Tuesday, 2018-08-21

« Monday, 2018-08-20 Index Wednesday, 2018-08-22 »
openstackgerritFeilong Wang proposed openstack/magnum master: [k8s] Update cluster health status by native API  https://review.openstack.org/57289700:00
*** hongbin has joined #openstack-containers00:26
*** livelace has quit IRC00:43
*** livelace has joined #openstack-containers00:43
*** janki has joined #openstack-containers01:28
*** ricolin has joined #openstack-containers01:33
*** Bhujay has joined #openstack-containers02:00
openstackgerritFeilong Wang proposed openstack/magnum master: [k8s] Update cluster health status by native API  https://review.openstack.org/57289702:27
*** janki has quit IRC03:06
*** Bhujay has quit IRC03:24
*** Nel1x has quit IRC03:34
*** ramishra has joined #openstack-containers03:40
*** ykarel has joined #openstack-containers04:00
*** udesale has joined #openstack-containers04:00
*** ykarel has quit IRC04:06
*** ykarel has joined #openstack-containers04:07
*** hongbin has quit IRC04:10
*** janki has joined #openstack-containers04:27
*** Bhujay has joined #openstack-containers04:45
*** Bhujay has quit IRC04:51
*** Bhujay has joined #openstack-containers04:53
*** flwang1 has quit IRC04:54
*** ykarel has quit IRC05:07
*** ykarel has joined #openstack-containers05:25
*** janki has quit IRC06:06
*** rcernin has quit IRC06:38
*** rcernin has joined #openstack-containers06:41
*** pcaruana has joined #openstack-containers06:42
*** adrianc has joined #openstack-containers06:51
*** rcernin has quit IRC06:51
strigaziykarel: can you have a look: 59233607:11
strigaziimdigitaljim: http://paste.openstack.org/show/728455/ looks nice07:12
*** mattgo has joined #openstack-containers07:39
openstackgerritOpenStack Proposal Bot proposed openstack/magnum-ui master: Imported Translations from Zanata  https://review.openstack.org/59405407:47
ykarelstrigazi, okk will check07:49
ykarelstrigazi, there are two test case failing, is that a known issue07:52
ykarelNo API token found for service account \"default\", retry after the token is automatically created and added to the service account07:52
strigaziykarel in the functional tests?07:54
ykarelstrigazi, yes and other is TypeError: delete_namespaced_service() takes exactly 4 arguments, which seems related to kubernetes version07:54
strigaziykarel this is known ^^07:54
strigazithe other must be happening because it tries too fast to create something07:55
ykarelstrigazi, okk, +2 +W, for the known issue is there a patch already?07:56
strigaziykarel: no. It needs a change in the params of the client.07:57
ykarelstrigazi, ack07:58
strigaziykarel: where do you see this? No API token found for service account \"default\", retry after the token is automatically created and added to the service account08:03
ykarelamhttp://logs.openstack.org/36/592336/3/check/magnum-functional-k8s/2c671f0/job-output.txt.gz#_2018-08-20_12_01_02_55321408:03
ykarelstrigazi, ^^08:03
*** yankcrime has joined #openstack-containers08:11
*** suanand has joined #openstack-containers08:28
*** olivenwk has joined #openstack-containers08:38
*** flwang1 has joined #openstack-containers08:43
openstackgerritMerged openstack/magnum master: [k8s] Add proxy to master and set cluster-cidr  https://review.openstack.org/59233608:46
flwang1strigazi: around for a quick sync?08:48
strigaziflwang1: I'm going to a 1 hour meeting :(08:49
flwang1strigazi: no problem08:50
openstackgerritFeilong Wang proposed openstack/magnum master: [k8s] Update cluster health status by native API  https://review.openstack.org/57289708:50
flwang1strigazi: i can manage get the versioned object works, but it doesn't work well with wsme types system08:50
flwang1the wsme types can't support CoercedDict well08:51
flwang1as a result,  in the api response, user can't see the 2nd layer dict of the health_status_reason08:53
*** adrianc has quit IRC10:00
*** adrianc has joined #openstack-containers10:09
openstackgerritsuzhengwei proposed openstack/magnum master: service init or heartbeat without hostname  https://review.openstack.org/59411910:20
strigaziflwang1: ping10:24
*** Bhujay has quit IRC10:26
*** ykarel is now known as ykarel|lunch10:29
flwang1strigazi: yes10:46
strigaziflwang1: sync?10:46
flwang1strigazi: let's do it10:47
flwang1except rolling upgrade and health monitoring, anything else we want to get in rocky10:47
strigaziI have a minor one, that came up today. It is for swarm-mode10:48
strigaziMake the default overleynetwork cidr of swarm-mode configurable10:49
strigaziIt conflicts with some of our public ips10:49
strigaziThe current default one10:49
strigaziI guess you are not interested in swarm10:50
flwang1strigazi: yep, you're right10:50
flwang1so let's just focus on the upgrade one and cluster health monitoring?10:51
strigaziyes10:51
flwang1currently, the health monitoring just works, but as i mentioned above, i'm dealing with the wsme types and oslo.versionedobjects10:51
strigazilink to the code?10:52
flwang1https://review.openstack.org/572897 you mean patch link?10:52
strigaziand file10:52
strigazihttps://review.openstack.org/#/c/572897/8/magnum/api/controllers/v1/cluster.py@14110:52
flwang1https://review.openstack.org/#/c/572897/8/magnum/api/controllers/v1/cluster.py@14110:52
flwang1yep10:53
flwang1i'm still testing to figure out the correct way to display the 2 layers nested dict10:53
strigaziin the client?10:53
flwang1client does nothing, the error comes from server side10:54
strigaziThe api can return a valid json10:54
flwang1but we may need a client change to show the two new fields in the table10:54
flwang1api can't return a valid json10:54
strigaziin a string10:55
strigaziif can't, right10:55
flwang1https://review.openstack.org/#/c/572897/8/magnum/drivers/common/k8s_monitor.py@19610:56
flwang1this is current data structure of the health_status_reason10:56
flwang1with current structure, we can basically provide all the info we got from k8s to the cluster auto healer10:56
strigazilooks good10:56
strigaziIs there something that we miss now? can we take this? https://review.openstack.org/#/c/570818/11/magnum/api/controllers/v1/cluster.py10:59
flwang1no, that patch will be updated in favor of the new health status reason structure11:00
flwang1never mind, i will figure out11:00
flwang1i just need your opinions about the whole workflow and the info we can provide with the health_status_reason11:01
flwang1and it would be nice if Ricardo can review it as well11:02
strigaziI'm a little lost on the dependency of the patches. Do we need to decide on 572897 and then update 570818 ?11:02
strigaziWith the current state11:03
strigaziwe will have another periodic task, the one you created sync_cluster_health_status11:04
strigazithat will check the _COMPLETE clusters11:05
strigazior even the ones with the statuses you listed11:05
strigaziand it will update the status accordngly11:05
strigaziif the api doesn't return ok or if any node is not ready the cluster will be unhealthy11:06
strigazimakes sesne?11:06
strigaziflwang1: ^^11:06
flwang1after figure out the working structure, i will update 57081811:06
flwang1firstly11:06
flwang1yep, as i mentioned in the design policy, if any node or api is not in good status, then the overall cluster is unhealthy11:07
flwang1we can improve the algorithm later, for the first version, i'd like to make it strict11:07
strigaziIsn't this strict enough? How it can be stricter?11:08
strigazior more strict11:08
flwang1if you do have concern, we can hide the health_status and health_status_reason attributes for now11:08
strigaziI don't have a concern about it11:09
flwang1i didn't verify, but for example, one of node may have disk pressure, but it's still in ready status11:09
flwang1something like that11:09
strigaziI think we can base the node status only on the Ready field11:09
flwang1because currently, i'm just using the 'Ready' to represent the health status of minion node11:10
*** ykarel|lunch is now known as ykarel11:10
flwang1yep, that's my current design11:10
flwang1but i do want to provide all the conditions of the node for reference11:10
flwang1hence why i'm making the health_status_reason's data structure a little bit 'rich'11:11
strigaziok11:11
strigazinot bad11:11
strigaziwhat we can do11:11
strigaziis leave the reason empty if it is healthy11:11
strigaziand there are no 'issues'11:12
flwang1for the worst case, we can make the health_status_reason as a very simple dict11:13
*** Bhujay has joined #openstack-containers11:13
flwang1e.g. if cluster is UNHEALTHY, then health_status_reason = {"node-0.Ready": False}11:14
flwang1or something like that11:14
strigaziI think it is getting complicated like this. Complicated on the server side11:15
flwang1given it's a dict and only magnum internal auto healer will parse it, we should be OK11:15
flwang1yep11:15
flwang1i know11:15
flwang1we have to balance11:15
strigaziAs a first the simpler to implement and maintain solution sounds ideal to me11:16
flwang1sure, i will continue to investigate and discuss with you later11:18
strigaziwait a moment11:18
strigaziI'm still not sure what we haven't decided yet. It seems to me that only the health_status_reason field is not clear right?11:19
strigaziflwang1: ^^11:20
flwang1yes11:20
flwang1otherwise, it just works for me11:20
strigaziSo the missing part is nested vs not nested dict11:21
flwang1yep11:22
strigaziDoesn't nested dict work?11:23
flwang1with     health_status_reason = wtypes.DictType(str, o_fields.CoercedDict)11:23
flwang1the response will be   "health_status_reason": {"k8scluster-wnd2jvqdmci3-master-0": {}, "api": {}, "k8scluster-wnd2jvqdmci3-minion-0": {}}, "user_id": "6bc2f37c4c424182967b51386270ec1c", "uuid": "cfd56d2b-73f1-4f27-a007-dc3473b681ee", "api_address": "https://172.24.4.19:6443", "master_addresses": ["172.24.4.19"], "node_count": 1, "project_id": "116161cb5f384bfa80c21b6ab0bff625", "status": "CREATE_COMPLETE", "docker_volume_si11:24
flwang1as you can see, the 2nd layer dict is {}11:25
*** udesale has quit IRC11:25
flwang1but it's stored correctly in magnum db11:25
strigaziSo, wsme incompatibility11:25
flwang1we just need to figure out how to make wsme and oslo.versionedobjects work together as we want11:25
flwang1yep, if we can call it 'incompatibility'11:26
flwang1wsme just can't handle the CoercedDict type from oslo.versionedobject11:26
flwang1maybe we need a customized wsme type11:26
strigazithat is one option11:27
strigazithe other is to go for non-nested dict11:27
flwang1yep11:28
flwang1as we discussed above11:28
flwang1but non-nested dict may make the dict looks weird11:28
flwang1will dig11:28
strigaziIMO, it is not bad to go for the flat dict initially11:29
flwang1ok, that's my last sort11:30
flwang1are we on the same page now for the health monitoring?11:32
strigaziyes11:32
strigaziI would go for the flat option11:32
strigazifyi11:32
flwang1btw, i'd like to totally drop the https://github.com/openstack/magnum/blob/master/magnum/drivers/common/k8s_monitor.py#L41 in Stein11:33
flwang1it's useless11:33
strigazi+11:33
strigazi+111:33
strigaziShould we also emit a notification when a cluster is not healthy?11:34
flwang1pls revisit https://review.openstack.org/572249 and let's merge it and backport to Rocky11:34
flwang1then we can drop the pull_data in Stein11:34
strigaziok11:34
flwang1strigazi: it's good to have but i'd like to wait until there is a real user requirement11:35
strigaziYou don't use notification?11:35
strigaziYou don't use notifications?11:35
flwang1we use, but don't consume it much TBH11:35
strigaziWe do, for magnum we are working on it11:36
strigazibut for heat it looks great11:36
flwang1ok, cool, then we can have11:36
strigazieg11:36
flwang1use zaqar queue for status update?11:36
strigaziin the weekend maybe some nodes went unhealthy and then healthy again11:37
flwang1ah, right11:37
strigaziwhich status update?11:37
strigaziWe don't have zaqar11:37
flwang1nevermind then11:37
flwang1back to flat dict, then how do we define the key11:38
flwang1for api, we can just use "api": "ok", but how about minion nodes?11:38
strigaziit needs to be one right?11:39
flwang1using something like "minion-node-1.Ready": False?11:39
strigaziCan we have: {"api": ok, "minion-node-1.Ready": False, "minion-node-2.Ready": True}11:39
flwang1{"api": "ok", "node-0.Ready": True, "node-0.OutOfDisk": False, "node-1.Ready": True, "node-1.OutOfDisk": False, ... ...}11:40
flwang1that's what i'm suggesting above11:40
flwang1that's not perfect, but I think it's clean/clear enough11:40
strigaziit is clear, very clear11:41
flwang1do you want to see the "node-0.OutOfDisk": False11:41
flwang1other conditions except Ready11:41
flwang1if yes, then we need the format "nodename.Ready" otherwise, just "nodename": 'ok'  or "nodename": True11:42
strigaziIt is very good to see all, it just gets a bit heavy.11:42
strigazi5 per node, right?11:43
flwang1yes11:43
strigaziLet's make a quick cound of the data required though11:43
flwang1so how about just use 'Ready', but still key the 'nodename.Ready' format for future11:43
strigazi^^ better than just ok11:43
flwang1can you elaborate?11:44
strigazigive me 5'11:45
flwang1still around?12:06
flwang1strigazi: ^12:11
strigazihere12:11
strigazifor your question12:12
strigazinodename.Ready: True is better than nodename: ok12:12
flwang1ok, then next question, do we want to cover all the 5 for the first version?12:13
strigazihow much space will we need for a 1000 node cluster?12:13
flwang1it could be long, but we're using Text12:14
strigaziText is 5GB i think12:15
flwang1that should be fine12:15
flwang1from another angle, can we fix issue like OutOfDisk?12:15
strigazireplace the node, it is a 'fix'12:16
*** adrianc has left #openstack-containers12:16
flwang1so how about just show the nodename.Ready for now and add more in the future after we figure out the whole picture12:16
strigaziIt sounds good to me12:17
flwang1deal12:17
strigaziIncremental changes are better12:17
strigazilong text is L + 4 bytes, where L < 2^3212:17
strigaziAre we good with health status?12:18
flwang1i feel very good12:19
flwang1question for the rolling upgrade12:20
strigaziupgrades then, did you get the gist of it? Apart from some hypervisor reboot I'll make it fully functional todat12:20
strigazitell me12:20
flwang1i need a series of ready to test patches12:20
flwang1i'm really keen to test it12:20
strigaziThe idea is to provide users with cluster templates and the just follow those12:23
strigaziThe idea is to provide users with cluster templates and they just follow those12:23
flwang1yep, i understand that12:23
strigaziDid you see my patch for adding the heat agent in the minions?12:23
flwang1yep12:23
flwang1i saw that12:23
flwang1is it ready to go?12:24
strigaziThe ssh part12:24
flwang1why do we need the ssh part?12:24
strigazito act as being in the host12:24
strigazisome operations need to be in the same filesystem12:24
strigazieg https://review.openstack.org/#/c/561858/1/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh@15712:25
strigazieg https://review.openstack.org/#/c/561858/1/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh@1612:26
flwang1ok, got12:28
strigaziWe can continue in the meeting if you don't have a question now12:29
flwang1will you upload new patch set today?12:32
strigaziyes12:32
flwang1cool, i just want to give it a try12:32
flwang1to understand it better12:32
strigaziok12:32
flwang1thanks for working on that, i know it's hard one12:33
strigaziIt didn't go as good as I wanted12:33
strigaziIt took too much time12:34
flwang1i can imagine12:34
flwang1but it would be a great feature12:34
strigaziI hope it is12:35
strigaziI need to go, are planing to sleep? :)12:36
strigaziI need to go, are you planing to sleep? :)12:36
flwang1yep12:36
flwang1will we have meeting after 9 hours?12:36
strigaziThanks for staying late Feilong, you have done great work!12:36
strigaziyes12:37
flwang1cool, ttyl12:37
flwang1have a good one12:37
strigazigood night12:37
strigazi@all meeting: https://wiki.openstack.org/wiki/Meetings/Containers#Agenda_for_2018-08-21_2100_UTC12:38
strigaziTuesday, 21 August 2018 21:00UTC12:39
*** pbourke has quit IRC14:06
*** pbourke has joined #openstack-containers14:07
*** suanand has quit IRC14:53
openstackgerritSpyros Trigazis proposed openstack/magnum stable/queens: [k8s] Add proxy to master and set cluster-cidr  https://review.openstack.org/59426414:55
*** hongbin has joined #openstack-containers14:56
*** pcaruana has quit IRC15:09
*** Bhujay has quit IRC15:27
*** ykarel is now known as ykarel|away15:45
*** strigazi has quit IRC15:46
*** strigazi has joined #openstack-containers15:46
*** ramishra has quit IRC15:54
*** itlinux has joined #openstack-containers15:59
*** ricolin has quit IRC16:06
*** olivenwk has quit IRC16:31
*** ykarel|away has quit IRC16:49
*** mattgo has quit IRC16:54
*** robertomls has joined #openstack-containers17:26
*** cbrumm has quit IRC17:42
*** dave-mccowan has quit IRC17:44
*** portdirect has quit IRC17:54
*** cbrumm has joined #openstack-containers17:55
*** robertomls has quit IRC18:27
*** dave-mccowan has joined #openstack-containers18:30
*** dave-mccowan has quit IRC18:35
*** vkmc has quit IRC18:37
*** sahilsinha has quit IRC18:37
*** fungi has quit IRC18:37
*** vkmc has joined #openstack-containers18:40
*** Chealion has quit IRC18:42
*** tobberydberg has quit IRC18:42
*** mnaser has quit IRC18:42
*** fungi has joined #openstack-containers18:48
*** mnaser has joined #openstack-containers19:08
*** robertomls has joined #openstack-containers19:18
*** spiette has quit IRC19:32
*** sdake has quit IRC19:33
*** sdake has joined #openstack-containers19:34
*** spiette has joined #openstack-containers19:36
*** ArchiFleKs has quit IRC19:39
*** robertomls has quit IRC19:43
*** flwang1 has quit IRC19:47
*** robertomls has joined #openstack-containers19:47
*** robertomls has quit IRC20:16
*** robertomls has joined #openstack-containers20:16
*** robertomls has quit IRC20:41
strigaziflwang: imdigitaljim are you here?20:58
*** canori02 has joined #openstack-containers20:59
strigaziI'll wait a bit before starting the meeting21:00
imdigitaljimyeah21:00
imdigitaljimsorry21:00
imdigitaljimim available21:00
strigaziI think flwang will join at some point21:01
strigaziimdigitaljim: let's start then21:01
strigazi#startmeeting containers21:01
openstackMeeting started Tue Aug 21 21:01:48 2018 UTC and is due to finish in 60 minutes.  The chair is strigazi. Information about MeetBot at http://wiki.debian.org/MeetBot.21:01
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.21:01
*** openstack changes topic to " (Meeting topic: containers)"21:01
openstackThe meeting name has been set to 'containers'21:01
strigazi#topic Roll Call21:01
*** openstack changes topic to "Roll Call (Meeting topic: containers)"21:01
imdigitaljimo/21:02
colin-hi21:02
strigazio/21:02
*** harlowja has joined #openstack-containers21:02
strigazi#topic Announcements21:02
*** openstack changes topic to "Announcements (Meeting topic: containers)"21:02
strigazikubernetes v1.11.2 is up: https://hub.docker.com/r/openstackmagnum/kubernetes-kubelet/tags/21:03
canori02o/21:03
strigazi#topic Blueprints/Bugs/Ideas21:03
*** openstack changes topic to "Blueprints/Bugs/Ideas (Meeting topic: containers)"21:03
strigazihello canori0221:03
imdigitaljimi saw your proxy merge. I'll rebase those other ones and we'll be good to go =]21:04
imdigitaljimon a sidenote we recently switched over to DS proxy as well21:04
imdigitaljimso if you want i can throw a PR for that at some point?21:04
strigaziimdigitaljim: you changed to DS downstream?21:04
imdigitaljimyeah21:05
imdigitaljimmaking motion towards self-hosted21:05
imdigitaljimto make in-place upgrades smoother21:05
strigaziI think it is better to move to DS if we have a plan for most of the components21:05
imdigitaljimwell ill get a PR up for it soon21:06
strigaziyou have only proxt as DS21:06
strigazi?21:06
imdigitaljimyeah currently21:06
imdigitaljimeverything else is static still for now21:06
strigaziand calico is a DS right?21:06
imdigitaljimyes21:06
imdigitaljimand keystone-auth plugin is DS21:06
imdigitaljimfor masters21:06
imdigitaljimnodeSelector: node-role.kubernetes.io/master: ""21:07
imdigitaljimin other words21:07
imdigitaljimccm is the same as well21:07
strigazinode selector can be used for api and sch and cm I guess21:08
imdigitaljimin most deployments that is exactly whats its for21:08
imdigitaljimbut yeah that'd be appropriate too21:08
imdigitaljimand a few tolerations21:09
imdigitaljimi have some concerns about the reliability on self-hosted21:09
imdigitaljimin terms of node reboot21:09
imdigitaljimso i think ill have to plan those out21:09
imdigitaljimand see what our 'competition' does21:10
imdigitaljimbut in general i think our near term goals will be in-place upgrade21:10
strigazistatic pods shouldn't be a problem if kubelet starts21:10
imdigitaljimyeah thats what i was thinking21:11
imdigitaljimexcept we'd probably need to keep etcd static as well21:11
imdigitaljimwithout etcd it cant join21:11
imdigitaljimwhat kubeadm does is it throws up a static set for rejoining21:11
imdigitaljimand then tears it down when reconnected to the clusterr21:11
imdigitaljimwhich i think would be preferable21:11
strigaziWhat do you mean with a static set?21:12
strigazifor single master that I have tried, it is just a static pod, isn't it?21:12
imdigitaljimit ends up being one yes21:12
imdigitaljimi think i'll have to investigate the workflow a little more21:13
imdigitaljimmake sure im also understanding it correctly21:13
strigaziif the data of etcd are in place, rebooting the node isn't a problem21:13
imdigitaljimbut if etcd is self-hosted as well21:13
strigaziusing a static pod or not21:14
imdigitaljimtheres no apiserver online to interact with it21:14
imdigitaljimno?21:14
strigazikubelet can't start pods without an api server21:14
imdigitaljim(multimaster scenario)21:14
imdigitaljimexactly21:14
strigaziIn multimaster I don't know what kubeadm does21:15
strigaziif it converts the static pods to a deployment21:15
strigazior ds21:15
imdigitaljimi think this problem is significantly easier in single master21:15
strigaziwell if, you use static pods, it is the "same" for multi and single master21:16
imdigitaljimyeah21:16
strigaziif reboot one by one21:16
imdigitaljimare you assuming etcd is also self-hosted in this?21:17
strigaziif you reboot all of them in one go maybe the result is different21:17
imdigitaljimor not21:17
strigaziI don't see a diference21:17
strigazikubelet for static pods is like systemd for processes :)21:18
flwangsorry i'm late21:18
colin-welcome21:18
imdigitaljimhttps://github.com/kubernetes/kubeadm/blob/master/docs/design/design_v1.10.md#optional-and-alpha-in-v19-self-hosting21:18
imdigitaljimi believe there are some unaccounted for situations21:19
strigazioh, you mean make even etcd a ds21:20
strigaziI wouldn't do that :)21:20
strigaziit sounds terrifying21:21
imdigitaljimhaha21:21
imdigitaljimyeah just some concerns to look at21:21
imdigitaljimdefinitely possible to overcome though21:21
strigaziok, since flwang is also in,21:22
flwangds for etcd?21:22
colin-yes, mad science lab :)21:22
strigaziI was rebasing the upgrades api and I spent a good three hourds debugging. (ds for etcd, yes)21:23
strigaziThe new change for the svc account keys was "breaking" the functionality21:23
flwangstrigazi: breaking?21:24
strigazibut I finally, figured it out, when magnum creates the dict for params to pass to heat21:24
strigaziit adds and generate the keys for the service account21:25
strigaziand if since it generates every time magnum creates the params it means that the keys will be different21:25
strigazi"breaking" not really breaking21:25
flwangah21:26
flwangso do we need any change for the key generating?21:26
strigazimaybe, but for now I just ignore those two params21:26
strigaziI'll push after the meeting21:26
imdigitaljimthats a crazy issue21:27
imdigitaljimyeah21:27
imdigitaljimmaybe we should save in barbican21:27
imdigitaljimor21:27
flwangstrigazi: ok, i will keep an eye on that part21:27
imdigitaljimwhatever secret backend21:27
imdigitaljimand extract or create depending on update/create?21:27
strigaziwe should do the same thing we do for the ca21:27
imdigitaljimso yeah^21:27
strigaziimdigitaljim we can do that too21:27
strigazithe only thing I don't like is having the secret in barbican and then passing it as a heat paramter21:28
colin-i think that would be useful without too much cost21:28
colin-oh21:28
strigaziIt will stay in heat db for ever21:29
colin-that's lame21:29
imdigitaljimthats true21:29
strigaziencrypted, but still21:29
imdigitaljimcan trustee be extended to allow cluster to interact with barbican?21:29
strigaziyes21:29
imdigitaljim(or secret backend)21:29
strigaziwe don't have to do anything actually, the trustee with the trust can talk to barbican21:30
imdigitaljimyeah21:30
imdigitaljimthats what i was hoping :]21:30
strigazivault or other is different21:30
imdigitaljimi havent actually tried it21:30
imdigitaljimpeople can add support for other backend as they need imho21:30
strigaziLet's see in stein21:30
flwangimdigitaljim: i'm interested in your keystone implementation btw21:31
imdigitaljimoh sure21:31
flwangimdigitaljim: especially if it needs api restart21:31
imdigitaljimive been working through some changes on new features here and we just accepted some alpha customers so we've been tied up21:31
imdigitaljimbut ill revisit those PR's and then some21:31
imdigitaljimwhich api restart?21:32
flwangk8s api server21:32
imdigitaljimoh im not doing a restart, im confused?21:33
strigaziwhy it needs an api restart?21:33
flwangbecause based on testing, you have to restart k8s api server after you got the service URL of keystone auth service21:33
flwangif it's deployed as DS21:33
imdigitaljimoh yeah i havent needed to at all21:33
strigaziflwang: when I tried I didn't restarted the k8s-api21:33
strigaziflwang you can use host-network21:33
imdigitaljim^21:34
imdigitaljimi dont know if you're using gthat21:34
flwangthen I really want to know how  did you do that if you don't deployed it on master21:34
flwangmaster's kubelet21:34
imdigitaljimbut we are doing hostNetwork: true21:34
imdigitaljimi do21:34
imdigitaljim      tolerations:21:34
imdigitaljim      - key: dedicated21:34
imdigitaljim        value: master21:34
imdigitaljim        effect: NoSchedule21:34
imdigitaljim      - key: CriticalAddonsOnly21:34
imdigitaljim        value: "True"21:34
imdigitaljim        effect: NoSchedule21:34
imdigitaljim      nodeSelector:21:34
imdigitaljim        node-role.kubernetes.io/master: ""21:34
imdigitaljimwe're putting most kube-system resources on masters21:35
flwangso your k8s-keystone-auth service is running as DS and not running on master, right?21:35
imdigitaljimnot like dashboards and whatnot21:35
imdigitaljimits running a DS on master21:35
imdigitaljimand not on minion21:35
flwangah, right21:35
flwangthen yes, for that case, it's much easier and could avoid the api restart21:36
imdigitaljimoh okay yeah21:36
flwangso, should we just get the kubelet back on master?21:36
strigaziit seems too reasonable :)21:36
strigazito not get it21:37
imdigitaljimo/ ill be glad to add it back21:37
imdigitaljimalso strigazi: could we make the flannel parts also a software deployment21:37
imdigitaljimare those necesssary to be apart of cloud-init?21:37
strigaziwe could, no they don't21:37
imdigitaljimi've noticed we're nearing the capacity on cloud-init data21:38
flwangif we all agree 'kubelet' back on master, then it's easy21:38
imdigitaljimyeah21:38
flwangwe just need to drop some 'if' check for calico21:38
strigazithat should be enough21:39
imdigitaljimhow do you all feel about leveraging a helm for prometheus/dashboard/etc21:39
imdigitaljiminstead of using our scripts going forwad?21:39
imdigitaljimforward?21:39
imdigitaljimhelm charts and such are much cleaner/easier to maintain21:39
strigaziwe were discussing this today21:39
strigaziyes, we could21:39
flwangto be more clear, should kubelet on master in Rocky?21:40
strigazithe question is21:40
strigaziif we don't put it Rocky, how many user will cherry-pick downstream21:40
strigaziif we don't put it Rocky, how many users will cherry-pick downstream21:40
imdigitaljimi think it would be appropriate for rocky21:40
imdigitaljimstein is a bit far out for such a critical change21:41
flwangStein will be a very long release21:41
flwangthe longest so far IIRC21:41
strigaziyes it will21:42
flwangI think the risk is low and the benefit is big21:42
strigazi+121:42
flwangok, then I will propose a patch this week21:43
flwangI'm glad to see Magnum team is so productive21:43
imdigitaljim\o/21:43
strigazi:)21:43
colin-yeah i think that's worthwhile, it will provide a lot of benefit for consumers21:44
strigaziThe only area we haven't push a lot, is the -1 stable branch21:44
strigaziusually stable and master are in very good shape and are up to date21:45
strigazibut current-stable -1 is a little behind21:45
strigaziI don't know if we can put a lot of effort into old branches21:46
strigazithe ones that we are present here run stable + patches21:47
strigazisince we will push some more patches in rocky should we give it a timeline of two or three weeks?21:49
strigazithe bracnh is cut, packagers will have everything in place, we can do as many releases as we want with non-breaking changes like these21:50
strigazimakes sense?21:50
*** itlinux has quit IRC21:51
strigaziimdigitaljim: flwang colin- canori02 ^^21:51
canori02Makes sense21:51
colin-yeah that seems reasonable21:52
imdigitaljimyeah21:52
imdigitaljimthat sounds great21:52
strigaziimdigitaljim: colin- you use rpms? containers? ansible?21:52
imdigitaljimfor magnum?21:53
strigaziflwang: canori02 you?21:53
strigaziimdigitaljim: yes21:53
imdigitaljimcontainers21:53
strigazikolla?21:53
imdigitaljimpuppet + containers21:54
canori02ansible here21:54
strigaziinteresting we have a spectrum21:54
strigaziwe use puppet + rpms21:54
flwangsorry, was in standup meeting21:55
flwangi'm reading the log21:55
strigazibut we have a large koji infra for rpms21:55
flwangwe're using puppet+debian pkg21:56
strigaziyou deploy on debian sid?21:56
strigaziit is  strech now21:57
strigazianything else folks?21:59
strigazisee you next week or just around21:59
strigazi#endmeeing22:00
strigazi#endmeeting22:00
*** openstack changes topic to "OpenStack Containers Team"22:00
openstackMeeting ended Tue Aug 21 22:00:06 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)22:00
openstackMinutes:        http://eavesdrop.openstack.org/meetings/containers/2018/containers.2018-08-21-21.01.html22:00
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/containers/2018/containers.2018-08-21-21.01.txt22:00
openstackLog:            http://eavesdrop.openstack.org/meetings/containers/2018/containers.2018-08-21-21.01.log.html22:00
strigazicanori02: For your coreos patch, it is still doesn't work for me. Is it working with master?22:00
flwangstrigazi: thanks for hosting22:01
flwangstrigazi: what's our strategy for coreOS driver?22:02
flwangshould we try to do more catch up for that driver?22:02
openstackgerritSpyros Trigazis proposed openstack/magnum master: WIP: Add cluster upgrade to the API  https://review.openstack.org/51495922:03
canori02strigazi: I think I had it on 17.0.2. But I'll bring it up to master and fix accordingly. Was it just when providing the custom ca tgat it didn't work for you?22:03
strigaziflwang: you are welcome. yes we should, we should invest in ignition22:04
strigazicanori02: well the base64 way needs also decofing on the driver side22:05
strigazicanori02: yes in the make-cert part is not working22:05
flwangstrigazi: is ignition the replacement for cloud-init on coreos?22:05
strigaziflwang: yes, kind of22:05
flwanggot22:05
strigaziignition runs before the OS boots22:05
flwangstrigazi: thanks for the upgrade api patch ;)22:06
strigazibut it can write config files22:06
canori02It's the replacement for coreos-cloudconfig22:06
strigaziflwang: it needs one more patch for the separating the paramters for master and minioin22:07
strigazicanori02: maybe we can escape the \ in \n22:07
flwangstrigazi: when that patch will be pushed?22:07
strigazithis or we encode in base64 and decode in the nodes22:07
strigaziI'm trying to rebase22:07
flwangstrigazi: great, sorry for pushing22:09
strigaziflwang: thanks for pushing!22:09
*** rcernin has joined #openstack-containers22:10
flwangstrigazi: haha22:11
flwangwe're keen for that feature, so.....22:11
flwanghave a good night, i'm all good for today22:12
colin-ttyl22:12
openstackgerritSpyros Trigazis proposed openstack/magnum master: k8s_atomic: Add upgrade node functionallity  https://review.openstack.org/51496022:18
strigazires22:19
flwangimdigitaljim: still around?22:22
imdigitaljimyeah22:22
flwangimdigitaljim: when you rebase you tidy master patch, could you please consider that we will bring the kubelet back?22:23
imdigitaljimyes absolutely22:23
flwangto make all our life easier ;)22:23
imdigitaljimi was planning to do so22:23
imdigitaljim:]22:23
flwangcool, i will add you as reviewer for the kubelet patch22:23
canori02strigazi: how can I pass a ca to a magnum cluster? I hadn't used that functionality before22:24
imdigitaljimtheres a few variables that exist for it22:24
imdigitaljimif you mean a ca.crt22:25
strigaziflwang: imdigitaljim I think it is cleaner to add kubelet first22:25
strigazicanori02: the ca is passed already22:26
imdigitaljimthats fine too22:26
imdigitaljimi can make a cleanup pass after kubelet22:26
imdigitaljimso flwang just do what you'd need and ill fix it up22:26
flwangstrigazi: yes, that's my plan22:28
flwangimdigitaljim: awesome, thanks22:28
imdigitaljimstrigazi: what is the overall goal of thise upgrade22:29
imdigitaljimwill you upgrading api/scheduler/controller as well?22:30
strigaziall components22:30
strigazithat we have tags for22:30
imdigitaljimawesome22:30
imdigitaljimlook forward to seeing it completed22:31
strigazi:)22:32
*** hongbin has quit IRC22:44
openstackgerritMerged openstack/magnum-ui master: Imported Translations from Zanata  https://review.openstack.org/59405423:40
« Monday, 2018-08-20 Index Wednesday, 2018-08-22 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!