*** verdurin has quit IRC | 06:01 | |
*** verdurin has joined #openstack-kayobe | 06:05 | |
*** egonzalez has joined #openstack-kayobe | 06:40 | |
*** mgoddard has joined #openstack-kayobe | 08:16 | |
*** dougsz_ has joined #openstack-kayobe | 08:40 | |
*** ktibi has joined #openstack-kayobe | 08:57 | |
*** openstackgerrit has joined #openstack-kayobe | 09:06 | |
openstackgerrit | Will Szumski proposed openstack/kayobe master: Template inspector.ipxe https://review.openstack.org/588305 | 09:06 |
ktibi | mgoddard, hi | 09:20 |
mgoddard | morning ktibi | 09:20 |
ktibi | for yum update, if you update the kernel, you need to add a grub config after the update | 09:20 |
ktibi | e.g => grub2-mkconfig -o /boot/grub2/grub.cfg | 09:21 |
ktibi | this is why I recommend not using '*', because a lot of packages need post-tasks | 09:21 |
ktibi | or maybe we need to add a kayobe command for shell | 09:23 |
ktibi | like kayobe seed host command -a 'service docker restart' | 09:24 |
mgoddard | does the yum update not also update the grub config? | 09:24 |
ktibi | When I need to run a command on each node, for now I use something like: "ansible -i "../kayobe-config/etc/kayobe/inventory/overcloud" all -m shell -a 'chmod 700 /home/toto/.ssh' --become" | 09:24 |
mgoddard | yeah, it could be a useful command | 09:26 |
mgoddard | maybe you could create one? | 09:26 |
ktibi | mgoddard, I'll try | 09:29 |
mgoddard | ktibi: cool | 09:29 |
mgoddard | ktibi: yankcrime is looking at supporting TLS on the internal APIs. You are running this, right? | 09:29 |
ktibi | mgoddard, I want to run that, yes, but haven't tested it. Does kolla-ansible support that now? | 09:30 |
ktibi | for grub, yes, yum update supports that, you are right! | 09:31 |
mgoddard | ktibi: not yet. You made a blueprint in kolla ansible for it. Did you do any work or investigation? | 09:31 |
ktibi | mgoddard, I see review for that | 09:31 |
ktibi | https://review.openstack.org/#/c/548407/ | 09:31 |
mgoddard | yes, that was another approach - just use a single API endpoint which is secure | 09:32 |
yankcrime | and that's only half the story - each service needs configuring to enable tls as well | 09:32 |
yankcrime | otherwise it's still terminating | 09:32 |
mgoddard | that's true | 09:33 |
ktibi | yes, no work on that for now :/ TripleO supports that now and uses kolla. I think we need to see how this works | 09:34 |
ktibi | https://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/tls_everywhere.html | 09:35 |
ktibi | yankcrime, they use FreeIPA to generate the CA and the SSL certs for each node | 09:36 |
yankcrime | thanks ktibi, i'll take a look | 09:43 |
yankcrime | the PKI side is not a problem, it's getting the ssl configuration for each service generated in a consistent and sane way | 09:44 |
ktibi | yankcrime, from my experience, we need to add a proxy in front of each service (one proxy for all services on each node), because performance is not great if the services carry the SSL themselves | 09:46 |
ktibi | https://docs.openstack.org/security-guide/secure-communication/tls-proxies-and-http-services.html | 09:47 |
yankcrime | ktibi: yeah, it's a bit more straightforward if the service supports being run via apache httpd i think | 09:47 |
ktibi | I think the best way is to use the haproxy container. | 09:48 |
ktibi | it is already deployed | 09:48 |
ktibi | each haproxy can bind on the internal IP and the VIP, no? | 09:48 |
yankcrime | so launch another instance with a different configuration that listens locally? | 09:48 |
ktibi | yes maybe another instance or the same :/ | 09:49 |
ktibi | and we need to configure all services to bind on localhost | 09:50 |
ktibi | so USER ==SSL==> VIP EXTERNAL ==SSL==> PROXY (haproxy) ==LOCALHOST/HTTP==> OPK_SERVICE | 09:51 |
ktibi | or internal_service ==SSL==> VIP INTERNAL ==SSL==> PROXY (haproxy) ==LOCALHOST/HTTP==> OPK_SERVICE | 09:52 |
mgoddard | I think that's basically what https://review.openstack.org/#/c/548407/ does, isn't it? | 09:57 |
ktibi | mgoddard, yes I think | 09:58 |
ktibi | he changes api_interface_address to 127.0.0.1 | 09:59 |
ktibi | so everything works with that, I think | 09:59 |
openstackgerrit | Mark Goddard proposed openstack/kayobe master: WIP: Per-host network interface configuration https://review.openstack.org/561228 | 10:04 |
openstackgerrit | Kevin Tibi proposed openstack/kayobe master: Add commands to run command on hosts https://review.openstack.org/589112 | 10:33 |
openstackgerrit | Will Miller proposed openstack/kayobe master: Use overlay Docker storage driver for seed-base https://review.openstack.org/589123 | 11:22 |
verdurin | Do you support consuming an existing Ceph cluster? | 11:29 |
ktibi | hi verdurin | 11:50 |
ktibi | I think you use kayobe with an existing ceph cluster | 11:50 |
ktibi | by overriding the globals of kolla | 11:50 |
ktibi | you can use* | 11:51 |
verdurin | ktibi: makes sense, following https://docs.openstack.org/kolla-ansible/latest/reference/external-ceph-guide.html I suppose | 11:54 |
*** mgoddard has quit IRC | 12:02 | |
*** egonzalez has quit IRC | 13:02 | |
openstackgerrit | Will Miller proposed openstack/kayobe master: DNM: Remove legacy Ironic driver references https://review.openstack.org/588602 | 13:09 |
*** mgoddard has joined #openstack-kayobe | 13:15 | |
openstackgerrit | Will Miller proposed openstack/kayobe master: Use overlay Docker storage driver for seed-base https://review.openstack.org/589123 | 13:53 |
openstackgerrit | Will Miller proposed openstack/kayobe master: DNM: Remove legacy Ironic driver references https://review.openstack.org/588602 | 14:11 |
openstackgerrit | Mark Goddard proposed openstack/kayobe master: WIP: Per-host network interface configuration https://review.openstack.org/561228 | 14:20 |
ktibi | mgoddard, do you think we can use something like: kayobe seed host command run --commands command1 arg1 arg2, command2 arg3 arg4 | 14:20 |
mgoddard | ktibi: it's difficult to know what is part of the command and what is a kayobe argument | 14:24 |
mgoddard | how do I know that the comma is not part of the command? | 14:24 |
mgoddard | one command seems easier to manage | 14:24 |
ktibi | comma and quote maybe ? | 14:24 |
ktibi | ok, I'll remove with_items then ;) | 14:25 |
openstackgerrit | Kevin Tibi proposed openstack/kayobe master: Add commands to run command on hosts https://review.openstack.org/589112 | 14:42 |
openstackgerrit | Mark Goddard proposed openstack/kayobe master: WIP: Per-host network interface configuration https://review.openstack.org/561228 | 15:58 |
openstackgerrit | Nick Jones proposed openstack/kayobe master: Support installing PyPI packages via a mirror https://review.openstack.org/589221 | 16:32 |
openstackgerrit | Nick Jones proposed openstack/kayobe master: Support installing PyPI packages via a mirror https://review.openstack.org/589221 | 16:33 |
*** ktibi has quit IRC | 16:53 | |
*** dougsz_ has quit IRC | 17:04 | |
*** mgoddard has quit IRC | 17:07 |