15:00:21 #startmeeting openstack_ansible_meeting
15:00:21 Meeting started Tue Aug 26 15:00:21 2025 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:21 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:21 The meeting name has been set to 'openstack_ansible_meeting'
15:00:25 #topic rollcall
15:00:43 o/
15:01:19 hi!
15:05:34 #topic office hours
15:08:37 So as there was no feedback about moving playbooks to ops vs plugins - I marked my patch for moving it to plugins as ready for review
15:08:39 #link https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/956949
15:09:11 and also made another patch to move haproxy-endpoint-manage from ops repo to plugins as a follow-up
15:10:02 rest in ops repo seem a bit of opinionated still
15:10:09 and I'm not sure about them at all
15:10:45 on topic of EL10 support - there was no progress so far in terms of systemd-networkd and epel
15:10:59 so I decided to decouple CentOS 10 Stream from Rocky 10 patches
15:11:10 thus we can vote and backport them separately
15:11:14 #link https://review.opendev.org/c/openstack/openstack-ansible/+/958170
15:12:15 Dmitriy Rabotyagov proposed openstack/openstack-ansible-rabbitmq_server master: Ensure no CQ mirroring policies applied https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/958428
15:12:28 ack
15:12:57 This one actually created quite some headache during rabbitmq upgrade for us ^
15:13:27 I think we should have it backported before tagging epoxy as 31.1.0
15:13:59 PKI role progress
15:14:42 I believe that Octavia got pretty much broken with merging cert installation by name
15:15:10 I was not digging deep, but it seems that role tries to install chain which is not created for root
15:15:24 yeah, I already found a culprit. Will push a fix really soon, definitely today.
15:15:36 these are great news then!
15:16:14 o/ hello
15:18:45 o/
15:19:58 and some next changes to pki role seems to be missing one more vote
15:21:04 damiandabrowski: needs to see these patches i think and rebase some https://review.opendev.org/c/openstack/ansible-role-pki/+/957848
15:21:57 https://review.opendev.org/q/project:openstack/ansible-role-pki+status:open+label:verified+label:Code-Review%3D2
15:22:09 ahh, there's another chain. Sorry, I didn't see it
15:22:14 I'll have a look tomorrow
15:23:07 I think we need to start coming up with etherpad of things for the release
15:24:05 let's maybe use this link
15:24:07 #link https://etherpad.opendev.org/p/oct2025-ptg-os-ansible
15:24:21 hopefully it will match with the meetpad....
15:26:43 what things do we have as ongoing....
15:26:59 jrosser: I guess we wanna finalize Debian 13?
15:27:16 oh goodness i completely forgot about that :/
15:27:23 yes we do
15:27:30 afaik we were OK locally but not in CI
15:28:36 python 3.13 got way closer I guess...
15:28:48 but I can't recall what was missing from CI at this point...
15:29:00 I'm guessing usual things, like rabbitmq/mariadb
15:29:23 We also need to fix gather_subset
15:29:44 as with switch to 2.18 it's just silently ignored now
15:30:27 I haven't yet started looking into improvements to haproxy :(
15:30:46 i thought i had got a lot of stuff sorted for trixie, but it was a while ago
15:30:48 but it's also not a blocker at all
15:32:27 eh
15:32:40 you didn't use a topic for them, did you?
15:32:46 found https://review.opendev.org/c/openstack/openstack-ansible/+/954616
15:33:23 it could be that i got it working in a VM but not more than that
15:33:40 i'll rebase 954616 and see where it is today
15:35:01 sounds good
15:35:15 anything else what comes to mind which we might wanna target?
15:36:18 * noonedeadpunk checking previous ptg notes https://etherpad.opendev.org/p/apr2025-ptg-os-ansible
15:36:40 we mentioned PKI refactoring
15:37:44 in terms of not storing certs on deploy host
15:37:59 but I think it's worth doing that only after dust with vault will settle
15:38:31 Migration from OVS/LXB to OVN is still a black box for me
15:38:51 there were couple of really great articles, specifically from CERN, for LXB migration
15:39:02 but I did not take time to dig deep there
15:39:39 And I think we still have a really problematic bug with upgrade order for OVN
15:39:53 as ovn-controller should be upgraded before sb/nb dbs
15:40:23 while we are running upgrade same way as setup, where ovn-controller is targeted later on
15:40:50 Damian Dąbrowski proposed openstack/ansible-role-pki master: Fix creation of certs signed by selfsigned issuers https://review.opendev.org/c/openstack/ansible-role-pki/+/958550
15:40:57 Jonathan Rosser proposed openstack/openstack-ansible master: Add debian trixie job definitions https://review.opendev.org/c/openstack/openstack-ansible/+/954616
15:43:34 Damian Dąbrowski proposed openstack/openstack-ansible-os_octavia master: [DNM] Check if 958550 fixes octavia CI jobs https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/958551
15:43:45 damiandabrowski: hm, do we also need something for create_ca?
15:43:55 as failure happens on root installation I'd guess?
15:44:22 as we now have it i think that the tests should probably cover these cases
15:44:35 sooo much opportunity to break * here
15:44:46 no no, failure happens on certificate creation, not the installation
15:44:49 "Create certificate ca bundle for octavia_client" task
15:44:51 I'm talking about https://zuul.opendev.org/t/openstack/build/db82f298d73144fc95e90d86c1b21ff9
15:45:29 ah, ok, yes, makes sense then
15:46:59 Damian Dąbrowski proposed openstack/openstack-ansible-os_octavia master: [DNM] Check if 958550 fixes octavia CI jobs https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/958551
15:48:20 I'm just a bit confused I guess...
15:49:32 yeah, and then we really don't know if ca was having intermediate or not
15:50:08 just trying to think if there could be more neat way rather than stat
15:51:00 as maybe instead we should be producing bundle for CA anyway?
15:51:12 when we generate root?
15:51:53 yeah, that would be an alternative approach but I was a bit afraid of fixing already existing environments
15:52:31 Well, root creation is first step for upgrade anyway?
15:52:43 I mean - if the file does not exist - it will be created
15:53:13 yeah...
15:53:25 so upgrade should be fine, I'd guess
15:53:44 unless we override existing chains with some random stuff
15:53:53 but we should not do that anyway :D
15:54:36 as that would be somehow in line with other approaches we selected to always produce $things
15:56:03 hrrm i am not sure 958550 will be very obvious what is happening in the future
15:57:54 ack, I can create an alternative patch that would always trigger generation of *-chain.crt
15:58:04 sounds good, thanks!
15:58:22 #endmeeting