Saturday, 2015-07-25

*** kebray has joined #openstack-app-catalog03:45
*** kebray has quit IRC06:08
kfox1111_docaedo: Does the chef entry replace the correct one in the right order? I'm not sure the correct ordering. if it is, then I'm ok +ing it.19:14
j^2yeah i created it whith what docaedo wanted20:27
j^2with what i think he wanted i mean20:27
kfox1111_has any work been done on a heat template to go along with it?20:28
kfox1111_its really handy to have a cinder volume to go along with chef servers.20:28
kfox1111_that way you can destroy/rebuild the vm quickly and keep your server's data safe on the volume.20:29
kfox1111_j^2: Approved. Should go through shortly.20:30
j^2rock on20:32
openstackgerritMerged stackforge/apps-catalog: Added the Chef logo for the main page
j^2kfox1111_: i know little about heat to be honsest20:32
j^2this was my excuse to start learning it though20:32
j^2any suggestions on tutorials or anything to help bootstrap me?20:33
kfox1111_I have e presentation I've been writing that might help. its not quite done yet...20:39
j^2anything would me helpful :D20:39
kfox1111_I've got some examples I've been doing that may help too.20:39
j^2oh nice.20:39
j^2i’ve started working with the jjb too, that is suprisely hard if you are coming from nothing20:40
kfox1111_I've been putting most of what I've been doing out here:
kfox1111_One of the simplest is under mgmt.20:40
kfox1111_The Init template creates a formatted cinder volume with stuff in it.20:41
kfox1111_the Mgmt.yaml template consumes the volume and hydrates it unto a workable server.20:41
kfox1111_Its a pretty old template though. doesn't use too much of the yaml features heat has now.20:42
j^2ah ok, cool, but it’s something to start with20:42
kfox1111_   is a newer one by the looks of it.20:43
kfox1111_a little easier to read. might be a better starting point.20:43
kfox1111_np. let me know if you have any questions. :)20:43
kfox1111_the #heat chanel is also quite responsive when I've had issues.20:43
kfox1111_gota head out. talk to you later.20:43
openstackgerritJJ Asghar proposed stackforge/apps-catalog: Chef Server Link was wrong
j^2*facepalm* the link was missing “server” ^^^21:28
openstackgerritMerged stackforge/apps-catalog: Chef Server Link was wrong
openstackgerritJJ Asghar proposed stackforge/apps-catalog: It's placed under images not glance-apps
kfox1111_docaedo: sent an email to the list. Curious if some integration with the TripleO folks would be in order.22:11
j^2kfox1111_: can you +1 +2 that review, it seems there is different glance-apps and glance-images?22:11
kfox1111_I as going to, but docaedo looks like got to it first.22:12
j^2oh i mean22:13
kfox1111_oh. just a sec...22:13
j^2thanks, yeah didnt realize theres glance-apps and glance-images22:13
j^2wow, that’s what happens when you try to cargo cult i guess22:14
kfox1111_me neither. good catch. :)22:14
kfox1111_Should be much better when we get stuff merged into one yaml file.22:15
kfox1111_we can use the same identifier everywhere then.22:15
j^2kfox1111_: makes sense22:15
openstackgerritMerged stackforge/apps-catalog: It's placed under images not glance-apps
j^2:rockon: thanks!22:16
kfox1111_np. thanks for catching the error and proposing the fix so fast. :)22:16
j^2i really do want to become active in this project22:17
j^2it’s a great idea for openstack as a whole22:17
j^2the best thing i can do is keep up with what i’m trying to propose :D22:17
kfox1111_yeah. its a big help. :)22:18
kfox1111_One of the groups I work with at PNNL is using Chef. Its great to see the bar lower for setting up a working Chef server. :)22:19
j^2yep, there is one bug with it though, i wrote up a workaround today. They plan on a fix for 12.3 which should be a release or two away22:20
j^2that’s assuming youre lazy like me and use self signed stuff22:20
j^2other than that, that chef server is good enough to run 10,000s of nodes if needed22:21
kfox1111_ah. yeah.22:22
j^2btw, the image was built:
j^2we’re internally debating on the iptables thing22:23
j^2i’m pushing for it, it seems that this should be as secure as possible and the majority of the “best practises” possible22:23
kfox1111_iptables for the openstack version?22:25
j^2on the image for centos6 and the glance image and chef server22:25
j^2just have 22 80 and 443 open nothing else22:25
j^2that’s all you need for a standalone chef server22:25
kfox1111_Yeah. I can see that. We've been doing something very different.22:25
j^2yeah there’s like 6-7 different ways to set up a chef server that isn’t standalone22:26
kfox1111_we've been doing it all with heat. using a custom security group with the vm.22:26
j^2ahh interesting22:26
kfox1111_there are 2 main advantages to doing it that way.22:26
kfox1111_1, security group changes are easier to manage from within the cloud. updates apply automatically.22:26
kfox1111_and 2, its more secuire if something gets comped. if someone gets into the vm, they can not touch the firewall since it exists outside of the vm.22:27
j^2yeah that’s how AWS tells you to do it, per my aws cohort. being i can’t mandate it i thought iptables was a good….copromise22:28
kfox1111_so are you a chef guy? what do you spend most of your time on?22:29
kfox1111_might make it configurable ala cloud-init.22:31
kfox1111_#!/bin/bash no-setup-iptables or something. Then if you wrap it in a heat template, you can disable that piece.22:32
j^2 :D22:33
j^2kfox1111_: yeah i work for chef22:33
j^2i’m the Chef “OpenStack” dude22:34
j^2anything openstack and chef related comes through me22:34
j^2kfox1111_: nice, on the cloud-init thing22:34
kfox1111_cool. :)22:34
kfox1111_I'm sure we'll be chatting more on that subject at some point. :)22:36
j^2sounds great22:36
j^2part of my job is to attempt to elevate the chef community in the openstack community, so anything i can do to help or whatever don’t hesitate to ask22:37
j^2hence the glance image, i thought it was a pretty easy get to get more people start playing with chef in/on/with openstack22:38
j^2and obviously i dog food this too; its how i build my chef server in my clouds22:38
kfox1111_cool. :)22:38
kfox1111_I can think of a few ways to really enhance things.22:39
j^2i’d love to hear em22:40
j^2any chance you’re going to either the ops meetup or toyko?22:40
kfox1111_one big one that I've almost written a few times is a better bootstrapping mechanism. chef has a problem in that it assumes it is driving the show.22:40
kfox1111_slight chance. Not sure. :/22:40
kfox1111_so Heat has this awesome feature called autoscaling.22:41
kfox1111_it creates/destroyes vm's as needed.22:41
kfox1111_you can say, "I want between 3 and 10 of this heat template"22:41
kfox1111_and it will make it so. :)22:41
kfox1111_but the knife bootstrap thing totally doesn't work with it.22:42
kfox1111_chef needs some kind of integration with nova or heat such that when it launches things, it can bootstrap the node on your behalf.22:42
j^2sounds like a feature request to knife openstack?22:43
j^2heat template support?22:43
kfox1111_maybe? I'm not sure it belongs in knife, or is just a new kind of heat resource?22:43
kfox1111_or if it belongs as a nova plugin somehow.22:44
j^2it doesn’t seem very radical, it seems like something that should be there already22:44
kfox1111_it would be nice if you coud associate a chef server with a keystone tenant,22:44
kfox1111_and all vm's built in that tenant are automatically enrolled to the server.22:44
kfox1111_no boot strap needed.22:44
j^2You given me something to think about22:46
j^2There is something here though22:46
kfox1111_another thing would be chef as a service. provide one chef instance at the cloud operator to tenants so they don't have to manage their own server. maybe tie it into the horizon dashboard too. that would be awesome. :)22:47
kfox1111_it could tie into the previous feature too.22:48
j^2Chef 12 should be able to do that what your suggestioning22:48
j^2The cloud operator22:48
kfox1111_You'd need keystone integration for authentication and hopefully some kind of dashboard integration too.22:49
j^2Oh that's true Keystone integration would be the hard part22:49
j^2I have to learn more about how to do that though22:49
kfox1111_I don't think it would be too hard to do. just a bit of work to have a ui that lets you create/fetch admin keys for a tenant.22:50
kfox1111_and map the keystone tenants to a chef one somehow.22:50
j^2Be nice if there were Shared keys though22:51
j^2Shuffle requires a pem so in theory we could take that from Keystone22:51
kfox1111_yeah. the admin key would be for the whole tenant. but with the ui like that, the users coudl self provision their chef admin keys if they wanted. then the op doesn't have to be involved.22:51
j^2I think there's something really here22:52
kfox1111_really basic horizon integration could just bring you to the right place in the chef web ui. nicer integration would actually embed it somehow.22:53
kfox1111_the third integration point I'd releally like to see, but somewhat behind the first 2, is security related.22:54
j^2Could you explain that22:54
kfox1111_encrypted databags really don't work well with the heat autoscaling model either. some kind of easy barbican integration would be nice.22:54
kfox1111_so encrypted data bags are associated with a node by search usually.22:54
kfox1111_but the query has to be vetted by and admin, or else any vm can add the attribute to get a given key and get access to it automatically.22:55
kfox1111_'by an admin'22:55
kfox1111_but requiring an admin to verify a node should get a key doesn't work when the vm should get it automatically to make autoscaling work. :/22:56
j^2i think i follow yeah, that is a challange22:56
kfox1111_I've been working a different angle to let vm's get keystone users so it can talk to barbican.22:57
kfox1111_if that makes it through, vm's can get access to the secrets they need.22:58
kfox1111_chef just needs to be able to fetch them when needed from barbican.22:58
kfox1111_so maybe some encrypted databag comptable abstraction layer that can pull from either encrypted databags or from barbican would help.23:00
kfox1111_that way existing cookbooks don't have to be rewritten.23:00
j^2so i get it barbican becomes the data store for the data bags23:02
*** kebray has joined #openstack-app-catalog23:02
kfox1111_Those are the big thinkgs I can think of.23:11
kfox1111_probably a bunch of minor things that would be nice to have's.23:12
kfox1111_oh. one more I'd kind of like to see, which might be much harder, is multiple servers...23:16
kfox1111_can be dangerious, but the intent is, the tenant wants to use config management for config mangaement. setting stuff up, configing it, etc.23:17
kfox1111_the cloud operator itself may want to manage all the vm's themselves via chef also, to ensure all security updates are applied, etc.23:17
j^2yeah as i get my head wrapped around heat no reason why i couldnt create an HA template23:20
kfox1111_that would be awesome. :)23:21
j^2Got to go baby is crying till Monday23:21
kfox1111_have a good one. :)23:23

Generated by 2.14.0 by Marius Gedminas - find it at!