#openstack-ansible log

16:01:21 <noonedeadpunk> #startmeeting openstack_ansible_meeting
16:01:22 <openstack> Meeting started Tue Jul 28 16:01:21 2020 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:01:23 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:01:25 <openstack> The meeting name has been set to 'openstack_ansible_meeting'
16:01:37 <noonedeadpunk> #topic office hours
16:02:02 <noonedeadpunk> o\
16:03:08 <jrosser> hello
16:06:00 <noonedeadpunk> Hey, I'm from phone at the moment, so...
16:06:27 <noonedeadpunk> I guess we've backported most of the things for centos8
16:06:51 <noonedeadpunk> Except Murano (which start timeouting)
16:07:15 <noonedeadpunk> And zun which I'm taking look at (maybe just few several things)
16:08:21 <noonedeadpunk> Don't have really much things to share as was doing mostly some personal stuff:(
16:09:06 <jrosser> similar, we just need to keep on top of the backports and get everything merged
16:09:31 <noonedeadpunk> But I hope I'll be more productive and less lazy this week, and we should do final release I guess on 2 weeks? Due date was 10th of August iirc
16:10:31 <noonedeadpunk> And I'd love to finish bind-to-mgmt thing
16:11:11 <noonedeadpunk> And also work on ci things, to get upgrade jobs finally merged
16:11:25 <noonedeadpunk> (I mean their fix)
16:11:27 <jrosser> yes, been so busy i've kind of paged-out where we were up to with bind-to-mgmt
16:11:50 <noonedeadpunk> I think on db from utility still
16:12:33 <noonedeadpunk> And need to patch every role for that
16:14:37 <jrosser> oh yes thats it
16:14:44 <jrosser> that does not sound like a job for U
16:19:04 <noonedeadpunk> Uh, it was planned a different way, but yeah...
16:19:24 <noonedeadpunk> I think a have a lot of time on my hands at the moment anyway:)
16:20:53 <noonedeadpunk> BTW, dmsimard (sorry for misspelling) gave great suggestion to allow users to deploy Ara with OSA
16:21:13 <noonedeadpunk> To keep track on playbook execution in better way than just logs
16:21:26 <noonedeadpunk> And I think that's really great idea:)
16:22:17 <jrosser> if you want to bash on bind-to-mgmt thats cool
16:22:43 <dmsimard> \o
16:23:47 <dmsimard> if you're interested there's an ansible role to deploy the API server here: https://github.com/ansible-community/ara-collection or docker images: https://hub.docker.com/r/recordsansible/ara-api
16:24:59 <dmsimard> happy to help otherwise point you in the right direction or answer questions
16:25:34 <noonedeadpunk> Oh, so we can even just include the role
16:25:52 <noonedeadpunk> During ansible bootstrap or something
16:26:38 <dmsimard> you can take inspiration from the playbook used to deploy the live demo: https://github.com/ansible-community/ara-infra/blob/master/playbooks/live-demo.yaml
16:26:38 <noonedeadpunk> jrosser, yeah, I was about to do that right tomorrow, but as I was not so deep in that topic I might ping you
16:27:00 <dmsimard> note that ara-web isn't required (and is neglected right now)
16:27:43 <dmsimard> noonedeadpunk: the role sets up the API server, there needs to be a part on the ansible control node where you install the ara callback and set it up to point to the api server
16:28:12 <dmsimard> which should be easy enough, something like pip install ara; export ANSIBLE_CALLBACK_PLUGINS=$(python3 -m ara.setup.callback_plugins)
16:28:41 <dmsimard> oh, and then export ARA_API_CLIENT=http and ARA_API_SERVER=http://api-server
16:28:51 <noonedeadpunk> Sounds neat. Does role deploy web UI as well?
16:28:54 <jrosser> noonedeadpunk: sure  just ask as it's really not that far off
16:29:14 <dmsimard> the API server comes with a built-in UI, this one: https://api.demo.recordsansible.org/
16:29:32 <jrosser> noonedeadpunk: i think what i was working towards in a AIO was this https://review.opendev.org/#/c/733408/
16:29:39 <dmsimard> the CLI will be bundled with the main 'ara' package
16:30:07 <dmsimard> it's not released yet but it's in master
16:30:23 <noonedeadpunk> Ok, will try to take a look a bit later that week, and will ping you for sure:)
16:30:34 <dmsimard> sure, you know where to find me
16:30:40 <noonedeadpunk> Yeah:)
16:31:19 <noonedeadpunk> I think we should probably add a separate inventory group for Ara API and Ara web
16:32:08 <noonedeadpunk> And by default offer to set it to deploy host? Oh, BTW, is there any possibility to restrict access?
16:32:17 <dmsimard> sure -- for ara-web this is https://web.demo.recordsansible.org/ and I can't quite recommend it yet so don't bother with it for now :p
16:32:44 <dmsimard> It makes sense to create an inventory group, sure
16:33:17 <dmsimard> by default everything is opened read/write without authentication but you can turn on authentication only for writes or for both read/write, this is explained here: https://ara.readthedocs.io/en/latest/api-security.html
16:34:01 <dmsimard> There is no concept of permission granularity/RBAC/groups/etc -- either you have access or you don't
16:35:56 <noonedeadpunk> I mean I'm not sure if we can/should put Ara under our haproxy and deploy it in container, or just independent web server on deploy host or in container on private ips...
16:36:36 <noonedeadpunk> But yeah, that are details:)
16:36:42 <dmsimard> I don't have a strong opinion as my experience with OSA is limited
16:37:09 <dmsimard> another thing to consider is where to store the data -- by default this is in a sqlite database but the role supports mysql/postgresql as well
16:37:17 <noonedeadpunk> That's totally fine, I'm probably thinking out loud
16:38:07 <noonedeadpunk> Ok, I think that should be in our infra stuff then - we have a galera cluster which might work just nice for that
16:38:42 <noonedeadpunk> BTW, can it work under uwsgi?
16:38:42 <dmsimard> that might lead to some chicken/egg if ansible tries to use ara before mysql is setup
16:39:07 <noonedeadpunk> Oh, that's good point
16:39:08 <dmsimard> surely ? would love to have support for it in the role, there's only gunicorn right now
16:40:00 <dmsimard> should be simple enough to add, the role was structured to eventually support uwsgi/mod_wsgi
16:40:08 <dmsimard> I just don't know uwsgi a lot :)
16:40:50 <noonedeadpunk> Hm, but how ansible role does setup Ara without chicken/egg situation?
16:41:15 <noonedeadpunk> I mean I think plugins are set during role execution?
16:41:53 <noonedeadpunk> But yeah, I see what you mean, that we'll setup Ara only after launching massive amount of roles
16:42:13 <noonedeadpunk> So we'd miss data for them
16:42:15 <dmsimard> if ansible is setup to use ara with ANSIBLE_CALLBACK_PLUGINS but ara hasn't been installed yet, it will just skip it
16:42:30 <dmsimard> i.e, nothing to load, moving on
16:42:45 <dmsimard> there might be a warning but it's not fatal and has no impact
16:43:04 <noonedeadpunk> Oh, I think then we're ok
17:30:41 <noonedeadpunk> #endmeeting