15:01:34 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:01:34 <opendevmeet> Meeting started Tue Nov  8 15:01:34 2022 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:34 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:34 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:01:40 <noonedeadpunk> #topic rollcall
15:01:55 <jrosser> o/ hello
15:01:57 <damiandabrowski> hi! I'm back from vacation
15:02:01 <noonedeadpunk> o\ I'm semi-around today, unfortunately
15:02:11 <noonedeadpunk> #chair jrosser
15:02:11 <opendevmeet> Current chairs: jrosser noonedeadpunk
15:02:41 <noonedeadpunk> Will give chair if need to run or get distracted
15:03:13 <noonedeadpunk> I'm on a business trip this week so will be semi-around until Friday (
15:04:00 <noonedeadpunk> #topic office hours
15:04:34 <noonedeadpunk> actually, we likely have a bug to discuss as well... I wanted to play with it but was short on time
15:04:58 <noonedeadpunk> It was already discussed one day though
15:05:00 <noonedeadpunk> #link https://bugs.launchpad.net/openstack-ansible/+bug/1993575
15:07:58 <jrosser> hmm
15:08:49 <jrosser> the searching for variable names to use kind of has to work
15:09:00 <jrosser> as thats the only way that things like _pki_ca_defs get populated at all
15:09:46 <noonedeadpunk> yeah, true
15:10:02 <noonedeadpunk> maybe it was some misusage ofc, so I wanted to test this out one more time
15:10:09 <noonedeadpunk> As I believe it should work indeed
15:14:14 <noonedeadpunk> damiandabrowski: do you want to share your recent finding about mariabackup?
15:15:42 <damiandabrowski> yeah, turns out that mariadb 10.6.8(used in some Xena tags) is affected by a mariabackup bug: https://jira.mariadb.org/browse/MDEV-28758
15:16:09 <damiandabrowski> i'll bump 10.6.8 to 10.6.9 later(10.6.9 is fixed)
15:17:47 <damiandabrowski> there's one more thing: is it possible to merge this patch before Zed release?
15:17:47 <damiandabrowski> https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/862171
15:17:50 <noonedeadpunk> +1
15:18:22 <damiandabrowski> dependent patch is already merged but it broke horizon direct image upload. We need to merge the above one to get it back working
15:18:53 <noonedeadpunk> We have to release Zed before by 15 of December
15:19:12 <noonedeadpunk> *16
15:20:09 <noonedeadpunk> And we should at least sort out glance image fully before that. What I mean - we should have full clearance if we should have 2 api spawned or not
15:20:45 <damiandabrowski> ah ok, so i guess even we already created changes like this one: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/860551 we're not going to release soon
15:20:53 <noonedeadpunk> Maybe we should do that regardless, but make it configurable
15:21:14 <noonedeadpunk> Yes. So we need some reviews/rechecks as well
15:21:58 <noonedeadpunk> Also, Wallaby EM is coming
15:22:52 <noonedeadpunk> I wanted to make final release based on https://review.opendev.org/c/openstack/openstack-ansible/+/861601 before EM-ing
15:23:22 <damiandabrowski> regarding 2 separate glance apis: in my opinion we don't have to do that, but let me copy paste my statement from some previous meeting:
15:23:26 <damiandabrowski> regarding glance OSSN-0090: I've read it once again and things are pretty clear for me now.
15:23:29 <damiandabrowski> I think the most important paragraph for us is: https://wiki.openstack.org/wiki/OSSN/OSSN-0090#:~:text=This%20brings%20us,the%20image%20data.
15:23:31 <damiandabrowski> So actually we've made a huge improvement by disabling show_multiple_locations - it was a real threat.
15:23:36 <damiandabrowski> show_image_direct_url is just a potential issue. There is no confirmed attack vector. It's only about exposing image location which may help attackers.
15:23:39 <damiandabrowski> On the other hand if we take RBD backend as an example, I believe most of the deployments have default config so direct URL isn't hard to guess(images/<image_id>/snap).
15:23:42 <damiandabrowski> So is it worth to increase complexity of os_glance role because of this? I'm not sure...
15:23:44 <damiandabrowski> Especially when I really hope it will be fixed properly at some point. Maybe mentioning it in docs like kolla did is enough. I leave it for discussion.
15:23:47 <noonedeadpunk> My patches for zookeeper/skyline are still not merged fwiw. I've made a mistake in them and updated just yesterday. Will ping infra during the week
15:30:16 <noonedeadpunk> I think I more meant if you were able to talk to glance folks :)
15:31:47 <damiandabrowski> i was going to talk to them because i didn't fully understand OSSN-0090 but after reading it once again i realized it's not needed anymore because everything is clear for me now
15:32:56 <noonedeadpunk> um. ok. Then maybe we can just add comment on show multistore variable to the role?
15:33:33 <noonedeadpunk> Tbh why I'm concerned a bit, is that we might need to have and show multiple URLs for one of our projects...
15:37:58 <damiandabrowski> what comment do you have in mind? just an information saying that this option is unsafe? yeah, that would be good
15:38:40 <damiandabrowski> additionally, I just realized I probably made a mistake in my changes...glance_show_multiple_locations should be disabled by default but it's not really
15:38:42 <damiandabrowski> I'll fix it tomorrow
15:40:38 <damiandabrowski> but regarding making use of `show_multiple_locations`, please be aware of what glance docs say nowadays: 'This option is deprecated for removal since Newton. Its value may be silently ignored in the future.'
15:40:47 <damiandabrowski> 'silently ignored' scares me a bit
15:41:38 <noonedeadpunk> yeah, but it's obviously not...
15:42:32 <noonedeadpunk> I have in mind AZ usecase
15:44:03 <noonedeadpunk> that if you have 3 ceph clusters and want to have image uploaded once but available in all AZs - you might need to show multiple urls
15:45:24 <damiandabrowski> yeah it's ok, i just wanted us to be aware that it can be silently ignored in the future without any release note :D at least that's how I understand it
15:45:33 <damiandabrowski> but I guess we don't have any other option anyway
15:46:03 <noonedeadpunk> Well, there's a set of nasty solutions that are available :D
15:46:15 <noonedeadpunk> but yes, you're right about that
15:54:13 <damiandabrowski> there's one more thing: as I promised on PTG, I'll start work on internal TLS soon
16:00:57 <noonedeadpunk> #endmeeting