40 jrosser any thoughtson that? As I haven't looked into CSP at all... 15:12:09 well i'm not sure acutally 15:13:37 we set some cors overrides here 15:13:40 allow_headers: origin,content-md5,x-image-meta-checksum,x-storage-token,accept-encoding,x-auth-token,x-identity-status,x-roles,x-service-catalog,x-user-id,x-tenant-id,x-openstack-request-id 15:13:57 allowed_origin: "{{ external_horizon_fqdn }}" 15:15:05 it would help with some actual error there on LP to help 15:15:33 ^ agree 15:16:02 +1 to that 15:16:46 https://github.com/openstack/openstack-ansible-os_glance/blob/1d8cb0dbd9472e4bbd82a61bb569626e5b89d205/defaults/main.yml#L190 15:17:01 this suggests that they configure the external vip to be an IP rather than FQDN 15:18:20 i was able to replicate in my AIO 15:18:40 https://paste.opendev.org/show/bXO5EAH3U9G3eEeffzsd/ 15:18:46 indeed external vip is an IP 15:19:44 and that was something like `openstack image create ` ? 15:20:37 No, uploading via horizon 15:20:42 oh yes right 15:20:57 yeah, well, than I'd say it's confirmed 15:22:05 I'll put what I found in the LP 15:22:40 * jrosser wonders why it connects to the external VIP 15:23:30 me too, i would've expected some horizon-layer proxy into glance, not a direct call to the api port 15:24:01 are the endpoint in keystone set to the IP ? 15:24:44 Well, it depends on image upload mode 15:24:49 There's a direct and legacy one 15:25:08 possibly. it looks like glance returns the upload_url to the client, and then that url is used to POST the image 15:25:37 https://opendev.org/openstack/openstack-ansible-os_horizon/src/branch/master/defaults/main.yml#L163-L168 15:26:04 a-ha :) 15:27:46 let's go next 15:28:13 #link https://bugs.launchpad.net/openstack-ansible/+bug/1971175 15:28:39 It kind of sounds related 15:29:06 And at this point I'm not sure how previous one is valid 15:30:41 Maybe we should jsut suggest setting vip to domain and that's it... 15:31:13 yes - i'm not sure it will ever really work with the IP? 15:31:42 well...... 15:32:12 i think what i mean is that in a real deployment (not AIO) we expect the external VIP to have a certificate with the fqdn in it 15:32:23 and the fqdn to be used as the external vip in openstack_user_config 15:33:15 tbh there is more info needed here on this bug too 15:33:21 yeah, we likely should just explain there 15:38:29 i left a quick comment there asking for more info 15:38:45 ok, great, thanks! 15:39:11 #link https://bugs.launchpad.net/openstack-ansible/+bug/1970226 15:39:30 andrewbonney: did you have a chance to test out the patch mentioned to oslo? 15:40:36 i'm not sure andrewbonney is around just now but we can certainly look at that patch 15:40:48 ok, gotcha 15:41:29 I will likely leave other things for next meeting as we likely need to have smth else to discuss 15:41:47 #topic office hours 15:43:24 I will push a patch today for EM of V 15:43:40 thanks to mgariepy for looking at a bunch of older patches last week 15:47:08 things are looking reasonable for ubuntu 22.04, for the basic AIO jobs 15:47:50 there are a couple of small constraints things in horizon and rally which i guess are becasue they've not been tested on py3.10 before 15:49:55 so i started to fix/abandon old patches we have in gerrit last week. 15:49:56 ok, that's great. bad that it can't be more then exeprimantal though 15:50:10 but that's fair I believe 15:50:24 that sounds reasonably, it can be supported for Zed i think 15:50:41 some patches are backport on older branches . how far should we try to fix them ? 15:51:05 regarding older branches there are these patches https://review.opendev.org/c/openstack/openstack-ansible/+/838022 15:51:22 those are passing suprisingly many jobs with just some wierd error in the linters job 15:51:56 uh 15:52:15 should be easy to fix though 15:52:38 oh yes it's that same sha for config_template which broke on other branches 15:53:16 i forget that config_template does not branch 15:56:36 ho. on the rocky tests the ci does not have the passwd pkg installed.. which makes the hardening role fail. 15:57:03 should we ask opendev to add the pkg or shall we install it ourself? 15:57:28 for this one: https://review.opendev.org/c/openstack/ansible-hardening/+/835733 15:57:44 Jonathan Rosser proposed openstack/openstack-ansible stable/train: Mark OSA repository as safe in git.config in CI https://review.opendev.org/c/openstack/openstack-ansible/+/838022 15:59:09 Jonathan Rosser proposed openstack/openstack-ansible stable/stein: Mark OSA repository as safe in git.config in CI https://review.opendev.org/c/openstack/openstack-ansible/+/838023 16:00:43 mgariepy: we would put it here? https://github.com/openstack/openstack-ansible-openstack_hosts/blob/master/vars/redhat-8.yml#L53 16:01:59 NeilHanlon: any thoughts on that - if we should expect passwd to be present in the CI image? 16:03:03 it is in the cloud image.. 16:03:34 yeah that's.. weird. I guess because we are making the image from a container base. 16:06:20 I did a https://review.opendev.org/c/openstack/diskimage-builder/+/840352 16:06:52 cool. 16:07:19 i could patch os_hosts too if it'd help clear up the tests quickly 16:08:10 #endmeeting