Tuesday, 2017-08-08

<masber> good morning, is there any documentation to enable SR-IOV in kolla-ansible? thank you very much [00:14]
<openstackgerrit> Marcus Williams proposed openstack/kolla master: Update OpenDaylight Container to Carbon SR1  https://review.openstack.org/491638 [00:30]
<duonghq> morning guys [01:01]
<openstackgerrit> Merged openstack/kolla-ansible stable/ocata: Add default volume_backend_name for rbd driver in cinder volume  https://review.openstack.org/491208 [01:30]
<zhubingbing> hi guys [01:34]
<openstackgerrit> Lei Xu proposed openstack/kolla master: Add chrony link in README.rst  https://review.openstack.org/491501 [01:44]
<openstackgerrit> Lei Xu proposed openstack/kolla master: Add chrony link in README.rst  https://review.openstack.org/491501 [01:46]
<openstackgerrit> Merged openstack/kolla master: Add chrony link in README.rst  https://review.openstack.org/491501 [01:51]
<openstackgerrit> zhubingbing proposed openstack/kolla-ansible master: Move placement-api-access log formate to apache_access  https://review.openstack.org/491423 [01:58]
<duonghq> hi zhubingbing [02:20]
<zhubingbing> hi [02:20]
<zhubingbing> hi duonghq [02:20]
<openstackgerrit> Pete Birley proposed openstack/kolla-kubernetes master: DNM: Ironic gate test  https://review.openstack.org/491648 [02:22]
<eswar> Hi All........Please let me know if any version 0.6/0.5.0.4 is supported for ubuntu 14.04 as its not mentioned in release notes. [04:56]
<eswar> kolla-K8S [04:56]
<eswar> Hi All ..... In https://docs.openstack.org/kolla-kubernetes/latest/deployment-guide.html# its mentioned kolla-k8s is validated on Ubuntu 16.04 [05:24]
<eswar> just wanted to know if its supported on ubuntu 14.04 [05:24]
<kolla-slack> <jascott1> eswar probably best effort but i wouldnt expect official support [05:29]
<jascott1> thats just a guess [05:30]
<eswar> Thanks Justin .... it means its only supported in 16.04 right ..... please correct my understanding ..... any version of kolla-k8s that supports 14.04 ?? [05:31]
<openstackgerrit> zhubingbing proposed openstack/kolla-ansible master: Move placement-api-access log format to apache_access  https://review.openstack.org/491423 [06:03]
<eswar> Hi All ..... i am new to kolla-k8s .... trying to understand it ..... just wanted to know latest version of kolla-k8s 0.6.0 supports which openstack version docker containers ... is it by default Mitaka ?? [06:07]
<openstackgerrit> zhangfei gao proposed openstack/kolla-ansible master: mariadb: fix permission issue of /var/run/mysqld  https://review.openstack.org/491683 [06:42]
<openstackgerrit> zhangfei gao proposed openstack/kolla-ansible master: common: fix ansible location  https://review.openstack.org/491684 [06:42]
<openstackgerrit> Taeha Kim proposed openstack/kolla master: Fix ceilometer-compute fails to build in RHEL  https://review.openstack.org/491685 [06:52]
<zhangfei> SamYaple: the patch "Remove priviledged mode for nova-api" cause kolla deploy error [06:53]
<zhangfei> https://bugs.launchpad.net/kolla/+bug/1709244 [06:53]
<openstack> Launchpad bug 1709244 in kolla "nova : Discovering nova hosts fails" [Undecided,New] [06:53]
<kolla-slack> <egonzalez> zhangfei, the error is fixed in master and work for rpm distros, ubuntu has not packaged the change in nova code base yet [07:00]
<zhangfei> cool, which patch? would like to try [07:01]
<openstackgerrit> Taeha Kim proposed openstack/kolla stable/ocata: Fix ceilometer-compute fails to build in RHEL  https://review.openstack.org/491691 [07:05]
<kolla-slack> <egonzalez> zhangfei https://review.openstack.org/#/c/480765/ [07:06]
<zhangfei> kolla-slack: thanks [07:08]
<openstackgerrit> Taeha Kim proposed openstack/kolla master: Fix nova-compute fails to build in RHEL  https://review.openstack.org/491710 [08:04]
<openstackgerrit> Taeha Kim proposed openstack/kolla stable/ocata: Fix nova-compute fails to build in RHEL  https://review.openstack.org/491715 [08:26]
<openstackgerrit> Vladislav Belogrudov proposed openstack/kolla-ansible master: Add possibility to configure tenant VLANs  https://review.openstack.org/464675 [09:50]
<openstackgerrit> weichuancheng proposed openstack/kolla-ansible master: Add external-ceph-scripts to create configration files  https://review.openstack.org/489984 [11:57]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/kolla-kubernetes master: Updated from global requirements  https://review.openstack.org/485905 [12:13]
<matrohon> gate-kolla-dsvm-build-ubuntu-source-ubuntu-xenial [12:33]
<matrohon> hi kolla guys [12:33]
<matrohon> is there something wrong with the job : gate-kolla-dsvm-build-ubuntu-source-ubuntu-xenial [12:34]
<matrohon> it is constantly failing on https://review.openstack.org/#/c/490515/2 [12:34]
<krtaylor> morning all [13:09]
<serlex> Morning [13:13]
<SamYaple> zhangfei: you have to be running the latest nova code. i dont recommend testing any master code without using a source based deploy [14:59]
<zhangfei> SamYaple: thanks, one silly question, how to run the latest nova code? build kolla will get the latest code? [15:06]
<SamYaple> zhangfei: yes, but you can't use a "binary" deploy [15:07]
<zhangfei> yes, I am using "source", may try to rebuild nova tomorrow, nova-compute & nova-api, right? or all nova component? [15:09]
<SamYaple> zhangfei: technically the only one you need to rebuild is nova-api [15:16]
<SamYaple> however i dont know what other patches have been pulled in, so youll want to rebuild all of nova [15:16]
<zhangfei> SamYaple: got it, thanks for suggestion, will have a try tomorrow [15:17]
<Ally> Only way i can add new compute\storage node (ceph) is to run deploy -t to bootstrap osd's on new node then run kolla-ansible reconfigure, is this correct? [15:31]
<Ally> Thought could run kolla-ansible upgrade to add new node but this always fails as ceph.conf etc not copied into containers [15:32]
<tosika> hmm, at the moment all my deployment attempts fail during " Create cell0 mappings" [15:42]
<tosika> not sure if i misconfigured it or if it is broken [15:43]
<tosika> anybody else seeing this? [15:43]
<openstackgerrit> sean mooney proposed openstack/kolla-ansible master: introduce playbook to ovs with dpdk  https://review.openstack.org/408872 [15:53]
<sean-k-mooney> inc0: ^ i need to rebuild all my images to fully test https://review.openstack.org/408872 but i think that version will support deploying ovs-dpdk as part of the deploy action [15:54]
<sean-k-mooney> inc0: im going to add the module config as a separate patch on top. there is already too much in https://review.openstack.org/408872 so i dont want to keep making it bigger [15:55]
<s-dean> how do i set the kolla_internal_vip_address interface it keeps defaulting to the network_interface which is not what i want [16:05]
<sean-k-mooney> s-dean: you could try setting api_interface to something other than network_interface [16:16]
<sean-k-mooney> s-dean: but the path to kolla_internal_vip_address will generally be determined by your routing table [16:16]
<sean-k-mooney> basically you should determine what subnet range maps to the interface you want to use and select a vip that is free in that range [16:17]
<inc0> network_interface is not used for anything else than just to provide default for more detailed interface conf [16:20]
<inc0> as sean-k-mooney said, you can specify separate api_interface or tunnel_interface (for things like vxlan) [16:20]
<s-dean> im trying to deploy this on a multi node environment, but im a bit confused, i understand that the VIP is meant to be a floating IP [16:20]
<inc0> right, managed by keepalived [16:20]
<s-dean> but it keeps checking the api interface [16:20]
<s-dean> the api interface is my management network right [16:21]
<inc0> well it is floating IP in api_interface network [16:21]
<sean-k-mooney> s-dean: the api interface is the interface the openstack service listen on [16:21]
<inc0> it will be terminated by haproxy and then haproxy will load balance request to actual API [16:21]
<s-dean> right ok [16:22]
<s-dean> do i comment out network_interface [16:22]
<inc0> well network interface is used for other stuff too [16:23]
<s-dean> considering its a default value for other variables [16:23]
<inc0> vxlan tunnels, storage and sch [16:23]
<inc0> such [16:23]
<inc0> these things needs a network too;) [16:23]
<s-dean> im specifying my tunnel network [16:23]
<s-dean> i have tunnel net mgmt net and provider net [16:23]
<inc0> well if you specify manually every network you're going to be using [16:23]
<inc0> then you can safely comment network_interface [16:24]
<s-dean> i wish you guys had kept the terminology the same as in the docs [16:24]
<sean-k-mooney> s-dean: maybe it is better to start with describing the topology you would like and we can suggest how to achieve that [16:24]
<s-dean> ok [16:24]
<s-dean> that would be of great help [16:24]
<s-dean> ok i have 2 bonds on my controller, 3 bonds on my network, and 2 bonds on my compute, i would like a provider network, for floating IP's, one management network for openstack services to communicate on, and on network for VM traffic [16:25]
<s-dean> one network for VM traffic [16:25]
<s-dean> i so from what you have said so far, [16:26]
<inc0> right, then I'd say neutron_external_iface => net for floatings [16:26]
<s-dean> yup [16:26]
<inc0> network_interface => mgmt [16:26]
<inc0> and tunnel_interface => cross-vm traffic [16:26]
<inc0> reason it's safer to specify network interface too is that as I said it's also used for example for cinder [16:27]
<inc0> or ceph [16:27]
<s-dean> kolla_external_vip_interface ? [16:27]
<inc0> https://docs.openstack.org/kolla-ansible/latest/production-architecture-guide.html#network-configuration [16:27]
<s-dean> got that open right now [16:28]
<inc0> external is different [16:28]
<serlex> Ally [16:28]
<inc0> external_vip_interface is for scenario where you want people to have access to your APIs [16:28]
<sean-k-mooney> s-dean: kolla_external_vip_interface that is so you can use a separate interface for external(internet) facing api calls vs internal(inter service) api calls [16:28]
<inc0> but not mgmt [16:28]
<inc0> no openstack service will use external [16:29]
<s-dean> so kolla_internal_vip_address, this has to be a floating IP on my management network ? [16:29]
<inc0> yes [16:29]
<sean-k-mooney> s-dean: yes that is the vip used by openstack services to communicate [16:29]
<inc0> and databases and stuff like that [16:30]
<s-dean> ok, and if i want to expose said service i use the kolla_external [16:30]
<sean-k-mooney> s-dean: yes by default external and internal vips are the same [16:30]
<inc0> right [16:30]
<Ally> hi serlex [16:30]
<inc0> so under the hood it will create new floating in keepalived, new set of endpoints in haproxy [16:31]
<serlex> I believe you can add compute node with reconfigure, inc0 can you confirm? [16:31]
<inc0> that will NAT to regular service APIs [16:31]
<serlex> to an existing running setup* [16:31]
<inc0> compute node shouldn't be problem [16:31]
<inc0> but use deploy rather than reconfigure [16:31]
<inc0> we had conversation yesterday about moving rabbitmq from 1 node to 3 node cluster and that was funny [16:32]
<inc0> but compute node should just work [16:32]
<serlex> there you go, thanks inc0...will it work with ceph-osd node? [16:32]
<inc0> yeah I think so [16:32]
<serlex> I dont see why not, only thing you can't change with ceph is erasure profile, if you are using it [16:33]
<serlex> I think* [16:33]
<Ally> serlex, inc0 - thank u. I got it working using configure but its best to use deploy? i was always worried that it would be destructive [16:33]
<sean-k-mooney> s-dean: one of the reasons for having two vips is so that we can have tls enabled on the external side but have it turned off internally so that we only pay the ssl cost from external requests [16:35]
<inc0> Ally: we're very very careful to write our plays so it won't be destructive [16:35]
<inc0> our plays should be idempotent [16:36]
<inc0> one thing you can do tho [16:36]
<inc0> so kolla-ansible is just a shortcut for very long ansible-playbook command [16:36]
<inc0> which is displayed as first thing in output [16:36]
<inc0> if you use this command instead of kolla-ansible, you get more flags you can use [16:37]
<inc0> and you can for example limit playbook run to just a new node [16:37]
<inc0> this will guarantee that it wont touch rest of the nodes [16:37]
<sean-k-mooney> depending on what you want to do you can also use --tags to have only a subset of the roles run [16:38]
<s-dean> thanks, i think ive got me head round that now, can i remove localhost from my multinode config ? it's complaining that an interface is not found. [16:40]
<sean-k-mooney> s-dean: in the deployment section? [16:40]
<Ally> inc0 - much appreciated. when adding the combined compute\storage node i first ran kolla-ansible deploy -t ceph to bootstrap the disk and then kolla-ansible reconfigure which added new node successfully. [16:40]
<s-dean> yeah [16:41]
<Ally> inc0 - so better to use ansible-playbook with additional flags to add this new node in one step? [16:41]
<s-dean> sorry i mean globals.yml [16:41]
<sean-k-mooney> s-dean: i think that is only needed for the bootstrap role, inc0 it should be safe to comment out correct [16:41]
<s-dean> sorry im getting confused [16:41]
<sean-k-mooney> s-dean: you're referring to [deployment] [16:42]
<sean-k-mooney> localhost       ansible_connection=local [16:42]
<s-dean> yeah [16:42]
<inc0> it's used just to do post-deploy [16:42]
<inc0> as in, generate admin_openrc [16:42]
<s-dean> ok, is that all post-deploy does ? [16:43]
<inc0> but what's the error? [16:43]
<inc0> yes, that's all [16:43]
<sean-k-mooney> inc0: it also gets picked up by the destroy playbook [16:43]
<s-dean> its looking for an interface that doesn't exist on my deployment host, in this case bond0 [16:44]
<inc0> I guess we have bug [16:44]
<inc0> yeah you can just replace this entry with any node from cluster [16:44]
<sean-k-mooney> inc0: i found that out when i blew away one of my dev deployments for ovs-dpdk [16:44]
<inc0> aw [16:44]
<inc0> I guess we have all there;) [16:44]
<inc0> hosts: all [16:45]
<inc0> we should probably fix that [16:45]
<s-dean> so in the deployment section, i can replace localhost with controller [16:45]
<sean-k-mooney> ya i asked if it was intended behavior or not but got no answer [16:45]
<sean-k-mooney> s-dean: ya [16:45]
<sean-k-mooney> its meant to be the name of the host you are doing the deployment from [16:45]
<inc0> but really it's just used for this admin generation [16:46]
<s-dean> i have a separate deployment host from the controller, a VM [16:46]
<s-dean> ok, I can probably generate the admin config from the passwords.yml [16:46]
<s-dean> that is generated? [16:46]
<sean-k-mooney> s-dean: you generate the password.yml before you do the deploy [16:47]
<s-dean> yeah, of course [16:47]
<sean-k-mooney> but yes you should just be able to copy the admin password from there [16:47]
<tosika> after deploy, you create the admin-openrc with kolla-ansible post-deploy [16:48]
<tosika> you're right [16:48]
<tosika> you can take the password from there [16:48]
<sean-k-mooney> not sure why it should need to lookup bond0 though. is that what you have set as the network_interfaces in globals? [16:48]
<s-dean> yes [16:48]
<s-dean> on my deployment host, it has one interface, which is ens3 [16:49]
<inc0> it shouldn't, that's why I'm asking what was real error;) [16:49]
<tosika> my deployment attempts still fail during nova cell setup [16:49]
<tosika> this time it is task 'Create base cell for legacy instances' [16:50]
<s-dean> fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "Please check the api_interface property - interface bond0 not found"} [16:50]
<inc0> which task is it? [16:51]
<tosika> did someone else try a deploy using master-branch lately? [16:52]
<sean-k-mooney> tosika: i hit that too [17:03]
<sean-k-mooney> that is why im currently rebuilding all my images [17:03]
<sean-k-mooney> im hoping that will fix it but maybe not [17:04]
<kolla-slack> <egonzalez> tosika, ubuntu binary or other distro? [17:04]
<sean-k-mooney> there is a kolla slack bridge ? [17:04]
<sean-k-mooney> also hi egonzalez [17:05]
<tosika> ubuntu, source [17:05]
<kolla-slack> <egonzalez> sean-k-mooney yep, in kubernetes slack [17:05]
<kolla-slack> <egonzalez> tosika, is rabbitmq cluster running properly? Check nova logs [17:06]
<tosika> sean-k-mooney: already dumped my images several times and retried with centos, binary and so on [17:06]
<tosika> no success until now [17:06]
<sean-k-mooney> tosika: mine are almost all rebuilt so ill see if i can reproduce and debug too. that error is currently blocking me testing ovs-dpdk deployment as part of the deploy action [17:07]
<sean-k-mooney> in my case i have not done a full rebuild in 5-6 weeks so its not a bad idea for me to rebuild anyway [17:08]
<kolla-slack> <egonzalez> Hrm, i've not seen any cell error for a while, on Friday they were working [17:09]
<sean-k-mooney> egonzalez i hit the same with master playbooks earlier today using ubuntu source. as i said my images were a few weeks old so the issue is likely on the ansible side [17:10]
<tosika> hmm, no logs under /var/log/kolla on all hosts [17:12]
<kolla-slack> <egonzalez> tosika, /var/lib/docker/volumes/kolla_logs [17:12]
<tosika> thx [17:13]
<s-dean> does kolla place mariadb on the network node ? [17:13]
<tosika> nova-api logs that rootwrapper is not able to execute iptables-save [17:15]
<kolla-slack> <egonzalez> sean-k-mooney, a change in ansible master last week require a rebuild [17:15]
<sean-k-mooney> egonzalez ya i had assumed that there was a change in the kolla-toolbox or something along those lines [17:16]
<kolla-slack> <egonzalez> Tosika ^^ images require rebuilding, also ubuntu binary is broken until ubuntu packages nova change [17:17]
<sean-k-mooney> egonzalez we were seeing the issue on ubuntu source though [17:17]
<sean-k-mooney> egonzalez this is what seems to be failing https://github.com/openstack/kolla-ansible/blob/3a68aee3ad4ab5b79e867555b3fe6c5af69c1004/ansible/roles/nova/tasks/simple_cell_setup.yml#L17-L49 [17:19]
<sean-k-mooney> actually https://github.com/openstack/kolla-ansible/blob/3a68aee3ad4ab5b79e867555b3fe6c5af69c1004/ansible/roles/nova/tasks/simple_cell_setup.yml#L17-L28 [17:19]
<tosika> exactly [17:19]
<kolla-slack> <egonzalez> sean-k-mooney any error in logs? Currently gates succeed with cell creation tasks [17:20]
<sean-k-mooney> egonzalez im still rebuilding so cant check. tosika do you have any logs from the deploy [17:21]
<tosika> this time it was task: "Create base cell for legacy instances" [17:22]
<tosika> settings were ubuntu, source, master [17:22]
<tosika> kolla-ansible (5.0.0.0b4.dev22) from git [17:23]
<kolla-slack> <egonzalez> Maybe this? http://logs.openstack.org/84/491684/1/check/gate-kolla-ansible-dsvm-deploy-ubuntu-binary-ubuntu-xenial-nv/2f12533/logs/kolla/nova/nova-api.txt.gz#_2017-08-08_07_02_13_539 [17:23]
<tosika> message was: [17:23]
<tosika> fatal: [controlhost -> controlhost]: FAILED! => {"changed": false, "cmd": ["docker", "exec", "nova_api", "nova-manage", "cell_v2", "create_cell"], "delta": "0:00:00.327543", "end": "2017-08-08 18:47:29.938833", "failed": true, "failed_when_result": true, "rc": 137, "start": "2017-08-08 18:47:29.611290", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []} [17:23]
<tosika> adding -v to the deploy command does not give more information [17:23]
<tosika> where can i get more logs? [17:24]
<kolla-slack> <egonzalez> Logs for that task is in nova-api.log [17:24]
<kolla-slack> <egonzalez> Tosika, likely is the same error in current ubuntu binary gates, if that's the case for source, rebuild with latest code [17:25]
<sean-k-mooney> egonzalez tosika just asked on the nova channel nova-manage cell_v2 create_cell is going direct to the db not calling the api [17:26]
<sean-k-mooney> so its the mysql logs that will likely have the output no? [17:26]
<kolla-slack> <egonzalez> But the task is failing in nova api container, check this link failing the same task in gates [17:26]
*** yangyapeng has quit IRC17:26
kolla-slack<egonzalez> http://logs.openstack.org/84/491684/1/check/gate-kolla-ansible-dsvm-deploy-ubuntu-binary-ubuntu-xenial-nv/2f12533/logs/kolla/nova/nova-api.txt.gz#_2017-08-08_07_02_13_53917:26
tosikanova-api.log just complains about not being able to run iptables-save17:27
tosika2017-08-08 19:26:36.546 7 CRITICAL nova [req-5667f013-a2a3-4273-a128-a09e86296507 - - - - -] ProcessExecutionError17:27
tosika: Unexpected error while running command.17:27
tosikaCommand: sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c17:27
tosikaExit code: 117:27
tosikaStdout: u''17:27
tosikaStderr: u'iptables-save v1.6.0: Cannot initialize: Permission denied (you must be root)\n\n'17:27
tosika201717:27
sean-k-mooneyoh haha i know what caused this17:27
sean-k-mooneywe recently dropped privileges on nova-api17:28
kolla-slack<egonzalez> Thats what i said need image rebuild17:28
tosikabut user is in sudoers and able to become root without password17:28
SamYaplethe packages either need to be rebuilt or you need to rebuild your sources container17:28
*** sambetts is now known as sambetts|afk17:29
SamYapleyou should never run binary packages for your master code, it will always be lagging17:29
sean-k-mooneySamYaple: so is https://github.com/openstack/kolla-ansible/commit/c18615efd54d57f89d1a81729099285ea1fca3a7 related or not17:30
SamYaplethats almost certainly whats causing it, yes sean-k-mooney17:30
tosikawhat do i need to do to rebuild those images? i thought it would be sufficient to run "destroy --include-images --yes-i-really-really-mean-it" and then do a new deployment17:30
SamYapletosika: if you are using ubuntu-binary the binary packages have not received the updated nova source code is my understanding17:31
SamYapleso there is nothing you can do with ubuntu-binary until the packages update17:31
SamYapleif you are using ubuntu-source, then a container rebuild will fix it17:31
tosikayeah, ok. but if I'm using 'source' the code should always be cloned from git, right?17:32
sean-k-mooneySamYaple: so does nova manage no longer call iptables or does that need to be reverted. im rebuilding all my images currently from source but it takes years behind our proxies17:32
*** eaguilar|afk is now known as eaguilar17:32
SamYaplesean-k-mooney: the nova-metadata-api no longer pulls in old nova-net code which talked to iptables. the nova-api container should not need to modify iptables in any way when running from nova master17:33
vhosakotinc0: if PTG same as mid-cycle summit?  my manager is asking :)17:33
vhosakotinc0: is PTG same as mid-cycle summit?  my manager is asking :)17:33
inc0no, not exactly17:33
sean-k-mooneySamYaple: ah thanks that makes sense17:33
inc0midcycle is this low key "let's meet in a room"17:33
inc0PTG is full fledged event for all projects17:34
vhosakotinc0: will there be a mid-cycle summit as well for which I need to ask travel funding apart from the PTG? :)17:34
inc0it's much closer to design part of summit17:34
sean-k-mooneySamYaple: in that case ill just sit and wait for the rebuild to finish. i need to start using our caches when building...17:34
inc0no midcycle17:34
vhosakotinc0: cool, thanks for the info.17:34
sean-k-mooneyinc0: out of interest has your travel been approved to the ptg yet. im still waiting for mine17:35
*** aagate has quit IRC17:35
inc0no, we have so much chaos around here that it'll probably get approved week or so before -.-17:35
SamYapleinc0: most teams use the PTG as the midcycle (as that was part of the original intention). does kolla have a midcycle and PTG?17:36
inc0no, we don't have midcycle any more17:36
SamYapleoh ok17:36
SamYapleyea thats like most teams17:36
SamYapleive heard of one or two that still do a mid-cycle, but its all remote17:36
*** aagate has joined #openstack-kolla17:37
sean-k-mooneythe summit is more like a midcycle check-in now instead with the PTG being the main planning event for kolla nova and neutron from what i have seen17:37
*** sbezverk_ has quit IRC17:37
inc0I think PTG took what was good from both design summit and midcycles17:37
SamYapleindeed17:37
vhosakotyeah, my manager is like "so, you want to go to Colorado (PTG), Australia (summit) and Austin (may be kubeCon)?, where else?, do you want business class flight and chauffeur-driven cars too" :)17:37
SamYaplevhosakot: i mean if he is offering.....17:38
vhosakothahaha17:38
vhosakotI wish :)17:38
inc0I really like that we get 3 days of room and that's it. We're not bound by strict schedule and such17:38
SamYapleinc0: i really like getting a whole bunch of work done17:38
sean-k-mooneyvhosakot: chauffeur too and from work would be nice haha17:38
inc0brb17:38
vhosakotlol17:38
vhosakotI'm like "I can sit on lap in plane and share room" lol ;)17:39
*** ducttape_ has quit IRC17:39
tosikaSamYaple, <egonzalez>: thx, i'm now rebuilding the images. I did not fully understand this until now17:39
*** yangyapeng has joined #openstack-kolla17:40
* sean-k-mooney remind me never to rebuild all images without using caches again...17:40
sean-k-mooneytosika: you should just need to rebuild the nova images to fix this issue17:41
*** sbezverk has joined #openstack-kolla17:42
*** yangyapeng has quit IRC17:45
*** slagle has joined #openstack-kolla17:45
*** eaguilar is now known as eaguilar|afk17:46
*** aagate has quit IRC17:48
*** eaguilar|afk is now known as eaguilar17:48
*** aagate has joined #openstack-kolla17:49
*** eaguilar is now known as eaguilar|afk17:49
*** ducttape_ has joined #openstack-kolla17:49
*** eaguilar|afk is now known as eaguilar17:51
*** unicell has joined #openstack-kolla17:53
*** livelace2 has quit IRC17:55
*** tonanhngo has joined #openstack-kolla17:55
*** jrist has quit IRC17:57
*** tonanhngo_ has joined #openstack-kolla17:58
*** tonanhngo has quit IRC17:59
*** tonanhngo_ has quit IRC18:02
*** tonanhngo has joined #openstack-kolla18:02
*** itlinux has quit IRC18:04
s-deancan someone just confirm, i got told that kolla does tls out of the box, does this cover every aspect of openstack, mariadb, rabbitmq, and all api's ?18:08
*** gfidente is now known as gfidente|afk18:08
*** ducttape_ has quit IRC18:09
*** ducttape_ has joined #openstack-kolla18:09
*** tosika has quit IRC18:17
*** spiette has joined #openstack-kolla18:17
SamYaples-dean: no18:18
SamYaples-dean: it covers only https at the load balancer and not all services are configured properly to talk https so youll need some overrides18:18
SamYaplefor example in glance-api youll have to add "registry_host_protocol = https"18:19
*** ddyer has joined #openstack-kolla18:19
SamYapleas far as I know Kolla has no mechanisms to all TLS rabbitmq or mariadb at all, nor frontend loadbalancer to backend service with https18:20
SamYaples/all/allow/18:20
s-deanahahahhaa, lovely18:20
*** ducttape_ has quit IRC18:20
vhosakots-dean: no TLS for the api network.  TLS secures public/external VIP by using https for the keystone public URL - https://github.com/openstack/kolla-ansible/blob/master/doc/advanced-configuration.rst#tls-configuration  and  https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L27718:21
s-deani've been requested to TLS every openstack service, endpoint etc18:21
SamYaples-dean: openstack-ansible has code for doing that in place. but Kolla and OpenStack-Ansible are very very different ways to deploy18:22
s-deanright ok18:22
s-deansomebody told me kolla could do it18:22
s-deanwas someone from the nova channel18:22
SamYaplemostly in place I guess i should say. im not sure they have the mariadb tls bits18:22
*** ducttape_ has joined #openstack-kolla18:22
s-deani've hand rolled this out, already with everything TLS'ed. just had  a problem with nova-list timing out18:23
s-deanand now im back to square one18:23
s-deanshit18:24
vhosakots-dean: yeah, doing per-service TLS is possible... I know neutron supports TLS thru LB/haproxy config tweaks.18:25
SamYaples-dean: if it makes you feel better, ive done a full tls deploy in kolla, highly customized. but it was over a year ago when i was active in the project18:27
SamYaples-dean: ive also hand rolled TLS18:27
s-deanThis is a nightmare, this one guy at my work will not leave it, he wants TLS everywhere. and thanks it does at least i know someone else has went through the pain of having to deploy this stuff with very little documentation.18:29
s-deanI might just try building my own docker containers, i duno, guess ill go read the openstack-ansible docs.18:30
*** lpetrut_ has joined #openstack-kolla18:30
SamYaples-dean: so here is how i would address this. memcached has no support for https/tls/encryption/etc18:31
SamYaplememcached is basically a hard requirement for anything production with openstack18:31
SamYapleit needs to be on an isolated, non-routeable network for security (its the only security mechanism you can use for it)18:31
s-deani was going to just firewall that off18:31
SamYaplegreat!18:31
s-deanusing iptables18:31
SamYaplenot so great18:31
s-deanlol18:31
SamYaplemy point is you have a hard requirement on an un-tls-able service18:32
SamYaplenow just roll rabbitmq and mariadb and all the backends into that18:32
SamYaplehowever you secure memcached, do it for the others18:32
SamYapleTLS up the front (the only thing the clients talk to) and require network security on the back18:32
SamYapleand if you use ceph, even better. cephs osd data replication network is entirely unencrypted too18:33
SamYaplenot to mention the weird bugs with rabbitmq TLS and openstack services18:33
SamYapleor mariadbs replication issues with rls18:33
SamYapletls*18:33
s-deanhave to upgrade it to OTP 1918:33
s-deanI got rabbitmq,maria,keystone,glance and nova TLS'ed it was this new ocata release that ive been having problems with, nova just wouldnt play nice at all18:34
SamYaplemy go to for these situations is "if someone has access to our internal network and can MitM our traffic internally... we have bigger issues"18:35
SamYapleTLS the front end and youre 99% the way to security18:35
*** lpetrut_ has quit IRC18:35
s-deanmate, all my networks are sitting behind a firewall, VM, MGMT, are blocked in my firewall from being accessed by anyone on my network other than me, the provider network is wide open as it should be18:36
s-deanbut this guy thinks that its not enough18:36
sean-k-mooneySamYaple: if you really cant trust your core network the only option you have left really is to interconnect each of the nodes via a vpn and route all your non encrypted traffic via that18:36
s-deanand wants all the communications internally, to be TLS'ed18:36
SamYaple"show me an attack vector"18:36
s-deanis that what you think i should say to him ?18:37
SamYapleif they can get your unencrypted traffic, they already own all your data as the passwords for all these services are in plain text in config files18:37
SamYaples-dean: absolutely18:37
SamYaples-dean: works for me18:37
SamYaplekeep harping on the hard requirement for unencryptable service18:38
s-deanhes wasted around 4 weeks of my time.18:38
SamYaplepropose asinine solutions like sean-k-mooney just suggested18:38
SamYapleget him to do some work18:38
s-deanhes different department, dev18:38
s-deanim ops18:38
sean-k-mooneySamYaple: hehe i have actually got some real asks for encrypted tenant networks from customers but so far no one has said they need the same for the openstack internal traffic18:39
*** jascott1 has joined #openstack-kolla18:39
inc0it's nice "hurr durr I'm so security"18:40
sean-k-mooneySamYaple: the vpn solution was actually also considered for tunneling remote compute nodes back into centralised controllers18:40
inc0sean-k-mooney: building ipsec between sites is good idea18:41
s-deanthe only option i can think of for a fast and secure VPN that has decent throughput would be wireguard18:41
*** yangyapeng has joined #openstack-kolla18:41
inc0s-dean: or have hardware appliance for that18:41
inc0I'm sure vhosakot would have options for you:P18:41
inc0truth be told, keystone needs memcache18:42
inc0memcache holds tokens, so if you sniff on traffic to it, you get full access to infra18:42
s-deanthe stupid thing is, I rebuilt my company network because there was security concerns, installed 2 Pfsense Firewalls, one INT one EXT and vlan'ed and segmented the entire network. and he still wants TLS everywhere18:43
inc0memcache doesn't support tls18:43
SamYaples-dean: i wasnt insulting you, i was saying that solution is silly for the issue at hand18:43
vhosakotyeah, per-segment combined with per-service full security is a grey area IMO :)18:43
s-deanim in agreement with you18:43
vhosakots-dean: are you building a public cloud?18:43
inc0so if you MinM for memcache traffic, you're screwed18:43
s-deanprivate18:43
inc0only way to remove MinM potential is total lockout of mgmt network18:44
inc0which means you don't need tls for other stuff in it18:44
inc0that's it18:44
s-deanwhich i have done, using pfsense.18:44
s-deanbut this guy still thinks TLS everywhere18:45
inc0the only "hacker" full TLS would protect you from is hacker that doesn't know openstack and doesn't know it needs memcache18:45
SamYapleinc0: to be fair, these days there is very little that is vulnerable in memcache since now most of the objects get encrypted before storing18:45
SamYaplebut yea, like i said if an attack can MitM in your core network, youve got bigger issues18:46
SamYaplewhy dump the traffic when you have the passwords18:46
*** yangyapeng has quit IRC18:46
vhosakotsean-k-mooney: wow, api-traffic in VPN tunnel... I like the idea.. it is secure for sure :)18:47
inc0vhosakot: but to protect here you'd need mesh of tunnels18:47
sean-k-mooneyvhosakot: haha secure but not necessarily scalable or fast18:47
s-deanit would increase your overhead far too much18:47
sean-k-mooneyinc0: or have the vpn tunnel relay the trafic18:48
inc0we're assuming that anything that leaves network adapter can be sniffed18:48
sean-k-mooney*server18:48
inc0well, then you can MinM between node and vpn server18:48
vhosakotinc0: right, we need like an admin tunnel, service/API tunnel, storage tunnel, sounds tough ;)18:48
inc0vhosakot: what I'm saying is you need separate tunnel to every node in cluster18:48
inc0on every node18:49
sean-k-mooneyinc0: openvpn supports client to client networking where the server routes the traffic between the clients and its only decrypted on the openvpn server itself while routing18:49
s-deanright, think im done with chasing the TLS dragon, might give this a go tomorrow. https://www.wireguard.com/performance/18:49
inc0so you need n! tunnels18:49
s-deanopenvpn does not have the greatest of throughput18:49
vhosakotone-node-to-every-other-node mesh... fun ;)18:50
*** mgoddard has quit IRC18:50
sean-k-mooneyinc0:  you can do it with n tunnels with openvpn but its n*n for ipsec. anyway vpn should really only be used for inter site traffic not within the same datacenter18:50
inc0right18:51
inc0we're in crazy town here;)18:51
s-deanI swear working in the software industry makes you lose your mind.18:51
sean-k-mooneyinc0: so looking at https://blog.couchbase.com/memcached-security/ it seems memcache supports tls now18:51
*** eaguilar is now known as eaguilar|afk18:52
SamYaplesean-k-mooney: how did you get that from the article?18:52
sean-k-mooneyinc0: actually no it supports sasl never mind18:52
s-deansean-k-mooney: I was about to say18:53
sean-k-mooneySamYaple: i misread the wiki article on sasl18:53
SamYapleyea i think there was some work in openstack to support memcached sasl18:53
inc0can ks use redis as cache?18:53
inc0nvm18:54
inc0redis can't tls too;)18:54
inc0I guess everyone assumes that encryption cost on cache is missing purpose18:55
inc0cache is supposed to be fast18:55
sean-k-mooneyinc0: well if you have a local copy of memcache and just use tls between each memcache instance it should be fine18:56
sean-k-mooneyinc0: we have had aes-ni for years in xeon cpu and most of our competitors too18:56
inc0so each ks uses local memcache exclusively?18:56
SamYaplethats not how memcached is used by keystone!18:57
inc0I know18:57
SamYaple:P18:57
inc0but we can make it18:57
s-deando other openstack services not access memcache ?18:57
SamYapleno it wont serve a purpose inc018:57
inc0I know18:57
SamYaples-dean: all of them do, mostly via keystone_authtoken18:57
inc0but it will solve the TLS issue:P18:57
sean-k-mooneyim suggesting that each service would connect to a local memcached and that they are clustered using tls but local access would not need tls18:57
s-deanthat sounds like a great idea18:58
SamYaples-dean: technically they dont have to, nothing REQUIRES memcached, but y ou need it if you like it to perform at all18:58
s-deanright18:58
inc0SamYaple: I think what's happening is services access ks and ks uses memcache18:58
inc0so if you have local memcache for every ks node18:58
sean-k-mooneySamYaple: you know the other option is to not store stuff in plain text in memcache in the first place18:58
inc0and it will access it over 127.0.0.118:59
inc0each ks will have it's own local cache so it should actually work18:59
SamYapleinc0: no the middleware talks directly to keystone18:59
SamYaplesean-k-mooney: blame nova-consoleauth. i think thats the only one that still does it18:59
*** vhosakot has quit IRC18:59
SamYapleinc0: let me say that again. keystone middleware (keystone_authtoken) talks directly to memcached before keystone19:00
SamYaplethats why we have to pass around the shared secret19:00
inc0well then...memcache per node?19:00
sean-k-mooneySamYaple: you should be able to handle that in oslo.cache without needing nova changes though if it uses oslo cache right.19:00
SamYapleinc0: no, everyone needs the same list of memcached servers otherwise the cache doesnt work19:00
*** vhosakot has joined #openstack-kolla19:00
inc0:(19:00
SamYaplesean-k-mooney: im not disagreeing :)19:00
sean-k-mooneySamYaple: hehe ill add it to the ever growing list of things i  wish was magically fixed with openstack lol19:01
s-deanis keystone the most important service to protect with TLS in openstack >19:03
s-dean?19:04
SamYaples-dean: i would say all client endpoints are the most important19:04
SamYapleanything on the backend is much less important given the amount of plain text passwords we have in each openstack file19:04
s-deanwhen you use the terminology client, you are referring to users?19:05
*** vhosakot has quit IRC19:05
SamYaples-dean: more or less, yea. anyone interacting with openstack. TLS all those points of interaction19:05
SamYaplereally that just means HTTPS on the load balancer19:05
s-deanright.19:06
*** eaguilar|afk has quit IRC19:08
*** jamesbenson has joined #openstack-kolla19:09
*** vhosakot has joined #openstack-kolla19:10
sean-k-mooneynot to re architect all the thing but looking at oslo.cache the only backend that seems to support ssl is mongo db so maybe you could use mongo db with the in-memory storage engine if you really needed to encrypt the cache connection19:12
sean-k-mooneystill likely easier to encrypt stuff before putting it in the cache with a shared secret19:13
SamYaplesean-k-mooney: i really dont know why there isn't a oslo.cache encrypt_shared_key=XXX option19:14
sean-k-mooneySamYaple: probably cause no one asked for it yet19:15
SamYaplesean-k-mooney: ive asked for it!19:15
*** manheim has joined #openstack-kolla19:16
SamYaplebut to be fair, i also havent implemented it19:16
*** stefan_bo has joined #openstack-kolla19:16
SamYapleso i cant blame them19:16
*** jtriley has quit IRC19:16
sean-k-mooneyis memcache the only thing that cant be secured with ssl today that openstack uses by default19:17
s-deanFrom what i have read, yes. every other component can be secure in one way or another19:17
sean-k-mooneyim excluding ceph currently as you could use a different storage solution that would support that if you cant secure the osd traffic.19:18
SamYaplesean-k-mooney: i believe so19:18
sean-k-mooneyhum maybe we should see if that is something we can address in Queens.19:19
*** stefan_bo has quit IRC19:20
*** manheim has quit IRC19:20
SamYaplesean-k-mooney: honestly, a simple shared secret encrypt string is all it would take19:20
*** robellison has joined #openstack-kolla19:20
SamYapleive just been so busy i havent had a chance to dig into any of the oslo projects19:20
sean-k-mooneyya and its not like we dont already copy the db password to all the controllers which are the only nodes that run memcached so shared secret in config is the same as the db passwords we already have19:22
*** eaguilar has joined #openstack-kolla19:22
*** matrohon has joined #openstack-kolla19:22
SamYaplewell not *quite*. a misconfiguration of networking might allow people to inject into memcached even if memcached can't return to them with some spoofing19:23
SamYaplebut for the most part, yea i get your point19:23
*** itlinux has joined #openstack-kolla19:25
*** ducttap__ has joined #openstack-kolla19:26
sean-k-mooneySamYaple: well if everything was encrypted and they did not have the secret, it would be decrypted as garbage so you would also need to store a checksum to detect if the value was correct before returning it19:26
SamYaplesean-k-mooney: i would assume that protection is already there since bit flips and what not19:27
SamYapleeither it is valid or not19:27
s-deanis it easier to TLS openstack after you have installed it19:28
s-deangot it working etc19:28
*** gfidente|afk is now known as gfidente19:28
sean-k-mooneySamYaple: well im assuming that you were just encrypting the value not the key so you would want a hash to ensure it is the same thing you put in19:28
*** ducttape_ has quit IRC19:29
*** jamesbenson has quit IRC19:29
sean-k-mooneys-dean: am it depends on if you are just doing external tls or not. if it just external tls it should just be changes to haproxy. if its internal also im not sure19:29
SamYapledont forget updating the endpoints....19:30
sean-k-mooneywell with kolla in general once you get your images built and you get a inventory file and globals that work its pretty easy to tear everything down and redeploy19:31
*** ducttape_ has joined #openstack-kolla19:31
sean-k-mooneyso maybe get to that point and then enable tls. but i have not enabled tls so really not sure what would be easier19:32
SamYaplesean-k-mooney: it was on my todo list, just never got around to it19:32
SamYapleyou understand19:32
sean-k-mooneySamYaple: ? the oslo cache stuff? if so yes19:33
SamYapleno the tls everything19:34
SamYaplewell and the oslo cache stuff19:34
sean-k-mooneyif tls also yes i have never had time to test out the internal and external tls code in kolla19:34
s-deanI successfully, encrypted mariadb, rabbit, keystone, and glance. but nova just didn't want to work, how important is nova's services can i leave that service unencrypted ?19:34
s-deanstill got the configs19:34
*** ducttap__ has quit IRC19:34
sean-k-mooneys-dean: nova is normally the most used service as it is used to provision all compute resources.19:35
SamYaples-dean: to be completely honest, i would not encrypt nova or glance since in Ocata you are still running with eventlet19:35
SamYapleeventlet has pretty awful https support19:35
SamYaplein Pike you should be able to deploy them both as WSGI apps behind apache2/nginx/uwsgi with https support proper19:35
s-deani did notice a massive slow down, so you recommend just keystone19:35
sean-k-mooneywell placement can be run under wsgi right?19:35
s-deanyup19:35
SamYaplesean-k-mooney: *must* be run19:35
SamYaples-dean: yea placement is ok19:36
s-deanplacement i thought was under apache19:36
SamYaples-dean: placement and keystone, that would be it19:36
SamYaples-dean: its still a WSGI app19:36
SamYapleit can be run apache2/nginx/uwsgi19:36
SamYaplekeystone is WSGI as well19:36
SamYaplei personally run keystone with uwsgi19:36
sean-k-mooneythe nova api can also be run under apache with uwsgi in pike too right19:37
SamYaplesean-k-mooney: yea all services can19:37
SamYaplewell most services can. there was a community goal for it19:37
sean-k-mooneyright19:37
sean-k-mooneys-dean: so are you currently standing up an ocata cluster19:38
s-deani hand rolled it out first, then got told that openstack-ansible, and kolla did TLS out the box19:38
s-deanbut yes19:39
SamYaplesome tls, not all of it19:39
sean-k-mooneySamYaple: one thing that would be really nice to add to kolla would be letsencrypt support for haproxy terminated external tls19:39
s-deani got to the dashboard19:39
s-deanthink i left neutron in the end, cause i was so frustrated. deploying kolla was a lot easier, less headache19:40
*** yangyapeng has joined #openstack-kolla19:42
SamYaplesean-k-mooney: all my openstack at home is automated lets-encrypted :)19:42
SamYapleopenstack.yaple.net19:42
s-deanwould you say kolla is a superior way to deploy openstack ?19:42
sean-k-mooneySamYaple: hehe i get a 503 is that my office network or something exploded on your side19:43
sean-k-mooneys-dean: people on this irc may be a little biased19:44
sean-k-mooneys-dean: in comparison to devstack yes19:44
SamYaplesean-k-mooney: im in the middle of an upgrade right now. keystone.yaple.net is the only thing up19:44
SamYapleoh thats another thing. i only have 1 port exposed on my firewall.... 443!19:44
SamYapleall my stuff is sni'd19:44
SamYapleall the services... sni!19:45
SamYaplesingle ip address19:45
s-deanhow long you guys been working on openstack ?19:45
SamYaples-dean: ive been around since right after folsom was released19:45
sean-k-mooneySamYaple: are you using kolla-ansible/k8s at home or something custom19:45
SamYaplesean-k-mooney: i hand roll these days19:46
s-deanright wow, that must be pretty far back because ive never heard of that release19:46
sean-k-mooneys-dean: about 4 years started with havana19:46
*** jtriley has joined #openstack-kolla19:46
SamYaplei would use kolla-ansible but it needs some changes to work with the LOCI images and those aren't popular19:46
s-deanand it was the first release x)19:46
SamYaples-dean: its all been alphabetically named19:47
*** yangyapeng has quit IRC19:47
sean-k-mooneySamYaple: i assume you're using something based on your kolla-salt stuff?19:47
SamYapleaustin bexar bexar cactus diablo essex folsom19:47
s-deannice, do you get paid for your contribution or is it volunteer work at openstack ?19:47
SamYaplesean-k-mooney: im actually doing saltstack openstack deploy work for another company now, unrelated to that code. im hoping to make the new stuff public yea19:48
sean-k-mooneygrizzly havana icehouse juno kilo liberty mitaka newton ocata and now pike19:48
SamYaples-dean: surprisingly i have never contributed to openstack code that was used by the company i was employed at19:48
s-deansupport for openstack and salt is very low19:48
s-deani looked at it19:48
SamYapleso you could say its volunteer work19:48
s-deannice19:48
SamYapleall my kolla work was 100% my time19:49
sean-k-mooneys-dean: i work at intel but we don't sell or support openstack directly19:49
*** robellison has quit IRC19:50
s-deanwow, im dwarfed by the big leagues, haha. my business is a startup.19:50
SamYaplethat explains the "tls everything". lack of experience and prioritization19:51
SamYaplesorry s-dean, im calling it. youre going under19:51
*** robellison has joined #openstack-kolla19:51
*** robellison has quit IRC19:51
s-deanhaha19:52
s-deanthere is definitely a lack of experience and prioritization.19:53
sean-k-mooneys-dean: one annoying thing about working at intel is no direct access to the internet for anything. the good thing is that if anyone can access my openstack cloud its ITs fault for not locking down the development labs firewall enough19:54
*** eaguilar is now known as eaguilar|afk19:54
*** eaguilar|afk is now known as eaguilar19:54
inc0you are in startup and you already have different org branches for ops and dev?19:54
*** eaguilar is now known as eaguilar|afk19:54
SamYapleinc0: AS IT SHOULD BE19:55
s-deanahhhh classic, yeah.19:55
s-dean3 man  OPS team.19:55
inc0fuck no, I think being dev in ops team was best learning for both19:55
inc0you don't get this "tls everywhere" bs19:55
SamYapleinc0: its not bs! its the right way to do it19:56
s-deanoh how i wish i could merge the two, but i cant code for shit.19:56
SamYapleit really is19:56
inc0I believe in devops19:56
inc0really, I think if devs would have oncall duty more our software would be better19:56
*** matrohon has quit IRC19:57
s-deanyeah, once things settle down, im gona try learn some go19:57
SamYapleinc0: i dont trust most devs near production19:57
s-deanxD #19:57
s-deanthat makes me laugh19:57
*** eaguilar|afk is now known as eaguilar19:57
inc0right, I'm dev and I don't trust myself19:57
SamYaplean organization where operations controls what devs work on, that is an organization that works well19:58
*** eaguilar is now known as eaguilar|afk19:58
s-deanSamYaple: can i just enable debugging on production19:58
inc0but also I've seen ops trying to make their life easier by writing tools19:58
SamYaples-dean: you should probably leave the debug logs on 24/7, yea19:58
inc0in a most horrid way possible19:58
SamYaples-dean: its the best way to troubleshoot19:58
SamYapleinc0: hence operations telling dev what to do19:59
SamYaple"need this thing, go code monkey it, here is a shitty bash script"19:59
sean-k-mooneyspeaking of devops stuff is there an issue with gathering facts in ansible a second time?19:59
inc0sean-k-mooney: well, shouldn't be I guess20:00
inc0if stuff changed during playbook run, you're in for a ride anyway20:00
vhosakotI'm dev and do on-call many times.  I think if I'm DevOps, OpsDev, DevDev or OpsOps ;)20:00
sean-k-mooneyim testing the ovs-dpdk as part of deploy but one of the ip addresses needed for neutron is not available until after the ovs-dpdk role runs20:01
*** eaguilar|afk is now known as eaguilar20:01
s-deanwish things were run differently, but im bottom of the rung and also the youngest in my team. got to have "experience"  to make any decisions in business20:01
inc0lol20:01
inc0yeah, aren't we all like that20:01
sean-k-mooneyhehe i got pulled into debuging kolla-ansible in a wind farm last month because the guy working on it was on vacation20:02
sean-k-mooneythat was fun20:02
SamYaplesean-k-mooney: just do like me and job hop until you come _in_ as most senior experience20:03
inc0lol kolla-ansible runs a windfarm? we should have a "business run by kolla bingo"20:03
inc0"radiotelescope - bingo!"20:03
sean-k-mooneyinc0: yep we have been working to get kolla ansible chosen as the deployment tool of choice for the eu funded virtuwind project20:04
sean-k-mooneythey have a test deployment scheduled in denmark later this month i think20:04
*** jamesbenson has joined #openstack-kolla20:05
inc0put a server in a wind turbine20:05
vhosakots-dean: after you are experienced, there will be different problems ;)20:05
inc0you get both power and cooling at the same time20:05
*** jemcevoy has joined #openstack-kolla20:06
s-deanim aware20:06
sean-k-mooneyinc0: basically, the project is deploying the turbine monitoring and control systems on openstack. we got them to adopt both openstack and kolla to deploy it20:06
inc0cool stuff20:07
vhosakotsean-k-mooney: cool, do you have a link or pic I can tweet? :)20:07
s-deanthat is pretty cool20:07
s-deanso plenty of openstack jobs then :P20:07
vhosakotsomebody was saying my twitter account looks like an advertising board for kolla :)20:07
inc0http://ska-sdp.org <- this is Kolla too20:07
sean-k-mooneyhaha am im not sure this is the site http://www.virtuwind.eu/20:07
jemcevoyHow can I apply a patch to the horizon spice console to add the ctrl-alt-del button?  https://bugs.launchpad.net/openstack-ansible/icehouse/+bug/1423669 and https://access.redhat.com/solutions/128816320:08
openstackLaunchpad bug 1423669 in spice-html5 (Ubuntu) "CTRL+ALT+DEL Button missing" [Undecided,New]20:08
sean-k-mooneyinc0:  thats the giant telescope yes?20:08
inc0yp20:08
s-deansweet20:08
sean-k-mooneyjemcevoy: with icehouse i dont think we can even build icehouse images20:09
*** jamesbenson has quit IRC20:09
sean-k-mooneyjemcevoy: but in general you can build from source from a patched local github repo or use a template override to apply the patch as part of kolla build20:09
jemcevoyIt is just adding the button to call ctrl-alt-del so Window can login... This is the redhat solution... <button type="button" onclick="sendCtrlAltDel()">20:10
jemcevoy    Send Ctrl-Alt-Delete20:10
jemcevoy</button> sean-k-mooney20:10
SamYaplejemcevoy: the proper solution is to use novnc!20:11
SamYapleburn spice to the ground20:11
sean-k-mooneySamYaple: actually i had to swap to spice to work around a weird latency issue i had with no vnc20:11
sean-k-mooneyis novnc still unmaintained20:12
SamYaplesean-k-mooney: its 1: not unmaintained, and 2: spice literally calls itself alpha and beta20:12
jemcevoyI just tried to connect to the container to see where that file is and got the error:  docker exec -it nova_html5proxy bash " nova - no matching entries in passwd file20:12
SamYaplethe latest novnc commit was 4 days ago20:12
sean-k-mooneySamYaple: which one was not maintained was it xvnc20:13
SamYaplesean-k-mooney: spice html5 was over a year ago20:13
SamYaplesean-k-mooney: yea that sounds right20:13
SamYaplehttps://github.com/novnc/noVNC20:13
SamYaplehttps://github.com/SPICE/spice-html520:13
sean-k-mooneywhichever one devstack used to use 2 or 3 cycles ago i remember they swapped their default but i cant remember what they swapped to/from20:13
SamYaplei know which one i would choose...20:13
inc0oh joy http://www.iflscience.com/environment/unbelievably-massive-volcanic-engine-found-hiding-under-washington/20:14
inc0gotta love living near active volcanoes20:14
sean-k-mooneyinc0: i do hear hawaii is quite nice :)20:15
jemcevoyinc0: a yellowstone super volcano in our neighborhood... yikes20:16
vhosakotjemcevoy: why do you need console access in the first place?  DHCP/dnsmasq issues? :)20:16
sean-k-mooneyjemcevoy: if yellowstone erupts i dont think there is anywhere that would not notice the effects20:16
sean-k-mooneymaybe mars20:16
s-deanall: have a good night, evening or morning wherever you are. im off home, its getting late. maybe catch you guys in here tomorrow.20:17
*** lucasxu has quit IRC20:17
*** robellison has joined #openstack-kolla20:17
jemcevoyvhosakot: Just to build a Windows image or update the gold image... This customer has like 130GB image once all the apps are installed and it is painful to export from ceph and then import into glance20:19
sean-k-mooneyinc0: so ya running deploy twice works with the dpdk playbook. i need to add gather facts after again to pick up the tunnel ip since we move it from the interface to the ovs bridge20:19
inc0sean-k-mooney: add setup task then20:19
sean-k-mooneyinc0: yep just resetting my environment and ill test that.20:20
jemcevoySamYaple: how hard is it to switch to vnc?20:20
sean-k-mooneyjemcevoy: its basically just a reconfigure and set the default back to vnc in the global.yml20:21
sean-k-mooneyjemcevoy: you have to manually clean up the spice container yourself however20:21
vhosakotsean-k-mooney: you can add a new task with "gather_facts: yes"20:22
sean-k-mooneyjemcevoy: assuming you have the containers already built20:22
jemcevoyand some nova.conf change too I bet20:22
vhosakotjemcevoy: ah ok, you're building custom images.20:22
jemcevoyI'll ask the when I can run the reconfigure20:23
sean-k-mooneyvhosakot: i was thinking of adding a task to wait for the tunnel ip to show up then have that notify a handler to gather facts again.20:23
jemcevoyI just built a local repo from centos rpms20:23
jemcevoynot source20:23
inc0sean-k-mooney: sounds good20:24
vhosakotsean-k-mooney: yeah, triggering a handler to gather facts the second time after waiting is a good idea.20:28
sean-k-mooneyvhosakot: is gather_facts enough or should i call setup?20:29
SamYaplejemcevoy: with kolla? its just an option20:29
SamYaplejemcevoy: it requires you to hard reboot your instance though to refresh the libvirt.xml20:30
jemcevoysean-k-mooney:  Will a reconfigure deploy the vnc container to the 3 controllers or will I need to do a kolla deploy?20:30
jemcevoySamYaple:  Can't I just restart the libvirt container?20:31
vhosakotsean-k-mooney: yes, you can use the setup module to filter the gathered facts the second time - https://stackoverflow.com/a/3448763920:31
SamYaplejemcevoy: nope. thats unrelated20:31
sean-k-mooneyjemcevoy: am good question i think it did a deploy then a reconfigure when i went from vnc to spice20:31
SamYaplejemcevoy: nova generates the libvirt.xmls per instance. to get it to generate one with vnc instead of spice requires a hard reboot20:32
SamYapleto regen the xml file20:32
jemcevoySamYaple: So I will need to reboot each of the three controllers one at a time to keep galera alive... right....20:33
SamYapleno no no20:33
SamYapleyou misunderstand20:33
SamYaplenova reboot --hard <instance>20:33
SamYaplethe instance needs to be hard rebooted, you shouldnt need to restart the controllers20:34
jemcevoyOhhh you mean the VMs...20:34
SamYapleyea20:34
SamYaplebut specifically, you need to hard reboot them through nova20:34
jemcevoyThanks... It is the libvirt XML for the instance that needs to be regenerated...20:36
jemcevoygotcha20:36
SamYapleyep20:36
*** ducttape_ has quit IRC20:39
*** manheim has joined #openstack-kolla20:40
*** ducttape_ has joined #openstack-kolla20:42
*** manheim has quit IRC20:44
*** ducttape_ has quit IRC20:46
*** awiddersheim has joined #openstack-kolla20:47
*** eaguilar has quit IRC20:48
*** krtaylor has quit IRC20:51
*** awiddersheim has quit IRC20:51
*** sbezverk has quit IRC20:53
*** manheim has joined #openstack-kolla20:55
*** manheim has quit IRC20:58
*** manheim has joined #openstack-kolla20:58
*** manheim has quit IRC20:59
*** manheim has joined #openstack-kolla20:59
*** manheim has quit IRC21:01
*** schwicht has quit IRC21:01
*** ducttape_ has joined #openstack-kolla21:05
*** robellison has quit IRC21:07
*** robellison has joined #openstack-kolla21:08
*** robellison has quit IRC21:08
Reepicheepso my keystone token table is filling up in ocata, https://bugs.launchpad.net/kolla/+bug/163281121:10
openstackLaunchpad bug 1632811 in kolla "Keystone token table filling up" [High,In progress] - Assigned to Mathias Ewald (mewald)21:10
Reepicheepdo you know if we can change the token provider to Fernet on a running system21:12
SamYapleReepicheep: changing to fernet from uuid (or whatever you are using) is absolutely possible21:13
SamYapleit will be an outage of the keystone service though21:13
SamYaplebasically youll want to generate and stage the fernet keys first, make the config update and restart all the keystone services21:14
SamYapleat that point you *may* need to restart some other services if they fail to retrieve new tokens properly21:14
SamYaplebut you shouldnt need to, if you do thats a bug21:14
*** jtriley has quit IRC21:15
inc0SamYaple: btw did you publish this overlay over LOCI to be deployable by kolla-ansible?21:15
SamYaplenope i have not21:18
inc0:(21:18
SamYaplewell i was only talking about pushing the dockerfile for the *images*21:18
SamYapleto really use them kolla-ansible needs to change21:19
inc0right, and keeping compatibility between both LOCI and Kolla images won't be trivial21:19
SamYaplewhat are you talking about? there is no issue doing that...21:20
inc0well we'd need to host config code in both repos21:20
SamYapleyou just need to move the config files out of the baked in image21:20
SamYaplewhat "both repos"?21:20
inc0there are no config files baked into image...there are scripts21:20
inc0config files are mounted...21:20
ReepicheepThanks SamYaple, I'm reading about that now21:20
SamYapleinc0: you dont drop in paste.ini or policy.json. those are baked in21:20
SamYapleor rootwrap for that matter21:21
SamYaplethose are all configs21:21
SamYapleif its in /etc its a config21:21
*** schwicht has joined #openstack-kolla21:21
inc0hmm I remember seeing changes for that21:22
*** sbezverk has joined #openstack-kolla21:22
SamYapleok. so here is where im at. basically you can build the kolla base image. use that base for LOCI images. then run those LOCI images with kolla-ansible *IF* kolla ansible owns every config file in /etc/ itself21:23
SamYaple(and it pushed in extend_start.sh which is not a config file)21:23
SamYapleotherwise i have to generate a bunch of images with the config files baked in, then toss in an extend_start.sh every once in a while21:24
SamYaplebut honestly, kolla-ansible is very close to being image agnostic, bring your own image21:24
inc0I know, there are only few things that are assumed in image21:24
inc0extended_start being one21:25
SamYaplewell no, extend_start is specifically not required. but things like set_configs, yes thats required21:25
SamYaplehowever, thats where the LOCI builds from kolla base thing comes in21:25
inc0https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/nova/tasks/config.yml#L115 we have stuff like that21:25
inc0not exactly what you mean but close21:25
inc0extended start is required for bootstrap and stuff21:26
inc0while you could rewrite kolla-ansible to run this code, we don't do it21:26
SamYapleinc0: but if its mounted in at runtime (where i think it belongs anyway) then there is no problem21:26
inc0well mounting code on runtime is different discussion. What I'm saying is that it's not that easy today21:27
inc0and I don't think extended_start will ever be moved to kolla-ansible21:27
inc0that would be enormous breach of ABI21:27
SamYaplewhich ive never heard anyone outside of this channel talk about in any fashion, just saying21:28
inc0well, our images are being used outside of kolla-ansible21:28
SamYapleare they using all the set_config stuff?21:28
inc0no idea, maybe21:28
inc0can you guarantee they're not?21:29
SamYaplei dont have to? i dont care21:29
SamYaplebut hey. i have no expectations for kolla to be anything other than kolla in kollas own little ecosystem21:29
SamYapleim ok with that21:29
inc0I know you are, what I'm saying is that we can't break this21:29
SamYapleyou absolutely can21:29
SamYapleyou just have to deprecate it21:29
inc0well, maybe someday, not in Queens at least21:30
SamYapleagain, you aren't telling me something i didnt know. ive given up on changing anyones mind in Kolla21:30
SamYaplei was just doing fun things with the LOCI images21:30
SamYapleyou also have to remember, i have no intention of building rabbitmq or mariadb images21:31
SamYapleif kolla ever wants to consume anything upstream they must inject code into the container anyway21:31
*** manheim has joined #openstack-kolla21:33
inc0yeah I was playing with this and it's not horrible21:33
*** tonanhngo has quit IRC21:33
SamYaplewell my offer always stands. you want to move forward to image agnostic and upstream images AND have community buy-in, ill do the work21:34
SamYaplethe more choice the better in my opinion21:34
inc0and I agree with you, what I'm saying is I don't want to cause chaos and break our users in the process21:35
SamYapleim 99% sure thats what deprecation cycles are for21:35
SamYapleleaving extend start in the images forever doesnt break anything.21:35
inc0problem with that is if we commit to that, we're committed21:35
SamYapletautologies are tautologies21:36
inc0lol21:36
inc0you know what I mean21:36
SamYapleyea i do21:36
SamYaplemy point is im not going to fight that fight, but im happy to do the work21:36
inc0it's a lot of work, often non trivial and arch-changing21:36
inc0while keeping people happy21:37
SamYaplein this case, not so much21:37
SamYapleits just some extra template files and thats it21:37
inc0well, I'm talking about extended start, set_configs and stuff like that21:37
SamYapleyoure arguing the unknown people who use the kolla images without ansible or k8s might break21:37
SamYapleim saying dont remove set_configs or extended_start21:37
SamYaplejust mount over them21:37
inc0well not all of them are unknown21:37
inc0anyway, it won't happen in Queens for sure21:38
*** tonanhngo has joined #openstack-kolla21:38
SamYapleim doubtful it will ever happen, but my offer to do work will remain21:38
inc0kk, thanks21:38
*** tonanhngo has quit IRC21:43
*** yangyapeng has joined #openstack-kolla21:43
*** jascott1 has quit IRC21:45
*** jascott1 has joined #openstack-kolla21:45
*** jascott1 has quit IRC21:46
*** jascott1 has joined #openstack-kolla21:46
*** yangyapeng has quit IRC21:48
*** jascott1 has quit IRC21:49
*** jascott1 has joined #openstack-kolla21:50
*** tonanhngo has joined #openstack-kolla21:53
*** jascott1 has quit IRC21:54
*** schwicht has quit IRC21:57
*** tonanhngo has quit IRC21:57
*** tonanhngo has joined #openstack-kolla21:59
openstackgerritsean mooney proposed openstack/kolla-ansible master: introduce playbook to ovs with dpdk  https://review.openstack.org/40887222:00
*** awiddersheim has joined #openstack-kolla22:01
*** kolla-slack has quit IRC22:01
*** kolla-slack has joined #openstack-kolla22:01
sean-k-mooneyinc0: ^ that should now deploy ovs-dpdk all in one go as part of standard deploy. ill add the kernel module auto loading as a followup patch tomorrow22:01
*** ntpttr_laptop__ is now known as ntpttr_laptop22:01
*** tonanhngo has quit IRC22:03
*** tonanhngo has joined #openstack-kolla22:05
*** awiddersheim has quit IRC22:07
*** tonanhngo has quit IRC22:09
inc0cool sean-k-mooney22:11
*** tonanhngo has joined #openstack-kolla22:11
inc0sean-k-mooney: why not making dpdk part of regular deploy play?22:12
sean-k-mooneyinc0: i have i just also left the independent playbook too22:12
sean-k-mooneyi can delete that in next version if you like22:13
inc0let's remove independent one as it's duplication22:13
inc0yeah22:13
sean-k-mooneycool will do i just did not get around to deleting it.22:13
*** manheim has quit IRC22:15
*** tonanhngo has quit IRC22:16
*** tonanhngo has joined #openstack-kolla22:17
*** tonanhngo has quit IRC22:22
*** tonanhngo has joined #openstack-kolla22:24
*** tonanhngo has quit IRC22:27
*** tonanhngo has joined #openstack-kolla22:28
*** schwicht has joined #openstack-kolla22:30
*** jascott1 has joined #openstack-kolla22:41
*** yangyapeng has joined #openstack-kolla22:44
*** calbers has quit IRC22:45
*** calbers has joined #openstack-kolla22:48
*** yangyapeng has quit IRC22:48
*** vhosakot has quit IRC22:49
*** krtaylor has joined #openstack-kolla22:51
*** schwicht has quit IRC23:05
*** jascott1 has quit IRC23:06
*** rhallisey has quit IRC23:06
*** pbourke has quit IRC23:07
*** pbourke has joined #openstack-kolla23:09
*** ducttape_ has quit IRC23:19
*** rhallisey has joined #openstack-kolla23:20
*** ducttape_ has joined #openstack-kolla23:25
*** jamesbenson has joined #openstack-kolla23:28
*** hongbin has quit IRC23:31
*** jamesbenson has quit IRC23:32
*** gfidente is now known as gfidente|afk23:39
*** yangyapeng has joined #openstack-kolla23:45
*** mattmceuen has quit IRC23:45
*** yangyapeng has quit IRC23:50
*** slagle has quit IRC23:59
