Tuesday, 2019-08-27

*** threestrands has joined #openstack-lbaas 00:24
*** hongbin has joined #openstack-lbaas 00:37
*** rcernin has quit IRC 01:13
*** rcernin has joined #openstack-lbaas 02:13
*** psachin has joined #openstack-lbaas 03:33
*** ramishra has joined #openstack-lbaas 03:36
*** hongbin has quit IRC 04:13
*** gcheresh has joined #openstack-lbaas 05:18
*** gcheresh has quit IRC 05:27
*** trident has quit IRC 07:00
*** trident has joined #openstack-lbaas 07:10
*** ivve has joined #openstack-lbaas 07:17
*** sapd1_x has joined #openstack-lbaas 07:25
*** threestrands has quit IRC 07:32
*** rcernin has quit IRC 07:40
*** nmagnezi has joined #openstack-lbaas 08:06
*** tkajinam has quit IRC 08:07
*** gcheresh has joined #openstack-lbaas 09:03
<openstackgerrit> Carlos Goncalves proposed openstack/octavia master: Add VIP access control list https://review.opendev.org/659626 09:05
*** ajay33 has joined #openstack-lbaas 09:31
*** psachin has quit IRC 09:37
*** psachin has joined #openstack-lbaas 09:41
*** psachin has quit IRC 09:48
<openstackgerrit> Carlos Goncalves proposed openstack/octavia master: Add new algorithm SOURCE_IP_PORT https://review.opendev.org/672463 09:56
<openstackgerrit> Carlos Goncalves proposed openstack/python-octaviaclient master: Add support for SOURCE_IP_PORT algorithm https://review.opendev.org/672416 09:58
*** sapd1_x has quit IRC 09:59
*** cgoncalves has quit IRC 10:04
*** cgoncalves has joined #openstack-lbaas 10:04
*** tesseract has joined #openstack-lbaas 11:11
<openstackgerrit> Carlos Goncalves proposed openstack/python-octaviaclient master: Add support to VIP access control list https://review.opendev.org/659627 11:53
*** gcheresh has quit IRC 12:10
*** gcheresh has joined #openstack-lbaas 12:12
*** gcheresh has quit IRC 12:26
*** KeithMnemonic has joined #openstack-lbaas 13:14
*** boden has joined #openstack-lbaas 13:17
*** ajay33 has quit IRC 13:46
*** Vorrtex has joined #openstack-lbaas 14:17
*** Vorrtex has quit IRC 14:17
*** Vorrtex has joined #openstack-lbaas 14:19
<openstackgerrit> Swaminathan Vasudevan proposed openstack/octavia master: (WIP): Modify the diskimage elements to support SUSE packages https://review.opendev.org/678460 15:54
<openstackgerrit> Carlos Goncalves proposed openstack/octavia master: Add VIP access control list https://review.opendev.org/659626 16:01
*** ivve has quit IRC 16:22
*** amotoki is now known as amotoki_ 16:42
*** psachin has joined #openstack-lbaas 16:53
*** cjloader has joined #openstack-lbaas 16:58
*** boden has quit IRC 17:22
*** boden_ has joined #openstack-lbaas 17:22
*** ivve has joined #openstack-lbaas 17:25
*** ivve has quit IRC 17:26
*** ivve has joined #openstack-lbaas 17:27
<colin-> friendly reminder to anyone who changes amp OS distributions, however obvious it may seem, the username for key-based ssh auth will change with the distribution heh 17:28
<colin-> had to ask someone before realizing centos for centos, ubuntu for ubuntu, etc 17:29
*** psachin has quit IRC 17:29
*** tesseract has quit IRC 17:30
*** psachin has joined #openstack-lbaas 17:33
<cgoncalves> cloud-user for RHEL :) 17:34
<johnsom> cirros for cirros. 17:35
<cgoncalves> but, but... no more cubswin:) password :( 17:44
*** psachin has quit IRC 17:45
<openstackgerrit> Michael Johnson proposed openstack/octavia master: Use dual intermediate CAs for devstack https://review.opendev.org/678923 17:54
<johnsom> Let's see if that works.... grin 17:55
<johnsom> At least it will set up devstack in the gates for a more realistic PKI deployment. 17:55
<openstackgerrit> Michael Johnson proposed openstack/octavia master: Use dual intermediate CAs for devstack https://review.opendev.org/678923 18:07
<openstackgerrit> Michael Johnson proposed openstack/octavia master: Use dual intermediate CAs for devstack https://review.opendev.org/678923 18:08
<johnsom> Argh, tabs 18:08
<cgoncalves> what happened to State of Denial? :D 18:17
<johnsom> lol, I forgot about that. That might be a worthy nit comment to put it back 18:18
*** ramishra has quit IRC 18:43
<colin-> do we override the `hosts` section of /etc/nsswitch.conf in diskimage builder for amphora? 18:45
<colin-> to specifically only use the `files` value? 18:45
<openstackgerrit> Michael Johnson proposed openstack/octavia master: Use dual intermediate CAs for devstack https://review.opendev.org/678923 18:46
<johnsom> colin- We completely disable DNS and hostnames in nsswitch 18:46
<johnsom> https://opendev.org/openstack/octavia/src/branch/master/elements/no-resolvconf/finalise.d/99-disable-resolv-conf 18:47
<colin-> what's our position with that, don't want the added dependency service wise? 18:52
<colin-> speed? 18:52
<johnsom> Both. Amphora do not naturally have a path to DNS infrastructure (private nets only use case). We don't have a need for DNS inside the amphora, it significantly improves startup time as there is always some new package that thinks it needs to go out to the internet, and it's nice to have anything that attempts to do DNS fail fast. 18:53
<colin-> i see. it makes it really difficult to access anything from the amphora. i'm disinclined to fork the diskimage builder to write individually maintained host file entries 18:56
<colin-> any suggestions? 18:56
<johnsom> Yeah, in general the amphora are not set up by default to call out to anything.... 19:02
<johnsom> If you must, I would recommend you create local DIB elements that customize it to your liking. 19:03
<johnsom> https://opendev.org/openstack/octavia/src/branch/master/diskimage-create 19:03
<johnsom> There are environment variables that allow you to manipulate the DIB process. Of interest would be "DIB_LOCAL_ELEMENTS" that allows you to define a list of local elements. All elements have an ordering number, so you can create local elements that override settings we make by default. 19:04
<johnsom> Personally, I consider the amphora an "un-trusted" element and don't want it to be able to do much of anything beyond what we have it doing. I.e. I don't want it to be able to look up DNS names and reach out to the outside world. I.e. make it hard to pull in hostile packages, etc. 19:06
<johnsom> They are not "pets" as the saying goes.... 19:07
*** gcheresh has joined #openstack-lbaas 19:22
<johnsom> I am screaming but you all can't hear it.... 19:46
<johnsom> usage: ca args 19:47
<johnsom> unknown option --days 19:47
<johnsom> centos7 and its ancient code.... 19:47
<johnsom> Yes, I did it wrong, but at least ubuntu's version acknowledges that openssl has been in the wrong and accepts it. 19:48
<openstackgerrit> Michael Johnson proposed openstack/octavia master: Use dual intermediate CAs for devstack https://review.opendev.org/678923 19:49
*** Vorrtex has quit IRC 20:15
*** gcheresh has quit IRC 20:30
*** nmagnezi has quit IRC 20:42
*** nmagnezi has joined #openstack-lbaas 21:01
*** ivve has quit IRC 21:25
<colin-> understood. i think the days of strict egress may be in the rear view mirror for me 21:54
<colin-> will look into a customization of the builder 21:54
*** boden_ has quit IRC 21:59
*** trident has quit IRC 22:05
*** trident has joined #openstack-lbaas 22:13
*** rcernin has joined #openstack-lbaas 22:15
<johnsom> rm_work I'm looking at https://review.opendev.org/#/c/667484, should additive only also do updates? It's not clear to me if that is add-only or (add and update)-only 23:00
*** tkajinam has joined #openstack-lbaas 23:06
<openstackgerrit> Michael Johnson proposed openstack/octavia master: Use dual intermediate CAs for devstack https://review.opendev.org/678923 23:28
<openstackgerrit> Merged openstack/octavia master: Force DIB Python version for py2 in diskimage-create https://review.opendev.org/673805 23:49
