Monday, 2018-06-18

<openstackgerrit> Feilong Wang proposed openstack/magnum master: Sync service account keys for multi masters  https://review.openstack.org/576029 [04:48]
<mvpnitesh> hi all, I'm trying to create a k8 cluster with OpenStack Pike release, i'm getting the below error [09:12]
<mvpnitesh> + sudo -E atomic install --storage ostree --system --system-package no --set REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt --name heat-container-agent docker.io/openstackmagnum/heat-container-agent:rawhide [09:12]
<mvpnitesh> pinging docker registry returned: Get http://registry-1.docker.io/v2/: dial tcp 54.152.209.167:80: i/o timeout [09:12]
<mvpnitesh> + systemctl start heat-container-agent [09:12]
<mvpnitesh> Failed to start heat-container-agent.service: Unit heat-container-agent.service not found. [09:12]
<mvpnitesh> i'm finding this error at /var/log/cloud-init-out.log [09:12]
<strigazi> mvpnitesh: It seems you can't reach the docker registry [10:03]
<strigazi> mnaser: magnum queens? do you have the fixed (for RBAC) queens magnum client? [10:03]
<mvpnitesh> strigazi: hi, how can i fix it, any suggestions ?? [10:04]
<strigazi> mnaser: https://docs.openstack.org/releasenotes/magnum/queens.html#upgrade-notes [10:04]
<strigazi> mvpnitesh: curl -v https://registry-1.docker.io [10:05]
<strigazi> mvpnitesh: I'll be back in 45' you can mirror all containers like so: [10:05]
<strigazi> mvpnitesh: https://docs.openstack.org/magnum/latest/user/index.html#container-infra-prefix [10:05]
<mvpnitesh> strigazi: I've deleted my cluster, i'll re create it and i'll try [10:06]
<mnaser> strigazi: updated client ended up fixing things. I still have some failing things in terms of k8s conformance tests [11:05]
<mvpnitesh> strigazi: Same error, should i add the container-infra-prefix in the labels?? [11:07]
<strigazi> mvpnitesh you need to mirror all images to a local registry if you can not access docker.io from your vms [11:08]
<strigazi> mvpnitesh: then you can use container_infra_prefix [11:08]
<mvpnitesh> strigazi: should i use this container_infra_prefix in cluster-template or at cluster-creation ?? [11:09]
<strigazi> mvpnitesh: it is the same, labels from CT are copied to cluster [11:10]
<strigazi> I usually have in CT [11:10]
<mvpnitesh> strigazi: will it be something like this "magnum cluster-template-create k8s-cluster-template-nitesh --label docker.io/openstackmagnum/kubernetes-apiserver=docker.io/openstackmagnum/kubernetes-apiserver" [11:18]
<mvpnitesh> is that the i've to to container-infra-prefix ?? [11:19]
<strigazi> --labels container_infra_prefix="THE_LOCAL_REGISTRY/" [11:20]
<strigazi> mvpnitesh: Can you confirm that you don't have internet access from your vms? [11:20]
<strigazi> mvpnitesh: if you can not access docker.io probably there are a lot of things that you can not access [11:21]
<mvpnitesh> strigazi: thanks. I've internet access, sometimes proxy is set and sometimes proxy is not getting set automatically [11:21]
<canori01> strigazi: Are there plans to get the CoreOS driver working again? [11:26]
<strigazi> canori01: no one works on it, people ask about it but no one contributes. My team is using fedora. If you want, I can help you fix it. [11:29]
<canori01> yeah, that would be great.  I'll take a stab at it [11:30]
<strigazi> canori01: excellent, if you give it a go, we can also discuss it tmr in the meeting. [11:30]
<strigazi> canori01: You can create a story in storyboard.openstack.org [11:31]
<openstackgerrit> Spyros Trigazis proposed openstack/magnum master: [cern] Create admin cluster-role  https://review.openstack.org/576112 [11:39]
<openstackgerrit> Spyros Trigazis proposed openstack/magnum master: k8s_fedora: Create admin cluster-role  https://review.openstack.org/576112 [11:39]
<strigazi> the [cern] tag was muscle memory [11:40]
<openstackgerrit> Spyros Trigazis proposed openstack/magnum master: k8s_fedora: Create admin cluster-role  https://review.openstack.org/576112 [11:59]
<flwang1> imdigitaljim: ping re the multi master keys [18:02]
<flwang1> strigazi: ^ [18:02]
<flwang1> based on my testing, seems we don't have to sign the keypair by cluster ca [18:03]
<imdigitaljim> it in theory works because it's still pki but having it be cert/key vs public/private key because the (signed) cert usually contains additional metadata and signed by the CA to verify authenticity [18:15]
<imdigitaljim> https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-service-account-key-pair [18:15]
<imdigitaljim> k8s the hard way still uses ca signing method [18:16]
<imdigitaljim> not to mention we still have signing methods built into magnum so it still shouldn't be too difficult to integrate it if we still want to go that route [18:16]
<flwang1> imdigitaljim: but in my testing, if i use a signed cert with the private key, it doesn't work [18:38]
<flwang1> public/private key works [18:38]
<flwang1> I also checked KH's guide [18:39]
<flwang1> and I assume the signed cert/key should work, but it's not, at least in my testing [18:39]
<flwang1> imdigitaljim: ^ [18:39]
<imdigitaljim> i'd assume key distribution is correct but maybe perhaps relates to a common problem of the "keyusages" which should contain ["signing", "key encipherment", "server auth", "client auth"], [18:41]
<flwang1> imdigitaljim: https://review.openstack.org/#/c/576029/1/magnum/drivers/heat/k8s_fedora_template_def.py [18:42]
<flwang1> i'm using the existing sign function [18:42]
<imdigitaljim> does our api include all 4 of these? I couldn't find x509.OID_SERVER_AUTH [18:42]
<flwang1> seems the answer is no [18:44]
<flwang1> is there any document that mentions the common problem of the 'keyusages'? [18:44]
<imdigitaljim> i believe x509.KeyUsage(True, False, True, False, False, False, False, [18:45]
<imdigitaljim> False, False) covers key encipherment and signing [18:45]
<imdigitaljim> but i never saw a server auth [18:45]
<imdigitaljim> but i wasn't sure if i just missed it [18:45]
<flwang1> imdigitaljim: is there any document that mentions the common problem of the 'keyusages'? [18:52]
<flwang1> in other words, why do we have to contain those 4 items? [18:52]
<openstackgerrit> Jim Bach proposed openstack/magnum master: Added error handling for discoveryurl  https://review.openstack.org/576233 [18:53]
<imdigitaljim> it's in the kelsey hightower stuff [18:53]
<imdigitaljim> when he uses the -profile=kubernetes in the arg for cfssl [18:54]
<imdigitaljim> the profile it refers to is https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-service-account-key-pair [18:54]
<imdigitaljim> https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#certificate-authority [18:54]
<imdigitaljim> ^ [18:54]
<imdigitaljim> "profiles": { [18:54]
<imdigitaljim>       "kubernetes": { [18:54]
<imdigitaljim>         "usages": ["signing", "key encipherment", "server auth", "client auth"], [18:54]
<imdigitaljim>         "expiry": "8760h" [18:54]
<imdigitaljim>       } [18:54]
<imdigitaljim>     } [18:54]
<imdigitaljim> I guess the common problem might be in my own experience and working with others on TLS [18:55]
<flwang1> ok, i see. [18:57]
<flwang1> but changing the config of cluster CA is a little bit risky [18:57]
<flwang1> i know strigazi probably doesn't like it [18:58]
<imdigitaljim> i'm just suggesting doing what KH is showing to be done [18:58]
<flwang1> imdigitaljim: i know [18:58]
<flwang1> but [18:58]
<flwang1> that changes more and may introduce regression issue we don't know yet [18:59]
<imdigitaljim> i would think the branches/tags separate that concern? [19:00]
<imdigitaljim> but maybe there's something procedural i'm not aware of yet [19:00]
<imdigitaljim> so i speak in ignorance :) [19:01]
<flwang1> ;) [19:02]
<flwang1> i will talk with strigazi to figure out a way, personally, i prefer to use a safer way, given it's Rocky-3 and we'd like to backport it to queens [19:03]
<flwang1> we can revisit this in Stein to figure out a better way [19:03]
<imdigitaljim> i just want the way that works correctly but also doesn't compromise security :) [19:04]
<imdigitaljim> correctly for multimaster especially [19:05]
<flwang1> no problem, that's my goal as well [19:06]
<flwang1> so you still prefer using signed cert/key? [19:06]
<flwang1> you mentioned you did the way sharing keys by etcd and it works, so how did you make the keys? are they public/private key pair or signed certs/private key pair? [19:07]
<flwang1> imdigitaljim: ^ [19:07]
<imdigitaljim> i used a different bootstrapping method because I did it with centos7. I used kubeadm to simplify the process of the k8s configuration. They use an "sa.key/.pub" that I distributed but I'm not entirely sure if they sign it either tbh. I am just seeing this KH stuff and throwing out open questions :) [19:12]
<imdigitaljim> and hopefully we can concretely justify doing approach XYZ [19:13]
<flwang1> ok, i see. if kubeadm is using sa.key/.pub, then i think we're safe to use pub/private keys [19:14]
<flwang1> if we really want to do the same way like KH, we may need the change at https://github.com/openstack/magnum/blob/master/magnum/common/x509/operations.py#L89 to support server auth [19:14]
<flwang1> imdigitaljim: thank you for all the good comments [19:25]
<flwang1> heading to office now, ttyl [19:33]
<openstackgerrit> Jim Bach proposed openstack/magnum master: Added error handling for discoveryurl  https://review.openstack.org/576233 [22:35]
<openstackgerrit> Feilong Wang proposed openstack/magnum master: Sync service account keys for multi masters  https://review.openstack.org/576029 [23:53]
