Thursday, 2018-10-04

*** imdigitaljim has quit IRC		00:18
*** imdigitaljim has joined #openstack-containers		00:26
*** dave-mccowan has quit IRC		00:52
*** hongbin has joined #openstack-containers		01:55
*** Bhujay has joined #openstack-containers		02:24
*** ricolin has joined #openstack-containers		02:28
*** ramishra has joined #openstack-containers		02:45
*** Bhujay has quit IRC		03:03
*** ricolin has quit IRC		03:08
*** udesale has joined #openstack-containers		03:14
*** hongbin has quit IRC		03:27
*** ykarel\|away has joined #openstack-containers		04:02
*** cbrumm has quit IRC		04:07
*** imdigitaljim has quit IRC		04:15
*** ianychoi_ has joined #openstack-containers		04:15
*** ianychoi has quit IRC		04:17
*** udesale has quit IRC		05:09
*** udesale has joined #openstack-containers		05:15
*** ykarel\|away is now known as ykarel		05:23
*** udesale has quit IRC		05:53
*** udesale has joined #openstack-containers		05:58
*** fghaas has joined #openstack-containers		06:28
*** serlex has joined #openstack-containers		06:30
*** rcernin has quit IRC		06:38
*** rcernin has joined #openstack-containers		06:38
*** pcaruana has joined #openstack-containers		06:40
*** jaewook_oh has joined #openstack-containers		06:54
*** ttsiouts has joined #openstack-containers		06:59
*** rcernin has quit IRC		07:10
*** ttsiouts has quit IRC		07:16
*** ykarel_ has joined #openstack-containers		07:24
*** ykarel has quit IRC		07:26
*** mattgo has joined #openstack-containers		07:27
*** ykarel__ has joined #openstack-containers		07:28
openstackgerrit	Feilong Wang proposed openstack/magnum-tempest-plugin master: Support k8s testing https://review.openstack.org/604323	07:28
*** ykarel_ has quit IRC		07:30
*** serlex has quit IRC		07:30
*** udesale has quit IRC		07:30
*** ykarel_ has joined #openstack-containers		07:41
*** ykarel__ has quit IRC		07:44
*** ykarel__ has joined #openstack-containers		07:46
*** ykarel__ is now known as ykarel		07:46
*** ykarel has quit IRC		07:47
*** ykarel_ has quit IRC		07:48
*** udesale has joined #openstack-containers		07:53
*** ykarel has joined #openstack-containers		07:54
*** pcaruana has quit IRC		07:55
*** pcaruana has joined #openstack-containers		07:57
*** ttsiouts has joined #openstack-containers		08:00
openstackgerrit	OpenStack Proposal Bot proposed openstack/magnum-ui master: Imported Translations from Zanata https://review.openstack.org/607834	08:02
*** ykarel_ has joined #openstack-containers		08:12
*** ykarel has quit IRC		08:15
*** ykarel__ has joined #openstack-containers		08:20
*** ykarel_ has quit IRC		08:23
*** ykarel_ has joined #openstack-containers		08:23
openstackgerrit	Merged openstack/magnum-tempest-plugin master: fix typo https://review.openstack.org/597993	08:23
*** ykarel__ has quit IRC		08:26
*** serlex has joined #openstack-containers		08:28
*** ykarel__ has joined #openstack-containers		08:45
*** flwang1 has joined #openstack-containers		08:45
*** udesale has quit IRC		08:46
*** ykarel_ has quit IRC		08:48
*** ttsiouts has quit IRC		08:49
*** ykarel_ has joined #openstack-containers		08:49
*** udesale has joined #openstack-containers		08:49
*** ykarel__ has quit IRC		08:51
*** ttsiouts has joined #openstack-containers		08:59
*** ttsiouts has quit IRC		09:04
*** ykarel_ has quit IRC		09:07
*** ykarel_ has joined #openstack-containers		09:07
*** ttsiouts has joined #openstack-containers		09:08
*** ykarel__ has joined #openstack-containers		09:10
*** ykarel_ has quit IRC		09:13
*** ykarel has joined #openstack-containers		09:18
*** ykarel__ has quit IRC		09:19
*** salmankhan has joined #openstack-containers		09:24
flwang1	any Blizzard people around?	09:30
*** ykarel has quit IRC		09:32
*** ykarel has joined #openstack-containers		09:32
*** ykarel_ has joined #openstack-containers		09:35
*** ykarel has quit IRC		09:38
*** ykarel_ is now known as ykarel		09:43
*** Bhujay has joined #openstack-containers		09:48
*** udesale has quit IRC		10:04
*** Bhujay has quit IRC		10:06
*** mattgo has quit IRC		10:11
*** udesale has joined #openstack-containers		10:13
*** ttsiouts has quit IRC		10:21
*** ricolin has joined #openstack-containers		10:29
*** ttsiouts has joined #openstack-containers		10:31
*** udesale has quit IRC		10:39
*** udesale has joined #openstack-containers		10:40
*** mattgo has joined #openstack-containers		10:52
*** pcaruana has quit IRC		11:02
*** pcaruana has joined #openstack-containers		11:02
*** janki has joined #openstack-containers		11:06
*** ttsiouts has quit IRC		11:32
*** slagle has quit IRC		11:51
*** jaewook_oh_ has joined #openstack-containers		12:03
*** jaewook_oh has quit IRC		12:03
*** jaewook_oh_ is now known as jaewook_oh		12:03
*** ttsiouts has joined #openstack-containers		12:07
*** jaewook_oh has quit IRC		12:44
*** fghaas has quit IRC		12:45
*** slagle has joined #openstack-containers		12:47
*** slagle has quit IRC		13:22
*** ykarel_ has joined #openstack-containers		13:36
*** ykarel has quit IRC		13:38
*** slagle has joined #openstack-containers		13:41
*** fghaas has joined #openstack-containers		13:42
openstackgerrit	Theodoros Tsioutsias proposed openstack/magnum-specs master: Introduce magnum nodegroups https://review.openstack.org/607363	13:49
flwang1	eandersson: ping	13:49
*** pcaruana has quit IRC		13:50
*** ykarel_ is now known as ykarel		13:50
*** hongbin has joined #openstack-containers		14:17
*** Bhujay has joined #openstack-containers		14:28
*** fghaas has quit IRC		14:29
*** ykarel is now known as ykarel\|afk		14:32
*** itlinux has quit IRC		14:48
*** jchhatbar has joined #openstack-containers		14:50
*** janki has quit IRC		14:53
colin-	flwang1 o/	15:06
colin-	need review?	15:07
*** ttsiouts has quit IRC		15:11
*** slagle has quit IRC		15:25
*** udesale has quit IRC		15:36
*** mattgo has quit IRC		15:37
*** jchhatbar has quit IRC		15:46
*** ykarel\|afk is now known as ykarel		15:52
*** Bhujay has quit IRC		15:55
*** itlinux has joined #openstack-containers		15:57
*** ykarel_ has joined #openstack-containers		16:18
*** ykarel_ is now known as ykarel\|away		16:20
*** ykarel has quit IRC		16:20
*** slagle has joined #openstack-containers		16:20
*** Bhujay has joined #openstack-containers		16:34
*** cbrumm has joined #openstack-containers		16:55
*** ykarel\|away has quit IRC		16:58
*** Bhujay has quit IRC		17:01
*** salmankhan has quit IRC		17:04
*** ramishra has quit IRC		17:09
*** pcaruana has joined #openstack-containers		17:17
*** Bhujay has joined #openstack-containers		17:30
*** ricolin has quit IRC		17:44
colby_	Hey Guys,	17:56
colby_	We are running pike version of magnum. If we tell magnum to build kubernetes cluster without floating ip it fails. If we tell it to do floating ip it gives all nodes floating ips and the minions have security group rules allowing all traffic to those nodes (not very secure). Is there a way to fix this so only the master gets floating ip?	17:58
*** ykarel\|away has joined #openstack-containers		17:59
*** pcaruana has quit IRC		18:01
*** ykarel_ has joined #openstack-containers		18:04
*** ykarel\|away has quit IRC		18:07
*** Bhujay has quit IRC		18:20
*** imdigitaljim has joined #openstack-containers		18:36
imdigitaljim	strigazi: you here?	18:36
imdigitaljim	sidenote: im constantly dc'd from IRC lately so hit me on email if you need something btw	18:38
strigazi	imdigitaljim: here	18:39
imdigitaljim	hey	18:41
strigazi	colby_: no, sorry, this is option is not possible. either all nodes will have fips or none. I know it is not great but it is like this atm	18:41
imdigitaljim	so i was looking at your heat-container ssh PR	18:41
imdigitaljim	it looks pretty good but one thing i wanted to see if i missed	18:41
imdigitaljim	do you enforce on the sshd_config to enable rootlogin	18:41
imdigitaljim	you might want to have a sed for PermitRootLogin without-password	18:41
colby_	strigazi: is it possible to change the security group rules then. Seem like allowing all traffic to the minion fips is not ideal.	18:42
strigazi	I generate the ssh key for root in srv magnum. I can take a look in that option too	18:43
strigazi	imdigitaljim: ^^	18:43
strigazi	colby_: you can change them with the neutron API after cluster creation	18:43
strigazi	colby_: no other option is in place atm	18:44
strigazi	colby_: the optimal option is what you proposed	18:44
strigazi	colby_: I have kickstarted the implementation but then I had too many on my plate and since at CERN we didn;t need it it went to the backlog	18:44
colby_	ok thanks for the info	18:45
imdigitaljim	well if sshd_config has PermitRootLogin no	18:45
imdigitaljim	the ssh call from heat didnt work for me	18:46
imdigitaljim	heat-container*	18:46
imdigitaljim	(with the same code as your PR)	18:46
strigazi	hmm	18:46
strigazi	I'll have a look	18:46
imdigitaljim	it gets permission denied	18:46
imdigitaljim	but adding that to sshd_ works like a charm	18:46
imdigitaljim	and its a rather clean solution that the problem	18:46
imdigitaljim	so +1 on that	18:47
strigazi	can you leave a comment in gerrit?	18:47
imdigitaljim	yeah i was in the middle of doing that as we speak	18:47
strigazi	imdigitaljim: btw Theodoros from our team update the nodegroups spec.	18:47
strigazi	imdigitaljim: thx	18:47
imdigitaljim	ok thanks!	18:48
flwang1	imdigitaljim: did you see my email?	18:50
imdigitaljim	oh no	18:50
imdigitaljim	just checked	18:50
imdigitaljim	reading..	18:50
flwang1	imdigitaljim: What's the version of your coreDNS and Calico? With the default versions in Magnum, CoreDNS 1.0.1 and Calico 2.6.7, on k8s v1.11.2	18:50
flwang1	we got http://paste.openstack.org/show/731482/	18:51
flwang1	the dns is not working	18:51
flwang1	and did you do any special change for the coredns or calico config?	18:51
imdigitaljim	etcd 3.3.9 calico v3.2.1 coredns 1.2.0	18:52
imdigitaljim	calico was primarily update the configmap to the newer one	18:53
imdigitaljim	from calico's page	18:53
imdigitaljim	very minor changes	18:53
imdigitaljim	coredns i dont think had any changes but it was missing an important feature	18:53
imdigitaljim	which might be part of your problem?	18:53
imdigitaljim	Corefile: \|	18:54
imdigitaljim	.:53 {	18:54
imdigitaljim	errors	18:54
imdigitaljim	log stdout	18:54
imdigitaljim	health	18:54
imdigitaljim	kubernetes ${DNS_CLUSTER_DOMAIN} ${PORTAL_NETWORK_CIDR} ${PODS_NETWORK_CIDR} {	18:54
imdigitaljim	pods verified	18:54
imdigitaljim	upstream	18:54
imdigitaljim	}	18:54
imdigitaljim	proxy . /etc/resolv.conf	18:54
imdigitaljim	cache 30	18:54
imdigitaljim	}	18:54
imdigitaljim	the upstream part of the kubernetes plugin	18:54
imdigitaljim	oh and k8s version 1.11.3/1.12.0 currently but by next week just 1.12.0	18:54
strigazi	imdigitaljim: I think this is what we have already for coredns	18:54
imdigitaljim	we trickle people over as we upgrade	18:54
imdigitaljim	strigazi: oh was it added since i had a pull	18:55
flwang1	imdigitaljim: it has been added, i mean ${DNS_CLUSTER_DOMAIN} ${PORTAL_NETWORK_CIDR} ${PODS_NETWORK_CIDR} {	18:55
imdigitaljim	https://github.com/openstack/magnum/blob/master/magnum/drivers/common/templates/kubernetes/fragments/core-dns-service.sh#L66	18:55
imdigitaljim	nope	18:55
imdigitaljim	its not there	18:56
flwang1	upstream?	18:56
flwang1	you mean the 'upstream'?	18:56
flwang1	yep, it's not there	18:56
imdigitaljim	https://github.com/coredns/coredns/blob/master/plugin/kubernetes/README.md	18:56
flwang1	cool, let me try	18:57
flwang1	strigazi: can you help try on your side?	18:58
flwang1	wait	19:01
flwang1	seems the option 'upstream' is used to resolve domain name out of pod	19:02
flwang1	but the name 'kubernetes' is a internal name, no?	19:02
flwang1	imdigitaljim: ^	19:02
colin-	yes	19:02
strigazi	i added 'upstream' no change	19:03
colin-	the line two above 'upstream' supports resolution of that record	19:03
colin-	the one begining with 'kubernetes'	19:03
colin-	https://coredns.io/plugins/kubernetes/	19:06
flwang1	and based on the command result, the pod can reach the coreDNS pod, but coreDNS pod failed to parse 'kubernetes', so probably something wrong between coredns and k8s?	19:06
strigazi	hmm, heapster is resolved with nslookup	19:07
strigazi	but kubernetes no	19:07
colin-	the NXDOMAIN response in your paste certainly suports an inability to look that record up	19:07
colin-	can you share the output of your coredns configmap? kubectl -n kube-system get configmap coredns -o yaml	19:08
colin-	oops did not mean to paste the command, was on my clipboard	19:08
flwang1	http://paste.openstack.org/show/731517/	19:09
flwang1	strigazi: does that mean nslookup should also work for other user customized service?	19:10
colin-	is the dnsPolicy set on your busyboxy pod?	19:10
strigazi	dnsPolicy?	19:10
colin-	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy	19:11
flwang1	we didn't do anything about the pod	19:11
flwang1	just the original image to create the pod	19:11
colin-	so default probably	19:12
colin-	The Pod inherits the name resolution configuration from the node	19:12
colin-	if the node isn't consulting the coredns service by default then the busyboxy pod may not for the same reason	19:12
imdigitaljim	dnsPolicy: ClusterFirstWithHostNet i think he might be referring	19:13
imdigitaljim	wanna try that?	19:13
*** ykarel__ has joined #openstack-containers		19:13
flwang1	im trying	19:13
*** ykarel__ has quit IRC		19:14
*** ykarel__ has joined #openstack-containers		19:14
*** ykarel_ has quit IRC		19:15
colin-	or maybe ClusterFirst since you aren't using host networking on that busybox pod	19:15
flwang1	colin-: good point	19:16
*** ykarel_ has joined #openstack-containers		19:17
flwang1	http://paste.openstack.org/show/731519/	19:19
flwang1	no luck	19:19
flwang1	strigazi: ?	19:19
*** ykarel__ has quit IRC		19:20
colin-	10.254.0.10 is the ClusterIP for your 'kube-dns' svc right?	19:20
flwang1	yes	19:20
strigazi	yes	19:20
flwang1	http://paste.openstack.org/show/731520/	19:21
*** ykarel__ has joined #openstack-containers		19:21
flwang1	i have to go to office in mins, will be back soon. only slept 3 hours, very sleepy, need some coffee now	19:22
*** ykarel_ has quit IRC		19:23
strigazi	it seems that it worked now	19:24
strigazi	I'll do one more test	19:25
*** ykarel__ has quit IRC		19:26
flwang1	how?	19:29
strigazi	pods in kube-system can not reach the kubernetes service	19:29
strigazi	only in the default ns	19:29
strigazi	I'll validate the config of coredns once more	19:30
flwang1	is it because some network policy of calico?	19:30
strigazi	probably	19:31
strigazi	but i don't have experience with it	19:31
flwang1	but the busybox is in default ns	19:31
flwang1	i still can't get the point	19:31
flwang1	i have to run now	19:31
flwang1	will be back in 30 mins	19:32
strigazi	ok	19:32
*** flwang1 has quit IRC		19:36
*** mattgo has joined #openstack-containers		19:37
strigazi	export KUBECONFIG=/opt/stack/clusters/kube/config	19:40
*** serlex has quit IRC		19:40
strigazi	i'm getting crazy here, in a centos pod i can nslookup kubernetes but in a busybox?	19:41
strigazi	i also pasted my clipboard? cool	19:42
*** slagle has quit IRC		19:43
strigazi	imdigitaljim: colin- can you have a look into this: http://paste.openstack.org/raw/731522/	19:52
strigazi	It really doesn't make sense	19:53
strigazi	busy-debug is busybox	19:53
strigazi	debug-1 is custom alpine with nslookup installed	19:54
strigazi	centos-1 is gitlab-registry.cern.ch/linuxsupport/cc7-base where i installed bind-utils	19:54
strigazi	or this one ^^ docker pull cern/cc7-base	19:55
*** slagle has joined #openstack-containers		20:19
*** flwang has joined #openstack-containers		20:24
flwang	strigazi: still around?	20:24
flwang	imdigitaljim: any message i missed?	20:24
strigazi	flwang: no changes wfm http://paste.openstack.org/raw/731523/	20:31
strigazi	busybox didn't work	20:31
flwang	but centos works?	20:32
strigazi	centos and alpine in the example in the paste	20:32
imdigitaljim	yeah ive just been diving around, i havent seen anything that stands out	20:32
flwang	interesting, that's enough i think	20:32
imdigitaljim	strigazi: ^ that sounds promising	20:32
flwang	so only the busybox doesn't work, right?	20:32
strigazi	yes	20:33
flwang	for me, i think centos and alpine are enough for us to continue the release	20:33
strigazi	maybe there is bug in busybox?	20:33
flwang	probably	20:33
strigazi	with flannel in me devstack i had the same problem	20:34
strigazi	s/me/my	20:34
flwang	same problem, means busybox aslo not working?	20:34
strigazi	try with quay.io/strigazi/alpine-nslookup	20:34
flwang	then it should be a problem of busybox	20:34
strigazi	FROM alpine:edge RUN apk add bind-tools	20:35
strigazi	flwang: can you verify?	20:36
flwang	i'm verifying	20:36
strigazi	that works for you	20:36
flwang	shit, do you guys know how to clean the dns server cache?	20:38
*** devananda has quit IRC		20:38
*** slagle has quit IRC		20:39
flwang	i'm getting Error from server: error dialing backend: dial tcp: lookup test-final-6-deipcjvrcnnl-minion-0 on <my dns server>:53: no such host	20:40
strigazi	which dns is that?	20:43
flwang	it's our preprod dns server	20:43
flwang	i mean <my dns server>	20:43
flwang	i'm running the command on master	20:44
flwang	i don't know why it's trying to talk to our local dns server	20:44
strigazi	it shouldn't	20:45
flwang	yep, i know	20:52
strigazi	this must be a config option in pod	20:52
flwang	strigazi: imdigitaljim: colin-: THANK YOU for all you guys help	20:53
flwang	i really really appreciate it	20:53
flwang	i will buy you guys a beer at Berlin	20:53
strigazi	flwang: anytime, let us know how it goes :)	20:53
strigazi	I'm going offline, see you later	20:54
flwang	i will send email to update the status	20:54
strigazi	thanks	20:54
flwang	good night	20:54
strigazi	have a nice day :)	20:54
imdigitaljim	np see ya!	20:54
imdigitaljim	:D	20:54
*** itlinux has quit IRC		21:14
*** itlinux has joined #openstack-containers		21:17
*** devananda has joined #openstack-containers		21:25
*** itlinux has quit IRC		22:05
*** itlinux has joined #openstack-containers		22:22
*** mattgo has quit IRC		22:23
*** itlinux has quit IRC		22:25
*** rcernin has joined #openstack-containers		22:28
colin-	hope it's working now flwang :)	22:49
flwang	colin-: it's working now	22:50
flwang	just something wrong with the busybox images	22:50
flwang	colin-: thank you for all the help	22:50
colin-	of course, any time	22:56
colin-	glad to hear it	22:56
*** hongbin has quit IRC		22:57
flwang	colin-: cheers	23:04
*** slagle has joined #openstack-containers		23:35

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!