alvinstarr | This morning's dumb question. | 13:34 |
---|---|---|
alvinstarr | I am trying to create a new role that is only allowed to create users and projects. | 13:34 |
alvinstarr | It looks like that is a build time as opposed to a run time configuration thing. | 13:34 |
alvinstarr | How/where would I build the rules for this new role? | 13:34 |
noonedeadpunk | hey | 13:35 |
noonedeadpunk | alvinstarr: I think what you're looking for is a domain manager | 13:35 |
noonedeadpunk | which should be available in recent releases out of the box | 13:35 |
noonedeadpunk | https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#manager | 13:36 |
noonedeadpunk | so pretty much your user needs to have a `manager` role assigned to a specific domain | 13:36 |
noonedeadpunk | but eventually, defining privileges for new roles is done through overrides of policies | 13:44 |
noonedeadpunk | osa contains variables for each service to define overrides to apply to the service, but you'd need to pretty much write rules you want/need there | 13:45 |
alvinstarr | Thanks. | 13:47 |
alvinstarr | I think you're right, the manager role will work for me. | 13:47 |
alvinstarr | I just need to get a better handle on role assignment and management as it stands currently. | 13:47 |
noonedeadpunk | alvinstarr: but that works best in multi-domain envs. ie, you create a domain for "customer" and assign a manager there for "self-service" | 13:52 |
noonedeadpunk | also - last time I checked, Horizon was not supporting that nicely | 13:52 |
alvinstarr | We may be able to get away with the default domain. | 13:58 |
alvinstarr | I just did not want to hand out complete admin control to the software that will be creating customer accounts and projects | 13:58 |
noonedeadpunk | ++ | 14:04 |
noonedeadpunk | #startmeeting openstack_ansible_meeting | 15:01 |
opendevmeet | Meeting started Tue Mar 11 15:01:24 2025 UTC and is due to finish in 60 minutes. The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:01 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:01 |
opendevmeet | The meeting name has been set to 'openstack_ansible_meeting' | 15:01 |
noonedeadpunk | #topic rollcall | 15:01 |
noonedeadpunk | o/ | 15:01 |
noonedeadpunk | #topic office hours | 15:05 |
noonedeadpunk | so I didn't do much again last week... though, I should be getting more time | 15:07 |
noonedeadpunk | and planning to focus on molecule testing for plugins | 15:08 |
noonedeadpunk | so https://zuul.opendev.org/t/openstack/build/77addcef55d64976ab2ed4d38d6ae22a already fails with permission denied and not connection dropped | 15:08 |
noonedeadpunk | so potentially just re-enabling root account there might help | 15:09 |
NeilHanlon | 👀 | 15:09 |
NeilHanlon | o/ | 15:09 |
NeilHanlon | i'm not late, you're early! /s | 15:09 |
noonedeadpunk | have I messed up with timezones? | 15:10 |
NeilHanlon | no I'm just all screwed up from daylight savings + travel | 15:10 |
noonedeadpunk | well, I really tend to screw up daylight savings.. | 15:11 |
noonedeadpunk | NeilHanlon: any news on rocky 10? | 15:11 |
noonedeadpunk | or whatever... | 15:12 |
noonedeadpunk | any news on gluster?:) | 15:12 |
noonedeadpunk | on the weekend I made a role for encryption of sensitive data in osa with ansible-vault | 15:15 |
noonedeadpunk | together with some testing, to the ops repo | 15:16 |
NeilHanlon | no news yet on rocky 10, but i think I told people this weekend we were targeting early/mid April for a beta | 15:16 |
NeilHanlon | as for Gluster... https://copr.fedorainfracloud.org/coprs/neil/glusterfs/build/8750388/ | 15:16 |
NeilHanlon | (that's really why I was late lol) | 15:16 |
noonedeadpunk | I think this can be smth we can just generally suggest as basic thing on how to secure storage of openstack_deploy folder | 15:17 |
NeilHanlon | I will maintain it. :) probably in EPEL 10, if I can manage to do it | 15:17 |
noonedeadpunk | oh, that would be really nice... | 15:17 |
noonedeadpunk | I have no idea about gluster audience... but I believe it must have some except us, right? | 15:18 |
NeilHanlon | that makes sense noonedeadpunk re: secrets. I'd been also thinking about how we could incorporate SOPS (https://www.cncf.io/projects/sops/) | 15:18 |
noonedeadpunk | ah, yes, we actually do use sops here | 15:18 |
noonedeadpunk | with osa | 15:18 |
NeilHanlon | oh nice :D | 15:18 |
noonedeadpunk | so it's more than doable | 15:18 |
NeilHanlon | i only learned about SOPS at Cfgmgmtcamp this year | 15:19 |
noonedeadpunk | one thing I hate about sops, or well... one of things... | 15:19 |
noonedeadpunk | is that either it's very annoying to maintain if you're using GPGs | 15:19 |
noonedeadpunk | or weird if you use remote transport like vault | 15:19 |
noonedeadpunk | btw this year on cfgmgmt I learned about https://github.com/cyberark/conjur#rotators | 15:20 |
NeilHanlon | ahh. yeah I can see that being difficult | 15:21 |
noonedeadpunk | another thing I learned about sops - it's tricky to make it idempotent, as naturally sops will agree to double/triple/quadruple encrypt the same file | 15:21 |
noonedeadpunk | instead of detecting that it's already encrypted | 15:21 |
NeilHanlon | "security" | 15:21 |
NeilHanlon | lol | 15:22 |
NeilHanlon | that seems a bit broken, IMO | 15:22 |
NeilHanlon | conjur looks interesting... | 15:22 |
noonedeadpunk | but in fact I'm not sure what exactly sops accomplishes compared to ansible-vault except being annoying | 15:23 |
noonedeadpunk | as one who has a gpg in file encryption is still able to decrypt the file version anytime after if they have it locally | 15:24 |
noonedeadpunk | so the most trivial usecase - an employee was let go and we want to prevent them from accessing secrets - is not done with sops... | 15:25 |
noonedeadpunk | and ansible-vault is way more trivial.... | 15:25 |
noonedeadpunk | but dunno | 15:25 |
noonedeadpunk | probably the usecase, is have GPG only for non-interactive sessions, like Ansible, and then rest go through vault | 15:26 |
noonedeadpunk | regarding sops implementation - given we have an ansible-vault as a reference, I will suggest my company to track sops implementation as smth we want to contribute to | 15:30 |
damiandabrowski | SOPS will refuse to encrypt yaml files multiple times | 15:32 |
damiandabrowski | but for text files...yes, it's a bit annoying | 15:32 |
noonedeadpunk | ansible-vault will refuse for text files as well ;) | 15:33 |
noonedeadpunk | the patch I'm talking about : https://review.opendev.org/c/openstack/openstack-ansible-ops/+/943866 | 15:33 |
noonedeadpunk | and then I'd love to start looking into EL10 in upcoming weeks... | 15:34 |
noonedeadpunk | and one potential things, but it's probably for the PTG - if we wanna bring back freezer role | 15:36 |
noonedeadpunk | I do have quite working role for deployment | 15:36 |
noonedeadpunk | #link https://github.com/noonedeadpunk/openstack-ansible-os_freezer | 15:36 |
noonedeadpunk | but it's not deploying freezer-scheduler yet - waiting for merging blueprint to be able to run it centrally rather than on clients only | 15:37 |
NeilHanlon | I'm gonna try to start taking a look at OSA for c10s in the coming weeks, too. especially the modular libvirt stuffs | 15:41 |
NeilHanlon | I am done travelling for a little while so I can actually focus on some stuff | 15:41 |
noonedeadpunk | that part is indeed most concerning one | 15:41 |
noonedeadpunk | as I have actually no idea how that does work | 15:42 |
noonedeadpunk | or well: 1. what we need to start 2. what we don't need to start 3. How to control TLS/non-TLS now | 15:42 |
noonedeadpunk | and third one is the most unclear so far... | 15:43 |
noonedeadpunk | as doing ansible is trivial if you know what needs to be done... | 15:43 |
NeilHanlon | https://libvirt.org/daemons.html at least seems pretty verbose about the changes, on its face | 15:44 |
NeilHanlon | agreed TLS is the most ambiguous right now | 15:45 |
noonedeadpunk | So right now we have quite some logic around libvirtd-tcp.socket and libvirtd-tls.socket and switching back-forth | 15:46 |
noonedeadpunk | and I don't understand to what it does translate tbh | 15:46 |
NeilHanlon | I will take that on, to disambiguate our config and what we're doing with the monolithic daemon | 15:47 |
noonedeadpunk | So apparently we need virtqemud, but then... virtinterfaced? virtnetworkd? virtnwfilterd? virtstoraged? | 15:48 |
noonedeadpunk | probably it transitions to virtproxyd-tls.socket? | 15:48 |
noonedeadpunk | yeah, I guess it's virtproxyd-tcp.socket / virtproxyd-tls.socket | 15:49 |
NeilHanlon | yeah, i think so | 15:49 |
noonedeadpunk | but somehow the amount of things we'd need to control now increased dramatically | 15:50 |
noonedeadpunk | and how to restart them in proper order on upgrade :D | 15:51 |
NeilHanlon | yeah, there's a bunch more daemons to start or enable now, basically | 15:51 |
NeilHanlon | i will chat with the libvirt packagers for fedora and see what I can glean | 15:54 |
noonedeadpunk | that can be extremely helpful :) | 15:55 |
NeilHanlon | at a glance, it appears the libvirt packaging takes care of restarting during upgrade | 15:55 |
noonedeadpunk | oh rly? | 15:55 |
noonedeadpunk | as I got used that in RH world that's responsibility of user | 15:55 |
NeilHanlon | https://src.fedoraproject.org/rpms/libvirt/blob/rawhide/f/libvirt.spec#_1684 | 15:56 |
NeilHanlon | anyways, i can ask and translate from the spec for what services it does and doesn't reload | 15:57 |
NeilHanlon | or restart | 15:57 |
NeilHanlon | cause that's a pretty dang verbose specfile... | 15:57 |
noonedeadpunk | but this somehow looks like a monolithic one to me https://src.fedoraproject.org/rpms/libvirt/blob/rawhide/f/libvirt.spec#_1771 | 15:57 |
noonedeadpunk | but can be wrong | 15:58 |
noonedeadpunk | but actually I think it answers the question on order! | 15:58 |
noonedeadpunk | ok, thanks! That's indeed a good read for me | 15:59 |
noonedeadpunk | and it all might be easier than expected | 15:59 |
NeilHanlon | i hope so! lol | 15:59 |
NeilHanlon | i will still reach out to the maintainers via email and ask for some guidance | 16:00 |
noonedeadpunk | sounds good, thanks! | 16:00 |
noonedeadpunk | #endmeeting | 16:00 |
opendevmeet | Meeting ended Tue Mar 11 16:00:33 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:00 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-03-11-15.01.html | 16:00 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-03-11-15.01.txt | 16:00 |
opendevmeet | Log: https://meetings.opendev.org/meetings/openstack_ansible_meeting/2025/openstack_ansible_meeting.2025-03-11-15.01.log.html | 16:00 |
NeilHanlon | Thanks for running noonedeadpunk! :) (as always ;)) | 16:00 |