| *** ueha has joined #openstack | 00:01 | |
| *** aolivo1 has quit IRC | 00:05 | |
| *** benj_ has quit IRC | 01:37 | |
| *** benj_ has joined #openstack | 01:59 | |
| *** yamak16 has joined #openstack | 01:59 | |
| *** jelabarre-rh has quit IRC | 02:06 | |
| *** andrewbogott_ has joined #openstack | 02:44 | |
| *** rlandy|bbl is now known as rlandy | 03:14 | |
| *** rlandy has quit IRC | 03:14 | |
| *** Tahoe has joined #openstack | 03:25 | |
| *** Tahoe has quit IRC | 04:12 | |
| *** gregraka has quit IRC | 05:55 | |
| *** slaweq_ has joined #openstack | 06:00 | |
| *** slaweq has left #openstack | 06:02 | |
| *** slaweq_ has quit IRC | 06:03 | |
| *** slaweq_ has joined #openstack | 06:03 | |
| prometheanfire | ozzzo: that didn't work either (can't alter rbac policies when they are in use by anything, so only way to go is to recreate everything, not really possible in prod :P | 06:15 |
|---|---|---|
| prometheanfire | for our use, removing allocation pools works well enough, though users can still manually create ports, if they do so they may get hands slapped hard | 06:16 |
| * prometheanfire might write a monitor for that... | 06:16 | |
| *** soniya29 has joined #openstack | 06:21 | |
| *** soniya29 has quit IRC | 06:22 | |
| *** soniya29 has joined #openstack | 06:25 | |
| *** soniya29 has quit IRC | 06:25 | |
| *** soniya29 has joined #openstack | 06:26 | |
| *** Tahoe has joined #openstack | 06:30 | |
| *** lvdombrkr has joined #openstack | 06:34 | |
| Tahoe | ? | 06:40 |
| Tahoe | I can't see any chat history. | 06:41 |
| frickler | prometheanfire: that sounds like a bug to me, let me know if you will create one. slaweq_ ^^ | 06:43 |
| frickler | Tahoe: you can find logs for all openstack-related channels at http://eavesdrop.openstack.org/irclogs/ in case you missed something | 06:43 |
| *** jengbers has joined #openstack | 06:44 | |
| prometheanfire | frickler: the error I get back is explicit about not supporting changing in use rbac policies | 06:44 |
| prometheanfire | RBAC policy on object FOO_UUID cannot be removed because other objects depend on it. | 06:44 |
| prometheanfire | `openstack network rbac set --target-project PROJ_UUID RBAC_UUID` was the command | 06:45 |
| prometheanfire | if you still think it's a bug I'll report it | 06:46 |
| slaweq_ | prometheanfire: frickler: IIRC if there are any objects which are using rbac policy, You can't remove it | 06:46 |
| frickler | prometheanfire: so that means if I share a network with two projects that use it, I couldn't add a third one. maybe it would be a new feature instead of a bug, but I'm going to need that myself soonish | 06:46 |
| prometheanfire | it's a set operation, not removal, maybe it's not using the right code path? | 06:46 |
| slaweq_ | so You should first "unshare" resources | 06:46 |
| prometheanfire | I can't do that either | 06:46 |
| prometheanfire | `os network set --no-share network_uuid` Unable to reconfigure sharing settings for network 'NAME'. Multiple tenants are using it. | 06:47 |
| prometheanfire | I don't see ports | 06:47 |
| frickler | prometheanfire: which version are you using? I'll do some testing myself, too | 06:48 |
| prometheanfire | hmm, maybe there's another network | 06:48 |
| prometheanfire | ussuri, | 06:48 |
| prometheanfire | or of the client? | 06:48 |
| frickler | prometheanfire: no, neutron version, not sure if it also might be an issue with the client. need some time to set up a test myself | 06:49 |
| frickler | so ussuri answers my question | 06:49 |
| prometheanfire | ussuri client too :D | 06:50 |
| *** soniya29 has quit IRC | 06:50 | |
| prometheanfire | you know an easy way to figure out what's using that network, I don't see ports though 'Multiple tenants are using it.' | 06:50 |
| prometheanfire | maybe it gives the error when any project is using it | 06:51 |
| *** malikobaid has joined #openstack | 06:52 | |
| frickler | prometheanfire: I'd need to check the code paths for that | 06:54 |
| frickler | prometheanfire: do you have a full traceback? that might help | 06:54 |
| *** soniya29 has joined #openstack | 06:55 | |
| prometheanfire | it looks like neutron is throwing it | 06:55 |
| prometheanfire | right now I've traced it back to either ensure_no_tenant_ports_on_network or _validate_projects_have_access_to_network | 06:56 |
| prometheanfire | in neutron | 06:56 |
| prometheanfire | which is called by _validate_shared_update, which mentions going from true to false, which I'm doing | 06:56 |
| prometheanfire | ok, so the network was originally created via openstack-ansible as a provider network, then used by another project | 07:00 |
| prometheanfire | so the network is owned by project A, and used by project B, because of this the network cannot set unshared because then it will conflict with project b (since now it's only allowed to be used by project a) | 07:00 |
| prometheanfire | can't update the network owner to be project b or set unshared :| | 07:01 |
| prometheanfire | frickler: what process / service runs the neutron db code? neutron/db/db_base_plugin_v2.py#L281 | 07:02 |
| prometheanfire | so I can check for traceback | 07:02 |
| prometheanfire | eh, server container did show anything | 07:04 |
| *** rpittau|afk is now known as rpittau | 07:05 | |
| *** malikobaid___ has joined #openstack | 07:06 | |
| *** gwaewion has quit IRC | 07:07 | |
| *** genekuo has joined #openstack | 07:11 | |
| *** aa has joined #openstack | 07:16 | |
| *** aa has quit IRC | 07:16 | |
| prometheanfire | hmm target project has to be singular or everyone, and has to include the source project when shared | 07:24 |
| prometheanfire | or seems to | 07:24 |
| *** andrewbonney has joined #openstack | 07:32 | |
| prometheanfire | frickler: would you agree that I seem to have drawn myself into a corner? | 07:33 |
| *** slaweq has joined #openstack | 07:35 | |
| prometheanfire | changing shared or the rbac for shared seems to call 'update_network' which calls '_validate_shared_update', which fails when network created by project a tries to grant access to only project b | 07:35 |
| prometheanfire | in that scenario you'd think both project a and project b would have access | 07:36 |
| prometheanfire | I think maybe https://github.com/openstack/neutron/blame/3b3398b8c5c0d597e0995ab7fdccef6d64d456cf/neutron/db/db_base_plugin_v2.py#L295 should be '> 2', not '> 1' | 07:37 |
| prometheanfire | if (len(tenant_ids) > 1 or len(tenant_ids) == 1 and original.tenant_id not in tenant_ids) | 07:38 |
| *** slaweq_ has quit IRC | 07:41 | |
| prometheanfire | ohh, I did it | 07:46 |
| prometheanfire | frickler: workaround was setting a new rbac for each of the projects that have access to network/subents/ports (so bootstrap project and user project, or a and b) | 07:47 |
| prometheanfire | then you can set --no-share | 07:47 |
| *** slaweq_ has joined #openstack | 08:05 | |
| *** slaweq_ has quit IRC | 08:11 | |
| *** CeeMac has joined #openstack | 08:15 | |
| frickler | prometheanfire: oh, it seems I misunderstood your initial issue. when you said "remove shared policy" I read "remove projects from the rbac list", not "remove the --shared property from the network" | 08:18 |
| prometheanfire | heh | 08:21 |
| prometheanfire | I find reading comprehension is something I struggle with too :P | 08:21 |
| frickler | but then, things might actually be working as designed, I'd think | 08:27 |
| prometheanfire | nah, can still have logic errors and other types | 08:31 |
| *** fuhrmannb has joined #openstack | 08:34 | |
| *** fuhrmannb has quit IRC | 08:36 | |
| *** fuhrmannb|2 has joined #openstack | 08:38 | |
| *** soniya29 has quit IRC | 08:57 | |
| *** jpward has quit IRC | 09:11 | |
| *** TMM has quit IRC | 09:17 | |
| *** TMM has joined #openstack | 09:17 | |
| *** jangutter has joined #openstack | 09:48 | |
| *** jangutter_ has quit IRC | 09:54 | |
| *** Tahoe has quit IRC | 09:55 | |
| *** isabek has joined #openstack | 09:56 | |
| *** isabek has left #openstack | 09:57 | |
| *** jangutter has quit IRC | 10:01 | |
| *** jangutter has joined #openstack | 10:02 | |
| *** jengbers has quit IRC | 10:05 | |
| *** jangutter has quit IRC | 10:14 | |
| *** jangutter has joined #openstack | 10:15 | |
| *** yamak16 has quit IRC | 10:21 | |
| *** jangutter has quit IRC | 10:23 | |
| *** jangutter has joined #openstack | 10:24 | |
| *** soniya29 has joined #openstack | 10:28 | |
| *** jengbers has joined #openstack | 10:31 | |
| *** jengbers has quit IRC | 10:34 | |
| *** genekuo has quit IRC | 10:38 | |
| *** genekuo has joined #openstack | 10:39 | |
| *** jengbers has joined #openstack | 10:42 | |
| *** malikobaid has quit IRC | 10:49 | |
| *** ueha has quit IRC | 11:01 | |
| *** soniya29 has quit IRC | 11:22 | |
| *** osmanlicilegi has quit IRC | 11:38 | |
| *** genekuo has quit IRC | 11:38 | |
| *** genekuo has joined #openstack | 11:38 | |
| *** rlandy has joined #openstack | 11:49 | |
| *** aolivo1 has joined #openstack | 12:00 | |
| *** osmanlicilegi has joined #openstack | 12:00 | |
| *** genekuo has quit IRC | 12:04 | |
| *** aolivo1 has quit IRC | 12:08 | |
| *** osmanlicilegi has quit IRC | 12:11 | |
| *** jelabarre-rh has joined #openstack | 12:15 | |
| *** osmanlicilegi has joined #openstack | 12:35 | |
| *** malikobaid___ has quit IRC | 12:44 | |
| *** osmanlicilegi has quit IRC | 12:46 | |
| *** soniya29 has joined #openstack | 12:52 | |
| *** rlandy is now known as rlandy|training | 12:54 | |
| *** osmanlicilegi has joined #openstack | 12:55 | |
| *** gregraka has joined #openstack | 13:05 | |
| *** lowercase has joined #openstack | 13:28 | |
| *** rpittau is now known as rpittau|afk | 13:37 | |
| *** jengbers has quit IRC | 13:41 | |
| *** jengbers has joined #openstack | 13:41 | |
| *** rlandy|training is now known as rlandy | 13:43 | |
| *** jengbers has quit IRC | 13:43 | |
| *** soniya29 has quit IRC | 14:14 | |
| *** aolivo1 has joined #openstack | 14:19 | |
| *** heilerich has joined #openstack | 14:39 | |
| *** gmann is now known as gmann_afk | 14:40 | |
| heilerich | Hi everyone! I am trying to connect a machines on a tenant network to services on a shared (internal) network using neutron-ovn, but I am having difficulties :( | 14:50 |
| heilerich | I created a port on the shared network. Then, I added that port to the default router on the tenant network. Lastly, I created a static route on the tenant router to the shared network subnet with the shared network router as the gateway. Sadly it's not working. Meaning I can't seem to connect from a machine on the tenant network to a service on the shared network. | 14:50 |
| heilerich | Does anyone have any pointers on how to debug this issue? Or should I go about this using an entirely different approach? | 14:50 |
| *** gregraka has quit IRC | 14:59 | |
| *** gmann_afk is now known as gmann | 15:13 | |
| *** engine has joined #openstack | 15:20 | |
| *** khyr0n has quit IRC | 15:32 | |
| *** gregraka has joined #openstack | 16:02 | |
| *** rlandy is now known as rlandy|brb | 16:10 | |
| *** jelabarre-rh has quit IRC | 16:28 | |
| *** engine_ has joined #openstack | 16:35 | |
| *** engine has quit IRC | 16:36 | |
| *** rlandy|brb is now known as rlandy | 16:42 | |
| *** fuhrmannb|2 has quit IRC | 17:22 | |
| *** TMM has quit IRC | 17:27 | |
| *** TMM has joined #openstack | 17:28 | |
| *** engine_ has left #openstack | 17:43 | |
| *** engine has joined #openstack | 17:46 | |
| *** andrewbonney has quit IRC | 17:46 | |
| *** lvdombrkr has quit IRC | 18:04 | |
| *** engine_83 has joined #openstack | 18:13 | |
| *** engine has quit IRC | 18:20 | |
| *** lowercase has quit IRC | 18:51 | |
| *** tinwood has quit IRC | 18:55 | |
| *** tinwood has joined #openstack | 18:58 | |
| *** khyr0n has joined #openstack | 18:59 | |
| *** engine__38 has joined #openstack | 19:24 | |
| *** engine__38 has quit IRC | 19:29 | |
| *** engine_83 has quit IRC | 19:30 | |
| *** lvdombrkr has joined #openstack | 19:37 | |
| *** gfidente|afk has quit IRC | 20:42 | |
| *** servagem has quit IRC | 21:14 | |
| *** gmann is now known as gmann_afk | 21:51 | |
| *** jangutter_ has joined #openstack | 21:59 | |
| *** jangutter_ has quit IRC | 21:59 | |
| *** jangutter_ has joined #openstack | 22:00 | |
| *** jangutte_ has joined #openstack | 22:01 | |
| *** jangutte_ has quit IRC | 22:01 | |
| *** jangutter_ has quit IRC | 22:01 | |
| *** jangutter_ has joined #openstack | 22:02 | |
| *** jangutter_ has quit IRC | 22:02 | |
| *** jangutter_ has joined #openstack | 22:04 | |
| *** jangutter has quit IRC | 22:06 | |
| *** John_W has joined #openstack | 22:29 | |
| *** rlandy has quit IRC | 23:01 | |
| *** leifmadsen has quit IRC | 23:06 | |
| *** gregraka has quit IRC | 23:08 | |
| *** leifmadsen has joined #openstack | 23:15 | |
| *** aolivo1 has quit IRC | 23:18 | |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!