15:00:12 #startmeeting openstack_ansible_meeting 15:00:12 Meeting started Tue Aug 6 15:00:12 2024 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:12 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:12 The meeting name has been set to 'openstack_ansible_meeting' 15:00:18 #topic rollcall 15:00:20 o/ 15:00:24 o/ hello 15:00:28 o/ 15:03:20 #topic office hours 15:03:42 So, I think we're ready to have new bugfix releases for stable branches 15:04:05 though, I realized that it's probably worth pinging/bumping config_template collection for that 15:04:19 #link https://review.opendev.org/c/openstack/releases/+/925750 15:04:28 or, we can include it in the next one 15:04:43 there's 1 "bugfix" that mainly affects 1 nova thing 15:05:26 so this topic is useless without config_template update 15:05:28 #link https://review.opendev.org/q/Ifc1239e4ef768e94c44d8d07df7a0b93c73638f9 15:05:54 Im kinda fine with both options 15:07:05 ah so in order to be able to use that we need to bump the version of config_template on stable branches? 15:07:11 yeah 15:08:09 maybe frickler will be able to help landing it when around :D 15:08:29 well - the change it needs to config_template is kind of small 15:08:43 not like a large change 15:09:06 yeah, so it should be not an issue to update it's version 15:09:17 just matter of time 15:09:28 i think thats OK if your happy with that 15:10:01 then, I just found an outstanding topic, that's been a while after initial discussion. 15:10:13 #link https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/922837 15:10:53 was going to ask if probably you have a better workaround already in place? 15:11:29 that would be a question best for andrewbonney i think 15:12:00 as I wasn;t able to iterate on that and even already forgot what the problem was :( 15:12:24 Just reminding myself... 15:12:33 and that sounds like smth worth backporting to 2024.1 at very least 15:12:42 well yes - i think that at the moment the code doesnt really account for the deploy host being seperate 15:12:47 ^ sort of 15:13:05 and that you want to treat the utility containers as deleteable 15:13:18 yeah, true 15:13:28 now I've recalled 15:13:44 Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Enchance reference_group logic for inventory https://review.opendev.org/c/openstack/openstack-ansible/+/923596 15:13:55 perhaps it is actually better that the keypair is created on the deploy host, completely seperate 15:14:52 For this since we use an ansible role to deploy OSA to our deployment host, we copy over the octavia private key to deployment host, which then gets deployed to utility lxc, and added a task to utility playbook to deploy the key to utility lxc in event it is deleted 15:15:18 Maybe doesn't fit the use case here 15:15:37 i think the issue here is that in the past it worked kind of like that 15:16:00 but refactoring to use the openstack_resources role to handle creating the keypair has pretty different behaviour 15:16:33 but to be fair - location on the deploy host was also very unfortunate, as it was under ${HOME} 15:16:54 oh indeed yes 15:16:54 Yeah, I think I worked around this when upgrading to C making sure the existing keys were manually in the right places to prevent tasks running, but that doesn't fix things if we needed to do a fresh deploy with our model 15:17:09 so, we had some envs, where keypair was created under certain user home directories rather then "assumed" /root 15:17:27 we could move to the ssh_keypairs role we have in the plugins repo 15:17:54 then i think this all gets regularised with the other autogenerated keys 15:17:56 but I think this is smth we'd need to fix before doing 29.1.0? as this totally will mess upgrades... 15:18:52 and thinking about that... I guess I will get some time this week to look into the patch as part of upgrade preparation.. 15:19:19 imho it is just making things more difficult by having nova generate the keypair 15:19:50 So openstack_resources role does not rely on nova for that anymore 15:20:01 moreover - this behaviour is deprecated in nova 15:20:15 so current microapi will refuse to generate a keypair for you 15:20:32 oh then we need to fix `comment: Generated-by-Nova` 15:21:02 well. the problem with the comment is... that for existing keys module will either fail or rewrite the key depending on options 15:21:16 so it's done to make it idempotent for upgrades case... 15:21:21 ah 15:21:40 (but as we know - upgrades are borked out of aio anyway) 15:21:58 we should just patch octavia to have an ssh CA :) 15:22:07 then you could make the key only when you need it 15:22:29 hehe 15:22:54 that would be too good 15:23:20 ok, another thing, is that we have a lot of CI failures recently 15:23:29 hmm well if you have some time to think about it - i don't think we will fix it here just now 15:23:40 yes i was trying to keep a list of whats failing 15:24:24 a bunch of failing to retrieve u-c which i think could be some regression as i thought we got that locally 15:24:44 a bunch of failing to download cirros which needs openstack_resources to have a concept of a cache directiry 15:24:51 one big change is that nginx got replaced with apache 15:24:54 ceph seems fragile 15:25:16 and there was obvious issue with rocky tls jobs which is now fixed 15:25:46 yeah, openstack_resources totally needs a bit more love regarding images... 15:26:19 And I also spotted ceph, but it seems to fail somewhere on tempest 15:26:27 right - we did discuss caching / format conversion / which SHA to specify previously 15:28:46 yeah, though was not able to check on that specifically 15:29:06 was trying to fix the tests repo - utter waste of time :( 15:29:28 we're doing so much things differently now.... 15:31:54 ah. btw I've tried to propose some change to the apache role which we could potentially use, but seems it didn't went particulary well: https://github.com/geerlingguy/ansible-role-apache/pull/256 15:32:18 and yeah. there's quite some complexity needed not to break existing deployments 15:32:45 so likely we'd need to come up with own one (as usual) 15:33:45 and it's still on me to document how to run services on domain.com/ 15:34:45 pretty much got that example working :D 15:37:03 ended pretty much with this for services that use uwsgi: https://paste.openstack.org/show/bExMotkR2J2rZFmR9AzH/ 15:37:58 but for those, that are not, I have to add `public_endpoint` option, ie for glance https://paste.openstack.org/show/bTA86aXPXL5rjHOJ6njP/ 15:38:17 so having subdomains is way more neat, imo... 15:40:36 but question stands - how to make such setup neat enough 15:41:46 or just let it be documentation only 15:44:07 subdomains are much neater - especially when dealing with multiple regions, prefer this too 15:45:58 the problem I was trying to solve - have single let's encrypt certificate 15:46:52 But well, it's possible to specify all subdomains in the list as well... 15:47:42 though until you will want to have different certs for internal and external endpoints... 15:49:22 but yeah - I wasn't able to make RGW to work under URI at all 15:49:24 one thing you can do, if you place behind cloudflare using advance cert subscription, it proxys all. Still uses lets encrypt but makes management very simple and only a small fee 15:49:54 well - we can't use cloudflare compliance wise 15:49:59 ah :( 15:50:15 but yeah, I have 2 options here, so hopefully will document both of them soon 15:50:35 I successfully modified the network configuration of an AIO in between deployment steps and ended up with an environment where I can create floating IPs that live on my physical network. Now I'll re-image and try using the same configuration files for a standard install. 15:53:47 * frickler is reading backlog, but not sure about the context, which change needs more power? 15:54:17 with the release hat on:) https://review.opendev.org/c/openstack/releases/+/925750 16:02:32 #endmeeting