[openstack-ansible] Bobcat vPTG results
Dmitriy Rabotyagov
noonedeadpunk at gmail.com
Mon Apr 3 10:25:36 UTC 2023
Hi everyone,
This year we didn't have many attendees, but I want to thank everyone
who managed to join the discussion regarding further project plans and
goals.
1. Things we'd love to work on to release 2023.1 (Antelope):
* Documentation improvements. That includes:
** Since Zed we're using OVN as a default network driver, while most
docs still refer to LXB in examples. We'd need to update architecture
and most networking docs with regards to this change, as they might be
misleading at the moment.
** Update Ironic documentation with regards to the latest changes to the role.
** Describe multi-arch deployments
* Finalize internal TLS - encryption between haproxy and uwsgi
backends that happens through the management network. We have a couple
of topics here:
** Split haproxy configuration so that backends are configured in
per-service playbooks rather than while running the haproxy one.
https://review.opendev.org/q/topic:separated-haproxy-service-config
** Actually patching services to support TLS for backends
https://review.opendev.org/q/topic:tls-backend
** Ensure we test in CI both TLS and non-TLS use cases for internal traffic.
* Bump MariaDB version to the next LTS release - 10.11
* Adding support for leap upgrades to our upgrade script and CI
* After switching to the cloudsmith repo as the source for RabbitMQ and
Erlang we struggle a lot with packages being obsoleted and removed
randomly from the repo. With that we're going to execute the following
plan:
** Switch rabbitmq back to packagecloud - it contains packages for
both deb and rpm
** Use minor releases of erlang rather than specific bugfix releases
that will still come from cloudsmith. Hopefully that will fail less.
** File an issue to rabbitmq-erlang-deb to publish releases in
github/packagecloud alike to rpms
** Track down state of ELS repo that could be used as alternative to
cloudsmith given it's working reliably.
* At the moment systemd services don't restart if only init overrides
are applied. POC patch was proposed and this topic should track
progress: https://review.opendev.org/q/topic:osa%252Fsystemd_restart_on_unit_change
We will also attempt to backport this to stable branches with just the
single vote as patches are quite trivial.
2. Bobcat goals
* Pretty endpoint names. It's great to have a supported way of having
pretty names in your endpoints, like compute.example.com. While this
is completely possible to achieve with current codebase, we have ways
to improve and ease the process of doing so.
** haproxy maps we've added should simplify the process a lot
** Add a boolean variable, that instead of concatenating vip_address +
port, do service_type + vip_address in roles with ability of global
override
** Fix certificates to include SAN or wildcard for all endpoint names
** document a way of doing that
* There is a long-going confusion about variables
external/internal_lb_vip_address as they could be either IP or an FQDN
and then needing other vars for the IP in haproxy/keepalived. We can
attempt to replace this variable with a more meaningful or intuitive
one.
** With that change we also have a chance of fixing inconsistent
service names (url vs. uri) across roles
* At the moment PKI keys/certificates can't be stored in a trusted
storage, as community.crypto.openssl_privatekey does require keys to
be files on filesystem. With that we can replace such module with
openssl_privatekey_pipe as then it can use different lookups.
** With that it would be also great to re-think/document a way of
storing user-secrets outside of using ansible-vault (that's trivial).
* With RabbitMQ 4.0 HA queues that are used now by default are going
to be removed. Quorum queues can be used instead to provide HA for
queues. Though they have quite different concepts. In order to migrate
to them, the exchange needs to be re-created with the enabled
persistence option. Easiest way to do that would be re-creating
vhosts, which will result in significant downtime for services like
nova or neutron, but that's the price that should be paid for the
migration/upgrade. Topic can be tracked here:
https://review.opendev.org/q/topic:osa%252Fquorum_queues
* ansible-core 2.14 requires >=py39, so Ubuntu 20.04 support will be
dropped early in the cycle.
* We also discussed resuming efforts of functional testing with
molecule. We came up with the following requirements/pain points:
** avoid duplicated boilerplate in all repos
** a way to run tests locally, document that
** clean up current tox/test for projects to avoid confusion
* We agreed on having a common role for managing openstack resources,
like images, networks, flavors, etc. This is valuable not only for
operators, but also for our service roles, like octavia or tempest,
where we're creating specific resources in pretty different ways each
time. Work has started in the plugins repo with ambition to move that
to openstack collection in the future:
https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/878794
* We're not sure about current IPv6-only deployments at the moment,
when talking about public networks. While private networks are not something
we want to focus on right now, we need to ensure that IPv6-only public
networks are supported and documented. Volunteers are highly
appreciated for this work.
* Releasing the Skyline role. While we have a POC role, Skyline doesn't
meet internal requirements of OSA maintainers. So while we'd love to
see the role being released, it's unlikely to be a priority for the majority
of the current team. So we're calling for volunteers to make the Skyline role
ready for releasing in Bobcat.
* We also agreed to work on Core reviewers promotion/demotion policies
and process, that should be published on Core reviewers page:
https://docs.openstack.org/openstack-ansible/latest/contributor/core-reviewers.html