Friday, 2016-02-26

« Thursday, 2016-02-25 Index Saturday, 2016-02-27 »
*** sdake has quit IRC00:00
odyssey4mecloudnull unfortunately no git history - but that can't be helped I guess00:02
odyssey4mecool - thank you for doing that00:03
odyssey4melemme get my vote it00:03
odyssey4mehopefully they can vote it through tomorrow00:03
jmccroryhow does the initial commit get into those repos? could the history be extracted and pushed or is it only through gerrit?00:05
odyssey4mecloudnull ^ you'll have to explain, I'm out for the night00:06
jmccrorylater, odyssey4me00:08
*** cloudtra_ has quit IRC00:21
*** sdake has joined #openstack-ansible00:22
*** daneyon has quit IRC00:28
*** eil397 has joined #openstack-ansible00:32
*** sdake has quit IRC00:36
openstackgerritMichael Carden proposed openstack/openstack-ansible: Remove deprecated config variables  https://review.openstack.org/28155500:37
*** izaakk has quit IRC00:37
*** izaakk has joined #openstack-ansible00:47
openstackgerritMerged openstack/openstack-ansible: Add Kilo to Liberty upgrade scaffold  https://review.openstack.org/28382300:49
openstackgerritMerged openstack/openstack-ansible: Docs: Explanation of dynamic inventory  https://review.openstack.org/28445700:49
*** eil397 has quit IRC00:57
*** keedya has quit IRC01:23
*** daneyon has joined #openstack-ansible01:28
*** daneyon_ has joined #openstack-ansible01:30
*** skamithi has joined #openstack-ansible01:31
*** daneyon has quit IRC01:33
*** retreved has joined #openstack-ansible01:35
*** keedya has joined #openstack-ansible01:55
*** keedya has quit IRC01:58
*** weezS has quit IRC02:18
*** fawadkhaliq has joined #openstack-ansible02:48
*** abitha has quit IRC02:49
*** izaakk has quit IRC02:57
openstackgerritStanley Kamithi proposed openstack/openstack-ansible-specs: Virtual AIO Using Vagrant  https://review.openstack.org/28509003:20
*** fawadkhaliq has quit IRC03:32
*** markvoelker has quit IRC03:51
*** daneyon_ has quit IRC03:54
*** brad[] has quit IRC04:17
*** appprod0 has joined #openstack-ansible04:18
appprod0is there any specific reason cinder is the only service that tries to verify the VIP/port? https://github.com/openstack/openstack-ansible/blob/11.2.9/playbooks/roles/os_cinder/tasks/cinder_backends.yml#L16-L2204:23
appprod0just curious, ran into this on an install where the VIP wasn't working for a few services, commended out os-cinder-install.yml and setup-openstack.yml completed, but the other services were still broken. it seems like cinder is the only one that actually checks the VIP during install04:25
*** skamithi has left #openstack-ansible04:38
appprod0ah, would help if i read the second task. it uses cinder client04:39
*** markvoelker has joined #openstack-ansible04:51
*** markvoelker has quit IRC04:56
*** fawadkhaliq has joined #openstack-ansible04:58
*** rgogunskiy has quit IRC05:10
*** severion has joined #openstack-ansible05:12
*** sdake has joined #openstack-ansible05:13
*** v1k0d3n has quit IRC05:14
*** cemmason has joined #openstack-ansible05:20
*** sdake has quit IRC05:23
*** asettle has joined #openstack-ansible05:37
*** asettle has quit IRC05:42
*** javeriak has joined #openstack-ansible06:17
*** javeriak has quit IRC06:18
*** javeriak has joined #openstack-ansible06:18
*** javeriak_ has joined #openstack-ansible06:21
*** javeriak has quit IRC06:23
*** rgogunskiy has joined #openstack-ansible06:30
*** markvoelker has joined #openstack-ansible06:53
*** markvoelker has quit IRC06:57
*** asettle has joined #openstack-ansible07:14
*** asettle has quit IRC07:19
*** javeriak_ has quit IRC07:27
*** swati_ has joined #openstack-ansible07:52
*** furlongm_ has joined #openstack-ansible07:52
*** furlongm has quit IRC07:52
*** zhangjn has quit IRC08:02
*** sdake has joined #openstack-ansible08:02
*** sdake has quit IRC08:04
*** admin0_ has joined #openstack-ansible08:06
*** zhangjn has joined #openstack-ansible08:07
*** admin0_ has quit IRC08:11
*** admin0_ has joined #openstack-ansible08:11
*** swati_ has quit IRC08:17
*** mikelk has joined #openstack-ansible08:22
*** jiteka has quit IRC08:27
*** jiteka has joined #openstack-ansible08:33
*** markvoelker has joined #openstack-ansible08:53
*** markvoelker has quit IRC08:57
*** asettle has joined #openstack-ansible08:59
odyssey4meappprod0 it checks the service to validate that it's ready before moving on to the next action which is to interact with the service09:02
*** asettle has quit IRC09:04
*** metral has quit IRC09:14
*** appprod0 has quit IRC09:14
*** metral_zzz has joined #openstack-ansible09:16
*** metral_zzz is now known as metral09:16
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Add support for the nova_api db  https://review.openstack.org/27493209:18
*** appprod0 has joined #openstack-ansible09:19
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Use current, but pinned versions of pip, setuptools and wheel  https://review.openstack.org/28497709:22
*** appprod0 has quit IRC09:23
matttodyssey4me: so what are we doing regarding caps?09:28
matttare we pushing those reviews through to unblock gate?09:28
*** appprod0 has joined #openstack-ansible09:28
odyssey4mesetuptools pulled the broken versions, so everything's working regardless09:28
odyssey4mebut that doesn't help production - right09:29
odyssey4meso I've proposed https://review.openstack.org/284977 - what do you think?09:29
*** electrofelix has joined #openstack-ansible09:30
odyssey4mealso, kevin has proposed https://review.openstack.org/#/q/status:open+topic:repeatable-build - your thoughts?09:30
odyssey4meunfortunately those two patches kevin's done are dependent and our gating can't do dependent patches between repositories just yet - I'm working on fixing that today09:31
*** mgoddard_ has joined #openstack-ansible09:31
*** v1k0d3n has joined #openstack-ansible09:32
*** appprod0 has quit IRC09:33
*** severion has quit IRC09:35
*** mgoddard has quit IRC09:35
*** fawadkhaliq has quit IRC09:37
*** mattt has quit IRC09:37
*** appprod0 has joined #openstack-ansible09:37
*** mattt has joined #openstack-ansible09:38
odyssey4memattt ^09:39
*** asettle has joined #openstack-ansible09:40
*** appprod0 has quit IRC09:42
*** bsv___ has joined #openstack-ansible09:43
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Gate: Enable 'Depends-On' cross-repo dependent patching for roles  https://review.openstack.org/28518809:45
*** appprod0 has joined #openstack-ansible09:47
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Added the pip packages for the repo-build process  https://review.openstack.org/28489609:47
*** appprod0 has quit IRC09:51
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Gate: Enable 'Depends-On' cross-repo dependent patching for roles  https://review.openstack.org/28518809:51
matttodyssey4me: did cloudnull do that in conjunction with your review?09:51
matttbecause if not i'm not sure what that solves09:52
*** asettle has quit IRC09:52
odyssey4memattt he did that after our discussion about the issue where the repo server isn't using the upper constraints09:52
matttbut pip, setuptools, and wheel aren't in upper constraints09:53
matttso what does that give us09:53
odyssey4meso now what's happening is that the repo build process installs what it needs, but uses the upper constraints in the install process09:53
*** asettle has joined #openstack-ansible09:53
odyssey4meso that's where my patch comes in09:53
odyssey4memy patch aims to fix pip, wheel and setuptools at a specific version for each tag09:53
matttmy word09:53
odyssey4mewhenever we bump the sha, we update the versions of those files09:53
odyssey4methis we we get to keep up to date, but we also ensure that we're always at the same version for any given tag - no surprises09:54
odyssey4mewhat was tested is what is delivered09:54
odyssey4memy patch isn't fully complete - changes need to also go into the pip install role, but I wanted to field the idea and see what everyone thought09:55
matttodyssey4me: ok, i was just about to ask where the rest of it is09:55
*** appprod0 has joined #openstack-ansible09:56
odyssey4memattt different repositories, so I need to work out how to make this a bit more automatic09:56
matttthere's def. no issue with pip upgrading itself between tags right?09:56
odyssey4meI was thinking that perhaps the pip install role should not have any restrictions, and a group var can be used to provide the restrictions09:56
odyssey4memattt keeping up to date with pip versions is exactly what sigmavirus24_awa, pypa and infra have all recommended09:57
odyssey4meso yeah - as long as what was tested is what is delivered then we have a fully repeatable experience09:57
matttk09:58
matttno real major objection then09:58
odyssey4mebefore pip8 came out we used to do this all the time anyway :p09:58
mattti think it would be easier to review if all changes can be put into a single review when this is ready tho09:58
odyssey4meyup, lemme WIP it and add the missing machinery09:58
odyssey4methanks for the review thus far though09:58
*** gparaskevas has joined #openstack-ansible09:59
*** asettle has quit IRC10:00
*** asettle has joined #openstack-ansible10:00
*** appprod0 has quit IRC10:00
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-pip_install: Provide the option to specify a list of requirements when installing pip  https://review.openstack.org/28470110:05
*** appprod0 has joined #openstack-ansible10:05
matttodyssey4me: in https://review.openstack.org/#/c/284977/, would you not need some validation to ensure what pypi returns is compatible with openstack requirements?10:05
matttbecause with taht you could be installing stuff blacklisted by openstack10:06
odyssey4memattt sure, that's fair - I can work something out - can you add a comment to the patch to remind me?10:07
admin0_what ? you guys are still awake ?10:09
odyssey4mechecking those pins against upper constraints would be a good idea10:09
odyssey4meadmin0_ we just woke up :) we work from the uk10:09
admin0_oh :D10:09
admin0_ok10:09
matttodyssey4me: yep sure10:09
admin0_i thought from the US10:09
admin0_ok10:09
* admin0_ is in NL10:09
*** appprod0 has quit IRC10:09
odyssey4meadmin0_ there are quite a few US-based people in the community, but there are a few of us Europeans lurking10:10
odyssey4meso o/ over the channel to you :p10:10
admin0_:)10:10
matttadmin0_: should have swung round for the openstack-ansible summit last week!10:11
admin0_well, next time  .. . i am waiting for  my 5 year residence permit ..and then will apply for a UK visa10:11
* admin0_ is originally from Nepal10:11
*** javeriak has joined #openstack-ansible10:12
admin0_i have relatives in reading,Uk .. plan to visit them soon ..10:12
matttadmin0_: hah, odyssey4me and i are both in reading10:12
admin0_hmm10:13
admin0_oh :D10:13
admin0_nice10:13
admin0_i plan to host a party ( for my anniversary ) .. might call you guys :D10:13
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Gate: Enable 'Depends-On' cross-repo dependent patching for roles  https://review.openstack.org/28518810:14
admin0_for us(nepalese) , we do not need to meet before to invite in parties :D10:14
admin0_it can be a start of knowing as well :D10:14
admin0_\o/10:14
*** appprod0 has joined #openstack-ansible10:14
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Gate: Enable 'Depends-On' cross-repo dependent patching for roles  https://review.openstack.org/28518810:14
odyssey4melol, sounds like fun :)10:15
* admin0_ adds odyssey4me and mattt to the invitigation checklist :D 10:16
admin0_invitation*10:16
odyssey4meadmin0_ have you made progress in doing the setup you wanted for one install using another's keystone?10:17
admin0_not yet .. tonight is the plan to do that10:17
*** appprod0 has quit IRC10:19
matttadmin0_: there are a lot of nepalese in reading for some reason10:19
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Gate: Enable 'Depends-On' cross-repo dependent patching for roles  https://review.openstack.org/28518810:19
admin0_odyssey4me: i have https://www.openstackfaq.com/ and i had planned something else .. but now i have a change of mind ..   .. i am going to re-format that site and do questions like … 1. how to install liberty using ansible, 2. how to installl liberty wtih another keystone , 3, how to install liberty with hosted database and rabbitmq , 4. how to install liberty as econd region10:20
odyssey4meadmin0_ why not just do each of those as a blog post?10:21
odyssey4meadmin0_ alternatively, why not submit them to our repository as documentation - perhaps an appendix per scenario?10:22
*** appprod0 has joined #openstack-ansible10:23
admin0_i will do that10:23
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Added the pip packages for the repo-build process  https://review.openstack.org/28489610:24
admin0_how to install liberty while driving :D ( all using ansible )10:25
*** dalees has quit IRC10:25
*** appprod0 has quit IRC10:27
odyssey4meadmin0_ haha, great!10:28
*** ScarZy has joined #openstack-ansible10:30
*** appprod0 has joined #openstack-ansible10:32
*** appprod0 has quit IRC10:37
*** dalees has joined #openstack-ansible10:38
*** admin0_ has quit IRC10:40
*** admin0 has joined #openstack-ansible10:40
*** appprod0 has joined #openstack-ansible10:42
*** appprod0 has quit IRC10:46
*** appprod0 has joined #openstack-ansible10:51
bsv___what is the difference between the eth0 and eth1 NIC's in figure 3.2 (http://docs.openstack.org/developer/openstack-ansible/liberty/install-guide/targethosts-networkexample.html) when speaking of functionality?10:52
bsv___The guide is mixing up (or forgot to use the correct color in the diagram) two networks.10:53
*** markvoelker has joined #openstack-ansible10:54
bsv___Does the service bind on eth1, and then leave eth0 for pure management?10:54
bsv___eth1 is marked as "Management Network", but it seems to be more like a Service/API Network?10:55
*** appprod0 has quit IRC10:55
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Gate: Enable 'Depends-On' cross-repo dependent patching for plugins  https://review.openstack.org/28521710:57
*** markvoelker has quit IRC10:58
*** appprod0 has joined #openstack-ansible11:00
tiagogomes___Hmm, I can't use the metadata service inside a VM. The neutron metadata agent has "Unauthorized" in the log11:03
*** appprod0 has quit IRC11:04
*** gparaskevas has quit IRC11:05
tiagogomes___argh, I restart it and now it works. Odd11:05
*** appprod0 has joined #openstack-ansible11:09
*** spotz_zzz is now known as spotz11:11
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Add testing for dynamic_inventory.py  https://review.openstack.org/24222511:12
*** appprod0 has quit IRC11:13
openstackgerritMatt Thompson proposed openstack/openstack-ansible: Add relnote for openstack_host_systat_ rename  https://review.openstack.org/28523711:18
*** appprod0 has joined #openstack-ansible11:18
*** appprod0 has quit IRC11:23
Bofu2Ubgmccollum thanks for the tag and update on that, perfect. :)11:26
Bofu2Urolling my cassandra cluster today so it should make a big difference ha11:26
*** appprod0 has joined #openstack-ansible11:27
*** appprod0 has quit IRC11:32
*** appprod0 has joined #openstack-ansible11:37
odyssey4memattt here's a fun one, and now I see how this all starts to unravel if we pin pip/setuptools/wheel - the latest virtualenv requires setuptools 20.0 and wheel 0.29.011:41
*** appprod0 has quit IRC11:41
matttadd another pin to the list :P11:42
odyssey4meturtles all the way down11:42
odyssey4memattt would you mind giving https://review.openstack.org/285188 a review - it'll help move this all along11:43
matttsure gimme a sec11:44
*** appprod0 has joined #openstack-ansible11:46
*** appprod0 has quit IRC11:50
*** appprod0 has joined #openstack-ansible11:55
*** woopstar has joined #openstack-ansible11:56
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Use current, but pinned versions of pip, setuptools and wheel  https://review.openstack.org/28497711:57
woopstarHi there. When running the os-cinder-install playbook, when it comes to task "Add apt pin preferences", the cinder_scheduler_container suddenly becomes unresponsive. I've looked at the container, at eth0 is DHCP as usual, eth1 is configured for the container network, but seems not brigded correctly suddenly. Cannot ping from physical host to the co11:58
woopstarntainer ip. It's the only container that gives error. Rest it working perfectly11:58
woopstarAny ideas what to look for?11:59
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Use current, but pinned versions of pip, setuptools and wheel  https://review.openstack.org/28497711:59
*** appprod0 has quit IRC11:59
odyssey4mewoopstar it sounds to me like it has nothing to do with that task, but instead something to do with something else happening in the background12:01
odyssey4meis the container online?12:01
woopstarThe lxc.network.veth.pair is set in the config file for the container. And the value (interface) exists12:01
woopstaryeah, container is online and i can attach to it12:02
*** asettle has quit IRC12:02
woopstarbut the eth1 network (container network) is not working. Only eth0 (lxc 10.0.3.0/24 network) works12:02
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Use current, but pinned versions of pip, setuptools and wheel  https://review.openstack.org/28497712:02
odyssey4memattt how does ^ look to you? I think that's about it - mancdaz thanks for the previous review - if you could take a peek again at what I think is a final version that'd be awesome12:03
odyssey4mewoopstar so it seems to me that you have something to look into - I'm afriad I'm not able to help with that - I really suck at networking :/12:04
*** appprod0 has joined #openstack-ansible12:04
*** hlkv6 has joined #openstack-ansible12:04
hlkv6hello12:04
woopstar:( Odd thing is. Other container on the server is working perfectly. The api container12:04
woopstarit has a equally eth1 network, and that ip is working as it should12:05
woopstarand the container not working does have the interface and does have an ip :( But it cannot connect from the physical host to it12:06
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Use current, but pinned versions of pip, setuptools and wheel  https://review.openstack.org/28497712:07
odyssey4me^ updated commit msg mattt mancdaz12:07
odyssey4mehlkv6 hi there!12:07
*** appprod0 has quit IRC12:08
*** ccesario has quit IRC12:12
*** krotscheck_dcm is now known as krotscheck12:13
*** appprod0 has joined #openstack-ansible12:13
matttodyssey4me: wondering if we're going to hit any bumps with https://review.openstack.org/#/c/285188/12:15
odyssey4memattt what sort of bumps are you thinking of?12:16
matttwell by dumping a role into the root of the project's dir12:16
matttand then including that in ANSIBLE_ROLES_PATH12:16
odyssey4meit doesn't go into the root - it goes into the parent12:16
matttah ok, that's better12:17
odyssey4mehmm, did I get the level wrong?12:17
odyssey4meso basically you have 'workspace/<location of all clones>'12:17
*** appprod0 has quit IRC12:18
odyssey4meso openstack ansible is in the path 'workspace/openstack-ansible' and any depending clone goes into 'workspace/myawesomerole'12:18
matttodyssey4me: i think your path is wrong then12:18
matttwhich is why i was confused12:18
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Gate: Enable 'Depends-On' cross-repo dependent patching for roles  https://review.openstack.org/28518812:21
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Gate: Enable 'Depends-On' cross-repo dependent patching for plugins  https://review.openstack.org/28521712:21
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Gate: Enable 'Depends-On' cross-repo dependent patching for plugins  https://review.openstack.org/28521712:22
*** appprod0 has joined #openstack-ansible12:22
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Use current, but pinned versions of pip, setuptools and wheel  https://review.openstack.org/28497712:23
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Added the pip packages for the repo-build process  https://review.openstack.org/28489612:23
*** asettle has joined #openstack-ansible12:24
odyssey4memattt are you happy with https://review.openstack.org/284701 though? it's the fundamental base patch to activate all this12:24
mattti have no idea, i've not looked yet :)12:24
*** ccesario has joined #openstack-ansible12:25
*** appprod0 has quit IRC12:27
mattti'll look once i am done with hter other 2 you just asked me to look at :)12:27
* mattt operates at normal human speeds12:28
odyssey4me:)12:28
mattti just wnat to make sure this depends-on change actually does what we expect12:28
mattti think you'd find out pretty quickly if it doesn't12:28
matttbut let's just square it away now12:29
odyssey4meyeah, that's why I'm gating the others on top of that - to verify it12:29
*** sdake has joined #openstack-ansible12:29
matttah ok12:29
*** appprod0 has joined #openstack-ansible12:32
matttodyssey4me: https://review.openstack.org/#/c/284701 could use a test12:35
matttodyssey4me: or rather, i think this functionality should be tested12:35
matttodyssey4me: i suppose functionality isn't changing and the test can go in a separate review12:35
matttodyssey4me: i'll put the test through on top of https://review.openstack.org/#/c/28470112:36
*** appprod0 has quit IRC12:36
*** markvoelker has joined #openstack-ansible12:40
Bofu2Umorn12:40
*** appprod0 has joined #openstack-ansible12:41
*** woopstar has quit IRC12:43
odyssey4memattt good plan12:43
odyssey4meo/ Bofu2U how goes it?12:44
Bofu2Unot too shabby12:44
Bofu2Uabout to start really pushing it today12:44
Bofu2Uso, fingers crossed lol12:44
Bofu2Uthat and trying to renegotiate a colo deal for a cage.12:44
*** markvoelker has quit IRC12:44
Bofu2U#serverlyfe12:44
Bofu2Uhow about you, odyssey4me ?12:45
*** bsv___ has quit IRC12:45
*** appprod0 has quit IRC12:45
odyssey4memattt I'll figure out a patch on top of https://review.openstack.org/284977 which verifies that we aren't implementing any versions that are blocked in global-requirements - I think it's more important to get this done right now, I can verify that manually for now.12:45
*** MCoLo has quit IRC12:48
*** appprod0 has joined #openstack-ansible12:50
*** appprod0 has quit IRC12:54
*** appprod0 has joined #openstack-ansible12:59
openstackgerritMatt Thompson proposed openstack/openstack-ansible-pip_install: Test version of pip being installed  https://review.openstack.org/28528413:02
matttodyssey4me: circling back13:02
odyssey4memattt so I see in the gate test that the pip install isn't upgrading pip to the expected version, as it's already installed13:02
odyssey4meI also see that the depends-on patch isn't having the desired effect13:03
*** appprod0 has quit IRC13:04
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Use current, but pinned versions of pip, setuptools and wheel  https://review.openstack.org/28497713:04
*** cemmason has quit IRC13:05
*** cemmason has joined #openstack-ansible13:06
odyssey4memattt so I've made the update to ensure that pip does the upgrade13:07
odyssey4mebut I'm thinking that perhaps the depends-on needs to be more like - if there happens to be another folder in the workspace root, remove any folder by the same name (minus the 'openstack-ansible-' prefix) in /etc/ansible/roles/ and move the folder from the workspace there13:08
odyssey4meit's a bit clunky :/13:08
*** appprod0 has joined #openstack-ansible13:08
odyssey4meheh, I just realised why it's not working13:10
odyssey4methe role name is different to the repo name - so I need to make sure that the folder is appropriately renamed13:10
matttah yeah13:11
mhaydenmornin'13:11
*** appprod0 has quit IRC13:13
*** MCoLo has joined #openstack-ansible13:15
matttodyssey4me: is gating broken at the minute?  no right13:17
matttif so is there a mad rush to get these patches in?13:17
odyssey4memattt nope, but we do need to do a release for kilo and liberty and I'm not feeling good about releasing another tag until we sort this out13:17
*** appprod0 has joined #openstack-ansible13:17
odyssey4methat said, I suppose we could do it regardless as things are working13:18
odyssey4methis isn't a blocker right now I suppose13:18
odyssey4meit just means that the tags now and before will never be consistent deployments13:19
*** markvoelker has joined #openstack-ansible13:20
*** appprod0 has quit IRC13:22
*** retreved has joined #openstack-ansible13:22
*** ric has joined #openstack-ansible13:23
*** spotz is now known as spotz_zzz13:25
*** brad[] has joined #openstack-ansible13:25
*** appprod0 has joined #openstack-ansible13:27
matttodyssey4me: yeah, i just think rather than rushing through a solution we should get it right13:27
odyssey4meyep13:28
*** cemmason1 has joined #openstack-ansible13:30
*** appprod0 has quit IRC13:31
*** cemmason has quit IRC13:31
*** fawadkhaliq has joined #openstack-ansible13:36
*** appprod0 has joined #openstack-ansible13:36
*** appprod0 has quit IRC13:40
*** woodard has joined #openstack-ansible13:41
*** automagically_ is now known as automagically13:41
*** woodard has quit IRC13:42
*** woodard has joined #openstack-ansible13:43
openstackgerritMerged openstack/openstack-ansible: Doc: Minor grammar and typo fixes  https://review.openstack.org/28158913:44
*** javeriak has quit IRC13:44
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Gate: Enable 'Depends-On' cross-repo dependent patching for roles  https://review.openstack.org/28518813:44
*** appprod0 has joined #openstack-ansible13:45
*** ric has quit IRC13:47
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Gate: Enable 'Depends-On' cross-repo dependent patching for roles  https://review.openstack.org/28518813:48
*** appprod0 has quit IRC13:49
*** rgogunskiy has quit IRC13:50
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Added the pip packages for the repo-build process  https://review.openstack.org/28489613:52
odyssey4memattt how annoying - as it turns out it doesn't get cloned there - now I need to figure out where it does get cloned13:54
*** appprod0 has joined #openstack-ansible13:54
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: [WIP] Gate: Enable 'Depends-On' cross-repo dependent patching for roles  https://review.openstack.org/28518813:56
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Added the pip packages for the repo-build process  https://review.openstack.org/28489613:57
*** appprod0 has quit IRC13:58
*** johnmilton has joined #openstack-ansible14:00
*** skamithi13 has joined #openstack-ansible14:00
*** appprod0 has joined #openstack-ansible14:03
*** appprod0 has quit IRC14:08
*** zhangjn has quit IRC14:08
*** skamithi has joined #openstack-ansible14:08
*** zhangjn has joined #openstack-ansible14:09
*** Bjoern_ has joined #openstack-ansible14:11
*** Bjoern_ is now known as Bjoern_zZzZzZzZ14:11
*** Bjoern_zZzZzZzZ is now known as Bjoern_14:12
*** appprod0 has joined #openstack-ansible14:12
*** appprod0 has quit IRC14:17
*** karimb has joined #openstack-ansible14:17
*** karimb has quit IRC14:17
*** jaypipes is now known as sicklypipes14:22
*** appprod0 has joined #openstack-ansible14:22
mhaydendon't post emoji to gerrit -- you'll get a 50014:22
automagicallyI always knew Gerrit was no fun14:24
*** appprod0 has quit IRC14:26
*** Mudpuppy has joined #openstack-ansible14:31
*** appprod0 has joined #openstack-ansible14:31
*** appprod0 has quit IRC14:35
*** sdake has quit IRC14:35
matttodyssey4me: i'm killing this one: https://review.openstack.org/#/c/283657/14:37
*** keedya has joined #openstack-ansible14:38
*** appprod0 has joined #openstack-ansible14:40
*** kencjohnston has joined #openstack-ansible14:41
*** appprod0 has quit IRC14:44
*** KLevenstein has joined #openstack-ansible14:47
*** appprod0 has joined #openstack-ansible14:49
openstackgerritMatt Thompson proposed openstack/openstack-ansible: Ansible galaxy issues workaround  https://review.openstack.org/28082214:53
*** appprod0 has quit IRC14:54
*** fawadkhaliq has quit IRC14:55
*** appprod0 has joined #openstack-ansible14:58
*** appprod0 has quit IRC15:03
openstackgerritMerged openstack/openstack-ansible-pip_install: Provide the option to specify a list of requirements when installing pip  https://review.openstack.org/28470115:05
*** sdake has joined #openstack-ansible15:05
*** sigmavirus24_awa is now known as sigmavirus2415:07
*** appprod0 has joined #openstack-ansible15:08
*** cemmason1 has quit IRC15:08
*** appprod0 has quit IRC15:12
*** ShannonM has joined #openstack-ansible15:12
*** galstrom_zzz is now known as galstrom15:15
*** asettle has quit IRC15:16
*** appprod0 has joined #openstack-ansible15:17
*** joseg has joined #openstack-ansible15:17
*** woodard has quit IRC15:21
*** appprod0 has quit IRC15:21
openstackgerritMatt Thompson proposed openstack/openstack-ansible: Cosmetic PLUMgrid doc updates  https://review.openstack.org/28535515:23
*** appprod0 has joined #openstack-ansible15:26
lbragstadcloudnull quick question on https://github.com/os-cloud/openstack-ansible-os_keystone/blob/master/tasks/main.yml#L62-L6415:27
lbragstadcloudnull I am setting `keystone_service_setup` to false yet I still have the keystone_multi_ldap.yaml plays run?15:28
odyssey4memhayden if your emoji is an ascii emoji, does it blend?15:30
*** appprod0 has quit IRC15:30
odyssey4memattt good call15:31
cloudnullmorning15:31
*** raddaoui has joined #openstack-ansible15:31
cloudnulllbragstad: are they running, or skipped?15:31
odyssey4melbragstad does it run, or does it skip?15:32
odyssey4mehaha, that's what I get for processing in serial :p15:32
odyssey4meo/ cloudnull15:33
lbragstadodyssey4me cloudnull \o/15:33
cloudnullhows it ?15:33
lbragstadafter running that play - I do see the domains directory in /etc/keystone15:33
*** asettle has joined #openstack-ansible15:34
cloudnulllbragstad: https://github.com/os-cloud/openstack-ansible-os_keystone/blob/master/tasks/keystone_pre_install.yml#L62-L8015:34
cloudnullthe dirs are created in an earlier set of tasks15:35
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Use current, but pinned versions of pip, setuptools and wheel  https://review.openstack.org/28497715:35
*** appprod0 has joined #openstack-ansible15:35
odyssey4mecloudnull ^ how do you like that option for pinning pip/setuptools/wheel, but still also keeping up to date?15:35
odyssey4meautomagically jmccrory when you're online, please also peek at it15:35
* cloudnull looking15:36
* automagically looking15:36
cloudnull+2 LGTM15:37
openstackgerritJesse Pretorius (odyssey4me) proposed openstack/openstack-ansible: Added the pip packages for the repo-build process  https://review.openstack.org/28489615:37
cloudnullw/ the change in pip install to allow for package pass through15:37
lbragstadcloudnull ah - ok15:37
cloudnullthis should work well15:37
odyssey4meyeah, I think this is really good - the role for pip_install is generic and the specifics are in the orchestration, as it should be15:38
lbragstadcc dolphm ^15:38
odyssey4methe only thing missing now is a validation that the versions we're set to use are not versions that are currently blocked in global-requirements... I'll manually check for that on SHA bumps for now and implement a check at a later time15:39
*** appprod0 has quit IRC15:40
odyssey4mecloudnull I think that https://review.openstack.org/284896 might need the up to date pip/setuptools/wheel in order to work properly - virtualenv is spitting errors out during the venv builds15:40
openstackgerritKevin Carter proposed openstack/openstack-ansible: Added the pip packages for the repo-build process  https://review.openstack.org/28489615:41
*** neilus has quit IRC15:41
cloudnullI just updated per mattt suggestion to have it use a separate task file.15:42
*** spotz_zzz is now known as spotz15:42
cloudnullodyssey4me:  w/ the dependent patches it should work. are the errors coming from setuptools ?15:43
odyssey4mecloudnull http://logs.openstack.org/96/284896/6/check/gate-openstack-ansible-dsvm-commit/ee2b248/console.html#_2016-02-26_14_41_50_56515:44
*** appprod0 has joined #openstack-ansible15:44
openstackgerritKevin Carter proposed openstack/openstack-ansible: Added the pip packages for the repo-build process  https://review.openstack.org/28489615:45
cloudnullmaybe the --no-download option was removed ?15:46
cloudnulli made the repo-build patch depend on your pip updaterator patch15:47
cloudnullso maybe that'll help15:47
*** sdake has quit IRC15:47
cloudnullversion 14.0.6 seems to have it15:48
*** appprod0 has quit IRC15:49
cloudnullit seems 13.1.2, which was being used in that run, does not15:49
odyssey4mehmm, why was that version being used - that's odd15:50
odyssey4meupper-constraints has the current version, as I recall15:50
cloudnulland our current master os-u-c file https://github.com/openstack/requirements/blob/332278d456e06870150835564342570ec9d5f5a0/upper-constraints.txt15:51
cloudnullis constraining it https://github.com/openstack/requirements/blob/332278d456e06870150835564342570ec9d5f5a0/upper-constraints.txt#L35615:51
cloudnullhead of master has the updates we'd need https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L36915:52
palendaebgmccollum: RE: the convo last night about global_overrides being merged - I *think* it'll be merged based on how we have the environment defined, with https://github.com/openstack/openstack-ansible/blob/master/etc/openstack_deploy/openstack_environment.yml being basically empty and the env.d files populating it15:53
cloudnullif i change the option to never-download instead of no-download itll be compatible with both versions.15:53
*** appprod0 has joined #openstack-ansible15:53
*** cloudtrainme has joined #openstack-ansible15:54
openstackgerritKevin Carter proposed openstack/openstack-ansible: Added the pip packages for the repo-build process  https://review.openstack.org/28489615:54
*** woodard has joined #openstack-ansible15:55
cloudnullodyssey4me: ^ thatll do i t15:55
*** asettle has quit IRC15:56
*** izaakk has joined #openstack-ansible15:57
odyssey4mehaha, of course - that makes sense15:57
matttthanks cloudnull15:57
*** appprod0 has quit IRC15:58
cloudnullthanks for reviewing it mattt :)15:58
palendaeWill anyone else have a chance to test https://review.openstack.org/#/c/272652/ today? I gave it a shot a few weeks ago and it appeared to work, but more eyes doesn't hurt15:59
*** asettle has joined #openstack-ansible16:00
*** woodard has quit IRC16:00
*** cloudtrainme has quit IRC16:02
*** appprod0 has joined #openstack-ansible16:03
openstackgerritMerged openstack/openstack-ansible: Automate setting of glance_api_version  https://review.openstack.org/28350816:04
matttpalendae: i'll start building my kilo now to test it, but may not get that review updated before i head out today16:04
palendaemattt: Thanks16:04
openstackgerritMerged openstack/openstack-ansible: Update PLUMgrid Appendix Doc paths  https://review.openstack.org/28456416:04
SamYaplehey how are you guys dealing with the "show_image_direct_url" security hole with ceph?16:05
SamYaplelast i remember you were just setting the option and having the security hole be present16:05
*** cloudtrainme has joined #openstack-ansible16:06
cloudnullmattt: ^16:07
*** appprod0 has quit IRC16:07
matttSamYaple: yeah not aware of us doing anything out of the ordinary there16:07
cloudnullsorry SamYaple im not that in the know about about ceph.16:08
odyssey4mesigmavirus24 your review of the approach in https://review.openstack.org/284977 would be appreciated, as the resident pip wizard :)16:08
SamYaplesame boat with Kolla. I was considering running a second glance-api server, one internal for show_image_direct_url, one external without the bad option16:08
palendaeSamYaple: In Ceph itself, or the client side stuff?16:08
palendaeCeph install, rather16:08
matttSamYaple: that's an interesting approach16:09
SamYaplepalendae: this is a setting in glance-api16:09
palendaeAhh, ok16:09
SamYapleits needed to do CoW stuff16:09
matttpalendae: it leaks your storage details iirc16:09
palendae=\16:09
SamYaplemattt: and you can read random files like... /etc/shadow16:09
odyssey4meSamYaple refresh my memory on the issue? if you use ceph, then you kinda need glance v2, but glance v2 shows the image url publically and that's exposing too much info, even if it's inaccessible?16:09
odyssey4meoh wow, that's rather lovely16:10
SamYapleodyssey4me: with show_image_direct_url you can read /etc/shadow on the system (they may have fixed _that_) but its still a security hole16:10
SamYapleits needed for ceph to be useful since ceph requires that for CoW cloning16:10
SamYapleit returns the rbd://<location> mapping16:10
cloudnulllooks like the ceph docs still recommend setting that http://docs.ceph.com/docs/master/rbd/rbd-openstack/16:10
SamYapleoh its a hard requirements16:10
SamYapledoubt that going to change16:11
odyssey4mewell, I suppose we could work around it - as you're clearly thinking of doing - but the fact of the matter is that this is an issue in glance itself, it seems, and should be fixed there16:11
matttSamYaple: i thought that was fixed no?16:11
SamYaplemattt: glance docs and nova people still say its a security risk16:11
matttsigmavirus24: do you recall?  i thought we addressed this some time ago16:11
SamYapleit may have been lessened (like you can no longer read /etc/shadow) but the docs still say its bad16:11
cloudnullsigmavirus24 stevelle ^16:12
*** appprod0 has joined #openstack-ansible16:12
odyssey4methat said, if you're looking for ideas, then perhaps an easy one would be to put glance behind apache and do rewrites based on the location of the client - that's assuming that glance can run as a wsgi process (it couldn't in grizzly)16:12
cloudnullidk that it can now either.16:12
odyssey4methe alternative is what I used to do - which was to implement a reverse proxy (Apache) as the public endpoint for all services - that way you have more flexibility to do what you need for information that goes through to non-internal clients16:14
SamYaplethis issue came up in https://review.openstack.org/#/c/205282/ again so i assumed it was still a security issue16:14
*** logan- has quit IRC16:14
sigmavirus24mattt: what are we talking about?16:14
*** logan- has joined #openstack-ansible16:14
sigmavirus24allowing the user to see/user locations?16:14
sigmavirus24Or CoW with ceph?16:14
sigmavirus24I'm a little lost16:14
odyssey4mesigmavirus24 the weather16:14
Nepocgood morning, my day is looking better. I slogged my way through all my ssl issues. If anyone is interested I have the system working with a custom ca, individual certs for each endpoint and ssl termination.16:14
* odyssey4me is a helper16:14
automagicallyNepoc: Awesome, any changes needed?16:15
odyssey4meNepoc very cool - it'd be great if you could write up a blog about what you did :)16:15
NepocPlenty :)16:15
matttsigmavirus24 SamYaple : https://review.openstack.org/#/q/233a71022e0ee90ddacc05126a0bc7265c1ad16616:15
matttis what i was thinking16:15
odyssey4meNepoc alternatively, add your notes to an etherpad and we can work through them16:15
NepocI should be able to write something up in a week or two16:15
sigmavirus24mattt: I'm still confused about what we're talking about16:15
SamYaplesigmavirus24: direct_url in glance. its needed for CoW in ceph. its still a security issue though yes?16:16
stevellewasn't part of the point of retiring v1 glance to get away from that?16:16
sigmavirus24SamYaple: it used to be at least16:16
sigmavirus24stevelle: no v2 still has image-locations16:16
odyssey4memattt and we no longer have that as we've reverted to using pure upstream policies16:16
NepocI'm currently implementing a WAF installer for Openstack16:16
automagicallyNepoc: +1 to the etherpad. We could definitely see how your changes relate to the work that went into https://review.openstack.org/#/c/277199/16:16
sigmavirus24But only if the op turns it on16:16
*** appprod0 has quit IRC16:16
SamYaplesigmavirus24: and for ceph its kinda a requirement16:16
matttodyssey4me: yeah i was thinking about that, i recall you stripped that out16:16
sigmavirus24That said, there was an issue where a user could delete all image locations and then replace the locations with a fake one16:16
SamYaplewithout it no CoW sigmavirus2416:17
sigmavirus24SamYaple: it's a requirement for CoW, not for Ceph16:17
sigmavirus24SamYaple: right, ceph can operate without CoW though16:17
stevelleI thought v2 had a way to manage that, or am I thinking of another glance security issue16:17
SamYaplesigmavirus24: yea but it would be mostly worthless i think16:17
sigmavirus24It's slower, but it's still possible as I understand it16:17
SamYapleit is16:17
SamYapleeach image just has to be downloaded and repushed into the cluster16:17
SamYapleno cloning16:17
sigmavirus24SamYaple: I don't disagree. You could restrict image location deletion though and I think that'd be roughly safer16:17
SamYaplesigmavirus24: could that still leak other files with a crafted "get"?16:18
SamYapleIIRC you has to set image location to a file then download the "image"16:18
SamYaplecoolj: ping, i think you did this once16:18
odyssey4mepalendae have you tested https://review.openstack.org/272652 ? if so, please add your review!16:20
palendaeodyssey4me: I did in the review at Feb 15 3:03 PM; I've not updated those findings since there hasn't been a material change in the code from what I can see16:21
matttmancdaz: you mentioned something about show_image_direct_url the other day, what issue were referring to?16:21
*** appprod0 has joined #openstack-ansible16:21
cloudnullNepoc: +1 I'd love to read about the SSL bits you've worked through. especially as automagically and I have been working on the ssl termination reviews.16:21
palendaeRealize that's kind of lost in the noise though16:21
sigmavirus24SamYaple: so what other files could it leak16:21
mancdazmattt it was something that needs to be enabled to allow cow between glance pool and cinder pool16:21
*** skamithi has quit IRC16:21
sigmavirus24I've honestly forgotten that OSSN, so maybe I'm forgetting that getting the list of locations did something funky16:22
*** skamithi has joined #openstack-ansible16:22
SamYaplesigmavirus24: at the time, whatever files the user running glance had access to. this included /etc/shadow16:22
SamYaplesigmavirus24: i dont know about now16:22
matttyeah the only issue i'm aware of is https://bugs.launchpad.net/glance/+bug/1400966, and i thought it was fixed16:24
openstackLaunchpad bug 1400966 in OpenStack Security Advisory "[OSSA-2014-041] Glance allows users to download and delete any file in glance-api server (CVE-2014-9493)" [Critical,Fix released] - Assigned to Grant Murphy (gmurphy)16:24
matttsounds like SamYaple is referring to something else16:24
sigmavirus24SamYaple: ah we implemented a fix for that as I recall16:24
sigmavirus24That should be fine now16:25
palendaeodyssey4me: Want me to run that test again and report back?16:25
sigmavirus24SamYaple: so yeah, multiple_locations = True should be fine (or whatever the config setting is)16:25
*** appprod0 has quit IRC16:26
matttSamYaple: do you have something indicating the bug you are referring to?16:26
odyssey4mepalendae up to you, I'm just looking to rustle up more reviews from people who actually tested the patch16:29
palendaeodyssey4me: Yeah, understood16:29
*** skamithi has quit IRC16:29
palendaeodyssey4me: Just making sure that previous test met expectations16:30
odyssey4mepalendae also, considering you're now documenting your patches - I thought a fresh eye on what was done would be good16:30
*** appprod0 has joined #openstack-ansible16:30
palendaeFair enough16:30
palendaeI'll spin up an AIO and run it16:30
palendaeSince the surround code calling the playbook did change16:30
palendaesurrounding*16:31
Nepoccloudnull: Send me a url to etherpad and I'll dump in everything16:31
matttmancdaz: enabling that is a bit revealing, but with rbd it's a bit cryptic and really isn't going to reveal a whole lot to the end user16:31
odyssey4meNepoc you're able to create an etherpad yourself at any time: https://etherpad.openstack.org/16:31
NepocAh ok16:32
cloudnullNepoc:  https://etherpad.openstack.org/p/osa-ssl-termination16:32
matttmancdaz: i know if you're using swift or something then it's really dangerous16:32
NepocQuick question, is there anyway to pull the host definitions from the openstack_user_config.yml into a user_blah.yml file?16:32
*** skamithi has joined #openstack-ansible16:33
automagicallyNepoc: Take a look at conf.d16:33
palendae^ We started adding new host definitions into conf.d, but some of the existing ones haven't been migrated out by default yet16:34
automagicallyNepoc: and for docs: https://review.openstack.org/#/c/284457/7/doc/source/developer-docs/inventory.rst,unified16:34
*** appprod0 has quit IRC16:34
palendaeautomagically, Nepoc: Now merged and prettily rendered - file:///Users/nola7999/projects/openstack-ansible/doc/build/html/developer-docs/inventory.html#developer-inventory16:37
odyssey4melogan- does https://review.openstack.org/284977 meet your requirements?16:37
palendaeautomagically, Nepoc: Let me try again - http://docs.openstack.org/developer/openstack-ansible/developer-docs/inventory.html16:38
Nepochehe16:38
odyssey4me:)16:38
*** appprod0 has joined #openstack-ansible16:39
NepocI was hoping to consolodate all the "somekindof_hosts: host1: ip: 1.2.3.4" definitions into one yaml file.16:40
logan-yeah I think that makes sense thanks16:40
cloudnullNepoc:  in conf.d/ you can do that nova_compute.yml in one file glance.yml in another .16:43
cloudnullwe do that with swift now16:43
SamYaplesigmavirus24: mattt: i do not have a bug. so you are saying direct_url is safe for use? no security risk?16:43
cloudnullbut you could do others too16:43
NepocSo I could do ... all_nodes.yml?16:43
openstackgerritNolan Brubaker proposed openstack/openstack-ansible: Add notes on running the upgrade script  https://review.openstack.org/28541916:43
cloudnullNepoc:  yes16:43
sigmavirus24odyssey4me: that looks okay to me16:43
matttSamYaple: there is a security risk of course16:43
sigmavirus24SamYaple: I believe so yes16:43
Nepoccloudnull: excellent16:43
sigmavirus24I mean there isn't 0 security risk16:44
matttSamYaple: because it leaks your storage backend details16:44
sigmavirus24But I'd say it's low16:44
*** appprod0 has quit IRC16:44
matttSamYaple: but i'm not aware of being able to overwrite files etc.16:44
sigmavirus24mattt: openstack wants glance to do that all the time anyway16:44
sigmavirus24"We don't want to download image data through glance. Let us access the backend on its own because we want to just get it from wherever the source is"16:44
matttsigmavirus24: yeah if you do an image-show w/ v2 api it will show you your backend, which IIRC can leak your swift details if you have a swift backend16:44
odyssey4mesigmavirus24 be gentle, that's my first 'from scratch' python tool :)16:44
sigmavirus24mattt: shouldn't because people shouldn't be swift creds in the swift urls16:45
odyssey4mefor the project, at least16:45
sigmavirus24That should be in glance's conf16:45
SamYaplemattt: so your saying its just informational leakage though? no data can be leaked. interesting16:45
sigmavirus24mattt: I don't think we should be generating swift urls with credentials in them anymore in glance16:45
SamYaplei guess there is some misinformation floating around16:45
matttSamYaple: i'm not saying that no16:45
*** mgoddard__ has joined #openstack-ansible16:45
matttSamYaple: i'm just saying the only issue i'm aware of :)16:45
matttsigmavirus24: i'll need to look, i know i checked like a yaer or two ago and it was a problem16:46
sigmavirus24mattt: can we confirm that's still a problem with kilo/liberty/mitaka glance?16:46
sigmavirus24mattt: yeah, I saw the bug from ~2 years ago16:46
sigmavirus24The bug also wanted a migration to fix those urls for the administrator16:46
sigmavirus24which no one ever wrote :/16:46
*** jiteka1 has joined #openstack-ansible16:46
*** jiteka has quit IRC16:46
SamYaplemaybe i should have brought this up in #glance i thought that was a permant issue and wanted to see if you guys wrote a workaround, but it sort of sounds like it might not even be an issue16:47
matttSamYaple: can you keep us posted with what you find?16:47
matttSamYaple: you've got me all hot and bothered now16:47
* SamYaple plan is working perfectly16:48
*** appprod0 has joined #openstack-ansible16:48
*** mgoddard_ has quit IRC16:49
*** Bjoern_ is now known as BjoernT16:50
lbragstadcloudnull another os_keystone ansible question for you16:51
cloudnullshoot16:51
lbragstadcloudnull if i opt out of deploying a database behind keystone - can i shutoff the galera-client install stuff too?16:52
vdo /j #nodejitsu16:52
openstackgerritNolan Brubaker proposed openstack/openstack-ansible: Add notes on running the upgrade script  https://review.openstack.org/28541916:52
lbragstador skip the galera client install based on https://github.com/rackerlabs/capstone-deploy/blob/master/deploy.yaml#L3516:52
automagicallylbragstad: You should be able to16:52
cloudnulllbragstad: yes that should be possible.16:52
*** mikelk has quit IRC16:53
lbragstadcloudnull is that already supported and I'm just not seeing it?16:53
*** appprod0 has quit IRC16:53
matttare we really looking to backport https://review.openstack.org/284937 to kilo ?16:54
mattti know it's a bug and all but ....16:54
odyssey4melbragstad cloudnull this is why I don't think that should be a role dep - it should instead be implemented via the playbook16:54
matttif so, we should fix the sysstat issue and leave the variables as they are16:54
cloudnullodyssey4me:  that would be a lot slower.16:55
cloudnullwe just need a param16:55
odyssey4memattt yeah, I'd agree with that - the backport should be a backport in principle, but not an exact cherry pick16:55
odyssey4methis is assuming we even want that to be backported16:55
lbragstadcloudnull a parameter to turn off the galera client install?16:55
palendaelbragstad, cloudnull: I don't think we can do conditional installs of galaxy roles. mrda ran into this with the ironic role and openstack_openrc16:56
automagicallyYou can conditionalize the metadata dependency though16:56
*** weezS has joined #openstack-ansible16:56
palendaeTrue16:57
lbragstadbut the playbooks aren't run on galaxy install are they?16:57
palendaeMight be a better way to do it16:57
palendaeNo16:57
odyssey4mehow would doing that be different from simply telling the playbook to execute the role?16:57
cloudnulllbragstad: https://github.com/os-cloud/openstack-ansible-os_keystone/pull/216:57
odyssey4meI'm not against the idea - I just want to understand the implications.16:57
openstackgerritMatt Thompson proposed openstack/openstack-ansible: Automate setting of glance_api_version  https://review.openstack.org/28418216:57
*** appprod0 has joined #openstack-ansible16:58
cloudnullodyssey4me:  deps are rendered 1 on a host where roles are executed everywhere the playbook touches regardless.16:58
cloudnullalso if the keystone role has a DB then its required that the DB clients be present.16:59
cloudnullso a dep makes more sense.16:59
odyssey4mecloudnull sure, but what if the user wants to use mysql, not mariadb - or postgresql ofr that matter16:59
cloudnullor DB2 for that matter17:00
*** tiagogomes___ has quit IRC17:00
odyssey4mecloudnull also, WUT? ;)17:00
*** tiagogomes has joined #openstack-ansible17:00
admin0what processes adds bridges to the vlans ? the neutron-linuxbridge-agent right ?17:00
odyssey4metell me the bit about the deps again, in laymans terms :p17:00
admin0if that misses, or the vlans are not there, is there a manual way to add them ?17:00
admin0somehow for new networks, i have the interfaces, btu they are not added to the bridges . for some, they arein the bridge, but the bridge is not in the VM17:01
odyssey4meadmin0 if you're talking about bridges created by networks which are built in openstack - then the neutron agent does those17:01
cloudnullodyssey4me:  http://docs.ansible.com/ansible/playbooks_roles.html#role-dependencies17:01
cloudnull"By default, roles can also only be added as a dependency once - if another role also lists it as a dependency it will not be run again."17:02
*** appprod0 has quit IRC17:02
*** joseg has quit IRC17:03
odyssey4mecloudnull ah, so your concern is that it would run multiple times because multiple plays execute against the same hosts17:03
openstackgerritAndy McCrae proposed openstack/openstack-ansible: Fix typo in swift_rings_check.py.j2  https://review.openstack.org/28543517:03
cloudnullodyssey4me:  yes17:03
cloudnulllbragstad:  so with https://github.com/os-cloud/openstack-ansible-os_keystone/pull/2/files if you have the DB disabled it wont run the galera_client role17:03
cloudnullif you can give that a go and post in the PR it'd be appreciated.17:04
cloudnullwe're still waiting on getting that role into the OS namespace.17:04
*** electrofelix has quit IRC17:04
odyssey4mecloudnull ok, then I'm game for implementing vars - this goes towards the discussion around implementing code paths based on vars instead of tags though17:04
cloudnullhuh?17:05
lbragstadcloudnull sure thing - can I pass a PR to my ansible requirements file?17:06
cloudnullim not sure this has anything to with tagging .17:06
odyssey4mecloudnull we discussed before, and at the mid cycle, vars can be used to activate code paths - in marketing speak, we can implement var-based implementation of 'life cycle events' :p17:06
odyssey4meanyway, that's a tangent17:07
*** appprod0 has joined #openstack-ansible17:07
cloudnullim lost. how is that related to adding a conditional to the dep?17:07
odyssey4methat's adding a code path based on a var setting17:07
odyssey4meyou were against that before :)17:07
odyssey4mewe'll discuss it again at the summit, as I think we're going to have to do something like that17:08
*** asettle has quit IRC17:08
cloudnullwe have vars that activate code paths all over the place.17:08
cloudnullgalera, rabbit, nova, etc17:08
lbragstadfederation17:08
cloudnull^ that17:09
cloudnullthis is not new.17:09
cloudnullmaybe im just confused here.17:09
odyssey4meheh, exactly - so I'd like to formalise some standard path activators as a pattern17:09
lbragstadso - making all code paths dependent on setting specific variables?17:09
odyssey4mesome examples - maybe you want to install, but not configure or start services... and maybe you want to not install, but configure and start services17:10
odyssey4meother examples - you want to configure a set of features17:10
cloudnullthe start service thing i can get behind. the not install but do other magic, no17:10
odyssey4meeffectively the default is to do what we do today - everything17:10
cloudnulluse a tag17:10
odyssey4mebut allow the playbook to set a var that turns off key actions17:11
odyssey4meplaybooks can't do tags17:11
odyssey4meso to do that you'd need a human, or a wrapper script17:11
*** Mudpuppy_ has joined #openstack-ansible17:11
*** appprod0 has quit IRC17:11
*** KLevenstein_ has joined #openstack-ansible17:11
odyssey4methis means, for instance, that you could do staged implementations - an example would be to deploy the new code, implement the configs, but not restart the services until you're ready to17:12
cloudnullwe can already do that, use a tag17:13
*** xek__ has joined #openstack-ansible17:13
cloudnullI think we need to standardize on how we've implemented the tags17:13
odyssey4meif tags are the preferred option, then we need to standardise tags properly and implement the code paths according to a standardised set of tags17:13
odyssey4meright now it's the wild west :)17:14
cloudnullbut adding vars all overthe place is the re-invention of the wildwest17:14
*** admin0 has quit IRC17:14
*** gfa_ has joined #openstack-ansible17:14
odyssey4meI'm ok with either option. But it's a discussion that needs to be had.17:14
cloudnullif we could have starard tags for config, install, etc and use them everywhere we'd solve that17:14
cloudnulland i dont think we're going to get away from vars activating code paths.17:15
cloudnullwe need both.17:15
*** Trident has joined #openstack-ansible17:15
*** neillc_ has joined #openstack-ansible17:15
*** ggillies_ has joined #openstack-ansible17:16
*** kmARC_ has joined #openstack-ansible17:16
odyssey4mewhy choose, when you can have it all!17:16
*** appprod0 has joined #openstack-ansible17:16
*** sshen_ has joined #openstack-ansible17:16
cloudnullwe'd need both.17:17
cloudnullcoherent tags should be a priority though17:17
cloudnullif ansible ever lets a pay set tags at run time it'd solve for both17:18
cloudnullbut we'll likely be waiting for ansible 317:18
odyssey4meyep17:18
automagically+1 on the discussion of tags vs vars17:20
*** KLevenstein has quit IRC17:20
*** Mudpuppy has quit IRC17:20
*** xek_ has quit IRC17:20
*** Bofu2U has quit IRC17:20
*** miguelgrinberg has quit IRC17:20
*** krotscheck has quit IRC17:20
*** loquacities has quit IRC17:20
*** McMurlock has quit IRC17:20
*** mgariepy has quit IRC17:20
*** gfa has quit IRC17:20
*** sshen has quit IRC17:20
*** neillc has quit IRC17:20
*** hughsaunders has quit IRC17:20
*** admiralboom has quit IRC17:20
*** dolphm has quit IRC17:20
*** nwonknu has quit IRC17:20
*** kmARC has quit IRC17:20
*** ggillies has quit IRC17:20
*** bapalm has quit IRC17:20
*** Tridde has quit IRC17:20
*** jcannava has quit IRC17:20
*** KLevenstein_ is now known as KLevenstein17:20
odyssey4mecloudnull FYI, to make 'depends-on' actually pull in a clone of the dependent repo/path requires us to implement a whole different way of pulling in the roles17:20
*** krotscheck has joined #openstack-ansible17:20
*** appprod0 has quit IRC17:20
cloudnullyuk17:20
*** miguelgrinberg_ has joined #openstack-ansible17:21
*** bapalm has joined #openstack-ansible17:21
*** dolphm has joined #openstack-ansible17:21
odyssey4meI'll work on it next week. It's going to need us to implement options when we bootstrap ansible - one is to use galaxy, another to use the git sources (I think this should be an option), and another is to use zuul-cloner.17:21
*** miguelgrinberg_ is now known as miguelgrinberg17:21
jmccrorymorning all17:21
automagicallymorning17:21
*** hughsaunders has joined #openstack-ansible17:21
*** jcannava has joined #openstack-ansible17:21
cloudnullmorning17:21
odyssey4meFor the gate we would need to use zuul-cloner, which is the thing that's instrumented to do what we need.17:22
cloudnullso zuul-cloner will pull in the depends on change ?17:22
odyssey4meyep17:23
cloudnullcan we force zuul-cloner to run  ?17:23
*** loquacities has joined #openstack-ansible17:23
odyssey4meSo I figured I'd make an adjustment to bootstrap-ansible to allow different ways of grabbing the roles, and just set the gate to use zuul-cloner.17:23
cloudnullIE let our scripts do all the things they already do, then have zuul-cloner blowaway what it needs ?17:23
*** Mudpuppy_ is now known as Mudpuppy17:24
odyssey4meat this point I don't know enough17:24
cloudnullme neither.17:24
*** nwonknu has joined #openstack-ansible17:24
odyssey4meI spent the whole day building something to work with what I thought was going on, then discovered that everything I thought I knew was a lie.17:24
cloudnullyou've stepped into the OpenStack zone!17:25
odyssey4meie https://review.openstack.org/285188 was a waste of time17:25
spotz:(17:25
*** appprod0 has joined #openstack-ansible17:25
odyssey4mebut it's there as yet another WIP patch in my list to remind me to get back to it, as this will be a critical feature for work going forward17:25
odyssey4meit would certainly smooth the glide path on the magical journey17:25
odyssey4meand yes, it's 17:30 on a friday :)17:26
odyssey4mesliante!17:26
cloudnullgate is 2.5 hours behind now.17:26
cloudnull:(17:26
odyssey4me*slainte17:26
cloudnullafk a bit17:27
odyssey4meI'm out for the weekend. Have a great day everyone!17:27
*** mgariepy has joined #openstack-ansible17:27
lbragstadodyssey4me o/17:27
automagicallyodyssey4me enjoy your weekend17:28
*** McMurlock has joined #openstack-ansible17:28
*** admiralboom has joined #openstack-ansible17:29
*** appprod0 has quit IRC17:30
*** v1k0d3n has quit IRC17:33
*** BjoernT has quit IRC17:34
*** sdake has joined #openstack-ansible17:34
*** appprod0 has joined #openstack-ansible17:34
*** galstrom is now known as galstrom_zzz17:35
*** cloudtrainme has quit IRC17:37
*** appprod0 has quit IRC17:39
*** raddaoui has quit IRC17:40
*** appprod0 has joined #openstack-ansible17:43
*** appprod0 has quit IRC17:48
*** eil397 has joined #openstack-ansible17:48
*** eil397 has left #openstack-ansible17:49
*** appprod0 has joined #openstack-ansible17:50
*** appprod0 has quit IRC17:56
*** appprod0 has joined #openstack-ansible17:59
*** shanec_ has joined #openstack-ansible18:03
*** appprod0 has quit IRC18:05
openstackgerritMajor Hayden proposed openstack/openstack-ansible-security: Security: Check for grub.cfg first  https://review.openstack.org/28548318:16
*** mgoddard__ has quit IRC18:17
*** mgoddard has joined #openstack-ansible18:17
*** Mudpuppy has quit IRC18:22
*** Mudpuppy has joined #openstack-ansible18:22
cloudnullanyone need help on anything ? Gate is >3 hours behind so I've got some time to kill :)18:26
openstackgerritKevin Carter proposed openstack/openstack-ansible: Remove deprecated config variables  https://review.openstack.org/28155518:29
spotzwow18:31
*** v1k0d3n has joined #openstack-ansible18:33
openstackgerritMerged openstack/openstack-ansible: Cosmetic PLUMgrid doc updates  https://review.openstack.org/28535518:33
*** abitha has joined #openstack-ansible18:33
*** v1k0d3n is now known as Guest4669618:34
*** turtle-learner has joined #openstack-ansible18:35
*** admin0 has joined #openstack-ansible18:36
openstackgerritMerged openstack/openstack-ansible: Release note for dynamic inventory args change  https://review.openstack.org/28475718:36
*** Guest46696 has quit IRC18:37
stevellecloudnull: care to give my gnocchi role a once-over?18:38
cloudnullsure sure18:38
stevellehttps://github.com/stevelle/openstack-ansible-gnocchi -- I know it's a bit behind the state of the art for our OS roles but it should only be pretty close18:39
stevelledocs and tests are the current work queue, then I'll work on getting it caught up on the tweaks18:40
cloudnullit looks pretty close.18:43
cloudnulldoes gnocchi have an http proxy header that it can set ?18:44
cloudnullsomething similar to https://review.openstack.org/#/c/277199/8/playbooks/roles/os_heat/defaults/main.yml18:44
cloudnullhttps://review.openstack.org/#/c/277199/8/playbooks/roles/os_heat/templates/heat.conf.j218:44
*** abitha has quit IRC18:44
stevellecloudnull: I believe so. I haven't done the TLS enablement work.18:45
cloudnullok18:45
cloudnullwas just curious18:45
stevelleand no docs so every feature is fun18:45
cloudnullreading through the defaults18:45
stevelleAt this point I think the best bet would be to put Apache in as a reverse-proxy instead of doing mod_wsgi18:46
cloudnulldoes gnocchi support mod_wsgi ?18:47
*** jiteka1 has quit IRC18:47
stevelleyeah, I have that set as default behavior now. not doing venvs correct since mattt fixed them for other services18:48
stevellethere's a var to have it run standalone though for dev tinkering18:48
*** agireud has quit IRC18:55
cloudnullstevelle:  this all looks good to import into the namespace18:56
stevellenice, thx18:56
*** agireud has joined #openstack-ansible18:57
*** tiagogomes has quit IRC19:01
*** galstrom_zzz is now known as galstrom19:02
jmccroryhey cloudnull, whenever you get a moment, what prevents splitting out existing role histories for independent repos?19:03
cloudnullnothing really. if you have a good way to do it we can get it done.19:04
*** admin0 has quit IRC19:05
*** admin0 has joined #openstack-ansible19:05
*** permalac has joined #openstack-ansible19:05
jmccrorythis worked for me in the past https://help.github.com/articles/splitting-a-subfolder-out-into-a-new-repository/19:05
cloudnullill try that on the os_ roles19:06
cloudnullit was a mess at my last go19:06
cloudnullbut ill try it again19:07
*** raddaoui has joined #openstack-ansible19:12
*** Mudpuppy_ has joined #openstack-ansible19:16
*** Mudpuppy has quit IRC19:16
*** Mudpuppy_ has quit IRC19:17
*** Mudpuppy has joined #openstack-ansible19:18
openstackgerritBjoern Teipel proposed openstack/openstack-ansible-rabbitmq_server: Adding ERLANG VM tuning parameters  https://review.openstack.org/28489919:24
openstackgerritBjoern Teipel proposed openstack/openstack-ansible: Adding release notes for erlang VM tuning parameters  https://review.openstack.org/28550619:24
*** skamithi14 has joined #openstack-ansible19:29
*** raddaoui has quit IRC19:29
*** raddaoui has joined #openstack-ansible19:30
openstackgerritBjoern Teipel proposed openstack/openstack-ansible: Adding release notes for erlang VM tuning parameters  https://review.openstack.org/28550619:30
*** Bjoern_ has joined #openstack-ansible19:31
Nepoccloudnull: just when I thought I had everything ironed out with ssl offloading... half of my setup broke19:31
automagicallyNepoc: oh no, what happened19:31
cloudnull^ ++19:32
*** skamithi13 has quit IRC19:32
Nepoccloudnull: I have some other playbooks that run various nova commands such as "nova --insecure list"... I get back "stderr: /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:100: InsecurePlatformWarning: A true SSLContext object is not available"19:33
NepocFollowed by "InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised"19:34
automagicallyNepoc: But that should be a warning only, not a failure19:34
cloudnullthat should be just a warning.19:34
cloudnullit shouldnt be stopping the services from running.19:35
admin0hmm .. anyone seen this before ? ERROR 1932 (42S02): Table 'keystone.user' doesn't exist in engine19:35
admin0a new 3 cluster openstack install19:35
Nepocautomagically: Technically everything is running... except my additional playbooks19:35
admin03 controller node standard ansible install19:35
admin0but it had data before reboot :D19:36
admin0test data .. so phew !19:36
Nepoccloudnull: any ideas on getting the ca in the right place so i don't have any errors?19:36
cloudnulladmin0: seems like the the keystone db migration has not run ?19:36
Nepoccloudnull: also I can then drop the --insecure which is breaking my other playbooks19:36
admin0well, it had data ..   ( a test clsuter ) .. we shut it down .. now its up ..  and says that19:37
cloudnullis the db cluster in a bad state?19:37
cloudnullmaybe its out of sync ?19:37
admin0hmm.. would out of sync cause this ?.. table not found19:38
cloudnullNepoc: /etc/ssl/certs normally -- then update the certs --  http://manpages.ubuntu.com/manpages/trusty/man8/update-ca-certificates.8.html19:38
cloudnulladmin0: if the cluster was split brained or having replications issues i guess it could.19:39
openstackgerritBjoern Teipel proposed openstack/openstack-ansible: Adding release notes for erlang VM tuning parameters  https://review.openstack.org/28550619:39
admin0hmm. .. i am going to reformat, redo the OS .. and retry , but this time with a managed mysql19:39
cloudnullis this our galera cluster ?19:40
admin0ansible created cluster :D19:40
cloudnullIE mariadb + galera3 deployed from our playbooks ?19:40
admin0yes sir19:40
cloudnullhave you rebootstrapped the cluster after bringing it back online ?19:40
admin0yep19:40
Nepoccloudnull: I did that, still complains19:40
cloudnull:'(19:41
cloudnullto both the last replies19:41
Nepochaha19:41
* admin0 goes back to reformating the clsuter again 19:41
admin0*cluster19:41
cloudnulladmin0: is the table missing on all of the cluster nodes ?19:41
admin0tables are there, data seems to be there19:41
admin0just mysql select says not there19:41
admin0and everything is just stuck :)19:41
admin0i want to re-do it anyway19:42
cloudnullim going with cosmic rays ....19:42
cloudnull:)19:42
admin0brb19:42
cloudnullkk.19:42
cloudnullNepoc: if you execute the command manually does it complain ?19:44
*** kencjohnston has quit IRC19:44
cloudnulland is it complaining on the deployment node as well as the one of the api nodes ?19:44
NepocI'll let you know shortly, currently rebuilding19:44
lbragstadcloudnull another question on the os_keystone role ;)20:05
cloudnulljmccrory: thanks for the tip. i modified it a bit but have saved all of the history. IE https://github.com/os-cloud/openstack-ansible-repo_build20:05
cloudnulllbragstad: shoot20:05
lbragstadcloudnull have there been any discussions around breaking the install of dependencies into the installation of optional deps and required deps?20:06
palendaeNone that I'm aware of20:06
cloudnullpip/apt packages?20:06
palendaeThough I think we should probably look into using the role meta files to define that20:06
palendaecloudnull: I took it to mean ansible role deps20:06
lbragstadcloudnull pip packages - https://github.com/os-cloud/openstack-ansible-os_keystone/blob/master/defaults/main.yml#L360-L37620:07
palendaeOh! Nevermind then20:07
lbragstadcloudnull actually - I could just override those20:07
* lbragstad facepalm20:07
cloudnullyou can override them20:07
lbragstadsweet20:08
cloudnullwe have no plans as of yet to seperate optional and required deps20:08
*** woopstar has joined #openstack-ansible20:11
NepocAnother question/thought... why was haproxy chosen over pound?20:11
woopstarWhen running the haproxy-install playbook on a clean setup, it fails at the task "haproxy_server | Create haproxy service config files" with the following: 'msg': 'AnsibleError: host not found: [', 'failed': True20:12
*** javeriak has joined #openstack-ansible20:15
*** javeriak has quit IRC20:16
*** javeriak has joined #openstack-ansible20:16
*** raddaoui has quit IRC20:17
*** galstrom is now known as galstrom_zzz20:17
cloudnullNepoc: there was no real reason20:18
cloudnullits just something many of us know20:19
cloudnullim sure there are better solutions than haproxy but it works20:19
NepocOkay, we used pound here for our previous openstack deployment and the configuration is dead simple for ssl termination20:19
NepocI'm considering swapping it out if I have no more luck today20:20
NepocIf I do I'll share the playbook20:20
*** ShannonM has quit IRC20:20
*** alejandrito has joined #openstack-ansible20:20
*** javeriak_ has joined #openstack-ansible20:21
*** javeriak has quit IRC20:21
*** yarkot_ has joined #openstack-ansible20:22
NepocOut of curiosity how many people are working on the openstack-ansible project?20:23
admin0Nepoc:  i am testing it out .. install it 2-4 times per day :D20:24
NepocHaha sounds like what I do20:24
admin0but i am no developer yet20:24
palendaeNepoc: Active contributors? Mmmm, not sure20:25
NepocAcceptable answer :)20:25
*** yarkot_ has quit IRC20:26
admin0well, i will start to contribute20:26
admin0need to undstand fully what it does first20:26
palendaehttp://stackalytics.com/?module=openstack-ansible is a way to guess20:26
admin0i will contribute on documentation for sure20:26
palendaeThough No idea why Monty's so high on there cause I don't think he's provided many patches. Nor does he work for Racksapce20:26
palendaelol wut20:27
palendaeTHat's odyssey4me http://stackalytics.com/?user_id=jesse-pretorius&project_type=openstack&release=mitaka&company=&metric=marks&module=openstack-ansible20:27
admin0no irc nicknames there .. http://stackalytics.com/?module=openstack-ansible20:27
palendaeadmin0: No20:27
admin0boo :D20:27
admin0should be there as well20:27
palendaeBut for rough number20:27
admin0so we know who his who20:27
palendaeI'm only #11 :(20:28
admin0i am #0 :D20:28
admin0maybe -1111111120:28
admin0#11 sounds much much better20:28
NepocNext random question, is the move to Ansible 2.0 on the horizon?20:29
admin0yes ( far far horizon ) .. that i know so far20:29
admin0from camping here20:29
NepocYeah I thought I saw it pop by a few times20:29
palendaeNepoc: Yeah, people are trying it out, but there seem to be some bugs with 2.0 still, and it appears that using 2.0 will require a hard cut over in terms of playbook compatibility20:31
NepocOh joy...20:31
palendaeThe people who have looked closest at it aren't confident in switching yet, at least on this project20:31
NepocGood :)20:32
admin0ok guys .. my cluster is done ..   lets say i have one hardware node called c11 with 172.29.236.11  .. and i installed mysql here .. what do I need to do such that:   1. i can pass the mysql host/user/pass so that ansible uses this database .. and 2. i tell the system to install haproxy in here20:33
Nepocmagic20:33
admin0:)20:33
admin0and myabe tell the system its the network node also ( all metal )20:34
admin03 birds with 1 stone :D20:34
admin0with 1 ansible20:34
NepocIf you're asking what I assume you're asking you just need to set the IP for all the host types to that20:34
NepocSounds like you're almost doing a AIO20:35
* admin0 has never done an AIO 20:35
admin0aio = all in 1 server stuff right20:35
Nepocyeah20:35
admin0nah .. i got 8 servers to play wtih20:35
Nepochaproxy one is pretty easy check in /etc/openstack_deploy/conf.d/haproxy.yml.example20:36
NepocIf you want to run the galera node on hardware you might need to change this /etc/openstack_deploy/env.d/galera.yml20:40
admin0thanks .. looking at those20:41
admin0well, haproxy is fairly straightforward20:43
admin0galera, could not make sense of it20:43
admin0how to map it to metal/existing user/pass/host20:44
NepocI just looked through the playbooks... Looks like a lot of work to me.20:45
admin0oh20:46
admin0ok20:46
admin0next stop, how to enable/add a new cluster as region2 in an exitsing clsuter20:47
NepocThough I wouldn't settle for my answer, cloudnull/palendae... anyone else might have a better idea20:47
admin0https://review.openstack.org/#/c/284449/20:47
admin0i know from there odyssey4me  knows this :D20:48
admin0if it provides keystone commands I need to enter in some add-as-region2.txt file, i would be happy20:48
stevelleadmin0: to make playbook run on hardware, update file in env.d/ as in https://github.com/openstack/openstack-ansible/blob/ac7bb0306fa2337238771a6591f4875b49ff56a4/etc/openstack_deploy/env.d/haproxy.yml#L3120:48
stevellethough I think you got that20:49
admin0yep :)20:49
admin0that part is clear to me20:49
admin0is_metal: true is the magic for anything that i want to shift from container to metal20:50
stevelleyup20:50
stevellenow next step I'm confused about the region2 bit20:51
admin0ok .. the ansible is focused on new environemnt right ?20:51
*** ShannonM has joined #openstack-ansible20:51
stevellesure20:51
admin0i want to setup a  new cluster, but as region2 .. ( reuse existing keystone )20:51
admin0so everything is new .. except it shares just the keystone20:52
stevelleyou say new "cluster"20:52
admin0so in an existing keystone, its added ( either manually or automatically ) as a region220:52
stevelleyou're not talking about clustering galera right? :)20:52
admin0no no20:53
stevellethat's it's own thing20:53
admin0group of computers thrown together and called a cloud :D20:53
stevellegive me a sec to try and put this together.20:53
woopstar:D20:53
admin0how do i refer to a group of systems where openstack is setup20:53
stevelleadmin0: do you want keystone services (and presumably containers) in the deployment or do you want to exclude keystone entirely from region2 and just point region2 services at existing keystone api?20:54
admin0ok.. i have 10 computers in roomA and where i setup openstack-ansible and its running .. now I have another room, where i have 10 more computers .. I can install ansible again, but it will be 2nd openstak .. means 2 sets of username , password, horizon etc ..   instead, I want to setup openstack in room2, but add it as region2 in exisitng keystone20:54
admin0well, exclude keystone entirely20:54
admin0assume there is one keystone out there20:55
stevelleok, first thing. for all the os_* services you do deploy, you will want to configure them as "region2" (or whatever name you pick). you need to add overrides to your user_variables for this: (cinder_service_region, neutron_service_region, etc)20:58
admin0maybe a good idea to move this to user_config one place20:58
admin0insead of using overrides for all20:58
admin0maybe it can be my first contribution :D20:58
admin0\o/20:58
admin0first thing noted down on the todo20:59
stevelleI think this might work as an example file or content in docs, keeping it up to date as variables shift is a little work but might be worth it20:59
*** woodard has joined #openstack-ansible21:01
admin0stevelle: so 1. change all those variables   2. set keystone containers to zero i think .. waiting for 3.21:02
stevellenext thing is you have to tell all the os_* service where to find keystone.  So override: keystone_service_adminurl  and keystone_service_internaluri21:03
admin03. check21:04
admin0does the endpoint need to be added beforehand or after ansible-setup here ?21:04
woopstarHave you guys considered adding LetsEncrypt to the project?21:04
stevelleadmin0: question not clear21:04
admin0i mean when i am setting up a new cluster, do I need to add the endpoints beforehand to keysotne21:05
admin0or the ansible scripts never do a keystone call to verify that its running and working as it should21:05
stevelleadmin0: you don't have to add region2 endpoints. the playbooks will do that. See also tasks/cinder_service_add.yml -- Also you need to override keystone_auth_admin_token with the token from region121:06
stevelleall the os_* services have a service_add like task list21:07
admin0ok21:07
admin0so i am installing liberty .. the other keystone, what might be the minimum version requirement there ?21:07
admin0can a icehouse or juno also work ?21:07
admin0or that other one needs to be upgraded first to liberty21:08
stevelleI am going to bet you will have a bad time trying to use a juno Keystone.21:08
admin0ok ..  can a icehouse or juno install just work fine with only keystone upgraded to liberty21:09
stevelleOne of the other things to note is Liberty wants to deploy with Keystone V3, so support for that is a reasonable lower bound on your keystone unless you want to further mess with things21:09
admin0i have environments with icehouse and juno, and i want to add liberty as region2 to existing keystone21:09
stevelleI can't make any claims to knowledge about whether you can get that to work.21:09
stevelle(I dunno)21:09
admin0ok21:09
admin0my thought was irrespective of the openstack version,  keystone can be upgraded independently21:10
admin0but will need to test this21:10
*** skamithi14 has quit IRC21:11
stevellekeystone is pretty serious about backward compat but that icehouse to liberty is a big jump21:11
*** skamithi13 has joined #openstack-ansible21:11
*** yarkot_ has joined #openstack-ansible21:13
stevellein case I missed another variable for configuring region2 services, the key places you can look to identify possible issues is the *_service_add.yml task file in each service, and then peek at the *.conf.j2 file in the service role's template. You can probably work out what other variables you would need to set (like if keystone is running insecure there are vars for that)21:13
admin0stevelle: my case for this is here: https://blueprints.launchpad.net/openstack-ansible/+spec/enable-installation-as-alternate-region  in the opening arguments :D21:13
stevelleI remember getting the outline earlier this week21:14
*** alejandrito has quit IRC21:16
stevelleadmin0: there will be other vars that probably will need to be overridden but this is the starting point for finding them21:16
admin0all noted down21:16
*** woopstar has quit IRC21:18
*** javeriak_ has quit IRC21:19
*** weezS has quit IRC21:23
*** johnmilton has quit IRC21:24
*** ShannonM has quit IRC21:29
*** yarkot_ has quit IRC21:29
*** bsv has joined #openstack-ansible21:35
cloudnullok, i've had enough cloud for today. bbl21:36
spotzlater cloudnull!21:37
admin0have a great weekend21:37
*** agireud has quit IRC21:41
*** jamielennox is now known as jamielennox|away21:43
*** agireud has joined #openstack-ansible21:43
*** cloudtrainme has joined #openstack-ansible21:55
*** spotz is now known as spotz_zzz21:57
openstackgerritNate Potter proposed openstack/openstack-ansible: Check for AODH host before adding alarm_connection  https://review.openstack.org/28439221:58
openstackgerritNolan Brubaker proposed openstack/openstack-ansible: Add upgrade config change tools  https://review.openstack.org/28556421:59
*** KLevenstein has quit IRC22:07
*** raddaoui has joined #openstack-ansible22:10
bgmccollumhe'll be back...he always comes back.22:15
NepocWell some mild success... though I have no idea why the certificates are not valid with the ca imported.22:20
openstackgerritNolan Brubaker proposed openstack/openstack-ansible: Upgrades: Cleanup RabbitMQ / vhost  https://review.openstack.org/27265222:25
*** keedya has quit IRC22:34
admin0so for galera,  in env.d, i see  galera_container: belongs to: infra_containers and shared-infra_containers ..  so i can remove those 2 lines, and put say  belongs to:  galera_phsical_host, and then in the user_config, put    galera_physical_host:  ?22:37
admin0is that how its mapped ?22:37
stevellenot exactly.  we need better docs for the skeleton22:38
admin0help me understand and i will write the docs :D22:42
admin0i want to have a section called mysql_hosts:22:42
admin0and for that,  i need to do  galera_container: belongs to mysql_hosts  and in properties is_metal = true :D22:43
stevelleyou want galera on the host instead of in a container?22:45
admin0yes sir22:45
*** raddaoui has quit IRC22:45
stevellehttps://github.com/openstack/openstack-ansible/blob/master/etc/openstack_deploy/env.d/galera.yml#L30 add "is_metal = true" as a property22:45
stevellethat should do it just like it did for haproxy22:46
admin0but in haproxy, we have haproxy_hosts22:47
stevellerather : instead of =22:48
admin0and how/under what heading do I specify the hosts22:48
admin0because the mysql server will be doign just mysql  .. no other infra services there22:48
*** neillc_ is now known as neillc22:49
admin0mysql will not be a part of infra_hosts or shared_infra_hosts22:49
admin0galera_container: belongs to galera_containers , and in user_config,    galera_hosts: ?22:51
admin0right now, say  galera, rabbit and memcache ,, all belong to infra_containers and shared-infra_containers  ..  suppose, I want to install them on metal on a different host that is not a part of the infra ..    in that case, I do need to create that new group right ?22:54
*** abitha has joined #openstack-ansible22:55
stevelleok, the symmetry isn't there so it's a little messy22:56
stevelletrying to work out the simplest model22:56
admin0http://pastebin.com/YSph7AYe  — like this ?22:57
stevellefirst I would use galera_hosts instead of database_hosts for consistency22:58
admin0yes for only galera, .. suppose if i want to run memcache, rabbit and mysql on a group of servers on metal , i can do something like high_mem_ssd_hosts    on openstack_user_config .. and on each service i want to run,  do the belong to:  high_mem_ssd_container  ..and is_metal: true23:00
admin0is that how mapping is done  ?23:00
stevelleditto for database_containers23:00
stevelleyou can't just make up a name without defining it somewhere else23:00
admin0so there is a third  file also where mapping is used ? .. i thought it was just beteen the env.d and user_config23:01
admin0*between23:01
stevelleWhere Things Live are defined by the merge of: openstack_user_config.yml and conf.d/*23:02
stevelleWhat Things goes to the openstack_environment.yml and env.d/*23:02
stevellethat much you get23:02
stevelleif a label is used in the Where side, you must define it in the What side23:02
NepocYeah I made a custom node ovs_hosts, I had to enter it into env.d and openstack_user_config.yml23:04
admin0stevelle: .. so is this understanding correct then? http://pastebin.com/Xy3PYNcF23:05
stevellehmm, not quite yet23:06
stevellestill piecing together something to show you23:06
admin0ko23:06
admin0ok23:06
Nepochttp://pastebin.com/h40sJCpk23:06
NepocI'll laugh if that's not supposed to work :)23:07
admin0Nepoc:  .. i get the openstack_user_config.yml bit .. but i do not see where what is using the ovs_hosts ?23:08
stevelleNepoc and admin0: this is my equivalent to adding a new os_* service for either bare metal or containered. similar to your ovs. https://github.com/stevelle/openstack-ansible-gnocchi/tree/master/ext/openstack_deploy23:08
stevellebut I'll go back to building my etherpad to show you23:08
*** sigmavirus24 is now known as sigmavirus24_awa23:08
NepocThe playbook determines what uses which hosts23:09
stevellehttps://etherpad.openstack.org/p/ZhfQsOBkwp23:10
*** Bjoern_ has quit IRC23:12
*** skamithi has quit IRC23:12
admin0i see it .. so no matter what you do,  the infra_containers and shared-infra_containers is always evaluated  ..23:13
Nepocfor galera the playbook shows hosts: galera_all23:15
NepocSo you can define something new that is part of galera_all23:15
Nepocphysical_skel:23:16
Nepoc  my_galera_hosts:23:16
Nepoc    belongs_to:23:16
Nepoc      - galera_all23:16
Nepocoops23:16
Nepocspam23:16
NepocUnless I'm just wrong, but I "believe" it works23:17
NepocIt will also add it to anything under shared-infra_hosts if I'm not mistaken23:20
NepocSo everything that is grouped by the shared-infra_hosts  you would need to break out I think23:23
admin0cat haproxy.yml | sed 's/haproxy/highRAM_SSD/g'   >  env.d/highRAM_SSD.yml   #  \o/ \o/  \o/23:23
admin0and then use the highRAM_SSD_hosts: mapping :D ?23:24
admin0definately not a thing for friday evening chat :)23:24
Nepochaha23:27
Nepocno probably not... speaking of which I've been at the office for longer than I can remember. Time to go home23:27
admin0i was thinking to run database on metal directly on DB_HOSTS ( say for example ) and  instead of infra_hosts, create new group called NEUTRON_HOSTS (which physically have different network cards that do checksum offloading) .. .. so 1 new group for metal, 1 new group for containers ( both not infra, shared etc ) ..23:27
admin0this is difficult to grasp :D23:27
NepocYeah I bashed my head into the wall a few times getting it into my head23:28
Nepocanyways! Have a good weekend everyone!23:28
stevelleNepoc: may have given you a good lead there23:28
admin0:)23:29
stevellesomewhere between the pad and that you should find something23:29
stevellejust doing and adhoc ansible -m ping of the highRAM_SSD_hosts group should help you see how you're doing along the way23:30
*** johnmilton has joined #openstack-ansible23:30
admin0stevelle, so to create cotainers on specialized hosts, say NEUTRON_HOSTS, i  can cat/sed/replace  os-infra.yml to NEUTON-HOSTS.yml right ? that creates the new contianer-group and i just map services to this group via user_config.yml .. for is_metal:true stuff, I just do the physical_skel ?23:31
admin0i will understand if there is a workign example of the new files or new groups23:31
stevellerunning the galera nodes on metal really wouldn't necessarily buy you much would it?23:31
stevelleso long as it's on the right hardware23:32
admin0well, i am an integrator/consultant ..  there are customers who have ( thier awesome dba team/department ) insisting that all DB needs to be on X hardware23:32
*** retreved has quit IRC23:33
stevelleyeah, it would be on that hardware, just running chrooted :)23:33
stevellenot like there is a big virtualization cost there23:33
admin0but as soon as I understnad this mapping . i think i can map anything anywhere :D23:33
admin0you want it in your hardware sir, why not .. let me re-map for you .. viola . done23:33
admin0:D23:33
stevellenot my problem23:34
admin0yeah23:34
stevelleso service by service in env.d just point it at the right parent23:35
admin0well in my ofice, i need the mysql on a high-io stuff, and the neutron containers on a dedicated hosts which have better cards for checksum offloading23:35
admin0so trying to understand this mapping better23:35
stevelleand create the right parents as you're saying by defining the structure similar to os-infra or shared-infra files23:35
admin0will use example of haproxy for is_metal possibility services23:35
admin0and will us example of os_infra for the neutron group23:36
admin0and see if it works23:36
admin0the etherpad was useful23:36
*** skamithi13 has quit IRC23:36
* admin0 gives a big pizza to stevelle 23:36
stevelleg/l23:37
admin0err.. whats a g/l ?23:37
stevellegood luck23:37
admin0:D23:37
admin0thanks23:37
admin0how do devs undstand all this ?23:38
admin0is this a yml thing :D ?23:38
admin0or a anisble thing23:39
admin0or a rackspace/nasa thing :D23:39
stevelleapplication of copious amounts of salt fat sugar and often alcohol until the concepts penetrate23:39
stevelleymmv23:40
*** skamithi13 has joined #openstack-ansible23:40
* admin0 goes to gulp redlabel whiskey 23:40
admin0Nepoc: banging the head in the wall was not the way :D ..  need alcohol and sugar23:40
stevellejust different forms of the same stuff there23:41
Nepoclol23:42
admin0stevelle: this mapping concept will not change soon right ?  i spend weeks to let it penetrate and viola .. changed in the next patch :D23:42
NepocI don't drink and rarely consume sugar... the wall was the best option23:42
stevelleadmin0: I'm not aware of a plan to change it this week. No guarantees for what might happen in June23:43
stevellewe won't likely be reducing the flexibility23:44
admin0and i left puppet and ceph thinking its in ansible . how hard could it be :D23:44
admin0https://github.com/stevelle/openstack-ansible-gnocchi/tree/master/ext/openstack_deploy seems to help23:46
stevellegood23:50
*** sdake has quit IRC23:53
*** sdake_ has joined #openstack-ansible23:53
stevelle\o out23:56
« Thursday, 2016-02-25 Index Saturday, 2016-02-27 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!