| *** dlw has joined #kata-dev | 01:48 | |
| *** zerocoolback has joined #kata-dev | 02:21 | |
| *** zerocoolback has quit IRC | 02:21 | |
| *** zerocoolback has joined #kata-dev | 02:21 | |
| *** zerocoolback has quit IRC | 03:56 | |
| *** sjas_ has joined #kata-dev | 04:22 | |
| *** sjas has quit IRC | 04:26 | |
| *** jodh has joined #kata-dev | 05:40 | |
| *** jodh has quit IRC | 05:40 | |
| *** jodh has joined #kata-dev | 05:40 | |
| *** zerocoolback has joined #kata-dev | 06:42 | |
| *** zerocoolback has quit IRC | 06:43 | |
| *** zerocoolback has joined #kata-dev | 06:43 | |
| *** zerocoolback has quit IRC | 06:48 | |
| *** sameo has joined #kata-dev | 07:36 | |
| *** davidgiluk has joined #kata-dev | 08:00 | |
| *** gwhaley has joined #kata-dev | 09:24 | |
| *** isaagar has quit IRC | 09:40 | |
| *** dlw1 has joined #kata-dev | 10:03 | |
| *** dlw has quit IRC | 10:03 | |
| *** dlw1 is now known as dlw | 10:03 | |
| *** isaagar has joined #kata-dev | 10:06 | |
| *** dlw1 has joined #kata-dev | 10:36 | |
| *** dlw has quit IRC | 10:37 | |
| *** dlw1 is now known as dlw | 10:37 | |
| *** devimc has joined #kata-dev | 11:47 | |
| *** lsm5 has quit IRC | 11:49 | |
| *** lsm5 has joined #kata-dev | 11:50 | |
| *** lsm5 has quit IRC | 11:54 | |
| *** lsm5 has joined #kata-dev | 11:54 | |
| *** zerocoolback has joined #kata-dev | 12:21 | |
| *** dlw has quit IRC | 12:31 | |
| *** isaagar has quit IRC | 12:36 | |
| *** sjas_ is now known as sjas | 12:48 | |
| *** isaagar has joined #kata-dev | 12:50 | |
| *** devimc has quit IRC | 13:32 | |
| *** devimc has joined #kata-dev | 13:32 | |
| kata-irc-bot1 | <salvador.fuentes> hi clarkb, @sebastien.boeuf, @archana.m.shinde I removed this iptables rule: `13 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited` from the openstack-INPUT chain and the k8s tests worked correctly | 14:04 |
|---|---|---|
| *** lamego has joined #kata-dev | 14:10 | |
| kata-irc-bot1 | <julio.montes> hi @anne | 14:10 |
| kata-irc-bot1 | <julio.montes> me again :D , any update on the canonical review ? | 14:12 |
| kata-irc-bot1 | <sebastien.boeuf> @salvador.fuentes that's good news :slightly_smiling_face: | 14:17 |
| kata-irc-bot1 | <sebastien.boeuf> @salvador.fuentes so we have a Zuul build succeeding now ? | 14:18 |
| kata-irc-bot1 | <salvador.fuentes> @sebastien.boeuf not yet, only on the machine that clarkb provided to us | 14:19 |
| kata-irc-bot1 | <salvador.fuentes> not sure what would be the best approach here, but I think that maybe that iptables rule should be removed/changed on the openstack infra job? clarkb, wdyt? | 14:20 |
| kata-irc-bot1 | <sebastien.boeuf> yeah let's wait for clarkb input on this | 14:21 |
| *** fiddletwix has quit IRC | 15:15 | |
| *** LinuxMe has joined #kata-dev | 15:31 | |
| *** p_god_ has joined #kata-dev | 15:39 | |
| *** p_god_ has quit IRC | 15:39 | |
| *** gwhaley1 has joined #kata-dev | 15:42 | |
| *** gwhaley has quit IRC | 15:42 | |
| clarkb | sebastien.boeuf salvador.fuentes I wouldn't remove that reject as it is there to protect the test job from other test jobs and the avoid reflection attacks from running services and that sort of thing | 16:01 |
| clarkb | I got a change merged to allow 10.244.0.0/16 to talk to port 6443 on the test node which should fix it too, but that failed testing due to a new crio test failure and I think vexxhost is still having ipv6 issues | 16:01 |
| clarkb | (so I'm not sure if that worked. But that is the sort of thing I would do) | 16:03 |
| kata-irc-bot1 | <salvador.fuentes> clarkb, ahh great, thanks clarkb, can you share the change so I can test it on the machine that I have? | 16:03 |
| clarkb | https://review.openstack.org/#/c/577590/4/roles/kata-setup/tasks/main.yaml is the change I made | 16:03 |
| clarkb | basically add a rule to the top of INPUT that allows 10.244.0.0/16 source to dest port 6443 over tcp | 16:04 |
| kata-irc-bot1 | <salvador.fuentes> thanks | 16:04 |
| kata-irc-bot1 | <salvador.fuentes> and yes, I see that the cri-o test #3 failed, I'll be opening some PRs to fix this, in the meantime I added a recheck to the proxy PR. | 16:08 |
| clarkb | tracing through all of the k8s nat and firewall rules the 10.244.0.2 IP assigned to the kata instance talks to 10.96.0.1 which gets NATed to $actual_host_ip and it was on that last leg of the packet journey that iptables dropped the packet according to the logs. So allowing 10.244.0.2 to talk to $host_ip should fix it | 16:09 |
| *** annabelleB has joined #kata-dev | 16:35 | |
| *** LinuxMe has quit IRC | 16:55 | |
| *** annabelleB has quit IRC | 17:01 | |
| *** LinuxMe has joined #kata-dev | 17:07 | |
| *** zerocoolback has quit IRC | 17:19 | |
| *** zerocoolback has joined #kata-dev | 17:19 | |
| *** zerocoolback has quit IRC | 17:23 | |
| kata-irc-bot1 | <salvador.fuentes> clarkb, your change fixed the k8s issue :slightly_smiling_face: | 17:36 |
| clarkb | yay | 17:36 |
| kata-irc-bot1 | <salvador.fuentes> now we hit another failure on the docker swarm tests, seems like the interface has several ipv6 | 17:37 |
| clarkb | it should have one global ip and one link local ip | 17:37 |
| *** FL1SK has joined #kata-dev | 17:44 | |
| *** gwhaley1 has quit IRC | 17:46 | |
| *** jodh has quit IRC | 17:46 | |
| *** LinuxMe has quit IRC | 18:38 | |
| *** sameo has quit IRC | 18:41 | |
| kata-irc-bot1 | <salvador.fuentes> clarkb: the machines on the CI have one ipv4 address with scope global and one ipv6 local, do you think we can change this with the zuul machines? | 19:12 |
| *** davidgiluk has quit IRC | 19:26 | |
| *** devimc has quit IRC | 20:54 | |
| *** LinuxMe has joined #kata-dev | 21:39 | |
| *** LinuxMe has quit IRC | 21:44 | |
| *** lamego has left #kata-dev | 21:56 | |
| *** annabelleB has joined #kata-dev | 22:15 | |
| clarkb | what would we change it to? | 23:22 |
| clarkb | this is default vexxhost network setup | 23:23 |
| clarkb | if the ask is to remove ipv6 I dont think we would do that for you bu you could manipulate that in the job if necessary | 23:24 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!