16:02:55 #startmeeting Octavia 16:02:56 Meeting started Wed Sep 18 16:02:55 2019 UTC and is due to finish in 60 minutes. The chair is johnsom. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:02:57 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:03:00 The meeting name has been set to 'octavia' 16:03:05 hi 16:03:09 hi 16:03:10 Hi 16:03:21 I guess our PTL is MIA today. lol 16:03:48 hi 16:03:57 #topic Announcements 16:04:07 We are in feature freeze. Please do not merge any feature patches. 16:04:30 Thank you to everyone that helped us get those last few features merged after all of the infra and requirements issues we faced. 16:05:31 If you didn't follow the issues, a few weeks before feature freeze Ubuntu released a kernel that paniced if you had a NAT rule (floating IP) and sent a fragmented packet through it. This caused our tempest jobs to fail with "RETRY_LIMIT". 16:05:42 This was fixed in the -62 kernel release. 16:06:20 Then requirements had bumped configparser to 4.x.x, but the author pulled the package from pypi after the global-requirements update went out. 16:06:29 This also broke our jobs. 16:06:38 thank YOU for the hours put troubleshooting it, and syncing with infra and other teams 16:07:02 Just glad we got it fixed in time for feature freeze 16:07:19 RC1 and stable/train branches are next week. 16:07:43 Next week is RC1 week. We should try to have all of our bug fixes in for that. 16:08:08 I will not be available to do the release. rm_work or cgoncalves will need to take point on that. 16:08:22 I can create a stub release patch if you would like. 16:08:56 any help is welcome :) 16:09:19 Finally, as I hinted at above. I will not be available for the next two weeks. 16:09:23 I will coordinate with our PTL during your absence 16:10:00 Ok, I will put up a stub patch (no commit strings) and mark it WIP. Then send you two the link. 16:10:22 Any other announcements this week? 16:10:57 #topic Brief progress reports / bugs needing review 16:11:26 I have posted patches for the PDF docs Train goal. All of them are in pretty good shape except for the Octavia docs. 16:12:03 Three sections are "missing" from the PDF version. I'm not sure why. I have added it to the "PDF Docs" trouble sheet hoping for some help. 16:12:18 The latex seems to have the content, just the latex->pdf process drops them. 16:12:25 FYI I added https://review.opendev.org/#/c/682365/ to the review list 16:12:38 I think the patches are good enough to merge and then we can bug fix from there. 16:12:56 I would like to ask review for 16:12:58 #link https://review.opendev.org/#/c/681195/ 16:13:16 I have also picked up the IPv6 goal work. It is almost done, just some devstack plugin strangeness to figure out. Hope to have that done today. 16:13:31 And hit this bug 16:13:32 #link https://storyboard.openstack.org/#!/story/2006560 16:13:46 but didn't come with anything on it yet 16:15:33 To finish out my week I may try to improve an error message when the user gives us a pass phrase protected pkcs12 bundle. 16:16:04 We have seen a few folks get confused by that as barbican does not accept a pass phrase for pkcs12 "secrets". 16:16:29 👀 16:17:17 have been continuing to test haproxy2.0 with octavia and rm_work's single-process patch. looking good so far and haven't encountered any major issues now that my amp image has the components i wanted (thanks again johnsom) 16:17:19 Ann Taraday proposed openstack/octavia stable/rocky: Fix base (VRRP) port abandoned on revert https://review.opendev.org/682836 16:17:25 redrobot Hi. Just mentioning we need to give a better error message when users upload a pkcs12 to barbican that is pass phrase protected. 16:17:58 redrobot Since secrets don't have a pass phrase parameter.... Which, would kind of be pointless. 16:18:31 colin-, there's an open issue with the single-process. ataraday_ has a patch for it up for review 16:18:33 #link https://review.opendev.org/#/c/681195/ 16:19:10 ah i hadn't done one with multiple https listeners but glad we found it arleady and thanks to ataraday_ 16:20:46 Any other updates today? 16:21:18 with my stable liaison hat on, I proposed a handful of backport patches. they have been merging rather quick. thank you all for your reviews! 16:21:30 Please focus on getting the bug fixes merged for the RC1. 16:21:53 We should also strive to get our tempest patches merged. We will want to tag a tempest version at the same time. 16:22:07 yep 16:22:28 That bug fix above is a good example of a patch we really want in.... 16:22:50 #topic Open Discussion 16:22:57 Other topics for today? 16:23:18 I have one 16:23:31 I put up for review a patch that enables full MAC security by default 16:23:34 #link https://review.opendev.org/#/c/682932/ 16:23:36 Go for it 16:23:55 Does that include apparmor or only selinux? 16:24:08 thus far we have been setting systems to permissive (RHEL, CentOS, Fedora) 16:24:38 only SELinux as that is the only place right now we enable/disable 16:25:11 We should probably make this generic enough to work for either platform 16:25:14 we can consider including apparmor, sure 16:25:59 I'd like to know if this is something folks are positive about or not 16:26:03 I think our friends at Canonical have the apparmor rules, though we may not have them here. 16:26:28 production clouds usually have selinux/apparmor enabled, so we would be testing code closer to such envs 16:26:28 I think it is a great idea. 16:27:35 colin-, would you have some thoughts? :) 16:27:45 or just don't care 16:28:04 (valid response anyway) 16:29:14 hmm, ok. if there's any feedback please feel free to share it at a later time here on the channel or Gerrit 16:31:13 apparmor is in the package install linux. would someone know what is the default setting (permissive/enforcing)? 16:31:21 s/linux/list/ 16:31:39 I think by default in DIB it's permissive/audit 16:34:20 Other topics today? 16:35:27 Ok, thanks everyone! 16:35:30 #endmeeting