Monday, 2017-07-24

00:33 <duonghq> morning guys
02:48 <openstackgerrit> Duong Ha-Quang proposed openstack/kolla-ansible master: Specify 'become' to necessary tasks (general roles)  https://review.openstack.org/398682
03:22 <spsurya> morning all
03:22 <spsurya> duonghq: morning
03:22 <duonghq> morning spsurya
03:41 <openstackgerrit> Duong Ha-Quang proposed openstack/kolla-ansible master: Specify 'become' for only necessary tasks (default roles)  https://review.openstack.org/398684
03:42 <openstackgerrit> Duong Ha-Quang proposed openstack/kolla-ansible master: Specify 'become' for only necessary tasks (all other roles)  https://review.openstack.org/398685
03:42 <duonghq> spsurya, can you give me some suggestions on https://review.openstack.org/398682
04:00 <spsurya> duonghq: sure, I will take a look at this and will ping you by EOD if I have any
04:00 <duonghq> thanks
04:04 <openstackgerrit> Duong Ha-Quang proposed openstack/kolla-ansible master: Specify 'become' to necessary tasks (general roles)  https://review.openstack.org/398682
04:13 <openstackgerrit> Duong Ha-Quang proposed openstack/kolla-ansible master: Specify 'become' for only necessary tasks (default roles)  https://review.openstack.org/398684
04:14 <openstackgerrit> Duong Ha-Quang proposed openstack/kolla-ansible master: Specify 'become' for only necessary tasks (all other roles)  https://review.openstack.org/398685
04:19 <openstackgerrit> Duong Ha-Quang proposed openstack/kolla-ansible master: Specify 'become' for only necessary tasks (default roles)  https://review.openstack.org/398684
04:27 <openstackgerrit> Duong Ha-Quang proposed openstack/kolla-ansible master: Ansible strategy for Rolling upgrade  https://review.openstack.org/482863
04:29 <openstackgerrit> Duong Ha-Quang proposed openstack/kolla-ansible master: Apply neutron database migration  https://review.openstack.org/407922
04:56 <openstackgerrit> jimmygc proposed openstack/kolla-ansible master: Disable grafana Getting Started panel  https://review.openstack.org/485932
05:10 <openstackgerrit> jimmygc proposed openstack/kolla-ansible master: Support customizing grafana home dashboard  https://review.openstack.org/485931
05:11 <openstackgerrit> jimmygc proposed openstack/kolla-ansible master: Support customizing grafana home dashboard  https://review.openstack.org/485931
05:40 <openstackgerrit> jimmygc proposed openstack/kolla-ansible master: Add vmware DVS support to kolla-ansible  https://review.openstack.org/459270
05:42 <openstackgerrit> jimmygc proposed openstack/kolla-ansible master: Add vmware DVS support to kolla-ansible  https://review.openstack.org/459270
06:38 <openstackgerrit> Duong Ha-Quang proposed openstack/kolla-ansible master: Ansible strategy for Rolling upgrade  https://review.openstack.org/482863
07:56 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: Fix logging collection in gates  https://review.openstack.org/485723
07:57 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: Fix logging collection in gates  https://review.openstack.org/485723
08:07 <openstackgerrit> Helena proposed openstack/kolla-ansible master: Enabled additional .conf files to be read by collectd  https://review.openstack.org/477580
08:11 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: Added note  https://review.openstack.org/485727
08:11 <openstackgerrit> Merged openstack/kolla-ansible master: Dynamically retrieve the location of ARA to work on both py2 & py3  https://review.openstack.org/486362
08:22 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: Fix logging collection in gates  https://review.openstack.org/485723
08:26 <openstackgerrit> Merged openstack/kolla master: Update the documentation link for doc migration  https://review.openstack.org/485151
08:37 <egonzalez> Jeffrey4l, tested mariadb upgrade with your patch and worked fine, awesome!!!
08:40 <kolla-slack> <jeffrey4l> cool
08:47 <kolla-slack> <jeffrey4l> did anyone see the photo i posted?
08:48 <egonzalez> Jeffrey4l, what photo? the workflow in the review?
08:49 <kolla-slack> <jeffrey4l> openstack days china
08:50 <kolla-slack> <jeffrey4l> https://kubernetes.slack.com/files/jeffrey4l/F6CM1JDB6/img_20170724_164020.jpg
08:50 <openstackgerrit> Pavel Gluschak (scsnow) proposed openstack/kolla master: Ensure interface exists before adding OVS port  https://review.openstack.org/477884
08:52 <kolla-slack> <jeffrey4l> seems posting photos in slack does not work for irc.
08:57 <openstackgerrit> Merged openstack/kolla-ansible master: Optimize reconfiguration for mariadb  https://review.openstack.org/433480
09:11 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: Fix logging collection in gates  https://review.openstack.org/485723
09:15 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: Fix logging collection in gates  https://review.openstack.org/485723
09:19 <openstackgerrit> Juan Badia Payno proposed openstack/kolla master: Changed fluentd repository for CentOS/RHEL/Oraclelinux  https://review.openstack.org/467219
09:35 <egonzalez> mewald1, re prometheus images, were you finally able to read ENVs from the p*-base image?
09:37 <mewald1> egonzalez: yes it worked
09:37 <numans> egonzalez, Hi, i have a question (which seems to be stupid), how are the images pushed to the kolla docker hub (https://hub.docker.com/u/kolla/) ?
09:38 <numans> in the kolla docker hub, i don't see neutron-server-odl or neutron-server-ovn ? Is it possible to have them in the docker hub ? if so, how ?
09:38 <duonghq> egonzalez, ping,
09:39 <egonzalez> numans, those images are only in the master branch (not pushed yet)
09:39 <numans> egonzalez, oh ok. so only the stable branch gets pushed ?
09:40 <egonzalez> numans, images for now are pushed manually, however there is work in progress to do it daily for master and stable branches
09:40 <numans> egonzalez, ok. is it possible to have the neutron-server-odl/ovn pushed.
09:41 <egonzalez> numans, if you want to use master images for testing there are registries built on each commit https://tarballs.openstack.org/kolla/images/
09:41 <egonzalez> numans, not now because only stable are pushed
09:41 <egonzalez> duonghq, sup
09:41 <numans> egonzalez, ack. got it.
09:41 <numans> thanks
09:42 <duonghq> egonzalez, if you have free time, can you review the direction of the ansible-become ps(s): https://review.openstack.org/#/c/398682/12
09:43 <egonzalez> duonghq, yep, have you read my latest comment in keystone upgrade? https://review.openstack.org/#/c/425446/
09:43 <duonghq> yes, I'll add one more variable to prevent it running at all actions
09:43 <duonghq> only upgrade is needed
09:43 <egonzalez> if we cannot make it with serial/strategy, we can play with handler notify order
09:44 <duonghq> ya, I'll try both
09:44 <duonghq> thank you
09:45 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: Fix logging collection in gates  https://review.openstack.org/485723
09:52 <openstackgerrit> Duong Ha-Quang proposed openstack/kolla-ansible master: Specify 'become' to necessary tasks (general roles)  https://review.openstack.org/398682
10:08 <manheim> oh, rdo is such a nightmare
10:14 <egonzalez> manheim, rdo != packstack ;)
10:17 <manheim> true, true
10:42 <openstackgerrit> Merged openstack/kolla-ansible master: Remove warning during kolla_docker execution  https://review.openstack.org/483544
10:55 <mewald1> Someone told me before but I forgot to take a note: how can I generate new release notes?
11:06 <mewald1> egonzalez: would you mind? I could push a patchset for redis now if I knew how to create a new release note
11:13 <openstackgerrit> Mathias Ewald proposed openstack/kolla-ansible master: Fix grafana post-config check  https://review.openstack.org/486378
11:20 <sean-k-mooney> egonzalez: i think i have made all the changes you requested in https://review.openstack.org/#/c/408872/ except refactoring into the main roles. ill be trying to complete that today
11:21 <sean-k-mooney> egonzalez: centos package versions for docker, runc and systemd are too old though.
11:22 <sean-k-mooney> egonzalez: the centos host support now works but systemd and docker conflict in how they create cgroups. this has been fixed on ubuntu but not centos
11:29 <egonzalez> mewald1, reno new <title>
11:30 <egonzalez> sean-k-mooney, cool, thanks! is it something that needs to be fixed in the centos docker packages, nothing to do on our side?
11:40 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: Fix logging collection in gates  https://review.openstack.org/485723
11:46 <egonzalez> sean-k-mooney, when reworking the role to be in ansible/roles, please add upgrade, check, prechecks, reconfigure files empty with just three dashes ---
11:47 <egonzalez> otherwise doing one of those actions with dpdk enabled will fail, also pull.yml
11:51 <egonzalez> sean-k-mooney, actually reconfigure uses - include: deploy.yml and for upgrade i dont know if something different than deploy is needed
12:04 <sean-k-mooney> egonzalez: to fix the conflict they need to update the version of systemd as far as i understand. we cant work around it on our end.
12:05 <egonzalez> sean-k-mooney, roger
12:05 <egonzalez> maybe add a warning in the docs
12:05 <openstackgerrit> Merged openstack/kolla master: Add collectd support to telegraf  https://review.openstack.org/485923
12:06 <openstackgerrit> Merged openstack/kolla master: Tweaks to allow Horizon dev mode  https://review.openstack.org/474598
12:06 <sean-k-mooney> egonzalez: sure ill add the other files.  yes ill add a disclaimer to the docs
12:06 <Guest22197> hi, why is the installer trying to get the 4.0.2 version while docker hub includes only 4.0.0? is this a known issue?
12:08 <sean-k-mooney> egonzalez: for reconfigure i may or may not need to tweak the ovs-dpdkctl helper tool. i cant remember if i support for example changing bridge names or interfaces. so that might need another patch
12:09 <egonzalez> sean-k-mooney, sure, as long as they are documented limitations or untested behaviour it is OK with me
12:09 <mewald1> I have a problem in my sensu-client containers: To build the sensu plugins ruby >=2.1.0 is required, which is there in the ubuntu image by default. CentOS doesn't have it. Any suggestions?
12:10 *** Guest22197 is now known as tomkolla
12:11 <sean-k-mooney> egonzalez: upgrade is also a little tricky, upgrading from ovs 2.7 to 2.8 should just be replacing the container. same for 2.5->2.6. 2.6->2.7 on the other hand requires different handling because of backwards incompatible changes in ovs so i would prefer to support 2.7+ upgrades only since ubuntu already ships 2.7
12:12 <egonzalez> sean-k-mooney, upgrades also apply to dpdk image 5.0.1 to 5.0.2 or to a custom tag. ovs may or may not change during that upgrade
12:13 <egonzalez> sean-k-mooney, i mean, ovs version is controlled in dpdk images, i dont mean to upgrade ovs, i mean the upgrade action
12:13 <sean-k-mooney> egonzalez: the ovs-dpdk image is statically linked to dpdk, which is included in the ovs-dpdk image
12:14 <sean-k-mooney> egonzalez: yes i understand. my assumption is that you wont change the dpdk/ovs version as part of a z stream upgrade which should just replace the containers without modifying the configs
12:15 <egonzalez> sean-k-mooney, yep, maybe just include deploy.yml as with the reconfigure action, or the same as the ovs role:
12:15 <egonzalez> - include: config.yml
12:15 <egonzalez> - name: Flush Handlers
12:15 <egonzalez>   meta: flush_handlers
12:18 <sean-k-mooney> yep will do. i have to admit i had not spent much time on the reconfigure or upgrade aspects. mind if i put the implementation of those in followup patches and just have them blank in the base one. https://review.openstack.org/#/c/408872/ is already larger than i would like.
12:18 <tomkolla> hi, why is the installer trying to get the 4.0.2 version while docker hub includes only 4.0.0? is this a known issue?
12:19 <egonzalez> sean-k-mooney, yep, leave it blank, we can add bugs for missing tasks
12:19 <sean-k-mooney> im also planning to add a destroy-ovs-dpdk command to handle tear down. in addition to the normal destroy actions you need to run ovs-dpdkctl uninstall before you delete the config files on the host
12:19 <openstackgerrit> Merged openstack/kolla-ansible master: Fix grafana post-config check  https://review.openstack.org/486378
12:20 <egonzalez> tomkolla, ansible is trying to pull the latest images 4.0.2, but in dockerhub there is only 4.0.0. you have two options: build your own 4.0.2 images, or change openstack_release: 4.0.0 to use those images
12:20 <sean-k-mooney> egonzalez: ovs-dpdkctl uninstall basically removes the systemd service files that were installed when deploying and binds the dpdk nics back to the kernel
12:27 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: DNM: test master branch  https://review.openstack.org/456140
12:32 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: DNM: test master branch  https://review.openstack.org/456140
12:34 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: DNM: test master branch  https://review.openstack.org/456140
12:53 <hawi> hi there. is there something i should know when upgrading from 4.0.0 -> 4.0.2? mariadb fails during upgrade
12:55 <kolla-slack> <jeffrey4l> egonzalez , how about backporting the reconfigure mariadb patch? :D
12:55 <openstackgerrit> zhouya proposed openstack/kolla-ansible master: Support assigning HA traffic to dedicated interface  https://review.openstack.org/481503
12:56 <egonzalez> Jeffrey4l, kind of a feature right? but yeah, newton-ocata works fine, but ocata-ocata and ocata-pike fail so also a bug
13:00 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: DNM: test master branch  https://review.openstack.org/456140
13:02 <egonzalez> hawi, atm https://bugs.launchpad.net/kolla-ansible/+bug/1692507
13:02 <openstack> Launchpad bug 1692507 in kolla-ansible "mariadb multinode upgrade broken ocata-pike" [Critical,Fix released]
13:03 <egonzalez> hawi, thought it only affected master, but it also affects ocata-ocata upgrade in multinode
13:03 <egonzalez> hawi, is that your case? multinode ocata-ocata upgrade?
13:05 <egonzalez> hawi, mind sharing mariadb.log from a couple of nodes, there should be some message like "cannot connect to gcomm: openstack , connection refused" or sth similar
13:16 <hawi> egonzalez: yes, multinode ocata-ocata upgrade
13:22 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: Fix logging collection in gates  https://review.openstack.org/485723
13:22 <Pedro_Pacheco> Hello folks! I'm very noob at deploying openstack with kolla-ansible. Is here the correct place to ask doubts (deploy questions)?  Thks!
13:23 <egonzalez> Pedro_Pacheco, yeah, also can ask in ask.openstack.org
13:25 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: DNM: test master branch  https://review.openstack.org/456140
13:26 <sdake> morning folks
13:26 <Pedro_Pacheco> Thank you, egonzalez! I'll get started there.
13:29 <egonzalez> hawi, if you can share logs or check https://bugs.launchpad.net/kolla-ansible/+bug/1692507 is your same bug to triage and potentially backport to ocata
13:29 <openstack> Launchpad bug 1692507 in kolla-ansible "mariadb multinode upgrade broken ocata-pike" [Critical,Fix released]
13:29 <hawi> yes, i can
13:29 <hawi> just a sec
13:29 <openstackgerrit> Mathias Ewald proposed openstack/kolla master: Add Redis Sentinel  https://review.openstack.org/486299
13:32 <openstackgerrit> Mathias Ewald proposed openstack/kolla master: Add prometheus and related containers  https://review.openstack.org/484882
14:05 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: Fix logging collection in gates  https://review.openstack.org/485723
14:11 <openstackgerrit> Chason Chan proposed openstack/kolla master: Rearrange existing documentation to fit the new standard layout  https://review.openstack.org/486423
14:16 <egonzalez> pbourke, around?
14:32 <sdake> egonzalez sup dude how u been
14:32 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla-ansible master: Fix logging collection in gates  https://review.openstack.org/485723
14:33 <egonzalez> hey sdake , fine, you going to PTG?
14:33 <sdake> egonzalez quick q - is it too late to merge a change like this considering we have 1 mo to go: https://review.openstack.org/#/c/468632/
14:34 <sdake> egonzalez yes ptg and australia
14:34 <sdake> board meetings at a minimum have to attend
14:35 <egonzalez> sdake, cool, we'll see each other at ptg, got TSP for denver
14:36 <egonzalez> sdake, re mariadb, I would not upgrade the version now, we just barely fixed a broken upgrade from ocata-master, i dont think we'll have enough time for testing
14:36 <egonzalez> sdake, if some database expert offers help maybe we can make it for pike
14:37 <sdake> feels dangerous not to use rdo's mariadb
14:37 <sdake> but i understand the feeling of risk
14:57 <openstackgerrit> James Benson proposed openstack/kolla-ansible master: Added note  https://review.openstack.org/485727
14:59 <jamesbenson> thanks egonzalez, gerrit passed and I have since rebased it again.  :-)
14:59 <jamesbenson> morning all :-)
15:03 <openstackgerrit> Merged openstack/kolla master: Remove python-wsme and python-pecan packages for centos  https://review.openstack.org/486063
15:11 <rwellum> ping sbezverk
15:12 <inc0> good morning
15:13 <sbezverk> rwellum pong
15:13 <sbezverk> good morning inc0
15:14 <rwellum> sbezverk - can you look at this nova piece from my cloud.yaml and see if it's correct for 5.x? I'm still having some issues. https://www.irccloud.com/pastebin/qXtAERfw/
15:14 <jamesbenson> morning inc0
15:14 <rwellum> sbezverk - this is what I have for 4.x https://www.irccloud.com/pastebin/46m9V29t/
15:14 <egonzalez> morning inc0
15:15 <egonzalez> inc0, noticed ceph gates randomly fail due to lack of disk, testing gates I noticed sometimes VMs have a 90GB disk and others 30GB https://review.openstack.org/#/c/456140/
15:16 <inc0> egonzalez: hmm, good to know, infra folk said that /opt will have more stor
15:16 <inc0> I'll dig into this, thanks
15:16 <sbezverk> rwellum it looks ok, not sure why it does not work in your test bed.. I will be on training for a couple of days
15:17 <sbezverk> so will not be able to help much..
15:18 <rwellum> sbezverk: thanks - my major concern was removing: placement_api:
15:29 <sbezverk> rwellum it should not matter, absence in cloud.yaml does not mean it will not be started..
15:29 <jamesbenson> inc0: silly question, but I'm a bit stuck on a concept and having trouble fully wrapping my head around it (or something).  Ceph is distributed block/object storage.  VMs live in block storage in ceph.  So when you boot a VM, the VM lives in ceph but the VM itself in openstack might be listed as on a compute node without an OSD.  So in essence, this brings CPU to storage?  Is that correct?
15:29 <rwellum> sbezverk: ack
15:29 <openstackgerrit> Chason Chan proposed openstack/kolla-ansible master: Rearrange existing documentation to fit the new standard layout  https://review.openstack.org/486659
15:31 <inc0> egonzalez: the change you linked seems to fail on mariadb
15:32 <egonzalez> inc0, there are multiple failures, mariadb, horizon, and lack of disk :(
15:32 <egonzalez> i think mariadb is related to disk, horizon is because of a recent change
15:36 <egonzalez> inc0, this fails due to lack of disk http://logs.openstack.org/40/456140/15/check/gate-kolla-ansible-dsvm-deploy-ceph-centos-source-centos-7-2-node-nv/1930a51/console.html
15:50 <kfox1111> jamesbenson: it depends on how you configure ceph.
15:50 <kfox1111> ceph is just remote storage.
15:51 <kfox1111> you can configure vm's to host their root drive on ceph.
15:51 <kfox1111> or you can have the vm's still stored locally on each compute node.
15:51 <kfox1111> cinder volumes are always remote though with ceph.
15:52 <jamesbenson> kfox1111: yeah, I'm just trying to understand that better.  I know on Friday we were chatting about my setup a bit.  And trying to understand how the storage nodes will work with the compute nodes since the computes dont have the 10G
15:56 <inc0> egonzalez: so the issue is
15:57 <inc0> we're not using devstack gate
15:57 <inc0> so while we have access to the volume
15:57 <inc0> it's not getting mounted because we don't use devstack gate node prep
15:58 <emccormick> jamesbenson your hypervisor (probably KVM) uses ceph libraries to mount a volume directly from a given compute host
15:58 <emccormick> so the hypervisor process is on a nova node and it mounts the disk from ceph
15:59 <egonzalez> inc0, roger, thanks!
15:59 <emccormick> kind of like if you stuck /var/lib/nova/instances on an NFS server, except in this case nothing actually gets mounted to the compute host itself
15:59 <inc0> I'll try to fix it
16:00 <egonzalez> inc0, will see errors in binary rpm based gates
16:00 <egonzalez> *horizon
16:07 <openstackgerrit> Eduardo Gonzalez proposed openstack/kolla master: Fix horizon secret_key error  https://review.openstack.org/486681
16:11 <kristian__> hey, could someone help me with networking? When I assign any network (Public and private) to a router with admin state up the port is down. L3 agent logs http://paste.openstack.org/show/616326/. ovs-vsctl http://paste.openstack.org/show/616328/. Router namespace http://paste.openstack.org/show/616329/
16:18 <inc0> kristian__: hmm...that's curious, can you show me your globals.yml?
16:18 <kristian__> cure
16:18 <kristian__> *sure
16:19 <vhosakot> inc0, Jeffrey4l: Any reason why we are not running the init-runonce script in the kolla repo to check end-to-end OpenStack sanity at the kolla gate.  I see it was removed in https://review.openstack.org/#/c/401891/3/tools/deploy_aio.sh.
16:19 <vhosakot> inc0, Jeffrey4l: https://github.com/openstack/kolla/commit/cc6d491c397efc50b96cdc33bebac1d2c2f07f00#diff-d33ddea4b52f4b549350318d57aee9b1L52
16:20 <kristian__> inc0: http://paste.openstack.org/show/616331/
16:20 <inc0> we run it in kolla-ansible code vhosakot
16:20 <inc0> and kolla gate runs kolla-ansible code
16:21 <inc0> kristian__: br0, where do you create br0?
16:21 <kristian__> will paste network interfaces
16:21 <inc0> please
16:21 <vhosakot> inc0: right, I know we run it in kolla-ansible :)  but I see init-runonce not run in the kolla gate logs.. let me check more.
16:21 <kristian__> I have only one nic on my node
vhosakotbr16:22
inc0vhosakot: ah you might be right16:22
inc0I guess that's a bug in gates:)16:23
kristian__inc0: http://paste.openstack.org/show/616333/16:23
vhosakotinc0: I'm starting to work on upgrade gate.. and wanted to know if we need to run upgrade in kolla gate too (for which I need to check if end-to-end OpenStack sanity is first run in kolla gate, and it looks like we don't).. I'll dig more logs and check.16:23
vhosakotbrb 10 mins... rebooting16:23
inc0vhosakot: just k-ans16:24
inc0for now16:24
vhosakotinc0: cool cool, thanks for the confirmation16:24
*** vhosakot has quit IRC16:24
*** jascott1_ has joined #openstack-kolla16:24
*** jascott1 has quit IRC16:24
inc0kristian__: hmm so I honestly don't know how ovs will behave with linuxbridge like that16:24
kristian__it worked16:24
inc0mind doing docker exec -it openvswitch_vswitchd vsctl show16:25
kristian__I have rebooted the node and redeployed16:25
*** jascott1_ has quit IRC16:25
kristian__inc0: looks like it hung16:25
inc0right16:26
*** jascott1 has joined #openstack-kolla16:26
inc0so we need to debug this16:26
kristian__should I redeploy with linuxbridge?16:26
inc0linuxbridge is not well tested16:26
kristian__ok16:26
inc0you can try, but I really don't know how it behaves, all our gates and everything runs ovs16:26
kristian__inc0: how could I redeploy it with ovs?16:27
inc0kristian__: with master we allow to configure your own ovs16:27
kristian__also I will be here in maybe 2 hours, but I should be here for 30 min16:28
kristian__Im AIO16:28
inc0single iface is an issue :/16:28
kristian__I know16:29
kristian__ovh16:29
kristian__I don't have a vrack compatible server16:29
inc0it will be much easier in Pike16:30
*** jascott1 has quit IRC16:31
*** jascott1 has joined #openstack-kolla16:32
*** jascott1 has quit IRC16:33
kristian__then I can't wait16:33
kristian__will it be working day0?16:33
inc0well, what will happen is it will allow you to turn off deployment of ovs and use existing ovs16:34
inc0which you could configure yourself16:34
inc0however, let's get this fixed shall we16:34
*** jascott1 has joined #openstack-kolla16:35
kristian__jamesbenson: hey james, you here16:35
kristian__inc0: james helped me to set it up16:35
jamesbensonI'm here16:35
jamesbensonI'm not sure if you've modified your setup since we last chatted, but inc0, kristian__ also did some funky stuff with mac spoofing/cloning, I wasn't sure about :-/16:36
kristian__jamesbenson: Im having problems with router ports being down int and ext networks16:36
jamesbensonyeah I've been following :-)16:36
kristian__jamesbenson: I maybe found that solution right in openstack16:36
jamesbensonk16:36
kristian__and its redeployed16:37
jamesbensonawesome16:37
jamesbensonYeah, I haven't had a chance to really test a single eth in my setup here yet...16:37
kristian__let me destroy it, disable lbaas and that stuff16:37
kristian__I have only enabled that worked16:37
jamesbensonk16:37
inc0kristian__: sooo16:37
inc0if you're willing to do some manual hacking16:37
inc0try installing and configuring ovs16:38
inc0manually16:38
kristian__and also the thing why in the first place I redeployed is I couldn't reach the public subnet from the vm, but I could reach it from anywhere else16:38
inc0as in, add veth to ovs and use veth as api_iface16:38
kristian__inc0: I will need to go soon, last ditch for now I will try redeploying with default kolla package config16:39
inc0so16:39
inc0try this later:16:39
kristian__I will ping you16:39
inc0ok16:39
inc0jamesbenson: that might interest you too in fact16:40
kristian__and jamesbenson if the router ports will work, I will ping you with the mac spoofing in horizon16:40
jamesbensonyeah, I wanted to finish writing the doc with 1 eth16:40
jamesbensonk16:40
kristian__you can put cidrs in there16:40
inc0so what we can test out is:16:40
inc0set https://github.com/openstack/kolla-ansible/blob/stable/ocata/ansible/roles/neutron/defaults/main.yml#L28 this var to false16:41
inc0and manually configure ovs16:41
kristian__inc0: we will, is it possible to deploy pike??16:41
kristian__stable in b2?16:41
inc0well we test it all the time16:42
inc0but it's not as tested as stable would be16:42
inc0for kolla or other projects16:42
kristian__I just need base kolla, serial nova proxy, lbaas and maybe metering16:43
kfox1111jamesbenson: some of it depends on if you are building pets vs cattle.16:43
kfox1111I usually do local storage for vm's as my use case is totally pets.16:43
kfox1111totally cattle I mean.16:43
*** eaguilar|afk has quit IRC16:43
kfox1111I put any data I really care about in cinder volumes for state.16:43
kfox1111blowing out a single vm isn't horrible.16:43
kfox1111if you are caring about pets though,16:44
kfox1111if you put the vm in cinder/ceph, it's easier to migrate from host to host.16:44
kfox1111but then you're relying on network attached storage for the pet.16:44
jamesbensonkfox1111:  your analogy is very confusing!16:44
inc0yeah if you want live migration at all, use network storage16:44
inc0jamesbenson: you know pets vs cattle analogy?16:45
jamesbenson:-/ I'm thinking not, right now...16:46
jamesbensonlive migration might be helpful for us16:46
inc0no worries, it's been used in conferences a lot16:46
inc0but unless you go to conferences, you might've missed it16:46
jamesbenson(only been to one, in austin)16:46
inc0pets - vm's you don't want to die, you fix them like you cure sick pet16:47
kfox1111jamesbenson: basically,16:47
jamesbensongot it16:47
kfox1111sysadmins precloud are used to giving names to their machines.16:47
jamesbensoncattle can be slaughtered...16:47
inc0cattle - vms which, when fail, you just destroy and move on, like you shoot sick cows16:47
kfox1111lovingly nursing them back to health when they get sick. etc.16:47
jamesbensonyeah16:48
kfox1111but users don't really care about machines. they care about services.16:48
jamesbensonqq: where is /var/lib/nova/instances?  this path doesn't exists for me...16:48
kfox1111in the same way, a user doesn't care if their hamburger comes from one cow, or 10. they just want a tasty burger. :)16:48
jamesbensonlol...16:48
kfox1111so in the cloud, you have lots of little vm's, and you try not to care about them so much as you care that the service that runs across many of them stays up.16:49
inc0jamesbenson: /var/lib/docker/volumes/nova_compute ...16:49
jamesbensonthanks16:49
*** jascott1 has quit IRC16:49
kfox1111if one gets sick, you don't spend much time on it, because there are a lot of them. you just replace it.16:49
inc0it's docker volume16:49
kfox1111jamesbenson: does that help? :)16:50
kfox1111the cloud really is the industrial revolution of the sysadmin world.16:50
kfox1111rather than hand crafting every machine, you build a production line.16:50
kfox1111but a lot of folks gain a cloud and then treat it as a cheap place to run pets. (which it's pretty bad at)16:51
kfox1111because they see terminology/technology that they think feels comfortable from the old ways and don't reevaluate what it means to run in a cloud.16:51
mgkwillinc0: when is pike feature freeze?16:52
jamesbensonyeah I get it16:52
inc0regular projects have it this week, we're 2 weeks later16:52
inc0mgkwill: let's merge odl asap;)16:52
mgkwillinc0: thanks - looking to get odl in before - agreed16:52
inc0it's in merge conflict now16:52
mgkwillinc0: yeah i know, will push update today16:53
inc0cool, thanks Marcus16:53
*** unicell has quit IRC16:54
inc0https://review.openstack.org/#/c/408872/ check dpdk change too16:54
jamesbensonkfox1111: If I run: rbd -p vms ls and it shows me my <<server-id>>_disk does that mean it is backed up on ceph then?  treated as a pet?16:56
*** vhosakot has joined #openstack-kolla16:56
kfox1111jamesbenson: fyi, I haven't gotten live migrate reliably working. I've kind of written it off. but it has been a while since I tried last. so maybe its better now.16:56
kfox1111jamesbenson: yeah, I think that means the vm's ephemeral storage is in ceph.16:56
*** omenv has joined #openstack-kolla16:57
jamesbensonkfox1111: I think this is all of the info: http://paste.openstack.org/show/616339/16:58
kfox1111jamesbenson: yeah. I think its storing everything in ceph.16:59
jamesbensonok, cool!  That's the plan :-)16:59
jamesbensonkeep ceph happy, keep cluster happy :-)16:59
jamesbensonmostly ;-)16:59
inc0jamesbenson: if you do enable_ceph (or external ceph) it'll use ceph to everything unless explicitly said not to16:59
jamesbensonneat17:00
inc0everything means nova, glance and cinder17:00
jamesbensonyeah, this is with external ceph17:00
inc0nova for vm ephemeral disks, glance for images and cinder for volumes17:00
inc0I'm not sure if swift will use ceph by default17:00
jamesbensonback to my original question, processors are on one node, VM is on another... so detaching compute and storage then?17:01
inc0processors?17:01
inc0well vm will run on copute node17:02
inc0storage will be on different17:02
inc0it really just mounts rbd storage to /17:02
vhosakotjamesbenson: the entire VM is not on ceph  :)  I'd say VM's CPU is on compute node, all of the VM's disks are on the storage nodes.17:02
inc0well, not quite, but logic is the same17:02
jamesbensonyes, but the instance disk is in ceph...17:02
jamesbensonah okay17:02
inc0right17:02
jamesbensonso it mounts the disk locally to bring storage to compute17:02
vhosakotyes17:03
inc0kinda yeah17:03
jamesbensonthat's the logic that I was missing...17:03
inc0if you do lsblk on compute node you'll see ceph disks mounted17:03
jamesbensonyeah17:03
jamesbensonI noticed that17:03
inc0this way live migration is much easier as it doesn't need to copy data on disk17:04
inc0just attaches volume elsewhere17:04
jamesbensonso compute nodes can be in raid 6 for example and have no loss of speed due to the raid level17:04
jamesbensonor raid 5 or whatever17:04
inc0well you need to ask yourself what data on compute node is worth securing17:04
jamesbensonvirtually no data should be on compute node, correct?17:05
inc0because since vms live on ceph, which is already replicated17:05
inc0yeah17:05
vhosakotjamesbenson: yes, the disk must be mounted and partitioned first and brought into the VM.  I wrote a blog about it a few months ago -->  https://communities.cisco.com/community/developer/openstack/blog/2017/01/13/how-to-attach-cinderceph-xfs-volume-to-a-nova-instance-in-openstack-horizon17:05
jamesbensonit would just be redundancy for the compute node OS17:05
inc0very little is left that you'd normally care about17:05
inc0right17:05
jamesbenson:-D17:05
jamesbensonnice vhosakot17:05
vhosakotjamesbenson: thanks, need to update it with other filesystem types, my customer was happy with xfs at the time I wrote the blog.17:06
inc0I wish I had Vikram's perseverance and wrote myself :(17:06
jamesbensonin the past we used ceph for everything and live migration was only possible between like nodes, is that still the case?17:06
inc0that's still the case17:06
jamesbensonI write too, but really to just keep notes to myself... best that an ignorant me can completely understand...17:07
vhosakotinc0: haha, yeah, I write blogs so 1) others can refer in the community  2) I can go myself to the blog and refer/update..17:07
jamesbensonditto17:07
inc0yeah that17:07
vhosakotinc0: if I get something working, I'd die to share and save the steps :)17:07
jamesbensonmy userspace is very minimal...17:07
inc0I need to get into this mindset myself17:07
jamesbensonbut documentation!  man, it's key17:07
jamesbensonI'm doing one currently on using external ceph with kolla... with all of the commands, etc.17:08
jamesbensonbecause it took time I don't want to waste again17:08
vhosakotinc0: last time I tried ceph+swift, I failed very well :)17:09
jamesbensonso I'm just trying to understand everything before I write it all down :-)17:09
inc0there is little value in having ceph+swift imho17:09
*** harlowja has joined #openstack-kolla17:09
inc0swift is made to do what ceph dowa17:09
vhosakotinc0: right17:09
inc0does17:09
inc0and ceph rgw already has S3 api17:09
vhosakotyep17:09
jamesbensoninc0: why is that the case?  makes little sense to me.17:09
inc0jamesbenson: what? that swift does what ceph?17:10
jamesbensonno, like node migration17:10
inc0I don't understand, node migration?;)17:11
* inc0 confusing Monday morning17:11
jamesbensonsorry, like node VM migration17:11
inc0are you asking me why ceph helps with vm live migration?17:11
jamesbensonVM's can only live migrate with other similar compute nodes17:11
inc0right17:11
jamesbensonbut why?17:12
inc0if VM is created with certain set of CPU features17:12
inc0access to set of CPU features17:12
inc0unless you migrate it to node with similar CPU17:12
jamesbensonthat level of virtualization can't be replicated then?17:12
jamesbensongotcha17:12
jamesbensonfigured it was that...17:13
inc0well, you can always specify what set of features you want to expose to VM17:13
vhosakotit would be cool if OpenStack can do "node migration" without downtime ;)17:13
inc0and if you use lowest common denominator across all cpu types in cluster17:13
jamesbensonI figured openstack would register those features and if compatible, allow the migration17:13
inc0you can migrate freely17:13
jamesbensonhmm, maybe do that here then...17:14
inc0vhosakot: evacuate host will try to live migrate all vms from cp17:14
kristian__inc0: jamesbenson deployed, lets hope it works17:14
inc0cpu node17:14
jamesbensonk17:14
inc0jamesbenson: libvirt does17:14
vhosakotinc0: right, that is "compute node migration".. what if we want to migrate a network node? ;)17:14
inc0I don't think nova scheduler takes that into account, but I haven't been following nova in this space for a while17:15
inc0it might17:15
inc0vhosakot: technically "migration" would be just shutting it down and letting HA do its thing;)17:15
jamesbensonhmmm, interesting stuff....17:15
vhosakotinc0: if neutron HA works all the time ;)17:15
*** ramishra has quit IRC17:16
jamesbensonhey, I'm going to be deploying that!  Don't be scaring me now!  :-p17:16
inc0moving router IP from one node to another without downtime is a science field of its own;)17:16
jamesbensonall of networking stuff is a science of its own to me...17:16
jamesbensongetting better, but still tricky!17:16
vhosakotall the namespaces must be moved first before we think about moving any neutron IP ;)17:17
inc0well, yeah, this one detail has probably books written about it;17:17
vhosakotactually neutron HA router is pretty stable..17:17
* jamesbenson whew17:17
vhosakotHA DHCP was not the best when I last tested17:17
kristian__inc0: its down :(17:17
inc0:/17:17
jamesbenson:-(17:17
inc0kristian__: soo, here's an idea17:17
kristian__dunno how long I will be available17:17
kristian__destroy openstack?17:18
inc0https://github.com/openstack/kolla-ansible/blob/stable/ocata/ansible/roles/neutron/defaults/main.yml#L2817:18
inc0change this to false17:18
inc0install ovs on host manually17:18
inc0or in containers and configure it17:18
inc0rather, better install it with kolla, destroy everything besides ovs17:18
inc0get into ovs container, reconfigure bridges so it'll have ports bridged properly17:19
kristian__inc0: so manually destroy containers? or with kolla-ansible destroy17:19
inc0manually + volumes too17:19
kristian__ok17:19
kristian__let me delete it first17:19
inc0kolla ansible destroy removes containers and volumes17:19
inc0just keep ovs17:19
kristian__so * except neutron_openvswitch_agent17:20
*** jascott1 has joined #openstack-kolla17:20
inc0no17:20
inc0openvswitch_vswitchd and db17:20
kristian__ok17:20
inc0after that http://paste.openstack.org/show/616340/ add this to your globals17:22
inc0configure switches you have in container manually, add external iface to it, make sure bridges and stuff are named correctly17:23
inc0add virtual interface + IP for api_network17:23
jamesbensonkfox1111: sorry one last time back to ceph/VMs/etc.... how do the compute nodes talk to ceph? I have the ceph on a 10G and compute nodes without 10G connection. Is it through the public network?17:23
inc0and try to deploy on top of this. I never tried that but technically if you do it correctly neutron should just use existing ovs containers17:24
inc0make sure br-ex exists and interface specified in neutron_external_interface is in it17:26
kristian__inc0: where in globals to add the paste?17:26
inc0wherever17:26
kristian__ok17:27
inc0ordering in globals doesn't matter17:27
kristian__then also what to do with ovs? I'm a noob there17:27
kfox1111jamesbenson: the ceph public network.17:27
inc0kristian__: sooo17:28
inc0you need to add new interface17:28
kristian__its gonna be long :)17:28
inc0ok, let's assume you have eth0 on public network17:28
kristian__also what about the existing br0? and veno0 and veno1?17:28
kristian__correct17:29
inc0(guys if I'm mistaken correct me, imagining ifaces in my head is prone to failure)17:29
inc0you need to create new interface for network interface17:29
kristian__if neutron works in the end, then it should be good or no?17:29
inc0and give it IP in same network, as public17:30
inc0kristian__: we're essentially replicating br0 and veno0+1 in ovs17:30
kristian__ok, but commands17:30
kristian__or ssh is better?17:30
inc0what neutron really needs is name of bridge to which connect flat network17:30
inc0and tha'ts br-ex17:31
jamesbensonthanks kfox111117:31
inc0kristian__: ovh gives you access to console if you mess up network right?17:31
kristian__yeah17:32
inc0cool17:32
kristian__aten viewer17:32
kristian__what its called17:32
inc0so we need to create new virtual interface and add IP of eth0 to it17:32
inc0and remove this IP from eth017:32
*** sambetts is now known as sambetts|afk17:33
inc0then from inside container17:33
kristian__so a virtual interface, not the bridge17:33
inc0ovs-vsctl show - should show you if br-ex exists, if it doesn't run ovs-vsctl --no-wait add-br br-ex17:33
inc0well yeah, interface should have IP and we'll connect interface to bridge with wth017:34
inc0eth017:34
kristian__br-ex is there17:34
inc0ok17:34
kristian__and it doesn't have the public ip of the node17:35
inc0ovs-vsctl --no-wait add-port br-ex eth017:35
inc0ovs-vsctl --no-wait add-port br-ex veth17:35
kristian__ok17:35
inc0then we break our networking17:35
inc0so careful17:36
kristian__ok17:36
inc0ip a flush dev eth0 && ip a add << cidr of eth0 >> dev veth17:37
inc0we remove address from eth0 and add it to interface bridged to it17:38
kristian__cidr?17:38
kristian__or the ip17:38
inc0cidr17:38
kristian__ok17:38
inc0it needs netmask too17:38
kristian__in that same command?17:39
inc0well ip a flush dev eth0 will break network17:39
inc0if you have && it might fix network immediately17:39
inc0unless we messed something up then we'll need this console of yours;)17:39
kristian__ip 137.87.14.22 and netmask 255.255.255.0, so 137.87.14.0/24?17:39
inc0137.87.14.22/2417:40
kristian__ok17:40
kristian__going to login to the console first17:40
kristian__running the command17:42
kristian__can't find device veth17:43
kristian__Cannot find device "veth"17:43
kristian__inc0:17:44
inc0well17:44
inc0we need to create this first17:45
kristian__but still have ssh :D17:45
inc0yeah17:45
jamesbensonthe commands I sent you before should create veth1 and veth017:45
inc0yup17:45
kristian__I have that interfaces file jamesbenson17:45
jamesbensonyeah17:45
kristian__route add thing17:46
kristian__for br017:46
kristian__jamesbenson: run that and then run the command inc0 gave me?17:47
kristian__or destroy fully ovs, run the command and deploy openstack?17:47
jamesbensonwell my interfaces should create the veth0 and veth1... once created, you should be able to run inc0's commands17:47
kristian__ok17:48
kristian__ip link add veno0 ...17:48
jamesbensonI'm not trying to butt in too much...17:48
inc0it's hacky no matter what we do17:48
vhosakot137.87.14.22/24 is same as 137.87.14.0/24 :)17:49
inc0btw jamesbenson in Pike something like this might actually be better solution to single iface problem17:49
inc0vhosakot: same network17:49
kristian__File exists for the ip link add17:49
jamesbensoncool17:49
inc0but when you add ip to iface you need to specify ip and network17:49
vhosakotinc0: right, same block of 256 IPs :)17:49
kristian__I only have /28 and its on ovh so assign mac to ips17:50
inc0kristian__: so you already have veno, and you can run my commands with veno instead of veth17:50
vhosakottechnically, 254 usable... can't really use 137.87.14.0 and 137.87.14.255 (broadcast IP) for any host.17:50
kristian__and also Im bombarded with icmps17:50
kristian__inc0: still can't find device "veth"17:51
kristian__jamesbenson: we are going to celebrate in august17:52
inc0kristian__: replace veth with veno117:54
kristian__ok17:54
kristian__gotta go17:54
inc0or whatever name you used with James's command17:54
kristian__will ping you later17:54
inc0good luch17:54
*** kristian__ has quit IRC17:54
inc0luck;)17:54
*** kristian__ has joined #openstack-kolla17:55
*** omenv has quit IRC17:58
*** kristian__ has quit IRC17:59
*** srnbckr has quit IRC18:09
*** serlex has joined #openstack-kolla18:12
*** prateek has quit IRC18:17
*** emccormick has quit IRC18:21
*** emccormick has joined #openstack-kolla18:25
*** srnbckr has joined #openstack-kolla18:27
*** itlinux has joined #openstack-kolla18:53
*** itlinux_ has joined #openstack-kolla18:53
*** ducttape_ has quit IRC19:14
*** manheim has quit IRC19:15
*** ducttape_ has joined #openstack-kolla19:16
*** ducttape_ has quit IRC19:19
*** ducttape_ has joined #openstack-kolla19:19
*** iniazi has quit IRC19:21
*** ducttape_ has quit IRC19:24
*** ducttape_ has joined #openstack-kolla19:35
*** manheim has joined #openstack-kolla19:40
*** manheim has quit IRC19:43
*** manheim has joined #openstack-kolla19:43
*** awiddersheim has quit IRC19:44
*** awiddersheim has joined #openstack-kolla19:44
sbezverkkfox1111: ping19:52
*** mewald has joined #openstack-kolla19:57
openstackgerritMathias Ewald proposed openstack/kolla master: Add sensu images  https://review.openstack.org/48637919:59
openstackgerritMathias Ewald proposed openstack/kolla master: Add sensu images  https://review.openstack.org/48637920:10
mewaldFor sensu client I need to be able to copy some files into the container here and there. For example, for sensu-plugins-ceph there has to be a keyring file. The mailer plugin takes a parameter to a template file, etc. How to deal with these requirements? Is there a mechanism that allows copying arbitrary files into a container? I am not sure how to deal with this atm20:12
openstackgerritMathias Ewald proposed openstack/kolla-ansible master: Add Elasticsearch to Grafana  https://review.openstack.org/48674720:40
*** kristian__ has joined #openstack-kolla20:40
*** emccormick has quit IRC20:42
*** ansmith has quit IRC20:44
*** kristian__ has quit IRC20:44
*** serlex has quit IRC20:46
*** ducttap__ has joined #openstack-kolla20:46
*** mewald has quit IRC20:47
*** ducttape_ has quit IRC20:50
*** kristian__ has joined #openstack-kolla20:50
*** robellison has joined #openstack-kolla20:53
robellisonis there any way of securing the internal API with TLS?20:55
robellisondocs suggest only the external api20:55
*** rhallisey has quit IRC21:02
vhosakotrobellison: kolla has TLS just for the external VIP currently.  Why do you want TLS on the internal network?  will your internal network be an untrusted segment on the public internet (which should not be the case as internal network is always inside the datacenter behind a firewall)21:11
vhosakotrobellison: https://github.com/openstack/kolla-ansible/blob/master/doc/advanced-configuration.rst#tls-configuration21:11
*** pc_m has quit IRC21:11
robellisoni'm pretty sure PCI-DSS needs all connections to be encrypted21:12
robellisoneven if they are just control plane21:12
vhosakotrobellison: kolla supports https for the internal network tho --> https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L26321:13
jamesbensonvhosakot, can admin be https based off that that?  line 264?21:14
robellisonthat is interesting.. same certificate i guess?21:15
vhosakotjamesbenson: yes, in that case, your clients need to auth using https as keystone runs https when admin network has https enabled.21:16
vhosakotjamesbenson: https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L44221:16
jamesbensonneat21:17
vhosakotcert21:17
vhosakotrobellison: you can provide certs for external VIP which will be passed to haproxy --> https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L429-L43021:19
robellisoni cant see where to specify the internal cert21:19
robellisondoes anyone run this in large prod environments?21:19
vhosakotrobellison: yeah, no certs for internal network.. let me check the code21:20
vhosakotrobellison: I don't see any certs for the internal network, just https endpoint.21:22
robellisonlooks like it generates it's own certs and distributes them21:23
robellisonin the certificates role21:23
*** emccormick has joined #openstack-kolla21:24
vhosakotrobellison: yes, external certs are created using openssl in https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/certificates/tasks/generate.yml#L22-L3121:25
jamesbensonrobellison: I'm using tls for external, but internal is still http.... granted I did not enable the https option.  But i'm not seeing it int he code besides the group_vars file...21:25
openstackgerritMerged openstack/kolla-ansible master: Improve Swift ring setup sample script  https://review.openstack.org/48250821:25
robellison@jamesbenson: do you run Ceph as well?21:27
jamesbensonyes21:27
vhosakotrobellison: HTTPS is on top of TLS21:30
robellisonjamesbenson : i'm struggling to find any decent reference architectures with Ceph. they all look like they have the Glance/Cinder APIs on the Ceph-client network21:32
robellisonwhich doesn't seem ideal21:32
vhosakotrobellison: right, cinder and glance are ceph clients with ceph.conf.  why do you think this is not ideal? :)21:34
jamesbensonwe use all of the api's with ceph.....21:35
*** ansmith has joined #openstack-kolla21:38
robellisonbecause my understanding is that the containers/servers that host those APIs need to be both publicly accessible and also on the ceph-client network21:38
robellisonso a compromise would give the attacker full access to everything - all hypervisors and all storage nodes21:38
robellisoni'm looking for ways of separating this so there is never a single system that is both public facing and on the internal ceph-client network21:39
vhosakotrobellison: there must be a secure API network for all the API traffic separate from the public network21:40
*** pc_m has joined #openstack-kolla21:40
robellisonany good diagrams?21:40
robellisonunless the secure API network is still accessible from the public networks?21:41
vhosakotrobellison: https://docs.openstack.org/ocata/networking-guide/  and   https://docs.openstack.org/arch-design/  has nice info21:41
vhosakotnothing except the external VIP must be public-facing.  clients hit the external frontend VIP, and haproxy then sends the traffic on the required private network (API/storage/admin/etc)21:43
*** manheim has quit IRC21:43
*** manheim has joined #openstack-kolla21:44
robellisoni've read both of those before, but they dont really clarify21:44
robellisonas i understand it...21:44
robellisonapi user -> haproxy -> cinder -> ceph21:44
*** unicell has joined #openstack-kolla21:45
robellisonso a user would be executing code on cinder (wherever that is running) and that would have unfiltered access to ceph21:45
SamYaplerobellison: technically a user should only be hitting the loadbalancer21:46
robellisonbut that will pass them straight though21:46
SamYaplewell, no, it will load balance their request21:46
SamYapleits not like the client can talk to ceph directly21:46
SamYapleif you are suggesting that when cinder gets compromised they can access ceph, the answer is "yes"21:46
robellisonany http/s request will end up on the cinder api. regardless of if it is valid or not21:47
SamYaplethe *user cannot talk to ceph directly21:47
robellisonok.. any way around it?21:47
SamYaplethat is cinder though, that doesnt get to ceph21:47
robellisonno, but the server that it is running on is also on the ceph-client network21:47
robellisonso has full access to everything?21:48
vhosakotrobellison: I see more like:   user (using OpenStack CLI)  -->  hits external frontend VIP of haproxy  -->  cinder backend API on the active controller  -->  uses ceph on storage network to do stuff on the remote volume...21:48
SamYaplerobellison: no, it has access to whatever the key it has can access21:48
*** manheim has quit IRC21:48
robellisonIP wise though it has acess to everything21:48
SamYaplefor cinder, that is RX for glance pool, RWX for cinder and RWX for nova i believe21:48
robellisonso lets say apache has a vulnerability that means you can run some remote code via an http/s request21:49
SamYapleif an outside user can execute arbitrary code inside your network, there are bigger security risks21:49
SamYaplethe biggest i can think of is access to memcache which can be used to yank out valid admin tokens21:49
robellisonyeah, that's what we need to protect from. normal would be to terminate those requests in a DMZ and only allow very specific protocols through the firewall21:50
SamYapleyou are welcome to only allow users to talk to the _external_ haproxy endpoint21:50
robellisonbut that will proxy it through21:50
SamYaplebut i mean you are worried about ceph when a user has arbitrary code execution inside your network21:51
SamYaplethats silly. if they can do that, they can have full access to whatever the api had access to21:51
*** eaguilar has joined #openstack-kolla21:51
robellisonyeah that is my point really.. i want to move all the APIs to a DMZ21:51
SamYapleand the api *needs* access to rabbitmq, the database, memcached, and in some cases ceph21:51
robellisoni can see how to do it with most of them, but not cinder/glance when ceph is involved21:52
SamYapleregardless, the api wil lalways have access to the database and rabbitmq21:52
SamYapleso an attacker would too21:52
vhosakotthe most vulnerable/insecure nodes are the controllers IMO as they sit on both the external/public network and the internal network21:52
SamYaplethey could just inject a message that cinder-volume would do all the stuff to ceph21:52
*** jascott1 has quit IRC21:52
*** jascott1 has joined #openstack-kolla21:53
robellisonwe can limit to only rabbitmq and the database though21:53
SamYapleok. so over rabbitmq i can control ceph21:53
robellisonso the attacker would have to be someone with knowledge of openstack21:53
SamYapleyes. they would. to be able to compromise the api21:54
SamYaplethats assumed. yes21:54
robellisonwhereas with the API on the internal secure network, you don't have to know it's openstack21:54
vhosakotyes, totally possible to hack the API endpoint21:54
robellisonyou just have full access to a large network of high value targets with no firewalls21:54
robellisoninteresting conversation...21:55
robellisonhow do people usually try and mitigate this?21:55
*** jascott1 has quit IRC21:55
jamesbensonhas anyone tried to implement openstack-ansible security stig rules?  to harden openstack?21:56
SamYaplerobellison: i firewall malicious users. you can detect abnormal traffic with a number of methods. but at the end of the day, i trust the api isnt compromised21:56
vhosakotrobellison: if API is on the internal network, what would be on the external network then? and what should clients hit from the public network21:56
SamYaplejamesbenson: well kolla doesnt *need* a lot of those rules because we dont run services in the container like... bluetooth *shudders*21:56
vhosakotexternally facing endpoints are always risky :)  not just in OpenStack :)21:56
SamYaplejamesbenson: but kolla-ansible does lock down things where needed, like memcached21:57
jamesbensonand I thought only the network node, theoretically needs to sit publicly?21:57
SamYaplejamesbenson: not even that needs to sit publicly. i do double-natting21:57
jamesbensonthe other big security issue with kolla is just the whole, selinux...21:57
robellisonvhosakot : i was hoping something like: user -> haproxy -> api (in dmz) -> message queue ->api (internal) -> ceph21:57
SamYaplefor other reasons than security, but it works out21:57
SamYaplerobellison: thats just getting to ceph in more steps though21:58
jamesbensonfrom my understanding at least21:58
robellisonbut the user will never hit it21:58
vhosakotyes, totally possible to have a DMZ with a public message queue allowing just the OpenStack API TCP ports...21:58
vhosakotrobellison: ^^21:58
SamYaplerobellison: if you compromise the api in the dmz, you can get to ceph...21:58
*** jascott1 has joined #openstack-kolla21:58
robellisonSamYaple : how ? if it is totally firewalled off21:59
SamYaplerobellison: message queue messages?21:59
robellisonvhosakot : i cant see how to do it with ceph involved21:59
*** jamesbenson has quit IRC21:59
robellisonSamYaple ; yeah, but they will be correctly formed. the user would not be able to port-scan or try and compromise other hosts22:00
SamYaplerobellison, even correctly formed messages can interact with ceph. but its silly to suggest a user could get arbitrary command execution on the api but the messages won't have vulnerable points22:01
*** rwallner has quit IRC22:01
*** jascott1 has quit IRC22:01
robellisonyeah they can interact with ceph.. but nothing else22:01
vhosakotthere is _always_ the point of intersection between the public network and the private network, and this is the most insecure/vulnerable point in any cloud22:01
robellisonthat is a lot better than being able to interact with everything with no restriction and no way of intercepting it22:02
SamYapleok. you're acting like ceph is an open book22:02
SamYapleit has authentication22:02
SamYaplethe only service that is an api and has a ceph key is glance. and thats a known security issue22:02
robellisonthere are all the kvm hosts on there as well22:02
*** Manheim has joined #openstack-kolla22:03
robellisonand unfortunately in my scenario, literally the whole network22:03
robellisonSamYaple : not cinder as well?22:03
SamYaplerobellison: only cinder-volume which is only interacted with over message queue22:04
robellisonok cool.. what's the impact of not allowing external users access to glance?22:04
robellisoni guess they can still upload images via horizon?22:04
vhosakotrobellison: are you using OpenStack for a public cloud usecase?22:04
*** itlinux has quit IRC22:04
*** itlinux_ has quit IRC22:04
robellisonvhosakot : that is the intention22:05
SamYaplerobellison: if they only interact through horizon, literally no other api needs to be exposed22:05
vhosakotrobellison: ah..if public cloud, good to throw in the DMZ+rabbit between the frontend public API and the backend private API22:05
SamYapleotherwise you cant really limit glance unfortunately22:05
robellisoni guess i could not deploy glance on the DMZ servers22:06
*** ducttape_ has joined #openstack-kolla22:06
vhosakotrobellison: yes, I agree that the OpenStack docs do not have great info for public cloud usecases.22:06
robellisonand horizon could point to the internal API (through the firewall)22:06
SamYaplelook, i feel you are focusing on the wrong issue here. lets talk about the resources the api absolutely must have access to22:06
SamYaplemessage queue, to which they can do alot22:06
SamYapledatabase, between those two they can do anything in openstack22:06
SamYapledid you know you can initiate a volume transfer between tenants?22:07
vhosakotDDOS'ing the DMZ can break rabbit :)22:07
robellisonas an admin22:07
SamYaplesince they have full admin access to openstack they could read any data out of ceph they wanted22:07
SamYaple(apis are full admins in openstack)22:08
vhosakot^^22:08
SamYapleby default at least. technically you can lock that down with policy.json22:08
SamYaplebut guess what, they compromised the thing that reads the policy.json22:08
SamYapleand they have full db access22:08
*** ducttap__ has quit IRC22:09
SamYapleim not saying you don't have valid security concerns22:09
robellisonyou can protect the db with conductors now though.. to some extent22:09
SamYaplelibvirt should absolutely be on its own network (or configurable)22:09
SamYaplebut the apis are the _last_ line of defense, not the first22:09
SamYaplethe pipelines are there for you to modify22:10
SamYapleyou can add in whatever security auditing code you want before it hits openstack22:10
*** jgriffith has quit IRC22:10
SamYaplethen proper firewalling and an IDS or similar22:10
*** jgriffith has joined #openstack-kolla22:10
robellisoni think it would probably be acceptable for a user to only be able to upload images via horizon22:11
robellisonso no access to glance22:11
robellisonthe rest can go in a DMZ if i can find any documentation22:11
robellisoni would feel a lot better having that layer of IPS/etc in between users and internal networks22:12
*** jgriffith has quit IRC22:12
robellisonplus, that is the only way it would get through an audit i suspect22:12
SamYaplerobellison: it's not that simple22:13
vhosakotrobellison: so, block glance port and only allow horizon port so users cannot use glance CLI and are forced to use horizon thru the DMZ/IPS to create an image?22:14
SamYapleso a standard boot command is "openstack server create --flavor 1 --network 123 --image ubuntu server01"22:14
SamYaplebut that right there needs access to glance to actually boot22:14
SamYaplethe user makes a call to glance to look up info about 'ubuntu' as an image22:14
robellisonvhosakot : yeah, if that is possible. that seems to be the API that has the most access22:14
vhosakotrobellison: yes, just block _all_ the ports in the DMZ/IPS except horizon... sounds safe22:15
robellisonSamYaple : is that not dealt with by Nova?22:15
*** jgriffith has joined #openstack-kolla22:15
robellisonnova -> glance -> ceph22:15
*** jgriffith has quit IRC22:16
SamYaplerobellison: nope. you can use --debug to see all the api calls the client actually makes22:16
robellisoni wonder if that needs full access to ceph to do that or just the glance registry22:18
SamYaplerobellison: both the registry and api need access to the database22:18
vhosakotrobellison: blocking OpenStack CLIs for the user will make the user not be able to automate anything as GUI automation is boring sometimes :)22:18
SamYapleand i think they both need access to ceph glance pool22:18
*** jgriffith has joined #openstack-kolla22:19
SamYaplei know the api dumps data and pulls data, but i believe the registry audits the pool22:19
robellisoncomplicated22:19
SamYapleeither way, the API most definitely needs access to the ceph pool22:19
SamYapleyea glance is probably the worst service we all still use22:19
*** jgriffith has quit IRC22:19
*** awiddersheim has quit IRC22:21
robellisonmaybe some pre-authentication at the edge would be the way to go22:21
SamYapleand you can do that!22:21
SamYaplehell you can do that and integrate it into openstack via pipelines22:21
*** awiddersheim has joined #openstack-kolla22:21
SamYaplebut i would look at apis as the last layer of defense in an attack and protect them accordingly22:22
vhosakotrobellison: https://www.openstack.org/marketplace/public-clouds/ has companies building openstack public cloud22:22
*** emccormick has quit IRC22:22
robellisonvhosakot : yeah, there are a lot of big companies that say they have solutions, but they all seem to assume no security22:23
robellisonflat networks and no firewalls22:23
*** jgriffith has joined #openstack-kolla22:23
robellisonSamYaple : what's pipelines?22:24
SamYaplepaste.ini22:24
vhosakotrobellison: flat network is fine, no fw is not coot :)22:24
SamYapleall the messages for an api go through that22:24
vhosakotcool*22:24
SamYaplerobellison: to be fair, we are dealing with technology that literally has no auth or security.22:24
SamYaplememcache has none22:24
SamYapleqemu's vnc connection.. has none22:25
robellisonyeah there seems to be a fair few worrying bits22:25
robellisonit would be useful if haproxy routed and validated all the api calls22:27
robellisonand did pre-auth22:27
SamYapleit does not, but *you* can via pipelines22:27
SamYaplemind you, these apis are literally hammered on thousands if not millions of times a day22:28
SamYapleautomated tests and otherwise22:28
robellisonSamYaple : cool, i'll have a look at it22:28
SamYapleto be clear, i do not recommend you trying to validate the api calls before it gets to the service22:28
SamYaplei think there is a good chance you will introduce a security vulnerability22:29
SamYaplebut you *can* do it22:29
robellisoni was thinking just checking that it's an http/s request and the routing was something that exists22:30
robellisonanyway, lots of thinking22:31
SamYaplehaproxy definitely does that22:31
SamYaplemode http vs tcp22:32
robellisoni'm pretty sure you can make it check the routes and verbs etc as well22:33
vhosakotrobellison: what creds must the user supply to pre-auth at the external haproxy VIP in the DMZ?22:34
robellisonvhosakot : hopefully it should be transparent.. so the same as they would usually22:34
robellisoni'm sure it wouldn't be too hard to re-route the /authenticate method - assuming that's what it is22:35
vhosakotrobellison: so users must auth twice then... pre-auth and then OpenStack's keystone auth?22:35
*** ducttape_ has quit IRC22:36
vhosakotrobellison: you can ship fingerprint recognition pads to all your users ;)22:36
robellisonno, more that without the pre-auth they wouldn't get any further than haproxy (or something with no access to anything else)22:37
robellisonexcept keystone i guess22:37
robellisonaccess to keystone api with no pre-auth. everything else validated that it has a valid token22:39
SamYaplerobellison: if the token doesn't validate in the pipeline the request doesn't even hit the other apis22:40
SamYaplejust saying...22:40
robellisonbut it would be on the API then22:40
robellisonand that API has too much access (glance anyway)22:40
robellisonif it was validated before it got to that server, there is no way an unknown user could hit it22:41
vhosakotthe horizon devs must implement face recognition ;)22:41
*** awiddersheim has quit IRC22:42
SamYaplerobellison: well look, if you really really wanted to, and I'm not recommending it, you could have a dedicated node that only has the keystone auth validation in the pipeline that doesn't have access to ceph or anything22:42
SamYapleall requests would go through that server (or group of servers) before ferrying onwards22:43
robellisonhaha yeah maybe i'm being too fussy22:43
SamYaplei really think you are22:43
robellisonbut i know i will be asked all of these questions22:43
SamYaplefwiw, i appreciate the skepticism22:44
*** awiddersheim has joined #openstack-kolla22:44
SamYaplebut i just think you are focusing on the wrong part22:44
vhosakotrobellison: not fussy at all, great discussion about OpenStack public cloud.... I agree public clouds need multiple auths before requests are let in.22:44
SamYaplemalicious users can still get valid tokens22:44
robellisonyeah it's just about reducing the risk as much as possible and reducing the impact should the worst happen22:44
SamYapleand *on* that note, i applaud you22:45
SamYaplemake sure to lock down your internal network is the best i can tell you22:45
SamYapleceph-osds ship traffic around with 0 encryption22:45
SamYaplethats by design, you can't change that22:45
SamYaplesecure the network external and have good intrusion detection is the best advice i can give22:46
robellisonyeah thats ok, we can deal with that on a protected network22:46
robellisondont worry... many layers of IPS here :)22:46
SamYapleof note, the apis are mostly all moving to WSGI apps22:47
SamYapleso you can run them behind apache2 or nginx with the added security those offer22:47
SamYaplemostly in the form of malformed packets22:47
*** ducttape_ has joined #openstack-kolla22:47
SamYaplebut there are a tonne of security options for them22:47
vhosakotbrb 10 mins... rebooting22:48
robellisonwell the good thing is that it's not a closed box22:48
robellisonwhat's the view on kolla anyway.. it seems like the way to go to me22:49
robellisoni've looked at a lot of commercial openstack implementations but they all seem too rigid22:50
*** vhosakot has quit IRC22:50
*** ducttape_ has quit IRC22:51
*** ducttape_ has joined #openstack-kolla22:51
robellisonright, i've got to go, but thanks for the interesting thoughts SamYaple, vhosakot22:56
*** eaguilar is now known as eaguilar|afk22:58
*** eaguilar|afk has quit IRC23:00
*** ducttape_ has quit IRC23:02
*** itlinux_ has joined #openstack-kolla23:05
*** itlinux has joined #openstack-kolla23:05
*** itlinux has quit IRC23:10
*** itlinux_ has quit IRC23:10
*** ducttape_ has joined #openstack-kolla23:11
*** manheim_ has joined #openstack-kolla23:12
*** ducttape_ has quit IRC23:12
*** ducttape_ has joined #openstack-kolla23:16
sdakerobellison view on kolla is generally regarded as good, although IMO documentation is poor - for more details check out the analytics based upon the user survey which shows adoption/interest rates increasing: https://www.openstack.org/analytics 4% in deploy 9% in testing / 28% interest rate - pretty much leading the market (at least for the user survey data recorded)23:58
sdakerobellison if you have further feedback you want to provide to the development team - this is the place to provide it :)23:59

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!