15:01:34 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:01:34 <opendevmeet> Meeting started Tue Nov 8 15:01:34 2022 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:34 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:34 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:01:40 <noonedeadpunk> #topic rollcall
15:01:55 <jrosser> o/ hello
15:01:57 <damiandabrowski> hi! I'm back from vacation
15:02:01 <noonedeadpunk> o\ I'm semi-around today, unfortunately
15:02:11 <noonedeadpunk> #chair jrosser
15:02:11 <opendevmeet> Current chairs: jrosser noonedeadpunk
15:02:41 <noonedeadpunk> Will give chair if need to run or get distracted
15:03:13 <noonedeadpunk> I'm on business trip this week so will be semi-around until friday (
15:04:00 <noonedeadpunk> #topic office hours
15:04:34 <noonedeadpunk> actually, we likely have a bug to discuss as well... I wanted to play with it but was short on time
15:04:58 <noonedeadpunk> It was already discussed one day though
15:05:00 <noonedeadpunk> #link https://bugs.launchpad.net/openstack-ansible/+bug/1993575
15:07:58 <jrosser> hmm
15:08:49 <jrosser> the searching for variable names to use kind of has to work
15:09:00 <jrosser> as that's the only way that things like _pki_ca_defs get populated at all
15:09:46 <noonedeadpunk> yeah, true
15:10:02 <noonedeadpunk> maybe it was some misusage ofc, so I wanted to test this out one more time
15:10:09 <noonedeadpunk> As I believe it should work indeed
15:14:14 <noonedeadpunk> damiandabrowski: do you want to share your recent finding about mariabackup?
15:15:42 <damiandabrowski> yeah, turns out that mariadb 10.6.8 (used in some Xena tags) is affected by a mariabackup bug: https://jira.mariadb.org/browse/MDEV-28758
15:16:09 <damiandabrowski> i'll bump 10.6.8 to 10.6.9 later (10.6.9 is fixed)
15:17:47 <damiandabrowski> there's one more thing: is it possible to merge this patch before Zed release?
15:17:47 <damiandabrowski> https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/862171
15:17:50 <noonedeadpunk> +1
15:18:22 <damiandabrowski> dependent patch is already merged but it broke horizon direct image upload. We need to merge the above one to get it back working
15:18:53 <noonedeadpunk> We have to release Zed before by 15 of December
15:19:12 <noonedeadpunk> *16
15:20:09 <noonedeadpunk> And we should at least sort out glance image fully before that. What I mean - we should have full clearance if we should have 2 api spawned or not
15:20:45 <damiandabrowski> ah ok, so i guess even we already created changes like this one: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/860551 we're not going to release soon
15:20:53 <noonedeadpunk> Maybe we should do that regardless, but make it configurable
15:21:14 <noonedeadpunk> Yes. So we need some reviews/rechecks as well
15:21:58 <noonedeadpunk> Also, Wallaby EM is coming
15:22:52 <noonedeadpunk> I wanted to make final release based on https://review.opendev.org/c/openstack/openstack-ansible/+/861601 before EM-ing
15:23:22 <damiandabrowski> regarding 2 separate glance apis: in my opinion we don't have to do that, but let me copy paste my statement from some previous meeting:
15:23:26 <damiandabrowski> regarding glance OSSN-0090: I've read it once again and things are pretty clear for me now.
15:23:29 <damiandabrowski> I think the most important paragraph for us is: https://wiki.openstack.org/wiki/OSSN/OSSN-0090#:~:text=This%20brings%20us,the%20image%20data.
15:23:31 <damiandabrowski> So actually we've made a huge improvement by disabling show_multiple_locations - it was a real threat.
15:23:36 <damiandabrowski> show_image_direct_url is just a potential issue. There is no confirmed attack vector. It's only about exposing image location which may help attackers.
15:23:39 <damiandabrowski> On the other hand if we take RBD backend as an example, I believe most of the deployments have default config so direct URL isn't hard to guess (images/<image_id>/snap).
15:23:42 <damiandabrowski> So is it worth to increase complexity of os_glance role because of this? I'm not sure...
15:23:44 <damiandabrowski> Especially when I really hope it will be fixed properly at some point. Maybe mentioning it in docs like kolla did is enough. I leave it for discussion.
15:23:47 <noonedeadpunk> My patches for zookeeper/skyline are still not merged fwiw. I've made a mistake in them and updated just yesterday. Will ping infra during the week
15:30:16 <noonedeadpunk> I think I more meant if you were able to talk to glance folks :)
15:31:47 <damiandabrowski> i was going to talk to them because i didn't fully understand OSSN-0090 but after reading it once again i realized it's not needed anymore because everything is clear for me now
15:32:56 <noonedeadpunk> um. ok. Then maybe we can just add comment on show multistore variable to the role?
15:33:33 <noonedeadpunk> Tbh why I'm concerned a bit, is that we might need to have and show multiple URLs for one of our projects...
15:37:58 <damiandabrowski> what comment do you have in mind? just an information saying that this option is unsafe?
yeah, that would be good
15:38:40 <damiandabrowski> additionally, I just realized I probably made a mistake in my changes... glance_show_multiple_locations should be disabled by default but it's not really
15:38:42 <damiandabrowski> I'll fix it tomorrow
15:40:38 <damiandabrowski> but regarding making use of `show_multiple_locations`, please be aware of what glance docs say nowadays: 'This option is deprecated for removal since Newton. Its value may be silently ignored in the future.'
15:40:47 <damiandabrowski> 'silently ignored' scares me a bit
15:41:38 <noonedeadpunk> yeah, but it's obviously not...
15:42:32 <noonedeadpunk> I have in mind AZ use case
15:44:03 <noonedeadpunk> that if you have 3 ceph clusters and want to have image uploaded once but available in all AZs - you might need to show multiple urls
15:45:24 <damiandabrowski> yeah it's ok, i just wanted us to be aware that it can be silently ignored in the future without any release note :D at least that's how I understand it
15:45:33 <damiandabrowski> but I guess we don't have any other option anyway
15:46:03 <noonedeadpunk> Well, there's a set of nasty solutions that are available :D
15:46:15 <noonedeadpunk> but yes, you're right about that
15:54:13 <damiandabrowski> there's one more thing: as I promised on PTG, I'll start work on internal TLS soon
16:00:57 <noonedeadpunk> #endmeeting