15:01:24 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:01:24 <opendevmeet> Meeting started Tue Mar 11 15:01:24 2025 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:24 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:24 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:01:28 <noonedeadpunk> #topic rollcall
15:01:29 <noonedeadpunk> o/
15:05:10 <noonedeadpunk> #topic office hours
15:07:58 <noonedeadpunk> so I didn't do much again last week... though, I should be getting more time
15:08:11 <noonedeadpunk> and planning to focus on molecule testing for plugins
15:08:43 <noonedeadpunk> so https://zuul.opendev.org/t/openstack/build/77addcef55d64976ab2ed4d38d6ae22a already fails with permission denied and not connection dropped
15:09:04 <noonedeadpunk> so potentially just re-enabling root account there might help
15:09:44 <NeilHanlon> 👀
15:09:44 <NeilHanlon> o/
15:09:50 <NeilHanlon> i'm not late, you're early! /s
15:10:11 <noonedeadpunk> have I messed up with timezones?
15:10:24 <NeilHanlon> no I'm just all screwed up from daylight savings + travel
15:11:03 <noonedeadpunk> well, I really tend to screw up daylight savings..
15:11:27 <noonedeadpunk> NeilHanlon: any news on rocky 10?
15:12:19 <noonedeadpunk> or whatever...
15:12:24 <noonedeadpunk> any news on gluster?:)
15:15:50 <noonedeadpunk> on the weekend I made a role for encryption of sensitive data in osa with ansible-vault
15:16:01 <noonedeadpunk> together with some testing, to the ops repo
15:16:27 <NeilHanlon> no news yet on rocky 10, but i think I told people this weekend we were targeting early/mid April for a beta
15:16:43 <NeilHanlon> as for Gluster... https://copr.fedorainfracloud.org/coprs/neil/glusterfs/build/8750388/
15:16:52 <NeilHanlon> (that's really why I was late lol)
15:17:12 <noonedeadpunk> I think this can be smth we can just generally suggest as a basic thing on how to secure storage of the openstack_deploy folder
15:17:15 <NeilHanlon> I will maintain it. :) probably in EPEL 10, if I can manage to do it
15:17:48 <noonedeadpunk> oh, that would be really nice...
15:18:08 <noonedeadpunk> I have no idea about gluster audience... but I believe it must have some except us, right?
15:18:22 <NeilHanlon> that makes sense noonedeadpunk re: secrets. I'd been also thinking about how we could incorporate SOPS (https://www.cncf.io/projects/sops/)
15:18:38 <noonedeadpunk> ah, yes, we actually do use sops here
15:18:41 <noonedeadpunk> with osa
15:18:46 <NeilHanlon> oh nice :D
15:18:54 <noonedeadpunk> so it's more than doable
15:19:00 <NeilHanlon> i only learned about SOPS at Cfgmgmtcamp this year
15:19:19 <noonedeadpunk> one thing I hate about sops, or well... one of things...
15:19:35 <noonedeadpunk> is that either it's very annoying to maintain if you're using GPGs
15:19:54 <noonedeadpunk> or weird if you use remote transport like vault
15:20:33 <noonedeadpunk> btw this year on cfgmgmt I learned about https://github.com/cyberark/conjur#rotators
15:21:34 <NeilHanlon> ahh. yeah I can see that being difficult
15:21:46 <noonedeadpunk> another thing I learned about sops - it's tricky to make it idempotent, as naturally sops will agree to double/triple/quadruple encrypt the same file
15:21:56 <noonedeadpunk> instead of detecting that it's already encrypted
15:21:59 <NeilHanlon> "security"
15:22:02 <NeilHanlon> lol
15:22:09 <NeilHanlon> that seems a bit broken, IMO
15:22:15 <NeilHanlon> conjur looks interesting...
15:23:59 <noonedeadpunk> but in fact I'm not sure what exactly sops accomplishes compared to ansible-vault except being annoying
15:24:26 <noonedeadpunk> as one who has gpg in file encryption is still able to decrypt the file version anytime after if they have it locally
15:25:01 <noonedeadpunk> so the most trivial use case - employee was let go and we want to prevent them from accessing secrets - is not done with sops...
15:25:16 <noonedeadpunk> and ansible-vault is way more trivial....
15:25:25 <noonedeadpunk> but dunno
15:26:00 <noonedeadpunk> probably the use case is to have GPG only for non-interactive sessions, like Ansible, and then the rest goes through vault
15:30:40 <noonedeadpunk> regarding sops implementation - given we have an ansible-vault as a reference, I will suggest my company to track sops implementation as smth we want to contribute to
15:32:39 <damiandabrowski> SOPS will refuse to encrypt yaml files multiple times
15:32:44 <damiandabrowski> but for text files...yes, it's a bit annoying
15:33:08 <noonedeadpunk> ansible-vault will refuse for text files as well ;)
15:33:43 <noonedeadpunk> the patch I'm talking about : https://review.opendev.org/c/openstack/openstack-ansible-ops/+/943866
15:34:54 <noonedeadpunk> and then I'd love to start looking into EL10 in upcoming weeks...
15:36:15 <noonedeadpunk> and one potential thing, but it's probably for the PTG - if we wanna bring back the freezer role
15:36:47 <noonedeadpunk> I do have quite working role for deployment
15:36:50 <noonedeadpunk> #link https://github.com/noonedeadpunk/openstack-ansible-os_freezer
15:37:54 <noonedeadpunk> but it's not deploying freezer-scheduler yet - waiting for merging blueprint to be able to run it centrally rather than on clients only
15:41:39 <NeilHanlon> I'm gonna try to start taking a look at OSA for c10s in the coming weeks, too. especially the modular libvirt stuffs
15:41:53 <NeilHanlon> I am done travelling for a little while so I can actually focus on some stuff
15:41:55 <noonedeadpunk> that part is indeed the most concerning one
15:42:09 <noonedeadpunk> as I have actually no idea how that does work
15:42:39 <noonedeadpunk> or well: 1. what we need to start 2. what we don't need to start 3. How to control TLS/non-TLS now
15:43:19 <noonedeadpunk> and third one is the most unclear so far...
15:43:44 <noonedeadpunk> as doing ansible is trivial if you know what needs to be done...
15:44:18 <NeilHanlon> https://libvirt.org/daemons.html at least seems pretty verbose about the changes, on its face
15:45:54 <NeilHanlon> agreed TLS is the most ambiguous right now
15:46:18 <noonedeadpunk> So right now we have quite some logic around libvirtd-tcp.socket and libvirtd-tls.socket and switching back-forth
15:46:28 <noonedeadpunk> and I don't understand what it translates to tbh
15:47:14 <NeilHanlon> I will take that on, to disambiguate our config and what we're doing with the monolithic daemon
15:48:15 <noonedeadpunk> So apparently we need virtqemud, but then... virtinterfaced? virtnetworkd? virtnwfilterd? virtstoraged?
15:48:52 <noonedeadpunk> probably it transitions to virtproxyd-tls.socket?
15:49:33 <noonedeadpunk> yeah, I guess it's virtproxyd-tcp.socket / virtproxyd-tls.socket
15:49:59 <NeilHanlon> yeah, i think so
15:50:40 <noonedeadpunk> but somehow the amount of things we'd need to control now increased dramatically
15:51:17 <noonedeadpunk> and how to restart them in proper order on upgrade :D
15:51:21 <NeilHanlon> yeah, there's a bunch more daemons to start or enable now, basically
15:54:38 <NeilHanlon> i will chat with the libvirt packagers for fedora and see what I can glean
15:55:03 <noonedeadpunk> that can be extremely helpful :)
15:55:29 <NeilHanlon> at a glance, it appears the libvirt packaging takes care of restarting during upgrade
15:55:41 <noonedeadpunk> oh rly?
15:55:55 <noonedeadpunk> as I got used to the fact that in the RH world that's the responsibility of the user
15:56:16 <NeilHanlon> https://src.fedoraproject.org/rpms/libvirt/blob/rawhide/f/libvirt.spec#_1684
15:57:20 <NeilHanlon> anyways, i can ask and translate from the spec for what services it does and doesn't reload
15:57:24 <NeilHanlon> or restart
15:57:41 <NeilHanlon> cause that's a pretty dang verbose specfile...
15:57:53 <noonedeadpunk> but this somehow looks like the monolithic one to me https://src.fedoraproject.org/rpms/libvirt/blob/rawhide/f/libvirt.spec#_1771
15:58:18 <noonedeadpunk> but can be wrong
15:58:44 <noonedeadpunk> but actually I think it answers the question on order!
15:59:29 <noonedeadpunk> ok, thanks! That's indeed a good read for me
15:59:47 <noonedeadpunk> and it all might be easier than expected
15:59:58 <NeilHanlon> i hope so! lol
16:00:13 <NeilHanlon> i will still reach out to the maintainers via email and ask for some guidance
16:00:30 <noonedeadpunk> sounds good, thanks!
16:00:33 <noonedeadpunk> #endmeeting