14:01:09 #startmeeting TripleO
14:01:09 Meeting started Tue Jan 22 14:01:09 2019 UTC and is due to finish in 60 minutes. The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:10 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:01:13 The meeting name has been set to 'tripleo'
14:01:31 #topic agenda
14:01:33 * Review past action items
14:01:35 * One off agenda items
14:01:37 * Squad status
14:01:39 * Bugs & Blueprints
14:01:41 * Projects releases or stable backports
14:01:43 * Specs
14:01:44 o/
14:01:45 * open discussion
14:01:47 Anyone can use the #link, #action and #info commands, not just the moderatorǃ
14:01:49 Hey folks! who's around?
14:01:55 jaosorior: I'll try and check that lp bug later
14:01:58 o/
14:02:07 o/
14:02:09 bandini: thanks
14:02:15 \o/
14:02:16 hi
14:02:18 o/
14:02:19 o/
14:02:28 o/
14:02:59 o/
14:03:32 o/
14:04:04 «o/
14:04:08 o/
14:04:27 Matthias Runge proposed openstack/tripleo-heat-templates stable/rocky: Enable ovs-stats by default when using ovs https://review.openstack.org/632471
14:04:40 #topic review past action items
14:04:41 None.
14:04:42 o/
14:04:51 #topic one off agenda items
14:04:53 #link https://etherpad.openstack.org/p/tripleo-meeting-items
14:05:02 First topic: (gcerami) make fedora 28 with centos 7 containers job voting
14:05:36 panda: ^^
14:06:01 o/
14:07:42 panda or anybody else from the CI team that can comment on that? ^^
14:07:47 yeah sorry
14:07:49 got sidetracked
14:08:14 so, the job has proven to have valuable information on the interaction between tripleo and python 3
14:08:17 o/
14:08:29 we had some legit failure on the periodic runs
14:08:37 and we are fixing actual bugs,
14:08:59 jelou!
14:09:07 so I would like to understand if it's ok for us to start blocking patches based on the result of that jo
14:09:18 b
14:10:01 panda: seems reasonable to me (fwiw)
14:10:04 we are talking about the fedora 28 job that uses centos 7 containers
14:10:32 bugs like this for example https://bugs.launchpad.net/tripleo/+bug/1812837
14:10:33 Launchpad bug 1812837 in tripleo "periodic fedora 28 job failing with "/bin/sh: line 1: exit: null: numeric argument required" in Run async deployment StandalonePostDeployment step" [Undecided,Triaged]
14:11:10 panda, but for catching these we need to run fedora jobs in distgit changes also ^^
14:11:47 ykarel: are we ready to do it ?
14:12:20 panda, we started with testing centos standalone, didn't check it can cover fedora too yet
14:13:19 panda: should we enable it for the distgit changes before enabling it for every patch here?
14:13:42 overall for catching other issues that happened recently voting is must in upstream, and for particular issues like 1812837 we need in distgit
14:13:44 we also hit this one https://bugs.launchpad.net/tripleo/+bug/1812632
14:13:46 Launchpad bug 1812632 in tripleo "Overcloud nova compute docker command failing on nova_cellv2_discover_hosts" [Critical,Fix released] - Assigned to Martin Schuppert (mschuppert)
14:13:55 yes mentioning ^^ only
14:15:08 ykarel: what you think, can this involve distgit too ? ^
14:15:09 breakages in distgit changes are rare as compared to project changes
14:15:50 panda, 181263 is caused by tht change
14:16:01 fedora was non-voting, but no one noticed
14:16:07 ykarel: ok, so we need the job voting there
14:16:11 even that patch caused fs035 also
14:16:37 panda, yes, also it's good if reviewers not ignore non-voting jobs
14:16:43 results
14:16:48 tox
14:16:58 jaosorior: so yeah, not only distgit
14:17:15 jaosorior: ERROR: toxini file 'tox.ini' not found
14:17:17 panda: if we have started catching bugs with it. And we have the capacity, then yeah
14:17:22 panda: lol
14:17:34 panda: do we have the capacity to add that job?
14:17:49 jaosorior: it's standalone, we'll make the capacity
14:17:57 jaosorior: i think that if we make f28 voting we will be much better, as we already have to take care of these jobs. it would save time
14:18:25 understood
14:18:45 panda: the job is passing right now, right?
14:19:17 jaosorior: no, but it hits legit bugs.
14:19:46 panda: the suggestion is still to add it as non-voting initially, right? and then move it to voting?
14:20:40 jaosorior: the job is already there non-voting, it has been for at least a month. It was quite resilient even if the hashes between fedora and centos repos were not aligned
14:21:10 jaosorior: no it's in periodic too, and we are basing promotion on that result
14:21:16 jaosorior: on both fedora and centos side
14:22:44 alright, if the job has been stable, it's working, and it's legitimately catching bugs; let's block based on it.
14:23:26 thanks. We are available in the community meeting to discuss eventual details
14:23:39 ack
14:23:44 thanks for bringing it up panda
14:24:02 Next topic: (chkumar) We are now able to run os_tempest in standalone job (patches in review)
14:24:31 #link http://logs.openstack.org/00/627500/65/check/tripleo-ci-centos-7-standalone-os-tempest/198ae77/logs/undercloud/var/log/tempest/stestr_results.html.gz
14:24:45 chandankumar: ^^
14:24:48 Hey It's me
14:25:12 As we are working with OSA team to consume os_tempest role in Tripleo CI
14:25:33 jaosorior: we are able to now run tempest using os_tempest in tripleo CI,
14:26:00 here is the new job https://review.openstack.org/#/c/627500/ which does the same will get merged soon
14:26:26 and here is more updates what happened last week http://lists.openstack.org/pipermail/openstack-discuss/2019-January/001946.html
14:26:33 (19
14:26:36 we will try to finish integration by upcoming week
14:27:13 chandankumar: nice work! I'll stay put if you need reviews.
14:27:24 jaosorior: sure thanks :-)
14:27:47 The next topic is from me: (jaosorior) Reminder: ssbarnea and I are going through Launchpad bugs each week
14:28:04 So, if anybody is interested. It's one hour before this meeting
14:28:39 That's all.
14:28:44 ssbarnea|bkp2 because it's rover I guess
14:31:44 #topic Squad status
14:31:46 ci
14:31:48 #link https://etherpad.openstack.org/p/tripleo-ci-squad-meeting
14:31:50 upgrade
14:31:52 #link https://etherpad.openstack.org/p/tripleo-upgrade-squad-status
14:31:54 containers
14:31:56 #link https://trello.com/b/S8TmOU0u/tripleo-podman
14:31:58 integration
14:32:00 #link https://etherpad.openstack.org/p/tripleo-integration-squad-status
14:32:02 ui/cli
14:32:04 #link https://etherpad.openstack.org/p/tripleo-ui-cli-squad-status
14:32:06 validations
14:32:08 #link https://etherpad.openstack.org/p/tripleo-validations-squad-status
14:32:10 networking
14:32:12 #link https://etherpad.openstack.org/p/tripleo-networking-squad-status
14:32:14 security
14:32:16 #link https://etherpad.openstack.org/p/tripleo-security-squad
14:32:18 edge
14:32:20 #link https://etherpad.openstack.org/p/tripleo-edge-squad-status
14:32:22 Any squad wanting to bring up their status, or a topic for the general public?
14:32:34 hmm maybe for validation?
14:32:52 Tengu: wanna give the update?
14:33:01 The validation framework is back on the bench, and we'll get weekly meeting (hopefully).
14:33:31 among the tasks, it was decided to move the validations as plain ansible roles in order to have a generic way to run and maintain them
14:33:47 more information about the on-going work is located on this public trello board
14:33:51 #link https://trello.com/b/x3h5FrnX/validation-framework
14:34:29 thanks Tengu
14:35:24 #topic bugs & blueprints
14:35:25 #link https://launchpad.net/tripleo/+milestone/stein-3
14:35:27 For Stein we currently have 21 (for stein-3) blueprints open in Launchpad.
14:35:29 Bugs: 593 stein-3. 105 (0) open Storyboard bugs.
14:35:31 #link https://storyboard.openstack.org/#!/project_group/76
14:36:26 #link https://storyboard.openstack.org/#!/project_group/76
14:36:27 #topic projects releases or stable backports
14:37:12 #topic specs
14:37:14 #link https://review.openstack.org/#/q/project:openstack/tripleo-specs+status:open
14:37:22 Any specs someone would like to discuss here?
14:37:27 Merged openstack/tripleo-heat-templates master: mistral-executor: bind mount the docker socket only when needed https://review.openstack.org/631775
14:39:12 #topic open discussion
14:39:14 Anything else that folks want to bring up to the meeting?
14:39:34 firewall management in tripleo maybe?
14:39:42 looks like https://review.openstack.org/#/c/622324 got a lot of feedback. i assume jistr integrated it into its most recent update.
14:39:45 (sorry to bring that now ;))
14:40:02 ci community call immediately after tripleo weekly https://bluejeans.com/4113567798
14:40:34 jistr: do you think it's ready ? (i need to read the updated version)
14:40:36 fultonj: yea i did. There are some small tweaks to make to the spec still, but i think majority of it is quite close to reality.
14:41:00 fultonj: i'll WIP it, one more update to match the currently-being-implemented CLI
14:41:08 and then it's good i think
14:41:32 so if anyone provided feedback initially, they should check that it's been added as they think it should.
14:41:36 i'll do that
14:41:38 for ceph
14:41:41 thanks jistr
14:42:56 fultonj: I'll check it out as well. Thanks for bringing it up
14:42:59 yup thanks fultonj & all who provided feedback
14:43:19 Chandan Kumar proposed openstack/tripleo-quickstart-extras master: Use os_tempest for running tempest on standalone https://review.openstack.org/628415
14:43:32 Tengu: firewall management sounds good.
14:43:37 * like a good topic
14:43:53 btw there's a good bunch of patches for that spec already posted by me and chem, if you're interested in reviewing those too https://review.openstack.org/#/q/topic:bp/upgrades-with-os+(status:open+OR+status:merged)
14:43:55 hehe
14:44:24 jaosorior: so yeah, basically we have some issues with iptables management. some dangling rules, some default, unmanaged rules and the like.
14:44:35 Chandan Kumar proposed openstack-infra/tripleo-ci master: Run tempest using os_tempest role in standalone job https://review.openstack.org/627500
14:44:45 I started working on the latter, especially the rules added by the iptables-services package itself: https://review.openstack.org/#/c/632117/
14:45:18 I'd love to get some feedback on the approach, and if anyone has some idea about how to remove those nasty default rules from an already-deployed infra.... :)
14:45:47 fact is, one of them actually opens the ssh port for the world - this is actually wanted now, as per https://review.openstack.org/#/q/Ie548f7216610e15af24c96f65a58cc8de603235c - but it is now optional.
14:46:06 Tengu well, it is wanted for the undercloud only. Not the overcloud.
14:46:16 also, the default rules pushed by iptables-services prevent any logging to happen, as it has a REJECT before the LOG...
14:46:17 the overcloud should only allow access in the ctlplane network.
14:46:32 jaosorior: yeah, in addition - ssh is wide open on the overcloud nodes, like the controllers.....
14:46:52 Tengu: not anymore, AFAIK
14:47:22 jaosorior: well, once https://review.openstack.org/#/c/632117/ is merged, we'll be clean for new install.
14:47:36 but older ones will keep the 4-5 rules, unless we find a way to drop them.
14:47:38 either way, the point remains, we have a mess with iptables rules management
14:47:55 the big issue is, puppet doesn't see those rules as they don't have any comment.
14:48:11 puppetlabs-firewall manages rules using the resource name as a comment directly.
14:48:44 so the only way I see is via ansible, in an update/upgrade task, and remove those rules with a state: absent
14:49:39 Carlos Camacho proposed openstack/tripleo-heat-templates master: Include the DB password in a Mistral environment for creating backups and restores https://review.openstack.org/632438
14:49:50 Also, we have to keep in mind that removing rule from puppet will NOT remove it from the system
14:50:11 we must set the "ensure => absent" in order to actually remove the rule.
14:50:36 we don't have a way to purge unknown rules, since other software are injecting stuff inside iptables, like neutron.
14:50:51 Tengu: well, purging unknown rules would be problematic for neutron, wouldn't it?
14:51:03 yeah, that's my point.
14:51:06 UNLESS....
14:51:18 we create dedicated chains, and neutron pushes its rules in them only.
14:51:27 Tengu: might wanna talk to beagles about that
14:51:30 and we manage the "-j neutron-chain-name" within puppet
14:51:38 yeap
14:52:20 so yeah. pretty dense topic, I'll stop here for now, but I'm pretty sure I'll be back on it shortly ;).
14:52:43 alright, at this point it makes sense to talk to some folks that know neutron and ask what can we do to play well with it
14:52:49 just wanted to draw attention on that.
14:53:00 sounds to me like it's something we do want to fix
14:53:08 yep.
14:53:15 well, it would be good, at least :).
14:53:21 having ports randomly open cause we didn't purge them is not a good idea
14:53:29 for the sake of security, clean env and some other consideration
14:53:38 Tengu: thanks for bringing it up
14:53:44 yw :)
14:53:54 Tengu: let's start tracking this in the security squad
14:53:58 I'll bring it up there too.
14:54:17 Alright! any other topics people wanna bring up?
14:54:22 Reminder: deadline for openstack summit CFP is tomorrow 11:59PM PT
14:54:37 oh! true!
14:54:57 fwiw- I think neutron managed chains are already on things like neutron-openvswi-PREROUTING
14:55:04 I'll check to see if this is always the case
14:55:13 jaosorior, Tengu
14:55:17 ^^^
14:55:23 beagles: thanks! let us know if that's the case.
14:55:45 beagles: thanks! I'm in another mtg, but I'll be happy to discuss with you :)
14:55:47 there may be other rules neutron "sticks in there" as a workaround to another issue - i.e. being able to talk to the openvswitch daemon
14:55:55 Tengu, ack
14:56:11 #endmeeting