Wednesday, 2015-10-14

*** BjoernT has quit IRC		00:02
openstackgerrit	Merged openstack/openstack-ansible: Removed unnecessary comment in the user_secrets for ceph variable https://review.openstack.org/233152	00:03
*** scarlisle has quit IRC		00:03
openstackgerrit	Merged openstack/openstack-ansible: Use inventory instead of hostfile parameter https://review.openstack.org/231870	00:08
openstackgerrit	Merged openstack/openstack-ansible: Updates the lint check to ignore templates https://review.openstack.org/231101	00:18
*** tlian2 has joined #openstack-ansible		00:26
*** tlian has quit IRC		00:28
*** darrenc_afk is now known as darrenc		00:36
*** sdake has joined #openstack-ansible		00:43
*** markvoelker has quit IRC		00:47
*** tlian2 has quit IRC		00:55
*** sdake has quit IRC		00:58
*** sdake has joined #openstack-ansible		01:02
*** tlian has joined #openstack-ansible		01:03
*** markvoelker has joined #openstack-ansible		01:48
openstackgerrit	Bjoern Teipel proposed openstack/openstack-ansible: Implement Neutron LBAAS using haproxy https://review.openstack.org/220365	01:49
*** markvoelker has quit IRC		01:53
*** daneyon has joined #openstack-ansible		01:53
*** daneyon_ has joined #openstack-ansible		01:56
*** daneyon has quit IRC		01:59
openstackgerrit	Merged openstack/openstack-ansible: Update Cinder Configuration for Liberty https://review.openstack.org/227205	02:01
*** sdake has quit IRC		02:06
*** sdake has joined #openstack-ansible		02:08
*** sdake_ has joined #openstack-ansible		02:29
*** sdake has quit IRC		02:30
*** markvoelker has joined #openstack-ansible		02:49
*** markvoelker has quit IRC		02:53
*** spotz_zzz is now known as spotz		02:57
*** woodard has quit IRC		03:10
*** sdake_ has quit IRC		03:14
*** sdake has joined #openstack-ansible		03:23
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Updated the repo-build process https://review.openstack.org/230716	03:28
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Updated the repo-build process https://review.openstack.org/230716	03:39
*** markvoelker has joined #openstack-ansible		03:50
*** markvoelker has quit IRC		03:54
*** tlian has quit IRC		04:21
openstackgerrit	Merged openstack/openstack-ansible: Added LC_ALL to openrc https://review.openstack.org/232388	04:26
*** markvoelker has joined #openstack-ansible		04:50
*** markvoelker has quit IRC		04:55
*** shausy has joined #openstack-ansible		05:17
*** pellaeon has quit IRC		05:18
*** jwitk0 has joined #openstack-ansible		05:32
jwitk0	Hey guys whats the latest OSAD release that should be used to deploy Kilo?	05:32
jwitk0	11.2.3 ?	05:32
stevelle	jwitk0: that looks like a pretty good choice	05:35
*** shausy has quit IRC		05:35
*** shausy has joined #openstack-ansible		05:35
*** markvoelker has joined #openstack-ansible		05:51
*** markvoelker has quit IRC		05:56
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Switch from MySQL-python to PyMySQL https://review.openstack.org/233172	06:18
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update Nova Configuration for Liberty https://review.openstack.org/227839	06:19
*** Mudpuppy has quit IRC		06:26
*** spotz is now known as spotz_zzz		06:37
*** sdake_ has joined #openstack-ansible		06:43
*** neilus1 has joined #openstack-ansible		06:45
*** sdake has quit IRC		06:46
*** markvoelker has joined #openstack-ansible		06:52
*** ashishjain has joined #openstack-ansible		06:53
ashishjain	Hello	06:54
ashishjain	Finally I am able to stabilize my osad setup	06:54
ashishjain	I have a question on openrc file which refers to v3.0 of the openstack api	06:55
ashishjain	whenever I run it says 404 not found	06:56
ashishjain	however when I modify to export OS_AUTH_URL=http://192.168.30.6:5000/v2.0/ it seems to be running fine	06:56
*** markvoelker has quit IRC		06:56
ashishjain	What shall I do to make v3.0 of the api work?	06:56
*** sdake_ has quit IRC		06:57
*** subscope has joined #openstack-ansible		06:59
*** openstackgerrit has quit IRC		07:01
*** openstackgerrit has joined #openstack-ansible		07:01
*** ggillies has quit IRC		07:10
*** subscope has quit IRC		07:26
odyssey4me	I think you mean v3 of the Keystone API? OpenStack has many API's at different versions.	07:27
odyssey4me	jwitk0 yes, the latest tagged version	07:28
odyssey4me	ashishjain if you can pastebin your openrc (feel free to edit the password) then I can look at that	07:30
odyssey4me	ashishjain but it sounds to me like you have a misconfiguration	07:30
ashishjain	odyssey4me: here is the paste http://paste.openstack.org/show/476223/	07:33
ashishjain	odyssey4me: If I change the the export OS_AUTH_URL=http://192.168.30.6:5000/v3.0 to export OS_AUTH_URL=http://192.168.30.6:5000/v2.0/ I am able to make atleast neutron work	07:34
ashishjain	However their is another catch when I use the same setting(v2.0) with glance I am bombed with the message "glance image-list An auth plugin is required to fetch a token"	07:35
ashishjain	odyssey4me: Yes I mean v3.0 of keystone api	07:37
odyssey4me	ashishjain can you also please pastebin your service catalogue	07:38
odyssey4me	execute: openstack endpoint list	07:38
odyssey4me	ok, the problem is that you have v3.0 instead of v3 in the URL	07:39
odyssey4me	how did that happen?	07:39
*** kerwin_bai has joined #openstack-ansible		07:39
ashishjain	odyssey4me: actually sorry ... I changed v3 to v2.0 and than forgot to remove .0 when changing it back to 3	07:43
ashishjain	Looks like its working fine .... thanks a lot for your help	07:44
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update rabbitmq-server to v3.5.6-1 https://review.openstack.org/233700	07:45
*** markvoelker has joined #openstack-ansible		07:53
*** markvoelker has quit IRC		07:57
*** mgoddard has joined #openstack-ansible		08:10
*** trash has left #openstack-ansible		08:16
*** Mudpuppy has joined #openstack-ansible		08:22
*** bapalm has quit IRC		08:23
*** bapalm has joined #openstack-ansible		08:26
*** Mudpuppy has quit IRC		08:27
*** neilus1 has quit IRC		08:33
*** neilus has joined #openstack-ansible		08:33
*** finchd has quit IRC		08:35
*** wabu has quit IRC		08:35
*** wabu has joined #openstack-ansible		08:35
*** spotz_zzz is now known as spotz		08:37
*** finchd has joined #openstack-ansible		08:38
*** spotz is now known as spotz_zzz		08:47
*** gparaskevas has joined #openstack-ansible		08:51
*** markvoelker has joined #openstack-ansible		08:53
*** subscope has joined #openstack-ansible		08:54
*** gparaskevas has quit IRC		08:55
*** tiagogomes_ has joined #openstack-ansible		08:57
*** harvy has joined #openstack-ansible		08:58
*** markvoelker has quit IRC		08:58
*** subscope has quit IRC		09:01
*** subscope has joined #openstack-ansible		09:01
ashishjain	Hello	09:10
ashishjain	Hitting another issue while spawning a vm	09:10
ashishjain	The error says "Unable to mount image /var/lib/nova/instances/5cb913f2-bdec-48c7-9507-741ac4250e41/disk with error libguestfs installed but not usable (cannot find any suitable libguestfs supermin, fixed or old-style appliance on LIBGUESTFS_PATH (search path: /usr/lib/guestfs)). Cannot resize.'	09:11
ashishjain	update-guestfs-appliance	09:12
ashishjain	Ubuntu documentation says "http://manpages.ubuntu.com/manpages/trusty/man1/guestfs-faq.1.html"	09:12
ashishjain	When I try to run the command on my compute node I get the following "sudo apt-get install libguestfs-tools" which means libguestfs in not installed.	09:12
ashishjain	Does Kilo expect to have this on the compute node?	09:13
*** kerwin_bai has quit IRC		09:23
mattt	ashishjain: is that actually preventing the VM from spawning?	09:23
mattt	99% sure i've seen that before but it didn't stop the VM from coming up	09:24
tiagogomes_	Hi, I got this error with the kilo branch http://paste.openstack.org/show/476228/	09:26
mattt	tiagogomes_: not rebuilt your repo server recently ?	09:27
tiagogomes_	I did a fresh install	09:27
mattt	WUT	09:27
tiagogomes_	My openstackgit is always empty	09:29
ashishjain	matt: Yes you are correct	09:29
tiagogomes_	Because I think it is being excluded on the rsync of the upstream repo	09:29
ashishjain	mattt: Shall I install libguestfs manually	09:29
mattt	tiagogomes_: ah you have to build the repo not sync it	09:29
ashishjain	mattt: I can do it but I am just wokdering that if I did not run my playbooks properly	09:29
ashishjain	*wondering	09:30
tiagogomes_	but I did a fresh install	09:30
mattt	tiagogomes_: ok one sec ... so you're running kilo right	09:30
tiagogomes_	matt yes	09:30
ashishjain	mattt: Is installing libguesfs on compute node one of parts of osad?	09:30
mattt	tiagogomes_: this is a problem which someone hasn't accounted for	09:31
mattt	tiagogomes_: repo-install.yml which you presumably ran does the clone, but i'm not sure the upstream repo has the git bits	09:31
mattt	tiagogomes_: so what i'm proposing is you don't clone from the upstream repo but run the build of the python packages, etc. locally in your repo container instead	09:32
tiagogomes_	mattt `repo_mirror_excludes: /openstackgit`	09:32
mattt	tiagogomes_: so instead of running repo-clone.yml you can run repo-build.yml, this is the default behaviour in master (liberty) now	09:32
mattt	tiagogomes_: tbh i have no idea what the idea there is, perhaps odyssey4me knows	09:33
ashishjain	tiagogomes_: Are you using gitlab?	09:33
mattt	tiagogomes_: but personally i'd always recommend repo-build.yml instead of repo-clone.yml, it's quite a long task to run but it will cause you less grief than cloning	09:33
mattt	ashishjain: sec, looking at your question now as i don't know :P	09:33
* tiagogomes_ doesn't like the idea to monkeypatch the repo		09:34
tiagogomes_	I think will just revert the commit	09:34
mattt	tiagogomes_: honestly repo-build.yml is the way forward	09:34
mattt	tiagogomes_: that is also what our gate job does	09:34
*** shausy has quit IRC		09:34
*** shausy has joined #openstack-ansible		09:35
mattt	tiagogomes_: only catch is if you previously ran repo-clone.yml i believe you have to wipe /var/www/repo on your repo containres otherwise you run into some issues	09:35
ashishjain	tiagogomes_: Try this out http://10.3.0.100:8181/openstackgit/spice-html5.git	09:35
ashishjain	Not sure but I hit a similar issue and appending .git helped me	09:35
ashishjain	mattt: Sure	09:35
tiagogomes_	ashishjain my openstackgit is empty	09:35
tiagogomes_	mattt so the plan is to patch kilo to use repo-build instead of repo-clone?	09:37
mattt	tiagogomes_: i didn't think so, it was a change in master and up	09:37
mattt	tiagogomes_: but i think whoever backported the spice-html5 change didn't account for the fact that kilo still uses repo-clone.yml	09:37
tiagogomes_	well, the deployment right now is broken, so it needs to be fixed somehow	09:38
mattt	yeah so you could start by filing a bug and we take it from there :)	09:38
*** subscope has quit IRC		09:39
ashishjain	mattt: it indeed is part of os-nova-install.yml	09:39
ashishjain	I will rerun the playbook	09:39
ashishjain	mattt: thanks	09:39
mattt	ashishjain: ok cool, odd that it didn't get installed the first time around tho?	09:40
ashishjain	mattt: For me playbooks have failed many many times and so something would have lead it to skip stuff	09:43
mattt	tiagogomes_: you creating the bug or shall i ?	09:44
tiagogomes_	mattt not at the moment, I can create it in 30m if you want	09:44
mattt	tiagogomes_: i'll put it through, but if you want to move the build along nuke /var/www/repo on the repo containers and run repo-server.yml and repo-build.yml	09:46
tiagogomes_	mattt ok, thanks	09:47
mattt	tiagogomes_: it may just be a case of removing that exclude from kilo so it can sync properly as http://rpc-repo.rackspace.com/openstackgit/ does exist	09:49
tiagogomes_	mattt I'll try that, because it should take less time	09:50
mattt	tiagogomes_: i'll put that change through, it seems like the only option to me	09:50
tiagogomes_	mattt cool, so are you creating the bug?	09:51
mattt	tiagogomes_: https://bugs.launchpad.net/openstack-ansible/+bug/1505978	09:52
openstack	Launchpad bug 1505978 in openstack-ansible "Kilo still defaults to repo-clone-mirror.yml but does not sync openstackgit" [Undecided,New]	09:52
tiagogomes_	mattt ta	09:52
*** markvoelker has joined #openstack-ansible		09:54
openstackgerrit	Matt Thompson proposed openstack/openstack-ansible: Remove /openstackgit from repo_mirror_excludes https://review.openstack.org/234698	09:57
*** markvoelker has quit IRC		09:58
mattt	^^^ tiagogomes_	09:58
*** subscope has joined #openstack-ansible		10:22
openstackgerrit	Merged openstack/openstack-ansible: Switch from MySQL-python to PyMySQL https://review.openstack.org/233172	10:26
*** spotz_zzz is now known as spotz		10:38
odyssey4me	tiagogomes_ mattt sorry - was afk for a bit - yes, it would seem that we need to ensure that either the clone process also builds the git repo, or we need to have a copy of the bits upstream for the clone process	10:45
odyssey4me	that's a definite bug	10:46
odyssey4me	heh, oh nice mattt I see you have a review to fix? tiagogomes_ if you can feedback whether that works in the review it'd be great	10:46
*** spotz is now known as spotz_zzz		10:48
* tiagogomes_ already did		10:50
*** markvoelker has joined #openstack-ansible		10:55
*** markvoelker has quit IRC		11:00
*** neilus has quit IRC		11:04
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update stable/liberty SHA's to Liberty RC3 https://review.openstack.org/234730	11:17
*** manas has joined #openstack-ansible		11:21
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Remove oslo.versionedobjects 0.11.0 block https://review.openstack.org/234733	11:23
*** gparaskevas has joined #openstack-ansible		11:27
*** spotz_zzz is now known as spotz		11:41
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Remove WebOb 1.5.0 cap https://review.openstack.org/234742	11:41
odyssey4me	mattt are you still testing and reviewing https://review.openstack.org/#/q/status:open+project:openstack/openstack-ansible+branch:master+topic:bp/enable-venv-support-within-the-roles,n,z ?	11:46
*** spotz is now known as spotz_zzz		11:51
*** subscope has quit IRC		11:54
*** markvoelker has joined #openstack-ansible		11:56
*** subscope has joined #openstack-ansible		11:57
*** markvoelker has quit IRC		12:00
*** markvoelker has joined #openstack-ansible		12:00
*** manas has quit IRC		12:02
*** persia has quit IRC		12:02
*** persia has joined #openstack-ansible		12:03
*** manas has joined #openstack-ansible		12:05
*** spotz_zzz is now known as spotz		12:06
*** subscope has quit IRC		12:07
mattt	odyssey4me: not at the minute not	12:08
mattt	*no	12:08
odyssey4me	mattt how are you feeling about reviews generally?	12:13
odyssey4me	to me it seems good - they clearly work	12:13
odyssey4me	dolph added a good query which applies to keystone & horizon which I think warrants an update, perhaps - cloudnull will need to check that out	12:14
mattt	odyssey4me: well we found the bug yesterday, not had time to go back and retest everything since	12:14
mattt	but yesterday it didn't work	12:14
mattt	now why the gate was passign i have absolutely no idea	12:14
mattt	super confusing	12:14
mattt	so i'd like to just test them all together again and give it all a once-over before +2ing	12:15
odyssey4me	mat it looks like the sha updates which include yesterday's fixes are good: https://review.openstack.org/234730	12:17
odyssey4me	mattt ^	12:17
mattt	odyssey4me: why not remove versionedobjects and WebOb in one review?	12:20
odyssey4me	mattt the jury's still out on whether the updates resolve all the issues :)	12:20
odyssey4me	I split them up to test them properly.	12:21
mattt	imagine you could have added them to the bump sha review to test :P	12:21
odyssey4me	mattt if the sha bump works, which it did, I didn't want to delay that merge if the other pin removals didn't work	12:23
*** woodard has joined #openstack-ansible		12:23
odyssey4me	the sha bump is more important to move along than the pins	12:23
*** neilus has joined #openstack-ansible		12:24
*** Mudpuppy has joined #openstack-ansible		12:24
mattt	i didn't know we were racing against the clock	12:24
mattt	odyssey4me: going to be circling back to the venv stuff in a few mins, had to look at some ceph stuff this morning	12:25
mattt	so hopefully we can get those moving shortly	12:25
odyssey4me	mattt ah, thanks	12:26
odyssey4me	ideally I'd like to release our liberty branch as close as possible to upstream's release, and the venv work is part of that	12:26
odyssey4me	our planned release date is the end of next week, and I'd like the current stream of patches to have some basking time	12:27
odyssey4me	*baking	12:27
mattt	yeah makes sense	12:27
odyssey4me	besides - the next batch of work relates to the upgrading of kilo to liberty, and the gate split out... the sooner we can get onto that work, the better	12:28
odyssey4me	more gate tests will expose issues faster	12:28
*** Mudpuppy has quit IRC		12:29
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update Nova Configuration for Liberty https://review.openstack.org/227839	12:33
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update stable/liberty SHA's to Liberty RC3 https://review.openstack.org/234730	12:33
*** spotz is now known as spotz_zzz		12:35
*** vdo has joined #openstack-ansible		12:36
odyssey4me	mattt it looks like https://review.openstack.org/234733 is good	12:41
*** subscope has joined #openstack-ansible		12:43
mattt	k	12:45
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: [WIP] Check existing pip.conf in OpenStack-CI https://review.openstack.org/234768	12:48
cloudnull	odyssey4me: what should i go look at ?	12:49
cloudnull	morning btw.	12:49
odyssey4me	morning cloudcull	12:49
odyssey4me	dolphm raised a good question in https://review.openstack.org/229513 which will also apply to https://review.openstack.org/229226	12:50
odyssey4me	if his suggestion works, it may result in a bit more optimisation there (we don't need to hack the wsgi script)	12:50
mattt	keystone_bin: "{{ keystone_venv_bin }}"	12:55
mattt	guess if his comment is true there then we have a good few updates to do	12:56
mattt	but i thought you could just run the bin like that	12:56
odyssey4me	mattt I was talking about this comment, actually: https://review.openstack.org/#/c/229513/12/playbooks/roles/os_keystone/templates/keystone-wsgi.py.j2,cm	12:57
mattt	yeah that i have absolutely no idea about :)	12:58
*** javeriak has joined #openstack-ansible		12:59
*** mgoddard has quit IRC		13:03
*** tlian has joined #openstack-ansible		13:07
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: [WIP] Check existing pip.conf in OpenStack-CI https://review.openstack.org/234768	13:09
*** subscope has quit IRC		13:11
cloudnull	openstackgerrit: i added responses in https://review.openstack.org/#/c/229513	13:15
cloudnull	mattt: you are right you can simply run the bin and it will execute within the venv	13:15
cloudnull	the installation within a venv has either #! to the venv python or an activate_this call which forces it to use the venv'd python	13:16
odyssey4me	thanks cloudnull for responding to dolphm - my vote is back to +2 for keystone & horizon	13:18
*** subscope has joined #openstack-ansible		13:19
*** javeriak has quit IRC		13:23
*** javeriak has joined #openstack-ansible		13:23
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-3864{2,5,7,9}, V-38651: Umask adjustments https://review.openstack.org/233120	13:28
*** subscope has quit IRC		13:28
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38623: rsyslog file permissions https://review.openstack.org/234331	13:29
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38546: Disable IPv6 system-wide https://review.openstack.org/234333	13:30
*** cloudtrainme has joined #openstack-ansible		13:34
*** Mudpuppy has joined #openstack-ansible		13:35
*** Mudpuppy has quit IRC		13:35
*** Mudpuppy has joined #openstack-ansible		13:36
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-51391: Initialize AIDE https://review.openstack.org/234264	13:38
mhayden	palendae: added a configurable exclusion list in https://review.openstack.org/234264	13:38
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38637, V-3866{3,4,5}: Verify auditd pkg contents https://review.openstack.org/232767	13:38
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-3857{4,6,7}: Password hashing algorithms https://review.openstack.org/233071	13:38
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38655: Mount w/noexec exception https://review.openstack.org/233147	13:39
*** subscope has joined #openstack-ansible		13:39
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-386**: Disabling various unneeded services https://review.openstack.org/233198	13:39
mhayden	pardon the rebasing... ;)	13:39
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-3865{6,7}: Samba https://review.openstack.org/233215	13:39
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38643: World writable files https://review.openstack.org/233216	13:39
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38658: Password reuse restrictions https://review.openstack.org/233219	13:39
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38659, V-38662, V-38693: Encrypted storage exception docs https://review.openstack.org/233221	13:40
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38660: SNMPv3 https://review.openstack.org/233226	13:40
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-386{67,70,95,96,98}, V-38700: Run AIDE via cron https://review.openstack.org/233231	13:40
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38678: Auditd space_left size https://review.openstack.org/233237	13:40
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38671: Remove sendmail https://review.openstack.org/233242	13:40
mhayden	had some fun merge conflicts ;)	13:40
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38672: Remove netconsole service https://review.openstack.org/233243	13:40
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38680: Audit log capacity notifications https://review.openstack.org/233247	13:40
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-3869{2,4}: Lock inactive accounts https://review.openstack.org/233255	13:40
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-3867{4,6}: X windows https://review.openstack.org/233259	13:40
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38675: Restrict core dumps https://review.openstack.org/233261	13:41
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38679: Disable DHCP client docs https://review.openstack.org/233262	13:41
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38684: Max concurrent sessions https://review.openstack.org/233264	13:41
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38682: Disable bluetooth modules https://review.openstack.org/233270	13:41
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38687: VPN connectivity (exception docs) https://review.openstack.org/233273	13:41
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-53481: Auditd disk space + single-user mode https://review.openstack.org/233276	13:41
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38702: FTP daemon logging https://review.openstack.org/233279	13:41
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-51337: Use an LSM at boot https://review.openstack.org/233284	13:41
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-51875: Symlink for docs https://review.openstack.org/233285	13:41
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38622: Restricted mail relaying https://review.openstack.org/234204	13:41
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38683: Check for non-unique usernames https://review.openstack.org/234209	13:41
*** evrardjp has quit IRC		13:42
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38681: GID's in /etc/passwd & /etc/group https://review.openstack.org/234215	13:42
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-51739: LSM device labeling exception https://review.openstack.org/234227	13:42
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38699: Public directories exception https://review.openstack.org/234235	13:42
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-386{85,90}: Temporary/emergency accounts (exception) https://review.openstack.org/234237	13:42
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-58901: sudo requires auth https://review.openstack.org/234239	13:42
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38697: Sticky bit (exception) https://review.openstack.org/234249	13:42
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-51391: Initialize AIDE https://review.openstack.org/234264	13:42
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: Docs overhaul https://review.openstack.org/234439	13:42
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38496: Lock system accounts other than root https://review.openstack.org/232012	13:43
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38498: Audit log file permissions https://review.openstack.org/232056	13:43
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38500: No UID 0 accounts except root https://review.openstack.org/232070	13:43
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38501, V-38573: Disable accounts after failed logins https://review.openstack.org/232074	13:43
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-3851{1,2,3}, V-38686: IPv4 security controls https://review.openstack.org/232088	13:43
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-3851{4,5,6,7}: Disabling certain network protocols https://review.openstack.org/232129	13:43
*** subscope has quit IRC		13:44
*** mnestheu1 has joined #openstack-ansible		13:44
*** subscope has joined #openstack-ansible		13:44
*** cloudtrainme has quit IRC		13:44
*** mnestheu1 is now known as scarlisle		13:44
*** evrardjp has joined #openstack-ansible		13:45
*** javeriak_ has joined #openstack-ansible		13:50
*** evrardjp has quit IRC		13:51
*** javeriak has quit IRC		13:53
*** javeriak has joined #openstack-ansible		13:56
*** javeriak_ has quit IRC		13:56
*** neilus has quit IRC		13:58
*** evrardjp has joined #openstack-ansible		13:58
*** KLevenstein has joined #openstack-ansible		14:00
*** manas has quit IRC		14:00
*** k_stev has joined #openstack-ansible		14:01
*** jwagner_away is now known as jwagner		14:01
*** sigmavirus24_awa is now known as sigmavirus24		14:02
*** cloudtrainme has joined #openstack-ansible		14:03
*** cloudtrainme has quit IRC		14:06
palendae	mhayden: Cool on the exclusion list - that may actually be a more general issue to resolve; is this role just for use with openstack-ansible, or ansible and openstack installs?	14:06
*** gcivitella has joined #openstack-ansible		14:11
*** k_stev has quit IRC		14:16
mattt	cloudnull: sorry kevin, lots of trivialish comments in the glance venv review	14:18
*** alop has joined #openstack-ansible		14:19
*** k_stev has joined #openstack-ansible		14:24
*** phalmos has joined #openstack-ansible		14:43
odyssey4me	mhayden I would expect that the security role is for use for any host? why should it just be for openstack, or for openstack-ansible environments? it's pretty generic as far as I can see	14:50
mattt	odyssey4me: was kinda thinking this too :P	14:51
mattt	i didn't see what the overlap with openstack-ansible was	14:51
palendae	^	14:51
odyssey4me	mattt I see openstack-ansible simply as a custodian.	14:51
odyssey4me	And openstack-ansible may consume the role at some point in time in the future.	14:52
mhayden	there are some things that are skipped for openstack envs	14:53
mhayden	so it has some openstack specific configurations	14:53
mhayden	my goal was to make it drop in compatible with openstack-ansible	14:54
mhayden	does that make sense?	14:55
odyssey4me	:) a tool in the toolbox - it makes absolute sense	14:55
palendae	Sure. I think the goal of splitting out roles was to make them all more general	14:55
mhayden	it could be used outsude of openstack ansiblr	14:55
mhayden	wow phone keyboard fail	14:55
*** cloudtrainme has joined #openstack-ansible		14:56
mattt	nah, i think it's great if it can be designed ot not tear an openstack-ansible deploy apart :)	14:56
mattt	but it does seem to be very limiting making it only work on an openstack-ansible deploy	14:56
bgmccollum	mhayden: could the openstack specific configs be controlled via role parametrization?	14:57
mhayden	another goal is to make it deployable to OS envs without disruptions	14:57
mhayden	bgmccollum: possibly. what are you thinking?	14:57
*** javeriak has quit IRC		14:57
*** cloudtrainme has quit IRC		14:58
bgmccollum	mhayden: you said some parts are skipped for openstack envs...so the parts being skipped could be controlled via role parameters	14:58
mhayden	thats what i put in defaults/main.yml	14:59
palendae	^	14:59
mhayden	and that yml is heavily docunented	14:59
*** cloudtrainme has joined #openstack-ansible		15:00
*** phalmos has quit IRC		15:01
*** spotz_zzz is now known as spotz		15:02
*** ashishjain has quit IRC		15:03
cloudnull	mattt: i've updated the glance venv review. let me know what you think and ill hope to getting the changes in	15:04
mattt	cloudnull: ok will have a peek, thanks !	15:12
cloudnull	no thank you sir	15:12
*** cloudtrainme has quit IRC		15:23
*** jwagner is now known as jwagner_away		15:23
*** cloudtrainme has joined #openstack-ansible		15:24
*** spotz is now known as spotz_zzz		15:24
*** spotz_zzz is now known as spotz		15:25
*** mgoddard has joined #openstack-ansible		15:26
mhayden	bgmccollum / palendae: would you suggest having openstack-ansible-security outside of openstack somewhere?	15:28
*** sdake has joined #openstack-ansible		15:29
palendae	mhayden: Maybe just on galaxy...though to me it seems a bit bizarre not putting security measures directly in relevant roles, honestly	15:29
odyssey4me	palendae it's an experiment of sorts	15:29
bgmccollum	mhayden: just depends on the scope...its its meant to be a general role...then maybe yes? and OSA can source it...and pass in its desired config...	15:29
mhayden	palendae: i suggested that but it was shot down quickly ;)	15:29
odyssey4me	perhaps some stuff belongs in roles, but perhaps not - until they're expressed fully we won't know	15:29
odyssey4me	also, we can (and I'd like to) register this role into galaxy	15:30
palendae	odyssey4me: Security seems important enough to me to not be directly in roles, but it's already going down this road	15:30
mhayden	however, i'd like to review the openstack security guide and begin applying some of those recommendations in openstack-ansible via configurables	15:30
odyssey4me	it is pretty much as applicable as the galera role	15:30
*** KLevenstein has quit IRC		15:30
mhayden	like communicating between services over ssl, etc	15:30
palendae	Er, that was worded poorly	15:30
odyssey4me	the point is that just because it's there now, doesn't mean that it can't be implemented differently in the future	15:31
odyssey4me	for now the scope was to do it thusly	15:31
palendae	I understand. Just saying, I'm not sure I see security as a thing that should be a separate role	15:31
odyssey4me	mhayden you should definitely work on doing the security guide thing in the roles during the mitaka cycle	15:32
odyssey4me	something you could also propose is for the security role to be consumed by the playbooks with the appropriate switches turned on or off	15:32
bgmccollum	are there scenarios that one wouldnt want security for free?	15:32
palendae	^	15:33
odyssey4me	?	15:34
palendae	If I understand the question - why would you want a (for example) galera role that doesn't include any security measures?	15:34
bgmccollum	if its hassle free from the deployers perspective...then by all means...make it as secure as humanly possible	15:35
*** KLevenstein has joined #openstack-ansible		15:36
mhayden	odyssey4me: it's on my list ;)	15:36
*** sdake has quit IRC		15:36
*** KLevenstein has quit IRC		15:36
odyssey4me	that's a broad question	15:37
odyssey4me	why would you not want to use ssl comms for all web services?	15:37
mhayden	well i did add an SSL/TLS listener to rabbitmq... ;)	15:37
*** KLevenstein has joined #openstack-ansible		15:37
*** sdake has joined #openstack-ansible		15:37
odyssey4me	you wouldn't want it as a developer because it makes debugging hell, and creates an extra layer of complexity	15:38
odyssey4me	it's fine to be layered on top, but not as a base	15:38
odyssey4me	the same applies to many security things	15:38
odyssey4me	most of the stuff in the role could probably be implemented by default as it's not in the same category	15:39
odyssey4me	but some of it most definitely is a hinder to the development process, and some to the operational process - they're things you want to opt-in to	15:39
palendae	Sure, but then you opt in on the specific service	15:39
palendae	e.g. on the galera role	15:40
odyssey4me	exactly, but then that gets done by the playbook	15:40
palendae	Right...and then I don't see a reason for a separate role to exist	15:40
palendae	Put things where they're used	15:41
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update Nova Configuration for Liberty https://review.openstack.org/227839	15:42
odyssey4me	the purpose of the role is specific	15:43
odyssey4me	the security role is to apply security best practises	15:43
odyssey4me	on a general host level	15:43
odyssey4me	if we take those tasks and put them into other roles, we'll be duplicating code all over the place - and maintaining that will become very unwieldy	15:44
palendae	So galera securing will be duplicated everywhere?	15:44
odyssey4me	keeping it in a purpose specific role simplifies its use, and its maintenance	15:44
bgmccollum	i can see there being a separate role for host security best practices...generic to be used outside the confines of OSA...	15:45
odyssey4me	if the task is galera server specific, then perhaps it does belong in the galera role	15:45
*** mgoddard_ has joined #openstack-ansible		15:45
bgmccollum	there there is the securing of OS bits...which should be in their relevant OSA roles	15:45
*** gparaskevas has quit IRC		15:45
bgmccollum	*then	15:45
palendae	I can see locking things down along those lines	15:45
odyssey4me	right, so openstack-ansible is simply a custodian of ansible roles which are used in an openstack environment - and a publisher of playbooks to consume those roles in specific use-cases which are common to its consumers	15:46
odyssey4me	there is no reason why the project can't host roles that aren't specifically openstack related	15:47
palendae	I don't think anyone's disagreeing there	15:47
mhayden	i look at security on two levels here: 1) host security and 2) openstack services security	15:47
palendae	What I'm saying is, if that role grows service-specific security, like galera, or rabbit, or whatever, I think that's the incorrect place	15:47
mhayden	#1 is where openstack-ansible-security comes in	15:47
*** mgoddard has quit IRC		15:48
mhayden	#2 is the openstack security guide	15:48
bgmccollum	seems pretty clear cut to me	15:48
bgmccollum	+1	15:48
odyssey4me	palendae I agree with you there.	15:48
odyssey4me	mhayden also agreed	15:48
bgmccollum	my only point was that openstack-ansible-security shouldn't have any bias towards being applied to an openstack environment...if the intent is that it could be used outside OSA	15:50
mhayden	bgmccollum: i'm 100% in agreement	15:51
bgmccollum	or is the intent that its supposed to be used in an openstack environment, but not necessarily a OSA deployed environment?	15:51
mhayden	but i'm in a bit of a hard place here with this many reviews in flight ;)	15:51
bgmccollum	the good news is...code is malleable...and time in infinite	15:52
palendae	mhayden: It is a lot, and you don't really have established reviewers on that repo, do you?	15:53
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: Don't require latest auditd version https://review.openstack.org/234856	15:53
mhayden	palendae: right, and no	15:54
mhayden	there are 7 reviews with a +1, one with a +2 and +1	15:55
mhayden	the rest are empty	15:55
palendae	How does one get a +2?	15:56
mhayden	but i'm trying to be as responsive as possible when folks suggest changes ;) wink wink	15:56
mhayden	palendae: i normally buy cloudnull beer for that	15:56
palendae	And what is your merge criteria?	15:56
palendae	mhayden: I mean, how does one get core reviewer status on that repo?	15:57
mhayden	palendae: it's attached to openstack-ansible	15:57
palendae	Nothing's going to merge if it needs 2 +2s and there's < 2	15:57
palendae	Mm	15:57
palendae	Ok	15:57
mhayden	palendae: https://review.openstack.org/#/q/status:open+project:openstack/openstack-ansible-security,n,z	15:57
mhayden	palendae: i put some suggested criteria here -> http://lists.openstack.org/pipermail/openstack-dev/2015-October/076929.html	15:58
odyssey4me	right now the core is shared - if the need arises in the future for that to change, it can change	15:58
mattt	palendae: you should be able to +2 stuff	15:58
palendae	mattt: I removed myself from core	15:58
mhayden	that's hardcore	15:58
mattt	well there's that.	15:58
mhayden	somehow mattt has the ability for a -3.14 ;)	15:58
*** mgoddard_ has quit IRC		15:59
odyssey4me	I'm certainly pro the idea of having role-specific cores.	16:00
*** sdake_ has joined #openstack-ansible		16:00
palendae	odyssey4me: I was more asking to see where the bottle neck for mhayden getting his reviews	16:00
* mhayden assumes everyone is busy		16:01
mhayden	:)	16:01
*** sdake has quit IRC		16:01
mhayden	and usually when i mention security at the office, people think of this: https://41.media.tumblr.com/1721e235dbe9f5af7ee331c74e739655/tumblr_nj8bb5TKYs1u2qrtko1_500.jpg	16:01
odyssey4me	yeah, it's the same problem we're all having - people are allocated to work and don't seem to have time to do them	16:01
palendae	mhayden: I'm not sure how many people who have core were aware. Maybe that's my own detachment though	16:01
mattt	the upside is that mhayden's changes are small	16:02
mattt	there's just a lot of them :P	16:02
mhayden	yeah some changes are docs only	16:02
bgmccollum	mhayden: is the best way to run this...add to role dependencies...then build a playbook to apply the roles to all hosts (and containers?) ?	16:02
mhayden	should i funnel the docs only stuff to folks like KLevenstein and Sam-I-Am that are docs wizards? :)	16:02
mattt	palendae: guess you didn't see this	16:02
mhayden	bgmccollum: that would work find	16:02
mhayden	s/find/fine/	16:02
mattt	palendae: https://goo.gl/03qZPi	16:02
mhayden	i built an AIO box, then rsynced up the role	16:03
mhayden	ran it against localhost	16:03
mhayden	i've also run it from my laptop with a server via ssh	16:03
mattt	i did the same	16:03
palendae	mattt: I did, but also not core. I didn't know that his repo got added there, though	16:03
palendae	I wasn't sure if it was communicated that OSA cores are needed to help those reviews along	16:03
mattt	palendae: well they are in teh queue, so i'd imagine people know :P	16:03
KLevenstein	mhayden: there’s an rpcdocs launchpad group. we get some things where it’s not clear what docs changes need to be made, so any clarity you can provide when assigning will help a lot.	16:03
palendae	mattt: ¯\_(ツ)_/¯	16:04
bgmccollum	mhayden: should the role be applied to the containers as well?	16:04
mhayden	KLevenstein: sweet	16:04
palendae	Assumptions )	16:04
mhayden	bgmccollum: hosts only	16:04
*** mgoddard has joined #openstack-ansible		16:05
mhayden	another option might be to hop on a hangout and i can take questions on the commits and/or go over each super-briefly	16:05
mhayden	i'm willing to do whatever's needed on my end	16:05
odyssey4me	mhayden you can get anyone to review them	16:07
mhayden	cool -- the openstack security team was eager to review some	16:08
mhayden	i hopped in their mtg last week	16:08
odyssey4me	with two or more +1's on it (ideally with a substantive comment), I don't give it much more than a cursory review	16:08
*** javeriak has joined #openstack-ansible		16:08
odyssey4me	the role is not being actively used by anything yet, so there's no real impact when mistakes are made	16:09
*** subscope has quit IRC		16:09
*** gcivitella has quit IRC		16:09
mhayden	i could mark the "docs only" reviews as such	16:12
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38655: Mount w/noexec exception [docs only] https://review.openstack.org/233147	16:13
mhayden	like that ^^ (if it helps)	16:13
odyssey4me	mhayden the reality is that most of that stuff needs reviews by people who understand their purpose	16:13
mhayden	gotcha	16:13
mattt	odyssey4me: i'll fire through some of those changes tonight to review	16:13
mattt	s/odyssey4me/mhayden/	16:13
palendae	Yeah, even if I had +2 power, I'd feel reeeeeeally uncomfortable without others more knowledgeable weighing in	16:13
mattt	palendae: there is no one more knowledgeable	16:14
mattt	major can't review his own stuff :P	16:14
odyssey4me	yup	16:15
palendae	mattt: People from openstack security maybe?	16:15
odyssey4me	yeah, ideally the reviewers need to come from the broader community	16:15
mattt	yeah but they're not openstack-related stuff	16:15
mattt	i think most sys admins can agree what is sensible and not	16:15
palendae	That's why i don't have +2 - I don't feel comfortable saying "Well, no one else can review it so I might as well"	16:15
odyssey4me	mhayden perhaps you should frame it more generally so that people don't think it's specific to openstack-ansible	16:15
odyssey4me	they need to know that it's primarily the STIG documentation, and an ansible role which then deploys the recommendations	16:16
mhayden	odyssey4me: not sure if i should send more mail quite yet :)	16:16
mhayden	unless you mean place that information elsewhere	16:16
odyssey4me	mhayden there was a suggestion to use the [security] tag in the ML, instead of the [openstack-ansible] tag	16:17
odyssey4me	as the role is generic, I would recommend that	16:17
mhayden	i did that here: http://lists.openstack.org/pipermail/openstack-dev/2015-October/076929.html	16:17
mattt	mhayden: could query the ansible community in general	16:17
odyssey4me	perhaps the operatory community would be keen too - so perhaps give it a bit and send one there too	16:17
*** sdake_ is now known as sdake		16:18
mhayden	mattt: i do owe robyn some markdown for a blog post...	16:18
mattt	also a great way for someone on the openstack fringes get involved w/ an openstack project	16:18
mhayden	mattt: quite true	16:19
mattt	mhayden: let it rain	16:20
*** kukacz has joined #openstack-ansible		16:20
*** cloudtrainme has quit IRC		16:20
stevelle	so much energy and words this morning	16:22
*** cloudtrainme has joined #openstack-ansible		16:26
stevelle	The OSAS stuff is a pretty large stack of reviews and it won't get done in a day. I'm trying to make sure I'm putting a vote on at least a couple a day. The MTA related ones are earmarked for today, for instance.	16:27
*** cloudtra_ has joined #openstack-ansible		16:29
cloudnull	on an aside https://review.openstack.org/#/q/starredby:cloudnull+status:open,n,z these need to get reviewed and specifically when ready we need to think about backporting the L3HA commits	16:31
*** javeriak has quit IRC		16:32
*** cloudtrainme has quit IRC		16:32
palendae	stevelle: You and your scheduled approach to stuff	16:36
*** javeriak has joined #openstack-ansible		16:38
mhayden	thanks, stevelle !	16:39
*** jasondotstar_ has joined #openstack-ansible		16:39
*** sdake has quit IRC		16:43
*** another_larsks has joined #openstack-ansible		16:44
mhayden	thanks as well, palendae ;)	16:44
palendae	mhayden: Welcome.	16:44
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Implement glance venv support https://review.openstack.org/229221	16:46
cloudnull	mattt: i updated that pr if you can have a look i'd appreciate it	16:46
cloudnull	if good then ill apply it to all of the patches	16:47
*** tlian has quit IRC		16:48
*** finchd-also has joined #openstack-ansible		16:49
*** sdake has joined #openstack-ansible		16:49
openstackgerrit	Merged openstack/openstack-ansible: Update stable/liberty SHA's to Liberty RC3 https://review.openstack.org/234730	16:50
*** vdo has quit IRC		16:50
*** finchd has quit IRC		16:50
*** jaypipes has quit IRC		16:50
*** robak has quit IRC		16:50
*** lkoranda has quit IRC		16:50
*** larsks has quit IRC		16:50
*** toddnni has quit IRC		16:50
*** metral has quit IRC		16:50
*** jasondotstar has quit IRC		16:50
*** dstanek has quit IRC		16:50
*** bapalm has quit IRC		16:50
openstackgerrit	Merged openstack/openstack-ansible: Redirect "apt-get install -y" stdin to /dev/null https://review.openstack.org/233331	16:50
openstackgerrit	Merged openstack/openstack-ansible: Only wait for SSH if the container config has changed https://review.openstack.org/231379	16:50
odyssey4me	mattt cloudnull there was a bug in the api-paste.ini leftover from the ec2/s3 excise - it's fixed now and has passed the gate: https://review.openstack.org/227839	16:53
*** another_larsks is now known as larsks		16:53
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Only wait for SSH if the container config has changed https://review.openstack.org/234890	16:53
*** shausy has quit IRC		16:53
*** phschwartz is now known as phschwartz_aw		16:54
*** tlian has joined #openstack-ansible		16:54
tiagogomes_	Hi, right now am I am setting up a flat and a vlan network like this: http://paste.openstack.org/show/476286/ . I wounder if I really need eth11 and eth12, isn't one interface enough? They are both connected to the same bridge	16:56
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Remove oslo.versionedobjects 0.11.0 block https://review.openstack.org/234733	16:57
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Remove WebOb 1.5.0 cap https://review.openstack.org/234742	16:58
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update rabbitmq-server to v3.5.6-1 https://review.openstack.org/233700	16:59
*** Bjoern_ has joined #openstack-ansible		16:59
*** metral has joined #openstack-ansible		16:59
*** bapalm has joined #openstack-ansible		16:59
*** metral has quit IRC		17:07
*** bapalm has quit IRC		17:07
*** robak has joined #openstack-ansible		17:07
*** jaypipes has joined #openstack-ansible		17:07
*** toddnni has joined #openstack-ansible		17:07
*** lkoranda has joined #openstack-ansible		17:08
*** vdo has joined #openstack-ansible		17:08
*** metral has joined #openstack-ansible		17:10
*** bapalm has joined #openstack-ansible		17:10
*** manas has joined #openstack-ansible		17:13
openstackgerrit	Merged openstack/openstack-ansible: Archive Keystone to Keystone Federation rst content https://review.openstack.org/211747	17:17
openstackgerrit	Bjoern Teipel proposed openstack/openstack-ansible: Adding missing vfat packages for the nova config_drive https://review.openstack.org/233809	17:20
*** javeriak has quit IRC		17:21
*** javeriak has joined #openstack-ansible		17:22
*** dstanek_ has joined #openstack-ansible		17:22
*** phschwartz_aw is now known as phschwartz		17:23
*** dstanek_ has quit IRC		17:23
*** dstanek has joined #openstack-ansible		17:24
openstackgerrit	Merged openstack/openstack-ansible-security: V-38671: Remove sendmail https://review.openstack.org/233242	17:24
*** Bjoern_ is now known as BjoernT		17:27
*** javeriak has quit IRC		17:31
*** javeriak_ has joined #openstack-ansible		17:31
bgmccollum	cloudnull: running new upgrade out of kilo branch...nova install failes...no space-html5 in repo...seeing the following -- http://paste.openstack.org/show/476293/	17:38
bgmccollum	*spice-html5	17:38
odyssey4me	bgmccollum you want this: https://review.openstack.org/234698	17:39
*** jasondotstar_ is now known as jasondotstar		17:39
bgmccollum	odyssey4me: thx...	17:39
*** sdake has quit IRC		17:39
odyssey4me	bgmccollum that was reported earlier today by tiagogomes_	17:40
bgmccollum	nod	17:40
*** javeriak_ has quit IRC		17:40
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Archive Keystone to Keystone Federation rst content https://review.openstack.org/234908	17:41
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-386**: Disabling various unneeded services https://review.openstack.org/233198	17:43
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-3867{4,6}: X windows https://review.openstack.org/233259	17:44
*** phalmos has joined #openstack-ansible		17:47
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Remove /openstackgit from repo_mirror_excludes https://review.openstack.org/234698	17:52
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-38622: Restricted mail relaying https://review.openstack.org/234204	17:54
*** javeriak has joined #openstack-ansible		17:55
mhayden	stevelle: just added docs and made that one configurable ^^	17:55
stevelle	looking again. Not sure that you can readily assert that mynetworks is reasonably restrictive which is the hard part of this one.	17:56
*** javeriak_ has joined #openstack-ansible		18:36
*** sdake has joined #openstack-ansible		18:38
*** sdake has joined #openstack-ansible		18:39
mhayden	stevelle: right, but if inet_interfaces = localhost, mynetworks isn't so important	18:40
mhayden	since postfix will be listening for mail only on lo	18:40
*** javeriak has quit IRC		18:40
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update Neutron Configuration for Liberty https://review.openstack.org/234926	18:40
*** sdake_ has joined #openstack-ansible		18:43
*** sdake has quit IRC		18:43
*** jwagner_away is now known as jwagner		18:46
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update Neutron Configuration for Liberty https://review.openstack.org/234926	18:46
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update Neutron Configuration for Liberty https://review.openstack.org/234926	18:49
stevelle	mhayden: I understand that, and inet_interfaces should present a lower surface area than mynetworks, just wanted to ensure the play didn't prevent someone from intended behavior.	18:50
stevelle	your fix is better than meddling with mynetworks	18:50
mhayden	i see what you're saying	18:50
*** sdake_ has quit IRC		18:51
*** sdake has joined #openstack-ansible		18:51
*** javeriak_ has quit IRC		18:52
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Implement keystone venv support https://review.openstack.org/229513	18:59
cloudnull	d34dh0r53 odyssey4me mattt ^ that was updated to ensure the keystone-install tag was there and that the venv ownership was root instead of the keystone user.	19:01
*** KLevenstein_ has joined #openstack-ansible		19:01
d34dh0r53	ahh, cool	19:01
d34dh0r53	cloudnull: are you going to update the others?	19:01
*** KLevenstein has quit IRC		19:01
*** KLevenstein_ is now known as KLevenstein		19:01
cloudnull	yes	19:01
cloudnull	im making the same change to the others too	19:01
cloudnull	that was based on feedback on the glance venv pr	19:01
*** KLevenstein has quit IRC		19:02
cloudnull	however i wont do it for the horizon venv because horizon needs to own most of the files .	19:02
d34dh0r53	ok, in the process of testing them so I'll hold off till you're done	19:03
cloudnull	at this point glance keystone and horizon are good to go	19:03
lbragstad	cloudnull bug report - http://openstack-weekly-reports.lbragstad.com/weekly-bug-reports/openstack-ansible-weekly-bug-report.html	19:05
d34dh0r53	cloudnull: cool, thanks	19:05
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Implement neutron venv support https://review.openstack.org/230726	19:05
cloudnull	d34dh0r53: neutron is good	19:05
cloudnull	:)	19:05
cloudnull	lbragstad: thats awesome	19:05
cloudnull	-cc openstackgerrit	19:05
cloudnull	bah...	19:05
cloudnull	-cc odyssey4me	19:05
lbragstad	cloudnull it scrubs LP every 15 minutes for new bugs	19:07
lbragstad	cloudnull if you'd like it to be more often, let me know	19:07
cloudnull	thats probably good :)	19:07
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Implement swift venv support https://review.openstack.org/230733	19:08
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Implement ceilometer venv support https://review.openstack.org/229212	19:09
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Implement heat venv support https://review.openstack.org/229225	19:10
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Implement cinder venv support https://review.openstack.org/225463	19:11
*** cloudtra_ has quit IRC		19:12
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-3867{4,6}: X windows https://review.openstack.org/233259	19:13
mhayden	stevelle / odyssey4me: flipped this to use fail module -> https://review.openstack.org/#/c/233259/	19:14
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Implement aodh venv support https://review.openstack.org/233401	19:14
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Implement nova venv support https://review.openstack.org/230727	19:16
cloudnull	d34dh0r53 mattt odyssey4me all updated	19:17
d34dh0r53	bon	19:17
cloudnull	ty sir	19:19
*** scarlisle has quit IRC		19:21
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: V-386{67,70,95,96,98}, V-38700: Run AIDE via cron https://review.openstack.org/233231	19:23
openstackgerrit	Major Hayden proposed openstack/openstack-ansible-security: Replace debug with fail https://review.openstack.org/234942	19:29
*** manas has quit IRC		19:30
odyssey4me	lbragstad that bug report is quite useful	19:35
*** KLevenstein has joined #openstack-ansible		19:35
odyssey4me	are they updated regularly?	19:35
*** sdake has quit IRC		19:35
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Seperated out Telemetry Alarming (Aodh) https://review.openstack.org/232224	19:35
*** sdake has joined #openstack-ansible		19:36
lbragstad	odyssey4me the bug reports are rebuilt every 15 minutes, for each project.	19:38
openstackgerrit	Kevin Carter proposed openstack/openstack-ansible: Implement aodh venv support https://review.openstack.org/233401	19:38
lbragstad	odyssey4me they only every publish bugs that are in "workable" status... so things that aren't "fix committed", "fix released", "invalid", etc...	19:42
odyssey4me	lbragstad cool - I'd like a lot more than that, but this is a start.	19:42
odyssey4me	sigmavirus24 weren't you also working on some data extraction stuff?	19:42
sigmavirus24	hm?	19:43
sigmavirus24	for GitHub a bit yeah	19:43
sigmavirus24	not quite like that	19:43
odyssey4me	lbragstad ideally I'd like to have a way of catching orphaned bugs - either by not being allocated, or by being old	19:43
lbragstad	odyssey4me this is the code - https://github.com/lbragstad/openstack-infra-scripts/blob/master/recent_bugs.py	19:44
lbragstad	odyssey4me i stole it from jogo a long time ago...	19:44
odyssey4me	hah, awesome :)	19:45
*** KLevenstein has quit IRC		20:01
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update Heat Configuration for Liberty https://review.openstack.org/234959	20:05
odyssey4me	stevelle sigmavirus24 d34dh0r53 would you mind briefly reviewing this one - https://review.openstack.org/234742	20:10
d34dh0r53	looks good to me	20:10
odyssey4me	thanks d34dh0r53 & sigmavirus24	20:11
*** KLevenstein has joined #openstack-ansible		20:12
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Allow configuration of config_drive_format inside nova.conf https://review.openstack.org/233806	20:12
odyssey4me	d34dh0r53 sigmavirus24 would you mind voting this backport through the door too - it's only docs: https://review.openstack.org/234908	20:14
openstackgerrit	Merged openstack/openstack-ansible: Remove oslo.versionedobjects 0.11.0 block https://review.openstack.org/234733	20:27
*** cloudtrainme has joined #openstack-ansible		20:51
*** spotz is now known as spotz_zzz		20:51
*** sdake_ has joined #openstack-ansible		20:57
*** sdake has quit IRC		20:59
*** ggillies has joined #openstack-ansible		21:01
*** sdake_ has quit IRC		21:02
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible-specs: Add Liberty Release spec https://review.openstack.org/221189	21:03
d34dh0r53	cloudnull: no aodh in the repo server	21:06
odyssey4me	d34dh0r53 what do you mean?	21:08
d34dh0r53	testing the venv patches and I'm thinking that I'm missing a patch for aodh	21:08
odyssey4me	d34dh0r53 you may be missing this pre-requisite: https://review.openstack.org/232224	21:08
*** kukacz has quit IRC		21:09
odyssey4me	mhayden so let me explain how the current role tests for openstack-ansible-security work for background	21:09
mhayden	odyssey4me: ducking out for a bit, will be back on later -- sorry!	21:10
odyssey4me	mhayden ah ok, tomorrow then	21:10
*** woodard has quit IRC		21:12
*** ggillies has quit IRC		21:14
*** spotz_zzz is now known as spotz		21:16
*** k_stev has quit IRC		21:23
*** thingee has joined #openstack-ansible		21:34
thingee	odyssey4me: ping	21:34
*** KLevenstein has quit IRC		21:34
*** spotz is now known as spotz_zzz		21:38
openstackgerrit	Merged openstack/openstack-ansible-security: V-38622: Restricted mail relaying https://review.openstack.org/234204	21:40
*** phalmos has quit IRC		21:43
*** k_stev has joined #openstack-ansible		21:47
openstackgerrit	Merged openstack/openstack-ansible: Remove /openstackgit from repo_mirror_excludes https://review.openstack.org/234698	21:58
openstackgerrit	Merged openstack/openstack-ansible-security: V-38496: Lock system accounts other than root https://review.openstack.org/232012	21:58
openstackgerrit	Merged openstack/openstack-ansible-security: V-3851{4,5,6,7}: Disabling certain network protocols https://review.openstack.org/232129	21:58
*** sigmavirus24 is now known as sigmavirus24_awa		22:02
*** cloudtrainme has quit IRC		22:05
openstackgerrit	Bjoern Teipel proposed openstack/openstack-ansible: Allow configration of config_drive_format inside nova.conf https://review.openstack.org/233806	22:07
*** k_stev has quit IRC		22:07
openstackgerrit	Merged openstack/openstack-ansible: Implement glance venv support https://review.openstack.org/229221	22:09
openstackgerrit	Merged openstack/openstack-ansible: Adding missing vfat packages for the nova config_drive https://review.openstack.org/233809	22:09
openstackgerrit	Merged openstack/openstack-ansible: Remove WebOb 1.5.0 cap https://review.openstack.org/234742	22:09
openstackgerrit	Merged openstack/openstack-ansible: Archive Keystone to Keystone Federation rst content https://review.openstack.org/234908	22:09
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Implement nova venv support https://review.openstack.org/230727	22:10
openstackgerrit	Jesse Pretorius proposed openstack/openstack-ansible: Update rabbitmq-server to v3.5.6-1 https://review.openstack.org/233700	22:11
*** k_stev has joined #openstack-ansible		22:30
openstackgerrit	Merged openstack/openstack-ansible: Implement keystone venv support https://review.openstack.org/229513	22:36
*** markvoelker has quit IRC		22:43
*** ggillies has joined #openstack-ansible		22:45
*** openstackgerrit has quit IRC		22:46
*** openstackgerrit has joined #openstack-ansible		22:46
openstackgerrit	Bjoern Teipel proposed openstack/openstack-ansible: Correct OS_IDENTITY_API_VERSION as introduced with #1495685 https://review.openstack.org/235008	22:50
openstackgerrit	Bjoern Teipel proposed openstack/openstack-ansible: Correct OS_IDENTITY_API_VERSION https://review.openstack.org/235008	22:52
*** markvoelker has joined #openstack-ansible		22:53
openstackgerrit	Merged openstack/openstack-ansible: Implement cinder venv support https://review.openstack.org/225463	22:54
*** jhesketh has quit IRC		23:00
*** jhesketh has joined #openstack-ansible		23:01
*** k_stev has quit IRC		23:12
thingee	odyssey4me: ping	23:13
*** cloudtrainme has joined #openstack-ansible		23:35
*** markvoelker has quit IRC		23:38
*** jwagner is now known as jwagner_away		23:38
*** elo has quit IRC		23:42
*** elo has joined #openstack-ansible		23:44
*** agireud has quit IRC		23:51
*** agireud has joined #openstack-ansible		23:57
*** mgoddard_ has joined #openstack-ansible		23:57
*** mgoddard has quit IRC		23:57
*** alop has quit IRC		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!