Thursday, 2017-01-26

00:33 *** hongbin has quit IRC
00:40 *** portdirect is now known as portdirect_travl
00:41 *** limao has joined #openstack-kuryr
01:06 *** huikang has joined #openstack-kuryr
01:26 *** yedongcan has joined #openstack-kuryr
01:41 *** huikang has quit IRC
01:41 *** huikang has joined #openstack-kuryr
01:47 *** huikang has quit IRC
03:05 <openstackgerrit> dengshaolin proposed openstack/fuxi: Replace hardcode values with OptGroup in config setting  https://review.openstack.org/415378
04:10 *** hongbin has joined #openstack-kuryr
04:19 <janonymous> irenab: ping
04:56 *** hongbin has quit IRC
04:56 *** hongbin has joined #openstack-kuryr
05:09 *** hongbin_ has joined #openstack-kuryr
05:11 *** hongbin has quit IRC
05:21 *** hongbin_ has quit IRC
05:27 <irenab> janonymous, hi
05:28 <janonymous> irenab: i was trying the ssl doc : http://tech.paulcz.net/2016/01/secure-docker-with-tls/ Openssl section
05:28 <irenab> janonymous, did it work for you?
05:28 <janonymous> i have a few doubts:
05:28 <janonymous> In openssl genrsa -out ~/.docker/ca-key.pem 2048 ..-out did you give same paths?
05:29 <janonymous> Also in openssl req -x509 -new -nodes -key ~/.docker/ca-key.pem \
05:29 <janonymous>     -days 10000 -out ~/.docker/ca.pem -subj '/CN=docker-CA'  what did you mention in /CN
05:29 <janonymous> irenab: testing it now
05:29 <irenab> janonymous, I just copied the cert, ca and key files into the path you suggested, didn't change anything in the commands
05:30 <irenab> janonymous, then when I restarted docker-engine, I added TLS arguments to the service invocation line
05:31 <janonymous> also you copied certs from ~/.docker/ or /etc/ssl ?
05:31 <janonymous> and did you generate both client and server certs
05:31 <janonymous> irenab: sry for a lot of questions, i will try this out now.
05:31 <irenab> janonymous, followed all the instructions, just did manually, not with the container they suggest as an alternative
05:32 <irenab> both client and server
05:32 <irenab> --tlsverify --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/cert.pem --tlskey=/etc/docker/ssl/key.pem"
05:33 <irenab> check the files that are required for invocation, this is where I copied them from to the /var/lib/kuryr/certs
05:34 <janonymous> ohkay, will check and get back
05:34 <irenab> janonymous, I was running all in one machine, maybe it is easier since both server and client are local
05:35 <janonymous> by all-in-one you mean devstack on single node or something else?
05:39 <irenab> yes
05:40 <irenab> and docker client is also invoked from the devstack node
05:40 <janonymous> Do you have that env now?
05:40 <janonymous> irenab: ^^
05:40 <irenab> janonymous, no ...
05:40 <irenab> But I can deploy
05:41 <irenab> will take some time though
05:41 <irenab> let me kick it for now
05:41 <janonymous> mine was giving error
05:42 <janonymous> http://paste.openstack.org/show/596537/
05:42 <janonymous> irenab: can you record your terminal this time
05:42 <janonymous> :) it would be helpful to me
05:49 <irenab> janonymous, try to copy all 3 cert files into /var.../kuryr/cert
05:49 <irenab> and then restart kuryr and docker
05:49 <irenab> maybe it's the matter of access permissions
05:50 <janonymous> irenab: yeah, tried that... scp -r /etc/docker/ssl/* /var.../kuryr/certs/
05:52 <irenab> try this
05:52 <irenab> $ export DOCKER_TLS_VERIFY=1
05:52 <irenab> $ export DOCKER_CERT_PATH=~/.docker
05:52 <irenab> $ docker info
05:52 <irenab> docker info
05:52 <irenab> does it work?
05:53 <irenab> check that client and docker are ok with certs
05:55 <janonymous> lemme check
05:59 <janonymous> http://paste.openstack.org/show/596541/
06:05 <janonymous> irenab: Is sudo /usr/bin/docker daemon -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/var/lib/kuryr/certs/ca.pem --tlscert=/var/lib/kuryr/certs/cert.pem --tlskey=/var/lib/kuryr/certs/key.pem --cluster-store etcd://localhost:5001 correct? i mean /var/lib/kuryr/certs/* are copied from /etc/docker/ssl/*
06:07 <irenab> janonymous, as far as I remember yes. Seems it worked for you
06:08 <irenab> by default kuryr uses port 4001 for etcd. I changed it, since I am deploying with Dragonflow and it uses 4001 for Redis
06:09 <irenab> janonymous, my devstack is not ready yet, so cannot check currently
06:13 *** janonymous has quit IRC
06:13 *** janonymous has joined #openstack-kuryr
06:34 *** saneax has joined #openstack-kuryr
06:46 *** saneax is now known as saneax-_-|AFK
07:31 *** yedongcan has left #openstack-kuryr
07:38 <apuimedo> still dealing with the certs patch reproduction irenab janonymous ?
07:41 *** yamamoto has quit IRC
07:41 <janonymous> apuimedo: yeah, was trying to get it done
07:52 <apuimedo> :-)
07:52 <apuimedo> good!
08:16 *** yamamoto has joined #openstack-kuryr
09:17 *** limao has quit IRC
09:38 <openstackgerrit> Jaivish Kothari(janonymous) proposed openstack/kuryr-kubernetes: Remove link to modindex  https://review.openstack.org/425597
09:41 *** garyloug has joined #openstack-kuryr
09:49 <irenab> apuimedo, I deployed it again and it worked for me. Waiting for janonymous to confirm if it works for him
09:50 <apuimedo> cool
09:51 <apuimedo> irenab: did you finally agree with ivc_ on anything regarding your comment ot https://review.openstack.org/#/c/423903/
09:51 <apuimedo> s/ot/to/
09:53 <ltomasbo> has anyone tried kuryr-kubernetes with native-ovs?
09:54 <ltomasbo> I saw VIF support was added, but I'm getting some errors, most probably missing some configuration step
09:55 <ltomasbo> I'm getting this: Error adding network: No 'kuryr_kubernetes.cni.binding' driver found, looking for 'VIFOpenVSwitch'
09:56 <ltomasbo> though I see it is preceded by trying to use eth0, while the nic name is different
09:56 <ltomasbo> NetworkPlugin cni failed on the status hook for pod 'busybox-sleep' - Unexpected command output Device "eth0" does not exist.
09:56 <ltomasbo> with error: exit status 1
09:58 <apuimedo> ltomasbo: both vikas and irenab have tried it
09:58 <ltomasbo> any quick tip where to change that? is it kuryr.conf?
09:59 <apuimedo> ltomasbo: bare-metal?
09:59 <ltomasbo> yep
10:02 <ltomasbo> I think it is getting the wrong nic name, and failing to load the binding driver
10:08 *** devvesa has quit IRC
10:10 <apuimedo> irenab: any idea?
10:23 *** devvesa has joined #openstack-kuryr
10:32 <apuimedo> ltomasbo: paste me your local.conf
10:33 <apuimedo> please
10:33 <ltomasbo> sure
10:34 <ltomasbo> http://paste.openstack.org/show/596554/
10:34 <ltomasbo> I used that one, to try the loadbalancer stuff
10:35 <ltomasbo> but then I went to /opt/stack/kuryr-kubernetes
10:35 <ltomasbo> and did a checkout of the master (to have ovs-native support)
10:35 <ltomasbo> and restarted screen kuryr services
10:57 <irenab> apuimedo, just back to my desk, checking logs
10:59 <irenab> apuimedo, do you have any reference how to move bp from one launchpad project to another
11:00 <irenab> ltomasbo, I think that the service patch requires rebase
11:01 <ltomasbo> I just used the master one
11:01 <ltomasbo> without the service support
11:01 <ltomasbo> (although I also tried with rebasing service patch too)
11:01 <irenab> ltomasbo, from the beginning?
11:01 <ltomasbo> same error
11:02 <irenab> setup install?
11:02 <ltomasbo> no
11:02 <ltomasbo> just went to /opt/stack
11:02 <ltomasbo> and inside kuryr-kubernetes
11:02 <ltomasbo> I fetch the current master branch
11:02 <ltomasbo> and restarted the kuryr-kubernetes services
11:04 <irenab> I think you need to run kuryr-kubernetes setup install
11:04 <irenab> or just restack with master
11:06 <apuimedo> irenab: I'll do it and if it works, I'll tell you how
11:06 <apuimedo> xd
11:06 <apuimedo> irenab: link to the bp?
11:07 <irenab> https://blueprints.launchpad.net/kuryr/+spec/kuryr-k8s-integration
11:07 <ltomasbo> irenab, umm, ok, that is different from other openstack components
11:07 <irenab> to move it to kuryr-kubernetes
11:07 <ltomasbo> going to try that
11:08 <irenab> ltomasbo, just due to the stevedore stuff it may be required if initially you deployed ref to services patch
11:09 <apuimedo> where the hell was that option to move it...
11:09 <apuimedo> pffff
11:09 <apuimedo> launchpad doesn't like me
11:09 <irenab> apuimedo, I didn't find it ...
11:09 <apuimedo> Yay!
11:09 <apuimedo> I succeeded!
11:09 <apuimedo> https://blueprints.launchpad.net/kuryr-kubernetes/+spec/kuryr-k8s-integration
11:09 <apuimedo> the button is "Re-target blueprint"
11:09 <irenab> apuimedo, wow! You are my hero for today :-)
11:10 <apuimedo> irenab: I'm like JF with Jira xD
11:10 <irenab> apuimedo, xD
11:17 *** openstackgerrit has quit IRC
12:01 *** pc_m has quit IRC
12:10 *** pc_m has joined #openstack-kuryr
12:46 *** garyloug has quit IRC
13:04 *** garyloug has joined #openstack-kuryr
13:09 <apuimedo> irenab: ivc_: I was thinking about the loadbalancer type
13:10 <apuimedo> my current thought is to have a minimal kubernetes kuryr cloudprovider that does:
13:10 <apuimedo> 1. Create a thirdparty resource with the IP request
13:11 <apuimedo> 2. Wait for the service to be annotated with a fip resource
13:11 <apuimedo> kuryr controller will watch for the third party resource and handle the rest
13:12 <apuimedo> this way we don't need to have OSt credentials for the cloud provider
13:14 <apuimedo> if we preferred to have credentials, We'd just create the fip from the kubernetes cloud provider, annotate and wait
13:27 <irenab> apuimedo, what is this about?
13:34 <ivc_> apuimedo sounds good
13:35 <apuimedo> ivc_: I'm now checking k8s code to see if it is possible
13:35 <apuimedo> irenab: loadbalancer service type
13:35 <ivc_> so we'll implement 'loadbalancer type' as just an fip on top of service's LB, right?
13:36 <apuimedo> I'm afraid that it may be problematic and that we'll have to have different code for bare metal and pod-in-vm
13:36 <apuimedo> ivc_: that's right
13:36 <apuimedo> in any case
13:36 <apuimedo> only variation is.. How
13:36 <apuimedo> :-)
13:37 <ivc_> should not be much of a problem. instead of calling external APIs k8s will just call itself
13:38 <ivc_> and if it has to be a sync call you can just 'wait' for 'ready' flag on annotation
13:38 <ivc_> i like it :)
13:39 <apuimedo> lol
13:39 <apuimedo> //GCE requires that the name of a load balancer starts with a lower case letter.
13:39 <apuimedo> ret := "a" + string(service.UID)
13:40 <apuimedo> that's not in gce specific cloud provider btw
13:40 <apuimedo> :-)
13:40 <ivc_> i wonder why they use uid instead of namespace/name
13:41 <ivc_> uids are so human-unfriendly
13:42 <apuimedo> no idea
13:42 <apuimedo> https://github.com/kubernetes/kubernetes/blob/master/pkg/cloudprovider/cloud.go#L88
13:42 <apuimedo> so we can't put annotation to the service from there
13:42 <apuimedo> I'll have to check if at least we can create the thirdparty resource
13:42 <apuimedo> (which is the preferred option anyway)
14:01 *** dimak_ has joined #openstack-kuryr
14:11 *** saneax-_-|AFK is now known as saneax
14:33 *** dimak_ has quit IRC
14:47 *** gsagie has joined #openstack-kuryr
14:52 *** tonanhngo has joined #openstack-kuryr
14:53 *** tonanhngo has quit IRC
14:53 *** tonanhngo has joined #openstack-kuryr
14:58 *** tonanhngo has quit IRC
15:21 *** hongbin has joined #openstack-kuryr
15:26 <hongbin> apuimedo: hi antoni, want your opinion on this bp, do you think if it is a good idea?
15:26 <hongbin> https://blueprints.launchpad.net/kuryr-libnetwork/+spec/existing-subnetpool\
15:27 <apuimedo> ah, I saw in the morning that you added me as approver
15:27 <apuimedo> let's take a look
15:28 <apuimedo> hongbin: sounds good. I'd like to hear limao and janonymous's thoughts on it
15:28 <apuimedo> but reusing is always good
15:28 <hongbin> apuimedo: thx
15:29 <apuimedo> hongbin: can you add more about "to specify the name of subnetpool, however, it is only used for handling overlapping cidr."
15:29 <apuimedo> the current usage
15:30 <hongbin> apuimedo: ack
15:30 <apuimedo> I'd like if the bp explained exactly how it is used now
15:30 <apuimedo> and how the proposed change will affect usages
15:30 <apuimedo> thanks hongbin
15:30 <apuimedo> :-)
15:30 <hongbin> yes, will add the details.
15:31 <hongbin> apuimedo: thanks for the feedback
15:32 <apuimedo> you're welcome!
15:37 *** garyloug has quit IRC
15:44 *** garyloug has joined #openstack-kuryr
16:24 *** openstackgerrit has joined #openstack-kuryr
16:24 <openstackgerrit> Luis Tomas Bolivar proposed openstack/kuryr-libnetwork: [WIP] Moving from device_owner to tagging  https://review.openstack.org/425772
16:34 <openstackgerrit> Merged openstack/fuxi: Replace hardcode values with OptGroup in config setting  https://review.openstack.org/415378
16:47 <apuimedo> ltomasbo: pretty big change there!
16:47 <apuimedo> We gave up on the device_owner thing with Neutron?
16:48 <ltomasbo> well, it seems it is used in other places too, and armax told me that it is a field that should have never been exposed
16:49 <ltomasbo> so, it will be probably safer in the future to go for tags
16:49 <ltomasbo> https://review.openstack.org/#/c/419028/3
16:49 <ltomasbo> you can see the discussions there
16:51 <ltomasbo> apuimedo: what's your opinion on this?
16:52 *** saneax is now known as saneax-_-|AFK
16:52 <apuimedo> ltomasbo: I think that gui wise it sucks
16:52 <ltomasbo> I tried it with the tagging support for ports and it works, though it is an extra call to neutron to include the tag
16:53 <apuimedo> since guis everywhere expose this
16:53 <apuimedo> and not an arbitrary tag we use
16:53 <apuimedo> ltomasbo: maybe this should be raised in the openstack mailing list
16:54 <apuimedo> adding [horizon]
16:55 <ltomasbo> so, you would like to push more for reverting and keep using device_owner?
16:56 <ltomasbo> I just tested the tags, and created the patch as a way of not losing the code (if needed)
16:58 <ltomasbo> to be honest, we are not using that field that much, it was just used at deleting the port at kuryr-libnetwork, and we even remove it from there
16:59 <ltomasbo> so, I did not have a strong opinion on what's better
17:00 <ltomasbo> this other one I think is more important: https://review.openstack.org/#/c/421880
17:00 <apuimedo> ltomasbo: I'm just sorry to lose the visibility it gave
17:00 *** saneax-_-|AFK is now known as saneax
17:00 <ltomasbo> but I'm not getting the feedback from armax, as I'm not sure about the ironic complaint here (not sure about the trunk port support at ironic)
17:05 *** tonanhngo has joined #openstack-kuryr
17:08 <apuimedo> ltomasbo: are you aware if nova marks the ports it manages in any way?
17:08 <apuimedo> Or it just leverages its own db?
17:10 *** tonanhngo has quit IRC
17:11 <ltomasbo> I think it is marked as nova:compute
17:14 <apuimedo> ltomasbo: so we should add [nova] to the email thread then
17:14 <apuimedo> since their nova:compute for the parent is gonna get overwritten, won't it?
17:14 *** devvesa has quit IRC
17:14 <ltomasbo> no, it remains for the parent port
17:16 <apuimedo> meh... That's a pity that we can't get them involved then
17:16 <ltomasbo> :D
17:31 *** tonanhngo has joined #openstack-kuryr
17:59 *** david-lyle has quit IRC
18:35 *** v1k0d3n has quit IRC
18:43 *** v1k0d3n has joined #openstack-kuryr
18:52 *** garyloug has quit IRC
19:31 *** saneax is now known as saneax-_-|AFK
19:35 *** gsagie has quit IRC
19:45 *** david-lyle has joined #openstack-kuryr
20:53 *** dougbtv_ has joined #openstack-kuryr
20:54 *** dougbtv has quit IRC
20:54 *** dougbtv_ is now known as dougbtv
21:30 *** yamamoto has quit IRC
22:11 *** yamamoto has joined #openstack-kuryr
22:45 *** neiljerram has quit IRC
23:02 *** saneax-_-|AFK is now known as saneax
23:14 *** pmannidi has joined #openstack-kuryr
23:51 *** david-lyle has quit IRC
23:54 *** david-lyle has joined #openstack-kuryr
