Hey folks,

+1 to the direction we're going with this. Like Emilien said, the skies the limit when using a flexible automation framework like Ansible. We're definitely going to need Molecule tests for the role and unit/integration tests for the podman_container module itself. I left a comment in the podman_container feature request in Ansible to let the broader community know that we're working towards stabilizing that module. Hopefully that will get more contributors to help us fast track upstreaming it. It doesn't seem like Paunch is really used outside of TripleO so having it in Ansible, which has wider adoption, seems really ideal. As for backports, I think it's fair to say that Paunch for the most part "just works." When it does break it's a pain to fix. Which is even more reason to move away from it.

Sincerely,

Luke Short, RHCE

Software Engineer, OpenStack Deployment Framework

Red Hat, Inc.

On Fri, Oct 11, 2019 at 11:13 AM Emilien Macchi <emilien@redhat.com> wrote:

On Fri, Oct 11, 2019 at 10:55 AM James Slagle <james.slagle@gmail.com> wrote:
[snip]
Nice work! I like the approach with the new ansible role.

I do think there will be a balance between what makes sense to keep in
a python module vs an ansible task. If/then branching logic and
conditional tasks based on previous results is of course all possible
with ansible tasks, but it starts to become complex and difficult to
manage. A higher level language (python) is much better at that.
Personally, I prefer to view ansible as just an execution engine and
would look to keep the actual application and business logic in proper
reusable/testable code modules (python). Finding that right balance is
likely something we can figure out in review feedback, ad-hoc
discussions, etc.

Ack & agreed on my side.

An idea for a future improvement I would like to see as we move in
this direction is to switch from reading the container startup configs
from a single file per step
(/var/lib/tripleo-config/container-startup-config-step_{{ step
}}.json), to using a directory per step instead. It would look
something like:

/var/lib/tripleo-config/container-startup-config/step1
/var/lib/tripleo-config/container-startup-config/step1/keystone-init-tasks.json
/var/lib/tripleo-config/container-startup-config/step1/pacemaker-init-tasks.json
etc.

That way each service template can be converted to a proper ansible
role in tripleo-ansible that just drops its config into the right
directory on the managed node. When the tripleo-container-manage role
is then executed, it will operate on those files. This would also make
it much more clear what container caused a failure, since we could log
the results individually instead of just getting back the union of all
logs per step. I think you're patches already address this to some
degree since you are looping over the contents of the single file.

This is an excellent idea. One of the feedback I've got from the Upgrade folks is the need to be able to easily upgrade one service, and the current structure doesn't easily allow it. Your proposal is I think exactly addressing it; and indeed it'll help when migrating container config into their individual roles in tripleo-ansible.
I'll add that to the backlog.

The other feedback I would offer is perhaps continue to think about
keeping the container implementation pluggable in some fashion. Right
now you have a tasks/podman.yaml. What might it look like if we wanted
to have a tasks/kubernetes.yaml in the future, and how would that be
enabled?

Yes, that's what I had in mind when starting the role. The podman.yaml is for Podman logic.
We will probably have docker.yaml if we want to support Docker for FFU from Queens to Train.
And we can easily add a playbook "kubernetes.yaml" which will read the container config data, generate k8s YAML and then consume it via https://docs.ansible.com/ansible/latest/modules/k8s_module.html . Really there is no limit if we can make it really pluggable.

Thanks for the input and the great feedback,
--
Emilien Macchi