15:01:34 #startmeeting openstack_ansible_meeting
15:01:34 Meeting started Tue Nov 8 15:01:34 2022 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:34 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:34 The meeting name has been set to 'openstack_ansible_meeting'
15:01:40 #topic rollcall
15:01:55 o/ hello
15:01:57 hi! I'm back from vacation
15:02:01 o\ I'm semi-around today, unfortunately
15:02:11 #chair jrosser
15:02:11 Current chairs: jrosser noonedeadpunk
15:02:41 Will give chair if need to run or get distracted
15:03:13 I'm on business trip this week so will be semi-around until Friday (
15:04:00 #topic office hours
15:04:34 actually, we likely have a bug to discuss as well... I wanted to play with it but was short on time
15:04:58 It was already discussed one day though
15:05:00 #link https://bugs.launchpad.net/openstack-ansible/+bug/1993575
15:07:58 hmm
15:08:49 the searching for variable names to use kind of has to work
15:09:00 as that's the only way that things like _pki_ca_defs get populated at all
15:09:46 yeah, true
15:10:02 maybe it was some misusage ofc, so I wanted to test this out one more time
15:10:09 As I believe it should work indeed
15:14:14 damiandabrowski: do you want to share your recent finding about mariabackup?
15:15:42 yeah, turns out that mariadb 10.6.8 (used in some Xena tags) is affected by a mariabackup bug: https://jira.mariadb.org/browse/MDEV-28758
15:16:09 i'll bump 10.6.8 to 10.6.9 later (10.6.9 is fixed)
15:17:47 there's one more thing: is it possible to merge this patch before Zed release?
15:17:47 https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/862171
15:17:50 +1
15:18:22 dependent patch is already merged but it broke horizon direct image upload. We need to merge the above one to get it back working
15:18:53 We have to release Zed by 15 of December
15:19:12 *16
15:20:09 And we should at least sort out glance image fully before that. What I mean - we should have full clearance if we should have 2 api spawned or not
15:20:45 ah ok, so i guess even we already created changes like this one: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/860551 we're not going to release soon
15:20:53 Maybe we should do that regardless, but make it configurable
15:21:14 Yes. So we need some reviews/rechecks as well
15:21:58 Also, Wallaby EM is coming
15:22:52 I wanted to make final release based on https://review.opendev.org/c/openstack/openstack-ansible/+/861601 before EM-ing
15:23:22 regarding 2 separate glance apis: in my opinion we don't have to do that, but let me copy paste my statement from some previous meeting:
15:23:26 regarding glance OSSN-0090: I've read it once again and things are pretty clear for me now.
15:23:29 I think the most important paragraph for us is: https://wiki.openstack.org/wiki/OSSN/OSSN-0090#:~:text=This%20brings%20us,the%20image%20data.
15:23:31 So actually we've made a huge improvement by disabling show_multiple_locations - it was a real threat.
15:23:36 show_image_direct_url is just a potential issue. There is no confirmed attack vector. It's only about exposing image location which may help attackers.
15:23:39 On the other hand if we take RBD backend as an example, I believe most of the deployments have default config so direct URL isn't hard to guess (images//snap).
15:23:42 So is it worth to increase complexity of os_glance role because of this? I'm not sure...
15:23:44 Especially when I really hope it will be fixed properly at some point. Maybe mentioning it in docs like kolla did is enough. I leave it for discussion.
15:23:47 My patches for zookeeper/skyline are still not merged fwiw. I've made a mistake in them and updated just yesterday. Will ping infra during the week
15:30:16 I think I more meant if you were able to talk to glance folks :)
15:31:47 i was going to talk to them because i didn't fully understand OSSN-0090 but after reading it once again i realized it's not needed anymore because everything is clear for me now
15:32:56 um. ok. Then maybe we can just add comment on show multistore variable to the role?
15:33:33 Tbh why I'm concerned a bit, is that we might need to have and show multiple URLs for one of our projects...
15:37:58 what comment do you have in mind? just an information saying that this option is unsafe? yeah, that would be good
15:38:40 additionally, I just realized I probably made a mistake in my changes... glance_show_multiple_locations should be disabled by default but it's not really
15:38:42 I'll fix it tomorrow
15:40:38 but regarding making use of `show_multiple_locations`, please be aware of what glance docs say nowadays: 'This option is deprecated for removal since Newton. Its value may be silently ignored in the future.'
15:40:47 'silently ignored' scares me a bit
15:41:38 yeah, but it's obviously not...
15:42:32 I have in mind AZ use case
15:44:03 that if you have 3 ceph clusters and want to have image uploaded once but available in all AZs - you might need to show multiple urls
15:45:24 yeah it's ok, i just wanted us to be aware that it can be silently ignored in the future without any release note :D at least that's how I understand it
15:45:33 but I guess we don't have any other option anyway
15:46:03 Well, there's a set of nasty solutions that are available :D
15:46:15 but yes, you're right about that
15:54:13 there's one more thing: as I promised on PTG, I'll start work on internal TLS soon
16:00:57 #endmeeting