*** cleverdevil has quit IRC | 00:01 | |
*** jordantardif1 has joined #openstack-astara | 00:12 | |
*** jordantardif has quit IRC | 00:16 | |
*** jordantardif1 has quit IRC | 00:24 | |
*** jordantardif has joined #openstack-astara | 00:30 | |
manjeets | adam_g | 00:51 |
---|---|---|
manjeets | :ping | 00:51 |
manjeets | sorry ping | 00:51 |
adam_g | manjeets, hi | 00:55 |
manjeets | i tried login to router using ipv6 address of mgmt | 00:57 |
manjeets | is that right one ? | 00:57 |
adam_g | manjeets, yes, as user 'astara' | 00:57 |
manjeets | when i check nova instance for router it shows only ipv6 address | 00:57 |
adam_g | manjeets, right | 00:58 |
manjeets | just curious does it support ipv4 networks as well ? | 00:58 |
manjeets | suppose i create a network with IPv4 subnet range | 00:58 |
manjeets | to new router if i add that subnet on interface it should work ? | 00:59 |
adam_g | manjeets, that should work. there are some current bugs we're working through around using ipv4 for the management network | 00:59 |
adam_g | manjeets, but attaching the router to ipv4 tenant subnets should work fine | 01:00 |
manjeets | and one more question is router_ssh_public_key in orchestrator.ini deprecated | 01:00 |
manjeets | ? | 01:00 |
manjeets | I am trying which path will work for inserting keypair into router vm | 01:01 |
manjeets | ssh_public_key or router_ssh_public_key ? | 01:01 |
adam_g | manjeets, ssh_public_key is the one to use | 01:04 |
adam_g | router_ssh_public_key is deprecated since we're supporting more than just routers these days | 01:04 |
manjeets | okay | 01:06 |
manjeets | i created a ipv4 tenant network | 01:06 |
manjeets | and added subnet to router interface | 01:07 |
manjeets | attached instance to that network | 01:07 |
manjeets | still not able to ping the instance | 01:07 |
manjeets | neither able to login to router vm | 01:07 |
manjeets | its still asking for password | 01:08 |
manjeets | i updated ssh_public after stacking was done. should i restack or it should work once you update /etc/astara/orchestrator.ini ? | 01:09 |
adam_g | manjeets, you dont need to restack, but you do need to rebuild your router appliance--the ssh key is injected via cloud-init at boot time | 01:10 |
adam_g | first restart astara-orchestrator to pick up the new path | 01:10 |
manjeets | i build a router appliance afterwards | 01:10 |
manjeets | okay i did not restart astara | 01:10 |
adam_g | astara-ctl resource rebuild $router_id | 01:10 |
manjeets | thanks will try that out | 01:11 |
adam_g | that'll rebuild the appliance VM with new cloud-init and the newly configured key | 01:11 |
*** stanchan has quit IRC | 01:21 | |
manjeets | adam_g: tried rebuilding router, rebuild was successful | 01:36 |
manjeets | but it is still asking for password when i login using ssh astara@ipv6address_mgmt | 01:37 |
*** Liuqing has joined #openstack-astara | 01:47 | |
*** manjeets has left #openstack-astara | 01:50 | |
*** Liuqing has quit IRC | 01:52 | |
elo | can you load the ssh private key in as the user you are trying to login as? | 02:11 |
elo | or use the -i flag with ssh to load the ssh private key | 02:12 |
*** stanchan has joined #openstack-astara | 02:21 | |
*** jordantardif has quit IRC | 02:47 | |
*** stanchan has quit IRC | 04:32 | |
*** stanchan has joined #openstack-astara | 04:44 | |
openstackgerrit | Adam Gandelman proposed openstack/astara: Log rendered cloud-init to debug log https://review.openstack.org/264049 | 07:01 |
*** stanchan has quit IRC | 07:19 | |
*** ronis has joined #openstack-astara | 08:13 | |
*** stanchan has joined #openstack-astara | 08:26 | |
openstackgerrit | Swapnil Kulkarni (coolsvap) proposed openstack/astara-appliance: Replace deprecated LOG.warn with LOG.warning https://review.openstack.org/264120 | 10:48 |
*** Prithiv has joined #openstack-astara | 11:31 | |
*** prithivm has joined #openstack-astara | 11:31 | |
*** stanchan has quit IRC | 15:56 | |
*** ronis has quit IRC | 16:06 | |
*** prithivm has quit IRC | 16:11 | |
*** Prithiv has quit IRC | 16:11 | |
*** prithivm has joined #openstack-astara | 16:22 | |
*** Prithiv has joined #openstack-astara | 16:22 | |
*** cleverdevil has joined #openstack-astara | 17:03 | |
*** prithivm has quit IRC | 17:11 | |
*** Prithiv has quit IRC | 17:12 | |
*** manjeets has joined #openstack-astara | 17:13 | |
*** stanchan has joined #openstack-astara | 17:13 | |
*** stanchan has quit IRC | 17:23 | |
*** jordantardif has joined #openstack-astara | 17:28 | |
*** ronis has joined #openstack-astara | 17:37 | |
*** stanchan has joined #openstack-astara | 18:16 | |
*** stanchan has quit IRC | 18:33 | |
*** stanchan has joined #openstack-astara | 18:39 | |
*** cleverdevil has quit IRC | 19:55 | |
*** stanchan has quit IRC | 20:11 | |
*** manjeets has quit IRC | 20:11 | |
*** ronis has quit IRC | 20:15 | |
*** stanchan has joined #openstack-astara | 20:22 | |
*** manjeets has joined #openstack-astara | 20:28 | |
openstackgerrit | Adam Gandelman proposed openstack/astara: Cleanup deleted resource from the tenant resource cache https://review.openstack.org/264340 | 20:29 |
*** manjeets has quit IRC | 20:30 | |
*** manjeets has joined #openstack-astara | 20:31 | |
openstackgerrit | Adam Gandelman proposed openstack/astara: Adds a new rebalance takeover state https://review.openstack.org/260748 | 20:47 |
openstackgerrit | Adam Gandelman proposed openstack/astara: Stop using versioned novaclient in func tests https://review.openstack.org/264345 | 20:50 |
*** stanchan has quit IRC | 21:03 | |
*** stanchan has joined #openstack-astara | 21:09 | |
*** stanchan has quit IRC | 21:10 | |
*** stanchan has joined #openstack-astara | 21:10 | |
j_king | is the 'astara-ctl ssh' command really going to be deprecated? the log in https://bugs.launchpad.net/astara/+bug/1524592 is kind of funny. | 21:15 |
openstack | Launchpad bug 1524592 in Astara "'astara-ctl ssh' command broken" [Undecided,New] | 21:15 |
j_king | specifically: WARNING: 'astara-ctl ssh' is deprecated in favor of 'astara-ctl ssh' and will be removed in the Mitaka release. | 21:16 |
*** cleverdevil has joined #openstack-astara | 21:24 | |
*** cleverdevil has quit IRC | 21:37 | |
*** cleverdevil has joined #openstack-astara | 21:45 | |
*** cleverdevil has quit IRC | 21:52 | |
*** cleverdevil has joined #openstack-astara | 21:56 | |
*** owlbot has quit IRC | 22:05 | |
manjeets | when i create a network and add its subnet to router interface should it show that network on ip's of appliance (router vm) ? | 22:09 |
manjeets | my situation is now I am able to access instances if i use already created network thenet and router . But when i create my own network and router its not accessible | 22:10 |
adam_g | manjeets, im actually looking into the same issue right now | 22:17 |
manjeets | ok | 22:28 |
adam_g | manjeets, see if this helps (its not a fix but a test): add a security group rule to the tenant who owns the instances, allowing ingress traffic on the tenant network | 22:33 |
adam_g | ie | 22:33 |
adam_g | neutron security-group-rule-create --direction ingress --remote-ip-prefix 192.168.22.0/24 default | 22:33 |
adam_g | where 192.168.22.0/24 is the subnet | 22:33 |
adam_g | then reboot the tenant instance | 22:34 |
adam_g | markmcclain, whats the plan for this? it looks like we're still dependent on devstack adding that secgroup rule in to allow DHCP from appliance->tenant vm | 22:38 |
markmcclain | so this is an issue with upstream openstack | 22:39 |
markmcclain | s/openstack/neutron/ | 22:39 |
adam_g | markmcclain, is there a bug somewhere to track? | 22:39 |
* markmcclain looks | 22:39 | |
adam_g | also, is there some way for us to inject such a rule into tenant groups on subnet create, from the astara-neutron side, in some way that it gets masked to the tenant? | 22:40 |
markmcclain | I need to file a tracking bug | 22:40 |
markmcclain | I've chatted with a few neutron cores about making the default sec group implementation allow traffic from the gateway | 22:41 |
markmcclain | so that ping etc work | 22:41 |
manjeets | i think I am using default sg group where i already added icmp rule | 22:41 |
markmcclain | if you ping from VM to gateway then everything should work without changes | 22:41 |
markmcclain | because the reply is a known to the firewall | 22:42 |
adam_g | but without the secgroup rule to allow the traffic, DHCP gets blocked and theres nothing to ping to begin with | 22:51 |
adam_g | i thought we added to the secgroup rule via devstack to allow developers to debug connectivity via pinging from router to VM | 22:51 |
adam_g | but it turns out we're reliant on that for allowing DHCP through, so each created network needs a tenant created rule | 22:52 |
manjeets | will default one not work ? | 23:02 |
manjeets | i added the icmp rule to default group and attached that group to vm | 23:03 |
adam_g | manjeets, this isn't for ICMP traffic | 23:05 |
adam_g | manjeets, the router VM is owned by another tenant, so its traffic to the tenant VM filters through the tenant's security groups | 23:05 |
adam_g | manjeets, by default the DHCP traffic from the router to the tenant vm is being blocked | 23:06 |
adam_g | neutron security-group-rule-create --direction ingress --remote-ip-prefix 192.168.22.0/24 default <- allows all ingress traffic from the same subnet, allowing DHCP/etc to make it to the tenant VM from the router | 23:07 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/astara: Updated from global requirements https://review.openstack.org/264410 | 23:13 |
manjeets | now i see there are three security groups with default name when i tried list as admin | 23:19 |
manjeets | i thought there is only single one default which gets applied to everything by default | 23:20 |
*** stanchan has quit IRC | 23:21 | |
manjeets | thanks adam_g: finally its working | 23:23 |
manjeets | i've added ingress rule to two other defaults as well and it working now | 23:24 |
adam_g | manjeets, cool. unfortunately, requiring tenants to add a security group to get their networking working isn't a long term fix | 23:24 |
manjeets | no its admin have to add rule to sg attached to router vm | 23:24 |
elo | I think phil_h ran into this issue as well with his environment | 23:24 |
manjeets | one is tenant will add a rule for its nova instance | 23:25 |
adam_g | manjeets, right but thats not a fix either--it should be hands off, automatic and seamless | 23:25 |
adam_g | (to get DHCP functional, i mean) | 23:25 |
manjeets | router vm i don't think is accessible by tenant | 23:25 |
manjeets | i think on router vm it should be automatically done and nova instance can be done the way tenant wants | 23:26 |
adam_g | manjeets, its not, but ATM there needs to be some action on behalf of the tenant, to allow the traffic from the router vm-- in theory the tenant has no idea there is a router vm, so expecting them to add a secgroup rule is crazy | 23:27 |
manjeets | yes i think i added rule as an admin for router vm | 23:28 |
manjeets | for tenant i added rule only for nova instance which are connected to network attached to router | 23:28 |
*** owlbot has joined #openstack-astara | 23:29 | |
manjeets | ok got your point its meaningless for adding a rule for vm(router appliance ) that's not accessible to tenant | 23:31 |
manjeets | make sense | 23:31 |
manjeets | adam_g: question I did not create any of security group | 23:32 |
manjeets | but by default there are 3 sec groups with same name default | 23:33 |
*** stanchan has joined #openstack-astara | 23:33 | |
manjeets | I've had no idea which one is attached to router appliance and which one is to tenants vm's (instances created by tenant ) | 23:34 |
manjeets | i added ingress to all 3 then i was able to access | 23:35 |
*** stanchan has quit IRC | 23:56 |