Wednesday, 2018-08-15

« Tuesday, 2018-08-14 Index Thursday, 2018-08-16 »
*** slagle has joined #openstack-containers00:24
*** Nel1x has joined #openstack-containers00:31
*** sgrasley has quit IRC00:37
*** hongbin has joined #openstack-containers00:44
*** slagle has quit IRC00:48
*** ricolin has joined #openstack-containers02:19
*** dave-mccowan has quit IRC02:19
*** openstack has joined #openstack-containers02:35
*** ChanServ sets mode: +o openstack02:35
*** ramishra has joined #openstack-containers02:37
*** cbrumm has quit IRC02:53
*** Nel1x has quit IRC03:11
*** hongbin has quit IRC03:23
*** hongbin has joined #openstack-containers03:28
*** hongbin_ has joined #openstack-containers03:48
*** hongbin has quit IRC03:50
openstackgerritjacky06 proposed openstack/magnum master: Pin get-pip.py to 3.2  https://review.openstack.org/58042404:02
*** hongbin_ has quit IRC04:14
flwangimdigitaljim: around?04:20
*** pcaruana has joined #openstack-containers05:12
*** Bhujay has joined #openstack-containers05:18
*** mattgo has joined #openstack-containers05:50
*** mattgo has quit IRC06:19
*** adrianc has joined #openstack-containers06:41
*** mattgo has joined #openstack-containers06:55
openstackgerritShuo Liu proposed openstack/magnum master: change http to https  https://review.openstack.org/59193907:23
*** mattgo has quit IRC07:33
*** mattgo has joined #openstack-containers07:52
*** sgordon has quit IRC08:08
mattgostrigazi, Hi, you mentioned that you posted a link to configure Magnum to run a local discovery service for etcd. I missed it, could you please repost it ?08:28
*** flwang1 has joined #openstack-containers08:40
flwang1strigazi: pls ping me when you're online08:45
strigazimattgo: http://paste.openstack.org/show/727709/08:50
mattgostrigazi, thank you. So you're running etcd discovery service inside a k8s container that was first spawned with Magnum, correct ?08:58
strigaziyes08:59
strigazimattgo: yes08:59
* strigazi is going to a physical meeting08:59
mattgostrigazi, My concern is that you still need the public discovery service for this first k8s cluster08:59
mattgostrigazi, but I guess you could also setup the local discovery service on the controller node09:00
strigazimattgo: we had a cluster running already09:02
mattgostrigazi, understood, thank you09:06
*** brtknr has joined #openstack-containers09:08
*** salmankhan has joined #openstack-containers09:22
*** ricolin has quit IRC09:29
*** rtjure has joined #openstack-containers09:35
*** dave-mccowan has joined #openstack-containers10:12
*** adrianc has quit IRC10:30
*** adrianc has joined #openstack-containers10:50
*** ricolin has joined #openstack-containers11:20
*** ykarel has joined #openstack-containers12:37
*** zul has joined #openstack-containers12:42
*** ykarel is now known as ykarel|away12:49
*** ykarel|away has quit IRC13:17
*** pbourke has quit IRC13:55
*** pbourke has joined #openstack-containers13:57
*** hongbin has joined #openstack-containers14:17
*** mattgo has quit IRC14:30
*** mattgo has joined #openstack-containers14:33
*** Bhujay has quit IRC14:33
*** markguz_ has joined #openstack-containers14:36
*** markguz_ has quit IRC14:36
*** markguz_ has joined #openstack-containers14:37
*** mattgo has quit IRC14:38
*** zul has quit IRC14:39
imdigitaljimflwang1: flwang: im here if you are14:43
strigaziimdigitaljim: https://review.openstack.org/#/c/589214/914:45
imdigitaljimthank you, i just comment back, all good catches, ill make the changes14:46
imdigitaljimim doing a bit of back and forth with our code until we converge so a few mistakes :(14:47
strigaziI think we should be explicit in bash vs sh, also this way shellcheck is happier :)14:48
imdigitaljimalso, this works with sh14:49
imdigitaljimbut i can gladly switch it to bash if you'd prefer14:49
strigazieg configure-minion is bash and others14:50
strigazilet's go for bash14:50
imdigitaljimsounds good14:50
openstackgerritAkihiro Motoki proposed openstack/magnum-ui master: Drop nose dependencies  https://review.openstack.org/59206914:51
openstackgerritJim Bach proposed openstack/magnum master: cleanup config-k8s-masters.sh, added roles to nodes on startup  https://review.openstack.org/58921414:55
strigaziimdigitaljim: maybe "added roles" should be removed from the commit msg?14:55
strigaziDo we add roles somewhere?14:56
openstackgerritJim Bach proposed openstack/magnum master: cleanup config-k8s-masters.sh, added roles to nodes on startup  https://review.openstack.org/58921414:57
imdigitaljimyeah14:57
imdigitaljimmaster role is added14:57
imdigitaljimkubelet args14:57
imdigitaljim"--node-labels=node-role.kubernetes.io/master=\"\""14:57
*** ramishra has quit IRC15:03
*** livelace has joined #openstack-containers15:25
strigaziimdigitaljim: I think in 590346 we can drop the second make-certm thoughts?15:31
strigaziimdigitaljim: or make-cert and make-cert-client should converge in a way15:32
imdigitaljimyeah we can definitely do that15:32
imdigitaljimit would at most leave some unused artifacts on the minion15:32
imdigitaljimbut thats not a big issue15:32
strigaziimdigitaljim: we should not generate the master certs15:32
imdigitaljimwhich where?15:32
imdigitaljimthe admin cert?15:33
strigaziimdigitaljim: in the minion, if we use the same script15:33
strigaziyes15:33
imdigitaljimoh yeah15:33
strigazihowever15:33
imdigitaljimwe could make it in a conditional15:33
imdigitaljim(another PR)15:33
strigaziif we have the trust creds in the node15:33
strigaziif someone takes over a minion he can take over the cluster15:34
imdigitaljimyeah15:34
imdigitaljimi was thinking that as well15:34
imdigitaljimthat is an attack vector15:34
imdigitaljimwe could deploy it as another file15:34
imdigitaljimand software deployment to delete it or something?15:34
imdigitaljimalthough kind of a hack15:34
strigaziwe don't have a solution for this at the moment15:34
imdigitaljimor wait15:35
imdigitaljimwe could deploy the minion with the Trust token15:35
strigaziwe could invalidate the trust user after cluster creation15:35
imdigitaljimand it would eventually just expire15:35
strigaziwe could,15:35
imdigitaljimor if we can set a custom ttl on the token for like 15 minutes15:36
strigazistill with what you said and what I just mentioned if someone takes it at that time it is still a problem.15:36
strigazimuch smaler problem15:36
strigazithe issue is when doing a cluster update15:37
strigaziwe should generate a token or trust again15:37
strigazibecause new nodes will need it again15:37
imdigitaljimwhat use cases are a token needed on a minion after startup?15:40
*** mattgo has joined #openstack-containers15:40
strigaziimdigitaljim: today you create a cluster with N nodes and all minmions get a token15:41
strigaziimdigitaljim: next week the app was super successful and you want more nodes15:41
imdigitaljimoh you mean on the cluster updates15:42
strigaziimdigitaljim:  the new nodes will need to authenticate with magnum to get the cluster ca15:42
imdigitaljimcouldnt you just generate a new token in that case and update the param?15:42
strigaziyes15:42
imdigitaljimas you do the update15:42
strigaziimdigitaljim: in that case we need to make the minion config a software deployment15:42
strigaziimdigitaljim: because if it is the same resource group in heat and we change the user-data15:43
strigaziimdigitaljim: heat will replace the servers15:43
strigaziimdigitaljim: makes sense?15:43
imdigitaljimyeah15:43
imdigitaljimdefinitely15:43
imdigitaljimwe can look into that15:43
strigaziimdigitaljim: fyi fedora-coreos meeting in ~1hr https://apps.fedoraproject.org/calendar/meeting/9282/15:43
imdigitaljimmaybe a story for now?15:43
strigaziimdigitaljim: https://review.openstack.org/#/c/561858/15:44
strigaziimdigitaljim:  https://review.openstack.org/#/c/561858/1/magnum/drivers/k8s_fedora_atomic_v1/templates/kubeminion.yaml@38315:44
strigazino one looked into it15:44
strigaziI mean to review15:44
strigaziI'm going home, to attend the meeting from there15:45
imdigitaljimsee ya15:45
*** adrianc has quit IRC15:48
*** adrianc has joined #openstack-containers15:48
*** itlinux has joined #openstack-containers15:52
*** FracKen has joined #openstack-containers15:54
openstackgerritMerged openstack/magnum master: [k8s] Set order in kubemaster software deployments  https://review.openstack.org/59159215:56
*** sayalilunkad has quit IRC16:16
*** sayalilunkad has joined #openstack-containers16:20
*** sayalilunkad has quit IRC16:32
*** Bhujay has joined #openstack-containers16:33
*** sayalilunkad has joined #openstack-containers16:47
*** ricolin has quit IRC16:50
*** sayalilunkad has quit IRC16:51
*** sayalilunkad has joined #openstack-containers16:52
*** openstackstatus has joined #openstack-containers16:56
*** ChanServ sets mode: +v openstackstatus16:56
*** sayalilunkad has quit IRC17:09
*** salmankhan has quit IRC17:13
*** ykarel has joined #openstack-containers18:11
*** livelace has quit IRC18:15
*** markguz_ has quit IRC18:18
*** Nisha_away has joined #openstack-containers18:25
Nisha_awayflwang, hi18:26
*** Nisha_away has quit IRC18:36
*** adrianc has quit IRC18:41
*** salmankhan has joined #openstack-containers18:41
*** salmankhan has quit IRC18:46
*** markguz_ has joined #openstack-containers18:55
*** markguz_ has quit IRC18:59
openstackgerritFeilong Wang proposed openstack/magnum master: Fix Keystone URL joining issue  https://review.openstack.org/59218119:07
*** openstackgerrit has quit IRC19:19
*** ykarel has quit IRC19:29
*** imdigitaljim has quit IRC20:00
*** flwang1 has quit IRC20:05
*** mattgo has quit IRC20:45
*** mattgo has joined #openstack-containers20:53
*** mattgo has quit IRC21:02
*** openstackgerrit has joined #openstack-containers21:22
openstackgerritFeilong Wang proposed openstack/magnum master: Fix Keystone URL joining issue  https://review.openstack.org/59218121:22
*** rcernin has joined #openstack-containers21:29
*** imdigitaljim has joined #openstack-containers22:03
imdigitaljimback22:03
imdigitaljimsorry dc'd22:03
flwangimdigitaljim: thanks for the link, i didn't notice that patch22:05
flwangand I think that one is better than mine, so I just abandoned mine22:05
imdigitaljimyeah i wasnt sure from the description but i was pretty sure they were the same problem22:05
flwangi think it's a regression issue by devstack or keystone22:06
imdigitaljimalso https://review.openstack.org/#/c/589214/22:06
imdigitaljimif you would check that22:06
flwangthough the way doing url joint in magnum is not good for sure22:06
flwangimdigitaljim: it's on my list, the code looks good for me, just need some testing22:07
imdigitaljimgreat thanks man!22:07
flwangimdigitaljim: thank you for the great work22:09
flwangimdigitaljim: btw, in blizzard, are you happy using 3 dedicated master nodes without running workload on that?22:10
imdigitaljimwe run a light workload on them22:11
imdigitaljimcontrol plane stuff mostly22:11
*** livelace has joined #openstack-containers22:11
imdigitaljimno "customer related" pods22:12
*** FracKen has left #openstack-containers22:17
flwangimdigitaljim: ok, i see.22:18
*** imdigitaljim has quit IRC22:18
flwangso not sure if i asked before, are you interested in the architecture like GKE/Gardener, totally hide the master noes to end users?22:18
*** itlinux has quit IRC22:22
*** FracKen has joined #openstack-containers22:22
*** livelace has quit IRC23:16
*** livelace has joined #openstack-containers23:17
*** rcernin has quit IRC23:18
*** rcernin has joined #openstack-containers23:19
« Tuesday, 2018-08-14 Index Thursday, 2018-08-16 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!