14:00:20 #startmeeting airship 14:00:21 Meeting started Tue Jan 15 14:00:20 2019 UTC and is due to finish in 60 minutes. The chair is mattmceuen. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:00:22 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 14:00:24 The meeting name has been set to 'airship' 14:00:28 #topic rollcall 14:00:42 gm everyone! 14:00:44 \o/ 14:00:50 GM!' 14:00:59 Here's our agenda for today: https://etherpad.openstack.org/p/airship-meeting-2019-01-15 14:01:11 Please add anything you'd like to discuss 14:01:15 Good morning! 14:01:26 and we'll give it a couple mins for folks to filter in 14:01:30 here 14:01:42 also here 14:01:49 hey guys 14:02:29 o/ 14:03:15 so the meat of the agenda today is to share/explain a few things that have gotten added in recently 14:03:20 #topic podsecuritypolicy chart 14:03:52 So you may or may not be familiar with k8s PodSecurityPolicies 14:04:43 If you configure your k8s to use them, then the k8s api server will only allow you an actor to schedule pods that meet certain criteria/policy 14:04:56 Based on k8s RBAC 14:05:36 This is a security feature we wanted to add into airship, but in a way that doesn't break all the privileged actions that are taken across airship and openstack-helm 14:05:46 This helm chart was added to openstack-helm-infra: https://github.com/openstack/openstack-helm-infra/tree/master/podsecuritypolicy 14:06:17 It specifies by default an incredibly (100%) permissive podsecuritypolity, and sets it up as a default for the cluster 14:06:54 It was also added into the Treasuremap reference yamls: https://review.openstack.org/#/c/629686/ 14:07:04 You can do a couple things through the chart: 14:07:18 Why was the chart put in a different project if it was intended as a part of Airship? 14:07:41 because it's not airship-specific 14:07:46 pretty broadly applicable 14:08:24 You can use the chart to: 14:08:24 1) add whatever additional podsecuritypolicies you want for your cluster, programmatically, letting helm manage lifecycle 14:08:34 2) change the default(s) 14:09:04 Over time, we want to tune the defaults in the chart to be a reasonable non-fully-open set of policy, as much as possible. However, the intent is also that operators fully customize it for their workloads, 14:09:39 Nice work mattmceuen 14:09:59 You can set up defaults in the chart individually for serviceacounts, authenticated users, and unauthenticated users via the chart, and/or associate the PSPs to other roles outside of the chart itself 14:10:04 that's it - any questions? 14:10:13 Should help make it much easier to manage the security posture of a cluster. 14:10:25 o/ 14:10:37 Hi 14:10:42 o/ guys :) 14:10:56 One more note, just having to do with how PSP's work in k8s 14:10:59 What is the expectation of coordinating access to PSPs and the service accounts created by other Helm charts? 14:11:48 that'll be on the operator to coordinate; in an airship world, via substitution. That would be a good pattern to construct/demo in treasuremap I'd think 14:12:59 so PSPs only affect pods created *after* the PSPs are in place. So, that's why the psp chart was added first in the treasuremap armada manifest 14:13:26 alright, next topic: 14:13:35 #topic Mini-mirror integration 14:13:41 dwalt take it away! 14:14:00 alrighty! 14:14:16 dwalt: Nice job! I like it. Thank you. 14:14:21 One of the challenges we were having in larger scale deployments was the coordination of packages on the host 14:14:26 Thanks roman_g! 14:15:57 i.e. packages changed between the time that we ran test deployment pipelines to the time we actually deployed Airship 14:17:13 Mini-mirror exists as a way to combat that issue. By mirroring Ubuntu package repositories and deploying them into the cluster, we can control what packages exist on the host for a deployment 14:17:55 o/ 14:18:23 Currently, you can utilize mini-mirror by building an image by specifying the sources/packages you would like to mirror 14:18:25 #link https://github.com/openstack/openstack-helm-images/blob/master/mini-mirror/README.rst 14:19:11 The next step is integrating mini-mirror into the genesis process, with the vision that we may one be able to deploy Airship without internet connectivity 14:19:31 The chart for mini-mirror is also here: 14:19:33 #link https://github.com/openstack/openstack-helm-addons/tree/master/mini-mirror 14:19:37 Any questions? 14:19:57 this looks really cool, are you thinking to add it to treasuremap any time soon? 14:20:26 At the moment mini-mirror does not contain: docker image archives and k8s binaries; they would need to be baked into some /var/cache inside the image 14:20:30 Kaspars: Thanks! Definitely. As soon as we have a published demo image, we would like to get a full demo 14:21:50 mini-mirror is just a framework. It should contain whatever packages you tell it sourced from whatever source you provide when you build the image. 14:22:05 ++ 14:22:19 Yup roman_g those would be good enhancements down the road 14:22:24 o/ powerds0111 14:22:48 anything else on the mini-mirror front guys? 14:22:57 also, hooray for clever names. very catchy 14:23:16 I would suggest if it isn't merged yet that you consider naming it mini-apt or something 14:23:47 lol well you got one vote each way there 14:23:52 but it's merged 14:24:10 It isn't really part of Airship, so this is just tangential, but there is a merged spec in Airship to support multiple OSes and making mini-mirror Ubuntu specific doesn't really jive with that 14:24:20 There would be nothing stopping adding rpm support 14:24:35 totally agree 14:24:35 And I don't think long term adding the complexity to make a single framework support both is worth it 14:24:50 Just pick whether you want mini-apt or mini-rpm and go forward 14:25:02 Or just a value toggel 14:25:18 All it would take is turning on or off, two manifests 14:25:19 the *chart* part is really an nginx chart, right dwalt? 14:25:31 Yeah, I don't really care about the chart part 14:25:32 and the apt magic is in the docker build stuff 14:25:36 The complexity is in building the image 14:25:44 At it's core, it really is just NGINX 14:25:56 the image itself is just an NGINX image with the mirrored snapshots 14:26:15 Again, just tangential as it isn't part of Airship. But a consideration. 14:26:15 so a similar tool could be used (with a toggle) to mirror rpm repos 14:26:24 it might make sense to separate the apt docker build from the rpm docker build, since they'd likely be quite different 14:26:52 This is true. And OpenStack-Helm addons already has the pattern for multiple OS/Dockerfiles 14:27:07 I don't think it's tangential, we want to bring multi-os support into Airship 14:27:08 OpenStack-Helm-images* 14:27:10 good point 14:27:26 anything else on MM? 14:27:55 Maxi-mirror? 14:28:16 :) 14:28:19 Just depends how much stuff you shove in the image portdirect :) 14:28:27 #topic Monthly Treasuremap Release 14:28:27 Is there thought toward caching of things like docker images at this point, or that still at design stage? 14:28:41 * mattmceuen jumps the gun 14:28:48 #topic maxi-mirror 14:29:23 portdirect: I think there's been some discussion around it, but I don't know if any stories are in storyboard or anyone working on it yet 14:29:51 me neither 14:29:52 While possibly branded as mini-mirror, I would expect something like that to basically be completely separate in terms of image build 14:30:32 I was more thinking an adjunt here, to separate the concerns 14:30:45 I think designs right now around image caching are something like squid w/ MITM TLS signing 14:30:48 Looks like mini-mirror allows offline host provisioning 14:31:05 dwalt: would you work on blueprint, or I can take it? 14:31:19 But still leaves the gap of how to get containers into a site without internet or artifactory or summat. 14:31:35 (bake into genesis iso) 14:31:39 roman_g: You can take a stab at it if you'd like! 14:31:45 dwalt: deal 14:31:50 At this point, that wasn't the business value targeted w/ mini-mirror 14:31:50 Nice 14:32:09 sthussey: I understand that, hence my q. 14:32:56 sthussey: portdirect: mattmceuen what is your decision/input? 14:33:23 Decision on what? If you want to draw up a spec for something, go for it. 14:33:40 roman_g: if you'd like to take a stab at a spec PS, I think that gives a good opportunity to prompt discussion, even (especially) if that prompts a change in direction 14:33:46 After 3 mins of percolation time, bit early for me to put my stake in the ground on anything roman_g 14:34:01 ++ to mattmceuen s point 14:34:18 thanks roman_g 14:34:34 Anything else on the multi-mirror discussino? 14:35:00 #topic Monthly Treasuremap Release 14:35:08 Kaspars, all yours 14:36:00 great! so we have I would say almost routine monthly tag of airship-treasuremap manifests found located at https://github.com/openstack/airship-treasuremap/releases 14:36:48 as before - it includes auto-uplifts of components (with a few exclusions this time that include MAAS HA that Scott will talk about later, and armada due to test pod handling) 14:37:17 there are a few other notable changes as ceph partition handling and update of Docker to much newer version 14:38:22 as before - it has ran through full airship deployment pipeline (Airship Seaworthy), here are few sentances about it https://airship-treasuremap.readthedocs.io/en/latest/ 14:38:57 I would say enjoy the latest release candidate for 1.0 14:39:21 that's awesome Kaspars 14:39:29 in-flight fix for Armada test pod handling: https://review.openstack.org/#/c/629313/ 14:39:45 thanks for keeping the good stuff coming and the pipelines green :) 14:39:59 o/ seaneagan 14:40:30 any other discussion on the release candidate? 14:41:18 #topic HA MaaS overview 14:41:23 sthussey all yours! 14:42:12 Recently there a significant refactor of the Airship chart for the Canonical MAAS product. 14:42:41 Previously it was a bit fragile in terms of where it ran and how it responded to moving to other nodes. 14:43:44 It now should support a highly available configuration for the MAAS components (HA Postgres under it is out of scope) and with that HA support comes mobility across nodes in the cluster 14:44:09 There are some caveats and suppositions for the current solution 14:44:17 thats great sthussey 14:44:39 is the required config in treasuremap and airship in a bottle - so we can take it for a spin? 14:44:41 1) It expects a flat L2 broadcast domain for the PXE network across all nodes in the cluster 14:45:07 re: config - Can't speak to Treasuremap, but the multinode-gate in AIAB should work with it 14:46:03 there has not been patchsets submitted for treasuremap, yet 14:46:19 2) You must be able to route between the PXE booting network and whatever network your cluster ingress runs on. If there is a single network in your cluster for all traffic, that is sufficient. 14:47:05 3) Currently there is no TLS support for accessing the MAAS API/metadata server. That support will hopefully be in place in the near future 14:47:41 Somewhat related, is Ironic making progress in the RCs? 14:48:08 hogepodge: there was good discussion in rodolfo's zoom call last thursday, if you want to see the recording 14:48:11 4) If you are using the OSH-infra ingress chart, you must be using nginx-ingress-controller v0.20.0 or better 14:48:29 (kind of previous topic juggling multiple chat windows) 14:48:30 Otherwise you get false port binding conflicts between cluster ingress and maas ingress 14:48:42 That is all from me. 14:49:01 thanks for all the details sthussey - that was a big effort with a lot of tricky bits 14:49:12 mattmceuen yes please, I’ll coordinate offline thx 14:49:21 awesome, sounds good hogepodge 14:49:37 sounds like treasuremap is pinned to an old version - I guess the interface to the maas chart isn't backwards compatible, right sthussey? 14:50:34 Not sure, would have to test. The previous overrides certainly won't enable the HA functionality 14:51:28 the pipeline did fail - so I had to disable auto-uplift for maas/drydock charts.. 14:51:33 gotcha. Kaspars, maybe we can coordinate in the chat here to after the meeting to see what the issues you were seeing are, so we can get HA MaaS into TM now that the stable release was cut 14:52:12 k we have a few more topics and scant few minutes! 14:52:20 #topic PS needing review 14:52:25 there was a pretty large PS comitted to AIAB - so those changes need to be ported to treasuremap as well 14:52:32 I'm just going to paste these with a blurb and then move on! 14:52:44 to support latest MAAS/drydock - as well as few DNS handling need to be settled 14:52:47 some work.. 14:52:54 Blurb: I want to make sure there's an opportunity for folks to bring up PS weekly that they view as high priority, and/or lost in the shuffle 14:52:58 https://review.openstack.org/630749 14:52:59 https://review.openstack.org/630752 14:52:59 https://review.openstack.org/630755 14:53:15 ^^ from dwalt - please give those some eyes soon team 14:53:20 any others? 14:54:09 One topic not on the agenda: 14:54:33 #topic best of luck mark-burnett ! 14:54:44 I have one regarding ATC codes for Denver Summit 14:55:24 best of luck, Mark!! 14:55:32 Mark is taking another opportunity. He is of course more than welcome to continue participating in the airship community as much as possible! But I also just wanted to share that hey may not have the same bandwidth 14:56:08 Mark has been instrumental in forming the airship community, and definitely with him best of luck in the next endeavor! 14:56:25 #topic ATC codes for Denver Summit 14:56:30 go for it hogepodge 14:57:00 Congratulations Mark! 14:57:40 congarts Mark! 14:57:47 we need to put together a list of active contributors to receieve discount codes for the Denver summit 14:58:23 To help us with that we need a list of repositories to draw from for contributions. 14:58:54 I’m assuming all repos prefixed airship-, but if there are others we missed getting them to fungi would be a big help 14:59:11 I think that is the right set hogepodge 14:59:31 thanks for making sure 14:59:37 Since Airship is so new, we’re looking at contributions back to the launch of Airship as a pilot project in Vancouver for the contribution timeframe 14:59:48 cool, thanks :-) 14:59:51 Sounds reasonable to me! :) 15:00:36 Ok guys we are hard outta time -- please vote in the board election, and help out with the deckhand doc builds: 15:00:36 Please, assist: airship-deckhand documentation builds are broken since Oct. 30, 2018 15:00:36 Bug: https://storyboard.openstack.org/#!/story/2004747 15:00:36 Logs: https://readthedocs.org/api/v2/build/8395458.txt 15:01:06 It's mine, and I don't know how to fix it. 15:01:32 roman_g: I will take a look at that sometime today 15:01:34 Cool - let's continue the discussion here post-meeting roman_g and get that working 15:01:38 #endmeeting