Friday, 2019-11-29

[00:54] *** goldyfruit___ has joined #openstack-containers
[01:20] *** goldyfruit___ has quit IRC
[02:26] *** dasp has joined #openstack-containers
[02:29] *** dasp_ has quit IRC
[03:44] <openstackgerrit> Merged openstack/magnum stable/stein: Set a fixed cipher suite set for Traefik  https://review.opendev.org/696573
[03:49] *** ricolin has joined #openstack-containers
[03:51] *** ricolin has quit IRC
[04:09] *** ricolin has joined #openstack-containers
[04:54] *** udesale has joined #openstack-containers
[05:48] *** namrata has joined #openstack-containers
[06:07] *** elenalindq has joined #openstack-containers
[06:07] *** udesale has quit IRC
[06:27] *** xinliang has joined #openstack-containers
[06:37] *** udesale has joined #openstack-containers
[06:39] *** udesale has quit IRC
[06:39] *** udesale has joined #openstack-containers
[06:39] *** xinliang has quit IRC
[06:42] *** udesale has quit IRC
[06:43] *** jakeyip has joined #openstack-containers
[06:52] *** udesale has joined #openstack-containers
[07:06] *** namrata has quit IRC
[07:13] *** udesale has quit IRC
[07:13] *** udesale has joined #openstack-containers
[07:24] *** rcernin has quit IRC
[07:27] <openstackgerrit> Feilong Wang proposed openstack/magnum master: WIP: [k8s] Support docker storage driver for fedora coreos driver  https://review.opendev.org/696256
[07:28] *** lpetrut has joined #openstack-containers
[07:55] *** namrata has joined #openstack-containers
[08:08] *** ramishra has joined #openstack-containers
[08:28] *** udesale has quit IRC
[08:28] *** udesale has joined #openstack-containers
[08:29] *** udesale has quit IRC
[08:55] *** trident has quit IRC
[08:56] *** trident has joined #openstack-containers
[09:18] *** ricolin has quit IRC
[09:55] <andrein> Hello everyone
[09:55] <andrein> I've read the release notes for magnum 9.0.0 and noticed "When using a public cluster template, user still need the capability to reuse their existing network/subnet, and they also need to be able to turn of/off the floating IP to overwrite the setting in the public template. Now this is supported by adding those three items as parameters when creating cluster."
[09:56] <andrein> what are the label names I can use to do this?
[10:32] *** rcernin has joined #openstack-containers
[10:36] *** pcaruana has joined #openstack-containers
[10:49] *** rcernin has quit IRC
[10:53] *** udesale has joined #openstack-containers
[10:53] <andrein> I've tried adding fixed_network and fixed_subnet labels with the network/subnet ids I wanted, but it created a new network regardless
[10:54] <brtknr> andrein: fixed_network and fixed_subnet are cluster template parameters, not labels
[10:55] <andrein> ok, so I'm definitely missing something here
[10:56] <brtknr> you pass it using --fixed-network and --fixed-subnet args
[10:56] <brtknr> not --labels fixed_network
[10:56] <brtknr> not --labels fixed_network=id
[10:56] <brtknr> andrein:
[10:56] <andrein> ah, I see
[11:03] <namrata> brtknr we tried with stable/rocky and kube_tag 1.14.8 and the CLUSTER never gets completed as output of tail -f /var/log/cloud-init-output.log https://seashells.io/v/rwWjN799
[11:04] <namrata> brtknr for reference output of cat /etc/sysconfig/heat-params https://seashells.io/v/5yPmJaqb
[11:04] <brtknr> namrata: tail is not that useful, could you show me journalctl -u heat-container-agent
[11:06] <namrata> brtknr https://seashells.io/v/URQGjerm
[11:08] <brtknr> are all the kube* services running?
[11:10] <brtknr> namrata:
[11:11] <namrata> brtknr https://seashells.io/v/6ncTaakt kubelet.service is in activating state
[11:11] <namrata> not active
[11:12] <brtknr> namrata: that looks bad
[11:13] <namrata> brtknr what we tested was adding a new script http://paste.openstack.org/show/786912/ `magnum/drivers/common/templates/kubernetes/fragments/patch-master.sh` and it worked fine and all the pods were running
[11:13] <namrata> does this help in any way where code is breaking
[11:14] <namrata> after this patch-master.sh script http://paste.openstack.org/show/786913/ all the pods were running
[11:16] <andrein> brtknr: I think I found a bug in the docs at https://docs.openstack.org/magnum/latest/user/#k8s-keystone-auth-tag
[11:16] <andrein> it links to https://hub.docker.com/r/k8scloudprovider/k8s-keystone-auth/tags/
[11:16] <andrein> however, the cluster actually deploys https://hub.docker.com/r/openstackmagnum/k8s-keystone-auth/tags
[11:17] <andrein> is this a bug in the docs, or in the heat templates?
[11:22] <brtknr> andrein: most likely bug in the docs
[11:23] <andrein> brtknr: the one in the docs looks better maintained, there's a lot more labels available there
[11:23] <andrein> it has images for v1.13+ while the one under openstackmagnum only has v0.1.0 and v1.14.0
[11:26] <trident> brtknr: So, it seems that at the point part-014 (enable-services-master.sh) is run the master node has not registered. They don't seem to register until after the last three parts (flannel-related) have been run. So, by making the patching the last step instead of it being done in part-014 everything works fine.
[11:27] <trident> brtknr: Could it be that this is done in a different order in later releases?
[11:28] <brtknr> commit d8df9d0c367943546e2f6498f7e3f5d1396126bc
[11:28] <brtknr> Author: Feilong Wang <flwang@catalyst.net.nz>
[11:28] <brtknr> Date:   Thu Mar 14 16:49:37 2019 +1300
[11:28] <brtknr>     [fedora-atomic][k8s] Support default Keystone auth policy file
[11:28] <brtknr>     With the new config option `keystone_auth_default_policy`, cloud admin
[11:28] <brtknr>     can set a default keystone auth policy for k8s cluster when the
[11:28] <brtknr>     keystone auth is enabled. As a result, user can use their current
[11:28] <brtknr>     keystone user to access k8s cluster as long as they're assigned
[11:28] <brtknr>     correct roles, and they will get the pre-defined permissions
[11:28] <brtknr>     set by the cloud provider.
[11:28] <brtknr>     The default policy now is based on the v2 format recently introduced
[11:28] <brtknr>     in k8s-keystone-auth which is getting more useful now. For example,
[11:28] <brtknr>     in v1 it doesn't support a policy for user to access resources from
[11:28] <brtknr>     all namespaces but kube-system, but v2 can do that.
[11:28] <brtknr>     NOTE: Now we're using openstackmagnum dockerhub repo until CPO
[11:28] <brtknr>     team fixing their image release issue.
[11:28] <brtknr>     Task: 30069
[11:28] <brtknr>     Story: 1755770
[11:28] <brtknr> NOTE: Now we're using openstackmagnum dockerhub repo until CPO
[11:28] <brtknr> team fixing their image release issue.
[11:28] <brtknr> we can perhaps revert this if this issue has been fixed
[12:31] *** rcernin has joined #openstack-containers
[12:43] *** goldyfruit___ has joined #openstack-containers
[13:01] <andrein> what is the CPO team?
[13:18] <andrein> I'm guessing cloud-provider-openstack?
[13:22] <andrein> flwang: can we revert https://review.opendev.org/#/c/643225/22/magnum/drivers/common/templates/kubernetes/fragments/enable-keystone-auth.sh line 9?
[13:22] <andrein> looks like whatever was broken before was probably fixed, https://hub.docker.com/r/k8scloudprovider/k8s-keystone-auth/tags/
[13:39] <brtknr> andrein: perhaps you could propose a patch
[13:39] <brtknr> and also update the default tag for Train release
[13:39] <andrein> Will do!
[13:39] <andrein> train's default is 1.14.x, right?
[13:49] *** ramishra has quit IRC
[13:51] <brtknr> andrein: 1.15.x i think
[13:51] <brtknr> train supports 1.16.x but requires podman
[13:51] <brtknr> so 1.15.x is better
[13:51] <andrein> https://review.opendev.org/#/c/685675/6/doc/source/user/index.rst << already outdated? :)
[13:51] <trident> brtknr: Would you think a patch proposal moving the node patching from enable-services-master.sh to a new separate patch-master.sh script that is run last would be a good idea? Or do you have any other suggestions?
[13:51] <trident> For stable/rocky that is.
[13:52] <brtknr> trident: sorry what is the context?
[13:53] *** namrata has quit IRC
[13:53] <trident> brtknr: The same issue as namrata and elenalindq have been discussing. I am with City Network as well.
[13:55] <trident> brtknr: So, it seems that at the point part-014 (enable-services-master.sh) is run the master node has not registered. They don't seem to register until after the last three parts (flannel-related) have been run. So, by making the patching the last step instead of it being done in part-014 everything works fine. So could it just be that things are done in a different order in newer releases than rocky so the patch that was cherry
[13:55] <trident>  picked works there.
[13:56] <brtknr> trident: but it runs in a loop for that reason
[13:56] <brtknr> or is the loop blocking?
[13:57] *** spsurya has joined #openstack-containers
[13:58] <trident> brtknr: Yes, the loop is blocking. So it never gets to running part-015, part-016 and part-017.
[13:58] <brtknr> trident: interesting, wondering why it's non blocking in stein
[13:59] <openstackgerrit> Andrei Nistor proposed openstack/magnum master: Change k8s-keystone-auth docker repo  https://review.opendev.org/696706
[13:59] <trident> brtknr: They do run them in order, right? And doesn't start running the next part until the previous one is finished. And part-014 never returns.
[13:59] <trident> brtknr: Ah, so that behaviour is different in >rocky...
[14:00] <brtknr> trident: seems that way
[14:01] <brtknr> trident: because it runs the script inside heat-container-agent rather than via cloud init
[14:02] <trident> brtknr: Ah, okay!
[14:06] <trident> brtknr: So, do you think moving that logic so it's run last by adding a new separate script to magnum/drivers/common/templates/kubernetes/fragments and modifying magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml to include it last in kube_master_init would be a good idea?
[14:07] <brtknr> trident: We don't normally modify previous branches, it's normally make changes to master then backport
[14:07] <brtknr> it is possible a backport with the fix is missing
[14:10] <trident> brtknr: Hm, okay. I wonder which one that might be in that case.
[14:11] *** dave-mccowan has joined #openstack-containers
[14:14] <trident> brtknr: Are you sure that's in stein? And not in train by the way? That's when the enable-service-master.sh script starts using ssh to start services for example.
[14:16] <trident> brtknr: https://github.com/openstack/magnum/commit/05c27f2d7399517c660ea233df816e74d8a75eae
[14:17] <trident> brtknr: Perhaps this could be related though: https://github.com/openstack/magnum/commit/2ab874a5be951a6eba4f9d4f54c106bc0c53d9b1#diff-75661c66ec3a574f251543009c12d86f ?
[14:18] <trident> As that in fact makes enable_services be the last script run through cloud-init, right?
[14:28] <brtknr> trident: sorry for the slow response, i have lots of other things to do today but it sounds like you have a good sense of the problem
[14:28] <brtknr> i can take a look at this on monday
[14:29] <brtknr> this is why we were reluctant to propose fixes for rocky in the first place and now it seems like we may need to revert the changes that we merged yesterday and draw the line at support for v1.14.6
[14:31] <trident> brtknr: Thanks! Yeah, I guess I have quite a good sense of the problem and can work around it locally. Just not sure what would be the right way to handle it in a more permanent manner.
[14:33] <trident> brtknr: I'll try applying https://github.com/openstack/magnum/commit/2ab874a5be951a6eba4f9d4f54c106bc0c53d9b1 locally as well and see if that helps. Feels like we easily can end up in dependency hell here.
[14:34] <brtknr> trident: if it doesn't apply cleanly, best to avoid it
[14:35] <brtknr> hence at StackHPC often tend to upgrade magnum before all our openstack services, Catalyst backport most things from master
[14:35] <brtknr> I think CERN do a lot of backports too
[14:35] <brtknr> if you want to run rocky... you could just loop and backport everything :D
[14:36] <brtknr> andrein: magnum-ui release is merged :D
[14:37] <brtknr> trident: basically, if you want to run the latest version of k8s, it's important to run the latest version of magnum
[14:37] <brtknr> previous versions only guarantee support for older versions
[14:38] <andrein> andrein: Yay! thanks!
[14:38] <brtknr> we don't have the man power to make all previous openstack releases with all versions of k8s... hope that makes sense trident
[14:39] <brtknr> trident: this is because the kubernetes api changes in subtle ways over time and we try to adapt to those changes
[15:49] *** udesale has quit IRC
[15:52] *** lpetrut has quit IRC
[16:01] *** dave-mccowan has quit IRC
[16:11] *** sapd1 has joined #openstack-containers
[16:17] *** lpetrut has joined #openstack-containers
[16:21] *** strobert1 has quit IRC
[16:44] <openstackgerrit> Andrei Nistor proposed openstack/magnum master: Change k8s-keystone-auth docker repo  https://review.opendev.org/696706
[16:46] <brtknr> andrein: left another comment :)
[16:47] <andrein> Makes sense!
[16:48] <brtknr> andrein: we need to bump the versions in kube-cluster.yaml too
[16:48] <brtknr> i'd grep for k8s_keystone_auth_tag
[16:49] <andrein> brtknr: the version is already v1.14.0 in kubecluster.yaml as far as I see
[16:50] <andrein> did I miss something?
[16:52] <brtknr> andrein: ah so looks like the version got bumped up in Train
[16:52] <andrein> yep
[16:54] <brtknr> andrein: i g2g, have a good weekend! thanks for submitting those patches
[16:54] <andrein> brtknr: have a good weekend, it was a pleasure working with you this week!
[16:55] <brtknr> Likewise :)
[16:55] <openstackgerrit> Andrei Nistor proposed openstack/magnum master: Change k8s-keystone-auth docker repo  https://review.opendev.org/696706
[16:58] <brtknr> andrein: if you get a chance, please test with the new docker repo
[16:59] <andrein> I've manually edited the daemonset on my existing clusters and it worked (as in deployed) - i still haven't figured out how to use it yet
[17:05] *** spsurya has quit IRC
[17:16] *** lpetrut has quit IRC
[17:33] *** lpetrut has joined #openstack-containers
[19:56] *** jmlowe has quit IRC
[20:13] *** jmlowe has joined #openstack-containers
[20:53] *** jmlowe has quit IRC
[21:09] *** elenalindq has quit IRC
[21:50] *** jmlowe has joined #openstack-containers
[22:03] *** pcaruana has quit IRC
[23:18] *** rcernin has quit IRC
[23:56] *** sapd1 has quit IRC
