Wednesday, 2015-09-23

« Tuesday, 2015-09-22 Index Thursday, 2015-09-24 »
*** k_stev has joined #openstack-ansible00:17
*** k_stev has quit IRC00:17
*** tiagogomes has quit IRC00:34
*** markvoelker has joined #openstack-ansible00:40
*** tiagogomes has joined #openstack-ansible00:47
*** abitha has quit IRC00:57
*** kerwin_bai has joined #openstack-ansible01:46
*** darrenc is now known as darrenc_afk02:21
*** kerwin_bai has quit IRC02:22
openstackgerritJimmy McCrory proposed openstack/openstack-ansible: Configure HAProxy SSL frontends with cipher suite  https://review.openstack.org/22661002:23
*** stevelle_ is now known as stevelle02:31
cloudnulllogan2: did you get it worked out? hash failure typically means that there's a broken link within the repo infra somewhere.02:41
logan2nope it is still happening02:43
logan2i tried blowing away the repo containers and rebuilding from scratch02:43
cloudnullnew deployment ?02:45
logan2broken link tip helps.. here's what I am seeing02:45
logan2http://paste.gentoolinux.info/qavuneduru.coffee02:46
cloudnullthe index process loops through and creates an index.html file with links to all of the build wheels. in href yaprt sets the md5 content type for hashing the wheel.02:46
cloudnullare you cloning the rpc-openstack mirror by chance ?02:47
cloudnullsorry. rpc-repo ?02:47
logan2i believe it is using rpc-repo, not 100% clear on how the whole repo setup works yet02:47
cloudnullkilo / master based deployment?02:48
logan2kilo, yes02:48
logan2roles/repo_server/files/openstack-wheel-builder.py:                'https://rpc-repo.rackspace.com/pools',02:48
*** darrenc_afk is now known as darrenc02:49
logan2http://paste.gentoolinux.info/bahoxosasu.avrasm02:51
logan2looks like it is creating the link to ansible-lint instead of ansible_lint02:51
logan2there are a bunch of broken links in this 11.1.0 directory and at first glance it looks like a lot of them may result from this - vs _ issue02:54
logan2http://paste.gentoolinux.info/ujibuvoqac.avrasm02:55
*** kerwin_bai has joined #openstack-ansible02:55
cloudnullin the mirror the links seem to be fine. http://rpc-repo.rackspace.com/os-releases/11.1.0/02:57
cloudnullwhich likely means there's an issue with the rsync command https://github.com/openstack/openstack-ansible/blob/kilo/playbooks/repo-clone-mirror.yml#L2802:59
cloudnullor maybe it didnt complete ?02:59
logan2i just deleted /var/www/repo, running repo-clone-mirror playbook--guessing that is what builds that dir hopefully03:01
*** markvoelker has quit IRC03:01
logan2appears to be as it is now filling up03:01
cloudnulllet me know how it goes .03:01
logan2links are all good now after rsync completed03:03
logan2thanks!03:03
* logan2 tries repo-build again03:03
* cloudnull trying the same :)03:06
logan2so for a production deployment is it still recommended to clone rpc-repo? or is there a method to rebuild that structure locally03:07
cloudnullin prod, we've been just running repo-build.yml03:08
cloudnullfirst repo-server.yml then repo-build.yml which will recreate that structure locally.03:09
cloudnulland will only build the wheels that are needed for the given deployment.03:09
logan2ahhh ok, so essentially what run-playbooks.sh does. I guess somehow that got messed up earlier when I was trying to get the local git sources worked in and broke all those links.03:10
cloudnullits possible.03:11
cloudnullits also confusing.03:12
cloudnullmaybe we need to remove that from the meta play03:12
*** Manojit has joined #openstack-ansible03:14
ManojitHi after reboot the controller I 'm getting error in running openstack command03:15
ManojitERROR (GatewayTimeout): Gateway Timeout (HTTP 504)03:15
*** markvoelker has joined #openstack-ansible03:16
*** cemmason has joined #openstack-ansible03:17
cloudnullManojit: I assume your loadbalancer is up? is it able to route traffic to the other infra nodes?03:17
cloudnullalso check your galera cluster to make sure its up and showing that its wsrep has nodes in it.03:18
ManojitThe setup is on AIO03:18
cloudnullah03:18
Manojitand haproxy is running03:18
cloudnullyou need to rerun the galera plays to rebootstrap the node.03:18
ManojitI have kept all single container03:19
*** skamithi13 has joined #openstack-ansible03:19
cloudnullon restart it wont bring back the galera cluster automatically from catastrophic failure. this is to prevent data loss.03:19
cloudnullopenstack-ansible galera-install.yml will rebootstrap the galera node(s) and you should be good to go.03:20
cloudnullif it prsents you with a failure , it should also provide the variable required to make it go.03:21
Manojitopenstack-ansible galera-install.yml is failing03:21
logan2well cloudnull thanks for the help, the indexes generated this time so I am going to call it a night and keep hacking on it tomorrow. hopefully it is deploying from my local git branches now. :)03:21
Manojitopenstack-ansible galera-install.yml03:21
cloudnullIE you might need to run: openstack-ansible galera-install.yml -e galera_ignore_cluster_state=true03:21
cloudnulllogan2: have a good one.03:21
cloudnullnice!03:22
cloudnulllogan2: BTW did you get it to go with SSH ?03:22
cloudnullor is it using something else ?03:22
ManojitYes it fixed the isssue..03:23
logan2no i ended up cloning from github to a local http mirror and putting it behind htaccess for now. i even tried using authenticated https against github but it was failing because it seems like the extra @ was messing up yaprt03:23
ManojitThanks cloudnull :)03:23
ManojitI have another issue with provisioning VM..03:24
logan2but if that were fixed I think I could clone directly from github with authenticated https :)03:24
cloudnulllogan2:  ill ping you later maybe we can integrate those features in the yaprt code base so that it can take of those things for you.03:25
cloudnullfor now, have a good night :)03:25
cloudnullManojit: whats up ?03:25
logan2thanks that would be great! ttyl03:25
ManojitGood night..03:25
ManojitUnable to mount image /var/lib/nova/instances/38262ad8-2c67-4f37-870d-0f9d507dd1ea/disk with error libguestfs installed but not usable (/usr/bin/supermin-helper exited with error status 103:26
ManojitI did "update-guestfs-appliance" and restarted nova-compute service03:27
Manojitas root03:27
ManojitStill the issue remains..03:28
ManojitSo it rebooted the box ..03:28
ManojitLet me try again now03:28
cloudnullsorry. what are you wanting to do ?03:29
cloudnulli think i missed part of that03:29
ManojitThe issue is that VM provising is failing with error03:30
ManojitUnable to mount image /var/lib/nova/instances/38262ad8-2c67-4f37-870d-0f9d507dd1ea/disk with error libguestfs installed but not usable (/usr/bin/supermin-helper exited with error status 103:30
cloudnullive not seen that03:31
ManojitSeems it is a bug..03:31
ManojitI saw some bug reported..03:32
*** fawadkhaliq has joined #openstack-ansible03:32
Manojithttps://bugs.launchpad.net/fuel/+bug/146757903:33
openstackLaunchpad bug 1467579 in Fuel for OpenStack "libguestfs doesn't work on Ubuntu without root permissions" [Medium,Confirmed] - Assigned to Alexei Sheplyakov (asheplyakov)03:33
ManojitI tried to follow the work around but still issue persist03:33
cloudnullhave you chmod 0644 /boot/vmlinuz* ?03:34
cloudnullis the perms still 0600 ?03:34
Manojit-rw------- 1 root root 5776416 May  2  2014 /boot/vmlinuz-3.13.0-24-generic -rw------- 1 root root 5821152 Aug 14 18:07 /boot/vmlinuz-3.13.0-63-generic03:35
Manojitlet me do 64403:35
cloudnullin reading https://bugs.launchpad.net/devstack/+bug/1413142 it looks like an issue for Ubuntu + libguestfs .03:35
openstackLaunchpad bug 1413142 in OpenStack Compute (nova) "bad configuration for libguestfs" [Medium,Confirmed]03:35
cooljManojit: try chown -r nova:nova /var/lib/nova03:35
cloudnullcoolj:  for prez!03:35
cloudnull:)03:35
Manojitdone chmod 0644 /boot/vmlinuz*03:37
cloudnullseems like this was a decision made by ubuntu and one they dont want to undo: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/75972503:38
openstackLaunchpad bug 759725 in hobbit-plugins (Ubuntu) "The kernel is no longer readable by non-root users" [Undecided,In progress] - Assigned to Axel Beckert (xtaran)03:38
Manojitlet me try provisioning again03:38
openstackgerritMiguel Alejandro Cantu proposed openstack/openstack-ansible: Add OpenID Connect RP Apache Module[WIP]  https://review.openstack.org/22661703:41
Manojitsome progress..03:45
Manojitbut new error03:45
Manojit2015-09-22 22:40:18.185 6861 TRACE nova.compute.manager [instance: e9ee0175-79c0-4683-8055-02d63cc86205]     _("Unexpected vif_type=%s") % vif_type) 2015-09-22 22:40:18.185 6861 TRACE nova.compute.manager [instance: e9ee0175-79c0-4683-8055-02d63cc86205] NovaException: Unexpected vif_type=binding_failed03:45
cloudnullvif binding issues are generally a problem with the user_config file.03:45
cloudnulltypically we've seen lots of folks running with the flat network entry03:46
cloudnulland not setting up the interface on hostbind_override03:46
cloudnullthat said, if you dont need or want that network type i'd remove it03:46
cloudnullim off to sleep. take care all.03:47
Manojitpls take rest cloudnull..03:48
Manojitthanks for ur help03:49
Manojiti will continue with my timezone people03:49
ManojitMy user_config file looks as default03:51
Manojitcidr_networks:   container: 172.29.236.0/22   tunnel: 172.29.240.0/22   storage: 172.29.244.0/22  used_ips:   - "172.29.236.1,172.29.236.50"   - "172.29.240.1,172.29.240.50"   - "172.29.244.1,172.29.244.50"   - "172.29.248.1,172.29.248.50"  global_overrides:   internal_lb_vip_address: "{{ external_lb_vip_address }}"   external_lb_vip_address: 75.126.87.231   tunnel_bridge: "br-vxlan"   management_bridge: "br-mgmt"   provi03:51
Manojit- network:         container_bridge: "br-vlan"         container_type: "veth"         container_interface: "eth12"         host_bind_override: "eth12"         type: "flat"         net_name: "flat"         group_binds:           - neutron_linuxbridge_agent03:52
Manojitwhere to set hostbind_override on03:53
*** tlian2 has joined #openstack-ansible04:01
*** tlian has quit IRC04:02
*** kerwin_bai1 has joined #openstack-ansible04:13
*** kerwin_bai has quit IRC04:14
*** kerwin_bai1 is now known as kerwin_bai04:14
ManojitI have the network setup as VXLAN both for public and private lan in neutron04:16
Manojiti have two bridge one flat and one vxlan04:17
*** kerwin_bai has quit IRC04:18
*** skamithi13 has quit IRC04:18
*** skamithi13 has joined #openstack-ansible04:18
ManojitHi Team..04:18
Manojitgetting error NovaException: Unexpected vif_type=binding_failed while vm provisioning..04:19
openstackgerritJimmy McCrory proposed openstack/openstack-ansible: Allow protocol to be set per endpoint-type  https://review.openstack.org/22662104:32
*** fawadk has joined #openstack-ansible04:33
*** fawadkhaliq has quit IRC04:35
ManojitDoes anyone experienced "getting error NovaException: Unexpected vif_type=binding_failed" error04:47
*** elo has joined #openstack-ansible05:10
*** elo has quit IRC05:23
*** Manojit has quit IRC05:46
*** kerwin_bai has joined #openstack-ansible05:56
*** elo has joined #openstack-ansible05:57
*** elo has quit IRC06:07
*** fawadk has quit IRC06:14
*** kerwin_bai has quit IRC06:15
*** fawadkhaliq has joined #openstack-ansible06:17
*** cloudnull has quit IRC06:18
*** b3rnard0 has quit IRC06:18
*** b3rnard0 has joined #openstack-ansible06:18
*** cloudnull has joined #openstack-ansible06:21
*** cemmason2 has joined #openstack-ansible06:22
*** cemmason has quit IRC06:24
*** fawadk has joined #openstack-ansible06:32
*** fawadkhaliq has quit IRC06:33
*** tlian2 has quit IRC06:37
*** skamithi13 has quit IRC06:38
*** kerwin_bai has joined #openstack-ansible06:40
*** kerwin_bai1 has joined #openstack-ansible06:45
*** kerwin_bai has quit IRC06:47
*** kerwin_bai1 is now known as kerwin_bai06:47
*** fawadkhaliq has joined #openstack-ansible06:51
*** kerwin_bai has quit IRC06:51
*** fawadk has quit IRC06:52
*** fawadk has joined #openstack-ansible06:58
*** neilus has joined #openstack-ansible06:59
*** fawadkhaliq has quit IRC07:00
*** fawadkhaliq has joined #openstack-ansible07:09
*** fawadk has quit IRC07:10
*** markvoelker has quit IRC07:15
*** javeriak has joined #openstack-ansible07:18
*** elo has joined #openstack-ansible07:31
*** skamithi13 has joined #openstack-ansible07:38
*** fawadkhaliq has quit IRC07:49
*** fawadkhaliq has joined #openstack-ansible07:50
*** cemmason2 has quit IRC07:57
*** javeriak has quit IRC08:13
*** markvoelker has joined #openstack-ansible08:15
*** kukacz has joined #openstack-ansible08:19
*** kukacz has quit IRC08:20
*** markvoelker has quit IRC08:20
*** kukacz|75601 has joined #openstack-ansible08:21
*** kukacz|75601 has quit IRC08:21
*** cemmason1 has joined #openstack-ansible08:22
*** kukacz has joined #openstack-ansible08:28
*** vdo has joined #openstack-ansible08:34
*** gparaskevas has joined #openstack-ansible08:39
*** elo has quit IRC08:42
*** neilus has quit IRC08:47
*** neilus has joined #openstack-ansible08:48
*** neilus has quit IRC08:51
*** neilus has joined #openstack-ansible08:54
*** skamithi14 has joined #openstack-ansible09:29
*** skamithi13 has quit IRC09:33
*** cemmason2 has joined #openstack-ansible09:33
*** gparaskevas has quit IRC09:34
*** cemmason1 has quit IRC09:35
tiagogomeshi, is there a way to disable load balancing for the networking hosts?09:55
tiagogomesI would like that the network hosts behaved more like active/passive09:56
mattttiagogomes: not fully sure i understand the question09:56
mattttiagogomes: are you talking about the neutron-agents container ?09:56
tiagogomesyes, the agents container (and maybe the neutron server container) as well09:58
mattttiagogomes: it makes sense to LB neutron-server09:59
mattttiagogomes: the services in neutron-agents container aren't behind LB last i recall09:59
tiagogomesunder my physical network setup, I think that having two active neutron-agents is not going to perform well10:00
odyssey4metiagogomes the way it works is that networks and routers are scheduled to one or the other agent, not both10:00
mattttiagogomes: that's fine, you can just run one neutron-agents container on the desired host10:00
odyssey4methe stuff is only rescheduled to the other agent if one of them goes down10:01
tiagogomesyes but one or another is problematic to me. I would like to go to always on network host A, unless host A is down10:03
matttodyssey4me: why remove the galera note in https://review.openstack.org/#/c/222831/1/scripts/run-aio-build.sh ?10:15
matttif those details aren't correct can we correct them?10:15
*** gparaskevas has joined #openstack-ansible10:16
*** markvoelker has joined #openstack-ansible10:17
odyssey4metiagogomes as I recall that is how it gets done anyway as the neutron scheduler isn't too smart - unless they've updated the scheduler to be smarter... there may be a scheduler filter option you can use there10:17
odyssey4memattt heh, I thought the old note was still in there - it looks like the existing note is ok10:18
matttodyssey4me: i'm not actually sure if the details are correct, but having something correct written to MOTD would be helpful!10:18
mattt(there is a playbook that will rebootstrap right?)10:19
odyssey4methat was a quick two minute review to try and correct the stuff above it10:19
matttor rather a task10:19
odyssey4mewell, I think the right way is to shut all the containers down, then bring them up in the right order - or something like that10:19
odyssey4meanyway, I'll remove that edit10:19
matttok cool10:20
*** ashishjain has joined #openstack-ansible10:20
ashishjainhello10:20
matttashishjain: howdy10:20
ashishjainmattt: good...howsz u?10:21
openstackgerritJesse Pretorius proposed openstack/openstack-ansible: Update the AIO build convenience script  https://review.openstack.org/22283110:21
*** markvoelker has quit IRC10:21
mancdazodyssey4me mattt that note makes no sense10:21
odyssey4memancdaz it's git-harry's fault ;)10:22
mancdazto do this execute: ""10:22
matttashishjain: not bad, how you doing today?10:22
matttmancdaz: yeah that isn't right10:22
ashishjainmattt: Surrounded with issues :)10:23
matttashishjain: well that's not good!  how can we help?10:23
ashishjainmattt: I have got 3 hosts setup for osad - 2 hosts have got all the infra components and one host is log and compute host.10:23
matttk10:24
ashishjainmy compute hosts is unable to ping any container running on one of the infra hosts and vice versa. However communication b/w another infra and compute hosts is just working fine10:25
ashishjainmattt: any clue what may be wrong?10:25
mancdazashishjain a related note on that setup - a 2 node cluster for rabbit/galera is dangerous because if you lose one, the cluster loses quorum and will fail10:25
mancdazso you may as well have only one10:26
ashishjainmacdaz: you got it right...since yesterday I have been facing issues with galera and rabbitmq10:26
mancdazquorum based clusters work best in odd multiples, so 3 would be a minimum for HA10:26
ashishjainmacdaz: how can I get rid of one for time being?10:26
ashishjainsorry for type mancdaz10:27
git-harrymancdaz: odyssey4me yeah, execute nothing and read the manual10:27
git-harrymakes perfect sense10:27
gparaskevasashishjain: on topic are you compute hosts and infra hosts vms on same hypervisor or vms on diferent hypervisors? or physical machines?10:27
mancdazashishjain you'd need to manually remove the galera container from the galera cluster, and same for rabbit10:27
mancdazthe api stuff should be fine10:27
mattti think you're ok w/ 2 rabbit nodes?  galera is def. a problem tho10:28
ashishjaingparaskevas: My setup is on Vbox vms  so computes host, infra host are all vm using same hypervisor.10:29
*** gparaskevas_ has joined #openstack-ansible10:30
ashishjainmatt mancdaz this is just a test setup for now...but the bigger plan is to have osad on industry grade servers , will you recommend the same( one rmq and one galera) even for that?10:30
mancdazashishjain no, at least 310:30
ashishjaingparaskevas_: My setup is on Vbox vms  so computes host, infra host are all vm using same hypervisor.10:30
matttashishjain: minimum 3 for sure10:30
ashishjainmancdaz mattt why 3 ?10:31
ashishjainwhy min 3?10:31
matttashishjain: quorum10:31
mancdazashishjain because of the way quorum based clustering protocols work10:31
ashishjainmattt okay got it10:31
*** gparaskevas has quit IRC10:31
matttashishjain: sorry not sure about your networking issue, sounds like it could be one of many things :(10:32
ashishjainmattt: thanks for this  will make sure to have 3 nodes min for each10:33
odyssey4meashishjain not three nodes min for each - just three hosts to run the controller containers on10:33
odyssey4meashishjain if your compute vm cannot contact your containers, then there clearly is a problem in the way the networking is setup for those hosts or the virtual environment you're using10:34
mancdazashishjain for your test enviornment, you could build an all in one10:34
ashishjainodyssey4me:  got it10:34
odyssey4memake sure you don't have something like mac spoof protection in the hypervisor which prevents networking comms from any mac other than the NIC of the vm10:35
*** javeriak has joined #openstack-ansible10:35
odyssey4mecan the compute host talk to its logging container?10:35
ashishjainodyssey4me: till yesterday everything was fine, since I was not able to spin up an instance ... I jsut rebooted all the vm's and since than all these issues have popped up, initally my nova condutor stopeed talking to galera and since today now host communications have also stopped bw/w one infra and compute10:35
*** willemgf has joined #openstack-ansible10:35
mancdazashishjain is mariadb/mysql actually running on either of the 2 hosts?10:36
*** skamithi14 has quit IRC10:42
*** skamithi13 has joined #openstack-ansible10:42
gparaskevas_if you have vlans there maybe a problem with that i guess...10:46
ashishjainodyssey4me macda sorry got a call10:46
gparaskevas_or after reboot somethng not up10:47
ashishjainodyssey4me : compute hosts can talk to logging container10:47
gparaskevas_galera doesnt come up automatically btw10:47
ashishjaincompute hosts is also able to ping one of the rabbitmq host and not the other one10:47
gparaskevas_and containers take about 10 minuts to come up after reboot10:47
ashishjainmacdaz: yes mariadb is running on 2 different hosts(vm)10:48
ashishjaingparaskevas: the problem now is lxc's on one vm is not reachable from another vm(compute)10:49
ashishjainso as mattt mancdaz has said I need to first get rid of galera and rmq cluster10:50
ashishjainas I am using 2 ndoes10:50
mancdazashishjain no, if both are up things would work10:50
mancdaz2 nodes is risky in case one goes down10:50
mancdazashishjain if you say mariadb is running on both nodes, that should not be an issue10:51
mancdazif you're not able to ping one lxc container on one node, from a container on another node, you've got networking issues that are outside the osa deployment10:51
ashishjainmancdaz looks like rabbitmq is up and running fine on both the nodes, but mariadb is only up on one node10:53
ashishjainmancdaz trying to start it but seems to be hanged10:53
ashishjainmancdaz can you please suggest how can i remove one maria db instance10:54
mancdazashishjain I would stop mariadb on the other node first10:56
ashishjainokay10:57
ashishjaindone10:57
mancdazthen start it back up with 'service mysql start --wsrep-new-cluster'10:58
mancdazthen once it's up, start the other one with 'service mysql start' - it should join the other node in the cluster10:58
mancdazashishjain it may be quicker to just perform a fresh deployment, since we don't know the state of any of the rest of the components and it might take longer to work through those, than it would just to deploy from scratch11:03
mancdazgiven this is just a testing environment11:03
ashishjainmancdaz yes you seem to be correct ... the second mysql instance is not coming up :(11:04
ashishjainmancdaz okay I shall try a new deployment11:05
mancdazashishjain probably easier11:05
mancdazashishjain maybe run an all-in-one?11:05
mancdazdepends what you're testing11:05
ashishjainmancdaz regading the download from rackspace can I re- use  the cache I have downloaded11:05
ashishjainmandaz  I want my test environment to be as close to the actual environment and hence all-in-one will not suite my needs11:06
ashishjainI will have to redo the multi node one11:06
mancdazashishjain then I'd suggest 3 infra nodes11:06
mancdazplus computes/storage11:06
ashishjainmancdaz okay I got a laptop with 8 gb ram11:06
ashishjainand ubuntu on it11:06
mancdazashishjain hmm11:06
ashishjaincan I still have 3 nodes?11:07
mancdazashishjain it's going to be a bit of a squeeze trying to get 3 infra nodes, plus compute, plus then spinning up some instances11:07
ashishjaincan I still have 3 nodes for infra and atleast one for compute ... what could be the ideal RAM and CPU config for these 4 VMs?11:07
ashishjainmancdaz spiining instance is fine I will live with cirros11:08
mancdazashishjain sure, but it takes memory too11:08
ashishjainyesterday I was able to use glance, create network, use horizon etc , while trying to spin up instance was when all the issues started and than trying to fix it up brought my setup to this state :)11:09
mancdazashishjain fyi the aio actually spins up 3 galera containers, and 3 rabbit containers, in a single host11:09
ashishjainso ideally I have eaten half the cake11:09
ashishjainwhat's aio?11:09
mancdazall in one11:09
ashishjainok11:09
mancdazit's a single host, but because everything is container based, you can deploy multiple containers of the same type on a single host11:10
mancdazso you get a 3 node galera cluster, a 3 node rabbit cluster, but only use a single vm11:10
ashishjainmancdaz thats good but more importantly than multiple containers I think setting up the host networking is the one which seems to be slighlty complex.11:11
ashishjainI have use br-mgmt br-vxlan and br-vlan11:11
ashishjainand I want to make sure this config is correct11:11
mancdazashishjain right, but you're dealing with vbox networking, which  is not representative of real world networking11:11
mancdazso you could spend a day dealing with something that's specific to vbox11:11
ashishjainYa I do agree but you know the servers on which I plan to finally deploy openstack has got 2 nic's11:12
ashishjainout of 2 one would go to internet11:12
ashishjainand other would be used to connect with another server with same config and 2 nic cards11:13
ashishjainso ideally I will be using only one nic which is the same as my laptop11:13
ashishjaincurrently I am using vbox11:13
ashishjainbut on those servers I plan to use libvirt(kvm) to spin up the vm's and libvirt bridges to create the 4 network interfaces11:14
ashishjainhere I am using vboxnet0,1,2,3 etc11:14
ashishjainso you see this setup and the one on the servers will be almost similar11:14
mancdazashishjain even putting all infra containers into a single vm, and maybe having one or 2 compute nodes, you're still going to be testing the networking setup11:14
ashishjainahhh mancdaz .. you are correct :D11:15
ashishjainall right I am all set to use aio11:15
ashishjainIs it possible to reuse the cache .... so that no dowloads from internet?11:15
ashishjainjust to speedup the complete process?11:16
mancdazashishjain given that the cache is inside the current deploy, I think not11:16
ashishjainokay mancdaz mattt yesterday pointed out to https://github.com/openstack/openstack-ansible/blob/master/playbooks/repo-install.yml11:17
mancdazodyssey4me how long does the gate usually take?11:17
mancdazashishjain yes that's a play that builds local repo servers, but they get built in containers in the deployment11:17
mancdazso if you destroy those vms from the last deployment, that gets lost11:17
ashishjainI think better approach will to have kilo cache downloaded permanently11:17
*** markvoelker has joined #openstack-ansible11:17
ashishjainmancdaz how can I replicate this -> http://rpc-repo.rackspace.com/11:18
ashishjainpermanently for my use?11:18
ashishjainI think this is where all the cache is downloaded from?11:18
ashishjaincan this be integrated with something like nexus?11:19
mancdazashishjain you can run those plays and keep the containers around somewhere outside the deployment. then you need to point at it when you run a deployment11:19
ashishjainokay but no way to rsync or replicate this http://rpc-repo.rackspace.com/?11:20
ashishjainin my local system?11:20
mancdazashishjain sure, you could just mirror it11:20
ashishjainmancdaz: what kind of repo is this -> http://rpc-repo.rackspace.com/??11:21
mancdazashishjain it's just a set of files really11:22
*** markvoelker has quit IRC11:22
mancdazit's not really a structure repo as such11:22
ashishjainmancdaz: how do I mirror it than?11:22
ashishjainrsync?11:23
mancdazashishjain sure11:23
ashishjainokay wget may also work I guess?11:24
mancdazashishjain yeah there are a ton of tools to do that :)11:24
ashishjainokay cool ... thanks I will try to get the complte content ... this is kilo stuff right?11:25
*** javeriak has quit IRC11:33
mancdazashishjain yeah11:41
mancdazand juno11:41
mancdazand icehouse11:41
mancdazit's all there11:41
ashishjainmancdaz: aah nice! thanks a lot for for your time and help11:45
mancdazashishjain np11:45
*** cristicalin has joined #openstack-ansible11:49
odyssey4memancdaz sorry - was at the consulate collecting my visa - back on thr train now11:54
mancdazodyssey4me np, seems like a normal gate takes around 59 mins11:54
odyssey4memancdaz the gate check completes at around 60-70 mins normally, depending on whether it runs on rax or hp nodepool instances11:55
mancdazodyssey4me I'm just comparing bad/good gate to see where time is being lost because there's no obvious failures that I can see11:55
mancdazodyssey4me k11:55
odyssey4memancdaz is that with regards to https://review.openstack.org/225367 ?11:56
mancdazodyssey4me right11:56
*** skamithi14 has joined #openstack-ansible11:58
odyssey4meashishjain I would recommend against mirroring the whole of rpc-repo. If you use the repo-build play (instead of the repo-sync play) then you will get a local mirror of only the python files you need. You can then also implement your own copy of the image file that's downloaded for the container base, and also implement your own apt mirror. You can then override the default URL's with your own in user_variables so that your own mirror11:58
odyssey4me gets used.11:58
odyssey4meWe don't have roles/plays for building an apt mirror at this point, and I'm working on testing a replacement for the container base image to rather build it locally in https://review.openstack.org/225264 - but that is very, very early and not working just yet.11:59
*** skamithi13 has quit IRC11:59
odyssey4merpc-repo as it stands has a lot of historical stuff which a modern deployment doesn't need - it contains stuff that goes back to Icehouse. :)11:59
odyssey4memancdaz yeah, I get that we could be more surgical and would like to see that - but I don't get why removing all that stuff ends up with a longer than normal build time. It seems odd.12:00
mancdazodyssey4me right, that's what I'm looking at12:01
openstackgerritZhao Lei proposed openstack/openstack-ansible: Remove quotes from subshell call in bash script  https://review.openstack.org/22671412:04
openstackgerritZhao Lei proposed openstack/openstack-ansible: Use pure variable name in $(()) statement  https://review.openstack.org/22671512:05
odyssey4memattt is https://review.openstack.org/226325 something you'd like to see backported to kilo?12:07
openstackgerritMatt Thompson proposed openstack/openstack-ansible: Allow tempest to deploy when no heat in environment  https://review.openstack.org/22672712:12
matttit's pretty trivial, but why not :)12:12
evrardjpwho doesn't deploy heat those days anyway ;)12:13
*** kukacz has quit IRC12:16
openstackgerritChristopher H. Laco proposed openstack/openstack-ansible: Fix for keystone LDAP pkg missing  https://review.openstack.org/22674012:20
*** markvoelker has joined #openstack-ansible12:20
*** fawadkhaliq has quit IRC12:21
*** fawadkhaliq has joined #openstack-ansible12:22
mancdazodyssey4me aside from making the runs take longer, the arp cache flush fix actually doesn't cause breakage12:25
*** woodard has joined #openstack-ansible12:26
odyssey4memancdaz ok, that's good - but I would have thought that removing those bits should make it go faster not slower... so what gives?12:28
mancdazodyssey4me dunno12:28
mancdazodyssey4me just everything seems to take longer :/12:28
evrardjparp cache flush isn't bad to run on first (but it's useless to run that many times), so I agree with the idea of https://review.openstack.org/#/c/225367/12:29
odyssey4meover 30 minutes longer :/12:29
mancdazos-neutron-install.yml 526 seconds, versus 137 seconds in a 'good' gate12:29
mancdazbut it completes just fine12:29
evrardjpcouldn't we do that once in a separate playbook?12:29
odyssey4meevrardjp agreed, but why does not flushing the cache result in such a massive increase in the time taken?12:29
evrardjpinteresting12:30
odyssey4meevrardjp essentially what happens now is that every time the container config changes the container is restarted, and that flushes the cache12:30
*** cemmason2 has quit IRC12:30
evrardjpthat's logical12:30
evrardjpI mean, that makes sense12:31
odyssey4meoh wow, I see that we flush the cache regardless - on every run12:31
odyssey4meso we should perhaps make it conditional instead - flush the cache if the container config changed12:31
mancdazodyssey4me we do it all over the place12:31
evrardjpthat's what I meant12:31
mancdazand we don't need to flush the cache just because we restarted a container12:31
odyssey4memancdaz we only do it after a container config change12:31
mancdazodyssey4me I mean in each playbook12:32
mancdazodyssey4me point being a full cache flush is not needed12:32
odyssey4memancdaz yes, that was necessary after splitting out the container config changes from one place into the multiple playbooks to cut down the down time during an upgrade12:32
odyssey4meand yes I agree, a more surgical approach would be far better12:33
mancdazodyssey4me mostly we don't ever need to do that12:33
odyssey4meit baffles me why not flushing the cache makes it take so much longer...12:33
mancdazregardless, why it takes *longer* is weird12:33
mancdazyes12:34
odyssey4meperhaps we should try an alternative of flushing the cache for just the container that was restarted12:34
odyssey4meit might be that the client connections are still open and aren't properly closed when the container restarts12:34
mancdazodyssey4me that doesn't solve the problem we're trying to solve12:34
odyssey4meso flushing all connections relating to the container might be better?12:34
mancdazodyssey4me we shouldn't ever need to do an entire arp cache flush anywhere12:35
odyssey4meI dunno - I know very little about this level of networking, so I'm just throwing ideas out there. :)12:35
openstackgerritChristopher H. Laco proposed openstack/openstack-ansible: Fix for keystone LDAP pkg missing  https://review.openstack.org/22675012:35
evrardjpgratuitous arp are good on container start12:35
mancdazevrardjp only if the IP changed12:35
mancdazif it didn't, it's not needed12:35
evrardjpin theory12:36
*** ashishjain has quit IRC12:36
evrardjpgratuitous arp isn't really bad per se, that's what I mean12:37
evrardjpflushing arp cache... that's something I find... disruptive12:38
odyssey4meevrardjp yep, that's where this came up - the arp cache flushing affects uptime during upgrades from juno to kilo12:38
evrardjpok12:38
*** skamithi14 has quit IRC12:53
*** skamithi13 has joined #openstack-ansible12:57
mancdazodyssey4me why do we do this https://github.com/openstack/openstack-ansible/blob/master/scripts/run-playbooks.sh#L6613:01
mancdazand this https://github.com/openstack/openstack-ansible/blob/master/scripts/run-playbooks.sh#L6613:01
*** KLevenstein has joined #openstack-ansible13:05
skamithi13odysseyme: what's up? I'm still around. I'm on irc most days. regarding vagrant stuff I thought I said I'd have a first draft by end of Oct. if not that's my plan right now.13:06
*** tlian has joined #openstack-ansible13:11
evrardjpI have a question about rcbops/rpc-openstack/maas/13:26
matttevrardjp: shoot13:27
*** kerwin_bai has joined #openstack-ansible13:27
mattttho i am on a call, so may be slow to respond :)13:27
evrardjpwhy are you using in all the scripts ipaddr from pip, instead of ipaddress which is installed already on far more containers by default?13:27
evrardjpit's just a "ess" to add on a few lines13:27
*** pradk has joined #openstack-ansible13:28
evrardjpthe methods seem the same13:28
evrardjp(at first sight, I'm no expert)13:28
matttevrardjp: i'm not sure personally, let me scan logs ... i'll get back to hyou13:30
evrardjpit's not mandatory but it avoid maintaining packages that do exactly the same thing as others (which are already installed)13:31
matttevrardjp: agree13:31
*** cemmason1 has joined #openstack-ansible13:34
*** k_stev has joined #openstack-ansible13:34
mhaydenmornin'13:38
*** KLevenstein is now known as klev-dentist13:40
matttgit-harry: looks like you initially chose to use ipaddr, do you know why this was used over ipaddress?13:43
git-harrymattt: eh?13:46
matttgit-harry: ha, see evrardjp's question above13:46
odyssey4memancdaz that was added by cloudnull, and I have no idea why that was added - note though that you linked the same line twice13:47
odyssey4meskamithi13 ah, I thought you'd disappeared - do you need any help getting the spec together? have you sorted out your gerrit account?13:49
mancdazodyssey4me oh the other one was https://github.com/openstack/openstack-ansible/blob/master/scripts/run-playbooks.sh#L8413:50
*** cemmason1 has quit IRC13:50
odyssey4memancdaz the reason is apparently for when you use teardown to rebuild: https://github.com/openstack/openstack-ansible/blob/master/scripts/run-playbooks.sh#L8513:51
skamithi13odyssey4me: yeah gerritt acct sorted out I can access review.openstack site.13:51
git-harrymattt: evrardjp no idea, all I can offer is educated guesses13:51
git-harrypatches welcome13:52
odyssey4meskamithi13 great!13:52
skamithi13odyssey4me I'm taking my time. openstack is a beast and its not my day job..so I'm taking it slow.13:54
*** skamithi13 has quit IRC13:58
*** skamithi13 has joined #openstack-ansible13:58
evrardjpgit-harry: what do you prefer for that? PR? it's outside openstack-ansible as it's pure rackspace maas13:59
*** Mudpuppy has joined #openstack-ansible14:00
*** Mudpuppy has quit IRC14:00
*** Mudpuppy has joined #openstack-ansible14:01
matttevrardjp: i'll create a bug for us to look into it14:02
evrardjpit's not really a bug14:03
matttwell no but how else do you capture this in github?  :)14:03
evrardjpit's just a possible improvement14:03
mattts/bug/issue/14:03
matttevrardjp: that's why i wouldn't recommend you just change it, because we'll need to do a bit of testing to ensure it's all good14:04
evrardjpif I patch it, I'll also need to test it ;)14:04
matttevrardjp: ok up to you :)14:04
matttif you want me to create the github issue just let me know14:04
git-harryI think they're the same code so it should be a straight switch14:05
git-harryor basically the same. I think ipaddress is a backport from python 3 and python 3 ipaddress comes from ipaddr14:06
git-harrybut I could be wrong about that14:06
evrardjpit looks like it git-harry14:07
evrardjpjust doing sed -i 's/ipaddr\./ipaddress\./g' * should work ;)14:08
evrardjpor something like that14:08
evrardjpwithout the \ on the second part ofc14:09
*** k_stev has quit IRC14:11
*** k_stev has joined #openstack-ansible14:11
*** willemgf has quit IRC14:14
*** neilus has quit IRC14:14
*** fawadkhaliq has quit IRC14:15
*** phalmos has joined #openstack-ansible14:20
evrardjpI'm not really familiar with yaprt, what should I do if I want to add a pip package on my repository?14:21
matttevrardjp: there are two playbooks to run14:22
evrardjplike for example I'd like to add the pip package django-piwik on my horizon containers, so I'll have my own playbooks/roles to modify what I need, but I need to know what I have to edit14:22
evrardjprepo-build I guess14:22
matttyep and repo-pip-setup.yml14:22
matttyou're not doing this on your prod deploy are you ?14:22
evrardjpnope, but I'll14:22
evrardjpat some point I'll have to14:23
evrardjpnope, but I will*14:23
matttevrardjp: why?  are you planning on using rackspace maas for monitoring?14:24
mattt(you are welcome to use this stuff, just not sure why you would :))14:24
evrardjpthis is something else, I already moved on14:24
mhaydenklev-dentist / Sam-I-Am: is there a doc macro of some sort for making an information box or a warning box of some sort?14:24
evrardjp;)14:24
evrardjpmattt: the maas is used as basis for our monitoring systems14:24
evrardjpthe python scripts are used to partially get the data out for our systems14:25
evrardjpbut that's another story14:25
matttok cool14:25
matttthen opensource patches welcome14:25
mattt:)14:25
evrardjpyeah ofc14:26
evrardjpI'll create an openstack-ansible-zabbix-monitoring when I'll have the time14:26
evrardjpbut I mentionned is something different14:27
odyssey4meevrardjp so we did an additional repo for extra stuff in rpc-openstack14:27
odyssey4meI don't think it's a perfect implementation, but it works14:28
openstackgerritMajor Hayden proposed openstack/openstack-ansible: Merge SSL documentation  https://review.openstack.org/22653314:29
evrardjpI know14:30
evrardjpit's that one right? https://github.com/rcbops/rpc-openstack14:30
evrardjpit's that one that I mention for the change /ipaddr/ipaddress/14:31
evrardjpmentionned*14:31
evrardjpstill for my pip concern, this is something else14:31
evrardjprepo-pip-setup doesn't exist for me mattt14:32
matttevrardjp: https://github.com/rcbops/rpc-openstack/blob/master/rpcd/playbooks/repo-pip-setup.yml14:33
evrardjpok14:33
odyssey4meevrardjp https://github.com/rcbops/rpc-openstack/blob/master/scripts/deploy.sh#L92-L9614:33
odyssey4meyeah, so that's a custom play which uses the pip lockdown role from OSA but adds the extra repo's link and recompiles pip.conf14:34
evrardjpso I shouldn't drop stuff in os-ansible-deployment/playbooks/defaults/repo_packages14:34
odyssey4meand https://github.com/rcbops/rpc-openstack/blob/master/rpcd/playbooks/repo-build.yml is a play which executes the repo build for the custom repo14:35
evrardjpmaybe that only for git14:35
odyssey4meevrardjp of course if you're maintaining a fork then you can simply drop stuff into /playbooks/defaults/repo_pack14:35
odyssey4me...14:35
evrardjpI see what you mean with your "..."14:36
odyssey4meideally we should make the repo system more pluggable I think so that one can simply add more packages if they're needed14:36
evrardjpodyssey4me: indeed14:36
evrardjpI'll just use pip install on my horizon hosts, I'll see what it will do14:37
evrardjpI need to understand this pip process more14:37
odyssey4methe ideal situation for anything that someone wants extra in the repo, whether it be specific wheels needed for storage/network drivers or for additional bits we should allow someone to drop in a file similar to how we do conf.d or env.d and it'll get included in the repo build14:37
evrardjpthat would be awesome14:39
evrardjpor a list of pip extra packages in user_*.yml14:40
matttthat'd be nice yeah14:41
cloudnullMorning. Mancdaz odyssey4me - what did I add ?14:42
cloudnull;-)14:42
odyssey4mecloudnull some stuff into run-playbooks which no-one understands :p14:46
odyssey4memancdaz has been doing tests related to https://review.openstack.org/22536714:46
cloudnullAh good.14:46
odyssey4meit works, but it is super slow and we have no idea why14:46
odyssey4memy guess is that it relates to some sort of tcp timeout which the arp cache flush is taking care of14:47
odyssey4mebut I know nothing about networking :p14:47
odyssey4mecloudnull fyi I'm going to do sha bumps for juno and kilo today - I'm busy prepping the patches now and will do the rpc-repo rebuilds to update them too14:48
odyssey4meI see that keystone has released rc1, so I'll drop in a sha bump for that to see what happens :)14:48
cloudnullSweet. I'll hold your beer.14:51
cloudnullThe commit to remove the flushing bits is slow ?14:52
cloudnullHave we rebased that in a while? I've not looked.14:53
* cloudnull on mobile due to conference call.14:53
prometheanfirelol14:53
prometheanfireandymccr: ping?14:54
andymccrprometheanfire: hello14:54
odyssey4mecloudnull rebased several times, even after the base image improvement the build times out after 90 minutes almost every time14:54
odyssey4methere has been a single successful build within 90 mins and more than 10 fails across both hp and rax instances14:55
cloudnullThat's a bummer.14:55
prometheanfireandymccr: keep wednesday 11:15-11:55 open kthnx14:56
*** phalmos has quit IRC14:56
palendaeSounds like we need Apsu involved there14:56
prometheanfireandymccr: for the conf14:56
andymccrthat sounds ominous prometheanfire ;D14:57
prometheanfirethat's the container session14:57
prometheanfirefor ops14:57
prometheanfireInfrastructure Containers14:57
andymccrcool14:57
prometheanfirethought we could pimp things14:57
andymccrsure sounds good!14:57
prometheanfirehttps://etherpad.openstack.org/p/TYO-ops-meetup https://docs.google.com/spreadsheets/d/1EUSYMs3GfglnD8yfFaAXWhLe0F5y9hCUKqCYe0Vp1oA/edit#gid=148067884214:57
evrardjpI'm off for today, see you tomorrow14:58
prometheanfirecya14:58
matttlater evrardjp14:58
*** phalmos has joined #openstack-ansible15:01
*** cemmason1 has joined #openstack-ansible15:09
*** cemmason1 has quit IRC15:09
*** k_stev has quit IRC15:12
*** phalmos has quit IRC15:13
*** k_stev has joined #openstack-ansible15:16
tiagogomesHi, I am getting this error "One or more undefined variables: 'dict object' has no attribute 'volume_backend_name'" . My user config:   http://paste.openstack.org/show/473775/15:16
tiagogomesanyone has an idea of what is the issue?15:17
*** phalmos has joined #openstack-ansible15:19
*** k_stev1 has joined #openstack-ansible15:19
mattttiagogomes: should cinder_nfs_client and everything underneath be indented ?15:20
logan2heat-engine and heat-api setup is failing due to ceilometerclient: http://paste.gentoolinux.info/ipiqoqepop.mel .. completely fresh containers/repo built this morning.. any ideas?15:20
*** k_stev has quit IRC15:21
klev-dentistmhayden: I think there’s something, but I’d have to look it up15:22
*** klev-dentist is now known as KLevenstein15:22
*** jhesketh has quit IRC15:26
*** jhesketh has joined #openstack-ansible15:27
*** spotz_zzz is now known as spotz15:28
*** alejandrito has joined #openstack-ansible15:33
*** javeriak has joined #openstack-ansible15:34
openstackgerritMerged openstack/openstack-ansible: Remove quotes from subshell call in bash script  https://review.openstack.org/22671415:42
*** cristicalin has quit IRC15:42
*** KLevenstein is now known as klev-awa15:42
*** alop has joined #openstack-ansible15:49
*** jwagner_away is now known as jwagner15:50
openstackgerritJesse Pretorius proposed openstack/openstack-ansible: Update juno SHA's - 23 Sep 2015  https://review.openstack.org/22686115:52
prometheanfireanother gentoo user?15:54
*** sdake has joined #openstack-ansible15:57
logan2recovering, sorry. mostly ubuntu these days15:57
*** javeriak has quit IRC16:01
*** javeriak has joined #openstack-ansible16:02
prometheanfireopenstack is working fine for me on it :P16:03
*** sdake has quit IRC16:04
*** javeriak has quit IRC16:06
palendaeprometheanfire: At what scale? :)16:06
*** javeriak has joined #openstack-ansible16:06
palendaeActually am curious about that - assume you have a home lab for it?16:06
*** sdake_ has joined #openstack-ansible16:06
prometheanfirehome lab right now16:07
prometheanfireI have other users with larger deployments16:07
prometheanfirehome lab is 3 nodes atm16:07
prometheanfirewill be 4 eventually16:07
prometheanfireiirc one of my users was in belgium, another in russia, not sure of the others16:08
*** sdake has joined #openstack-ansible16:10
*** elo has joined #openstack-ansible16:14
*** sdake_ has quit IRC16:14
*** phalmos has quit IRC16:17
openstackgerritJesse Pretorius proposed openstack/openstack-ansible: Add policy changes required for OSSA-2015-018 / CVE-2015-5240  https://review.openstack.org/22687216:28
openstackgerritJesse Pretorius proposed openstack/openstack-ansible: Add policy changes required for OSSA-2015-018 / CVE-2015-5240  https://review.openstack.org/22687416:32
mhaydenodyssey4me: would it be possible for https://review.openstack.org/#/c/226533/ to get a workflow+1? i'd like to use it to fix up my RabbitMQ SSL review16:38
odyssey4memhayden need another core reviewer cloudnull mattt andymccr d34dh0r53 ^16:40
d34dh0r53mhayden: odyssey4me reviewing now16:41
mhaydenodyssey4me: ah, sorry -- still figuring this process out ;)16:41
*** daneyon has joined #openstack-ansible16:43
*** daneyon_ has quit IRC16:43
d34dh0r53mhayden: ask away, that is the process :)16:45
d34dh0r53mhayden: odyssey4me reviewed and +W16:45
stevellemhayden: I'm still confused about the ca_cert16:45
mhaydenso d34dh0r53, what is the secret of life?16:45
d34dh0r534216:45
palendaemhayden: You just need to know the question16:45
odyssey4mestevelle so the ca cert may be dropped regardless of whether someone is using self-signed or user-provided certs16:45
odyssey4meif the ca cert is provided or not provided makes no difference to the self signed process16:46
mhaydenstevelle / odyssey4me: there does arise a sticky situation if a user provides only cert + key and no cacert16:46
stevellethat was my concern, but honestly that can be touched on in a following patch16:46
odyssey4memhayden in that case if the user provides no ca cert then the user expects that the target OS already knows the CA16:46
mhaydeni'd like to synchronize the ssl logic everywhere as well16:47
mhaydenodyssey4me: but the conf files specify a CA file -- which won't exist16:47
mhaydenthat's the larger issue16:47
stevellethe docs state clearly that the ca_cert will be required for any user-provided cert16:47
mhaydenit would be silly to deploy cert/key with no CA16:47
stevelleso relying on the os to know it seems to violate the docs16:47
odyssey4memhayden the apache conf files skip the ca config entry if the ca doesn't exist16:47
mhaydenah, rabbitmq ones don't16:47
* mhayden winks16:47
stevelleexactly16:47
odyssey4memhayden sounds like you need a patch then ;)16:47
mhaydeni'll go over the ssl logic for apache, keystone, rabbit, and horizon later today to ensure they have similar logic16:48
mhaydenin the code, not the docs16:48
odyssey4methere are cases where the ca would already be known to the OS16:48
mhaydenand verify that docs matchf ully16:48
odyssey4mealternatively the deployer may have concatenated the ca cert into the server cert16:48
mhaydenodyssey4me: good point16:48
mhaydendidn't think about that last situation16:48
stevelleit was funny mhayden because I went down a rabbit hole yesterday after reviewing your general security spec yesterday and was looking up what it would take to secure rabbit.  I parked it and went to check reviews and noticed you had already submitted the patcheset for it.16:49
odyssey4meprior to the normalised logic in the ssl certs, that was the expected way of deploying16:49
mhaydenstevelle: oops :)16:49
odyssey4mestevelle nicely picked up - I missed the lack of optional ca cert in the rabbitmq bits :)16:50
odyssey4meluckily it's not yet merged, so mhayden can fix that up :)16:50
odyssey4memhayden you could also rebase your patch on the ssl docs patch, that way you can take care of the docs duplication in the same patch set :)16:50
mhaydenyup - just commented on 22371716:50
mhaydenthat's the plan, odyssey4me  ;)16:50
odyssey4memhayden you can create dependent patches :) want to give that a whirl?16:51
openstackgerritChristopher H. Laco proposed openstack/openstack-ansible: Add net.netfilter.nf_conntrack_max to Swift Storage  https://review.openstack.org/22688016:51
mhaydeni've heard that this christopher h. laco submits good code16:53
mhaydenfrom reputable people16:53
openstackgerritChristopher H. Laco proposed openstack/openstack-ansible: Add net.netfilter.nf_conntrack_max to Swift Storage  https://review.openstack.org/22688016:53
openstackgerritMerged openstack/openstack-ansible: Merge SSL documentation  https://review.openstack.org/22653316:53
mhaydenyay docs16:54
mhaydenwill hopefully get rabbitmq review updated by EOD16:54
odyssey4memhayden it may be best to -w it now quickly to prevent someone else doing the workflow bit :)16:56
*** gparaskevas_ has quit IRC16:57
openstackgerritJimmy McCrory proposed openstack/openstack-ansible: Apply correct websocket URI scheme for spice-html5  https://review.openstack.org/22646216:59
odyssey4memhayden I think that https://review.openstack.org/226533 could do with a backport to kilo :)17:01
*** abitha has joined #openstack-ansible17:01
*** abitha has quit IRC17:02
odyssey4memhayden another thing - I have been toying with the idea for some time to have a role which deploys an internal CA, and another role which can generate a cert on that CA for servers so that plays can request a cert and distribute it appropriately.17:02
odyssey4meI've already done some work in another role I work on in spare time (LoL) to have a working CA - it's far from done, but I thought that it would be way better to replace all self-signed certs with an internal CA.17:04
stevelleodyssey4me: ++17:06
stevellethat was part of my rabbit hole yesterday as well17:06
odyssey4meself signed certs are useless IMO, you may as well not bother17:06
stevelleI almost feel the same way for SSL terminated at the LB17:07
stevelle:)17:07
*** cloudtrainme has joined #openstack-ansible17:08
odyssey4mewell, ssl at the LB is ok in my books as long as your internals are properly protected in other ways17:11
odyssey4meif someone can sniff your internals, you're in trouble regardless17:11
odyssey4mebut using self signed certs for endpoints is just stupid - you end up having to make all clients operate in insecure mode, so they never validate anything - even if a man gets in the middle17:12
*** cloudtrainme has quit IRC17:26
*** skamithi13 has quit IRC17:27
*** cloudtrainme has joined #openstack-ansible17:27
*** skamithi13 has joined #openstack-ansible17:27
openstackgerritMiguel Grinberg proposed openstack/openstack-ansible: Put horizon in its own process  https://review.openstack.org/22688917:30
openstackgerritJesse Pretorius proposed openstack/openstack-ansible: Update kilo SHA's - 23 Sep 2015  https://review.openstack.org/22689017:31
openstackgerritJesse Pretorius proposed openstack/openstack-ansible: Add ebtables to neutron agent configuration  https://review.openstack.org/21710317:32
*** cloudtrainme has quit IRC17:33
*** phalmos has joined #openstack-ansible17:41
*** jwagner is now known as jwagner_lunch17:44
openstackgerritJesse Pretorius proposed openstack/openstack-ansible: Add ebtables to neutron agent configuration  https://review.openstack.org/21710317:49
*** abitha has joined #openstack-ansible18:06
*** kerwin_bai has quit IRC18:09
openstackgerritJesse Pretorius proposed openstack/openstack-ansible: Update Keystone to Liberty RC1  https://review.openstack.org/22691718:16
*** elo has quit IRC18:18
*** phalmos has quit IRC18:23
*** phalmos has joined #openstack-ansible18:36
openstackgerritMerged openstack/openstack-ansible: Fix for keystone LDAP pkg missing  https://review.openstack.org/22675018:42
*** klev-awa is now known as KLevenstein18:44
*** jwagner_lunch is now known as jwagner18:45
*** phalmos has quit IRC18:49
openstackgerritMajor Hayden proposed openstack/openstack-ansible: Add SSL/TLS listener to RabbitMQ  https://review.openstack.org/22371718:56
*** Bjoern_ has joined #openstack-ansible19:06
*** Bjoern_ is now known as BjoernT19:06
*** phalmos has joined #openstack-ansible19:12
*** phalmos has quit IRC19:22
*** phalmos has joined #openstack-ansible19:31
*** cloudtrainme has joined #openstack-ansible19:32
*** cloudtrainme has quit IRC19:37
openstackgerritMiguel Alejandro Cantu proposed openstack/openstack-ansible: Add OpenID Connect RP Apache Module[WIP]  https://review.openstack.org/22661719:56
*** fawadkhaliq has joined #openstack-ansible20:02
*** fawadkhaliq has quit IRC20:05
*** kukacz has joined #openstack-ansible20:19
*** javeriak has quit IRC20:19
*** sdake_ has joined #openstack-ansible20:22
*** alop has quit IRC20:22
*** sdake has quit IRC20:25
*** k_stev1 has quit IRC20:33
mhaydengetting some apt-get failures in jenkins20:42
mhaydenweird20:42
*** sigmavirus24_awa has quit IRC20:54
openstackgerritMerged openstack/openstack-ansible: Configure HAProxy SSL frontends with cipher suite  https://review.openstack.org/22661020:54
*** d34dh0r53 has quit IRC20:55
*** d34dh0r53 has joined #openstack-ansible20:55
*** eglute has quit IRC20:55
*** eglute has joined #openstack-ansible20:55
*** sigmavirus24_awa has joined #openstack-ansible20:58
openstackgerritMiguel Grinberg proposed openstack/openstack-ansible: Put horizon in its own process  https://review.openstack.org/22688921:02
*** mgariepy has quit IRC21:08
*** woodard has quit IRC21:14
*** Mudpuppy_ has joined #openstack-ansible21:33
*** Mudpuppy_ has quit IRC21:34
*** Mudpuppy has quit IRC21:36
*** skamithi14 has joined #openstack-ansible21:48
*** skamithi13 has quit IRC21:50
*** spotz is now known as spotz_zzz21:50
*** k_stev has joined #openstack-ansible21:50
*** kukacz has quit IRC21:52
*** sdake_ has quit IRC21:59
*** k_stev has quit IRC22:00
*** galstrom_zzz is now known as galstrom22:11
*** kerwin_bai has joined #openstack-ansible22:13
*** openstackgerrit has quit IRC22:16
*** openstackgerrit has joined #openstack-ansible22:16
*** galstrom is now known as galstrom_zzz22:21
*** alejandrito has quit IRC22:36
*** KLevenstein has quit IRC22:45
*** jwagner is now known as jwagner_away22:46
openstackgerritseetha ramaiah munnangi proposed openstack/openstack-ansible: Add Administration Capabilites to the Haproxy Stats GUI  https://review.openstack.org/22704222:59
*** phalmos has quit IRC23:39
*** skamithi14 has quit IRC23:55
*** skamithi13 has joined #openstack-ansible23:55
« Tuesday, 2015-09-22 Index Thursday, 2015-09-24 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!