*** ttsiouts has joined #openstack-containers | 00:00 | |
*** ttsiouts has quit IRC | 00:33 | |
openstackgerrit | jacky06 proposed openstack/magnum-tempest-plugin master: Remove six https://review.opendev.org/725653 | 01:20 |
*** xinliang has joined #openstack-containers | 01:39 | |
*** sapd1_x has quit IRC | 01:41 | |
*** xinliang has quit IRC | 02:03 | |
*** sapd1_x has joined #openstack-containers | 02:19 | |
*** sapd1_x has quit IRC | 02:29 | |
*** ttsiouts has joined #openstack-containers | 02:30 | |
*** ttsiouts has quit IRC | 02:39 | |
*** ttsiouts has joined #openstack-containers | 02:39 | |
*** sapd1_x has joined #openstack-containers | 02:43 | |
openstackgerrit | Merged openstack/magnum master: [ci] Remove unnecessary container build tasks https://review.opendev.org/719774 | 02:57 |
*** vishalmanchanda has joined #openstack-containers | 03:03 | |
*** ttsiouts has quit IRC | 03:04 | |
*** ramishra has joined #openstack-containers | 03:37 | |
*** ykarel|away is now known as ykarel | 03:54 | |
*** openstack has joined #openstack-containers | 04:22 | |
*** ChanServ sets mode: +o openstack | 04:22 | |
*** udesale has joined #openstack-containers | 04:40 | |
*** ttsiouts has joined #openstack-containers | 05:01 | |
*** ttsiouts has quit IRC | 05:33 | |
*** belmoreira has joined #openstack-containers | 06:53 | |
*** ttsiouts has joined #openstack-containers | 07:04 | |
*** yolanda has joined #openstack-containers | 07:14 | |
*** openstackstatus has quit IRC | 07:46 | |
*** openstack has joined #openstack-containers | 07:49 | |
*** ChanServ sets mode: +o openstack | 07:49 | |
*** ttsiouts has quit IRC | 08:07 | |
*** ttsiouts has joined #openstack-containers | 08:07 | |
LarsErikP | so.. this was removed from stein? https://opendev.org/openstack/magnum/commit/d95ba4d1fff69df506928339bb9eb3472bb4f3d1 | 08:09 |
LarsErikP | in addition to what I mentioned yesterday, when I try to run a k8s cluster, flannel is never installed it seems | 08:10 |
openstackgerrit | Merged openstack/magnum-ui master: Imported Translations from Zanata https://review.opendev.org/725491 | 08:27 |
*** ykarel is now known as ykarel|lunch | 08:45 | |
*** flwang1 has joined #openstack-containers | 08:58 | |
flwang1 | anybody around? | 09:00 |
flwang1 | shall we cancel this meeting? | 09:00 |
*** strigazi has joined #openstack-containers | 09:00 | |
flwang1 | strigazi: ping | 09:01 |
strigazi | flwang1: o/ | 09:01 |
flwang1 | strigazi: Bharat won't join today | 09:01 |
strigazi | I saw the etherpad | 09:01 |
flwang1 | so I assume just you and me, we can have open discussion or the meeting, up to you | 09:01 |
strigazi | let's do the open discussion logged as a meeting :) | 09:02 |
flwang1 | #startmeeting | 09:02 |
openstack | flwang1: Error: A meeting name is required, e.g., '#startmeeting Marketing Committee' | 09:02 |
flwang1 | #startmeeting magnum | 09:02 |
openstack | Meeting started Wed May 6 09:02:37 2020 UTC and is due to finish in 60 minutes. The chair is flwang1. Information about MeetBot at http://wiki.debian.org/MeetBot. | 09:02 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 09:02 |
*** openstack changes topic to " (Meeting topic: magnum)" | 09:02 | |
openstack | The meeting name has been set to 'magnum' | 09:02 |
flwang1 | strigazi: i just approved the labels spec | 09:02 |
flwang1 | ttsiouts can start the work now | 09:03 |
strigazi | #topic labels override | 09:03 |
ttsiouts | o/ | 09:03 |
flwang1 | strigazi: i kind of agree with you that we shouldn't use the config option to 'break' the api | 09:03 |
strigazi | I left a comment about the name, I did some deep research on wording | 09:04 |
flwang1 | so i'm ok leave it as False | 09:04 |
flwang1 | strigazi: yep, i saw that. and I appreciate your work | 09:04 |
strigazi | It turns out merge is more to the point... I think I initially proposed override :( | 09:05 |
openstackgerrit | Merged openstack/magnum-specs master: Magnum Labels Override https://review.opendev.org/716571 | 09:05 |
strigazi | Based on method overriding | 09:05 |
ttsiouts | so should we go with 'merge' instead? | 09:05 |
ttsiouts | if so, I need to change the spec also | 09:06 |
strigazi | I think since we are just on the name discussion and for the "real" issues we have agreement, we can start polishing the implementation | 09:06 |
flwang1 | strigazi: are you saying that you're voting 'merge'? | 09:06 |
strigazi | the name will be just a sed | 09:06 |
flwang1 | strigazi: +1 | 09:06 |
flwang1 | ttsiouts: pls focus on the code part | 09:07 |
ttsiouts | flwang1: sure | 09:07 |
flwang1 | we can continue the name discussion there and update the spec later | 09:07 |
ttsiouts | since we are discussing about this now, could we decide on the name now also? | 09:07 |
ttsiouts | I think we all need this to get merged asap | 09:08 |
strigazi | naming is "hard" but it's a detail. Without brtknr we will go back to drawing when he joins | 09:08 |
flwang1 | ttsiouts: i have approved the spec already | 09:08 |
strigazi | So it is merged too \o/ | 09:09 |
ttsiouts | \o/ | 09:09 |
flwang1 | yep, i think strigazi and I agree to use 'merge', but we'd like to get a 'yes' from brtknr anyway :) | 09:09 |
ttsiouts | great! | 09:09 |
strigazi | so for you it's a go :) | 09:10 |
ttsiouts | flwang1, strigazi: great! thanks a lot for your effort | 09:10 |
flwang1 | ttsiouts: thank you! | 09:11 |
flwang1 | strigazi: move on? | 09:11 |
strigazi | yes | 09:11 |
strigazi | For nodes list | 09:12 |
flwang1 | yes | 09:12 |
strigazi | flwang1: we go with ng node list | 09:12 |
strigazi | and then we see? | 09:12 |
flwang1 | i have got new comments from Thomas and i'm happy with it | 09:13 |
flwang1 | did you see it? | 09:13 |
flwang1 | strigazi: IIUC, currently, we just need the nodes list based on a given NG | 09:14 |
strigazi | flwang1: exactly what I was typing | 09:14 |
flwang1 | and i think we have no choice, we need to build it in memory but query heat and nova | 09:14 |
strigazi | flwang1: for a nodegroup, you can get the nodes with one heat call | 09:15 |
flwang1 | the tricky part maybe the pagination, but i prefer to leave the pagination later, are you ok with that? | 09:15 |
flwang1 | strigazi: yep, i know, i should say 'may be need call nova (or not)' | 09:15 |
flwang1 | because Thomas mentioned he needs the status and reason of the instance, so i'm not 100% sure if heat can provide that info or not | 09:16 |
strigazi | flwang1: we don't need calls to nova at this point. 1. heat does many calls to nova already. 2. We cut through the stack | 09:16 |
flwang1 | that's details | 09:16 |
flwang1 | i will figure out | 09:16 |
*** dioguerra has joined #openstack-containers | 09:17 | |
flwang1 | are you ok do the pagination later? | 09:17 |
strigazi | flwang1: We can get status from heat too. | 09:17 |
strigazi | yes | 09:17 |
flwang1 | wonderful | 09:17 |
strigazi | assuming we support up to 1000 nodes? | 09:17 |
strigazi | or there is no max? | 09:18 |
strigazi | flwang1: ^^ we just return all the info we have | 09:19 |
flwang1 | what's the max size cluster in cern? | 09:19 |
flwang1 | k8s can support 5k i think | 09:19 |
flwang1 | but i don't think it's a common case in prod | 09:19 |
flwang1 | especially given it's a one NG, not the whole cluster | 09:20 |
strigazi | I don't think we go over 500 atm | 09:20 |
strigazi | only for testing. Anyway, pagination later | 09:20 |
strigazi | I'll leave a comment on gerrit | 09:21 |
flwang1 | cool | 09:21 |
flwang1 | thanks, man | 09:21 |
strigazi | One more from me: Support Helm v3 https://review.opendev.org/#/c/720234/ | 09:22 |
strigazi | Do you agree since we refactor to do a metachart? | 09:22 |
strigazi | I have all info about it in gerrit | 09:22 |
flwang1 | i haven't gone through all the comments there, but as long as we don't break v2, i'm ok with that | 09:23 |
flwang1 | do you have any concern? | 09:25 |
strigazi | it is fully compatible with v2 | 09:25 |
strigazi | the charts we use are simple. Users/Operators could pick v3 or v3 | 09:26 |
strigazi | the charts we use are simple. Users/Operators could pick v3 or v2 | 09:26 |
flwang1 | then i'm happy | 09:26 |
*** ykarel|lunch is now known as ykarel | 09:27 | |
strigazi | Next, this can be merged | 09:28 |
strigazi | https://review.opendev.org/#/c/725391/ | 09:28 |
*** k_mouza has joined #openstack-containers | 09:29 | |
strigazi | some eventlet nonsense but needed | 09:29 |
flwang1 | done | 09:29 |
strigazi | I think that's it | 09:29 |
strigazi | I'll finish the storyboard clean up now, and we are fully on with reviews and tasks. | 09:30 |
flwang1 | strigazi: if you have time, it would be nice if you can take a look https://review.opendev.org/#/c/714347/ | 09:32 |
strigazi | This is a mapping? | 09:34 |
flwang1 | what do you mean 'mapping'? | 09:34 |
strigazi | [az1, az2, foo] master-0 -> master-1 -> az2 master-2 -> foo | 09:34 |
flwang1 | yes | 09:34 |
flwang1 | master0-> az1, master 1> az2, master2 -> foo | 09:35 |
strigazi | There is no other way? server group spread on AZs? | 09:37 |
flwang1 | can server group spread on AZs automatically? | 09:37 |
flwang1 | i don't know,i need to do some research | 09:37 |
flwang1 | i have another question about multi masters | 09:38 |
strigazi | I checked, not | 09:38 |
strigazi | I checked, no | 09:38 |
flwang1 | IIRC, you mentioned that there is no LB (eg. octavia ) in CERN | 09:38 |
strigazi | This changed two weeks afo | 09:39 |
strigazi | This changed two weeks ago | 09:39 |
flwang1 | so how do you use multi masters? | 09:39 |
strigazi | Today we are opening multimaster to all users. | 09:39 |
flwang1 | so user can use ip0, ip1 and ip2 to access the k8s api? | 09:40 |
strigazi | one virtual ip | 09:40 |
flwang1 | e.g. a 3 master nodes | 09:40 |
flwang1 | can magnum support the virtual IP without lb? | 09:40 |
flwang1 | i even don't know that | 09:41 |
strigazi | there is no LB (eg. octavia ) in CERN -> This changed two weeks ago | 09:41 |
flwang1 | ok | 09:41 |
flwang1 | i mean before that | 09:41 |
strigazi | or 4 weeks? ttsiouts when we opened LB | 09:41 |
strigazi | before that single master only | 09:42 |
flwang1 | aaaaaaaaahhh | 09:42 |
flwang1 | fair enough | 09:42 |
flwang1 | i'd like to introduce a new field for cluster creation | 09:42 |
strigazi | master-lb-enabled ? | 09:42 |
flwang1 | clever boy | 09:43 |
strigazi | excellent | 09:43 |
strigazi | +2 | 09:43 |
flwang1 | do you want to understand more background? | 09:43 |
flwang1 | in CC, we're providing 2 templates for each version | 09:43 |
strigazi | not different CTs for single VS multi-master | 09:43 |
flwang1 | dev and prod | 09:44 |
flwang1 | one of the main difference is the lb | 09:44 |
strigazi | yeap, got it | 09:44 |
flwang1 | we'd like to merge it to one | 09:44 |
strigazi | same here | 09:44 |
flwang1 | and along with the labels merging, it would make our life much easier | 09:45 |
strigazi | sounds good to me | 09:45 |
flwang1 | fantastic | 09:45 |
strigazi | I think ttsiouts implement the two features with the biggest influence to remove user pain | 09:46 |
strigazi | * implemented | 09:46 |
strigazi | labels are coming fast | 09:46 |
flwang1 | which 2? | 09:46 |
flwang1 | labels and ? | 09:46 |
strigazi | nodegroups and labels | 09:46 |
flwang1 | right | 09:46 |
flwang1 | yes | 09:46 |
flwang1 | nodegroup is a very good one | 09:47 |
strigazi | different flavors with ngs, no hacks for labels | 09:47 |
flwang1 | i really appreciate the contribution from CERN | 09:47 |
strigazi | ttsiouts++ | 09:47 |
flwang1 | kudos on ttsiouts | 09:47 |
ttsiouts | strigazi, flwang1: thank you guys for all the reviews and ideas! | 09:48 |
flwang1 | strigazi: can i book you for another 12 mins? | 09:48 |
strigazi | ttsiouts: :) flwang1: Anything else? I mean to discuss not for ttsiouts | 09:48 |
strigazi | tell me | 09:49 |
flwang1 | i proposed a patch about the security group hardening | 09:49 |
strigazi | right, you restored it | 09:49 |
flwang1 | but my original one was too strict, i'd like to improve it to set the security group rules based on the FIP and LB setting | 09:49 |
flwang1 | or maybe a new label from user to set the security rules dynamically | 09:50 |
flwang1 | in short, by default, it will be same as now | 09:51 |
flwang1 | but it can be hardened if user prefer to | 09:51 |
flwang1 | i know it may be not sounds very charming for CERN or StackHPC, but i believe mnaser will like it | 09:52 |
flwang1 | strigazi: ^ | 09:52 |
flwang1 | and CityNetworks | 09:52 |
strigazi | +1, I think we can have some reasonably secure default sec-groups. What do you want to pass on cluster creation? | 09:52 |
strigazi | extra rules? | 09:54 |
flwang1 | for example, if lb enabled, then master nodes shouldn't open port to 0.0.0.0/0, but only the fixed network range of the cluster | 09:54 |
strigazi | or in the CT | 09:54 |
flwang1 | i'm still in the design | 09:54 |
flwang1 | in CC, we just hardcode the rules now | 09:54 |
flwang1 | but it doesn't fit for upstream | 09:54 |
flwang1 | but before i put more effort to dig, i'd like to get a general approval from you guys | 09:55 |
flwang1 | to make sure community like the improvement direction | 09:55 |
strigazi | does this help? https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#check-required-ports | 09:55 |
flwang1 | yes, and actually we know all the port clearly so far. and we verified with sonobuoy | 09:56 |
flwang1 | i just need a new design to update the security group rules on the air | 09:56 |
flwang1 | and it would be a bit hard, i can imagine | 09:57 |
strigazi | If we follow what this link says plus a way to pass a security group per nodegroup you don't need anything else, no? | 09:57 |
flwang1 | let me give you an example, if user is using flannel, should we allow calico port? | 09:58 |
strigazi | no | 09:58 |
flwang1 | or it's ok if it's only allowed within the network scope? | 09:58 |
flwang1 | is it ok | 09:58 |
*** ttsiouts has quit IRC | 09:58 | |
strigazi | as mentioned here, no: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#worker-node-s | 09:59 |
strigazi | the bgp ports are closed. | 09:59 |
*** ttsiouts has joined #openstack-containers | 09:59 | |
strigazi | So they need to open within the cluster network only if calico is used | 10:00 |
flwang1 | right, that's easy | 10:00 |
flwang1 | ok | 10:00 |
flwang1 | i will refactor the patch and invite you guys to review it | 10:00 |
flwang1 | thank you all your valuable input | 10:00 |
strigazi | sure thing | 10:01 |
flwang1 | have a nice day, ttyl | 10:01 |
strigazi | bye | 10:01 |
flwang1 | o/ | 10:01 |
strigazi | don't forget to end the meeting | 10:01 |
strigazi | flwang1: ^^ | 10:01 |
strigazi | #endmeeting | 10:02 |
strigazi | I don't think I can do it | 10:02 |
*** flwang1 has quit IRC | 10:05 | |
*** born2bake has quit IRC | 10:10 | |
*** born2bake has joined #openstack-containers | 10:10 | |
*** xinliang has quit IRC | 10:24 | |
*** ttsiouts has quit IRC | 10:27 | |
*** ttsiouts has joined #openstack-containers | 10:30 | |
*** frickler has joined #openstack-containers | 10:31 | |
openstackgerrit | Merged openstack/magnum master: Monkey patch original current_thread _active https://review.opendev.org/725391 | 10:31 |
frickler | #endmeeting | 10:31 |
*** openstack changes topic to "OpenStack Containers Team | Meeting: every Wednesday @ 9AM UTC | Agenda: https://etherpad.openstack.org/p/magnum-weekly-meeting" | 10:31 | |
openstack | Meeting ended Wed May 6 10:31:15 2020 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 10:31 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/magnum/2020/magnum.2020-05-06-09.02.html | 10:31 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/magnum/2020/magnum.2020-05-06-09.02.txt | 10:31 |
openstack | Log: http://eavesdrop.openstack.org/meetings/magnum/2020/magnum.2020-05-06-09.02.log.html | 10:31 |
*** pcaruana has quit IRC | 10:31 | |
*** ttsiouts has quit IRC | 10:48 | |
*** pcaruana has joined #openstack-containers | 10:50 | |
*** pcaruana has quit IRC | 10:57 | |
*** livelace has joined #openstack-containers | 11:01 | |
*** pcaruana has joined #openstack-containers | 11:02 | |
*** jmlowe has quit IRC | 11:03 | |
*** jmlowe has joined #openstack-containers | 11:05 | |
*** ttsiouts has joined #openstack-containers | 11:25 | |
*** ttsiouts has quit IRC | 11:30 | |
*** ttsiouts has joined #openstack-containers | 11:32 | |
*** xinliang has joined #openstack-containers | 11:46 | |
*** sapd1_x has quit IRC | 11:59 | |
*** dioguerra has quit IRC | 12:03 | |
*** livelace has quit IRC | 12:13 | |
*** xinliang has quit IRC | 12:20 | |
*** udesale_ has joined #openstack-containers | 12:23 | |
*** udesale has quit IRC | 12:26 | |
*** ykarel is now known as ykarel|afk | 12:38 | |
*** livelace has joined #openstack-containers | 13:34 | |
*** ttsiouts has quit IRC | 13:39 | |
*** ykarel|afk is now known as ykarel | 13:54 | |
*** livelace has quit IRC | 13:59 | |
*** livelace has joined #openstack-containers | 14:01 | |
*** ttsiouts has joined #openstack-containers | 14:08 | |
*** ttsiouts has quit IRC | 14:13 | |
*** ttsiouts has joined #openstack-containers | 14:22 | |
*** jhesketh has quit IRC | 14:22 | |
*** belmoreira has quit IRC | 14:25 | |
*** udesale_ has quit IRC | 14:38 | |
*** ttsiouts has quit IRC | 14:38 | |
*** belmoreira has joined #openstack-containers | 14:44 | |
*** jhesketh has joined #openstack-containers | 14:51 | |
*** belmoreira has quit IRC | 14:54 | |
*** belmoreira has joined #openstack-containers | 14:56 | |
*** jmlowe has quit IRC | 15:08 | |
*** jmlowe has joined #openstack-containers | 15:09 | |
*** belmoreira has quit IRC | 15:11 | |
*** ttsiouts has joined #openstack-containers | 15:13 | |
*** ttsiouts has quit IRC | 15:18 | |
*** belmoreira has joined #openstack-containers | 15:23 | |
*** ykarel is now known as ykarel|away | 15:23 | |
*** belmoreira has quit IRC | 15:36 | |
*** belmoreira has joined #openstack-containers | 15:40 | |
*** ttsiouts has joined #openstack-containers | 16:05 | |
*** ttsiouts has quit IRC | 16:23 | |
*** ttsiouts has joined #openstack-containers | 16:41 | |
*** born2bake has quit IRC | 16:45 | |
*** born2bake has joined #openstack-containers | 16:45 | |
*** ttsiouts has quit IRC | 16:51 | |
*** born2bake has quit IRC | 16:51 | |
*** k_mouza has quit IRC | 17:10 | |
*** irclogbot_2 has quit IRC | 17:20 | |
*** irclogbot_1 has joined #openstack-containers | 17:23 | |
*** livelace has quit IRC | 17:44 | |
*** ttsiouts has joined #openstack-containers | 17:45 | |
*** ttsiouts has quit IRC | 17:49 | |
*** born2bake has joined #openstack-containers | 17:49 | |
*** livelace has joined #openstack-containers | 18:03 | |
*** k_mouza has joined #openstack-containers | 19:25 | |
*** yolanda has quit IRC | 19:33 | |
*** k_mouza has quit IRC | 19:57 | |
*** belmoreira has quit IRC | 19:58 | |
*** belmoreira has joined #openstack-containers | 20:10 | |
*** redcavalier has joined #openstack-containers | 20:10 | |
*** flwang1 has joined #openstack-containers | 20:13 | |
flwang1 | #endmeeting | 20:13 |
flwang1 | brtknr: ping | 20:14 |
brtknr | flwang1: hi | 20:14 |
brtknr | how's it going | 20:14 |
flwang1 | brtknr: yesterday, we discussed if we should use 'merge' instead of 'override', strigazi and I are happy to go for 'merge', is it ok for you (as a native speaker)? | 20:15 |
flwang1 | did you see the last comments from strigazi on the spec? | 20:15 |
brtknr | I was in favour of merge early on :) | 20:15 |
brtknr | But someone the consensus moved towards override so glad we're back at merge again | 20:16 |
brtknr | I am not 100% native speaker | 20:16 |
flwang1 | brtknr: wonderful | 20:16 |
brtknr | My first language is Nepalese :) | 20:16 |
flwang1 | that's OK, as a Chinese, I'm sure you're English is better than me :D | 20:17 |
flwang1 | your | 20:17 |
brtknr | How long have you lived in NZ? | 20:17 |
flwang1 | 6 years | 20:17 |
flwang1 | but before that, I worked for IBM for almost 5 years, and use English daily | 20:18 |
brtknr | Cool | 20:20 |
brtknr | Sorry I gotta run, didn't get much sleep last night because of little babies crying all night, I'm exhausted today | 20:22 |
brtknr | Hope you and your family are keeping safe, good day! | 20:22 |
redcavalier | Hi, I realize this is a development channel but I have a quick question regarding openstack-magnum which may sound dumb, but there doesn't seem to be any obvious answer in the documentation. May I ask here? | 20:22 |
*** belmoreira has quit IRC | 20:25 | |
flwang1 | redcavalier: go ahead | 20:31 |
flwang1 | i'm listening | 20:31 |
redcavalier | flwang1: alright, on my openstack setup, my provider external network is completely isolated from the openstack API network. When provisioning a kubernetes cluster, it appears that the instances need to connect to the magnum api endpoints as well as other components and magnum needs to contact the kubernetes https cluster. Is there a way around this, or is it simply how magnum was designed? | 20:33 |
redcavalier | contact the kubernetes cluster through https* sorry | 20:34 |
flwang1 | redcavalier: do you mean your provider network can't talk to the openstack control plane? | 20:34 |
redcavalier | exactly | 20:34 |
redcavalier | I mean I could set up a proxy between each network, but I want to know if magnum itself has a solution for this or not. | 20:36 |
flwang1 | i don't think there is a workaround i'm aware of | 20:37 |
redcavalier | Alright | 20:37 |
flwang1 | redcavalier: is it a private cloud deployment btw? | 20:37 |
redcavalier | hybridcloud. We have customers, but they only have access to the instances, not the openstack plane. We're a hosting company. | 20:38 |
flwang1 | right, that makes sense | 20:38 |
flwang1 | i think a proxy is the good way | 20:39 |
flwang1 | and you can set the proxy in the template | 20:39 |
flwang1 | which has been well tested | 20:39 |
redcavalier | Oh? I'll have to read up on this because I didn't think it would fix my issue when I saw the option. However, thank you for the hint, that gives me something to tell my boss. | 20:41 |
flwang1 | redcavalier: by default, the proxy is used for image pulling | 21:22 |
redcavalier | flwang1: I see, that's probably why I didn't see it as an option. | 21:25 |
flwang1 | but i think it can be also used for the purpose of talking to openstack control plane | 21:26 |
flwang1 | if it can't work, feel free to propose a patch to fix it :) | 21:26 |
redcavalier | Sure, if I can suggest or contribute somehow I will. | 21:29 |
flwang1 | redcavalier: may i know which company you're working for? | 21:33 |
redcavalier | We're called PlanetHoster. We're a fairly small hosting company based in Montreal, Canada. We've been using openstack for several years now and we just started looking into containers on top of openstack. | 21:34 |
jrosser | the instances only need to be able to contact the openstack public api endpoint. I fixed a bug in heat specifically to make this work with an isolated control plane | 21:55 |
jrosser | redcavalier: ^ that’s info for you | 21:58 |
redcavalier | @jrosser Ok, but doesn't magnum need to connect to the kubernetes cluster? I was under that impression because right now I've set it so that communication only works one way, and my kubernetes setup, while provisioned, is in a tainted state. I thought magnum needed to do some configuration itself? That said, I'm running this on rocky. | 22:01 |
jrosser | there are two things, the heat agent in the created vm needs to talk to the openstack public api endpoint, that can be made to work with a config setting in heat | 22:02 |
redcavalier | yea, that works | 22:02 |
jrosser | and if the magnum service needs to talk https from the control plane to the vm then you need an outbound proxy from the control plane (or nat) | 22:03 |
jrosser | two different problems imho | 22:03 |
jrosser | I can’t remember if that control plane to vm communication is needed, it’s been a while | 22:04 |
jrosser | but I have had this working with control plane and provider networks not routable to each other, just an outbound proxy from the control plane | 22:05 |
redcavalier | I see. Right now on my staging environment I have a proxy set up (put a haproxy on my network node) so everything besides https communication works. What I understand is that there should be a way to provision my kubernetes cluster without the nodes showing up as tainted when cluster provisioning is finished. | 22:08 |
jrosser | I meant a forward proxy like squid, not haproxy | 22:10 |
jrosser | if your control plane can NAT out to the VM then that’s not an issue | 22:10 |
jrosser | it depends how isolated your isolated networks really are | 22:10 |
redcavalier | yea, I understand, that's something I'll have to bring up with the person in charge of that. | 22:13 |
jrosser | fwiw I did this with squid and made it work, it’s non trivial though | 22:13 |
redcavalier | Truth be told, the only thing I really needed to know was if it was possible to keep the full isolation. As soon as I was told I needed a proxy, I had my answer. I'm happy to know that it's possible to keep a certain level of isolation though, thank you. | 22:16 |
*** threestrands has joined #openstack-containers | 22:20 | |
*** redcavalier has quit IRC | 22:35 | |
openstackgerrit | Feilong Wang proposed openstack/magnum master: [WIP] Add master_lb_enabled to cluster https://review.opendev.org/726017 | 22:52 |
*** livelace has quit IRC | 23:07 | |
*** born2bake has quit IRC | 23:18 |