Friday, 2015-11-06

*** tnarg has quit IRC [00:03]
*** tnarg has joined #openstack-ansible [00:04]
*** tnarg has quit IRC [00:08]
*** cloudtrainme has quit IRC [00:10]
*** jimchou has quit IRC [00:15]
*** CheKoLyN has quit IRC [00:19]
*** tlian has quit IRC [00:34]
*** tnarg has joined #openstack-ansible [00:40]
*** tlian has joined #openstack-ansible [00:41]
*** tnarg has quit IRC [00:43]
*** tnarg has joined #openstack-ansible [00:43]
*** jmccrory_ has joined #openstack-ansible [00:45]
*** tnarg_ has joined #openstack-ansible [00:46]
*** tnarg has quit IRC [00:49]
*** tlian has quit IRC [00:52]
*** mss_ has quit IRC [00:56]
*** tlian has joined #openstack-ansible [00:57]
*** jaybeers has quit IRC [01:06]
bgmccollum: anyone seen this before? -- OSError: [Errno 17] File exists: '/openstack/log' -- http://paste.openstack.org/show/ikkBlzNDOUynwT9yPfln/ [01:09]
bgmccollum: race? [01:09]
*** Bjoern_ is now known as Bjoern_zZzZzZzZ [01:10]
bgmccollum: me thinks so, because of delegate_to: two tasks to same host, both check if path exists, if it doesn't, both try to create. first create succeeds, second fails as it already exists. [01:15]
Sam-I-Am: double creation means its created more betterer? [01:15]
cloudnull: bgmccollum: is that on an AIO ? [01:16]
bgmccollum: cloudnull: multinode [01:17]
cloudnull: ansible 2.0 ? [01:17]
bgmccollum: 1.9 [01:17]
cloudnull: in a rerun was it fixed ? [01:18]
bgmccollum: that task might need to be set to serial 1 to prevent races...however rare [01:18]
bgmccollum: cloudnull : unfortunately, it was a jenkins job, and it tears down after success and failure [01:18]
bgmccollum: and no retries, since that was removed in RPC [01:18]
cloudnull: ive not seen that specifically, however making it serial would render it stupid slow [01:19]
cloudnull: so its already using the full path https://github.com/openstack/openstack-ansible/blob/master/playbooks/roles/lxc_container_create/tasks/container_create.yml#L40 [01:20]
bgmccollum: cloudnull : maybe create the intermediary path segments before that task... [01:20]
bgmccollum: i think its checking each segment individually for existence, and creating it if it doesn't exist...instead of a straight mkdir -p type of thing... [01:21]
bgmccollum: and if you time it just right...boom errno 17 [01:21]
cloudnull: well it seems to have exploded on /openstack/log [01:21]
cloudnull: to fix that in a more controlled way we can create the various openstack skel dirs in https://github.com/openstack/openstack-ansible/blob/master/playbooks/roles/openstack_hosts/tasks/main.yml [01:22]
bgmccollum: yeah...which indicates its trying to create each segment individually... [01:22]
cloudnull: which would only execute once on each host [01:22]
*** sdake has quit IRC [01:22]
cloudnull: then each container creates its specific log dir as needed. [01:22]
cloudnull: but the first segment would be already covered [01:22]
bgmccollum: yeah, create the skel dirs... /openstack /openstack/log /openstack/backup etc... [01:23]
bgmccollum: i seem to recall hitting this way back too...but the retry logic that used to be in RPC would just pave over it and continue on...now its getting exposed as an issue [01:23]
cloudnull: you mind raising an issue for it ? [01:23]
*** sdake has joined #openstack-ansible [01:24]
bgmccollum: on it.. [01:24]
*** galstrom is now known as galstrom_zzz [01:25]
bgmccollum: cloudnull: hah...marked as invalid -- https://bugs.launchpad.net/openstack-ansible/+bug/1426254 [01:27]
openstack: Launchpad bug 1426254 in openstack-ansible "Race creating /openstack/log" [Low,Invalid] - Assigned to Hugh Saunders (hughsaunders) [01:27]
*** Bjoern_zZzZzZzZ is now known as Bjoern_ [01:27]
openstackgerrit: Kevin Carter proposed openstack/openstack-ansible: Fix race condition for /openstack directories https://review.openstack.org/242291 [01:31]
*** galstrom_zzz is now known as galstrom [01:31]
cloudnull: if you wouldnt mind reviewing things :) [01:31]
bgmccollum: looking...thanks [01:32]
openstackgerrit: Kevin Carter proposed openstack/openstack-ansible: Fix race condition for /openstack directories https://review.openstack.org/242291 [01:32]
cloudnull: f5 had commit message type [01:32]
cloudnull: typo [01:32]
cloudnull: th720: around still ? [01:34]
cloudnull: RE: During the neutron install, we are getting the following error message: msg: neutron fact collection failed: unable to find migration with revision 59cb5b6cf4d ? [01:34]
cloudnull: mattt: ^^ -cc [01:35]
*** gouthamr_ has joined #openstack-ansible [01:37]
*** gouthamr has quit IRC [01:41]
*** Bjoern_ has quit IRC [01:50]
bgmccollum: cloudnull: going to drop patch into build pipeline and see how it goes :D [01:51]
cloudnull: sweet [01:52]
*** galstrom is now known as galstrom_zzz [01:53]
bgmccollum: cloudnull: interestingly, i was able to trigger the race again... [01:55]
cloudnull: even with that patch ? [01:55]
cloudnull: ok, i have to run , but let me know what you find out [01:57]
bgmccollum: without the patch...i kicked off a new build, thinking it wouldn't happen again...but it did [01:57]
cloudnull: :( [01:57]
cloudnull: same error ? [01:57]
bgmccollum: its building with the patch now, ill update the bug and review [01:57]
cloudnull: kk [01:57]
bgmccollum: later [01:57]
cloudnull: cu later [01:58]
*** hybridpollo has quit IRC [02:04]
openstackgerrit: Byron McCollum proposed openstack/openstack-ansible: Add retry and delay to RabbitMQ queue mirroring setup. https://review.openstack.org/242306 [02:12]
*** galstrom_zzz is now known as galstrom [02:12]
openstackgerrit: Byron McCollum proposed openstack/openstack-ansible: Add retry and delay to RabbitMQ queue mirroring setup. https://review.openstack.org/242306 [02:13]
*** galstrom is now known as galstrom_zzz [02:20]
*** rebase has quit IRC [02:51]
*** k_stev has joined #openstack-ansible [03:11]
*** cbaesema has joined #openstack-ansible [03:11]
*** k_stev has quit IRC [03:19]
*** rebase has joined #openstack-ansible [03:19]
*** rebase has quit IRC [03:19]
*** tnarg_ has quit IRC [03:20]
openstackgerrit: Byron McCollum proposed openstack/openstack-ansible: Add retry and delay to RabbitMQ queue mirroring setup. https://review.openstack.org/242306 [03:21]
*** jmccrory_ has quit IRC [03:22]
*** mss has joined #openstack-ansible [03:23]
*** mss has quit IRC [03:29]
*** skamithi has joined #openstack-ansible [03:31]
*** skamithi has quit IRC [03:36]
*** sdake has quit IRC [03:36]
*** k_stev has joined #openstack-ansible [03:37]
*** cbaesema has quit IRC [03:44]
*** cbaesema has joined #openstack-ansible [03:44]
*** k_stev has quit IRC [03:52]
*** galstrom_zzz is now known as galstrom [03:53]
*** tlian has quit IRC [04:10]
*** subscope has joined #openstack-ansible [04:18]
*** fawadkhaliq has joined #openstack-ansible [04:20]
*** k_stev has joined #openstack-ansible [04:21]
*** k_stev has quit IRC [04:22]
*** sdake has joined #openstack-ansible [04:35]
*** sdake has quit IRC [04:53]
*** gouthamr has joined #openstack-ansible [04:54]
*** gouthamr_ has quit IRC [04:56]
*** shausy has joined #openstack-ansible [04:57]
*** sdake has joined #openstack-ansible [04:58]
*** subscope has quit IRC [05:02]
*** woodard_ has quit IRC [05:05]
*** subscope has joined #openstack-ansible [05:05]
*** galstrom is now known as galstrom_zzz [05:09]
*** javeriak has joined #openstack-ansible [05:21]
*** javeriak_ has joined #openstack-ansible [05:27]
*** javeriak has quit IRC [05:27]
*** Mudpuppy has quit IRC [05:35]
*** javeriak_ has quit IRC [05:47]
*** javeriak has joined #openstack-ansible [05:49]
*** wabu_ is now known as wabu [05:58]
*** javeriak has quit IRC [05:59]
*** sdake has quit IRC [06:00]
*** sdake has joined #openstack-ansible [06:00]
*** woodard has joined #openstack-ansible [06:06]
*** woodard has quit IRC [06:10]
*** mss has joined #openstack-ansible [06:13]
*** mss has quit IRC [06:24]
*** javeriak has joined #openstack-ansible [06:24]
*** phiche has joined #openstack-ansible [06:25]
*** subscope has quit IRC [06:26]
*** phiche has quit IRC [06:28]
*** openstackgerrit has quit IRC [06:31]
*** openstackgerrit has joined #openstack-ansible [06:32]
*** gouthamr_ has joined #openstack-ansible [06:33]
*** gouthamr has quit IRC [06:36]
*** phiche has joined #openstack-ansible [06:37]
*** phiche has quit IRC [06:40]
*** phiche has joined #openstack-ansible [06:43]
*** phiche has quit IRC [06:47]
*** phiche has joined #openstack-ansible [06:50]
*** phiche has quit IRC [07:06]
*** javeriak has quit IRC [07:10]
*** sdake has quit IRC [07:14]
*** sdake has joined #openstack-ansible [07:14]
*** fawadkhaliq has quit IRC [07:19]
*** sdake has quit IRC [07:26]
*** sdake has joined #openstack-ansible [07:27]
*** fawadkhaliq has joined #openstack-ansible [07:34]
*** sdake_ has joined #openstack-ansible [07:40]
*** sdake has quit IRC [07:42]
*** phiche has joined #openstack-ansible [07:47]
*** javeriak has joined #openstack-ansible [07:50]
*** javeriak has quit IRC [07:51]
*** javeriak has joined #openstack-ansible [07:51]
*** fawadkhaliq has quit IRC [07:52]
*** javeriak_ has joined #openstack-ansible [07:54]
*** javeriak has quit IRC [07:55]
*** fawadkhaliq has joined #openstack-ansible [07:58]
mattt: odyssey4me_: did anyone actually test those neutron fact changes or look at the question i posed in the liberty review? :P [08:07]
*** karimb has joined #openstack-ansible [08:17]
evrardjp: mattt: I didn't, sorry [08:24]
*** gouthamr_ has quit IRC [08:27]
mattt: evrardjp: shame on you! :P [08:29]
evrardjp: I know, right? ;) [08:31]
*** sdake_ has quit IRC [08:33]
*** agireud has quit IRC [08:37]
*** agireud has joined #openstack-ansible [08:37]
*** andyhky has quit IRC [08:42]
*** openstackstatus has quit IRC [08:42]
*** tiagogomes_ has joined #openstack-ansible [08:44]
*** andyhky has joined #openstack-ansible [08:44]
*** javeriak_ has quit IRC [08:50]
*** shausy has quit IRC [08:53]
*** karimb has quit IRC [08:54]
*** shausy has joined #openstack-ansible [08:55]
*** subscope has joined #openstack-ansible [08:57]
*** subscope has quit IRC [08:58]
*** karimb has joined #openstack-ansible [09:01]
evrardjp: for fun I did this: git diff kilo..liberty | wc -l [09:04]
evrardjp: someone want to guess how many changes? ;) [09:04]
evrardjp: the job that was done is impressive, that's just what I want to say. And ofc, a thank you. [09:05]
persia: evrardjp: you might find `git diff --stat ...` or `git diff --shortstat ...` interesting. [09:10]
evrardjp: I didn't know that command [09:11]
evrardjp: it's cool :) [09:11]
*** javeriak has joined #openstack-ansible [09:12]
*** haojing has joined #openstack-ansible [09:16]
*** subscope has joined #openstack-ansible [09:18]
*** haojing has quit IRC [09:24]
openstackgerrit: XiaBing Yao proposed openstack/openstack-ansible: remove another vars_files definition https://review.openstack.org/242414 [09:58]
*** fawadkhaliq has quit IRC [10:10]
*** slotti has joined #openstack-ansible [10:17]
*** javeriak_ has joined #openstack-ansible [10:51]
*** javeriak has quit IRC [10:54]
*** javeriak has joined #openstack-ansible [10:55]
*** javeriak_ has quit IRC [10:55]
*** javeriak_ has joined #openstack-ansible [10:56]
*** javeriak has quit IRC [11:00]
*** subscope has quit IRC [11:41]
*** subscope has joined #openstack-ansible [11:43]
*** ybabenko has joined #openstack-ansible [11:49]
*** javeriak_ has quit IRC [11:53]
*** javeriak has joined #openstack-ansible [11:54]
*** shausy has quit IRC [12:04]
*** karimb has quit IRC [12:07]
*** karimb has joined #openstack-ansible [12:08]
*** misc_ is now known as misc [12:25]
*** javeriak_ has joined #openstack-ansible [12:27]
*** javeriak has quit IRC [12:30]
*** javeriak has joined #openstack-ansible [12:30]
*** javeria__ has joined #openstack-ansible [12:31]
*** javeriak_ has quit IRC [12:31]
*** javeriak has quit IRC [12:35]
*** ybabenko has quit IRC [12:39]
*** ybabenko has joined #openstack-ansible [12:41]
*** mgoddard_ has joined #openstack-ansible [12:43]
*** mgoddard has quit IRC [12:44]
*** mgoddard__ has joined #openstack-ansible [12:44]
*** rady has joined #openstack-ansible [12:44]
*** mgoddard_ has quit IRC [12:48]
mhayden: buenos dias [13:18]
*** mss has joined #openstack-ansible [13:20]
*** tlian has joined #openstack-ansible [13:21]
*** mss has quit IRC [13:25]
*** javeria__ has quit IRC [13:35]
*** cbaesema has quit IRC [13:37]
openstackgerrit: Matt Thompson proposed openstack/openstack-ansible: Update neutron_migrations_facts https://review.openstack.org/240560 [13:45]
*** cloudtrainme has joined #openstack-ansible [13:45]
*** subscope has quit IRC [13:53]
*** alkari has joined #openstack-ansible [13:54]
*** ybabenko has quit IRC [14:02]
mhayden: if someone has a spare moment, could you peek at https://review.openstack.org/#/c/242101/ ? it's a small doc adjustment for osas [14:05]
*** slotti has quit IRC [14:06]
*** subscope has joined #openstack-ansible [14:06]
*** javeriak has joined #openstack-ansible [14:12]
*** sdake has joined #openstack-ansible [14:16]
*** alkari has quit IRC [14:26]
*** jimchou has joined #openstack-ansible [14:32]
openstackgerrit: Major Hayden proposed openstack/openstack-ansible: AIO bootstrap in Ansible https://review.openstack.org/239525 [14:33]
mhayden: palendae: thanks for giving the aio stuff a quick look [14:33]
*** subscope has quit IRC [14:35]
*** ybabenko has joined #openstack-ansible [14:57]
*** spotz_zzz is now known as spotz [14:58]
*** ybabenko has quit IRC [15:01]
*** alejandrito has joined #openstack-ansible [15:04]
*** gouthamr has joined #openstack-ansible [15:10]
*** javeriak has quit IRC [15:10]
*** gouthamr_ has joined #openstack-ansible [15:11]
palendae: mhayden: Yep [15:11]
mhayden: what's special about that pypa script for installing pip? [15:13]
mhayden: i keep wondering if we could just get a tarball from pypi and install it that way [15:13]
spotz: mhayden Would a package work if it could be put in a public repo? [15:13]
mhayden: it seems like the site fails kinda frequently :) [15:13]
mhayden: spotz: what kind of package? [15:14]
palendae: mhayden: Their get-pip.py script? iirc it holds a compressed copy of pip inside of itself [15:14]
spotz: Aren't you guys ansibleizing specifically for ubuntu, in which case a deb [15:14]
palendae: We try to avoid installing python-related things from .debs [15:14]
spotz: ahh [15:15]
mhayden: yeah, ubuntu/debian mangle python-related things regularly :| [15:15]
*** gouthamr has quit IRC [15:15]
*** karimb has quit IRC [15:16]
spotz: hehe [15:17]
mhayden: i notice that we reinstall pip a few times within osa [15:18]
mhayden: for example, bootstrap-ansible.sh installs it [15:18]
mhayden: so does bootstrap-aio.sh [15:18]
mhayden: and i think one of the first few playbooks does it too [15:18]
mhayden: i'm not sure if it's worth carrying the get-pip.py script in our repo, though [15:19]
mhayden: that could get hairy [15:19]
palendae: Bootstrap ansible makes sense, since you need to get all the python stuff for Ansible to work [15:19]
palendae: I think the playbooks are then installing on the rest of the hosts [15:19]
spotz: and you run that before the bootstrap-aio.sh, but in theory it shouldn't hurt being there twice [15:20]
evrardjp: what wouldn't hurt is to install pip everywhere by default. Not related, but I'm just explaining a small frustration of NOT finding pip on memcached containers ;) [15:22]
evrardjp: pip or virtualenv [15:22]
evrardjp: or both [15:22]
evrardjp: sorry for the off-topic [15:22]
evrardjp: on another topic, what do you think of using reno when tagging OSA releases? [15:23]
evrardjp: http://docs.openstack.org/developer/reno/design.html [15:23]
mhayden: i prefer las vegas [15:23]
mhayden: oh, you mean software [15:23]
evrardjp: mhayden :D [15:23]
mhayden: trololololol [15:24]
* mhayden has had his coffee [15:24]
palendae: lol, another NIH openstack project [15:24]
palendae: Since we don't have release notes now, kind of a moot point. But something to manage them wouldn't be a bad idea [15:25]
evrardjp: I think it would help readability on the long run [15:26]
mattt: evrardjp: i think odyssey4me_ has already been looking into reno [15:27]
evrardjp: and help build quicker upgrade path [15:27]
mattt: evrardjp: https://review.openstack.org/#/c/241592/ [15:27]
*** woodard has joined #openstack-ansible [15:28]
mhayden: so i joined in the openstack-security team meeting yesterday to talk about the possibility of us using anchor to make an initial CA for openstack-ansible services [15:28]
mhayden: CA being Certificate Authority [15:28]
mhayden: they said it's a simple, self-contained pecan service and offered some help integrating it [15:29]
* mhayden doesn't know pecan [15:29]
evrardjp: mattt, I'll read that, thanks [15:29]
evrardjp: mhayden, I don't know that either, but it's in my to-read list [15:30]
mhayden: looks like anchor runs on the network and you pass it a CSR for signing [15:31]
mhayden: so everything is done via API calls [15:31]
mhayden: it would be a significant undertaking to 1) add anchor 2) generate a bunch of certs prior to osa deployment 3) remove self-sign code from individual osa roles [15:31]
mhayden: i'm not sure if there's enough value in doing it [15:32]
palendae: mhayden: Pecan's a Zope-ish web framework. But lighter weight [15:32]
evrardjp: mhayden, like https://letsencrypt.org/ ? [15:32]
mhayden: letsencrypt is still a little rough around the edges and requires some funky plugins [15:32]
mhayden: IIRC, your machines must check in with letsencrypt regularly [15:32]
mattt: would be nicer if you could use letsencrypt tho :) [15:32]
mhayden: and there's a limit on registrations/certs right now [15:32]
mattt: boo :( [15:32]
palendae: Yeah [15:32]
palendae: Was gonna say - doesn't that require internet access? [15:32]
palendae: I know some of our installs are air-gapped [15:33]
mhayden: yeah, it needs some time [15:33]
mhayden: letsencrypt looks amazing, but it needs some time [15:33]
mhayden: palendae: nuclear facilities? ;) [15:33]
evrardjp: mhayden, anchor seems far better in our case [15:33]
evrardjp: our -> openstack-ansible [15:33]
palendae: mhayden: I can't tell :) [15:33]
mhayden: if i can get this darned aio bootstrap out the door, i'd be willing to toss a spec together [15:33]
mhayden: or at least a mailing list proposal before a spec [15:33]
evrardjp: because we won't use it in our company, because we have all this PKI stuff internally [15:34]
mhayden: evrardjp: right [15:34]
mhayden: the most value will come from those users who choose to roll with the defaults [15:34]
*** woodard has quit IRC [15:34]
mhayden: or, some users may opt to provide trusted certs for keystone/horizon but they don't care about the others [15:34]
evrardjp: indeed [15:34]
palendae: I would think (but don't know) most installers would have their own PKI setup [15:34]
mhayden: if it was me, i'd probably deploy with trusted certs for any endpoints my consumers would hit directly [15:34]
mhayden: especially for auth [15:34]
evrardjp: mhayden, that's what we do [15:35]
mhayden: but nova <-> rabbitmq connections wouldn't need that level of security (that's just me) [15:35]
mhayden: evrardjp: glad to know my thinking is on the right track! :P [15:35]
evrardjp: it's a pragmatic view that I share :) [15:35]
* mhayden fistbumps evrardjp [15:35]
evrardjp: we could have all the components using SSL, but all the openstack components aren't that fond of it [15:36]
mhayden: true [15:36]
mhayden: the rabbitmq encryption seems to be okay [15:36]
mhayden: works well in aio setups [15:36]
mattt: "tested in an AIOP" [15:36]
mattt: *AIO [15:36]
mattt: :P [15:36]
mhayden: mattt: haha, it shouldn't be that different across the network [15:37]
mhayden: no different than unencrypted [15:37]
mhayden: the TCP connection setup is the same, with a little added TLS negotiation [15:37]
palendae: Encrypt down to the RAM [15:37]
mhayden: but nova keeps a connection open to rabbit, so it's not like it's reconnecting and renegotiating constantly [15:37]
mhayden: anyone doing fosdem this year? [15:37]
evrardjp: it would be nice to have a view of how many deployer use which of the following scenarii: http://docs.openstack.org/security-guide/secure-communication/secure-reference-architectures.html#cryptographic-separation-of-external-and-internal-environments [15:37]
*** javeriak has joined #openstack-ansible [15:38]
evrardjp: sorry for my english and for the typos, but I guess you understand what I meant :p [15:38]
mhayden: yup [15:38]
mhayden: wow, you're better at english than i am -- i didn't know scenarii was a word! [15:38]
* mhayden looked it up [15:38]
*** javeriak has quit IRC [15:38]
*** javeriak has joined #openstack-ansible [15:39]
evrardjp: mhayden, it's latin ;) [15:39]
mattt: mhayden: don't you even latin bro [15:39]
mhayden: BREH [15:39]
evrardjp: mhayden, I should be at the fosdem [15:39]
mhayden: i'd like to go this year [15:40]
evrardjp: it's close to my home ;) [15:40]
mhayden: need to see if i can get some time to work in the UK office so i can harass mattt with canada jokes [15:40]
evrardjp: If no problem with my schedule, I'll be there and even help to hold the OpenStack stand (if any) [15:40]
evrardjp: about nova and rabbit, I've seen plenty of cases when it's reconnecting and renegotiating in the past [15:41]
* mattt pre-emptively books some vacation [15:41]
evrardjp: of reconnections/renegotiations* [15:41]
mattt: mhayden: you should -- last time you were in UK you didn't spend any time in the office did you? [15:42]
*** javeriak_ has joined #openstack-ansible [15:42]
*** javeriak has quit IRC [15:44]
*** cloudtrainme has quit IRC [15:51]
*** ysm has joined #openstack-ansible [15:51]
*** javeriak_ has quit IRC [15:54]
*** phiche has quit IRC [15:56]
*** rajalokan has joined #openstack-ansible [16:03]
*** sdake_ has joined #openstack-ansible [16:03]
*** greg_a has joined #openstack-ansible [16:06]
*** sdake has quit IRC [16:06]
*** phalmos has joined #openstack-ansible [16:07]
*** jaypipes is now known as leakypipes [16:09]
*** mss has joined #openstack-ansible [16:10]
*** javeriak has joined #openstack-ansible [16:13]
*** phalmos has quit IRC [16:16]
*** gouthamr_ has quit IRC [16:17]
*** gouthamr has joined #openstack-ansible [16:19]
*** phalmos has joined #openstack-ansible [16:25]
*** skamithi has joined #openstack-ansible [16:27]
*** sdake_ is now known as sdake [16:28]
*** cloudtrainme has joined #openstack-ansible [16:31]
*** greg_a has quit IRC [16:35]
*** cloudtrainme has quit IRC [16:36]
*** tnarg has joined #openstack-ansible [16:37]
mhayden: mattt: unfortunately, i didn't [16:41]
mhayden: i was like "we should totally go" and my wife was like "i'm going to hurt you" [16:41]
evrardjp: :) [16:42]
evrardjp: come to fosdem with your wife, it's gonna be interesting. [16:42]
mattt: she won't enjoy fosdem, i can assure you of that :) [16:44]
mattt: plenty of other things for her to do in Brussels tho [16:44]
evrardjp: I confirm [16:44]
*** mgoddard_ has joined #openstack-ansible [16:45]
*** karimb has joined #openstack-ansible [16:46]
*** ysm has quit IRC [16:47]
*** mgoddard__ has quit IRC [16:48]
*** mgoddard_ has quit IRC [17:01]
*** mgoddard has joined #openstack-ansible [17:01]
*** rajalokan has quit IRC [17:09]
*** skamithi has quit IRC [17:15]
*** skamithi has joined #openstack-ansible [17:17]
*** daneyon has joined #openstack-ansible [17:18]
*** ysm has joined #openstack-ansible [17:20]
bgmccollum: anyone running kilo head with rabbit affinity set to 3? [17:22]
*** luckyinva has quit IRC [17:26]
*** subscope has joined #openstack-ansible [17:30]
*** rajalokan has joined #openstack-ansible [17:33]
bgmccollum: https://bugs.launchpad.net/openstack-ansible/+bug/1513668 [17:35]
openstack: Launchpad bug 1513668 in openstack-ansible "RabbitMQ: unable to connect to node: nodedown during `Enable queue mirroring`" [Undecided,In progress] - Assigned to Byron McCollum (byron-mccollum) [17:35]
*** Jezogwza_ has joined #openstack-ansible [17:37]
bgmccollum: mhayden: ^ might be related to change https://github.com/openstack/openstack-ansible/commit/52a644757031ee7e65d5399611e5d020686f98f0 --- thoughts? [17:39]
*** ysm has quit IRC [17:39]
*** jimchou has quit IRC [17:45]
*** ysm has joined #openstack-ansible [17:45]
*** ysm has quit IRC [17:59]
mhayden: bgmccollum: hmm, let me look right quick [18:00]
*** gouthamr_ has joined #openstack-ansible [18:02]
*** gouthamr has quit IRC [18:03]
mhayden: does queue mirroring require the rabbit nodes to talk to one another? [18:04]
mhayden: it's been a while since i've been down this path [18:04]
mhayden: oh, finally got to the bottom of your bug report [18:07]
mhayden: so /etc/rabbitmq seems to have 755 on the directory [18:08]
mhayden: (which is the default) [18:08]
*** ysm has joined #openstack-ansible [18:08]
mhayden: bgmccollum: so going 0750 -> 0755 broke the mirrored queues? [18:09]
*** gouthamr has joined #openstack-ansible [18:22]
mhayden: bgmccollum: doing a little testing right quick [18:23]
jmccrory: from that log, it looks like directory permissions are only 755 on the first node, 750 on the other two. should be set correctly from the task though https://github.com/openstack/openstack-ansible/blob/kilo/playbooks/roles/rabbitmq_server/tasks/rabbitmq_pre_install.yml#L54-L57 [18:24]
mhayden: jmccrory: you might be right on that one [18:25]
*** gouthamr_ has quit IRC [18:25]
mhayden: looks like we might need an explicit permission setting for the directory as well as the cert/ke [18:25]
mhayden: y [18:25]
jmccrory: and if it's running as rabbitmq, it wouldn't have access to a root:root 750 folder [18:25]
mhayden: right [18:26]
mhayden: probably belongs in rabbitmq_ssl_key_distribute.yml [18:26]
mhayden: bgmccollum: want me to toss a patch out there? [18:27]
*** rady has quit IRC [18:38]
*** cloudtrainme has joined #openstack-ansible [18:38]
openstackgerrit: Major Hayden proposed openstack/openstack-ansible: Fixing /etc/rabbitmq permission bug https://review.openstack.org/242595 [18:42]
mhayden: bgmccollum: ^^ [18:42]
*** rady has joined #openstack-ansible [18:43]
*** jmckind has joined #openstack-ansible [18:44]
*** cloudtrainme has quit IRC [18:55]
*** tiagogomes_ has quit IRC [18:57]
*** cloudtrainme has joined #openstack-ansible [19:01]
*** alkari has joined #openstack-ansible [19:05]
spotz: ls [19:07]
spotz: woops:) [19:07]
*** ysm has quit IRC [19:08]
*** eil397 has joined #openstack-ansible [19:12]
bgmccollum: mhayden: thanks... [19:13]
bgmccollum: mhayden: dropping patch in my build pipeline for testing [19:15]
*** cloudtrainme has quit IRC [19:18]
*** karimb has quit IRC [19:22]
*** cloudtrainme has joined #openstack-ansible [19:25]
* mhayden crosses fingers for bgmccollum [19:28]
*** ysm has joined #openstack-ansible [19:29]
*** galstrom_zzz is now known as galstrom [19:31]
*** openstackstatus has joined #openstack-ansible [19:34]
*** ChanServ sets mode: +v openstackstatus [19:34]
*** alkari has quit IRC [19:36]
*** ysm has quit IRC [19:36]
*** cloudtrainme has quit IRC [19:37]
-openstackstatus- NOTICE: Gerrit will be offline at 20:00-20:15 UTC today (starting 20 minutes from now) for scheduled project rename maintenance [19:39]
*** phalmos has quit IRC [19:43]
*** jmckind is now known as jmckind_ [19:51]
*** phalmos has joined #openstack-ansible [19:52]
*** cloudtrainme has joined #openstack-ansible [19:55]
*** ysm has joined #openstack-ansible [19:59]
*** mgoddard_ has joined #openstack-ansible [20:00]
-openstackstatus- NOTICE: Gerrit is offline until 20:15 UTC today for scheduled project rename maintenance [20:00]
*** ChanServ changes topic to "Gerrit is offline until 20:15 UTC today for scheduled project rename maintenance" [20:00]
*** galstrom is now known as galstrom_zzz [20:01]
*** mgoddard has quit IRC [20:03]
*** skamithi has quit IRC [20:05]
*** skamithi has joined #openstack-ansible [20:05]
*** jroll is now known as tjroll [20:07]
*** jmckind_ is now known as jmckind [20:08]
*** rady has quit IRC [20:10]
mhayden: OMGERRIT [20:11]
*** cloudtrainme has quit IRC [20:12]
*** skamithi has quit IRC [20:23]
*** rady has joined #openstack-ansible [20:24]
*** Mudpuppy has joined #openstack-ansible [20:35]
*** ChanServ changes topic to "Topic: Launchpad: https://launchpad.net/openstack-ansible Weekly Meetings: https://wiki.openstack.org/wiki/Meetings/openstack-ansible || Repo rename from stackforge/os-ansible-deployment to openstack/openstack-ansible happens Sept 11 2015 23:00 to 23:30. See https://review.openstack.org/#/c/200730/" [20:35]
*** k_stev has joined #openstack-ansible [20:36]
*** tnarg_ has joined #openstack-ansible [20:37]
*** tnarg has quit IRC [20:40]
*** cloudtrainme has joined #openstack-ansible [20:44]
*** gouthamr has quit IRC [20:45]
*** karimb has joined #openstack-ansible [20:47]
*** karimb has quit IRC [20:47]
*** karimb has joined #openstack-ansible [20:48]
*** cloudtrainme has quit IRC [20:55]
*** harlowja_ has joined #openstack-ansible [20:56]
*** harlowja has quit IRC [20:56]
*** openstackgerrit has quit IRC [21:01]
*** openstackgerrit has joined #openstack-ansible [21:02]
prometheanfire: neat [21:07]
*** galstrom_zzz is now known as galstrom [21:09]
*** cloudtrainme has joined #openstack-ansible [21:10]
*** k_stev has quit IRC [21:25]
*** gouthamr has joined #openstack-ansible [21:25]
*** k_stev has joined #openstack-ansible [21:25]
*** admiralboom has joined #openstack-ansible [21:35]
*** subscope has quit IRC [21:39]
*** phalmos has quit IRC [21:41]
*** javeriak has quit IRC [21:50]
*** galstrom is now known as galstrom_zzz [21:54]
*** alejandrito has quit IRC [21:56]
*** antonym has joined #openstack-ansible [22:00]
mhayden: is it possible to get a role from within openstack's github into ansible-galaxy? [22:01]
*** August1914 has joined #openstack-ansible [22:01]
*** August1914 has quit IRC [22:03]
*** August1914 has joined #openstack-ansible [22:03]
*** August1914 has quit IRC [22:04]
*** rady has quit IRC [22:05]
*** August1914 has joined #openstack-ansible [22:05]
*** daneyon has quit IRC [22:10]
*** rady has joined #openstack-ansible [22:18]
*** August1914 has left #openstack-ansible [22:23]
*** August1914 has joined #openstack-ansible [22:24]
*** August1914 has quit IRC [22:26]
*** August1914 has joined #openstack-ansible [22:26]
mhayden: so i'm wondering if i should make hard failures in openstack-ansible-security configurable... [22:28]
bgmccollum: whats an example of a hard failure that you might want to ignore? [22:28]
mhayden: https://gist.github.com/major/1b97999a7ec7dfce0768 [22:29]
mhayden: i converted those from debug to fail [22:29]
mhayden: but i'm wondering if there should be a "skip failure checks" variable of some sort [22:29]
mhayden: so that the playbook won't die right there [22:29]
bgmccollum: what about generating a report of "failing" items...but not actually hard fail... [22:30]
mhayden: might be useful [22:31]
bgmccollum: i haven't looked too close, but are most of the items just auditing, or does it bring the system into compliance where possible? [22:31]
mhayden: the vast majority of the role actually brings the system into compliance [22:32]
bgmccollum: bring_into_compliance: [true, false] [22:32]
bgmccollum: report_compliance: [true, false] [22:32]
mhayden: but the particular example i noted would change pam configs [22:32]
mhayden: which is scary [22:32]
mhayden: so i created exceptions for some of those really sensitive changes [22:32]
mhayden: and i just search for certain bad things and report on them so a deployer could consider how they want to fix it [22:32]
bgmccollum: well_do_it_live: [true, false] [22:32]
*** greg_a has joined #openstack-ansible [22:32]
mhayden: lol [22:33]
bgmccollum: maybe a separate preflight audit for those scary items...generate a report, with details how the deployer can fix them manually...then an option to skip the preflight audit, so the other tasks to do bring the system into compliance are applied... [22:34]
bgmccollum: or a var for each task...warn (debug), or fail [22:35]
bgmccollum: but thats tedious to maintain [22:35]
*** rady has quit IRC [22:36]
bgmccollum: warn (debug), fail, or fix (default)...so you could override to fail or warn based on your comfort [22:36]
mhayden: good ideas [22:37]
mhayden: i'll ponder [22:37]
mhayden: did the rabbit fix work, bgmccollum ? [22:37]
bgmccollum: it should, but im having other transient failures because the successerator was removed from RPC... [22:37]
* mhayden whistles [22:38]
bgmccollum: i manually chmod'd the directory, and ran the playbooks on a different environment, and it got past that part...so id say yeah it worked [22:38]
mhayden: woot [22:39]
mhayden: okay, i'm going to go enjoy some rush hour traffic on I-35 [22:39]
mhayden: y'all have a good one [22:39]
bgmccollum: mhayden +1'd review [22:40]
bgmccollum: mhayden: adios [22:40]
stevelle_: mhayden: so ignore_errors: yes seems like someone can optionally add to a playbook to collect a complete set of sensitive changes? [22:40]
bgmccollum: stevelle_ mhayden: still would need to coalesce the warnings, else they just scroll by and you might not even notice anything was wrong... [22:43]
stevelle_: I would disagree that this needs to be done. Text processing as an exercise for the reader [22:44]
*** stevelle_ is now known as stevelle [22:44]
stevelle: don't use that flag unless you know it's failing anyway [22:45]
bgmccollum: what do you mean you didn't parse the 16MB log file for things that might be interesting... [22:45]
bgmccollum: ;) [22:45]
stevelle: also don't run -vvvv [22:45]
stevelle: unless you need to [22:45]
stevelle: your shell has all the tools you need to coalesce is my point [22:46]
*** ysm has quit IRC [22:46]
bgmccollum: your shell has all the tools to deploy openstack ;) [22:47]
stevelle: which is why ansible uses it to do everything [22:47]
bgmccollum: then why use ansible? [22:48]
bgmccollum: convenience? [22:48]
stevelle: not entirely sure I need to defend the use of ansible here :P [22:50]
stevelle: I think I would agree with the idea of segregating the audit vs the mutator tasks [22:50]
bgmccollum: all im saying is, you shouldn't set the expectation that a role is going to bring a system into security compliance, but only in certain circumstance, and not easily surface those exceptions in a user friendly manner, rather than expecting the user to whip up their own log parses [22:51]
stevelle: that would also make it easier to report on [22:51]
*** k_stev has quit IRC [22:51]
*** greg_a has quit IRC [22:51]
bgmccollum: so in some what agreement :) [22:51]
stevelle: ansible does report the outcome of tasks, already, and operating linux is not something you can make idiot proof. some ability to perform text manipulation shouldn't be out of the question for the operator [22:52]
stevelle: certainly not a closed question of how much you do to help, in my mind, but I'm skeptical of trying to do too much [22:53]
bgmccollum: are ignored fails tallied? debugs certainly not in the summary [22:53]
stevelle: I would need to play with ignore_errors to see if that idea is valid [22:54]
*** jmckind is now known as jmckind_ [22:58]
*** jmckind_ has quit IRC [23:00]
*** tnarg_ has quit IRC [23:18]
*** tnarg has joined #openstack-ansible [23:19]
*** tnarg_ has joined #openstack-ansible [23:20]
*** tnarg has quit IRC [23:24]
*** mgoddard_ has quit IRC [23:30]
*** spotz is now known as spotz_zzz [23:31]
*** cloudtrainme has quit IRC [23:31]
Guest28399: anyone know where openstack gets its nova hypervisor-stats from? it's showing my local_gb as 5GB only, while cinder has plenty of space [23:37]
Guest28399: it's causing failures to spawn new instances because the aggregatediskfilter assumes there is not enough space available [23:38]
Guest28399: (if i disable the aggregatediskfilter, everything works correctly) [23:38]
*** Mudpuppy has quit IRC [23:47]
