Friday, 2015-11-13

[01:04] <asalkeld> do you guys run your own local registry?
[01:04] <asalkeld> (docker registry)
[01:06] <asalkeld> ok, i see that vagrant does that
[05:19] <nihilifer> good morning
[05:37] <asalkeld> hi
[05:44] <kjelly> morning
[07:06] <nihilifer> Diogo Monteiro, are you here on IRC?
[07:06] <nihilifer> ah, ok, diogogmt :)
[07:06] <nihilifer> you here?
[07:29] <openstackgerrit> Michal Rostecki proposed openstack/kolla: Drop root for HAProxy  https://review.openstack.org/245013
[07:43] <SamYaple> asalkeld: i run my own
[07:53] <openstackgerrit> Merged openstack/kolla: Drop root privileges for rabbitmq  https://review.openstack.org/244721
[08:08] <openstackgerrit> Michal Rostecki proposed openstack/kolla: Remove "../../etc/kolla" from synced folders in Vagrant  https://review.openstack.org/245022
[08:31] <openstackgerrit> Kuo-tung Kao proposed openstack/kolla: suggest to upgrade kernel in image-building.rst  https://review.openstack.org/245025
[08:32] <kjelly> Hi, does anyone have the issue? run `docker run ubuntu setcap 'cap_net_bind_service=ep' /bin/bash` with error
[08:32] <kjelly> the issue makes me fail to build horizon images.
[08:33] <kjelly> linux kernel Linux user-GA-6PXSV3 4.2.0-16-generic and Linux vagrant-ubuntu-trusty-64 3.13.0-68-generic
[08:34] <kjelly> linux kernel Linux user-GA-6PXSV3 4.2.0-16-generic with Docker version 1.9.0 and Linux vagrant-ubuntu-trusty-64 3.13.0-68-generic with Docker version 1.8.2
[08:37] <SamYaple> kjelly: i do not have that issue but my understanding is horizon for ubuntu is broken due to a recent change sdake did anyway
[08:40] <kjelly> SamYaple: failed because the commit https://github.com/openstack/kolla/commit/f9ccb1c8829cef551b875c7c387530e7980414a7
[08:40] <SamYaple> kjelly: right but the horizon implementation is busted anyway
[08:40] <kjelly> SamYaple: And the reason is `setcap 'cap_net_bind_service=ep' /usr/sbin/httpd` failed
[08:40] <SamYaple> it needs to be the apache user
[08:41] <SamYaple> kjelly: httpd is only for centos
[08:41] <kjelly> SamYaple: the error msg is "Failed to set capabilities on file `/bin/bash' (Invalid argument)"
[08:44] <kjelly> SamYaple: which is the reason your build of horizon images failed?
[08:44] <SamYaple> kjelly: they don't fail for me
[08:44] <SamYaple> they fail to run
[08:45] <kjelly> SamYaple: Ok, I see.
[08:45] <SamYaple> but you are right, the implementation is bust
[08:45] <kjelly> SamYaple: there are some issues in docker and kernel that make me fail to build horizon images.
[08:46] <kjelly> :(
[08:48] <SamYaple> kjelly: im going to revert that change. the recommended practice for apache is to run as root
[08:48] <SamYaple> https://httpd.apache.org/docs/2.2/misc/security_tips.html
[08:49] <SamYaple> well i suppose i dont have to revert it, just change it to launch apache as root
[08:54] <kjelly> my computer crashed ...
[08:56] <openstackgerrit> Sam Yaple proposed openstack/kolla: Revert "Drop root for Horizon service"  https://review.openstack.org/245035
[08:57] <SamYaple> kjelly: ^ that patch reverts the horizon stuff
[08:57] <SamYaple> I am not sure we need to change anything for horizon or keystone
[08:57] <SamYaple> apache already does priv dropping
[08:58] <kjelly> SamYaple: Ok. I test it now
[09:01] <SamYaple> sdake_: naked ping
[09:06] <kjelly> SamYaple: why do we drop root priv? apache will do the thing.
[09:07] <SamYaple> kjelly: yea we dont
[09:07] <SamYaple> i pointed this out yesterday to sdake
[09:08] <kjelly> SamYaple: Ok. I see.
[09:35] <kproskurin> Hi guys
[09:35] <kproskurin> I heard you’re gonna revert horizon root drop commit
[09:37] <nihilifer> kproskurin: https://review.openstack.org/#/c/245035/
[09:37] <SamYaple> kproskurin: i just submitted a patch.  i expect pushback on it
[09:37] <SamYaple> luckily i have 'best-practice' on my side
[09:38] <kproskurin> Yeah, it’s probably the best idea, BUT I'm still curious what was wrong with the permission? Anyone dig into it?
[09:38] <SamYaple> kproskurin: different kernels produce different results
[09:39] <SamYaple> we really shouldnt be setting different caps on binaries like that
[09:39] <SamYaple> its not a commonly done thing
[09:39] <kproskurin> Yeah, but I didn’t get setcap problem, I got file permission one. :-) Well, anyway.
[09:41] <SamYaple> yea who knows what else we would run into with it
[09:41] <SamYaple> best to follow apaches best practice on the matter
[09:57] <vbel> good morning/evening
[09:57] <vbel> which minimal docker version we should stick into reqs?
[09:58] <SamYaple> vbel: i know the lowest version is 1.6.0
[09:58] <vbel> I thought of this too - worked well for long time
[09:59] <vbel> SamYaple: is there any reason to stick with 1.8.x ?
[09:59] <vbel> like registry issues
[10:06] <SamYaple> vbel: what do you mean? we are capped at 1.8.2 for now
[10:06] <vbel> SamYaple: so anything from 1.6.0 up to 1.8.2 is ok
[10:08] <SamYaple> vbel: yes should be
[10:09] <vbel> ok, thanks
[10:31] <openstackgerrit> Michal Rostecki proposed openstack/kolla: Add Ansible support for Magnum  https://review.openstack.org/236223
[11:23] <openstackgerrit> Sam Yaple proposed openstack/kolla: Remove unused tox jobs  https://review.openstack.org/245096
[11:35] <openstackgerrit> Sam Yaple proposed openstack/kolla: Convert gate to Ansible setup  https://review.openstack.org/244538
[11:46] <openstackgerrit> Vladislav Belogrudov proposed openstack/kolla: Add playbook for hosts pre-deployment checks (ports, files)  https://review.openstack.org/239882
[11:49] <openstackgerrit> Vladislav Belogrudov proposed openstack/kolla: Add playbook for hosts pre-deployment checks (ports, files)  https://review.openstack.org/239882
[11:50] <openstackgerrit> Vladislav Belogrudov proposed openstack/kolla: Add playbook for hosts pre-deployment checks (ports, files)  https://review.openstack.org/239882
[12:12] <vbel> SamYaple, do we need to put Checking to all tasks? I mean Checking free port for Cinder API and so on?
[12:14] <SamYaple> vbel: i hadn't thought of that. but we probably should. Our tasks naming convention is 'Doing this' 'Running that' 'Starting this' so 'Checking port' would make sense
[12:14] <vbel> SamYaple, ok, thanks
[12:14] <SamYaple> sed -i 's/name: /name: Checking/g'
[12:16] <vbel> I am in vi :) but it is similar
[12:16] <openstackgerrit> Vladislav Belogrudov proposed openstack/kolla: Add playbook for hosts pre-deployment checks (ports, files)  https://review.openstack.org/239882
[12:17] <SamYaple> :%s/name: /name: Checking/g
[12:17] <vbel> Checking free port for ....
[12:17] <vbel> ?
[12:17] <SamYaple> works for me
[12:17] <vbel> other stuff is corrected
[12:20] <openstackgerrit> Sam Yaple proposed openstack/kolla: Convert gate to Ansible setup  https://review.openstack.org/244538
[12:25] <openstackgerrit> Vladislav Belogrudov proposed openstack/kolla: Add playbook for hosts pre-deployment checks (ports, files)  https://review.openstack.org/239882
[12:49] <kjelly> SamYaple: around ?
[12:54] <SamYaple> kjelly: yea
[12:55] <kjelly> SamYaple: I am interested in why I have the issue, but you don't. https://review.openstack.org/#/c/245025/
[12:55] <openstackgerrit> Sam Yaple proposed openstack/kolla: Convert gate to Ansible setup  https://review.openstack.org/244538
[12:55] <kjelly> SamYaple: I reproduce the issue using vagrant with image ubuntu/trusty64.
[12:55] <kjelly> SamYaple: Could you try it?
[12:55] <SamYaple> kjelly: the gate is 3.13 and it doesnt have an issue either
[12:56] <SamYaple> i dont use vagrant
[12:58] <kjelly> SamYaple: Ok. it seems that I often hit strange issues.
[12:58] <SamYaple> dont we all :)
[13:03] <kjelly> SamYaple: the system of all gate is ubuntu 3.13?
[13:05] <SamYaple> yes
[13:10] <rhallisey> vbel, I'm +2 on your pre-deploy. I just left a comment in there I'm curious about
[13:10] <vbel> rhallisey, if you put there 1.8.2.1 as max - will it work?
[13:12] <rhallisey> let me try it.  I don't think so though
[13:12] <vbel> I think it depends on how version filter is implemented. At the same time we could cut version to 3 digits
[13:12] <rhallisey> that would be best
[13:13] <rhallisey> 1.8.2.1 didn't work
[13:13] <SamYaple> rhallisey: when you run `docker version` it returns fc21?
[13:13] <rhallisey> ya
[13:13] <SamYaple> can you pastebin that? i want to compare the differences with ubuntu
[13:13] <rhallisey> http://fpaste.org/290105/20433144/
[13:13] <SamYaple> if thats different what else is
[13:14] <SamYaple> rhallisey: thats the client
[13:14] <SamYaple> we need to be checking the server
[13:14] <SamYaple> the server shouldn't be 1.8.2.fc21
[13:15] <SamYaple> http://fpaste.org/290106/42044514/
[13:15] <rhallisey> sorry that was incomplete
[13:15] <rhallisey> either way
[13:15] <rhallisey> server has same thing
[13:16] <SamYaple> can you paste so i can compare the differences with ubuntu?
[13:16] <rhallisey> ya
[13:17] <rhallisey> http://fpaste.org/290109/20629144/
[13:17] <rhallisey> looks like the server doesn't show unless you run with root
[13:17] <rhallisey> so if we need the server going to have to run with root
[13:18] <SamYaple> we do have a standing requirement for kolla to run with elevated permissions
[13:18] <SamYaple> so no shocker there
[13:18] <rhallisey> kk
[13:18] <rhallisey> just pointing it out
[13:19] <SamYaple> how did you install docker rhallisey?
[13:19] <rhallisey> rdo-release
[13:19] <rhallisey> repo
[13:19] <SamYaple> ugh rdo
[13:19] <SamYaple> always causing issues
[13:19] <SamYaple> worst packaging ever
[13:20] <SamYaple> yea the official docker packages dont have that version issue
[13:26] <vbel> I am checking regex_replace('(\d+\.\d+\.\d+).*', '\1')
[13:27] <SamYaple> yea or we could convert it to tuples
[13:27] <SamYaple> not sure whats cleanest
[13:27] <openstackgerrit> OpenStack Proposal Bot proposed openstack/kolla: Updated from global requirements  https://review.openstack.org/245140
[13:28] <SamYaple> w00t
[13:28] <SamYaple> Kennan: ^^^ it finally went through that patch
[13:35] <openstackgerrit> Vladislav Belogrudov proposed openstack/kolla: Add playbook for hosts pre-deployment checks (ports, files)  https://review.openstack.org/239882
[13:36] <vbel> SamYaple, rhallisey : one more version to cover 1.8.2.whatever versions :)
[13:36] <rhallisey> hehe thanks vbel
[13:38] <vbel> rhallisey, can you please check this with fc21 to be sure?
[13:38] <rhallisey> vbel, it works
[13:38] <rhallisey> nice job
[13:38] <vbel> rhallisey, thanks! :)
[13:41] <SamYaple> vbel: can you stop the docker daemon and then run your tests again?
[13:42] <SamYaple> it fails with a bad message about not being able to convert to yaml
[13:42] <SamYaple> now id be ok with this since the task name is pretty clear, but perhaps there is a cleaner way to do it
[13:42] <vbel> SamYaple, yes
[13:43] <SamYaple> just give it some thought. im going to wait for the gate and merge unless you -W  we can always improve later
[13:43] <vbel> http://paste.openstack.org/show/478795/
[13:44] <SamYaple> yea thats fine with me it seems pretty clear
[13:45] <SamYaple> fyi vbel, this is the perfect time for custom filters
[13:46] <vbel> SamYaple, I already understood it :) Existing filters don't do such tasks easily
[13:47] <SamYaple> yea vbel ive been waiting for 2.0 to start doing filters because they change a little bit i believe
[13:47] <SamYaple> but we can use filters for this
[13:48] <SamYaple> for database stuff
[13:51] <vbel> would be great to have such
[13:55] <britthouser> So catching up since I was swamped yesterday.  For horizon nothing was required for droproot, since apache does that already.  I think the same will be true for Keystone, right?
[13:59] <ashishjain> SamYaple: Hi
[14:03] <SamYaple> hello ashishjain
[14:03] <SamYaple> britthouser: this is correct
[14:04] <SamYaple> any compromisable process will be running as an unelevated user britthouser
[14:04] <ashishjain> SamYaple: I am of the view that kolla deployment on a baremetal laptop should not be recommended, instead an individual should do the same over a VM
[14:04] <britthouser> Thanks SamYaple!  I'll just mark keystone as no-op in the blue print and continue on to my other containers.
[14:04] <ashishjain> which runs on his laptop
[14:05] <ashishjain> I am updating the bug https://bugs.launchpad.net/kolla/+bug/1514227 with my comments, you can probably provide your review comments
[14:05] <openstack> Launchpad bug 1514227 in kolla "Update Documentation for bare metal deployment of kolla with single network interface " [Critical,Triaged] - Assigned to Ashish (ashish-jain14)
[14:08] <openstackgerrit> Chris Ricker proposed openstack/kolla: Fix typo in Fedora section of quickstart  https://review.openstack.org/245164
[14:20] <britthouser> So digging into keepalive container.
[14:20] <britthouser> It is running as root
[14:20] <britthouser> but there appears to be no keepalive user included as part of packaging.  I'm guessing this is b/c keepalive has to modify the networking stack to add/remove the VIP.
[14:21] <britthouser> So therefore keepalive doesn't need drop root either.
[14:21] <britthouser> that's what it looks like to me, but could use some confirmation.
[14:24] <vbel> britthouser: yes, it adds ip to interface, also it does multicasting. So it should be root
[14:25] * britthouser is terrible at picking containers to fix
[14:30] <SamYaple> any compromisable process will be running as an unelevated user britthouser
[14:30] <SamYaple> britthouser: oops repeat
[14:38] <SamYaple> britthouser: yea keepalived is expected to run as root
[14:39] <britthouser> And I was helping a guy on my team with memcached, but it looks like it already runs unelevated, even without this change.
[14:39] <britthouser> somehow we chose all the containers that need no work! =P
[14:40] <SamYaple> britthouser: right memcached is controlled by the -u flag
[14:40] <SamYaple> and we already drop that
[14:40] <SamYaple> however, you can still add the USER command to the dockerfile
[14:40] <SamYaple> so im not sure how we are going to go about it
[14:41] <SamYaple> for the ones that need root to run, sdake may want to use sudo on those commands
[14:41] <SamYaple> the container itself will still be privilege dropped
[14:41] <SamYaple> dont know
[14:42] <britthouser> So you're saying for keystone/horizon/keepalived - one option would be to run the container as USER, and sudo the command that launches the process.
[14:42] <britthouser> vs leaving it as is.
[14:43] <openstackgerrit> Merged openstack/kolla: Add playbook for hosts pre-deployment checks (ports, files)  https://review.openstack.org/239882
[14:44] <SamYaple> britthouser: correct
[14:44] <SamYaple> my guess is sdake will probably want that
[14:48] <britthouser> Yeah that makes sense.  I'll work toward that on keystone and see if I can figure out how to do it.
[14:49] <britthouser> As for memcached - if I add USER to the end, I'd also have to remove the -u right?
[14:49] <britthouser> otherwise its kinda redundant
[14:49] <SamYaple> britthouser: dunno. sounds right
[14:49] <SamYaple> -u <username>
[14:50] <SamYaple> Assume the identity of <username> (only when run as root).
[14:50] <SamYaple> from the man page
[14:50] <openstackgerrit> Merged openstack/kolla: Fix typo in Fedora section of quickstart  https://review.openstack.org/245164
[14:50] <britthouser> ok, I'll submit that, but honestly I'm on the fence if its needed since its already doing what we want....
[14:51] <SamYaple> britthouser: yea but there are other reasons like `docker exec` now runs as that user rather than root
[14:51] <SamYaple> little things that could potentially increase security
[14:52] <britthouser> ahh...ok that is good to know.  Thanks for the extra info
[14:52] <SamYaple> for the record, its _very_ little security
[14:53] <SamYaple> you can set the user with `docker exec -u`
[14:53] <SamYaple> but idk uniformity across the project and all i guess
[14:54] <britthouser> yeah uniformity is a good enough reason for me. =)
[15:03] <openstackgerrit> Chris Ricker proposed openstack/kolla: Update commands in kolla-build section  https://review.openstack.org/245192
[15:11] <sdake> morning
[15:11] <SamYaple> morning sdake
[15:12] <britthouser> morning sdake
[15:13] <britthouser> question for you sdake:  SamYaple and I were discussing containers that require root (keystone/horizon/keepalived).  Are they OK as is, or should we still include USER but sudo the start command?
[15:14] <sdake> user
[15:14] <britthouser> Ok.
[15:14] <sdake> docker exec could easily be used to blow up the container contents
[15:14] <sdake> with user it's still possible but harder
[15:14] <sdake> i already did horizon - it did not require root
[15:14] <SamYaple> sdake: you know `docker exec` has a user option
[15:14] <SamYaple> sdake: no thats gotta be reverted
[15:15] <SamYaple> https://review.openstack.org/#/c/245035/ sdake
[15:15] <sdake> i tested it on ubuntu
[15:16] <SamYaple> sdake: it builds on some systems, not on others. it launches and runs on some, but not others
[15:16] <SamYaple> either way, its not best practice
[15:16] <sdake> it doesnt seem to run on my overlayfs
[15:17] <sdake> because ubuntu is a pile of shit
[15:17] <sdake> ;)
[15:17] <SamYaple> either way were gonna revert it cause its not best practice
[15:17] <sdake> so what do you propose we do - nothing?
[15:17] <SamYaple> your opinions not need to matter
[15:17] <sdake> my opinion always matters samyaple
[15:17] <SamYaple> in your own head
[15:18] <SamYaple> for one it already has privilege dropping
[15:18] <SamYaple> apache does that already
[15:18] <SamYaple> it works
[15:18] <sdake> so do nothing then?
[15:18] <SamYaple> but for consistency with other containers i thought perhaps we run apache as sudo
[15:18] <SamYaple> so we still have the USER directive
[15:18] <SamYaple> but apache runs as root
[15:19] <sdake> then sudo ends up as pid 1
[15:19] <SamYaple> not a problem as weve been over
[15:19] <SamYaple> but if you have an issue with that then yea, we do nothing
[15:19] <sdake> i disagree with your analysis
[15:20] <SamYaple> be that as it may, its not best practice and its broken
[15:20] <SamYaple> best practice says run as root since it does priv dropping
[15:20] <sdake> that is a super weak argument
[15:20] <sdake> the doesnt work on some ubuntus is better
[15:21] <SamYaple> no. right now if a process gets compromised it could write to the very logs tracking it and remove any trace of access
[15:21] <SamYaple> thats bad security
[15:21] <SamYaple> this is why apache does its own priv handling
[15:21] <SamYaple> again your opinion on the matter doesnt mean anything when best practice says otherwise
[15:22] <SamYaple> smarter people than us have worked on it longer than us to make this secure, i trust them
[15:23] <sdake> log alteration is a weak argument, all of our containers suffer from log alteration
[15:23] <SamYaple> not apache
[15:23] <SamYaple> and this is about security, any security is better
[15:23] <SamYaple> and no sdake none of our containers do
[15:23] <SamYaple> why? they log to syslog
[15:24] <SamYaple> well when logging is 100% working none of them will
[15:24] <sdake> ok well then do nothing
[15:24] <sdake> i dont want sudo as pid1
[15:25] <SamYaple> fair enough. i won't fight you on implementation that doesnt affect security
[15:25] <SamYaple> i wish su worked properly on all the kernels :(
[15:25] <sdake> britthouser looks like nothing need be done with keystone
[15:26] <sdake> the kernels it doesn't work on are pile of shit ubuntu
[15:26] <sdake> ubuntu is just one big piece of garbage
[15:26] <britthouser> Ok.  I still need sudo for keepalived since that process does run as root in the container.  correct?
[15:26] <sdake> keepalived can run as nonroot
[15:26] <SamYaple> sdake: try to be a bit more professional would ya
[15:26] <sdake> just set permissions
[15:26] <SamYaple> sdake: best practice says it runs as root
[15:26] <sdake> SamYaple you accosted me when i woke up, what the fuck do you expect
[15:27] <sdake> next time wait an hour for me to boot up will ya
[15:27] <SamYaple> sdake: i didnt bring it up check the fucking logs dude
[15:27] <SamYaple> you started spouting shit and i stopped you
[15:27] <britthouser> yeah sorry that was my bad
[15:27] <sdake> and that doesn't change the fact ubuntu is a pile of shit
[15:27] <britthouser> how about an easy question: how do I indicate in the blueprint a NOOP
[15:27] <SamYaple> britthouser: nah you arent being a douche right now. youre cool
[15:28] <SamYaple> britthouser: remove the work item or put it as DONE and make a note in work items
[15:28] <britthouser> do I infer from that at some point I was being a douche, SamYaple? =P
[15:28] <sdake> dont remove work items
[15:28] <sdake> britthouser i think the implication is i am being a douche
[15:28] <SamYaple> britthouser: there was that one time..... ;)
[15:29] <britthouser> I must have blocked it out. =)
[15:29] <SamYaple> britthouser: im joking dont worry
[15:29] <sdake> you better just shut the fuck up sam
[15:29] <SamYaple> jesus dude go back to bed
[15:29] <SamYaple> or eat a snickers
[15:29] <britthouser> so sdake when you wake up would like to discuss keepalived too
[15:30] <sdake> well god damnit i'm awake lets discuss it
[15:30] <sdake> the reason you need to run keepalived as root is to get access to certain capabilities
[15:31] <britthouser> none of the packaging for keepalived includes a keepalived user.   I think this is b/c keepalive has to alter the network stack to add the VIP to the interface and stuff
[15:31] <SamYaple> also best practice and thats how all other daemon services run it
[15:31] <sdake> this is how you gain capabilities
[15:31] <sdake> https://github.com/openstack/kolla/blob/master/docker/horizon/Dockerfile.j2#L69
[15:32] <SamYaple> it doesnt matter because 1, thats breaking for some kernels 2, thats not how anyone else runs it
[15:32] <sdake> keepalived is run as root not because its best practice, but because the authors are lazy
[15:32] <SamYaple> thats not true at all
[15:32] <britthouser> doggone...I thought this would be a less contentious question. =)
[15:32] <SamYaple> britthouser: i tried to warn you earlier
[15:34] <SamYaple> all packages and daemons run keepalived as root, neutron runs keepalived as root, i dont want to encounter a strange issue that turns out to be because we dont run it as root for no benefit at all
[15:35] <sdake> i would tend to agree, should run as root
[15:35] <britthouser> ok.  So that being the case, you still are not in favor of sudo being the PID 1.
[15:35] <britthouser> therefore keepalived is noop?
[15:36] <sdake> right no pid=1 for sudo
[15:36] <kjelly> sdake: The command, "setcap 'cap_net_bind_service=ep' /usr/sbin/apache2" will fail in some env. For example, vagrant image ubuntu/trusty64 with docker 1.8.2 will fail.
[15:36] <britthouser> Ok.  I'm either very bad or very good at picking containers to work on. =P
[15:36] <sdake> kjelly i get it - its because of overlayfs - fails on ubuntu in my environment
[15:37] <SamYaple> britthouser: yes
[15:38] <sdake> kjelly that is the *only* reason to revert that horizon patch not because apache running as root is best practice
[15:39] <SamYaple> sdake: i disagree with that. there is separation of users where some processes are running as apache2/httpd and others as the other user (horizon/keystone)
[15:40] <SamYaple> i dont know what all is involved in who can access what, but thats why there is a best practice
[15:40] <SamYaple> someone else does know and this is what they decided
[15:57] <openstackgerrit> Merged openstack/kolla: Update commands in kolla-build section  https://review.openstack.org/245192
[16:11] <SamYaple> had a successful multinode deploy!
[16:27] <kjelly> congratulations :)
[17:01] <openstackgerrit> Merged openstack/kolla: Add Ansible support for Magnum  https://review.openstack.org/236223
[17:11] <openstackgerrit> OpenStack Proposal Bot proposed openstack/kolla: Updated from global requirements  https://review.openstack.org/245140
[17:13] <openstackgerrit> Michal Rostecki proposed openstack/kolla: [WIP] Use trusts in heat.conf  https://review.openstack.org/236198
[17:26] <openstackgerrit> Michal Rostecki proposed openstack/kolla: Add ZooKeeper support in kolla-ansible  https://review.openstack.org/244474
[17:51] <openstackgerrit> Michal Rostecki proposed openstack/kolla-mesos: add config generation script and some examples  https://review.openstack.org/242912
[17:58] <openstackgerrit> Michal Rostecki proposed openstack/kolla-mesos: Rename package from kolla-mesos to kolla_mesos  https://review.openstack.org/245276
[18:08] <sdake> SamYaple wake up dude
[18:11] <openstackgerrit> Michal Rostecki proposed openstack/kolla-mesos: [WIP] Using DCOS library for Marathon  https://review.openstack.org/244455
[18:12] <sdake> jpeeler rhallisey mandre SamYaple - clock ticking on Michal's core reviewer nomination
[18:12] <sdake> if you want to abstain i understand but if you didn't check the mailing list lately - its up there
[18:13] <sdake> apologies for being an asshole this morning, have some personal issues dealing with and i'm in a bad mood
[18:14] <openstackgerrit> Michal Rostecki proposed openstack/kolla-mesos: add config generation script and some examples  https://review.openstack.org/242912
[18:17] <vilobhmm> sdake : ping
[18:18] <sdake> sup bro
[18:18] <openstackgerrit> Michal Rostecki proposed openstack/kolla-mesos: Rename package from kolla-mesos to kolla_mesos  https://review.openstack.org/245276
[18:18] <vilobhmm> :)
[18:19] <vilobhmm> sdake : have few questions regarding the HA proposal https://github.com/openstack/kolla/blob/master/specs/high-availability.rst
[18:19] <sdake> shoot
[18:19] <sdake> SamYaple is probably the person to ask though
[18:19] <vilobhmm> I did propose this https://blueprints.launchpad.net/oslo.middleware/+spec/distributed-control-layer
[18:20] <vilobhmm> but realized in kolla you guys are planning to do something similar
[18:20] <vilobhmm> wanted to check if both ideas match
SamYaplevilobhmm: whats the question again?18:21
vilobhmmSamYaple : I did propose this https://blueprints.launchpad.net/oslo.middleware/+spec/distributed-control-layer and then i stumbled upon the ha proposal in kolla18:22
vilobhmmwanted to check if there is overlap18:22
vilobhmmwith the kolla proposal are we planning to target both stateless and stateful services ? how we plan to guarantee that stateful services start from the point they left off ?18:22
SamYaplevilobhmm: I think we only have two services that matter, rabbitmq and galera in this case18:23
SamYaplerabbitmq is handled by clusterer18:23
vilobhmmSamYaple : thats correct18:23
SamYapleand galera has its own stuff preventing starting without operator intervention18:24
vilobhmmok18:24
*** blahRus has joined #kolla18:24
*** jasonsb has quit IRC18:24
vilobhmmSamYaple : so is the plan to containerize all services and run it on multiple hosts and then if one of them crashes who takes the responsibility to spin the containers on other nodes ?18:26
vilobhmmwhere is the mapping of cluster awareness maintained18:26
SamYaplevilobhmm: oh that. no. that doesnt happen. Kolla-ansible doesnt have any clustering stuff like that18:26
SamYaplefor kolla-mesos will, but that implementation is a ways off18:27
vilobhmmis there a spec out for it18:27
vilobhmmif not can i propose it18:27
SamYaplevilobhmm: the kolla-mesos stuff is a new project so its entire implementation is up for grabs18:28
vilobhmmSamYaple : ok…is there a spec out for it which describes the tasks to be done….will something of this sort  https://blueprints.launchpad.net/oslo.middleware/+spec/distributed-control-layer help the HA proposal18:28
vilobhmmthis need not be in oslo jfyi18:29
vilobhmmSamYaple : ^^18:31
nihilifervilobhmm: generally, Mesos seems to do what you're talking about, if I understand you correctly. it means, when some Mesos slave fails, Mesos master schedules all containers from failed node on the another slave18:31
nihiliferthat's the part of already existing blueprint about Mesos18:32
nihiliferbut let me know if I misunderstood18:32
*** signed8bit is now known as signed8bit_ZZZzz18:32
SamYaplevilobhmm: that is unlikely to be a part of kolla-ansible, but nihilifer or asalkeld are the people to talk to about it for kolla-mesos18:32
*** dwalsh has joined #kolla18:33
vilobhmmnihilifer : but won't it add additional dependency on OS deployments to use mesos ?18:33
nihilifervilobhmm: yes, Mesos will be a dependency18:35
vilobhmmnihilifer : ok18:35
openstackgerritMichal Rostecki proposed openstack/kolla: Add ZooKeeper support in kolla-ansible  https://review.openstack.org/24447418:39
*** mfalatic has quit IRC18:47
*** achanda has joined #kolla18:51
*** signed8bit_ZZZzz is now known as signed8bit18:55
*** sdake has quit IRC19:00
*** sacharya has quit IRC19:10
*** sacharya has joined #kolla19:11
*** sacharya_ has joined #kolla19:13
*** bmace has quit IRC19:15
*** bmace has joined #kolla19:15
*** sacharya has quit IRC19:16
openstackgerritJosh Lothian proposed openstack/kolla: Drop root for Zaqar service  https://review.openstack.org/24530219:16
openstackgerritJosh Lothian proposed openstack/kolla: Drop root for Zaqar service  https://review.openstack.org/24530219:20
*** suro-patz has joined #kolla19:21
*** achanda has quit IRC19:22
*** thumpba has joined #kolla19:26
openstackgerritMerged openstack/kolla: Add ZooKeeper support in kolla-ansible  https://review.openstack.org/24447419:28
*** suro-patz1 has joined #kolla19:32
*** thumpba has quit IRC19:34
*** suro-patz has quit IRC19:34
*** thumpba has joined #kolla19:35
*** thumpba has quit IRC19:44
*** thumpba has joined #kolla19:45
*** achanda has joined #kolla19:47
*** sdake has joined #kolla19:48
sdakeyo19:48
*** achanda has quit IRC19:52
*** sacharya has joined #kolla19:58
*** sacharya_ has quit IRC19:58
*** thumpba has quit IRC20:05
*** thumpba has joined #kolla20:07
*** signed8bit is now known as signed8bit_ZZZzz20:10
*** dwalsh has quit IRC20:12
openstackgerritMerged openstack/kolla: Drop root for Zaqar service  https://review.openstack.org/24530220:14
*** thumpba has quit IRC20:18
*** thumpba has joined #kolla20:19
*** sdake has quit IRC20:19
*** thumpba has quit IRC20:21
britthouserI have a probably a very n00b question.  probably something easy I'm overlooking.  I updated ansible/roles/memcached/templates/memcached.json.j220:24
britthouserand removed the -u {{ memcache_user }}20:25
britthouserbut when I deploy20:25
britthouser(I also added USER memcached to the container)20:25
britthouserI still see -u in the output of ps: /usr/bin/memcached -u memcached -vv -l 172.31.231.18 -p 1121120:26
britthouserdid I change the wrong spot?20:26
*** thumpba has joined #kolla20:26
*** dwalsh has joined #kolla20:28
*** sacharya_ has joined #kolla20:35
*** macsz1 has joined #kolla20:38
*** sacharya has quit IRC20:38
*** macsz1 has left #kolla20:38
*** dwalsh has quit IRC20:39
*** thumpba has quit IRC20:49
*** kjelly_ has joined #kolla20:51
*** dwalsh has joined #kolla20:51
*** kjelly has quit IRC20:51
*** thumpba has joined #kolla20:54
*** suro-patz1 has quit IRC20:55
*** suro-patz has joined #kolla20:55
*** cloudnautique has quit IRC20:56
openstackgerritBritt Houser proposed openstack/kolla: WIP: drop root on memcached  https://review.openstack.org/24533020:58
britthouserSo this is what I tried ^^20:59
britthouserbut still see memcached launched with -u20:59
*** jasonsb_ has joined #kolla21:00
*** sdake has joined #kolla21:12
*** cloudnautique has joined #kolla21:14
*** sacharya_ has quit IRC21:18
*** cloudnautique has quit IRC21:20
sdakebritthouser wrote his first kolla patch!21:24
sdakesay britthouser why is your patch wip21:25
britthousersecond! =P  I had a docs one merged earlier.21:25
britthouserwell, when testing it, I saw some weird behavior21:25
britthouseroutlined above ^^21:25
sdakei was disconnected21:25
sdakecan  you paste21:25
britthouserbasically when I run that patch, but then I login to the memcached container I still see the '-u memcached'21:26
*** thumpba has quit IRC21:26
sdakeare you using a registry?21:26
britthouserno21:26
britthouserAIO21:26
britthousercentos/binary21:26
sdakedid you rebuild?21:26
britthouserI did...and when that didn't work, I wiped the entire system, made my change, and then built21:27
britthouserand then I banged my head on the desk21:27
sdakememecached.json21:27
sdakecheck that file out21:27
sdakeoh i see you already did21:27
sdakerm -rf /etc/kolla/memcach*21:28
*** thumpba has joined #kolla21:28
britthouseroh! Ok.21:28
sdakedo you run kolla-ansible deploy as sudo?21:28
britthouserso I need to kolla/tools/cleanup-containers, rm -rf /etc/kolla/memcach*, kolla-ansible again?21:29
britthouserNo I run as root21:29
sdakelearn to run as your regular user then use sudo when necessary21:29
sdakeimo :)21:29
britthouseryeah I need to do that.  our lab kickstart just creates root user.21:30
sdakerun docker images | grep memcach21:30
sdakedocker images is the local system image cache21:30
britthouserOk...I'll try all this in about 30min or so21:31
*** exploreshaifali has quit IRC21:34
*** sdake_ has joined #kolla21:36
*** tpot has joined #kolla21:36
*** sdake has quit IRC21:36
*** cloudnautique has joined #kolla21:36
sdake_britthouser the reason your container isn't working is you're not doing the usermod -g operation21:44
*** sacharya has joined #kolla21:57
*** sacharya_ has joined #kolla21:58
britthouserOk so I see the '-u memcached' in /etc/kolla/memcached/config.json22:00
britthouserwhen does that get written?22:00
*** gfidente has quit IRC22:01
*** sacharya has quit IRC22:01
sdake_that gets written during container startup to /run_command22:01
sdake_and then run_command is run22:02
sdake_but you need the usermod or sudo wont work22:02
sdake_and run_command will never be written22:02
openstackgerritMerged openstack/kolla: Updated from global requirements  https://review.openstack.org/24514022:02
britthouserGotcha22:02
britthouserok...so the regular workflow to redeploy we would be: cleanup-containers, make my update, kolla-build, kolla-ansible22:03
britthouserright?22:03
*** signed8bit_ZZZzz is now known as signed8bit22:05
openstackgerritMerged openstack/kolla: Revert "Drop root for Horizon service"  https://review.openstack.org/24503522:06
*** jtriley has quit IRC22:08
sdake_roger22:08
sdake_SamYaple I am pretty certain containers are not being upgraded when being pulled from registry22:08
sdake_do you have any thoughts on that?22:08
britthouserI think part of my problem is I was using kolla-build and not kolla/tools/build.py22:12
sdake_britthouser they are the same thing22:12
sdake_although kolla-build pulls from /usr/share/kolla/docker22:12
britthouserso when I rebuilt memcached with the usermod update using kolla-build, nothing changed22:13
sdake_right22:13
*** thumpba has quit IRC22:13
sdake_use tools/build.py22:13
britthouserit was the same image ID22:13
sdake_a docs change would be appreciated indicating the differences between eval/deploy vs dev22:13
britthouseryeah when I used tools/build.py, I got different ID.22:13
britthouserOk so kolla-build is for eval, but re-builds should use build.py ?22:14
britthouseror eval=initial ?22:14
britthouserI don't know enough of the difference yet...22:14
sdake_eval means someone downloaded and installed the pip package22:14
sdake_vs cloned the git repo and working directly from it22:14
britthousergotcha.22:15
sdake_ls22:15
*** thumpba has joined #kolla22:15
britthouser1@#$!@#$!@22:15
britthouserIts doing the -u nonsense22:16
britthouserbut at least when I docker exec into it.22:16
britthouserI'm the memcached user22:16
sdake_did you add the usermod?22:16
britthouseryeah22:16
openstackgerritBritt Houser proposed openstack/kolla: WIP: drop root on memcached  https://review.openstack.org/24533022:16
britthousermaybe I didn't del /etc/kolla/memcached/config.json22:17
britthouserlemme rm that and redeploy22:17
sdake_you shouldn't have to delete that file22:17
sdake_it should be overwritten on a redeploy22:17
sdake_ls -l /etc/kolla/memcached/config.json please22:18
britthouserit had the -u22:19
britthouserand I just deleted it...lemme see if its i my history22:19
britthouserhttp://paste.openstack.org/show/478846/22:20
britthouserthat is what it was22:20
britthousernow I deleted it22:20
britthouserand doing re deploy22:20
sdake_what is python2-os-brick22:20
* britthouser shug22:21
* britthouser shrug22:21
britthouser1@#$!@#$!@#22:21
britthouserwhen it was re-created, it had the -u in there22:22
britthouserI gotta be doing something stupid here22:22
britthouserI gotta walk away and look again alter.22:24
britthouserlater22:24
SamYaplesdake_: when its set to "missing" there wont be22:24
SamYaplethats the only condition though22:24
SamYaplebritthouser: did you pip install kolla?22:27
SamYapleis it using the pip install'd kolla configs?22:27
*** dwalsh has quit IRC22:29
rhalliseyholy22:33
rhalliseyanyone watching the news?22:33
SamYapleno whats up22:34
rhalliseyhuge attack in Paris22:35
rhalliseyturn on the tv22:35
SamYapledude i never had 'tv' in the sense i could turn it on and watch news22:35
SamYapleinterwebs are all i have22:36
SamYaplemy tv is for netflix22:36
rhalliseyjust type paris into google22:36
SamYapleive already got it all open man22:36
rhalliseycnn says 60 casualties22:36
SamYapleno its 60 hostages22:36
*** thumpba has quit IRC22:36
SamYaplestupid cdd22:37
SamYaplecnn*22:37
SamYaplebbd says 15 killed22:37
SamYaple60 hostages22:37
rhalliseythey're all guessing22:37
*** thumpba has joined #kolla22:37
SamYapleindeed22:38
SamYaplehttps://www.reddit.com/live/vwwnkuplwr9y22:38
SamYaplesomeones doing the live thread thing again22:38
*** daneyon_ has quit IRC22:40
SamYaplethats horrible22:43
*** thumpba has quit IRC22:43
rhalliseyjust horrible22:44
SamYaple30 hostages released22:45
SamYaplethats weird22:45
sdake_SamYaple the default is always isn't it?22:45
sdake_i am pretty convinced always doesn't work like you think it does :)22:45
SamYaplesdake_: i know exactly how it works. and it will _always_ pull a new image and restart the container if a new image exists22:46
*** thumpba has joined #kolla22:46
SamYaplethe certain conditions you are talking about are probably because you have "missing"22:46
SamYaplebecause you were testing AIO without pushing to a registry22:46
sdake_i dont ever set missing22:46
sdake_so that is not the case22:46
SamYapleso you _always_ use a registry?22:47
sdake_but let me create a typescript22:47
sdake_always use a registry22:47
sdake_even on aio22:47
SamYaplealright22:47
sdake_i could be mistaken and got confused after a long day of code dev22:47
SamYaplefeel free to look at the code, but it compares layer hashes22:47
sdake_i get the code may look right but i'm pretty sure it isn't behaving correctly22:48
sdake_let me settle with typescript22:48
sdake_then we will both know for sure22:48
sdake_I am not sure myself22:48
SamYaplei do this all the time outside of kolla. push a new image and rerun my ansible stuff to pull it in and restart a container22:48
*** cloudnautique has quit IRC22:49
sdake_weird docker_pull_policy is set to missing22:49
SamYaplebecause of AIO22:49
sdake_did you set that during the demo?22:49
SamYaplenope22:49
sdake_is that the default in the code base config?22:49
sdake_well that takes a load off22:49
*** thumpba has quit IRC22:50
SamYapleno the default is always22:50
openstackgerritRyan Hallisey proposed openstack/kolla: [WIP} Drop root privileges for openvswitch  https://review.openstack.org/24536622:51
sdake_i dont have any idea how that demo worked with missing set22:53
sdake_i *always* use a registry22:54
*** thumpba has joined #kolla22:54
SamYaplesdake_: it didnt... it was pulling images22:55
SamYaplebut this calls into question how you have been testing all this stuff for the past 2 weeks22:55
sdake_it calls into question how missing was set in my config file!22:55
*** cloudnautique has joined #kolla22:55
sdake_that makes me really nervous22:55
*** thumpba has quit IRC22:55
sdake_the way i have been testing is docker rmi imagename22:56
sdake_which missing will then repull a new image22:56
sdake_which is a huge pain in the ass22:56
sdake_SamYaple was it you were suggesting we should make our own docker module for use with ansible?23:01
sdake_or was I imagining that23:01
SamYapleyea i was23:01
sdake_i am in heavy support of that idea23:01
SamYaplei dont wanna. but man is ansible really dropping the ball23:01
sdake_as annoying as it is23:01
sdake_we can't fork their code unfortunately23:01
sdake_so it would have to be a fresh rewrite23:01
SamYapleits fine. i have a lot of code from the docker-compose one i wrote anyway23:02
sdake_being pinned to 1.8.2 or ansible 2.0 is redonkulous23:02
sdake_ansible is not going to tag a new release23:02
sdake_of 1.923:03
sdake_i dont know how they expect everyone to just upgrade to 2.023:03
sdake_since the playbooks are not compatible23:03
SamYaplebecause they said it would be 100% compatible23:03
sdake_and docker with their api changes - ridiculous23:03
SamYaplethats how they sold themselves on it anyway23:03
sdake_if it was, kolla would run unaltered23:03
sdake_granted i dont know what it would take to port23:04
SamYaplethis 2.0 nonsense is going to push a lot of people to other options23:04
sdake_maybe its a 5 hour job23:04
sdake_there aren't a lot of other mature options23:04
SamYaplesaltstack is getting there23:04
SamYaplehonestly though would you call ansible "mature" after this?23:04
SamYaple2.0 is a full rewrite23:04
SamYaplehow can a full rewrite be mature23:04
sdake_i would say a non-forward compatible upgrade is a failure23:04
sdake_well heat is mature and it gets rewritten every 2 months ;)23:05
sdake_the ideas are mature is what i mean23:05
SamYaplei wouldnt call heat mature23:05
sdake_not the implementation23:05
SamYapleits where most of our breakage is23:05
sdake_which heat?23:06
SamYaplethe heat in the repo23:06
sdake_that is just because we dont know how to handle their security model23:06
SamYapleno not the config23:06
SamYaplego back through the history without the rose colored glasses and see how many custom hacks weve done for heat23:06
SamYapleits our biggest breaker23:06
sdake_i agree heat has been a pain in the ass to containerize and ansiblize23:07
SamYaplenot to mention the legitimate openstack bugs....23:07
sdake_i think most of that is because of the security model tho23:07
sdake_so topic change23:07
sdake_libvirt23:07
sdake_security23:07
sdake_recommendations23:08
sdake_run container as root and let libvirt drop privs?23:08
sdake_or run libvirt as qemu and cross fingers23:08
SamYaplehttps://libvirt.org/drvqemu.html#securitydac23:09
sdake_thanks reading23:09
SamYapleor follow best practices23:09
SamYaplealways best practices23:09
*** blahRus has quit IRC23:11
*** tpot has quit IRC23:12
sdake_Thus, if a vendor / distributor has configured their libvirt package to run as 'qemu' by default, a number of changes will be required before an administrator can change a host to run guests as root. In particular it will be necessary to change ownership on the directories /var/run/libvirt/qemu/, /var/lib/libvirt/qemu/ and /var/cache/libvirt/qemu/ back to root, in addition to changing the /etc/libvirt/qemu.conf settings.23:12
sdake_well i read that whole document23:13
sdake_it basically expects to start as root and drop its own capabilities23:13
sdake_but with kolla we can drop capabilities before qemu desires to do so23:14
*** sacharya_ has quit IRC23:16
*** dims_ has quit IRC23:17
sdake_so bifront license is gplv323:18
* sdake_ groans23:18
*** signed8bit is now known as signed8bit_ZZZzz23:20
sdake_bmace i got a bit distracted with having my car towed23:24
sdake_was it 3.0.0-inwork?23:24
bmaceyeah, but we have a lot more changes since then, if you can't get that to work, just get master.23:25
*** vilobhmm has quit IRC23:27
SamYaplesdake_: we were never planning on forking/cloning bifrost23:28
SamYaplemy understanding was it was just going to be docs23:29
SamYaplei dont know what we would be providing here...23:29
*** suro-patz1 has joined #kolla23:31
*** sdake has joined #kolla23:32
*** suro-patz has quit IRC23:32
sdake_doesn't nova-api require privileges to start?23:32
*** sdake_ has quit IRC23:32
*** tummy has joined #kolla23:36
*** rhallisey has quit IRC23:42
*** rhallisey has joined #kolla23:47
*** thumpba has joined #kolla23:56
