Wednesday, 2016-01-06

*** cleverdevil has quit IRC00:01
*** jordantardif1 has joined #openstack-astara00:12
*** jordantardif has quit IRC00:16
*** jordantardif1 has quit IRC00:24
*** jordantardif has joined #openstack-astara00:30
manjeetssorry ping00:51
adam_gmanjeets, hi00:55
manjeetsi tried login to router using ipv6 address of mgmt00:57
manjeetsis that right one ?00:57
adam_gmanjeets, yes, as user 'astara'00:57
manjeetswhen i check nova instance for router it shows only ipv6 address00:57
adam_gmanjeets, right00:58
manjeetsjust curious does it support ipv4 networks as well ?00:58
manjeetssuppose i create a network with IPv4 subnet range00:58
manjeetsto new router if i add that subnet on interface it should work ?00:59
adam_gmanjeets, that should work. there are some current bugs we're working through around using ipv4 for the management network00:59
adam_gmanjeets, but attaching the router to ipv4 tenant subnets should work fine01:00
manjeetsand one more question is router_ssh_public_key in orchestrator.ini depreciated01:00
manjeetsI am trying which path will work for inserting keypair into router vm01:01
manjeetsssh_public_key or router_ssh_public_key ?01:01
adam_gmanjeets, ssh_public_key is the one to use01:04
adam_grouer_ssh_key_public_key is deprecated since we're supporting more than just routers these days01:04
manjeetsi created a ipv4 tenant network01:06
manjeetsand added subnet to router interface01:07
manjeetsattached instance to that network01:07
manjeetsstill not able to ping the instance01:07
manjeetsneither able to login to router vm01:07
manjeetsits still asking for password01:08
manjeetsi updated ssh_public after stacking was done. should i restack or it should work  once you update /etc/astara/orchestrator.ini ?01:09
adam_gmanjeets, you dont need to restack, but you do need to rebuild your router appliance--the ssh key is injected via cloud-init at boot time01:10
adam_gfirst restart astara-orchestrator to pick up the new path01:10
manjeetsi build a router appliance afterwards01:10
manjeetsokay i did not restarted astara01:10
adam_gastara-ctl resource rebuild $router_id01:10
manjeetsthanks will try that out01:11
adam_gthat'll rebuild the appliance VM with new cloud-init and the newly configured key01:11
*** stanchan has quit IRC01:21
manjeetsadam_g: tried rebuilding router rebuild was succesfull01:36
manjeetsbut its is strill asking for password when i login using ssh astara@ipv6address_mgmt01:37
*** Liuqing has joined #openstack-astara01:47
*** manjeets has left #openstack-astara01:50
*** Liuqing has quit IRC01:52
elocan you load the ssh private key in as the user you are trying to login as?02:11
eloor use the -i flag with ssh to load the ssh private key02:12
*** stanchan has joined #openstack-astara02:21
*** jordantardif has quit IRC02:47
*** stanchan has quit IRC04:32
*** stanchan has joined #openstack-astara04:44
openstackgerritAdam Gandelman proposed openstack/astara: Log rendered cloud-init to debug log
*** stanchan has quit IRC07:19
*** ronis has joined #openstack-astara08:13
*** stanchan has joined #openstack-astara08:26
openstackgerritSwapnil Kulkarni (coolsvap) proposed openstack/astara-appliance: Replace deprecated LOG.warn with LOG.warning
*** Prithiv has joined #openstack-astara11:31
*** prithivm has joined #openstack-astara11:31
*** stanchan has quit IRC15:56
*** ronis has quit IRC16:06
*** prithivm has quit IRC16:11
*** Prithiv has quit IRC16:11
*** prithivm has joined #openstack-astara16:22
*** Prithiv has joined #openstack-astara16:22
*** cleverdevil has joined #openstack-astara17:03
*** prithivm has quit IRC17:11
*** Prithiv has quit IRC17:12
*** manjeets has joined #openstack-astara17:13
*** stanchan has joined #openstack-astara17:13
*** stanchan has quit IRC17:23
*** jordantardif has joined #openstack-astara17:28
*** ronis has joined #openstack-astara17:37
*** stanchan has joined #openstack-astara18:16
*** stanchan has quit IRC18:33
*** stanchan has joined #openstack-astara18:39
*** cleverdevil has quit IRC19:55
*** stanchan has quit IRC20:11
*** manjeets has quit IRC20:11
*** ronis has quit IRC20:15
*** stanchan has joined #openstack-astara20:22
*** manjeets has joined #openstack-astara20:28
openstackgerritAdam Gandelman proposed openstack/astara: Cleanup deleted resource from the tenant resource cache
*** manjeets has quit IRC20:30
*** manjeets has joined #openstack-astara20:31
openstackgerritAdam Gandelman proposed openstack/astara: Adds a new rebalance takeover state
openstackgerritAdam Gandelman proposed openstack/astara: Stop using versioned novaclient in func tests
*** stanchan has quit IRC21:03
*** stanchan has joined #openstack-astara21:09
*** stanchan has quit IRC21:10
*** stanchan has joined #openstack-astara21:10
j_kingis the 'astara-ctl ssh' command really going to be deprecated? the log in is kind of funny.21:15
openstackLaunchpad bug 1524592 in Astara "'astara-ctl ssh' command broken" [Undecided,New]21:15
j_kingspecifically: WARNING: 'astara-ctl ssh' is deprecated in favor of 'astara-ctl ssh' and will be removed in the Mitaka release.21:16
*** cleverdevil has joined #openstack-astara21:24
*** cleverdevil has quit IRC21:37
*** cleverdevil has joined #openstack-astara21:45
*** cleverdevil has quit IRC21:52
*** cleverdevil has joined #openstack-astara21:56
*** owlbot has quit IRC22:05
manjeetswhen i create a network and add its subnet  to router interface should it show that network on ip's of applicance (router vm) ?22:09
manjeetsmy situation is now I am able to access instances if i use already created network thenet and router . But when i create my own network and router its not accessible22:10
adam_gmanjeets, im actually looking into the same issue right now22:17
adam_gmanjeets, see if this helps (its not a fix but a test): add a security group rule to the tenant who owns the instances, allowing ingress traffic on the tenant network22:33
adam_gneutron security-group-rule-create --direction ingress --remote-ip-prefix default22:33
adam_gwhere is the subnet22:33
adam_gthen reboot the tenant instance22:34
adam_gmarkmcclain, whats the plan for this? it looks like we're still dependent on devstack adding that secgroup rule in to allow DHCP from appliance->tenant vm22:38
markmcclainso this is an issue with upstream openstack22:39
adam_gmarkmcclain, is there a bug somewhere to track/22:39
* markmcclain looks22:39
adam_galso, is there some way for us to inject such a rule into tenant groups on subnet create, from the astara-neutron side, in some way that it gets masked to the tenant?22:40
markmcclainI need to file a tracking bug22:40
markmcclainI've chatted with a few neutron cores about making teh default sec group implementation allow traffic from the gateway22:41
markmcclainso that ping etc work22:41
manjeetsi think I am using default sg group where i already added icmp rule22:41
markmcclainif you ping from VM to gateway then everything should work without changes22:41
markmcclainbecause the reply is a known to the firewall22:42
adam_gbut without the secgroup rule to allow the traffic, DHCP gets blocked and theres nothing to ping to begin with22:51
adam_gi thought we added to the secgroup rule via devstack to allow developers to debug connectivity via pinging from router to VM22:51
adam_gbut it turns out we're reliant on that for allowing DHCP through, so each created network needs a tenant created rule22:52
manjeetswill default one not work ?23:02
manjeetsi added the icmp rule to default group and attached that group to vm23:03
adam_gmanjeets, this isn't for ICMP traffic23:05
adam_gmanjeets, the router VM is owned by another tenant, so its traffic to the tenant VM filters through the tenant's  security groups23:05
adam_gmanjeets, by default the DHCP traffic from the router to the tenant vm is being blocked23:06
adam_gneutron security-group-rule-create --direction ingress --remote-ip-prefix default <- allows all ingress traffic from the same subnet, allowing DHCP/etc to make it ot the tenant VM from the router23:07
openstackgerritOpenStack Proposal Bot proposed openstack/astara: Updated from global requirements
manjeetsnow i see there are three security groups  with default name when i tried list as admin23:19
manjeetsi thought there is only single one default which gets applied to everything by default23:20
*** stanchan has quit IRC23:21
manjeetsthanks adam_g: finally its working23:23
manjeetsi've added ingress rule to two other defaults as well and it working now23:24
adam_gmanjeets, cool. unfortutely, requiring tenants to add a security group to get their networking working isn't a long term fix23:24
manjeetsno its admin have to add rule to sg attached to router vm23:24
eloI think phil_h ran into this issue as well with his environment23:24
manjeetsone is tenant will add a rule for its nova instance23:25
adam_gmanjeets, right but thats not a fix either--it should be hands off, automatic and seemless23:25
adam_g(to get DHCP functional, i mean)23:25
manjeetsrouter vm i don't think is accesible by tenant23:25
manjeetsi think on router vm it should be automatically done and nova instance can be done the way tenant wants23:26
adam_gmanjeets, its not, but ATM there needs ot be some action on behalf of the tenant, to allow the traffic from the router vm-- in theory the tenant has no idea there is a router vm, so expecting them to add a secgroup rule is crazy23:27
manjeetsyes i think i added rule as an admin for router vm23:28
manjeetsfor tenant i added rule only for nova instance which are connected to network attached to router23:28
*** owlbot has joined #openstack-astara23:29
manjeetsok got your point its meaningless for adding a rule for vm(router appliance ) that's not accesible to tenant23:31
manjeetsmake sense23:31
manjeetsadam_g: question I did not create any of security group23:32
manjeetsbut by default there are 3 sec groups with same name default23:33
*** stanchan has joined #openstack-astara23:33
manjeetsI've had no idea which one is attached to router appliance and which one is to tenants vm's (instances created by tenant )23:34
manjeetsi added ingress to all 3 then i was able to access23:35
*** stanchan has quit IRC23:56

Generated by 2.14.0 by Marius Gedminas - find it at!