#openstack-ansible log

15:00:48 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:00:48 <opendevmeet> Meeting started Tue Dec 20 15:00:48 2022 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:48 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:48 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:00:53 <noonedeadpunk> #topic rollcall
15:00:58 <noonedeadpunk> o/
15:01:09 <jamesdenton> o/
15:01:17 <damiandabrowski> hi!
15:01:33 <mgariepy> hey o/
15:02:58 <noonedeadpunk> #topic office hours
15:03:20 <noonedeadpunk> So, congrats and thanks for all contributors who put an effort for Zed release
15:03:46 <noonedeadpunk> I wanted to count contributors but failed in a way time-wise for that :(
15:03:52 <jamesdenton> \o/
15:03:58 <damiandabrowski> \o/
15:04:16 <jamesdenton> big thanks to the heavy hitters who keep it all together
15:05:19 <noonedeadpunk> We obviously have issue with neutron :D
15:05:38 <noonedeadpunk> The thing that hits us on Zed with updated SHA for neutron, also hits for master
15:05:55 <noonedeadpunk> So we need to find the reason for https://review.opendev.org/c/openstack/openstack-ansible/+/867954
15:06:00 <jamesdenton> is there a known upstream bug by chance?
15:06:19 <jamesdenton> i can try to look into that
15:06:50 <noonedeadpunk> I reached neutron folks but they were not helpful and were saying that we try to do weird things liek create network multiple times. But likely I just need to narrow down to specific commit that brings this regression...
15:07:07 <noonedeadpunk> The thing is that only metal deploy does fail
15:07:12 <noonedeadpunk> and LXC is good
15:07:27 <jamesdenton> it's the lock wait timeout issue, right?
15:07:29 <noonedeadpunk> so it's smth when running neutron-server outside of the container
15:07:35 <noonedeadpunk> well... I guess
15:07:44 <noonedeadpunk> at least that's what I see in neutron logs.
15:08:14 <noonedeadpunk> I'd assume it can be realted to the sqlalchemy changes...
15:08:14 <jamesdenton> ok, i will try one locally today and see what's upo
15:08:50 <noonedeadpunk> As there was a workaround during branching/initial release that afterwards should be replaced with proper fix
15:09:21 <noonedeadpunk> I won't have time for that until end of the week for sure
15:11:46 <noonedeadpunk> Also I'm not really sure what we are testing until 867954 lands. So I'd say it's better to sort it out
15:12:11 <noonedeadpunk> Once it's done I'm thinking to check ansible-core 2.14 for 2023.1
15:13:49 <noonedeadpunk> I'm not sure what to do with openstack collection though
15:14:08 <noonedeadpunk> Also in terms of Zed. They were planning release of 2.0 early 2023
15:14:28 <noonedeadpunk> And now we have SHA in the middle of the master that obviously has some bugs and things in progress
15:15:29 <NeilHanlon> o/, here & late (as usual)
15:15:52 <noonedeadpunk> But I guess it would be good to backport usage of 2.0 after it get's tagged to Z
15:16:54 <noonedeadpunk> other then that we should add upgrade jobs from Yoga which means updating our upgrade script in some way
15:17:11 <noonedeadpunk> that will allow selection of destination?
15:17:18 <noonedeadpunk> or well, ask for the input?
15:18:41 <noonedeadpunk> I wonder if it should be smth like dialog or just super simple
15:18:43 <jamesdenton> meaning, Y->Z or Y->A?
15:18:47 <noonedeadpunk> Yup
15:18:55 <noonedeadpunk> or well
15:19:34 <noonedeadpunk> yes, options are correct, but I've jsut realized that for upgrade script we just checkout to destination and then run it
15:20:21 <noonedeadpunk> so it sounds, like we should detect just where we are based on the current git state and verify if it's valid or not....
15:20:23 <damiandabrowski> +1 for backporting openstack ansible collection later if 1.x works fine with Zed
15:20:32 <damiandabrowski> but as I can see, it does not officially support Zed :/
15:20:35 <damiandabrowski> "1.x.x releases of Ansible OpenStack collection are compatible with OpenStack SDK 0.x.x prior to 0.99.0 only (OpenStack Yoga and earlier)."
15:21:23 <noonedeadpunk> We use >1 but <2.0. So we use SHA from master, and they will create 2.0 from master as well, but in fairly later commit
15:21:34 <noonedeadpunk> 2.0 simply doesn't exist atm
15:21:58 <damiandabrowski> ah okok
15:22:03 <damiandabrowski> fine for me
15:22:26 <noonedeadpunk> so we're using even not alpha but some "work in progress" version that is stable enough according to our CI
15:23:45 <noonedeadpunk> the more I think about upgrsade jobs the more I feel complexity
15:25:30 <noonedeadpunk> Oh. Also we discussed yestarday that for PKI role it would be great to allow using *_pipe modules from crypto. Which means that module can accept cert or private key from variable rather from file. And variable can be set to any lookup plugin eventually.
15:25:52 <noonedeadpunk> That would enable us to store certs/private keys in vault/sops/encrypted with ansible-vault
15:26:58 <noonedeadpunk> The only thing is how to save/create/generate certs for the first time. as while reading them is relatively easy, creating is not in fact
15:28:10 <noonedeadpunk> I think question I have for everyone is - how do you save/store/manage certs? Hashi vault?
15:28:38 <noonedeadpunk> trying to narrow down options that we want to implement outside of file as it is today
15:31:43 <damiandabrowski> ouh, these *_pipe modules look promising
15:39:57 <jrosser> our deployments just have their certs using the pki role files on the deploy node today
15:40:07 <jrosser> but any other certs we have in hashi vault
15:40:46 <jrosser> i think that we should refactor the PKI role a bit as it stands to make a `file` backend and switch to the *_pipe modules
15:40:50 <noonedeadpunk> oh, btw, interesting question - how does hashi lookup module perform?
15:41:05 <jrosser> that should put in place all the structure needed to make the backend pluggable
15:41:34 <jrosser> we make it be in pre_tasks so it only calls it once, using lookup rather than the native module, but that is just history really
15:42:30 <noonedeadpunk> so while I do understand how to store in Vault, but I don't really understand how to store using sops for example, or ansible-vault
15:42:58 <jrosser> ansible vault is difficult - i did not find an example for using ansible to create a new ansible-vault-encrypted var
15:44:04 <noonedeadpunk> sops should support that though....
15:46:00 <noonedeadpunk> well, I guess creating such var/file can be matter of command, given that you've defined password file in ENV var
15:46:02 <jrosser> yeah community.sops.sops_encrypt
15:46:23 <noonedeadpunk> but it's tricky/nasty indeed
15:46:39 <jrosser> so what i was thinking is we should make tasks/standalone/{{backend}}_read.yml / _write.yml
15:47:09 <jrosser> and in the middle of including those is some 'generate' function that is conditional on if the read worked or not
15:48:09 <jrosser> abstract away how/where the private key comes from, it just needs to end up in some well known var and a status fact be set
15:48:47 <noonedeadpunk> and feed result of that to pipe... Yeah, that can work, though will be super complex
15:49:10 <noonedeadpunk> I wonder if we want to resurrect our idea with roles testing before messing up with that?
15:49:16 <noonedeadpunk> or well, your idea :)
15:49:21 <jrosser> that would be a great thing to do
15:49:56 <noonedeadpunk> that way we can try to ensure that we won't break current deplooyments very badly
15:50:09 <noonedeadpunk> as workflow sounds quite complex
15:50:39 <noonedeadpunk> btw we also might want to get our vault role in for tests of integration for that backend
15:51:09 <noonedeadpunk> (or use some 3rd party at worst)
15:51:53 <noonedeadpunk> well.. this has now quite solid list of pre-requisitives
15:53:03 <noonedeadpunk> but that's for good I think
15:56:08 <noonedeadpunk> I do like the idea
15:57:01 <damiandabrowski> btw. as I mentioned today, we have broken gating for xena, this patch aims to fix it: https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/868107
15:57:33 <damiandabrowski> yesterday*
15:57:57 <noonedeadpunk> damiandabrowski: well, you can't do that I think
15:58:30 <noonedeadpunk> max supported erlang is 24.2 for rabbit 3.9.8
15:58:34 <noonedeadpunk> https://www.rabbitmq.com/which-erlang.html
16:00:03 <damiandabrowski> awwww, you're right :|
16:00:13 <noonedeadpunk> well, time is over, so will wrap this up
16:00:14 <damiandabrowski> so i have to bump rabbitmq version as well
16:00:25 <noonedeadpunk> Also want to remind, that next 2 meetings are cancelled
16:01:02 <noonedeadpunk> So see you all on next meeting in 2023 :)
16:01:17 <noonedeadpunk> #endmeeting