Friday, 2017-03-17

*** LinStatSDR has joined #openstack-ansible		00:11
cloudnull	xdfil: I don't believe so. should be ok to randomize and go.	00:15
openstackgerrit	Merged openstack/openstack-ansible-os_cinder master: Add support for cinder v3 api https://review.openstack.org/446503	00:16
*** LinStatSDR has left #openstack-ansible		00:18
*** woodard has quit IRC		00:21
*** woodard has joined #openstack-ansible		00:21
openstackgerrit	Kevin Carter (cloudnull) proposed openstack/openstack-ansible-ops master: define the default kernel statically https://review.openstack.org/446790	00:24
*** Jeffrey4l has quit IRC		00:25
*** jrobinson has quit IRC		00:27
*** weezS has quit IRC		00:35
*** sukesh has quit IRC		00:38
*** gouthamr has joined #openstack-ansible		00:38
*** deadnull has quit IRC		00:48
*** acormier has joined #openstack-ansible		00:53
*** SerenaFeng has joined #openstack-ansible		00:59
*** cuongnv has joined #openstack-ansible		01:00
*** MasterOfBugs has quit IRC		01:01
*** acormier has quit IRC		01:02
*** acormier has joined #openstack-ansible		01:02
*** jrobinson has joined #openstack-ansible		01:03
*** acormier has quit IRC		01:08
*** weezS has joined #openstack-ansible		01:19
*** schwicht has joined #openstack-ansible		01:22
*** galstrom_zzz is now known as galstrom		01:26
*** SerenaFeng has quit IRC		01:26
*** SerenaFeng has joined #openstack-ansible		01:37
*** schwicht has quit IRC		01:44
*** schwicht has joined #openstack-ansible		01:45
*** schwicht_at_work has joined #openstack-ansible		01:47
*** schwicht has quit IRC		01:50
*** Jeffrey4l has joined #openstack-ansible		01:53
*** jamielennox is now known as jamielennox\|away		01:56
*** jamielennox\|away is now known as jamielennox		02:01
*** eki__ has joined #openstack-ansible		02:02
eki__	someone interested in trying to help me figure out why I can't ping my openStack routers from my aio host?	02:04
*** schwicht_at_work has quit IRC		02:12
*** jwitko has quit IRC		02:13
*** Jeffrey4l has quit IRC		02:14
*** Jeffrey4l has joined #openstack-ansible		02:14
*** cuongnv has quit IRC		02:29
*** cuongnv has joined #openstack-ansible		02:32
*** sanfern has joined #openstack-ansible		02:33
*** winggundamth has joined #openstack-ansible		02:37
*** sanfern has quit IRC		02:39
*** Jeffrey4l has quit IRC		02:41
*** Jeffrey4l has joined #openstack-ansible		02:41
*** cathrich_ has joined #openstack-ansible		02:47
*** cathrichardson has quit IRC		02:47
*** Mahe has quit IRC		02:48
*** Mahe has joined #openstack-ansible		02:50
*** gouthamr has quit IRC		03:01
*** weezS has quit IRC		03:02
*** acormier has joined #openstack-ansible		03:04
*** weezS has joined #openstack-ansible		03:04
*** jrobinson has quit IRC		03:08
*** galstrom is now known as galstrom_zzz		03:10
*** crushil has joined #openstack-ansible		03:20
*** weezS has quit IRC		03:22
*** SerenaFeng has quit IRC		03:24
*** SerenaFeng has joined #openstack-ansible		03:24
*** acormier has quit IRC		03:27
*** galstrom_zzz is now known as galstrom		03:28
*** SerenaFeng has quit IRC		03:29
*** LinStatSDR has joined #openstack-ansible		03:29
*** weezS has joined #openstack-ansible		03:33
*** markvoelker_ has quit IRC		03:53
*** udesale has joined #openstack-ansible		04:00
*** LinStatSDR has quit IRC		04:05
*** galstrom is now known as galstrom_zzz		04:07
openstackgerrit	Ravi Kumar Boyapati proposed openstack/openstack-ansible-rsyslog_client master: Fix remote logging template https://review.openstack.org/446838	04:14
eki__	I am just going to write the problem, if anyone has any advice it would be awesome.	05:06
eki__	I am installing openstack aoi on a machine with single interface (eth0). The installation works perfectly, everything seems fine. I can create instances, networks,routers and access horizon. The problem is I can't figure out how to configure the routers so the instances can access internet.	05:06
eki__	What should I configure as external network? Is it the br-vxlan or br-vlan networks or my real physical network? There must be few ways to do this, but what would be the correct way of doing this with aoi, or does it simply depend on what I have configured in openstack_user_config.yml, or can I use the default configuration?	05:06
eki__	I have been reading the documentation for a bit but can't figure it out	05:08
eki__	the main problem seems to be that I can't connect to the routers I create	05:10
*** sanfern has joined #openstack-ansible		05:12
*** crushil has quit IRC		05:12
*** Jack_Iv has joined #openstack-ansible		05:24
*** sanfern has quit IRC		05:28
*** sanfern has joined #openstack-ansible		05:28
xdfil	eki__ what is your eth0 config ?	05:31
eki__	first tried with static ip	05:32
xdfil	can i see it?	05:32
eki__	paste here?	05:33
eki__	just nuked the whole install too	05:33
xdfil	idk if that will work	05:33
xdfil	ppl use those paste services	05:33
*** shausy has joined #openstack-ansible		05:34
eki__	http://pastebin.com/NFRgVEtp	05:34
xdfil	logan- I fixed the storwize issue, been working on bgp	05:34
eki__	that is what I have now since I nuked	05:34
eki__	I did have promisc + broadcast before too	05:34
xdfil	logan- trying to figure out how to make the container bgp iface ip static	05:35
eki__	I also tried moving the ip settings to a bridge but I currently don't have real understing what I am supposed to do	05:35
eki__	is it supposed to work as it is on clean install?	05:36
*** NikhilS has joined #openstack-ansible		05:36
xdfil	eki__ make a bridge interface and put the IP from eth0 on the bridge interface instead	05:36
eki__	will do	05:36
xdfil	then you should be able to specify the bridge interface as a flat network in neutron	05:37
eki__	should I name the bridge to something that openstack expects or separete?	05:37
xdfil	br-provider is common	05:37
xdfil	I hate all the bridge names in openstack	05:39
xdfil	i hate wahat the openstack comunity names things	05:39
xdfil	eki__ full disclosure: ive never done an AIO install and I've given people bad advice in the past	05:41
eki__	ok	05:41
xdfil	I don't know what an AIO looks like	05:41
eki__	should be fine :D	05:41
eki__	http://pastebin.com/4b72fktL	05:41
xdfil	i'm already confused by the fact you have no brdiges for trhe containers?	05:41
eki__	I have been hitting my head to wall for a day now	05:41
eki__	xdfil: there will be once I run the installer	05:42
eki__	"nuked the whole thing, and in process to build it from start"	05:42
eki__	sorry shoudl have specified that	05:42
xdfil	ohhhh	05:42
eki__	just running the bootstrap-aio.sh	05:44
eki__	have to take look at the openstack_user_config.ym before running the all the other playbooks	05:45
eki__	xdfil: thanks for helping out :D	05:46
*** weezS has quit IRC		05:48
eki__	http://pastebin.com/feZ7Z25x that is the default openstack_user_config.yml with aio	05:48
eki__	or what was genereated for me	05:48
eki__	there is no mention of eth0 nor br-provider, should there be?	05:49
eki__	and state of my interfaces http://pastebin.com/37R15JGm	05:51
eki__	in my /etc/network/interfaces.d/osa_interfaces.cfg <- automatically generated (http://pastebin.com/pUQUwVmG) there is this line	05:55
eki__	" # To provide internet connectivity to instances"	05:55
eki__	which is on br-vxlan	05:55
eki__	makes me think I am supposed to configure router with external interface on the same network as the br-vxlan ( in my case 172.29.240/22)	05:56
eki__	aand those exact rules are configure for eth0	05:57
eki__	shoudln't those be br-provider	05:57
*** SerenaFeng has joined #openstack-ansible		05:57
eki__	will give this idea a try	05:58
xdfil	just do br-mgmt and br-vlan	05:58
xdfil	but the "flat" onew	05:59
xdfil	but the "flat" one	05:59
xdfil	not the "vlan" one	05:59
eki__	remove others?	05:59
xdfil	yes	05:59
xdfil	you don't need vxlan storage	06:00
*** SerenaFeng has quit IRC		06:00
xdfil	actually	06:00
xdfil	keep both vlan bridges	06:00
eki__	ok	06:00
eki__	so no removing of bridges	06:01
eki__	or just keep the vlan ones	06:01
eki__	aa	06:01
xdfil	i think i see whats going on they share out the br-vlan as vlan 1 to do a provider network	06:01
eki__	brmgmt and br-vlan and br-vlanx	06:01
xdfil	vlans and mgmt	06:02
xdfil	no vlanx	06:02
xdfil	well wait	06:02
eki__	*vxlan	06:02
xdfil	it doesnt mattee	06:02
*** Jeffrey4l has quit IRC		06:02
xdfil	if you want to play with vlanx do it	06:02
xdfil	but you dont need it to do the basic stuff	06:03
eki__	for now I want to figure out how to connect to instance from the host	06:03
xdfil	like connect instances to the internet	06:03
xdfil	ogh	06:03
eki__	and internet	06:03
xdfil	connecting to the host can be anissue	06:03
xdfil	It might not be possible	06:04
eki__	hmmm	06:04
eki__	connecting from the host --> instance?	06:04
*** SerenaFeng has joined #openstack-ansible		06:04
xdfil	yes its a common issue in virtulization	06:05
eki__	how would you connect to it then?	06:05
eki__	from other computer in external network?	06:05
xdfil	yes short answer	06:05
*** jascott1- is now known as jascott1		06:06
xdfil	idk i'm sure if you messed with it it could work, I dont thing the linux bridge is the issue but maybe LXC networking stuff or apparmor would get in your way	06:06
xdfil	maybe what i;m thinking only applys to macvtap	06:07
eki__	hmmm	06:07
eki__	in short no removing of stuff?	06:09
eki__	I will build with the defaults , and this time make the router have ip from external group and try pingin from different host	06:13
eki__	didn't think that would be a problem	06:13
*** Jeffrey4l has joined #openstack-ansible		06:17
*** Amit82 has joined #openstack-ansible		06:34
Amit82	Hi All	06:36
eki__	hi	06:36
Amit82	muxdeamon: Yesterday, you shared your openstack_user_config.yml and /etc/network/interfaces files with me.	06:37
Amit82	could you please tell that in "external_lb_vip_address: openstack.willsher.systems" openstack.willsher.systems corresponds to IP on which interface	06:38
Amit82	?	06:38
*** sanfern has quit IRC		06:38
Amit82	does it bind to ip on en0?	06:38
*** sanfern has joined #openstack-ansible		06:39
*** yolanda has joined #openstack-ansible		06:45
*** McMurlock1 has joined #openstack-ansible		06:54
*** fxpester has joined #openstack-ansible		07:03
*** basilAB_ has quit IRC		07:18
*** SerenaFeng has quit IRC		07:19
*** aetaric has quit IRC		07:19
*** mrhillsman has quit IRC		07:20
*** vaishali has joined #openstack-ansible		07:23
*** basilAB has quit IRC		07:23
*** aetaric has joined #openstack-ansible		07:24
*** basilAB has joined #openstack-ansible		07:26
*** SerenaFeng has joined #openstack-ansible		07:30
*** mrhillsman has joined #openstack-ansible		07:33
*** manheim has joined #openstack-ansible		07:35
*** manheim has quit IRC		07:37
*** manheim has joined #openstack-ansible		07:38
*** manheim has joined #openstack-ansible		07:38
*** pcaruana has joined #openstack-ansible		07:43
*** Jack_Iv has quit IRC		07:52
*** Jack_Iv has joined #openstack-ansible		07:52
*** Jack_Iv has quit IRC		07:56
*** sunjon_ has quit IRC		07:58
*** Jack_Iv has joined #openstack-ansible		08:01
*** sanfern has quit IRC		08:03
*** pmannidi has quit IRC		08:04
*** sanfern has joined #openstack-ansible		08:04
*** DimGR has joined #openstack-ansible		08:06
*** Jack_Iv has quit IRC		08:22
*** sanfern has quit IRC		08:23
*** Jack_Iv has joined #openstack-ansible		08:23
*** Jack_Iv has quit IRC		08:27
*** shausy has quit IRC		08:33
*** shausy has joined #openstack-ansible		08:34
*** udesale has quit IRC		08:41
*** vnogin has joined #openstack-ansible		08:41
*** udesale has joined #openstack-ansible		08:41
admin0	morning all \o	08:45
eki__	morning	08:54
eki__	xdfil: no luck pinging from outside	09:00
eki__	:/	09:00
*** shardy has joined #openstack-ansible		09:01
eki__	is there some security/firewall settings that need to be changed to be able to ping routers?	09:02
*** sanfern has joined #openstack-ansible		09:05
*** david-lyle_ has joined #openstack-ansible		09:18
*** david-lyle has quit IRC		09:18
admin0	check routing :)	09:20
*** lwiecek has joined #openstack-ansible		09:20
*** karimb has joined #openstack-ansible		09:24
*** qiliang27 has quit IRC		09:33
openstackgerrit	Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/mitaka: Update all SHAs for 13.3.17 https://review.openstack.org/446468	09:38
openstackgerrit	Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible master: Update all SHAs for Pike 2017-03-16 https://review.openstack.org/446397	09:40
*** hamza has joined #openstack-ansible		09:43
openstackgerrit	Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/ocata: Revert to setuptools 33.1.1 https://review.openstack.org/446922	09:44
openstackgerrit	Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/newton: Revert to setuptools 33.1.1 https://review.openstack.org/446923	09:45
odyssey4me	andymccr unfortunately the new setuptools just got blocked too - I guess we should hold off those changes indefinitely until we see a month of no changes upstream	09:45
andymccr	odyssey4me: sounds good	09:46
openstackgerrit	Merged openstack/openstack-ansible-repo_build stable/newton: Updates to support ignored packages and external indexes https://review.openstack.org/446719	09:48
odyssey4me	andymccr argh: http://logs.openstack.org/periodic/periodic-openstack-ansible-upgrade-aio-master-ubuntu-xenial/573a6b7/console.html#_2017-03-17_08_06_22_464572	09:48
odyssey4me	the swift deployment failed in the upgrade due to the min_part_hours	09:48
andymccr	odyssey4me: there is a var you can set to get around that - we do that in the swift gate	09:48
odyssey4me	you've worked around that in the role tests right? all we do is add an override var for the AIO config I guess?	09:48
andymccr	swift_pretend_min_part_hours_passed: True	09:49
DimGR	when doing in Ocata 15.0 lxc-container-create.yml --limit neutron_all it complains about http://paste.openstack.org/show/603020/ if i run it without the --limit it finishes fine . is this a user error or bug ?	09:51
*** SerenaFeng has quit IRC		09:57
*** vnogin has quit IRC		10:03
openstackgerrit	Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible master: Bypass min_part_hours check for the AIO https://review.openstack.org/446932	10:04
odyssey4me	andymccr ^	10:04
andymccr	odyssey4me: btw do you still have the failed gate? i think there may be a bug there that can be fixed	10:05
odyssey4me	andymccr what do you mean?	10:05
odyssey4me	DimGR if you want to limit for that playbook you must also include lxc_hosts as the playbook uses host delegation and needs to gather facts from them	10:06
odyssey4me	ie lxc-container-create.yml --limit lxc_hosts,neutron_all	10:06
andymccr	odyssey4me: well there should be no change in the ring so it shouldnt try a rebalance, i think it tries a rebalance and doesnt recognize that there is no change (possibly)	10:07
odyssey4me	andymccr hmm, this is after an upgrade so surely it should need to anyway due to the new code?	10:08
andymccr	odyssey4me: the ring shouldnt change if the hosts/disks haven't afaik, but yeah i'll take a look - i can recreate that pretty easily	10:08
odyssey4me	andymccr that set of task doesn't seem to execute on any conditional except for being the primary in the ring: https://github.com/openstack/openstack-ansible-os_swift/blob/master/tasks/swift_rings.yml#L26	10:10
odyssey4me	https://github.com/openstack/openstack-ansible-os_swift/blob/master/tasks/swift_rings_build.yml#L46	10:10
odyssey4me	there's no conditional to stop it building	10:11
odyssey4me	I'm guessing that you might have meant for the swift_rings_check to produce a result, then for the build to happen if that result was that it was needed?	10:12
*** cuongnv has quit IRC		10:15
*** shausy has quit IRC		10:16
*** shausy has joined #openstack-ansible		10:16
openstackgerrit	Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible stable/newton: Updates to support ignored packages and external indexes https://review.openstack.org/446718	10:18
andymccr	odyssey4me: yeah it'll happen in the execution of the script itself (so swift_rings.py shouldnt try the rebalance so it wouldnt then fail) but that can be fixed :)	10:20
odyssey4me	ah	10:21
odyssey4me	I would think that it'd be better if the script exited with a different return code instead of failing in that condition.	10:21
odyssey4me	ie 0 = success, 1 = fail, 2 = did nothing	10:22
odyssey4me	or something like that	10:22
andymccr	odyssey4me: yeah i thinkso - although i think the problem is we call the ringbuilder swift bits directly now and that will error 1 if you try rebalance and it cant rebalance	10:23
andymccr	so we will need some logic in there but it should be easy enough	10:23
odyssey4me	the alternative would be to add a '--check' parameter which is read only and informs the automation what needs doing	10:23
andymccr	thats a new change in Pike (for our swift role) so it should be fine in Ocata/Newton still	10:23
odyssey4me	perhaps we can get something like that built into the swift tooling so that everyone can benefit from it	10:24
odyssey4me	(similar to what we arranged with keystone)	10:24
*** deadnull has joined #openstack-ansible		10:30
*** deadnull has quit IRC		10:30
odyssey4me	bbiab - off to run some errands	10:32
andymccr	i need to run some errands this afternoon so i probably wont be back online today (or at least much later).	10:37
*** udesale has quit IRC		10:48
*** vnogin has joined #openstack-ansible		10:51
*** smatzek has joined #openstack-ansible		10:52
*** vnogin has quit IRC		10:52
*** vnogin has joined #openstack-ansible		10:52
*** Andrew_jedi has joined #openstack-ansible		10:56
*** rcarrillocruz has quit IRC		11:00
*** karimb has quit IRC		11:04
*** karimb has joined #openstack-ansible		11:06
*** hamza has quit IRC		11:38
*** Jack_Iv has joined #openstack-ansible		11:40
*** Jack_Iv has quit IRC		11:40
*** Jack_Iv has joined #openstack-ansible		11:40
*** winggundamth has quit IRC		11:40
*** shausy has quit IRC		11:51
*** shausy has joined #openstack-ansible		11:51
bww	Hi Amit82: Any luck on AIO external connectivity?	11:51
*** shardy is now known as shardy_lunch		12:04
*** Andrew_jedi has quit IRC		12:07
*** Andrew_jedi has joined #openstack-ansible		12:12
*** LinStatSDR has joined #openstack-ansible		12:14
*** Jack_Iv_ has joined #openstack-ansible		12:15
Amit82	bww: we are able to have external connectivity	12:17
Amit82	but we are not using AIO	12:17
Amit82	we are having two separate machines acting as Controller and Compute node respectively	12:18
*** Jack_Iv has quit IRC		12:18
bww	ok, can you share your deployment configuration and any guides on how you deplyed?	12:20
bww	deployed	12:20
Amit82	I followed the the newton deployment guide	12:20
Amit82	as I have installed Newton release using 14.0.8 tag	12:21
bww	ok, did you have to make any modifications to networking?	12:21
*** LinStatSDR has left #openstack-ansible		12:21
*** woodard has quit IRC		12:24
*** Oku_OS is now known as Oku_OS-away		12:24
*** Oku_OS-away is now known as Oku_OS		12:24
*** woodard has joined #openstack-ansible		12:24
Amit82	bww: I have pasted /etc/network/interfaces from both the nodes and openstack_user_config.yml here: http://paste.openstack.org/show/603118/	12:26
Amit82	hope it helps	12:26
Amit82	We are still facing some issue of loosing connectivity to Compute and Controller node, if we use two NICs	12:27
Amit82	but if we use one extra NIC (eth2) in addition to eth1, for accessing lab n/w, things are working fine	12:28
bww	cool thanks...I am fairly new to deployiong Openstack via Ansible, but getting the hang of it	12:29
*** Jack_Iv_ has quit IRC		12:33
*** markvoelker has joined #openstack-ansible		12:35
*** fandi has joined #openstack-ansible		12:39
*** rpittau has quit IRC		12:41
bww	Amit82	12:45
bww	Is your setup with two servers and the nova is a physical server while the rest of the services like storage, etc are runing on the controller node as LXC containers?	12:46
*** shausy has quit IRC		12:48
Amit82	bww: I am having this example setup: https://docs.openstack.org/project-deploy-guide/openstack-ansible/newton/app-config-test.html#test-environment-config	12:50
Amit82	"Block Storage Host" is not there in my case	12:50
bww	ok cool, so your not running a seprate storage node	12:52
*** Jack_Iv has joined #openstack-ansible		12:52
*** acormier has joined #openstack-ansible		12:52
*** acormier has quit IRC		12:52
*** acormier has joined #openstack-ansible		12:52
*** schwicht has joined #openstack-ansible		12:54
mgariepy	cloudnull, 3.10.0-514.2.2.el7.x86_64	12:54
mgariepy	cloudnull, starting with this image, yum update -y, https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud-1612.raw.tar.gz	12:55
*** acormier has quit IRC		12:55
*** Amit82 has quit IRC		12:55
*** acormier has joined #openstack-ansible		12:55
*** askb has quit IRC		12:56
*** manheim has quit IRC		12:56
*** manheim has joined #openstack-ansible		12:56
mgariepy	cloudnull, http://paste.openstack.org/show/603127/	12:57
*** acormier has quit IRC		12:57
*** muxdaemon has quit IRC		12:59
*** schwicht has quit IRC		13:03
*** schwicht has joined #openstack-ansible		13:05
*** hamza has joined #openstack-ansible		13:06
*** karimb has quit IRC		13:09
*** esberglu has joined #openstack-ansible		13:13
*** esberglu has left #openstack-ansible		13:13
*** esberglu has joined #openstack-ansible		13:13
*** karimb has joined #openstack-ansible		13:18
openstackgerrit	Merged openstack/openstack-ansible stable/newton: Revert to setuptools 33.1.1 https://review.openstack.org/446923	13:18
*** schwicht has quit IRC		13:21
*** gouthamr has joined #openstack-ansible		13:23
*** muxdaemon has joined #openstack-ansible		13:25
*** hamza has quit IRC		13:29
Andrew_jedi	mgariepy: Hi, quick question, If i want to look for neutron code in CentOS7 then i should like in "/usr/share/nova" directory ?	13:30
Andrew_jedi	s/like/look	13:30
*** muxdaemon has quit IRC		13:32
*** smatzek has quit IRC		13:32
odyssey4me	Andrew_jedi our deployment on CentOS is the same as on Ubuntu for the most part	13:33
odyssey4me	certainly for the venvs	13:33
odyssey4me	ie you'll find the venvs in /openstack/venvs	13:33
*** cathrichardson has joined #openstack-ansible		13:34
*** LinStatSDR has joined #openstack-ansible		13:34
Andrew_jedi	odyssey4me: Ohh, yes, i forgot about the venvs. Actually this particular installation is done via ansible but not using OSA for now. I was looking for the location of the actual code to debug an issue.	13:34
odyssey4me	ah ok	13:34
*** cathrich_ has quit IRC		13:36
openstackgerrit	Merged openstack/openstack-ansible stable/ocata: Revert to setuptools 33.1.1 https://review.openstack.org/446922	13:37
admin0	cannot get telemetry to work on AIO	13:37
admin0	:(	13:37
*** LinStatSDR has left #openstack-ansible		13:38
odyssey4me	admin0 do you have a bug report for it?	13:40
odyssey4me	have you figured out anything particular wrong?	13:40
admin0	i am working on gathering all the data	13:41
odyssey4me	the telemetry stuff is a bit weird	13:41
Andrew_jedi	admin0: It was working for me, what is the problem that you are facing ?	13:42
admin0	i think first issue i face is “how to verify its working” :D	13:42
Andrew_jedi	admin0: Check metrics via ceilometer client, create an autoscaling template and test alarms	13:43
admin0	what API commands would verify that its working .. like i do for openstack server list ; openstack image list ; openstack volume list etc	13:44
*** cpuga has joined #openstack-ansible		13:45
*** schwicht has joined #openstack-ansible		13:45
mgariepy	Andrew_jedi, if you are installing from pkg you can list pkg with `rpm -qa` and file with `rpm -qf <pkg>`	13:47
mgariepy	oops, 'rpm -ql <pkg>'	13:48
mgariepy	to list files. -qf can tell you which package a file belong to.	13:48
Andrew_jedi	mgariepy: Awesome, thanks!	13:48
mgariepy	it's impressive what breaks when you checkout cinder role in place of nova...	13:52
*** crushil has joined #openstack-ansible		13:53
*** FrankZhang has joined #openstack-ansible		13:53
*** hamza has joined #openstack-ansible		13:55
odyssey4me	lol	13:55
*** shardy_lunch is now known as shardy		13:56
*** smatzek has joined #openstack-ansible		13:57
*** woodard has quit IRC		13:58
*** FrankZhang has quit IRC		13:58
*** FrankZhang has joined #openstack-ansible		13:58
Andrew_jedi	mgariepy: just found mitaka code in newton package. :p	14:03
mgariepy	Andrew_jedi, where the pakcage comes from ?	14:04
Andrew_jedi	RDO repo, i am looking for a word in english language to express extreme surprise ...	14:05
*** fabg has joined #openstack-ansible		14:13
*** lwiecek has quit IRC		14:14
Andrew_jedi	mgariepy: Correction. Packages are fine, somebody decided to modify one of package file, figured it out via "rpm --verify".	14:16
mgariepy	hehe	14:16
openstackgerrit	Merged openstack/openstack-ansible-ops master: define the default kernel statically https://review.openstack.org/446790	14:16
Andrew_jedi	mgariepy: :p	14:24
*** cjloader has joined #openstack-ansible		14:24
fabg	odyssey4me: hi, did you have time to see https://bugs.launchpad.net/openstack-ansible/+bug/1670632. I know you have more to do :-) Or did someone encounter the same issue on 14.1.1 ?	14:24
openstack	Launchpad bug 1670632 in openstack-ansible "ceilometer error because gnocchiclient > 3.0 for stable/newton " [Undecided,New] - Assigned to Jesse Pretorius (jesse-pretorius)	14:24
admin0	Andrew_jedi:….. for a word in english language to express extreme surprise => Massively surprized	14:25
Andrew_jedi	admin0: try "flabbergasted".	14:26
admin0	and i thought it was german word :D	14:26
admin0	or nordic	14:26
odyssey4me	fabg yeah, sorry - I've been trying to confirm it but have been side-tracked with other issues	14:27
*** chris_hultin\|AWA is now known as chris_hultin		14:30
fabg	odyssey4me: i understand ;-) I follow the osa community activity and i see the mass of work you slaughter :-)	14:30
*** foutatoro has joined #openstack-ansible		14:33
foutatoro	hi, I try to ping an instance in project network from the namespace of dhcp but I get the error "ping: error while loading shared libraries: libcap.so.2: cannot stat shared object: Permission denied"	14:35
foutatoro	did someboby face in OSA with issue before ?	14:36
*** rpittau has joined #openstack-ansible		14:38
*** cathrichardson has quit IRC		14:39
*** cathrichardson has joined #openstack-ansible		14:39
*** jmckind has joined #openstack-ansible		14:42
*** agrebennikov has joined #openstack-ansible		14:46
*** sc68cal has quit IRC		14:47
*** kstev has joined #openstack-ansible		14:48
*** vnogin has quit IRC		14:48
*** acormier has joined #openstack-ansible		14:50
*** fandi has quit IRC		14:53
*** looking_around has joined #openstack-ansible		14:54
*** looking_around has left #openstack-ansible		14:55
*** Dinesh_Bhor has quit IRC		14:56
*** manheim has quit IRC		14:57
*** marst has quit IRC		14:58
foutatoro	any suggestion ? is it a bug with xenial ? ..	14:58
strattao	for the provider networks specified in the openstack_user_config.yml, do I have to specify a “flat” network?	15:03
*** marst has joined #openstack-ansible		15:04
strattao	or can I just use only a vlan provider network for the br-vlan container bridge connection?	15:04
*** ansibleRhino has joined #openstack-ansible		15:04
*** marst has quit IRC		15:05
admin0	strattao . is it post-install question ?	15:05
*** marst has joined #openstack-ansible		15:05
*** fxpester has quit IRC		15:05
strattao	yes - I get an error saying that the flat network is not defined	15:05
strattao	but I don’t want a flat network…	15:05
*** aludwar has quit IRC		15:05
*** aludwar has joined #openstack-ansible		15:06
*** sanfern has quit IRC		15:06
strattao	and can’t figure out what is expecting to use a flat network	15:06
*** fabg has quit IRC		15:07
*** sanfern has joined #openstack-ansible		15:07
*** messy has quit IRC		15:08
*** NikhilS has quit IRC		15:08
*** hamza has quit IRC		15:10
admin0	strattao: you don’t have to use flat network .. you can use vlan to add exsternal network — http://www.openstackfaq.com/openstack-add-floating-ips/	15:12
*** manheim has joined #openstack-ansible		15:15
*** Jack_Iv has quit IRC		15:20
*** Jack_Iv has joined #openstack-ansible		15:21
*** manheim has quit IRC		15:22
*** acormier has quit IRC		15:28
*** vnogin has joined #openstack-ansible		15:30
*** foutatoro has quit IRC		15:31
*** vnogin has quit IRC		15:34
*** vnogin has joined #openstack-ansible		15:34
openstackgerrit	Tom Jose Kalapura proposed openstack/openstack-ansible-rsyslog_client stable/newton: Fix remote logging template https://review.openstack.org/447036	15:39
agrebennikov	seems st patrick's day killed the channel for today :D	15:41
spotz	agrebennikov: It's not helping it no:)	15:42
spotz	I think our fearless leader may still be in Milan or travelling back	15:43
*** galstrom_zzz is now known as galstrom		15:43
agrebennikov	but usually there is pretty active discussion happening by this time during the week... even on fridays ;)	15:44
spotz	Just blame St. Paddy's:)	15:44
*** crushil has quit IRC		15:45
*** Jack_Iv has quit IRC		15:49
strattao	thanks admin0	15:50
*** hamza has joined #openstack-ansible		16:02
*** xinli has joined #openstack-ansible		16:02
*** vishwanathj has joined #openstack-ansible		16:03
admin0	strattao: were yu able to add the IPs ?	16:04
*** Oku_OS is now known as Oku_OS-away		16:05
*** chris_hultin is now known as chris_hultin\|AWA		16:07
*** muxdaemon has joined #openstack-ansible		16:12
*** MasterOfBugs has joined #openstack-ansible		16:17
*** vishwanathj has quit IRC		16:17
*** shananigans has quit IRC		16:23
*** zz_pwnall1337 is now known as pwnall1337		16:25
*** marst has quit IRC		16:28
*** muxdaemo_ has joined #openstack-ansible		16:33
*** Andrew_jedi has quit IRC		16:36
*** muxdaemon has quit IRC		16:37
*** muxdaemo_ has quit IRC		16:38
*** muxdaemon has joined #openstack-ansible		16:39
*** crushil has joined #openstack-ansible		16:40
*** cmart has joined #openstack-ansible		16:42
*** Jack_Iv has joined #openstack-ansible		16:50
*** ansibleRhino has left #openstack-ansible		16:50
*** vnogin has quit IRC		16:52
*** Jack_Iv has quit IRC		16:53
*** acormier has joined #openstack-ansible		16:57
*** Andrew_jedi has joined #openstack-ansible		16:59
cmart	is anyone here using nova libvirt password/key injection? it seems that libguestfs may be broken for OSA Newton.	17:05
odyssey4me	csmart not as far as I know? although I'd like to understand how it's an OSA issue and not a nova/libguestfs issue?	17:07
odyssey4me	perhaps a config problem?	17:07
odyssey4me	by that I mean nova.conf?	17:07
csmart	odyssey4me: cmart ^	17:08
cmart	odyssey4me, nova.conf looks good, I have "inject_partition = -1", "inject_password = True", "inject_key = True"	17:08
csmart	Man, our nics are a bit too similar...	17:09
cmart	when I launch an instance I get the following in nova-compute.log: "Ignoring error injecting data into image <LocalFileImage:{'path': '/var/lib/nova/instances/0c32099c-c6da-4505-a8a0-69bd26b2bb5f/disk', 'format': 'qcow2'}> (libguestfs installed but not usable (/usr/bin/supermin exited with error status 1."	17:09
odyssey4me	lol	17:09
* csmart goes back to sleep :-)		17:09
csmart	\o	17:09
odyssey4me	hmm, tell me that whatever is trying to do this is running on bare metal - not in a container?	17:10
odyssey4me	whoops, sorry csmart	17:10
*** hamza has quit IRC		17:10
cmart	odyseey4me, yes, this is on a compute host	17:10
odyssey4me	as far as I recall, that function should be happening on the compute hosts - and libguestfs can only build the supermin on a bare metal host	17:10
odyssey4me	hmm, ok, so either we're missing a package, some config or something is broken in ubuntu?	17:11
odyssey4me	can you validate with someone who has done this at all that you have the right config in nova.conf and the right packages - it might be worth pinging the openstack-operators list about it	17:12
csmart	odyssey4me: all good, even I do a double take when cmart talks :-) later	17:12
odyssey4me	of course, one could hope that someone in here has a working setup and can help troubleshoot	17:13
odyssey4me	not sure if logan- or jmccrory make use of that and can help troubleshoot	17:13
odyssey4me	or agrebennikov	17:14
cmart	odyssey4me could do, but the libvirt section of nova.conf looks good according to the various blog entries I've read. I believe this is the code that Nova executes to produce the error: https://github.com/openstack/nova/blob/c6cb5cf1ba0b1483951f3d236c53ff7924f3d7af/nova/virt/disk/vfs/guestfs.py#L76	17:15
cmart	Also, below that error is this: "To see full error messages you may need to enable debugging. Do: export LIBGUESTFS_DEBUG=1 LIBGUESTFS_TRACE=1 and run the command again."	17:16
cmart	(I'm not sure how to pass environment variables to the running Nova service)	17:17
cmart	So I'm unsure if this is an OSA issue at all, just curious if others have gotten this working.	17:17
*** pcaruana has quit IRC		17:18
cmart	overall I'd rather not do it this way and just use cloud-init to inject the SSH key, but we have some years-old images without cloud-init, that we still need to support.	17:23
odyssey4me	yeah, I think the majority of people use cloud-init	17:26
agrebennikov	cmart, sorry, I guess I'm missing the context a little bit... how may I help having baremetals?	17:28
*** muxdaemon has quit IRC		17:29
agrebennikov	odyssey4me, is that still valid?	17:29
cmart	agrebennikov just having a trouble with libvirt key injection on the compute host, which uses libguestfs.	17:30
agrebennikov	config drive you mean?	17:30
odyssey4me	no, the libvirt key injection actually modifies the image on the compute host using libguestfs instead of using cloud-init (which uses config drive) IIRC	17:31
agrebennikov	ah, yeah, sorry... so... we use cloud-init everywhere, but if I only need to change one compute node configuration - I can test it out	17:32
*** woodard has joined #openstack-ansible		17:34
cmart	agrebennikov, only if you feel like trying it out. i'm also continuing to troubleshoot. All I did was set the following three YAML variables:	17:34
cmart	"nova_libvirt_inject_key: True", "nova_libvirt_inject_partition: -1", "nova_libvirt_inject_password: True"	17:35
*** chris_hultin\|AWA is now known as chris_hultin		17:35
cmart	I don't advocate that others go this route if you already use cloud-init and it's working for you! This is only so we can continue supporting some older, cloud-init-less images maintained by our community	17:36
odyssey4me	freebsd?	17:37
xdfil	odyssey4me: What's the appropriate way to give a container a static IP?	17:38
*** chris_hultin is now known as chris_hultin\|AWA		17:38
cmart	odyssey4me nope, customized builds of older Ubuntu and CentOS, which from a security perspective should be phased out, but people have used them for scientific work	17:38
*** muxdaemon has joined #openstack-ansible		17:39
cmart	odyssey4me for example if you want to try to reproduce a genomics study done 3 years ago, we let you launch the exact same image that was used to run the original analysis, so you can hopefully see how the results were obtained. it's a data provenance thing.	17:40
odyssey4me	xdfil you don't, unless you want to hack your inventory.json once the inventory item has already been generated	17:40
*** SerenaFeng has joined #openstack-ansible		17:41
xdfil	I have to for BGP speaker. the physical routers need to peer with the IP address of the dragent	17:41
odyssey4me	cmart ah, yeah - I tried it a few years ago and think I got it right for freebsd	17:42
odyssey4me	but that was back for grizzly, and I don't have access ot that environment any more	17:42
*** Jack_Iv has joined #openstack-ansible		17:42
xdfil	wont the inventory.json get overwritten later on?	17:42
odyssey4me	xdfil once an item is generated it will stay there for the lifetime of the container	17:42
xdfil	ok cool thanks	17:43
odyssey4me	xdfil if you really need a static IP you can set that service to run on_metal and dedicate a host (or hosts) to it instead of using containers	17:43
odyssey4me	that's something useful to do with the network_hosts in large environments	17:43
xdfil	ahh right	17:44
xdfil	ya know what I like that better	17:44
xdfil	way better actually i dont need a br-bgp network anymore	17:45
xdfil	wait... that would mean all the neutron agents would be on metel	17:45
agrebennikov	so cmart if I do that on one of the computes - there still will be cloud-init workflow in place... how do I know if the stuff you need works?	17:46
agrebennikov	or you want to give me an image?	17:46
cmart	agrebennikov it's probably best if you try launching an image with cloud-init disabled or absent. happy to give you one.	17:50
agrebennikov	sure	17:50
agrebennikov	can I just manually change the config of nova on one of the computes?	17:51
agrebennikov	or you want me to do it via osa?	17:51
*** chris_hultin\|AWA is now known as chris_hultin		17:51
agrebennikov	(sure - meant to say "sure, give it to me" ;)	17:51
odyssey4me	xdfil yep, you'd need to dedicate at least two hosts (to allow router migration if one goes down) and all the agents would live on there	17:51
odyssey4me	agrebennikov I don't think it matters - what cmart needs is a working configuration to compare against. How it got there is immaterial.	17:52
agrebennikov	that works...	17:53
odyssey4me	Even if it's some other deployment tool, built using packages or whatever.	17:53
cmart	yes, I did it via OSA but you may not need to. I think all OSA does is template out the vars in nova.conf. how can I send you a 2 GB qcow2 image?	17:53
*** shananigans has joined #openstack-ansible		17:53
agrebennikov	but I'll only do it if you vote for https://review.openstack.org/#/c/444491/2 and https://review.openstack.org/#/c/425997/18 :D	17:53
agrebennikov	cmart, you probably can....	17:53
agrebennikov	if you for example upload to gdrive	17:54
agrebennikov	and send me the link	17:54
cmart	yep, or Amazon S3. give me a few minutes :)	17:54
*** crushil has quit IRC		17:55
*** muxdaemon has quit IRC		17:55
odyssey4me	agrebennikov you asked for it ;)	18:02
odyssey4me	hopefully my review makes sense	18:02
agrebennikov	so essentially you want me to populate the cert back to the deployment host from the galera cert once it is created?	18:04
agrebennikov	*from the galera host	18:04
agrebennikov	odyssey4me,	18:06
odyssey4me	yeah, everything is massively simpler and more reliable when the deployment host is used as a place to pull to and push from	18:08
DimGR	it took me 30 days to figure that out ^^	18:08
odyssey4me	then even self generated certs are 'user configurated', so there's only one way it ever gets there	18:08
odyssey4me	we have a bunch of distribution mechanisms that use delegation which we should ideally get rid of and replace with this simpler, more reliable mechanism	18:09
odyssey4me	ideally every ssl cert generation and placement fits there, and perhaps other things	18:09
odyssey4me	we're ideally hoping to move towards a place where we don't need a ssh service in the containers - it's far more secure	18:10
odyssey4me	right now it's only the container to container delegation that's holding that back as far as I know	18:10
*** cjloader has quit IRC		18:11
odyssey4me	in case you're not aware we already connect to containers via the host, rather than directly via ssh	18:11
*** cjloader has joined #openstack-ansible		18:11
xdfil	odyssey4me: I'm thinking of making the container/infra hosts ( i have 3 ) be bare metal for neutron_agents	18:12
xdfil	you forsee any issues with that?	18:13
*** cjloader has quit IRC		18:13
xdfil	OSA wise	18:13
odyssey4me	xdfil you mean having your infra hosts with all the containers on them also host the agents, but on bare metal instead of in containers?	18:13
xdfil	yes	18:13
*** cjloader has joined #openstack-ansible		18:13
odyssey4me	well, it depends on your use-case	18:13
*** SerenaFeng has quit IRC		18:14
odyssey4me	in that situation if something breaks on your network agent hosts, you also lose a third of your api infrastructure when you need to rebuild the hosts	18:14
odyssey4me	if you're doing that, better to containerise the agents	18:14
odyssey4me	the containers are easy to replace, the host is not	18:14
odyssey4me	if it's a seperate host, then you only affect that one smaller set of services if everything goes belly up	18:15
xdfil	hmmm good points	18:15
odyssey4me	the whole reason we've designed it to be so flexible in terms of service-host allocation is so that you really can spread and scale easily	18:16
odyssey4me	but you can compress if your budget can't handle it, but that compression should be done with services in containers	18:16
*** poopcat has joined #openstack-ansible		18:16
xdfil	in my case I have 8 nodes that are way too beefy to be anything other than compute hosts	18:17
xdfil	3 nodes that are less-beefy more suited for controller work	18:17
xdfil	I think it makes sense, to do bare metal neutron agents on the 3 controller nodes	18:19
odyssey4me	sounds like you should stick to the basic 3 controller model then	18:19
xdfil	I'm just concerned about running into an issue with the OSA runs	18:19
odyssey4me	well, that's up to you - I'd not advise it operationally, but it's your environment :)	18:20
odyssey4me	the other concern is security	18:20
odyssey4me	containers segregate the kernel name spaces for all the services	18:20
odyssey4me	I don't know what effect it will have if your host is holding those services and all the containers with the possibility of namespace clashes or overlap.	18:21
xdfil	so if agents running on metal, and the agent gets compromised it can own all the containers is the security concern	18:21
*** acormier has quit IRC		18:23
*** crushil has joined #openstack-ansible		18:23
*** poopcat has quit IRC		18:24
xdfil	odyssey4me if I configured all the hosts pre-deploy with OVS bridges instead of linux bridges, and specified those bridges in user_settings.yml in place of the br-mgmt/br-vlan would OSA be able to attach containers to them?	18:26
xdfil	slightly off topic, but I'm curious about that	18:27
odyssey4me	I honestly have no clue	18:27
xdfil	:)	18:27
*** jmckind has quit IRC		18:28
*** poopcat has joined #openstack-ansible		18:32
xdfil	odyssey4me another thing I am getting hung up on. If an OVS bridge (say br-tun) is connected to a linux bridge ( say br-vxlan ) which interface do I configure the IP on that neutron uses for local_ip	18:32
odyssey4me	xdfil I honestly have no clue. Networking is something of a dark art to me.	18:37
xdfil	my network instincts tell me that putting an IP on an interface causes it to become a layer 3 interface and it will nto forward layer 2 frames	18:37
odyssey4me	I figure things like that out by trying, failing, then trying again.	18:37
xdfil	odyssey4me: I know I'm just trying to embaras you :)	18:37
xdfil	thanks though	18:37
odyssey4me	The best thing you can do is figure out what you think you need, then try it. Then dig into any problems that arise and try to break it and hack it.	18:38
odyssey4me	Once you've learned, wipe it all and try again.	18:38
odyssey4me	For a new cloud environment, do this many, many times over.	18:38
odyssey4me	.For an existing production cloud - leave it and make sure you have a sufficient lab to test with.	18:39
*** vnogin has joined #openstack-ansible		18:39
xdfil	yeah, i'm time constrained. I'm trying to solve problems without stumbling into unexpected dragons	18:39
odyssey4me	Then once you;ve worked out where you want to be, work out how you get there	18:39
*** poopcat has quit IRC		18:40
odyssey4me	I used to have an old server setup with a bunch of VM's and automation to build, rebuild and do it again and again.	18:40
odyssey4me	Something similar to the multi-node-aio in the ops repo	18:40
odyssey4me	It's a vital tool if you're designing/deploying/supporting/maintaining a cloud.	18:40
*** david-lyle_ is now known as david-lyle		18:43
xdfil	odyssey4me I was looking at inventory.json and the containers don't say DHCP they have addresses. So every time they reboot they will get that same address via DHCP?	18:44
xdfil	but if i destroy/create it will change or stay the same?	18:44
odyssey4me	xdfil the container eth0 is DHCP and NATted through the host, which is why we don't use them... the addresses you're seeing are the br-mgmt and others which are static for the lifetime of the container	18:45
odyssey4me	if you destroy/recreate it will stay the same	18:45
odyssey4me	the only way to change it is to remove it from the inventory, or edit it	18:45
xdfil	hmmm ok mine changed at some point but I dont rememeber what i did	18:46
xdfil	thanks	18:46
odyssey4me	it will only change if you remove it, or remove the inventory entirely	18:46
*** galstrom is now known as galstrom_zzz		18:48
*** poopcat has joined #openstack-ansible		18:52
xdfil	odyssey4me I just noticed OSA didn't connect the agents container to the bridge I defined in user-settings	18:56
*** retreved has joined #openstack-ansible		18:57
xdfil	veth get created during lxc-containers-create?	18:57
odyssey4me	yep	19:00
*** galstrom_zzz is now known as galstrom		19:01
agrebennikov	odyssey4me, can you please make this https://review.openstack.org/#/c/446754/1 happen? I got votes for master, but evrardjp seems to be off today :(	19:08
*** foutatoro has joined #openstack-ansible		19:09
odyssey4me	agrebennikov sure, looks about right - can you add a release note (or edit the existing one) to specify that 'haproxy_bufsize' has been removed in master	19:11
agrebennikov	oh yeah, sorry about that	19:11
odyssey4me	it should be an 'upgrade' release note, and should say that it's been removed, and it should be replaced by using the new tuning option	19:12
agrebennikov	you mean, for backports it will be both "features" and "upgrades"?	19:13
openstackgerrit	Merged openstack/openstack-ansible-haproxy_server stable/ocata: Added Haproxy global tunables https://review.openstack.org/446755	19:14
openstackgerrit	Merged openstack/openstack-ansible-haproxy_server stable/newton: Added Haproxy global tunables https://review.openstack.org/446754	19:14
agrebennikov	oh, wait...	19:15
agrebennikov	why?...	19:15
agrebennikov	odyssey4me,	19:15
agrebennikov	I was about to add the change :)	19:15
agrebennikov	sp is it going to be a separate commit now?	19:17
*** aludwar has quit IRC		19:18
*** aludwar has joined #openstack-ansible		19:19
*** Jack_Iv has quit IRC		19:19
odyssey4me	agrebennikov this should be an edit to the release note in master	19:19
odyssey4me	it'll be a seperate commit	19:20
agrebennikov	aahh	19:20
odyssey4me	the backports are fine as-is as nothing has been removed, only added	19:20
odyssey4me	so in the master patch you've made the feature note which is fine as-is	19:20
odyssey4me	add another portion to the same release note with the heading 'upgrade: '	19:21
agrebennikov	yep	19:21
odyssey4me	with text as described above	19:21
*** Andrew_jedi has quit IRC		19:22
*** Jack_Iv has joined #openstack-ansible		19:23
openstackgerrit	Andrey Grebennikov proposed openstack/openstack-ansible-haproxy_server master: Mentioned haproxy_bufsize option removal https://review.openstack.org/447104	19:24
agrebennikov	odyssey4me, like this? https://review.openstack.org/447104	19:25
odyssey4me	a few tweaks - can I make them for you?	19:28
agrebennikov	sure, thanks you very much!	19:29
openstackgerrit	Jesse Pretorius (odyssey4me) proposed openstack/openstack-ansible-haproxy_server master: Mentioned haproxy_bufsize option removal https://review.openstack.org/447104	19:30
odyssey4me	there we go	19:30
odyssey4me	now when we release pike, anyone who previously tuned with that setting will know to change it	19:31
agrebennikov	exactly	19:31
*** Andrew_jedi has joined #openstack-ansible		19:32
agrebennikov	sorry for my bad language (not native) :P	19:32
agrebennikov	cloudnull, can you please vote here? https://review.openstack.org/447104	19:33
*** rboyapat has joined #openstack-ansible		19:35
rboyapat	core members: can you please review https://review.openstack.org/#/c/446838/	19:35
*** xinli has quit IRC		19:35
*** manheim has joined #openstack-ansible		19:41
openstackgerrit	Merged openstack/openstack-ansible-haproxy_server master: Mentioned haproxy_bufsize option removal https://review.openstack.org/447104	19:42
*** shardy has quit IRC		19:44
*** galstrom is now known as galstrom_zzz		20:13
openstackgerrit	Kyle L. Henderson proposed openstack/openstack-ansible stable/newton: Provide example of using veth pairs for br-vlan https://review.openstack.org/445556	20:17
*** foutatoro has quit IRC		20:24
*** yolanda has quit IRC		20:26
*** manheim has quit IRC		20:26
*** yolanda has joined #openstack-ansible		20:26
*** xinli has joined #openstack-ansible		20:27
jrosser_	odyssey4me: i see earlier you talked about removing ssh from the containers	20:28
*** cpuga has quit IRC		20:29
*** cpuga has joined #openstack-ansible		20:29
jrosser_	is that in progress somewhere, as it would make stuff significantly easier in our situation	20:29
*** cpuga has quit IRC		20:30
odyssey4me	jrosser_ it's not really a planned activity, primarily because no-one has really raised it as a priority	20:30
*** cpuga has joined #openstack-ansible		20:30
*** retreved has quit IRC		20:31
odyssey4me	we did a significant amount of work in Newton to make it possible, but the rest will require someone taking the time to figure out what breaks when openssh is removed from the containers and then it'll take a bit of collective thought to figure out what to do about those things	20:31
odyssey4me	if it's of interest to you, then perhaps you have resources to commit to doing the initial investigation?	20:32
odyssey4me	we could probably collaborate on figuring this stuff out on an etherpad, then work up a spec	20:32
*** crushil has quit IRC		20:32
DimGR	i had major issues too with ssh into containers from not local host	20:33
odyssey4me	but most of us are already tied up with other activities, so we'll definitely need more hands	20:33
*** smatzek has quit IRC		20:34
*** Jack_Iv has quit IRC		20:34
*** cpuga has quit IRC		20:35
*** chris_hultin is now known as chris_hultin\|AWA		20:36
*** cjloader has quit IRC		20:40
*** crushil has joined #openstack-ansible		20:42
*** Andrew_jedi has quit IRC		20:44
jrosser_	odyssey4me: can i ask about the ssh stuff then, currently the deployment host never ssh to the containers?	20:46
*** Jack_Iv has joined #openstack-ansible		20:47
jrosser_	but the containers need to ssh between themselves to distribute certs etc?	20:47
odyssey4me	currently the deployment host connects through the hosts to get to the containers for almost everything	20:50
odyssey4me	we have a connection plugin which makes Ansible connect to the host, then lxc-attach into the container to execute things	20:51
odyssey4me	therefore it does not need openssh running in the container	20:51
odyssey4me	however, we have delegated tasks - for example the os-glance-install.yml playbook targets the glance containers, but delegates the database creation to the galera containers and the rabbitmq vhost creation to the rabbitmq containers	20:52
odyssey4me	when that happens, it requires ssh connectivity between the containers	20:52
jrosser_	ok	20:52
odyssey4me	to prevent that, we would have to change the pattern of how we do these things	20:52
jrosser_	currently we have a service network with provisions all the bare metal, and has the deploment host on it	20:53
jrosser_	this is not the mgmt network though	20:53
jrosser_	and so we get into difficulty	20:53
*** Andrew_jedi has joined #openstack-ansible		20:54
jrosser_	but knowing that the service net does not need to ssh to the containers simplifies things	20:54
jrosser_	it only has to go to all the hosts	20:55
odyssey4me	yeah	20:55
odyssey4me	I'm not sure what would fall out if you do this, but you could also add a different bridge and apply these settings on it instead of on br-mgmt: https://github.com/openstack/openstack-ansible/blob/master/etc/openstack_deploy/openstack_user_config.yml.prod.example#L34-L35	20:56
jrosser_	yes we could	20:56
jrosser_	but the point of the service net is it is more trusted than the mgmt net	20:56
odyssey4me	there's a fair chance that we've made a lot of assumptions about br-mgmt being the network ansible connects to, but that is stuff we should actually clean up	20:56
jrosser_	and very deliberatley isolated from it	20:56
odyssey4me	yep, fair point	20:57
jrosser_	i could never get the deployment host being on mgmt past a security review	20:57
odyssey4me	br-mgmt is meant to be an isolated network with only outgoing internet access anyway	20:58
odyssey4me	it's probably a badly named network	20:58
jrosser_	indeed :)	20:58
jrosser_	im also trying not to have mgmt having outgoing internet access	20:59
odyssey4me	with or without a proxy	20:59
jrosser_	proxy is ok	20:59
jrosser_	nat to internet is not	21:00
odyssey4me	ok, that should work already	21:00
jrosser_	yes	21:00
odyssey4me	it's a bit of a PITA to get right in the beginning, but it works eventually	21:00
jrosser_	we are just crawling from multinode aio to something like that	21:00
odyssey4me	I'm doing a bunch of work to try and make a fully air-gapped deployment work.	21:01
jrosser_	but as you say it is a lot of work to get the environment right	21:01
jrosser_	oh ++ on that	21:01
jrosser_	happy to test things	21:01
odyssey4me	yeah, once we have the whole story worked out and broader testing started in our group we'll start to figure out how to upstream the tooling	21:01
odyssey4me	a lot of it right now is a bit of a hack job	21:02
jrosser_	ideally my service net provides all proxies and packeges etc	21:02
*** xinli has quit IRC		21:02
jrosser_	and mgmt becomes purely api chatter	21:03
*** crushil has quit IRC		21:03
jrosser_	but at the same time i dont want the service net in the containers	21:03
odyssey4me	but the basic stuff we're doing it preparing all packages, repo data, etc in a pipeline - then tooling the deployment to stage either offline or online, then execute the normal build using the staged data	21:03
jrosser_	so thats a bit chicken/egg atm	21:03
*** rboyapat has quit IRC		21:04
odyssey4me	yeah, it'd be nice to figure that out - I expect it can be done with what's already there - perhaps with a few patches to ensure we're looking the right things up the right way	21:04
*** rboyapat has joined #openstack-ansible		21:04
*** McMurlock1 has quit IRC		21:06
*** rboyapat has quit IRC		21:07
jrosser_	i also need to think about the implications of things like bare metal network nodes where the service net and provider nets come together with little isolation	21:08
jrosser_	thats feeling a little less separated than regualar infra nodes currently	21:08
*** foutatoro has joined #openstack-ansible		21:19
*** cjloader has joined #openstack-ansible		21:24
*** cjloader has quit IRC		21:28
odyssey4me	yeah, unfortunately ironic doesn't really separate things properly just yet as far as I know - it puts all projects on the same provisioning network, so you'd have to do a ton of ACL's to secure it	21:29
*** Andrew_jedi has quit IRC		21:32
*** kstev has quit IRC		21:32
*** gouthamr has quit IRC		21:33
*** Jack_Iv has quit IRC		21:34
*** Jack_Iv has joined #openstack-ansible		21:35
*** Jeffrey4l has quit IRC		21:35
*** schwicht has quit IRC		21:36
*** Jeffrey4l has joined #openstack-ansible		21:36
*** Jack_Iv has quit IRC		21:39
*** esberglu has quit IRC		21:41
*** esberglu has joined #openstack-ansible		21:41
*** esberglu has quit IRC		21:46
*** karimb has quit IRC		21:51
*** gouthamr has joined #openstack-ansible		21:57
openstackgerrit	German Eichberger proposed openstack/openstack-ansible-os_octavia master: [WIP] Adds iptables rules to protect octavia server container https://review.openstack.org/447151	22:03
dankolbrs	Hi all, I submitted https://bugs.launchpad.net/openstack-ansible/+bug/1673889 . Feel free to yell at me here or in there if I missed anything or left anything out	22:05
openstack	Launchpad bug 1673889 in openstack-ansible "Nova services do not restart on N->O upgrade" [Undecided,New]	22:05
cmart	odyssey4me and agrebennikov, I solved the libvirt key injection issue. in Ubuntu the kernel is non-readable to non-root users by default, so nova could not read the kernel and launch the supermin!	22:21
*** schwicht has joined #openstack-ansible		22:21
odyssey4me	cmart interesting - so how did you solve it? does it need a rootwrap edit?	22:21
cmart	well just now I solved it with `sudo chmod 0644 /boot/vmlinuz*`	22:22
odyssey4me	if so, then it's actually a nova bug which you can patch :)	22:22
odyssey4me	hmm, I expect that nova may be interested in it - if you could put together a bug report to describe the error output, the config bits and the packages/platform then we could perhaps engage with some of the nova crew to see what to do about it	22:23
odyssey4me	johnthetubaguy may have some insight	22:23
*** foutatoro has quit IRC		22:25
cmart	ok. it is an Ubuntu-specific bug. something needs to make sure that the user running libguestfs (in our case nova) can read the compressed kernel files in /boot. it sounds like there have been years of handwringing over this between libguestfs, Ubuntu, and various other projects	22:25
odyssey4me	cmart sure, but that's exactly the purpose of the rootwrap files	22:25
odyssey4me	they're effectively files which implement sudoer capabilities	22:26
cmart	is rootwrap a nova-ism or an OSA-ism?	22:26
odyssey4me	https://github.com/openstack/nova/blob/master/etc/nova/rootwrap.d/compute.filters	22:26
cmart	aha	22:26
odyssey4me	rootwrap itself is a python wrapper which is implemented for priveleged commands - it reads that file to figure out what it's allowed to do, or not	22:27
odyssey4me	but it's basically a sudoers file	22:27
cmart	ok. and if the config for "what can run as root" is maintained in nova, i'll write up the bug against nova. should be a simple fix. Thanks odyssey4me and agrebennikov for helping me triage!	22:29
odyssey4me	cmart note this though: https://github.com/openstack/nova/blob/424972e2f03c42b76d47775b016d3ec2d001632f/nova/conf/libvirt.py#L147-L153	22:29
cmart	ya - what about?	22:30
odyssey4me	actually, more importantly https://github.com/openstack/nova/blob/424972e2f03c42b76d47775b016d3ec2d001632f/nova/conf/libvirt.py#L169-L181	22:30
odyssey4me	libguestfs appears to be broken, so there's that	22:30
odyssey4me	but if libguestfs is not there, nbd will be used	22:30
odyssey4me	the long term fix is to get the libguestfs fix into nova	22:31
odyssey4me	the short term fix may be to make sure libguestfs is not there	22:31
agrebennikov	cmart, nice stuff :)	22:31
odyssey4me	if OSA puts it there, we can remove that quickly	22:31
odyssey4me	any patches into nova will take time, and are not likely to be backported	22:31
odyssey4me	of course we'd like you to validate that removing it helps :)	22:32
cmart	unfortunately nbd as a fallback doesn't help you if you set inject_partition to -1, meaning libguestfs must be available to find the correct partition to mount https://github.com/openstack/nova/blob/424972e2f03c42b76d47775b016d3ec2d001632f/nova/conf/libvirt.py#L185-L198	22:32
agrebennikov	odyssey4me, "patches into nova will take time" should be said like "patches into nova will take forever"	22:32
agrebennikov	:P	22:32
odyssey4me	:) I'm trying to be polite agrebennikov - the nova crew have the hardest job.	22:33
cmart	(and that's how I'm doing it!)	22:33
cmart	ok. thanks guys. I'll get this written up later tonight. gotta scoot and get my taxes done.	22:33
odyssey4me	cmart if anything, you may get advise for alternative ways of achieving the same thing	22:34
agrebennikov	cmart, have fun with taxes ;)	22:34
odyssey4me	happy ot have helped - have a great w/end!	22:34
agrebennikov	odyssey4me, before you leave - can you please look at http://paste.openstack.org/show/603198/ and tell me if it can be accepted as an extention to nova.conf?	22:35
agrebennikov	or there is easier way for doing it	22:36
agrebennikov	it is regarding https://bugs.launchpad.net/openstack-ansible/+bug/1673570	22:36
openstack	Launchpad bug 1673570 in openstack-ansible "With more than one ceph cluster as the backend nova has secret_uuid hardcoded" [Undecided,New]	22:36
agrebennikov	(only in case you are familiar with that part)	22:36
agrebennikov	if not - lets go home	22:37
*** vnogin has quit IRC		22:38
odyssey4me	argh, the whole usage of ceph needs a rewrite	22:40
odyssey4me	unfortunately I don't understand that code, and certainly won't right now - I'm quite tired	22:40
odyssey4me	but now that we have everything integrated we can rewrite all that nonsense which hasn't changed much since kilo	22:41
odyssey4me	it's time we do that	22:41
odyssey4me	to fairly review this I'd have to try and work out the spider web	22:41
odyssey4me	next week we can try and see if logan- or mattt are available to help puzzle it out - they understand it better than most	22:42
logan-	i'll read thru it tonight	22:42
odyssey4me	logan- actually uses it in production, so that helps	22:42
odyssey4me	lol, a logan- lurks in the bushes	22:42
logan-	odyssey4me ;) someone said ceph	22:42
odyssey4me	hahaha	22:43
odyssey4me	how's your upgrade to newton going?	22:43
odyssey4me	sorry, the upgrade from trusty to xenial	22:43
logan-	100% done now :)	22:43
logan-	no more trusty anywhere	22:43
odyssey4me	oh awesome :) good news, well worth a celebration	22:44
agrebennikov	all right, logan- can I bug you on monday morning then?	22:44
odyssey4me	time to look forward again	22:44
odyssey4me	well - probably time to take a break, actually	22:44
logan-	no kidding! great to have it behind. really cool work cloudnull did this week with the repo stuff. I was just reading some of that today	22:44
logan-	agrebennikov: i've got a question for you, 1 sec let me find this older review	22:45
agrebennikov	absolutely	22:45
agrebennikov	topic?	22:45
agrebennikov	I have all mine opened	22:45
logan-	https://review.openstack.org/#/c/409353/ is your bug/patch similar to this one?	22:46
agrebennikov	soooooo not actually :)	22:46
odyssey4me	hmm, yeah - it was michaelgugino who was working on ceph multi back-end things	22:46
agrebennikov	in fact it ia all messed up, and I'd say on the nova side	22:46
odyssey4me	unfortunately we haven't seen him for a while	22:46
logan-	i haven't really read thru your bug yet but i was just curious if its the same/similar thing	22:46
agrebennikov	the main idea - with multi-ceph AND ephemerals in ceph nova can't work	22:47
odyssey4me	yeah, I think it's time to w/end y'all	22:47
agrebennikov	and my past above should cover that	22:47
agrebennikov	yeah, that makes perfect sense	22:47
logan-	ttyl odyssey4me	22:47
logan-	agrebennikov: why doesn't it work? missing libvirt secrets?	22:48
agrebennikov	ok, long story short - with volumes in ceph secret uuid and ceph user can be delivered via rpc from cinder	22:48
logan-	nevermind.. i'll read the bug and patch(es) first and bug you with questions afterwards :P	22:49
agrebennikov	with ephemerals in ceph these params Must be hardcoded in nova.conf on the compute	22:49
logan-	right	22:49
agrebennikov	I have to submit a couple of new params into nova though	22:49
agrebennikov	but it is a separate story	22:49
agrebennikov	let's chat on monday	22:49
logan-	ok sounds good	22:50
logan-	have a good weekend	22:50
agrebennikov	nice. cu then! have a great green-beer evening!	22:50
logan-	yes indeed	22:50
agrebennikov	(if you are here in the us)	22:50
*** schwicht has quit IRC		22:51
logan-	dallas	22:51
logan-	:)	22:51
*** agrebennikov has quit IRC		22:55
openstackgerrit	Merged openstack/openstack-ansible-rsyslog_client master: Fix remote logging template https://review.openstack.org/446838	22:56
*** jbadiapa has quit IRC		23:01
*** vnogin has joined #openstack-ansible		23:02
*** jamesdenton has joined #openstack-ansible		23:12
*** jamesden_ has joined #openstack-ansible		23:16
*** schwicht has joined #openstack-ansible		23:17
*** jamesdenton has quit IRC		23:19
*** markvoelker has quit IRC		23:26
*** DimGR has quit IRC		23:43
*** vnogin has quit IRC		23:47
*** marst has joined #openstack-ansible		23:50
*** crushil has joined #openstack-ansible		23:52
*** acormier has joined #openstack-ansible		23:53
*** acormier has quit IRC		23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!