16:02:09 <evrardjp> #startmeeting openstack_ansible_meeting
16:02:10 <openstack> Meeting started Tue Jun  6 16:02:09 2017 UTC and is due to finish in 60 minutes.  The chair is evrardjp. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:02:11 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:02:13 <openstack> The meeting name has been set to 'openstack_ansible_meeting'
16:02:15 <andymccr> o/
16:02:19 <spotz> \o/
16:02:20 <evrardjp> #topic rollcall
16:02:44 <andymccr> hi!
16:03:14 <cloudnull> hi
16:03:44 <evrardjp> leaving a few seconds for ppl to join
16:03:44 <asettle> o/
16:03:55 <asettle> I didn't see any doc stuff this week :)
16:04:42 <evrardjp> maybe there will be...
16:04:47 <evrardjp> suspense!
16:05:10 <andymccr> you never know. bug triage - anything can happen!
16:05:10 <evrardjp> ok we're good to start
16:05:17 <evrardjp> thrilling!
16:05:26 <evrardjp> #topic last week ap
16:05:29 <evrardjp> none
16:05:33 <evrardjp> #topic this week bugs
16:05:48 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1695944
16:05:49 <openstack> Launchpad bug 1695944 in openstack-ansible "SSH plugin fails to resolve physical host correctly on Ocata" [Undecided,New]
16:05:56 <evrardjp> sounds critical to me
16:06:31 <andymccr> yeah
16:06:54 <andymccr> thats weird
16:07:01 <logan-> o/
16:07:18 <evrardjp> good logan- is there :)
16:07:32 <logan-> yeah it seems like some other people ought to be hitting that. i'm not sure yet but it would be interesting if someone can repro
16:07:38 <cloudnull> that one is an odd one.
16:08:07 <cloudnull> I had a similar issue which
16:08:15 <cloudnull> which was ansible_ssh_host related.
16:08:41 <logan-> ^^ yep i made sure to rip out every instance of ansible_ssh_host from openstack_deploy, any roles/playbooks, etc to make sure i wasnt hitting the thing you saw
16:09:17 <cloudnull> yea. idk why else would cause that ?
16:09:18 <logan-> i wonder if we're wallpapering it with the /etc/hosts sync
16:09:30 <logan-> because my test there uses unbound, it does not do any /etc/hosts work
16:09:45 <andymccr> logan-: that sounds likely
16:09:46 <cloudnull> hum...
16:09:51 <evrardjp> the CLI seems good
16:10:11 <andymccr> logan-: should be easy enough to test too? just # the entry for aio1 from /etc/hosts
16:10:13 <evrardjp> ssh doesn't know aio1
16:10:32 <logan-> yeah exactly theres no aio1 in my env, I think in the gate there probably would be because of the /etc/hosts management
16:11:00 <logan-> so it exposes the broken connection plugin behavior
16:11:02 <logan-> we could do a gate run with -vvvvv to confirm what host it is using to ssh to containers with
16:11:15 <logan-> er ssh to physical_host with, to lxc-attach containers
16:11:20 <evrardjp> you could ANSIBLE_DEBUG=yes ansible -vvvvv
16:11:28 <logan-> if it is ssh to aio1 instead of 172.29.236.100, we've got problems imo
16:11:33 <evrardjp> gives you full insights
16:11:39 <evrardjp> yes that's what's shown
16:12:02 <evrardjp> anyway, we have to fix it
16:12:06 <evrardjp> looks critical to me
16:12:07 <andymccr> logan-: agreed we should fix that either way
16:12:09 <andymccr> yeah
16:12:25 <evrardjp> anyone wants to take it?
16:12:55 <evrardjp> super busy times
16:13:15 <evrardjp> let's leave it to good will and mark an action point somewhere
16:13:33 <evrardjp> #action schedule to fix https://bugs.launchpad.net/openstack-ansible/+bug/1695944
16:13:34 <openstack> Launchpad bug 1695944 in openstack-ansible "SSH plugin fails to resolve physical host correctly on Ocata" [Critical,Confirmed]
16:13:44 <evrardjp> next
16:13:45 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1695846
16:13:46 <openstack> Launchpad bug 1695846 in openstack-ansible "error when running os-nova-install.yml playbook with nova-config tag" [Undecided,New]
16:13:58 <openstackgerrit> Logan V proposed openstack/openstack-ansible master: [WIP] DNM: testing verbose output  https://review.openstack.org/471413
16:14:40 <andymccr> seems legit
16:14:44 <evrardjp> confirmed medium? we are breaking an interface here
16:14:47 <andymccr> yeah
16:14:53 <logan-> yep makes sense
16:14:59 <andymccr> agreed - although i do think we need a discussion around tags and our approach (for another time of course)
16:15:07 <andymccr> i like it but if we dont test it its always going to break without us knowing
16:15:26 <evrardjp> indeed. That's what I commented there too.
16:15:33 <evrardjp> Or what I tried to comment there.
16:15:48 <evrardjp> adding tests for these interfaces would be good.
16:16:02 <evrardjp> sadly I don't have time right now
16:16:09 <odyssey4me> yeah, me neither
16:16:13 <evrardjp> and I don't think this is a level1 prio
16:16:17 <andymccr> agreed
16:16:54 <evrardjp> if there are new contributors around that have time to improve OSA, they are welcome to do it! \o/
16:17:07 <evrardjp> we are friendly, we could give you advice!
16:17:10 <evrardjp> anyway
16:17:12 <evrardjp> next
16:17:14 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1695827
16:17:15 <openstack> Launchpad bug 1695827 in openstack-ansible "correct way to apply CORS for Keystone?" [Undecided,New]
16:18:13 <odyssey4me> hmm, I wonder if we shouldn't just add those to the template as a default?
16:18:17 <evrardjp> set Access-Control-Allow-Origin "*" sounds a recipe for disaster
16:18:25 <odyssey4me> ah, there is that
16:18:48 <andymccr> maybe yeah
16:18:54 <andymccr> or move to use upstream nginx role :P
16:19:08 <odyssey4me> although, that's easy enough to expose via a var and perhaps link to the haproxy whitelist by default
16:19:09 <evrardjp> I think the question is valid, but I have not enough skills to do it properly
16:19:41 <odyssey4me> just comment a suggestion to propose a patch to include that in the default template for apache
16:19:47 <evrardjp> we can hijack on haproxy, but I think it's better to do it on the webserver
16:20:53 <evrardjp> I propose we mark it as confirmed and wishlist
16:22:27 <evrardjp> is that a yes?
16:22:44 <andymccr> yeah i guess thats a feature
16:22:44 <evrardjp> ok next
16:22:50 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1695258
16:22:50 <andymccr> so sounds fine
16:22:53 <openstack> Launchpad bug 1695258 in openstack-ansible "OSA Newton 14.2.4: Aodh evaluator showing MissingAuthPlugin error" [Undecided,New]
16:22:59 <andymccr> ugh :P
16:23:31 <andymccr> perhaps the correct response is to mark those roles as needing work
16:23:35 <jmccrory> is all the ceilometer stuff still out of newton integrated gate?
16:23:58 <andymccr> probably - plus they need quite a bit of work i believe, and nobody has had the inclination to do that.
16:24:17 <evrardjp> alextricity25: are you there?
16:24:44 <evrardjp> the question is valid
16:25:17 <evrardjp> I'd confirm it, with low importance because old branch and not frequent role
16:25:22 <evrardjp> "fix when convenient"
16:25:39 <andymccr> agreed
16:25:58 <evrardjp> next
16:26:01 <evrardjp> #link https://bugs.launchpad.net/openstack-ansible/+bug/1694727
16:26:02 <openstack> Launchpad bug 1694727 in openstack-ansible "Multicast not enabled through Firewalld on Openstack Hosts" [Undecided,New]
16:26:19 <evrardjp> I haven't confirmed, but I can guess the mess it's gonna cause
16:26:44 <andymccr> hmm yeah.
16:26:49 <evrardjp> oh it's not only about keepalived, the man's gonna have issues with vxlan too
16:27:01 <evrardjp> keepalived is the first one showing
16:27:10 <evrardjp> we don't configure hosts though
16:27:19 <andymccr> thats true also
16:27:42 <evrardjp> the thing with the ansible security role, is that we setup expectations that we are doing everything
16:28:11 <openstackgerrit> Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible master: Implement rolling upgrades for cinder  https://review.openstack.org/469955
16:28:22 <andymccr> yeah agreed - it should be documented though in host setup
16:28:29 <mgariepy[cell]> Can we have confirmation that fw rules are there?
16:28:47 <evrardjp> ansible security can't know what group will be used for keepalived, so it's hard to do it there
16:28:57 <evrardjp> because it's becoming an independent role
16:29:17 <mgariepy[cell]> I have seen issues on some switches config with multicast stuff
16:29:31 <evrardjp> mgariepy[cell]: what do you mean?
16:29:52 <evrardjp> yeah multicast is used in OSA
16:30:04 <evrardjp> we don't configure switches though
16:30:16 <mgariepy[cell]> Does the security role add rules to firewalld?
16:30:26 <openstackgerrit> Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible master: Implement rolling upgrades for cinder  https://review.openstack.org/469955
16:30:40 <evrardjp> mgariepy[cell]: it could
16:31:35 <mgariepy[cell]> Keepalived also needs some selinux love but I haven't had time to fix it yet
16:31:38 <evrardjp> example https://github.com/openstack/openstack-ansible-security/blob/d8336717aadd8f7e501d3dc1c25b2aedd67d7e9f/tasks/rhel7stig/misc.yml#L283
16:32:08 <evrardjp> oh? It passes my gates, so I'd be happy to know the issue
16:32:22 <evrardjp> anyway
16:32:32 <evrardjp> I think it's an expectations problem here
16:32:43 <evrardjp> so either it's a doc change, to explain what we need
16:33:16 <mgariepy[cell]> +1 on doc change.
16:33:19 <evrardjp> or, we add a firewall configuration thing in the haproxy play
16:33:40 <evrardjp> but then another firewall configuration is needed for vxlan
16:34:10 <mgariepy[cell]> But on a default install is fwd configured by osa?
16:34:22 <andymccr> mgariepy[cell]: i don't think so
16:34:40 <evrardjp> osa makes use of the security role by default IIRC
16:34:48 <evrardjp> therefore on centos we are configuring firewalld
16:34:56 <andymccr> i guess if we are configuring specific groups that only get used by OSA and don't impact anything else, i can see why we would do it
16:35:05 <mgariepy[cell]> So the user added his fw conf?
16:35:41 <evrardjp> not sure what you mean there
16:35:59 <evrardjp> for me it makes sense to limit this as a doc change
16:36:15 <evrardjp> you start with an ubuntu or centos with x configured
16:36:34 <andymccr> yeah that works
16:37:14 <evrardjp> x is, here, a firewalling allowing multicast for keepalived and vxlan.
16:37:22 <evrardjp> confirmed medium?
16:37:26 <mgariepy[cell]> Yes doc change
16:39:09 <andymccr> yeah
16:39:11 <andymccr> agreed with that
16:39:20 <evrardjp> that's it for today
16:39:25 <evrardjp> thanks everyone
16:39:41 <evrardjp> (except if someone has a bug to discuss?)
16:39:46 <mgariepy[cell]> Thanks, I'll be off now
16:39:55 <evrardjp> haha ok :)
16:40:03 <evrardjp> closing in 5
16:40:04 <evrardjp> 4
16:40:06 <evrardjp> 3
16:40:07 <evrardjp> 2
16:40:07 <evrardjp> 1
16:40:09 <evrardjp> #endmeeting