15:00:21 <noonedeadpunk> #startmeeting openstack_ansible_meeting
15:00:21 <opendevmeet> Meeting started Tue Aug 26 15:00:21 2025 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:21 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:21 <opendevmeet> The meeting name has been set to 'openstack_ansible_meeting'
15:00:25 <noonedeadpunk> #topic rollcall
15:00:43 <noonedeadpunk> o/
15:01:19 <damiandabrowski> hi!
15:05:34 <noonedeadpunk> #topic office hours
15:08:37 <noonedeadpunk> So as there was no feedback about moving playbooks to ops vs plugins - I marked my patch for moving it to plugins as ready for review
15:08:39 <noonedeadpunk> #link https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/956949
15:09:11 <noonedeadpunk> and also made another patch to move haproxy-endpoint-manage from ops repo to plugins as a follow-up
15:10:02 <noonedeadpunk> the rest in ops repo seem a bit opinionated still
15:10:09 <noonedeadpunk> and I'm not sure about them at all
15:10:45 <noonedeadpunk> on topic of EL10 support - there was no progress so far in terms of systemd-networkd and epel
15:10:59 <noonedeadpunk> so I decided to decouple CentOS 10 Stream from Rocky 10 patches
15:11:10 <noonedeadpunk> thus we can vote and backport them separately
15:11:14 <noonedeadpunk> #link https://review.opendev.org/c/openstack/openstack-ansible/+/958170
15:12:15 <opendevreview> Dmitriy Rabotyagov proposed openstack/openstack-ansible-rabbitmq_server master: Ensure no CQ mirroring policies applied  https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/958428
15:12:28 <damiandabrowski> ack
15:12:57 <noonedeadpunk> This one actually created quite some headache during rabbitmq upgrade for us ^
15:13:27 <noonedeadpunk> I think we should have it backported before tagging epoxy as 31.1.0
15:13:59 <noonedeadpunk> PKI role progress
15:14:42 <noonedeadpunk> I believe that Octavia got pretty much broken with merging cert installation by name
15:15:10 <noonedeadpunk> I was not digging deep, but it seems that role tries to install chain which is not created for root
15:15:24 <damiandabrowski> yeah, I already found a culprit. Will push a fix really soon, definitely today.
15:15:36 <noonedeadpunk> this is great news then!
15:16:14 <jrosser> o/ hello
15:18:45 <noonedeadpunk> o/
15:19:58 <noonedeadpunk> and some next changes to pki role seem to be missing one more vote
15:21:04 <jrosser> damiandabrowski: needs to see these patches i think and rebase some https://review.opendev.org/c/openstack/ansible-role-pki/+/957848
15:21:57 <noonedeadpunk> https://review.opendev.org/q/project:openstack/ansible-role-pki+status:open+label:verified+label:Code-Review%3D2
15:22:09 <damiandabrowski> ahh, there's another chain. Sorry, I didn't see it
15:22:14 <damiandabrowski> I'll have a look tomorrow
15:23:07 <noonedeadpunk> I think we need to start coming up with etherpad of things for the release
15:24:05 <noonedeadpunk> let's maybe use this link
15:24:07 <noonedeadpunk> #link https://etherpad.opendev.org/p/oct2025-ptg-os-ansible
15:24:21 <noonedeadpunk> hopefully it will match with the meetpad....
15:26:43 <noonedeadpunk> what things do we have as ongoing....
15:26:59 <noonedeadpunk> jrosser: I guess we wanna finalize Debian 13?
15:27:16 <jrosser> oh goodness i completely forgot about that :/
15:27:23 <jrosser> yes we do
15:27:30 <jrosser> afaik we were OK locally but not in CI
15:28:36 <noonedeadpunk> python 3.13 got way closer I guess...
15:28:48 <noonedeadpunk> but I can't recall what was missing from CI at this point...
15:29:00 <noonedeadpunk> I'm guessing usual things, like rabbitmq/mariadb
15:29:23 <noonedeadpunk> We also need to fix gather_subset
15:29:44 <noonedeadpunk> as with switch to 2.18 it's just silently ignored now
15:30:27 <noonedeadpunk> I haven't yet started looking into improvements to haproxy :(
15:30:46 <jrosser> i thought i had got a lot of stuff sorted for trixie, but it was a while ago
15:30:48 <noonedeadpunk> but it's also not a blocker at all
15:32:27 <noonedeadpunk> eh
15:32:40 <noonedeadpunk> you didn't use a topic for them, did you?
15:32:46 <noonedeadpunk> found https://review.opendev.org/c/openstack/openstack-ansible/+/954616
15:33:23 <jrosser> it could be that i got it working in a VM but not more than that
15:33:40 <jrosser> i'll rebase 954616 and see where it is today
15:35:01 <noonedeadpunk> sounds good
15:35:15 <noonedeadpunk> anything else that comes to mind which we might wanna target?
15:36:18 * noonedeadpunk checking previous ptg notes https://etherpad.opendev.org/p/apr2025-ptg-os-ansible
15:36:40 <noonedeadpunk> we mentioned PKI refactoring
15:37:44 <noonedeadpunk> in terms of not storing certs on deploy host
15:37:59 <noonedeadpunk> but I think it's worth doing that only after dust with vault will settle
15:38:31 <noonedeadpunk> Migration from OVS/LXB to OVN is still a black box for me
15:38:51 <noonedeadpunk> there were a couple of really great articles, specifically from CERN, for LXB migration
15:39:02 <noonedeadpunk> but I did not take time to dig deep there
15:39:39 <noonedeadpunk> And I think we still have a really problematic bug with upgrade order for OVN
15:39:53 <noonedeadpunk> as ovn-controller should be upgraded before sb/nb dbs
15:40:23 <noonedeadpunk> while we are running upgrade same way as setup, where ovn-controller is targeted later on
15:40:50 <opendevreview> Damian Dąbrowski proposed openstack/ansible-role-pki master: Fix creation of certs signed by selfsigned issuers  https://review.opendev.org/c/openstack/ansible-role-pki/+/958550
15:40:57 <opendevreview> Jonathan Rosser proposed openstack/openstack-ansible master: Add debian trixie job definitions  https://review.opendev.org/c/openstack/openstack-ansible/+/954616
15:43:34 <opendevreview> Damian Dąbrowski proposed openstack/openstack-ansible-os_octavia master: [DNM] Check if 958550 fixes octavia CI jobs  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/958551
15:43:45 <noonedeadpunk> damiandabrowski: hm, do we also need something for create_ca?
15:43:55 <noonedeadpunk> as failure happens on root installation I'd guess?
15:44:22 <jrosser> as we now have it i think that the tests should probably cover these cases
15:44:35 <jrosser> sooo much opportunity to break * here
15:44:46 <damiandabrowski> no no, failure happens on certificate creation, not the installation
15:44:49 <damiandabrowski> "Create certificate ca bundle for octavia_client" task
15:44:51 <noonedeadpunk> I'm talking about https://zuul.opendev.org/t/openstack/build/db82f298d73144fc95e90d86c1b21ff9
15:45:29 <noonedeadpunk> ah, ok, yes, makes sense then
15:46:59 <opendevreview> Damian Dąbrowski proposed openstack/openstack-ansible-os_octavia master: [DNM] Check if 958550 fixes octavia CI jobs  https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/958551
15:48:20 <noonedeadpunk> I'm just a bit confused I guess...
15:49:32 <noonedeadpunk> yeah, and then we really don't know if ca was having intermediate or not
15:50:08 <noonedeadpunk> just trying to think if there could be a more neat way rather than stat
15:51:00 <noonedeadpunk> as maybe instead we should be producing bundle for CA anyway?
15:51:12 <noonedeadpunk> when we generate root?
15:51:53 <damiandabrowski> yeah, that would be an alternative approach but I was a bit afraid of fixing already existing environments
15:52:31 <noonedeadpunk> Well, root creation is first step for upgrade anyway?
15:52:43 <noonedeadpunk> I mean - if the file does not exist - it will be created
15:53:13 <damiandabrowski> yeah...
15:53:25 <noonedeadpunk> so upgrade should be fine, I'd guess
15:53:44 <noonedeadpunk> unless we override existing chains with some random stuff
15:53:53 <noonedeadpunk> but we should not do that anyway :D
15:54:36 <noonedeadpunk> as that would be somehow in line with other approaches we selected to always produce $things
15:56:03 <jrosser> hrrm i am not sure 958550 will be very obvious what is happening in the future
15:57:54 <damiandabrowski> ack, I can create an alternative patch that would always trigger generation of *-chain.crt
15:58:04 <noonedeadpunk> sounds good, thanks!
15:58:22 <noonedeadpunk> #endmeeting