16:34:14 <SamYaple> #startmeeting kolla
16:34:15 <openstack> Meeting started Wed Dec 30 16:34:14 2015 UTC and is due to finish in 60 minutes.  The chair is SamYaple. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:34:16 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:34:18 <openstack> The meeting name has been set to 'kolla'
16:34:27 <SamYaple> #rollcall
16:34:42 <rhallisey> #topic rollcall
16:34:46 <rhallisey> ^
16:35:06 <inc0> o/
16:35:11 <SamYaple> thanks rhallisey
16:35:22 <rhallisey> SamYaple, I can't set it copy paste that
16:35:30 <SamYaple> #topic rollcall
16:35:35 <rhallisey> cool
16:35:36 <rhallisey> hi!
16:35:37 <inc0> o/
16:35:45 <SamYaple> because I have started the meeting I am the only one who can change topic?
16:35:50 <rhallisey> ya
16:36:34 <SamYaple> ok we will give a few for the meeting for people to join
16:36:49 <SamYaple> nihilifer: ping
16:37:12 <SamYaple> hello ajafo
16:37:19 <ajafo> hi
16:38:20 <Jeffrey4l> 0/
16:38:24 <Jeffrey4l> \o/
16:38:25 <SamYaple> o/
16:38:28 <Jeffrey4l> Just forgot.
16:38:34 <Jeffrey4l> sorry.
16:38:37 <SamYaple> no problem
16:38:47 <SamYaple> waiting until 16:40 for rollcall
16:40:14 <SamYaple> #topic binary-ubuntu
16:40:25 <SamYaple> #link  https://blueprints.launchpad.net/kolla/+spec/binary-ubuntu
16:40:47 <SamYaple> So on this topic, ajafo has been doing a lot of work to add in binary support for ubuntu
16:41:08 <SamYaple> on the ML it was pointed out that canonical is attempting to do newer packages in the mitaka-staging repo
16:41:20 <SamYaple> that repo however, only has some mitaka packages and some liberty packages
16:41:39 <SamYaple> that has been my experience with cloud-archive from the beginning, half complete-ness
16:41:53 <SamYaple> because of that at least for now, I would suggest _not_ switching to the staging repo
16:42:10 <SamYaple> this means the original plan would stick in place of using liberty packages until mitaka is actually released
16:42:16 <SamYaple> thoughts?
16:42:29 <Jeffrey4l> agreed.
16:43:01 <ajafo> at this moment imho it's right way
16:43:28 <Jeffrey4l> I saw nova 13.0.0 was updated a few hours ago. we are told the mitaka staging will be prepared in one week after the new year. So we can switch to that after that.
16:43:43 <SamYaple> well you are doing most of the work ajafo, so I will trust your opinion here. as Jeffrey4l we can always change later
16:44:03 <SamYaple> ajafo: do you have anything you would like to add on the subject of binary-ubuntu?
16:44:24 <ajafo> nothing else only sorry @all for my first commit and lots of mistakes at the beginning
16:44:37 <ajafo> now should be better
16:44:42 <SamYaple> no need to apologize. it was a good commit! just large
16:44:53 <SamYaple> thank you for your work, it is appreciated
16:45:01 <ajafo> thanks
16:45:10 <SamYaple> #topic kolla ansible docker module
16:45:21 <SamYaple> this will be short since it has been discussed before
16:45:31 <SamYaple> the docker module is ready for review
16:45:35 <SamYaple> #link https://review.openstack.org/#/c/248812/
16:45:53 <SamYaple> it allows us to remove the docker 1.8.2 and docker-py 1.5.0 pinning and move on
16:46:10 <SamYaple> please all eyes are useful on that patch because it is a major change for kolla-ansible
16:46:24 <SamYaple> any questions or concerns on this subject?
16:46:45 <rhallisey> none
16:46:47 <Jeffrey4l> no
16:47:15 <SamYaple> wonderful, moving on
16:47:24 <SamYaple> #topic ssl all the things
16:47:38 <SamYaple> #link https://blueprints.launchpad.net/kolla/+spec/ssl-kolla
16:48:05 <SamYaple> This is a new blueprint i created with the goal to turn all of the interprocess traffic into ssl encrypted traffic for kolla
16:48:14 <rhallisey> excellent
16:48:26 <SamYaple> this was discussed at the last midcycle and there were no objections, just some questions about performance
16:48:37 <SamYaple> as far as I can tell there are no performance issues on modern hardware
16:48:53 <SamYaple> with the exception being rabbitmq ssl intercommunication is... tricky
16:49:03 <inc0> well security > performance in business really
16:49:13 <Jeffrey4l> yes. SSL should be used everywhere for security.
16:49:21 <SamYaple> my idea for how to proceed on this is as follows, please tell me if this approach is flawed:
16:49:26 <inc0> and since performance hit is almost non-existent, for me it's no-brainer
16:49:56 <SamYaple> we need to generate certs internally for kolla to use. it is not practical to tie into an external CA at this time
16:50:20 <SamYaple> we can generate a CA and then sign on the other certs and distribute that self-signed trusted CA to all the nodes and services
16:50:32 <SamYaple> this means all the internal communication is signed and trusted, but its all self-signed
16:50:35 <inc0> let's make this optional and allow people to put their own certs plz
16:50:48 <SamYaple> inc0: thats not practical was my point
16:50:58 <SamYaple> we need to generate certs _per_ _node_
16:51:25 <inc0> I'm thinking about situations where people already have certs deployed
16:51:26 <SamYaple> the external communication through haproxy would have a cert of the users choosing (either provided or self-signed)
16:51:45 <SamYaple> but do people care about interprocess communication? or just external
16:52:00 <SamYaple> my thoughts were it was just external communication that mattered and there they can provide the certs
16:52:36 <inc0> ok, if someone will want this optional, he/she can always implement it
16:52:38 <Jeffrey4l> SamYaple is right. Deploy only one cert to all service is not a good idea.
16:52:58 <SamYaple> inc0: thats fair, if it can be done reasonably
16:53:19 <inc0> it should, I'm not too worried
16:53:29 <SamYaple> so the plan is generate CA and then sign certs based on that (generating a cert per node).
16:53:40 <SamYaple> external haproxy can be provided by the deployer
16:53:41 <ajafo> I don't know how it'll be realized but if by some kind of script it can be split on part to generate and part to deploy certs, and then if someone have certs maybe he could be only deploy them by script?
16:54:32 <SamYaple> ajafo: it may be possible to do that, ill put up a patchset, can you describe how to accomplish that based on the patchset?
16:54:33 <ajafo> if no then we can generate certs to the same place and then deploy it the same way as external certs
16:55:12 <ajafo> I can try
16:55:20 <SamYaple> thank you.
16:55:29 <SamYaple> ok thats all i have on this subject. other thoughts about ssl?
16:56:06 <Jeffrey4l> What the OPs need to provide? a CA?
16:56:20 <SamYaple> Jeffrey4l: nothing. They will need to provide nothing by default
16:56:40 <SamYaple> we can generate the CA and the certs (since this traffic never leaves the internal network)
16:57:15 <Jeffrey4l> I know this case. What about the "if someone will want this optional, he/she can always implement it"
16:57:38 <Jeffrey4l> don't we support custom the CA/certs?
16:57:48 <SamYaple> i dont have a problem if someone provides a CA, its the matter of "how well does the code do it"
16:57:58 <Jeffrey4l> ok
16:57:59 <SamYaple> im trying to avoid bloated or bad code
16:58:22 <SamYaple> i have a few ideas on the subject of how to do this, but i cant guarantee it works
16:58:40 <SamYaple> i can guarantee that the kolla generated ca and certs will work
16:58:58 <Jeffrey4l> Great. wait for your PS.
16:59:05 <SamYaple> cool
16:59:13 <SamYaple> anything else on ssl?
16:59:35 <SamYaple> ok thats all i have
16:59:40 <SamYaple> #topic open-discussion
16:59:46 <SamYaple> who would like the floor?
17:00:28 <rhallisey> at some point I'm going to try out kolla kube.  Probably won't be until after the midcycle
17:00:56 <SamYaple> rhallisey: cool. i feel like kolla-mesos and kolla-kube will be very similar implementations
17:01:16 <SamYaple> are you planning on starting a kolla-kube repo?
17:01:27 <rhallisey> ya
17:01:33 <Jeffrey4l> Will kolla-mesos/kolla-kube be merged back into kolla code base?
17:01:39 <SamYaple> Jeffrey4l: no
17:01:40 <rhallisey> no
17:01:48 <SamYaple> in fact the plan is to pull out the ansible code
17:01:50 <SamYaple> to kolla-ansible
17:02:02 <SamYaple> kolla will be for building containers
17:02:27 <Jeffrey4l> ok.
17:02:47 <Jeffrey4l> So where the ansible code go?
17:03:08 <SamYaple> kolla-ansible repo (has not been created yet)
17:03:11 <Jeffrey4l> see it.
17:04:18 <SamYaple> ok well everyone I do not have anything else today. Would we like to end early?
17:04:46 <Jeffrey4l> yep
17:05:01 <SamYaple> 1 minute until i end meeting unless i hear otherwise
17:05:59 <rhallisey> got nothing
17:06:03 <SamYaple> thanks for coming out everyone!
17:06:08 <SamYaple> live long and kolla
17:06:11 <SamYaple> #endmeeting