15:02:22 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:02:22 <opendevmeet> Meeting started Tue Apr 25 15:02:22 2023 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:22 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:22 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:02:26 <noonedeadpunk> #topic rollcall
15:02:31 <noonedeadpunk> sorry for the delay
15:02:35 <NeilHanlon> o/ heya
15:02:42 <noonedeadpunk> was a bit o_O on a raid controller
15:02:49 <noonedeadpunk> o/
15:02:51 <damiandabrowski> hi!
15:04:29 <jrosser> o/ hello
15:05:19 <noonedeadpunk> #topic office hours
15:05:55 <noonedeadpunk> First of all let me greet NeilHanlon as a new member of OSA Core Reviewers group! Thanks for all work you do and welcome aboard!
15:06:43 <NeilHanlon> thank you! I appreciate all your confidence
15:06:46 <jrosser> excellent
15:06:48 <NeilHanlon> i'll try not to break too many things
15:07:08 <noonedeadpunk> we still do :D
15:07:26 <damiandabrowski> welcome! \o/
15:09:27 <noonedeadpunk> Next to that small reminder - we have exactly 1 month left for 2023.1 release. And out of agreed stuff we have tls and upgrade jobs that need landing
15:11:10 <noonedeadpunk> For upgrades I've proposed this patch: https://review.opendev.org/c/openstack/openstack-ansible/+/879884
15:12:04 <noonedeadpunk> This is another important part and not only for distro jobs: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/880761
15:12:52 <noonedeadpunk> Regarding TLS - we have this topic going on - https://review.opendev.org/q/topic:tls-backend
15:13:07 <noonedeadpunk> Separated haproxy config has been merged at this point
15:13:28 <noonedeadpunk> Today during discussion on TLS we agreed to review https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/876429 now.
15:13:48 <noonedeadpunk> Once it will satisfy everyone, damiandabrowski will be able to proceed updating all others
15:15:18 <noonedeadpunk> With that we need to decide on default behaviour. If we want to switch it to have internal tls be default or not
15:15:42 <jrosser> it is good to see this has passed https://review.opendev.org/c/openstack/openstack-ansible/+/879501
15:15:53 <noonedeadpunk> As at the moment, outside of AIO, internal endpoint won't be covered with TLS. Though galera and rabbitmq communications will be protected
15:16:12 <noonedeadpunk> at least once :D
15:16:32 <noonedeadpunk> but yes, that's quite sweet
15:18:26 <cloudnull> O-nice. TLS backends by default?
15:18:28 <NeilHanlon> very good to see that! :D
15:18:41 <NeilHanlon> have we seen this before? https://paste.opendev.org/show/bJ3qHVpW1RLVqjXlUJKP/
15:19:12 <cloudnull> that's sweet.
15:19:45 <noonedeadpunk> NeilHanlon: I think yes, and there should be rescue part
15:20:08 <noonedeadpunk> so it should not be critical failure
15:20:21 <jrosser> would be nice to get rid of that
15:20:38 <NeilHanlon> ah, good enough.. trying to debug a different error i'm having during neutron install
15:20:46 <noonedeadpunk> iirc it was tricky, and cloudnull might have better memories of that :)
15:21:08 <NeilHanlon> https://paste.opendev.org/show/bG8sYIvHkrdXeUWmcMZk/
15:21:11 <noonedeadpunk> Regarding TLS by default - I'm not sure at the moment.
15:21:27 <cloudnull> noonedeadpunk those are things I'd rather forget :D
15:21:38 <noonedeadpunk> fair enough :D
15:21:40 <cloudnull> it's awesome seeing that go forward
15:21:44 <cloudnull> ++ nice work
15:22:14 <noonedeadpunk> So regarding TLS I would rather leave defaults as is for now. And maybe enable that on 2024.1
15:22:34 <noonedeadpunk> As it's quite close to the release and we haven't tested that enough to make it default
15:22:55 <noonedeadpunk> But we totally should create a job that would cover this path for sure
15:22:58 <cloudnull> NeilHanlon re: the mount issue. you can run something like `systemctl status "$(systemd-escape -p --suffix=mount /var/www/repo)"` to see what that mount service unit is doing?
15:23:06 <jrosser> i wonder if we can use `lsmount` or something
15:23:20 <NeilHanlon> cloudnull: yeah the mount itself is fine, from what I can tell, just doesn't support remount
15:23:31 <cloudnull> ah - that could be.
15:23:38 <cloudnull> is that in the service unit?
15:23:51 <noonedeadpunk> cloudnull: https://opendev.org/openstack/ansible-role-systemd_mount/src/branch/master/tasks/systemd_mounts.yml#L75-L85
15:23:56 <NeilHanlon> regarding my other issue w/ neutron, seems they're just not there, so probably an issue with something else anyways lol
15:24:08 <damiandabrowski> I'm okay with enabling TLS backend by default in 2024.1
15:24:16 <noonedeadpunk> but I think it's glusterfs in topic
15:24:33 <jrosser> if we need to test if something is a mount then there is this https://github.com/openstack/openstack-ansible-repo_server/blob/stable/zed/tasks/repo_pre_install.yml#L40
15:24:38 <cloudnull> yeah I knew I remembered this being my fault.
15:25:05 <noonedeadpunk> I tried to check that but realized that can't come up with anything better
15:25:37 <cloudnull> so maybe https://opendev.org/openstack/ansible-role-systemd_mount/src/branch/master/vars/main.yml#L18-L19 just needs to be set to start/stop
15:26:55 <cloudnull> also I guess https://opendev.org/openstack/ansible-role-systemd_mount/src/branch/master/vars/main.yml#L17 never quite worked right
15:27:41 <cloudnull> maybe it used to be silent in older systemd? not sure.
15:28:13 <jrosser> it seems kind of trivial thing but it does alarm a lot of people who see the failed task
15:28:26 <cloudnull> ++
15:28:33 <NeilHanlon> (like me...)
15:31:29 <noonedeadpunk> damiandabrowski: so I think we should add a job, that will enable TLS for internal/admin endpoints (with rollback of behaviour to just default that is non-tls) and between haproxy/uwsgi
15:32:06 <noonedeadpunk> then we can revert this thing
15:32:21 <noonedeadpunk> (leaving non-tls job as a separate one)
15:35:06 <damiandabrowski> so create a separate job that will deploy openstack with frontend & backend TLS enabled and then disable both backend and frontend TLS?
15:36:31 <noonedeadpunk> let me re-phrase this :)
15:37:03 <noonedeadpunk> right now jobs do deploy frontend with TLS for internal VIP, that is not default behaviour
15:37:13 <noonedeadpunk> So we return main jobs just to defaults
15:42:21 <damiandabrowski> ok, and what's next? how are we going to test tls backend? :D
15:42:52 <noonedeadpunk> Yes, so and for TLS backend we add another job for rocky/ubuntu
15:44:03 <damiandabrowski> ok, i think i get it now
15:44:09 <jrosser> it will be much more obvious
15:44:13 <damiandabrowski> Can I count on your help with zuul?
15:44:24 <jrosser> `tls` in the job name to drop in the right vars and off we go
15:44:50 <noonedeadpunk> damiandabrowski: sure, I can make such job when we're ready or just help out :)
15:45:03 <jrosser> you should be able to use what i did for proxy/stepca as a boilerplate for how that works
15:45:18 <damiandabrowski> okok thanks
15:45:32 <damiandabrowski> is it okay to include CI logic in this patch? https://review.opendev.org/c/openstack/openstack-ansible/+/879085
15:45:36 <damiandabrowski> or should i create separate one?
15:46:10 <jrosser> small patches = good :)
15:46:37 <damiandabrowski> ok ;)
15:52:12 <noonedeadpunk> We have couple of roles broken btw
15:52:20 <noonedeadpunk> Among them are magnum and zun
15:52:41 <noonedeadpunk> For zun I will try to invest some time and try to see why it's stuck
15:54:07 <noonedeadpunk> regarding magnum - error is that we can't update cluster label/properties.
15:54:13 <noonedeadpunk> *cluster template
15:56:16 <noonedeadpunk> Eventually that sounds to me now, that there's issue with module...
15:56:38 <noonedeadpunk> So we're supplying same `magnum_cluster_templates` but on second execution module just errors out?
15:58:22 <noonedeadpunk> ofc we can comment out https://opendev.org/openstack/openstack-ansible/src/branch/master/tests/roles/bootstrap-host/templates/user_variables_magnum.yml.j2#L36-L41 but still feels like some module issue after refactoring
16:03:24 <noonedeadpunk> #endmeeting