15:01:24 #startmeeting openstack_ansible_meeting
15:01:24 Meeting started Tue Mar 11 15:01:24 2025 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:24 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:24 The meeting name has been set to 'openstack_ansible_meeting'
15:01:28 #topic rollcall
15:01:29 o/
15:05:10 #topic office hours
15:07:58 so I didn't do much again last week... though, I should be getting more time
15:08:11 and planning to focus on molecule testing for plugins
15:08:43 so https://zuul.opendev.org/t/openstack/build/77addcef55d64976ab2ed4d38d6ae22a already fails with permission denied and not connection dropped
15:09:04 so potentially just re-enabling root account there might help
15:09:44 👀
15:09:44 o/
15:09:50 i'm not late, you're early! /s
15:10:11 have I messed up with timezones?
15:10:24 no I'm just all screwed up from daylight savings + travel
15:11:03 well, I really tend to screw up daylight savings..
15:11:27 NeilHanlon: any news on rocky 10?
15:12:19 or whatever...
15:12:24 any news on gluster?:)
15:15:50 on the weekend I made a role for encryption of sensitive data in osa with ansible-vault
15:16:01 together with some testing, to the ops repo
15:16:27 no news yet on rocky 10, but i think I told people this weekend we were targeting early/mid April for a beta
15:16:43 as for Gluster... https://copr.fedorainfracloud.org/coprs/neil/glusterfs/build/8750388/
15:16:52 (that's really why I was late lol)
15:17:12 I think this can be smth we can just generally suggest as a basic thing on how to secure storage of the openstack_deploy folder
15:17:15 I will maintain it. :) probably in EPEL 10, if I can manage to do it
15:17:48 oh, that would be really nice...
15:18:08 I have no idea about the gluster audience... but I believe it must have some except us, right?
15:18:22 that makes sense noonedeadpunk re: secrets. I'd been also thinking about how we could incorporate SOPS (https://www.cncf.io/projects/sops/)
15:18:38 ah, yes, we actually do use sops here
15:18:41 with osa
15:18:46 oh nice :D
15:18:54 so it's more than doable
15:19:00 i only learned about SOPS at Cfgmgmtcamp this year
15:19:19 one thing I hate about sops, or well... one of the things...
15:19:35 is that either it's very annoying to maintain if you're using GPGs
15:19:54 or weird if you use a remote transport like vault
15:20:33 btw this year on cfgmgmt I learned about https://github.com/cyberark/conjur#rotators
15:21:34 ahh. yeah I can see that being difficult
15:21:46 another thing I learned about sops - it's tricky to make it idempotent, as naturally sops will agree to double/triple/quadruple encrypt the same file
15:21:56 instead of detecting that it's already encrypted
15:21:59 "security"
15:22:02 lol
15:22:09 that seems a bit broken, IMO
15:22:15 conjur looks interesting...
15:23:59 but in fact I'm not sure what exactly sops accomplishes compared to ansible-vault except being annoying
15:24:26 as one who has gpg in file encryption is still able to decrypt the file version anytime after if they have it locally
15:25:01 so the most trivial usecase - an employee was let go and we want to prevent them from accessing secrets - is not done with sops...
15:25:16 and ansible-vault is way more trivial....
15:25:25 but dunno
15:26:00 probably the usecase is to have GPG only for non-interactive sessions, like Ansible, and then the rest go through vault
15:30:40 regarding sops implementation - given we have an ansible-vault as a reference, I will suggest my company to track sops implementation as smth we want to contribute to
15:32:39 SOPS will refuse to encrypt yaml files multiple times
15:32:44 but for text files...yes, it's a bit annoying
15:33:08 ansible-vault will refuse for text files as well ;)
15:33:43 the patch I'm talking about : https://review.opendev.org/c/openstack/openstack-ansible-ops/+/943866
15:34:54 and then I'd love to start looking into EL10 in upcoming weeks...
15:36:15 and one potential thing, but it's probably for the PTG - if we wanna bring back the freezer role
15:36:47 I do have quite a working role for deployment
15:36:50 #link https://github.com/noonedeadpunk/openstack-ansible-os_freezer
15:37:54 but it's not deploying freezer-scheduler yet - waiting for merging blueprint to be able to run it centrally rather than on clients only
15:41:39 I'm gonna try to start taking a look at OSA for c10s in the coming weeks, too. especially the modular libvirt stuffs
15:41:53 I am done travelling for a little while so I can actually focus on some stuff
15:41:55 that part is indeed the most concerning one
15:42:09 as I have actually no idea how that does work
15:42:39 or well: 1. what we need to start 2. what we don't need to start 3. How to control TLS/non-TLS now
15:43:19 and the third one is the most unclear so far...
15:43:44 as doing ansible is trivial if you know what needs to be done...
15:44:18 https://libvirt.org/daemons.html at least seems pretty verbose about the changes, on its face
15:45:54 agreed TLS is the most ambiguous right now
15:46:18 So right now we have quite some logic around libvirtd-tcp.socket and libvirtd-tls.socket and switching back-forth
15:46:28 and I don't understand to what it does translate tbh
15:47:14 I will take that on, to disambiguate our config and what we're doing with the monolithic daemon
15:48:15 So apparently we need virtqemud, but then... virtinterfaced? virtnetworkd? virtnwfilterd? virtstoraged?
15:48:52 probably it transitions to virtproxyd-tls.socket?
15:49:33 yeah, I guess it's virtproxyd-tcp.socket / virtproxyd-tls.socket
15:49:59 yeah, i think so
15:50:40 but somehow the amount of things we'd need to control now increased dramatically
15:51:17 and how to restart them in proper order on upgrade :D
15:51:21 yeah, there's a bunch more daemons to start or enable now, basically
15:54:38 i will chat with the libvirt packagers for fedora and see what I can glean
15:55:03 that can be extremely helpful :)
15:55:29 at a glance, it appears the libvirt packaging takes care of restarting during upgrade
15:55:41 oh rly?
15:55:55 as I got used to that in the RH world that's the responsibility of the user
15:56:16 https://src.fedoraproject.org/rpms/libvirt/blob/rawhide/f/libvirt.spec#_1684
15:57:20 anyways, i can ask and translate from the spec for what services it does and doesn't reload
15:57:24 or restart
15:57:41 cause that's a pretty dang verbose specfile...
15:57:53 but this somehow looks like the monolithic one to me https://src.fedoraproject.org/rpms/libvirt/blob/rawhide/f/libvirt.spec#_1771
15:58:18 but can be wrong
15:58:44 but actually I think it answers the question on order!
15:59:29 ok, thanks! That's indeed a good read for me
15:59:47 and it all might be easier than expected
15:59:58 i hope so! lol
16:00:13 i will still reach out to the maintainers via email and ask for some guidance
16:00:30 sounds good, thanks!
16:00:33 #endmeeting