Tuesday, 2015-07-07

« Monday, 2015-07-06 Index Wednesday, 2015-07-08 »
*** sdake_ has joined #openstack-ansible00:00
*** sdake has quit IRC00:02
*** weezS has quit IRC00:02
*** sdake has joined #openstack-ansible00:09
openstackgerritMerged stackforge/os-ansible-deployment: Fixes RabbitMQ guest user creation  https://review.openstack.org/19879400:09
*** TheIntern has quit IRC00:12
*** sdake_ has quit IRC00:13
*** galstrom_zzz is now known as galstrom00:48
*** fawadkhaliq has joined #openstack-ansible00:53
*** fawadkhaliq has quit IRC00:56
*** daneyon has joined #openstack-ansible01:06
*** annashen has joined #openstack-ansible01:17
*** annashen has quit IRC01:22
*** JRobinson__ is now known as JRobinson__afk01:32
*** JRobinson__afk is now known as JRobinson__01:44
*** galstrom is now known as galstrom_zzz02:06
*** daneyon has quit IRC02:08
*** daneyon has joined #openstack-ansible02:08
*** annashen has joined #openstack-ansible02:18
*** annashen has quit IRC02:22
*** weezS has joined #openstack-ansible02:25
*** weezS has joined #openstack-ansible02:26
*** daneyon has quit IRC02:45
*** annashen has joined #openstack-ansible03:19
*** annashen has quit IRC03:23
*** weezS has quit IRC03:54
*** weezS has joined #openstack-ansible03:56
*** JRobinson__ is now known as JRobinson__afk04:07
*** annashen has joined #openstack-ansible04:19
*** annashen has quit IRC04:24
*** weezS has quit IRC04:30
*** shausy has joined #openstack-ansible04:45
*** JRobinson__afk is now known as JRobinson__04:53
openstackgerritMiguel Grinberg proposed stackforge/os-ansible-deployment: [WIP] SSL support for haproxy  https://review.openstack.org/19895704:58
openstackgerritMiguel Grinberg proposed stackforge/os-ansible-deployment: [WIP] SSL support for haproxy  https://review.openstack.org/19895705:00
*** jwagner is now known as jwagner_away05:07
*** annashen has joined #openstack-ansible05:21
*** annashen has quit IRC05:25
*** ig0r_ has joined #openstack-ansible05:52
*** ig0r__ has quit IRC05:55
*** annashen has joined #openstack-ansible06:21
*** annashen has quit IRC06:26
*** radek__ has joined #openstack-ansible06:28
*** shausy has quit IRC07:05
*** shausy has joined #openstack-ansible07:06
*** vdo has joined #openstack-ansible07:17
*** annashen has joined #openstack-ansible07:22
*** annashen has quit IRC07:27
*** git-harry has quit IRC07:56
*** git-harry has joined #openstack-ansible07:56
*** JRobinson__ has quit IRC08:09
*** annashen has joined #openstack-ansible08:23
*** annashen has quit IRC08:28
*** shausy has quit IRC09:03
*** shausy has joined #openstack-ansible09:03
*** annashen has joined #openstack-ansible09:24
*** annashen has quit IRC09:29
*** alexisc has joined #openstack-ansible09:35
*** alexisc has left #openstack-ansible09:37
openstackgerritMatt Thompson proposed stackforge/os-ansible-deployment: Fix scripts/run-upgrade.sh  https://review.openstack.org/19831109:57
openstackgerritgit-harry proposed stackforge/os-ansible-deployment: Set default inventory file for inventory-manage.py  https://review.openstack.org/19904010:19
*** annashen has joined #openstack-ansible10:25
*** annashen has quit IRC10:30
openstackgerritgit-harry proposed stackforge/os-ansible-deployment: Set default inventory file for inventory-manage.py  https://review.openstack.org/19904010:38
openstackgerritMatt Thompson proposed stackforge/os-ansible-deployment: Fix scripts/run-upgrade.sh  https://review.openstack.org/19831110:41
openstackgerritDarren Birkett proposed stackforge/os-ansible-deployment: Added in keystone reserved port  https://review.openstack.org/19670211:05
*** annashen has joined #openstack-ansible11:26
*** annashen has quit IRC11:30
*** markvoelker has quit IRC11:59
*** markvoelker has joined #openstack-ansible11:59
*** jaypipes has joined #openstack-ansible12:02
evrardjphello everyone12:03
*** annashen has joined #openstack-ansible12:27
*** tlian has joined #openstack-ansible12:30
*** annashen has quit IRC12:31
*** markvoelker has quit IRC12:31
openstackgerritHugh Saunders proposed stackforge/os-ansible-deployment: Upgrade the Keystone library to use v3  https://review.openstack.org/19694312:34
odyssey4mehowdy evrardjp12:39
*** markvoelker has joined #openstack-ansible12:40
evrardjpsvg: FYI ceph-ansible from leseb isn't only for deploying ceph, it also handles creating the keys for openstack (cf ceph-mon role)12:43
evrardjphello odyssey4me! nice weather in UK?12:49
svgevrardjp: so are you saing i should re-use that role to do the key providing?12:58
evrardjpI just mean there will be overlapping if we do the key provisioning in osad13:03
evrardjp(for the future)13:03
openstackgerritMatt Thompson proposed stackforge/os-ansible-deployment: [WIP] Limit swift_vars / swift_proxy_vars  https://review.openstack.org/19909413:22
*** annashen has joined #openstack-ansible13:27
*** annashen has quit IRC13:32
*** KLevenstein has joined #openstack-ansible13:39
*** ccrouch has joined #openstack-ansible13:42
*** ccrouch has left #openstack-ansible13:45
openstackgerritJesse Pretorius proposed stackforge/os-ansible-deployment: Add Keystone SSL key/cert generation & distribution  https://review.openstack.org/19447413:49
*** TheIntern has joined #openstack-ansible13:50
openstackgerritMatt Thompson proposed stackforge/os-ansible-deployment: [WIP] Limit swift_proxy_vars to swift_proxy container  https://review.openstack.org/19909413:52
openstackgerritMatt Thompson proposed stackforge/os-ansible-deployment: [WIP] Limit swift_proxy_vars to swift_proxy container  https://review.openstack.org/19909413:53
*** shausy has quit IRC13:54
*** sigmavirus24_awa is now known as sigmavirus2413:57
openstackgerritJesse Pretorius proposed stackforge/os-ansible-deployment: Keystone SSL cert/key distribution and configuration  https://review.openstack.org/19447414:00
odyssey4mesvg it may just be worth going with any minor changes you've made and it can be iterated later when others have a chance to work with it14:01
*** Mudpuppy has joined #openstack-ansible14:01
odyssey4meevrardjp it's warm, humid but overcast... :p14:02
*** ccrouch has joined #openstack-ansible14:02
cloudnullgood morning14:03
*** sdake has quit IRC14:14
odyssey4meo/ cloudnull14:14
*** sdake has joined #openstack-ansible14:14
openstackgerritKevin Carter proposed stackforge/os-ansible-deployment: Updated juno for new dev work  https://review.openstack.org/19911914:16
openstackgerritMerged stackforge/os-ansible-deployment: Set default inventory file for inventory-manage.py  https://review.openstack.org/19904014:17
sigmavirus24hughsaunders: from what I udnerstood from the bug that mattt linked yesterday, as long as we use auth_plugin for Nova's neturonclient config, it will support keystone v314:20
*** Bjoern_ has joined #openstack-ansible14:22
cloudnull11.0.4 is official out the door14:23
cloudnullif you have a hold on an item for inclusion into 11.1.0 please revise / update them14:23
cloudnullIE https://review.openstack.org/#/q/status:open+project:stackforge/os-ansible-deployment+branch:kilo,n,z14:23
b3rnard0thanks cloudnull14:23
openstackgerritKevin Carter proposed stackforge/os-ansible-deployment: Updated kilo for new dev work  https://review.openstack.org/19912414:23
hughsaunderssigmavirus24: ok, will try. I just looked at the imports and only saw v214:25
sigmavirus24The auth_plugin in keystoneclient is what will handle v314:26
hughsaundersok14:26
openstackgerritKevin Carter proposed stackforge/os-ansible-deployment: Updated master for new dev work  https://review.openstack.org/19912614:26
evrardjpif it's official, congrats everyone!14:26
cloudnullthanks evrardjp :)14:27
cloudnullcan we get someone to review https://review.openstack.org/#/c/173067/14:27
cloudnullceilometer implementation .14:28
*** annashen has joined #openstack-ansible14:28
*** toddnni_ has joined #openstack-ansible14:29
*** toddnni has quit IRC14:29
*** toddnni_ is now known as toddnni14:29
*** weezS has joined #openstack-ansible14:31
openstackgerritMiguel Alejandro Cantu proposed stackforge/os-ansible-deployment: Implement Ceilometer  https://review.openstack.org/17306714:32
*** annashen has quit IRC14:33
*** jwagner_away is now known as jwagner14:33
*** alextricity has joined #openstack-ansible14:34
openstackgerritJesse Pretorius proposed stackforge/os-ansible-deployment: Keystone SSL cert/key distribution and configuration  https://review.openstack.org/19447414:38
odyssey4mecloudnull any chance you can take a look at https://review.openstack.org/194474 as an updated review based on miguelgrinberg's earlier work - this definitely works, and seems like a much better solution to me based on previous review comments14:43
* cloudnull looking now14:50
d34dh0r53how does the idea of breaking user_secrets.yml into a secrets.d directory sound? cray-cray?15:10
d34dh0r53probably needs to be done with user_group_vars.yml as well15:11
matttd34dh0r53: make sure you keep scripts/run-upgrade.sh updated if you do that :)15:11
matttd34dh0r53: (we're still dealing w/ the env.d changes that went into master/kilo)15:11
d34dh0r53mattt: yeah15:11
hughsaundersd34dh0r53: why?15:12
odyssey4med34dh0r53 if we had a conf.d type thingy for user_vars then we wouldn't need something else for the secrets - we can just use the same folder?15:12
d34dh0r53well, I'm looking at the ceilometer patch and we have conf.d and env.d where you can easily drop small files, then you have to go an edit the monolithic user_secrets and user_group_vars, which kind of defeats the purpose of the *.d directories15:13
odyssey4med34dh0r53 if we could do away with using the command line overriding and have more predictable inventory-based overrides then I think it'd make it easier to understand precedence15:13
odyssey4mequite honestly I'd prefer the stuff just to go into conf.d15:13
d34dh0r53not just for precedence but for ease of adding optional features15:13
d34dh0r53yeah, that would work15:14
odyssey4med34dh0r53 it'd be useful to perhaps then augment the dynamic inventory to output warnings about var duplications15:15
d34dh0r53yeah15:15
d34dh0r53very useful15:15
odyssey4med34dh0r53 git-harry has been working his way through variable-related weirdness and has recently commented about all this not being great\15:16
d34dh0r53odyssey4me: I can see that, it's confusing at best15:16
alextricityd34dh0r53: Do we still *require* a logging host?15:19
odyssey4mehughsaunders sigmavirus24 can it be this easy? http://adam.younglogic.com/2015/03/convince-nova-to-use-the-v3-version-of-the-api/15:19
d34dh0r53RAX does, yes15:19
odyssey4mealextricity require, not really - but it's expected that most environments will want at least the centralised rsyslog15:20
alextricityThanks!15:21
openstackgerritDarren Birkett proposed stackforge/os-ansible-deployment: Set default inventory file for inventory-manage.py  https://review.openstack.org/19914915:24
sigmavirus24odyssey4me: maybe but the only problem I've been seeing with nova is its interaction with neutron15:25
odyssey4mehughsaunders sigmavirus24 also, almost every play/role is set to use the internalURL as the default endpoint - in your tests is that endpoint v3?15:25
sigmavirus24odyssey4me: yes15:26
odyssey4mehughsaunders sigmavirus24 here's another resource worth working through: http://adam.younglogic.com/2015/05/rdo-v3-only/15:26
*** annashen has joined #openstack-ansible15:29
sigmavirus24odyssey4me: do we want it to be v3 only though?15:29
odyssey4mesigmavirus24 essentially I think that we should configure all services to use v3, but still leave the v2 endpoint available for end-users15:30
odyssey4mewe need horizon to use v3, and federation needs v3 - and v3's been around for ages... it's time to move :)15:30
odyssey4mehorizon's websso for federation will not work without v315:32
*** annashen has quit IRC15:34
odyssey4mesigmavirus24 shall I prepare a separate patch related to allow 'insecure' comms to keystone (for self-signed certs and all that)?15:35
sigmavirus24odyssey4me: maybe15:45
sigmavirus24I'm still trying to figure out why this is broken15:45
sigmavirus24because nothing can ever be simple in openstack15:46
odyssey4mesigmavirus24 I'm going to go ahead with that - I think it deserves a separate patch.15:46
sigmavirus24I hadn't forgotten about it15:46
sigmavirus24Just wanted to fix this crap first before piling more on =P15:46
odyssey4meyou can add the option to the module inside the module patch, but I'll ensure that the services and CLI are configured to work properly15:47
*** sdake_ has joined #openstack-ansible15:48
*** sdake has quit IRC15:48
openstackgerritAndy McCrae proposed stackforge/os-ansible-deployment-specs: Multi-region swift  https://review.openstack.org/19832215:50
*** daneyon has joined #openstack-ansible16:00
b3rnard0bug triage?16:02
cloudnullbug triage time cloudnull, mattt, andymccr, d34dh0r53, hughsaunders, b3rnard0, palendae, Sam-I-Am, odyssey4me, serverascode, rromans, mancdaz, dolphm, _shaps_, BjoernT, claco, echiu, dstanek, jwagner, ayoung16:03
dstaneko/16:04
odyssey4meo/16:04
palendaep/16:04
cloudnullfirst up https://bugs.launchpad.net/openstack-ansible/+bug/147229516:05
openstackLaunchpad bug 1472295 in openstack-ansible "Juno: cinder and glance client have endpoint selection issues" [Undecided,New]16:05
rromans.16:06
cloudnullbased on the issue it looks like the clients have once again broken the ability to select endpoint types.16:06
cloudnullkey word, once again ...16:06
sigmavirus24o/16:07
sigmavirus24hm16:08
cloudnulloh wait maybe not. Bjoern_ you around ?16:08
Bjoern_yes16:08
sigmavirus24Bjoern_: seems to be indicating that this is an issue with f5's16:08
*** Bjoern_ is now known as BjoernT16:08
cloudnull^ that16:08
BjoernTwe did try setting x-forwarded-proto to https and the keystone middleware does not seem to pick this up16:08
sigmavirus24I suspect <ip> is the internalURL16:08
BjoernTonly once I changed public_endpoint it did fix this issue.16:09
sigmavirus24And so when the client is made to that we can't see it16:09
sigmavirus24BjoernT: public endpoint in the keystone catalog?16:09
BjoernTinterestingly this issue is not present on older glance/cinder clients16:09
BjoernTpublic endpoint was changed to https correctly16:09
*** alextricity has quit IRC16:09
sigmavirus24That is interesting16:09
BjoernTas I said the glance client didn't even download the catalog and just tried http://public_vip16:10
*** alextricity has joined #openstack-ansible16:10
BjoernTand it fixed after we changed linkes: href16:10
BjoernTpublic_endpoint is set to None by default16:10
odyssey4mePerhaps I have the wrong end of the stick here? Do you mean 'public_endpoint' in a conf file or in your keystone endpoint-list?16:11
sigmavirus24odyssey4me: yeah that's where I'm confused as well16:12
cloudnullits the keystone.conf setting that we used to set by default in icehouse i supose.16:12
cloudnullhttps://github.com/stackforge/os-ansible-deployment/blob/juno/rpc_deployment/roles/keystone_common/templates/keystone.conf.j2#L10-L1216:12
cloudnull^ BjoernT you set that right ?16:12
BjoernTNone is supposedly correct, taking the ip from the original request but I guess there is a bug in keystone middleware.To fix it for now i used the keystone_public_endpoint setting16:13
BjoernTcloudnull: correcy16:14
BjoernTcorrect16:14
sigmavirus24dolphm: dstanek ^16:15
cloudnullso is this an issue? because it has the ability to be set dstanek, lbragstad, dstanek ^16:15
cloudnullsigmavirus24:  :)16:15
*** fawadkhaliq has joined #openstack-ansible16:15
dstaneksigmavirus24: sorry, was trouble shooting something. is the question wether or not setting public_endpoint to None is valid?16:16
sigmavirus24dstanek: the question is whether or not this is a bug in keystonemiddleware I believe16:16
odyssey4meBjoernT is this only in Juno? have you tried replicating it in kilo?16:17
BjoernTsame issue for kilo16:17
BjoernTsince we added the https fix in kilo we might set public_endpoint automatically once the protocol is https16:18
BjoernTor we need to expose this issue in the release notes once the public endpoints are using https16:19
dstaneksigmavirus24: not sure where the bug is there; the returned tokens link should be secure right?16:20
*** yaya has joined #openstack-ansible16:20
odyssey4meso yeah, I'm still trying to understand - is the issue that the wrong endpoint address is exposed to the client?16:21
odyssey4meie the internalURL instead of the publicURL?16:21
BjoernTI think the issues is as simple as public_endpoint = None does not account for the protocol https vs http. Otherwise everything is correct. It does not return the internal endpoint16:23
cloudnulli think its that the ssl termination is happening on an LB and by setting the keystone_public_endpoint within config its able to redirect the clients back to the lb otherwise its failing to get the service catalog ?16:23
cloudnullotherwise im confused. or not well caffeinated16:23
BjoernTsince older glance and cinder clients just ignored the href from the links response header, the issue did happen since it was using OS_AUTH_URL and then downloading the service catalog16:24
BjoernTat some point we might decide if  we go back to 10.1.1 versions for cinder and glance16:24
BjoernTor set public_endpoint in keystone.conf correctly16:24
odyssey4meBjoernT it would seem to me that public_endpoint was built for this exact purpose16:25
odyssey4meif you're front-ending your keystone with something that keystone doesn't know about, then use that setting16:25
dstanekif you don't set the public_endpoint it tries to figure it out: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/wsgi.py#n80616:25
odyssey4meotherwise it'll return values from the service catalogue, which it seems you don't want16:25
BjoernTYeah, but it seems it going to be deprecated in favor of the service catalog16:25
odyssey4methere's no deprecation notice: http://docs.openstack.org/kilo/config-reference/content/section_keystone.conf.html16:26
BjoernTeither way we have to look how to deal with this issue and maybe filing a upstream bug16:26
odyssey4meit looks like it's behaving as designed to me, unless I'm missing something?16:27
dstanekBjoernT: if you properly set the value does it work?16:27
sigmavirus24dstanek: yes16:27
BjoernTyes16:27
BjoernTit does16:27
BjoernTthe href is changed inside the links16:27
BjoernTresponse16:27
odyssey4methe issue is that the old clients had bad habits :p16:27
dstanekBjoernT: i don't think it's really an upstream bug, but we could probably be smarter about how we guess16:28
*** annashen has joined #openstack-ansible16:28
sigmavirus24dstanek: don't guess, just know. When is Keystone landing telepathy?16:29
cloudnull^ lol16:29
* sigmavirus24 is not helping16:29
* sigmavirus24 will shut up16:29
palendaesigmavirus24: Right after Neutron does16:29
d34dh0r53haha16:29
d34dh0r53apt-get install libtelepathy16:30
sigmavirus24palendae: neutron already does what you expect it to (break)16:30
dstaneksigmavirus24: next cycle. this cycle we are working on making it access your bank account16:30
d34dh0r53lol16:31
sigmavirus24dstanek: sounds fair16:31
sigmavirus24dstanek: so keystone is trying to replace ceilometer? Thank the $DEITIES16:31
cloudnullok so idk if this is an issue ?16:32
cloudnullit seems that theres a setting that can be used to fix the problem16:32
cloudnulland that the problem is unique to the environment .16:32
sigmavirus24Yeah, do we provide  a variable to set that config option?16:33
cloudnullhttps://github.com/stackforge/os-ansible-deployment/blob/juno/rpc_deployment/roles/keystone_common/templates/keystone.conf.j2#L10-L1216:33
odyssey4meit seems to me that there is already a setting to provide the requested behaviour - the only thing that may be worth doing is a upgrade/release note to indicate that behaviour has changed between version16:33
sigmavirus24If so there's a work around. I'm curious what differs between those versions of the client16:33
odyssey4meor keystonemiddleware, or whatever16:33
sigmavirus24yeah16:33
sigmavirus24I wonder if not setting it is equivalent to using None16:34
sigmavirus24but that's besides the point16:34
sigmavirus24I've added the clients as being affected16:35
sigmavirus24I think this is something they should see and check for in current versions16:35
*** sdake_ is now known as sdae16:35
sigmavirus24It's interesting to say the least16:35
cloudnullok marked incomplete for now .16:36
cloudnullnext https://bugs.launchpad.net/openstack-ansible/+bug/147203816:36
openstackLaunchpad bug 1472038 in openstack-ansible "Sort dynamic inventory files in juno/icehouse" [Undecided,New]16:36
*** yaya has quit IRC16:36
cloudnullthis is a simple fix, in kilo we sort the inventory in juno we didnt. we should do that.16:36
cloudnullTheIntern: ^ low hanging fruit16:37
TheInternalrighty16:37
TheInternHow should they be sorted?16:38
sigmavirus24reverse chronologically16:38
TheInternwill do16:39
cloudnullbasically backport these lines into juno https://github.com/stackforge/os-ansible-deployment/blob/master/playbooks/inventory/dynamic_inventory.py#L960-L96516:39
*** sdae is now known as sdake16:39
sigmavirus24cloudnull: ruins all my fun16:40
cloudnulllol16:41
cloudnullnext https://bugs.launchpad.net/openstack-ansible/+bug/147192616:42
openstackLaunchpad bug 1471926 in openstack-ansible "Add rpc tunables to nova.conf" [Undecided,New]16:42
cloudnullthese should be simple enough too.16:42
palendaeThat has a complement in https://github.com/rcbops/rpc-openstack/issues/22016:42
cloudnullhowever in juno the vars are different than kilo with the new oslo messaging section .16:43
cloudnullnext https://bugs.launchpad.net/openstack-ansible/+bug/147174616:45
openstackLaunchpad bug 1471746 in openstack-ansible "Use of groups in roles" [Undecided,New]16:45
cloudnullgit-harry: svg: ^16:45
cloudnullidk agree that we are using an anti pattern , but i do agree that we can clean up some of the roles and the usage of groups and that we should document the groups that are required.16:46
odyssey4meit does seem that we're diverging from a standard use of roles, but other than breaking roles up I have yet to find an alternative way of doing some of the things we're doing16:48
sigmavirus24I think if gregdek and other ansible folk could weigh in on this, that'd be great too16:49
odyssey4mefor now perhaps doing the documenting thing is a good idea, but ultimately we probably need a re-look at how we do variables, roles, playbooks, etc and try to bring it more into line with better practises16:49
sigmavirus24They have endorsed us as the way to deploy openstack with ansible, right? So they must not find it particularly objectionable that we're doing things this way16:49
sigmavirus24That doesnt' mean we couldn't be doing stuff better, just that it must not be too terrible16:50
odyssey4methere are some real issues with using roles at the moment which make them very inflexible16:50
cloudnullbreaking up the roles in more individual consumable parts may be a good way to do it, but then again we had that in juno; it was terribly inefficient and added complexity that need not be there.16:50
odyssey4meyep16:50
palendaeIMO the big ones that need to be stand alone are Keystone and Swift16:50
palendaeOther than that I'm not sure it's helping16:50
odyssey4meit's worth some thinking - we may be able to find better ways of doing things if we try16:51
palendaeSure16:51
cloudnullodyssey4me:  ++ i think we need to take a good long look at inventory and how to do that better.16:51
odyssey4meeg: neutron & neutron-agents could split16:51
sigmavirus24yeah, I think this is a good long-term goal for the organization of our inventory16:52
odyssey4menova could split into some parts which are more role focused - ie those that go on controllers, and those that go on compute nodes16:52
sigmavirus24We should probably focus this on the bug or ML and then turn that into a spec16:53
odyssey4mebut these sorts of splits should not be done without a good look at how better to do the inventory, vars, etc16:53
cloudnullsigmavirus24: +116:53
odyssey4me+116:53
sigmavirus24(and then turn the spec into an implementation of course)16:53
cloudnullwhat I want to avoid is the role sprawl we had before .16:53
sigmavirus24Should we say that the M cycle would be best for that kind of work?16:53
cloudnull+116:53
* sigmavirus24 doesn't think we'll get that into L16:53
odyssey4meone thing I will say is that our use of groups in roles makes it harder for people who want to use the roles outside of OSAD's general framework - the roles are not as portable16:54
odyssey4mecloudnull sigmavirus24 agreed16:54
prometheanfirecloudnull: I have some of the compute/service split stuff done for nova on our side16:55
prometheanfiregentoo that is16:55
cloudnullso im marking this incomplete at this time too and we'll carry on within the ML.16:55
palendaeodyssey4me: Out of curiosity - have you found people wanting that right now?16:55
odyssey4mepalendae yep, ayoung specifically asked with regards to the federation work16:56
palendaeOk16:56
palendaeI think Keystone's easier since it's at the root of the dependency tree (inside of openstack itself, anyway)16:56
odyssey4meI do think  that increasing the portability and having the roles on ansible galaxy will increase the exposure and the re-use - it's like opening the door to wider use-cases16:57
sigmavirus24odyssey4me: yes but I'm not sure that's exactly the goal of the project necessarily16:57
sigmavirus24Anyway that's a separate discussion altogether16:57
palendaeYeah, sorry16:57
odyssey4mesigmavirus24 sure16:57
sigmavirus241.5 min left16:58
cloudnullyup16:58
cloudnullanything we want to cover within the open issues ?16:58
cloudnullok were done here .16:59
cloudnullthanks everyone!16:59
odyssey4memiguelgrinberg are you around yet?17:00
miguelgrinbergyep, I'm here17:01
odyssey4meI'm done with https://review.openstack.org/194474 - take a look there. I think the way I've done the haproxy configuration there may be of interest to you. :)17:01
miguelgrinbergodyssey4me: nice, so now we need a third option for the SSL terminated at haproxy17:03
odyssey4memiguelgrinberg yeah, if we can also have that option it'd be great17:03
odyssey4meI'm working on a patch that will also ensure that services can be configured to work even when the SSL certificates are self-signed.17:04
miguelgrinbergYes, I think I'll have the haproxy SSL done soon. Had to go look at a problem from support with the horizon solutions catalog, but I'll get back to this later today and try to finish it.17:04
odyssey4meGreat! sigmavirus24 and hughsaunders are still stuck trying to get the keystone module to work properly against the v3 API... something's holding it up17:06
odyssey4mecloudnull it would seem the the get-pip pytohn script tries to grab for rpc-repo?17:10
odyssey4meand for some reason http://rpc-repo.rackspace.com/os-releases/master/pip-7.1.0-py2.py3-none-any.whl appears to be missing - I'm getting master build fails17:10
cloudnullthats likely because im rebuilding maste.r17:11
*** yaya has joined #openstack-ansible17:11
odyssey4meI thought that if you build a local repo then all pip interaction was local17:11
odyssey4meah, that makes sense :p17:11
cloudnullim rebuilding it with the changes coming in https://review.openstack.org/#/c/199126/17:12
*** yaya has quit IRC17:12
odyssey4meok, I think that's my cue to relocate - I'll be back on later to continue with this patch17:12
cloudnullscotch time !17:13
odyssey4mecloudnull heh, good idea :)17:13
cloudnull;)17:13
cloudnullmaster is rebuilt17:15
* cloudnull lunching17:16
*** TheIntern has quit IRC17:25
openstackgerritMerged stackforge/os-ansible-deployment: Move Cinder-volumes to "on metal"  https://review.openstack.org/19518117:44
*** yaya has joined #openstack-ansible17:54
*** TheIntern has joined #openstack-ansible18:01
*** annashen has quit IRC18:03
*** annashen has joined #openstack-ansible18:05
*** cbaesema has joined #openstack-ansible18:09
cloudnullsigmavirus24: https://review.openstack.org/#/c/195226/ can you release this change ?18:17
cloudnullodyssey4me:  https://review.openstack.org/#/c/195397/ can you release this change ?18:18
*** annashen has quit IRC18:23
*** annashen has joined #openstack-ansible18:24
*** andymccr has quit IRC18:25
openstackgerritMerged stackforge/os-ansible-deployment: Set default inventory file for inventory-manage.py  https://review.openstack.org/19914918:26
*** annashen has quit IRC18:28
*** sdake has quit IRC18:36
openstackgerritKevin Carter proposed stackforge/os-ansible-deployment: Moved user_group_vars to defaults  https://review.openstack.org/19921618:37
*** KLevenstein_ has joined #openstack-ansible18:48
*** KLevenstein has quit IRC18:51
*** KLevenstein_ is now known as KLevenstein18:51
*** sdake has joined #openstack-ansible18:52
*** sdake_ has joined #openstack-ansible18:56
odyssey4mecloudnull done :)18:58
*** galstrom_zzz is now known as galstrom18:58
cloudnulltyvm !18:58
cloudnullonly scotch now18:59
Sam-I-Ammmm scotcg18:59
Sam-I-Amh18:59
*** sdake has quit IRC19:00
*** annashen has joined #openstack-ansible19:06
*** yaya has quit IRC19:06
sigmavirus24sssh no reviews. only scotch now19:15
openstackgerritDavid Alfano proposed stackforge/os-ansible-deployment: Sort dynamic inventory files in juno  https://review.openstack.org/19922919:15
*** BjoernT has quit IRC19:19
*** sacharya has joined #openstack-ansible19:19
*** yaya has joined #openstack-ansible19:20
openstackgerritJesse Pretorius proposed stackforge/os-ansible-deployment: Implement Ceilometer  https://review.openstack.org/17306719:31
*** mordred has joined #openstack-ansible19:35
odyssey4mesigmavirus24 you around?19:55
sigmavirus24odyssey4me: if having my head inside nova is around, yes :D19:56
odyssey4meyour name is all over just about every google result on this, so I may as well shortcut my way to the answer19:56
sigmavirus24lol19:56
sigmavirus24that sounds bad19:56
odyssey4me# openstack --insecure endpoint list19:56
odyssey4meWARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.19:56
odyssey4meERROR: openstack SSL exception connecting to https://172.29.236.100:5000/v2.0/tokens: [Errno 8] _ssl.c:510: EOF occurred in violation of protocol19:56
odyssey4methat's the haproxy endpoint19:56
odyssey4methen I switch directly to the server:19:56
odyssey4meand it happily works with the same command19:57
sigmavirus24hm19:57
odyssey4mesomething tells me that urllib and requests are not the culprit19:57
sigmavirus24My guess: Something to do with HAProxy and requests using keep-alive19:57
sigmavirus24I have two ideas19:57
sigmavirus24Oh poo19:57
sigmavirus24openstackclient19:58
sigmavirus24hm19:58
odyssey4mekeystone client didn't work either19:58
odyssey4meI can use that if you like?19:58
sigmavirus24No, I'm just used to telling people how to use requests19:58
sigmavirus24=P19:58
sigmavirus24I'm not sure how to attack this when it's behind a cli19:58
odyssey4meheh, I think I see the problem - the haproxy config may be whacked - hang a sec19:59
Sam-I-Amits always haproxy19:59
sigmavirus24Sam-I-Am: yeah proxies like that are always a pain when improperly configured19:59
sigmavirus24I would look at keep-alive settings19:59
odyssey4mebut the reason I actually wanted to contact you was to ask about that environment variable that you thought might remove the need to use --insecure?19:59
odyssey4mewhat is it19:59
sigmavirus24CURL_CA_BUNDLE/REQUESTS_CA_BUNDLE19:59
sigmavirus24point that to a pem file and you're done19:59
sigmavirus24either one works19:59
odyssey4mebugger - I found that one, but hoped it wasn't that - let me try it anyway20:00
sigmavirus24CURL_CA_BUNDLE has the benefit of also helping curl20:00
odyssey4mesigmavirus24 what do you know - it bloody works20:03
odyssey4meand I found a bug in my Keystone SSL patch20:03
sigmavirus24odyssey4me: yw20:03
odyssey4mesigmavirus24 no really, thank you :)20:05
openstackgerritJesse Pretorius proposed stackforge/os-ansible-deployment: Keystone SSL cert/key distribution and configuration  https://review.openstack.org/19447420:07
sigmavirus24odyssey4me: I wasn't being sarcastic :D20:09
*** fawadkhaliq has quit IRC20:15
odyssey4mesigmavirus24 meh, although your env variables are nice that'll mean shipping the offending cert to all hosts and containers... aint nobody got time for that :/20:18
odyssey4meit'll be easier to alias the commands for now, until we have a better certificate solution20:18
*** daneyon has quit IRC20:26
openstackgerritTom Jose Kalapura proposed stackforge/os-ansible-deployment: Introduce logrotate in all Openstack containers.  https://review.openstack.org/19927320:53
*** jwagner is now known as jwagner_away20:55
*** daneyon has joined #openstack-ansible21:10
openstackgerritJesse Pretorius proposed stackforge/os-ansible-deployment: Enable all services to use Keystone 'insecurely'  https://review.openstack.org/19930721:19
*** sdake_ is now known as sdake21:20
odyssey4mesigmavirus24 hughsaunders miguelgrinberg https://review.openstack.org/199307 is useful for the federation testing, and all sorts of other testing :)21:23
sigmavirus24I don't believe you21:23
sigmavirus24=P21:23
sigmavirus24Also why are you still working21:23
*** JRobinson__ has joined #openstack-ansible21:24
odyssey4mesigmavirus24 well, you know, stuff :p21:24
sigmavirus24and things?21:24
odyssey4meFor hughsaunders' sake, I'll be doing a test tempest run using the above patch to ensure that everything is above board :p21:24
odyssey4methings YES! definitely things :p21:25
cloudnullthings and stuff is where its at!21:30
sigmavirus24Now I'm getting 400s from Keystone with the neutronclient/keystoneclient auth plugin stuff21:31
sigmavirus24Trying to figure out what the magic options are now21:31
sigmavirus24I think I might have figured it out21:31
sigmavirus24But goddamn would this be nice if there were real docs21:31
Sam-I-AmHAHAHAHAHAH21:32
Sam-I-Amreal docs21:32
Sam-I-AmHAHAHAHAHAHAHA21:32
Sam-I-Amyou know, jamie lennox is on irc21:32
sigmavirus24True21:32
sigmavirus24It is that time of day21:32
sigmavirus24I'm pretty sure I have the magic combo down21:32
sigmavirus24If this time doesn't work, I'll bug him21:32
odyssey4mesigmavirus24 you reckon you have it licked?21:33
odyssey4me(like a mad cow)21:33
sigmavirus24needed to add 'project_name', 'project_domain_name', 'user_domain_name' to the neutron section21:33
sigmavirus24If I guessed correctly this tempest run should pass21:33
sigmavirus24and nope21:34
sigmavirus24let me push what I have so I can show him21:34
Sam-I-Amsigmavirus24: this is new stuff for liberty, iirc?21:34
*** alop has joined #openstack-ansible21:34
Sam-I-Amsince neutron/nova stuff wasnt completely updated for kilo21:34
Sam-I-Amit was in neutron i think, but not in nova21:34
palendaesigmavirus24: up up down down left right left right a b select start?21:35
sigmavirus24Sam-I-Am: neutronclient can use a keystoneclient session just fine21:36
sigmavirus24That's what does auth things for neutronclient21:36
sigmavirus24But I can't auth against keystone through that stuff for nova right now so I'm lost21:36
openstackgerritIan Cordasco proposed stackforge/os-ansible-deployment: Upgrade the Keystone library to use v3  https://review.openstack.org/19694321:37
sigmavirus24oh21:37
sigmavirus24I wonder if I have to use internalurl for auth isntead of adminurl21:37
odyssey4mesigmavirus24 for what?21:38
odyssey4meall the current settings use internalurl21:38
sigmavirus24in Nova's config of neutronclient/keystoneclient21:38
odyssey4mein fact they use internaluri (notice the 'i' not the 'l')21:38
Sam-I-Amheh l vs. i.... i see that all the time in #openstack21:38
Sam-I-Amauth_uri and auth_url THANKS JAMIE21:39
alopAnyone really against making osad work on rhel?21:41
odyssey4mealop nope, we're just waiting for someone who's actually interested in doing so to prep a spec/review to do so21:42
alopLike, I think my team and I would be looking to start using it, if we can upstream chaging things from "apt" to be more os agnostic21:42
sigmavirus24alop: I am only because Red Hat maintenance schedules mean I have to support projects for Python 2.6 far past when it's been end-of-lifed upstream21:42
sigmavirus24alop: you'll be interested in prometheanfire's spec to get osad onto gentoo then21:42
sigmavirus24it's being split into two specs21:42
alopalright, I'll take a look21:43
odyssey4mealop we currently have someone who's interested in doing os-ansible-deployment on gentoo - after some discussion he's realised that it's a two step thing: 1) prep everything to handle the different conventions, package names, etc; 2) actually make it go on another platfor21:43
odyssey4me*platform21:43
aloplike, the major architecture stuff, SOLID21:43
Sam-I-Ami'd avoid rhel's kernel if you want to use vxlan21:44
odyssey4mealop definitely make contact with prometheanfire with regards to the first stage spec21:44
alopalright, we'll take a look21:44
odyssey4mesigmavirus24 what was that toolset infra's prepped for projects to specify package deps?21:44
*** JRobinson__ is now known as JRobinson__afk21:45
sigmavirus24odyssey4me: bindep or something?21:45
odyssey4mealop oh yes, https://github.com/openstack-infra/bindep is a key tool to use to simplify the genericising :)21:45
prometheanfirehi?21:45
odyssey4me(just saying)21:45
*** Mudpuppy has quit IRC21:45
prometheanfirebindep is a part of what's needed21:45
prometheanfiredefinitely21:45
alopyeah, checking out the spec21:46
alopbindep is nicer than the pkg-map we use in DIB21:46
odyssey4mealop prometheanfire did identify even the alternative platform enablement in two stages - 1) hosts, 2) containers21:47
openstackgerritMatthew Thode proposed stackforge/os-ansible-deployment-specs: Add standalone swift testing  https://review.openstack.org/19931621:47
prometheanfireheh21:47
odyssey4mestart with prepping the hosts, but use ubuntu containers initially to reduce the work involved... then later move on to converting the containers21:47
prometheanfirecontainers will be a very large undertaking21:48
sigmavirus24alop: assuming not having rhel containers is fine21:48
*** sdake_ has joined #openstack-ansible21:48
alopwell, we can figure out the particulars, first we're just checking to make sure we wouldn't hit ideological opposition21:49
prometheanfirewe?21:50
odyssey4mealop the only place we're a bit stuck on - but perhaps negotiable once you've done the first bit - is deployment of the openstack bits from source :)21:50
alopyeah, the team I'm on21:50
prometheanfirenice, more bodies :D21:50
sigmavirus24prometheanfire: "bodies"21:52
*** sdake has quit IRC21:52
odyssey4mesigmavirus24 re: https://review.openstack.org/196943 I think we need to use the term 'domain_name' in keeping with 'project_name', etc21:54
openstackgerritMerged stackforge/os-ansible-deployment: Updated keystone to use fernet as the default  https://review.openstack.org/19522621:54
sigmavirus24odyssey4me: actually, those are two separate things21:54
sigmavirus24user_domain_name, project_domain_name are different than domain_name21:55
sigmavirus24domain_name is used to scope something to that domain name instead of identifying the domain name for the project/user21:55
odyssey4meespecially with 'default' happening to be the domain ID of the default domain in Keystone v3... and 'Default' being the name... stuff gets confusing21:55
*** radek__ has quit IRC21:55
sigmavirus24Yeah, I have something I have to run to but I'll be pestering Jamie when I get back21:55
sigmavirus24The errors from keystone are woefully unhelpful21:55
dstaneksigmavirus24: you're welcome21:56
*** yaya has quit IRC21:56
odyssey4mehmm - in that case perhaps we need to think up a different term because 'domain' is hella confusing21:56
sigmavirus24dstanek: my interpretation is correct, yes?21:56
odyssey4mein terms of interacting with the library21:56
sigmavirus24oh maybe21:57
sigmavirus24DSLs gonna DSL21:57
dstaneksigmavirus24: depends. some areas are better than others. what issue are you having now?21:57
odyssey4meif I do a command in ansible to create a project in a domain, will I be using 'domain: <the appropriate project domain name>' in the task?21:57
sigmavirus24dstanek: using keystoneclient auth plugins in nova for neutronclient. If you look at the review that odyssey4me linked, I'm getting http://paste.openstack.org/show/353136/ in the nova-api-os-compute logs in the nova-api-os-compute container21:58
*** JRobinson__afk is now known as JRobinson__21:58
odyssey4meor will it be expected to be the domain ID (ie a UUID) ?21:58
sigmavirus24odyssey4me: domain name21:58
sigmavirus24also domain id's are not UUIDs21:58
odyssey4meheh dstanek has seen enough of nova lately :p21:58
sigmavirus24at least the Default's id isn't21:58
dstanekit looks like it's the user id or user name that's missing.22:00
dstanekodyssey4me: yes, nova is not kind to me22:00
odyssey4mesigmavirus24 the domain by the name of 'Default' has an ID of 'default', but any other domains created will have an ID of something like '65cba76f475e4f03bcaf59c253193f30'22:00
sigmavirus24odyssey4me: interesting22:02
sigmavirus24dstanek: yeah I can't figure out why the username is missing22:02
sigmavirus24anyway22:03
sigmavirus24I'll be back later22:03
sigmavirus24oh also22:03
sigmavirus24fun stuff22:03
sigmavirus24one keystoneclient auth plugin says "username" is deprecated in favor of "user-name"22:03
sigmavirus24Meanwhile others just refer to "username"22:03
sigmavirus24wtf22:03
odyssey4mesigmavirus24 you see why I'm suggesting that our arg rather be 'domain_name' when we interact with the library?22:03
*** sacharya has quit IRC22:03
sigmavirus24odyssey4me: which library? our keystone module?22:03
dstaneksigmavirus24: which one? i've never seen anything refer to user-name22:04
odyssey4mesigmavirus24 yep22:04
sigmavirus24I have to run but I'll be back22:04
sigmavirus24dstanek: v3password uses username22:04
odyssey4mesigmavirus24 let me be clear - the task should use 'domain_name: <blah>' explicitly and the ansible keystone library should work out the complexity in the background22:04
*** KLevenstein_ has joined #openstack-ansible22:05
*** KLevenstein has quit IRC22:07
*** KLevenstein_ is now known as KLevenstein22:07
*** galstrom is now known as galstrom_zzz22:10
openstackgerritJesse Pretorius proposed stackforge/os-ansible-deployment: Enable all services to use Keystone 'insecurely'  https://review.openstack.org/19930722:15
*** weezS has quit IRC22:19
*** fawadkhaliq has joined #openstack-ansible22:22
*** daneyon has quit IRC22:34
*** KLevenstein has quit IRC22:34
*** andymccr has joined #openstack-ansible22:46
*** annashen has quit IRC22:54
openstackgerritMiguel Grinberg proposed stackforge/os-ansible-deployment: SSL support for haproxy  https://review.openstack.org/19895722:59
*** fawadkhaliq has quit IRC23:02
*** metral has quit IRC23:03
*** andymccr has quit IRC23:09
*** andymccr has joined #openstack-ansible23:10
openstackgerritMiguel Grinberg proposed stackforge/os-ansible-deployment: SSL support for haproxy  https://review.openstack.org/19895723:13
*** andymccr has quit IRC23:18
*** britthouser has quit IRC23:23
*** andymccr has joined #openstack-ansible23:24
*** andymccr has quit IRC23:25
*** andymccr has joined #openstack-ansible23:26
openstackgerritJesse Pretorius proposed stackforge/os-ansible-deployment: Enable all services to use Keystone 'insecurely'  https://review.openstack.org/19930723:31
dstanek^ best review title ever23:31
odyssey4medstanek :)23:37
dstanekodyssey4me: if i was osad core i would +2 for the title alone23:43
openstackgerritJesse Pretorius proposed stackforge/os-ansible-deployment: Enable all services to use Keystone 'insecurely'  https://review.openstack.org/19930723:46
odyssey4methere, I think that's the last of it :)23:47
odyssey4medstanek you can always +1 with a comment :)23:47
sigmavirus24odyssey4me: oh we agree them23:49
*** TheIntern has quit IRC23:49
odyssey4mesigmavirus24 good :)23:50
sigmavirus24oh dstanek user-name is in generic password method23:50
odyssey4mesigmavirus24 I had to edit the existing Ansible libraries a bit, and the plays that use them: https://review.openstack.org/19930723:50
sigmavirus24dstanek: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/generic/password.py#L2923:50
sigmavirus24I'll try out username23:51
sigmavirus24should have tried that sooner23:51
sigmavirus24Failing that, I'll bug Jamie23:51
sigmavirus24dstanek: that was it23:58
openstackgerritIan Cordasco proposed stackforge/os-ansible-deployment: Upgrade the Keystone library to use v3  https://review.openstack.org/19694323:58
sigmavirus24now tempest passes locally23:58
sigmavirus24And with that, I say good night23:58
stevellenn23:59
sigmavirus24or not23:59
« Monday, 2015-07-06 Index Wednesday, 2015-07-08 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!