13:03:46 <alexpilotti> #startmeeting hyper-v
13:03:47 <openstack> Meeting started Wed Mar 30 13:03:46 2016 UTC and is due to finish in 60 minutes. The chair is alexpilotti. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:03:48 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:03:51 <openstack> The meeting name has been set to 'hyper_v'
13:03:54 <atuvenie> hi all
13:03:57 <abalutoiu_> Hello
13:03:59 <claudiub|2> o/
13:03:59 <sagar_nikam> Hi All
13:04:03 <alexpilotti> hello folks
13:04:05 <claudiub|2> hello
13:04:05 <ionutbalutoiu> Hello
13:04:13 <sonu> hello
13:04:36 <alexpilotti> sagar_nikam sent some topics for the agenda, we can start from there
13:04:51 <sagar_nikam> alexpilotti: sure thanks
13:04:55 <alexpilotti> #topic TLS/SSL/Certs
13:05:09 <alexpilotti> sagar_nikam: would you like to intro the topic?
13:05:19 <sagar_nikam> we have setup a TLS enabled controller
13:05:31 <sagar_nikam> All APIs are https enabled
13:05:52 <sagar_nikam> next we installed nova-compute on hyperv host
13:06:07 <alexpilotti> so all Keystone endpoints have https
13:06:09 <sagar_nikam> and then copied the certs from controller (.crt file) to hyperv host
13:06:18 <sagar_nikam> added this entry in nova.conf
13:06:25 <sagar_nikam> in cafile entry
13:06:31 <sagar_nikam> nova-compute starts
13:06:40 <sagar_nikam> but while performing nova boot
13:06:47 <sagar_nikam> glance download fails
13:06:56 <sagar_nikam> since the https endpoint is not reached
13:07:03 <sagar_nikam> and we get the error
13:07:16 <sagar_nikam> “2016-03-22 11:52:46.273 4808 ERROR nova.compute.manager [instance: a2f491eb-8796-489d-89e4-8cd93fd044cb] SSLError: SSL exception connecting to https://10.1.212.10:9696/v2.0/extensions.json: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)”
13:07:33 <sagar_nikam> this is the issue we are hitting
13:07:40 <sagar_nikam> we are using python 2.7.10 on hyperv host
13:07:50 <sagar_nikam> googling i found this link
13:07:59 <sagar_nikam> http://stackoverflow.com/questions/33140382/troubleshooting-ssl-certificate-verify-failed-error
13:08:03 <alexpilotti> sagar_nikam: here's the Nova code: https://github.com/openstack/nova/blob/master/nova/image/glance.py
13:08:28 <sagar_nikam> the error in that exactly the same we hit
13:08:32 <alexpilotti> under [glance]
13:08:35 <alexpilotti> do you have:
13:08:39 <alexpilotti> protocol = https
13:08:52 <sagar_nikam> and the response in that link suggests the issue is with openssl version used in python 2.7.10
13:09:02 <sagar_nikam> alexpilotti:yes
13:09:05 <alexpilotti> or since it's deprecated,
13:09:08 <sagar_nikam> it is https
13:09:16 <alexpilotti> api_servers = https://etc ?
13:09:25 <sagar_nikam> going back to python version 2.7.11 has some fixes
13:09:44 <alexpilotti> if you set:
13:09:51 <alexpilotti> api_insecure = True
13:09:53 <alexpilotti> does it work?
13:10:19 <sagar_nikam> entry from nova.conf
13:10:31 <alexpilotti> yes, under [glance]
13:10:37 <sagar_nikam> [glance] api_servers = https://my-ip:9292 protocol = https
13:11:16 <sagar_nikam> i suspect that this issue is got to do with python 2.7.10
13:11:19 <alexpilotti> can you add also api_insecure = True
13:11:24 <alexpilotti> just for a test
13:11:24 <sagar_nikam> alexpilotti: your thoughts ?
13:11:42 <sagar_nikam> alexpilotti: sure, for test i can add that
13:11:51 <alexpilotti> I think it's just related to openssl not being able to verify the cert on the server
13:11:53 <sagar_nikam> but for prod, we need to find a solution
13:12:20 <sagar_nikam> alexpilotti: is it not related to python version
13:12:26 <sagar_nikam> see this change log of python
13:12:28 <alexpilotti> also you need: https://github.com/openstack/nova/blob/master/nova/image/glance.py#L155-L160
13:12:33 <sagar_nikam> https://hg.python.org/cpython/raw-file/53d30ab403f1/Misc/NEWS
13:12:45 <alexpilotti> do you have:
13:12:48 <sagar_nikam> it has a fix for using openssl
13:13:05 <alexpilotti> [ssl] cacert = ca.crt ?
13:13:22 <sagar_nikam> yes
13:13:26 <sagar_nikam> check this entry
13:13:38 <sagar_nikam> [ssl] ca_file = "C:\Users\Administrator\Desktop\ca-certificates.crt"
13:14:02 <alexpilotti> ok then you are good
13:14:02 <sagar_nikam> actually i have ca_file
13:14:10 <sagar_nikam> not cacert
13:14:34 <sagar_nikam> alexpilotti: have your team got SSL/Certs working on hyperv ?
13:14:34 <alexpilotti> did you try with python 2.7.11? just to make sure it's not a openssl issue
13:14:53 <alexpilotti> so far we never had issues
13:14:56 <sagar_nikam> alexpilotti: yes, trying with python 2.7.11
13:15:07 <alexpilotti> this can be easily isolated as well
13:15:13 <sagar_nikam> what was the python version you have used
13:15:23 <alexpilotti> you just have to create a glanceclient:
13:15:24 <alexpilotti> glanceclient.Client(str(version), endpoint, **params)
13:16:23 <alexpilotti> glanceclient.Client("1", "https://xxx", cacert=xxx.crt)
13:16:25 <sagar_nikam> you mean in a test code ?
13:16:31 <alexpilotti> yeah of course
13:16:34 <sagar_nikam> ok
13:16:38 <sagar_nikam> we can try that
13:16:46 <sagar_nikam> just to isolate the issue
13:16:54 <alexpilotti> just run it on any Windows
13:17:03 <alexpilotti> yes, correct
13:17:12 <alexpilotti> we can even go one step further
13:17:27 <sagar_nikam> however i am curious, how did it work in your setup ? which version of python on hyperv host
13:18:41 <alexpilotti> this is what the glanceclient is using: https://github.com/openstack/python-glanceclient/blob/1995046a5f2445b0b125f4a06f852409c6d4a25d/glanceclient/common/https.py#L234
13:19:43 <alexpilotti> ionutbalutoiu: did that environment that you set up have a Glance endpoint too?
13:21:43 <ionutbalutoiu> alexpilotti, no, it was just a deployment with swift + keystone
13:21:51 <ionutbalutoiu> both running on https
13:21:56 <alexpilotti> we can easily replicate the entire setup in devstack
13:21:59 <alexpilotti> USE_SSL=True
13:22:39 <sagar_nikam> alexpilotti: we will try in our setup, can your team try in devstack and let us know your findings
13:23:00 <alexpilotti> sure, it's worth doing a test
13:23:01 <sagar_nikam> hopefully we can find a solution soon
13:23:21 <alexpilotti> I'm quite confident that it's just a configuration issue
13:23:57 <sagar_nikam> sure, if that is a configuration issue, then it is good
13:24:01 <alexpilotti> we're doing some tests today
13:24:19 <sagar_nikam> also are we sure, just copying the certs file to hyperv host is sufficient ?
13:24:42 <sagar_nikam> alexpilotti: thanks. that helps
13:25:05 <alexpilotti> if they get properly passed the urllib3, there should be no issue
13:25:14 <sagar_nikam> ok
13:25:19 <alexpilotti> we'll get back with what we find out ASAP
13:25:26 <sagar_nikam> sure... thanks
13:25:53 <sagar_nikam> we can move to next topic if everybody is done on this topic
13:26:08 <alexpilotti> actually, we should move all of our devstack deployments to TLS, as it's more consistent with real production environments
13:26:50 <alexpilotti> next
13:26:53 <alexpilotti> #topic FreeRDP
13:27:11 <alexpilotti> sagar_nikam: would you like to introduce your request?
13:27:32 <sagar_nikam> sure
13:27:40 <sagar_nikam> freerdp-webconnect
13:27:48 <sagar_nikam> any plans of supporting it on linux
13:27:56 <sagar_nikam> we would like to use it on linux
13:28:20 <alexpilotti> it is already building on Linux
13:28:26 <sagar_nikam> in the same way of novnc
13:29:00 <sagar_nikam> from the last i saw, it was not available
13:29:03 <alexpilotti> it builds on ubuntu and centos afaik, need to double check
13:29:06 <sagar_nikam> can you point me to the link ?
13:29:17 <sagar_nikam> i tried on ubuntu
13:29:19 <sagar_nikam> did not work
13:29:48 <alexpilotti> ubuntu 14.04?
13:29:55 <alexpilotti> what did you run to build it?
13:30:05 <sagar_nikam> also your instructions are for installing it from code, we would like a .deb file
13:30:12 <sagar_nikam> yes ubuntu 14.04
13:30:30 <sagar_nikam> debian file is not available
13:30:56 <alexpilotti> you mean a deb?
13:31:17 <sagar_nikam> yes
13:31:22 <alexpilotti> ATM it needs to be built with ./setup-all.sh -i
13:31:27 <sagar_nikam> deb is not available
13:31:36 <alexpilotti> we dont provide prebuilt debs or rpms
13:31:38 <sagar_nikam> yes correct,
13:32:01 <sagar_nikam> that was my question. any plans of supporting deb or rpm ?
13:32:03 <alexpilotti> but we'd happily accept contributions :)
13:32:24 <alexpilotti> we dont plan to do it in the short term
13:32:47 <sagar_nikam> ok
13:32:57 <alexpilotti> as you know we use mostly windows ATM, so although we support building on Linux, we don't plan to package it
13:33:07 <sagar_nikam> ok
13:33:22 <alexpilotti> you also need to make sure that all dependencies are properly satisfied as well
13:33:50 <alexpilotti> doing a custom deb package based on the compiled binaries shouldn't be too difficult IMO
13:34:12 <sagar_nikam> ok
13:34:45 <sagar_nikam> we will use it as and when it is available, till that time, we will probably use it on windows
13:34:55 <alexpilotti> sure
13:34:59 <sagar_nikam> we will use it as and when it is available, till that time, we will probably use it on windows
13:35:13 <alexpilotti> anything else you'd like to add on the topic?
13:35:26 <sagar_nikam> no
13:35:47 <alexpilotti> cool, next:
13:35:53 <alexpilotti> #topic: Newton – Plans for resubmitting FC and cluster patches upstream
13:36:27 <alexpilotti> AFAIK the windows is open now, so we can start resubmitting all the BP specs
13:36:41 <alexpilotti> and ensure that the patches are ready for review etc
13:36:50 <alexpilotti> claudiub|2: can you confirm?
13:37:07 <sagar_nikam> both cluster driver and FC are important, hopefully they get merged in newton
13:37:13 <claudiub|2> bp specs reapproved for n
13:37:41 <alexpilotti> sagar_nikam: yes, they are all here: https://github.com/openstack/nova-specs/tree/master/specs/newton/approved
13:37:57 <sagar_nikam> alexpilotti: can we have these 2 in the top 3 from hyperv for nova core reviewers
13:38:19 <alexpilotti> well, they want 3 patches at a time
13:38:45 <alexpilotti> any preference in the priority between cluster and FC?
13:38:58 <sagar_nikam> cluster first, FC second
13:39:05 <alexpilotti> ok
13:39:31 <alexpilotti> atuvenie: can you please take care of rebasing on master?
13:40:05 <atuvenie> yes
13:40:37 <alexpilotti> also, there are a ton of BPs that are pending approval: https://blueprints.launchpad.net/nova?searchtext=hyper-v
13:40:54 <alexpilotti> claudiub|2: can you please ping johnthetubaguy and ask if they can be reapproved?
13:41:08 <alexpilotti> those are the ones w/o specs (aka trivial bps)
13:41:08 <claudiub|2> sure
13:41:33 <alexpilotti> there are at least 10 of them
13:42:12 <alexpilotti> also the cluster one says "slow progress", should be changed in "needs code review" as soon as patches get rebased
13:42:30 <alexpilotti> I'd also start rebasing the FC ones
13:42:48 <alexpilotti> especially if they are ready to go as is
13:43:08 <alexpilotti> sagar_nikam: any other question on this topic?
13:43:33 <sagar_nikam> since we are at the start of M
13:43:42 <sagar_nikam> lets get these patches submitted for review
13:43:52 <sagar_nikam> hopefully we get some review time
13:43:54 <alexpilotti> sagar_nikam: we might need again your +1s on those patches after rebase, BTW
13:44:03 <sagar_nikam> sure
13:44:22 <sagar_nikam> i will work with hemna and kurt to get +1 for FC
13:45:14 <alexpilotti> FC ones should be easier to rebase. lpetrut, can you please take care of those?
13:45:17 <alexpilotti> e.g.: https://review.openstack.org/#/c/258617/
13:45:52 <sagar_nikam> lpetrut: let me know when you need review from hemna and kurt
13:46:02 <alexpilotti> also https://review.openstack.org/#/c/273504/
13:46:22 <alexpilotti> we need to ask johnthetubaguy to remove the -2s, since the BP got re-approved for N
13:46:35 <alexpilotti> lpetrut: you here?
13:46:47 <lpetrut> sagar_nikam: sure
13:47:04 <alexpilotti> there's also the os-brick one w a -2: https://review.openstack.org/#/c/273504/
13:48:13 <lpetrut> since Newton is now open, I guess I should talk with John to remove the -2
13:48:15 <alexpilotti> I'd suggest to start on those ASAP
13:48:34 <alexpilotti> lpetrut: yes, there's no reason to keep them blocked anymore
13:48:43 <alexpilotti> 12' to go
13:48:51 <alexpilotti> anything else on the topic?
13:49:03 <sagar_nikam> no
13:49:09 <alexpilotti> ok, next
13:49:13 <sagar_nikam> sonu: any networking topics
13:49:18 <sagar_nikam> we have 12'
13:49:37 <alexpilotti> #topic wait for Neutron vif events
13:50:18 <alexpilotti> we added support in compute-hyperv for waiting for Neutron when spawning an instance
13:51:20 <alexpilotti> we lose a 6% performance, but it looks like we got rid of the WMI ACL bug
13:51:31 <sagar_nikam> alexpilotti: do we have a bug for it upstream ? any plans of upstreaming it
13:51:39 <alexpilotti> yes, sure
13:51:58 <alexpilotti> not sure if this wont require a BP
13:52:09 <claudiub|2> there's a bp for this already, it's approved
13:52:09 <claudiub|2> https://blueprints.launchpad.net/nova/+spec/hyper-v-spawn-on-neutron-event
13:52:14 <claudiub|2> #link https://blueprints.launchpad.net/nova/+spec/hyper-v-spawn-on-neutron-event
13:52:23 <alexpilotti> here we go :)
13:53:00 <alexpilotti> already reapproved
13:53:08 <alexpilotti> we just need to send up a patch
13:53:09 <sagar_nikam> looking at the BP, it seems a small change
13:53:16 <sagar_nikam> not very complex
13:53:50 <alexpilotti> sagar_nikam: https://github.com/openstack/compute-hyperv/commit/3b117c95285a5cf52be6440f955c8c9c33249a7b
13:54:02 <alexpilotti> here's the compute-hyperv equivalent
13:54:31 <sagar_nikam> ok
13:54:42 <alexpilotti> it can be applied to Nova roughly as is
13:55:10 <alexpilotti> ok, tests and paths need to be changed, but the logic is the same
13:55:25 <alexpilotti> also it's not dependent on anything else
13:55:34 <alexpilotti> 5' to go
13:55:44 <alexpilotti> #topic performance
13:56:33 <alexpilotti> last Rally tests are great, looks like we got ahead of KVM, by a tiny margin on the Hadoop test case :)
13:56:55 <alexpilotti> I'm very happy about all the Mitaka improvements
13:57:29 <alexpilotti> sagar_nikam: any plans to do some performance tests?
13:57:30 <sagar_nikam> how many of these mitaka improvements already upstream ?
13:57:40 <alexpilotti> all the os-win ones
13:58:00 <alexpilotti> luckily a lot of those are os-win specific, so we dont have the Nova bottleneck
13:58:21 <sagar_nikam> we are still on liberty, i know that sonu:'s team is planning scale tests on liberty in few weeks
13:58:42 <alexpilotti> cool
13:58:50 <sagar_nikam> good to know that all changes are in os-win
13:59:17 <sagar_nikam> alexpilotti: we may need some help if scale results point to issues
13:59:23 <sagar_nikam> in liberty
13:59:44 <alexpilotti> sure, happy to help
13:59:49 <sagar_nikam> thanks
13:59:59 <sagar_nikam> we will reach to your team if required
14:00:06 <alexpilotti> we're also going to backport a lot of stuff to Liberty / Kilo as soon as Mitaka is fully released
14:00:18 <alexpilotti> cool thanks!
14:00:21 <alexpilotti> time's over!
14:00:28 <sagar_nikam> thank you all
14:00:32 <alexpilotti> thanks y'all for joining!
14:00:37 <alexpilotti> #endmeeting