Monday, 2014-04-28

« Sunday, 2014-04-27 Index Tuesday, 2014-04-29 »
*** zdin0bot has quit IRC00:13
*** matsuhashi has joined #openstack-ironic00:20
*** zdin0bot has joined #openstack-ironic00:30
*** zdin0bot has quit IRC00:35
*** zdin0bot has joined #openstack-ironic00:44
*** shakamunyi has joined #openstack-ironic00:50
*** shakamunyi has quit IRC00:54
*** datajerk has joined #openstack-ironic01:25
*** nosnos has joined #openstack-ironic01:50
*** zdin0bot has quit IRC01:56
*** zdin0bot has joined #openstack-ironic01:56
*** killer_prince has quit IRC02:22
*** Haomeng has joined #openstack-ironic02:25
*** killer_prince has joined #openstack-ironic02:29
*** datajerk has quit IRC02:50
*** shakamunyi has joined #openstack-ironic02:51
*** shakamunyi has quit IRC02:56
*** coolsvap|afk has joined #openstack-ironic03:05
*** coolsvap|afk is now known as coolsvap03:05
*** zdin0bot1 has joined #openstack-ironic03:08
*** zdin0bot has quit IRC03:09
*** radsy has quit IRC03:37
*** Mikhail_D_ltp has joined #openstack-ironic03:46
*** Mikhail_D_ltp has quit IRC03:53
*** matsuhashi has quit IRC03:54
*** eghobo has joined #openstack-ironic04:02
*** zdin0bot1 has quit IRC04:07
*** nosnos has quit IRC04:10
*** eghobo has quit IRC04:12
*** matsuhashi has joined #openstack-ironic05:04
*** matsuhashi has quit IRC05:10
*** matsuhashi has joined #openstack-ironic05:11
*** nosnos has joined #openstack-ironic05:13
*** matsuhashi has quit IRC05:17
*** matsuhashi has joined #openstack-ironic05:17
*** zdin0bot has joined #openstack-ironic05:24
*** eghobo has joined #openstack-ironic05:28
openstackgerritJosh Gachnang proposed a change to openstack/ironic: Factoring out PXE and TFTP functions  https://review.openstack.org/9023305:51
*** lazy_prince has joined #openstack-ironic05:51
*** zdin0bot has quit IRC05:53
*** shakamunyi has joined #openstack-ironic05:53
*** zdin0bot has joined #openstack-ironic05:54
*** shakamunyi has quit IRC05:58
*** zdin0bot has quit IRC06:05
openstackgerritJosh Gachnang proposed a change to openstack/ironic: Factoring out PXE and TFTP functions  https://review.openstack.org/9023306:05
*** rameshg87 has joined #openstack-ironic06:06
openstackgerritOpenStack Proposal Bot proposed a change to openstack/ironic: Imported Translations from Transifex  https://review.openstack.org/8850806:08
*** zdin0bot has joined #openstack-ironic06:08
*** vkozhukalov has joined #openstack-ironic06:18
*** ifarkas has joined #openstack-ironic06:31
*** viktors has joined #openstack-ironic06:33
*** zdin0bot has quit IRC06:36
*** killer_prince has quit IRC06:42
*** killer_prince has joined #openstack-ironic06:43
*** shakamunyi has joined #openstack-ironic06:54
*** vkozhukalov has quit IRC06:56
*** shakamunyi has quit IRC06:58
*** matsuhashi has quit IRC07:01
*** matsuhashi has joined #openstack-ironic07:03
*** matsuhashi has quit IRC07:23
*** eghobo has quit IRC07:24
*** matsuhashi has joined #openstack-ironic07:25
*** ifarkas has quit IRC07:45
*** ifarkas has joined #openstack-ironic07:45
openstackgerritDmitry Tantsur proposed a change to openstack/ironic: Consider Glance checksum when caching master images  https://review.openstack.org/9039007:49
openstackgerritDmitry Tantsur proposed a change to openstack/ironic: Implement more robust caching for master images  https://review.openstack.org/8538707:49
*** jistr has joined #openstack-ironic07:51
*** yuriyz has joined #openstack-ironic07:51
dtantsurMorning Ironic07:51
*** ndipanov has joined #openstack-ironic07:51
*** shakamunyi has joined #openstack-ironic07:55
*** mrda is now known as mrda_away07:57
Mikhail_D_wkMorning dtantsur :)07:57
Mikhail_D_wkMorning all! :)07:58
*** shakamunyi has quit IRC08:00
*** derekh has joined #openstack-ironic08:03
Haomengmorning dtantsur, Mikhail_D_wk :)08:08
*** vkozhukalov has joined #openstack-ironic08:19
*** viktors has quit IRC08:23
*** viktors has joined #openstack-ironic08:24
*** athomas has joined #openstack-ironic08:26
*** martyntaylor has joined #openstack-ironic08:27
*** lucasagomes has joined #openstack-ironic08:31
romchegMorning folks08:37
yuriyzmorning Ironic08:40
dtantsurmorning romcheg, yuriyz08:45
*** shakamunyi has joined #openstack-ironic08:56
*** shakamunyi has quit IRC09:01
romcheglucasagomes: Hi, around?09:08
openstackgerritGhe Rivero proposed a change to openstack/ironic: Clean oslo dependencies files  https://review.openstack.org/9067009:09
agordeevmorning Ironic!09:20
GheRiveromorning09:20
dtantsurmorning, agordeev, GheRivero09:21
dtantsurGheRivero, could you have a look at https://review.openstack.org/#/c/85387 ? I think it seriously touches code you originally wrote09:22
GheRiverosure. On my way09:23
agordeevmornong GheRivero dtantsur !09:30
openstackgerritMikhail Durnosvistov proposed a change to openstack/ironic: Cleanup mock patch without `with` part 2  https://review.openstack.org/7325609:32
openstackgerritMikhail Durnosvistov proposed a change to openstack/ironic: Cleanup mock patch without `with` part 3  https://review.openstack.org/8653609:32
openstackgerritMikhail Durnosvistov proposed a change to openstack/ironic: Cleanup mock patch without `with` part 1  https://review.openstack.org/7322309:32
openstackgerritMikhail Durnosvistov proposed a change to openstack/ironic: Get rid of the newline "\"  https://review.openstack.org/6679309:32
openstackgerritA change was merged to openstack/ironic: Remove hardcoded node id value  https://review.openstack.org/8843309:35
lucasagomesromcheg, hey :)09:40
openstackgerritLucas Alvares Gomes proposed a change to openstack/ironic: Get rid of the swap partition  https://review.openstack.org/8372609:45
*** mkerrin has quit IRC09:45
agordeevlucasagomes: morning :)09:48
lucasagomesagordeev, good morning :)09:50
lucasagomesgood morning GheRivero dtantsur agordeev yuriyz romcheg :)09:51
dtantsurmorning, lucasagomes :)09:51
*** stephenpearson has joined #openstack-ironic09:51
openstackgerritA change was merged to openstack/python-ironicclient: Updated from global requirements  https://review.openstack.org/8924409:55
dtantsurGheRivero, also, could you have a look at blueprint, explaining all these changes to caching: https://blueprints.launchpad.net/ironic/+spec/pxe-master-images-caching09:55
romcheglucasagomes: https://review.openstack.org/#/c/88448/ Since we don't support XML API, do we need this?09:59
openstackgerritLucas Alvares Gomes proposed a change to openstack/ironic: Consistent partitioning layout  https://review.openstack.org/9067510:01
lucasagomesromcheg, xml still enabled in the api no?10:02
lucasagomesromcheg, I don't think we disabled it in wsme (cuz they didn't have a straight forward way to disable it)10:03
romcheglucasagomes: I think it is, but I remember we agreed that we cannot support it10:03
lucasagomesromcheg, yeah, that's correct10:03
lucasagomesromcheg, :/ idk, I still think that if we do not support we should disable it...10:03
romchegI think it's reasonable to disable it too10:05
*** matsuhashi has quit IRC10:05
*** nosnos has quit IRC10:05
lucasagomesyeah, so while it's enabled, I don't think that patch is complete useless... I mean, it's still there to people try/use so we should fix the problems associated with it10:06
romchegLet's check how to do that. If we cannot do that in wsme, we can easyly do that by a separate hook10:06
lucasagomesyeah, or just send a patch to wsme to allow disabling it10:06
lucasagomesromcheg, https://review.openstack.org/#/c/78108/10:06
romcheglucasagomes: wow10:07
romchegthanks!10:07
lucasagomesromcheg, np... heh I think people don't review much things in ironic10:08
lucasagomeslemme review that patch10:08
lucasagomesin wsme10:08
lucasagomes**10:08
romchegyup10:08
romchegFor the first look I can see that it touches Content-Type but doesn't touch URI extensions10:09
lucasagomesyeah it makes the content type configurable10:11
lucasagomesromcheg, hmmm yeah true... so ".xml" would still return an xml? lemme test10:11
romchegIf Accept is not configured, it checks for the URI extension (.xml or .json)10:12
lucasagomesic10:16
openstackgerritLucas Alvares Gomes proposed a change to openstack/ironic: Use GB instead of MB for swap  https://review.openstack.org/8378810:17
*** coolsvap is now known as coolsvap|afk10:38
openstackgerritLucas Alvares Gomes proposed a change to openstack/ironic: Return error immediately if set_console_mode is not supported  https://review.openstack.org/9037610:43
*** mkerrin has joined #openstack-ironic11:01
*** andreykurilin has joined #openstack-ironic11:26
andreykurilinlucasagomes, hi11:27
andreykurilinlucasagomes, can you approve my patch?:) https://review.openstack.org/#/c/72418/11:28
dtantsurFYI: got a new page for tracking testing on Fedora: https://etherpad.openstack.org/p/IronicTestingOnFedora11:36
dtantsurifarkas, lucasagomes, adam_g ^^^11:41
dtantsurI got tempest/scenario/test_baremetal_basic_ops.py pass on F20 \o/11:48
agordeevdtantsur: congrats!11:53
openstackgerritGhe Rivero proposed a change to openstack/ironic: Clean oslo dependencies files  https://review.openstack.org/9067012:00
ifarkasdtantsur, nice, that's pretty cool!12:08
*** killer_prince has quit IRC12:13
*** rameshg87 has left #openstack-ironic12:19
dtantsurifarkas, lucasagomes could you have a look at https://review.openstack.org/#/c/85387/ again?12:19
ifarkasdtantsur, sure, I will take a look on that12:20
dtantsuralso, if there any cores around, could you land https://review.openstack.org/#/c/73223/ ? This is testing refactoring and it's here since Feb 13.12:21
dtantsurlucasagomes, romcheg ^^^ ?12:21
*** jdob has joined #openstack-ironic12:26
*** lazy_prince2 has joined #openstack-ironic12:36
*** lazy_prince has quit IRC12:36
*** lazy_prince2 is now known as lazy_prince12:37
*** martyntaylor has left #openstack-ironic12:40
*** killer_prince has joined #openstack-ironic12:42
*** rloo has joined #openstack-ironic13:04
lucasagomesandreykurilin, hey, I just tested that patch, there's some problems with it :)13:06
lucasagomes:(13:06
lucasagomesandreykurilin, [stack@localhost python-ironicclient]$ ironic node-list13:07
lucasagomesprint_list() got an unexpected keyword argument 'sortby'13:07
*** jbjohnso has joined #openstack-ironic13:07
andreykurilin lucasagomes, hm...how could I miss that.. i will fix it soon. thanks:)13:13
lucasagomesandreykurilin, np... I will review again after the fix -- apart from that the patch lgtm13:14
openstackgerritAndrey Kurilin proposed a change to openstack/python-ironicclient: Reuse module `cliutils` from common code  https://review.openstack.org/7241813:17
*** matty_dubs|gone is now known as matty_dubs13:18
andreykurilinlucasagomes: already fixed:)13:18
andreykurilinlucasgomes: `grep` did not find more "sortby" argument, except two places that you have been found13:21
openstackgerritLucas Alvares Gomes proposed a change to openstack/ironic: Add ManagementInterface  https://review.openstack.org/8606313:27
lucasagomesandreykurilin, awesome :D thank u!13:27
lucasagomeswe really need to add tests to the shell commands in the client13:28
lucasagomesto capture those errors :/13:28
lucasagomes(not as part of ur patch tho)13:28
NobodyCamgood morning Ironic13:32
matty_dubsMorning NobodyCam13:32
NobodyCammorning matty_dubs :)13:33
lucasagomesmorning NobodyCam matty_dubs :)13:33
lucasagomeshow was the weekend?13:33
NobodyCammorning lucasagomes ... was good13:33
NobodyCam:)13:33
*** rloo has quit IRC13:33
NobodyCamthou I may not be able to be fully here for the jam this morning13:33
matty_dubslucasagomes: Short!13:33
*** rloo has joined #openstack-ironic13:34
NobodyCamThere is very bad weather around here13:34
romchegMorning matty_dubs, NobodyCam13:38
NobodyCammorning romcheg13:39
*** rloo has quit IRC13:41
*** rloo has joined #openstack-ironic13:41
lucasagomesheh matty_dubs +113:42
lucasagomesNobodyCam, oh :( saturday was pretty bad here as well, but sunday was incredible sunny!13:42
lucasagomesandreykurilin, the missing tests is pretty much all the shell modules tests heh13:43
*** lazy_prince has quit IRC13:44
andreykurilinlucasagomes: :-D I will not promise to increase coverage to 100%, but i'll add some new tests:)13:45
NobodyCamlucasagomes: http://weather.weatherbug.com/GA/Atlanta-weather/severe-weather/local-alerts.html13:45
lucasagomesandreykurilin, heh sure! Thank you13:46
lucasagomesNobodyCam, oh :(13:46
NobodyCambeen watching the weather channel all weekend :-p13:49
lucasagomesheh, hope things get better over there before the summit13:50
openstackgerritDavid Shrewsbury proposed a change to openstack/ironic: Implement instance rebuild in nova.virt.driver  https://review.openstack.org/9042913:50
NobodyCamwe may have a window to get into Loyisiana this morning ... if we do we're going to take it13:51
NobodyCamlol Rv's and Tornado's don't mix well .. so we are doing our best to avoid them13:52
NobodyCamLouisiana even :-p... /me needs more coffeee13:52
matty_dubsLOL I thought that was an attempt to immitate a southern accent or something13:54
NobodyCam:)13:56
NobodyCamnope just lack of coffee13:56
ShrewsFYI, the "Baremetal" filter topic for openstack-dev is now "Baremetal-Ironic" and will now filter email subjects with [baremetal] or [ironic].13:59
NobodyCamnice13:59
matty_dubsSilly question -- how do those filters work?14:04
matty_dubsI always just filtered in my mail client based on subject14:04
Shrewsmatty_dubs: you have to log in to http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev and you can select which filters you want14:05
matty_dubsOh, nice! I had no idea that was a thing14:06
Shrewsthat link is at the bottom of every email sent to the ML14:06
Shrews:)14:06
matty_dubsI've always just received *all* of openstack-dev14:06
matty_dubsHa, I knew about the mailman page, but not that you could filter there14:06
Shrewsit's handy14:06
NobodyCamhttp://vortex.accuweather.com/adc2004/pub/includes/columns/newsstory/2014/650x366_04280447_ap685400658243.jpg :-p14:06
ShrewsNobodyCam: hope that's not you!14:07
NobodyCamits not14:07
* Shrews imagines bagels strewn everywhere14:07
NobodyCamjust flashed that on the weather channel14:07
NobodyCamlol14:07
NobodyCamnot the Bagels14:07
*** rwsu has joined #openstack-ironic14:08
*** jgrimm has joined #openstack-ironic14:13
*** linggao has joined #openstack-ironic14:16
*** shakamunyi has joined #openstack-ironic14:29
-openstackstatus- NOTICE: Gerrit downtime for upgrade begins in 90 minutes. See: https://wiki.openstack.org/wiki/GerritUpgrade14:30
NobodyCamoh that is goin to impact the review jam14:32
lucasagomesNobodyCam, ping re onva resource tracker... if I have two nodes, both of them have 512 ram, 10 gb disk, 1 cpu, the resource tracker should AUDIT 1024 ram, 20gb disk, 2 cpus, am I right?14:32
NobodyCam*CORES* ^^^^^^^^^^^14:32
lucasagomesouch :/14:32
NobodyCamlucasagomes: yes I think so .. but that is kinda not true14:33
*** mdenny has joined #openstack-ironic14:33
lucasagomesNobodyCam, right... I'm taking a look at it, cause it doesn't14:33
lucasagomesit seems to pick only one node to report right now14:33
* lucasagomes is taking a look14:34
openstackgerritDmitry Tantsur proposed a change to openstack/ironic: Consider Glance checksum when caching master images  https://review.openstack.org/9039014:35
openstackgerritDmitry Tantsur proposed a change to openstack/ironic: Implement more robust caching for master images  https://review.openstack.org/8538714:35
*** zdin0bot has joined #openstack-ironic14:40
openstackgerritAleksandr Gordeev proposed a change to openstack/ironic-python-agent: Fix unexpected stevedore traceback in tests  https://review.openstack.org/9075614:40
*** killer_prince is now known as lazy_prince14:43
*** shakamunyi has quit IRC14:44
*** lazy_prince is now known as killer_prince14:46
NobodyCambrb14:46
openstackgerritDmitry Tantsur proposed a change to openstack/ironic: Consider Glance checksum when caching master images  https://review.openstack.org/9039014:46
devanandag'morning, all14:50
dtantsurdevananda, morning14:50
matty_dubsHowdy devananda14:51
lucasagomesdevananda, morning14:53
devanandaNobodyCam: hmm, gerrit downtime is an hour from now.14:54
devanandalucasagomes: no -- rt will audit TWO compute nodes, each with 512mb14:54
lucasagomesdevananda, right... because when I see the AUDIT logs14:55
lucasagomesdevananda, it seems to be reporting 1 node only14:55
lucasagomes2014-04-28 15:55:17.690 AUDIT nova.compute.resource_tracker [-] Free ram (MB): 51214:56
lucasagomesonce that node get's deploying, not AUDIT is shown anymore14:56
NobodyCamdevananda: good morning14:56
lucasagomesdevananda, or, if that node has no properties, the rt is reporting:14:57
lucasagomes2014-04-28 15:57:02.248 AUDIT nova.compute.resource_tracker [req-5e51f002-7eb0-4e80-a413-977909693ef5 None None] Free ram (MB): 014:57
lucasagomes2014-04-28 15:57:02.248 AUDIT nova.compute.resource_tracker [req-5e51f002-7eb0-4e80-a413-977909693ef5 None None] Free disk (GB): 014:57
lucasagomes2014-04-28 15:57:02.248 AUDIT nova.compute.resource_tracker [req-5e51f002-7eb0-4e80-a413-977909693ef5 None None] Free VCPU information unavailable14:57
devanandalucasagomes: right. we've a bug there. try adam_g's patch14:58
devanandalucasagomes: it should report 0 resources for nodes taht are deployed and errored14:58
devanandalucasagomes: not hide them (which is the current broken behavior)14:58
lucasagomesdevananda, right lemme try with his patch (I think i did but it's the same)14:59
lucasagomes1 sec14:59
lucasagomesdevananda, yup same15:00
lucasagomesdevananda, I will open a bug about it15:00
devananda:( thanks15:02
lucasagomesdevananda, https://github.com/openstack/nova/blob/master/nova/virt/xenapi/driver.py15:02
lucasagomesops https://github.com/openstack/nova/blob/master/nova/virt/xenapi/driver.py#L45515:02
lucasagomeshttps://github.com/openstack/nova/blob/master/nova/virt/vmwareapi/driver.py#L32415:02
lucasagomesthey seems to be using get_host_status, which is the sum of the resources of all nodes avaiable15:03
lucasagomesperhaps we should do the same in Ironic15:03
rloohi, is there a bug bash?15:03
*** shakamunyi has joined #openstack-ironic15:04
rlooerr, a review jam?15:04
devanandarloo: hi! I'm getting the etherpad cleaned up15:04
devanandahttps://etherpad.openstack.org/p/IronicReviewDay15:04
lucasagomesrloo, we didn't start yet15:04
rloook, let me know when you are starting :-)15:04
*** killer_prince is now known as lazy_prince15:05
devanandalucasagomes: yes, but are those returning stats for the instances on the current (local)host?15:06
devanandalucasagomes: or for the whole (federated) cluster?15:06
Shrewshrm, with latest master branch in devstack, i'm now getting: "oslo.config.cfg.DuplicateOptError: duplicate option: rpc_backend"15:06
lucasagomesShrews, delete the .pyc from the openstack/common/rpc/15:07
devanandaShrews: i was getting that a bit last week, but then updated everything and it's fine15:07
*** pradipta has joined #openstack-ironic15:07
devanandathat -- and git pull in every dir in /opt/stack/15:07
lucasagomesit's because of the oslo.message that now deletend all the openstack/common/rpc/* stuff, but you need to clean ur git repo to get rid of the *pyc15:07
lucasagomesdevananda, I think on the localhost... I'll investigate15:08
lucasagomesdevananda, the problem is that ironic doesn't have a way to filter the nodes that is being managed by a specific host (from outside, internally we do)15:09
Shrewslucasagomes: thx15:09
lucasagomesShrews, np15:09
openstackgerritA change was merged to openstack/ironic: Fix bypassed reference to node state values  https://review.openstack.org/8840315:10
devanandalucasagomes: well, and nova-compute is managing *all* ironic nodes, in a sense15:12
devanandalucasagomes: and with >1 n-cpu, they are all managing all nodes15:12
devanandaso - folks who want to do reviews -- i'm adding things here: https://etherpad.openstack.org/p/IronicReviewDay15:13
devanandafeel free to, you know, review, discuss, etc :)15:13
lucasagomesdevananda, hmm, right15:14
lucasagomesdevananda, I opened the bug (https://bugs.launchpad.net/ironic/+bug/1313779) will do some investigation15:15
lucasagomesat least it doesn't affect the deployment, I deployed both nodes and the scheduler pick them and all15:15
lucasagomesit just the audit that looks broke15:15
openstackgerritDavid Shrewsbury proposed a change to openstack/ironic: Implement instance rebuild in nova.virt.driver  https://review.openstack.org/9042915:19
rloodevananda: https://review.openstack.org/#/c/88711/3/ironic/common/driver_factory.py. Did you see these comments?15:19
devanandarloo: thanks. no :)15:23
rloolucasagomes: https://review.openstack.org/#/c/86063/12/ironic/drivers/base.py. That whole issue about the node being avail in task.15:24
devanandahm, I dont know if tripleo is enabling pxe_ssh yet15:24
*** viktors is now known as viktors|afk15:24
rloolucasagomes: there was a patch awhile ago to remove the node. but did we ever decide/clean up task so that it had exactly one node?15:25
*** yuriyz has quit IRC15:25
lucasagomesrloo, it was something that me devananda and comstud were discussing last week15:27
lucasagomesrloo, right now we don't use multiple-node locks and will be refactored out of the taskmanager15:27
lucasagomesrloo, I also opened a but about the redundant 'node' parameter in the driver interfaces to track the work of removing it from the interface15:27
rloolucasagomes: is there a bug open about refactoring taskmanager?15:28
lucasagomesrloo, https://bugs.launchpad.net/ironic/+bug/131263215:28
lucasagomesrloo, hmm not that I know15:28
openstackgerritJarrod Johnson proposed a change to stackforge/pyghmi: Correct sensor offset for byte 5 state values  https://review.openstack.org/9077815:28
lucasagomesdevananda, comstud ^ there's one?15:28
*** rloo has quit IRC15:28
*** rloo has joined #openstack-ironic15:29
rloolucasagomes: https://review.openstack.org/#/c/61859/.15:29
lucasagomesrloo, I see, will link that bug with this one15:30
-openstackstatus- NOTICE: Gerrit downtime for upgrade begins in 30 minutes. See: https://wiki.openstack.org/wiki/GerritUpgrade15:30
*** rloo has quit IRC15:31
*** rloo has joined #openstack-ironic15:31
rloolucasagomes: thx. i think there should be a bug to refactor taskmanager too15:31
lucasagomesrloo, +1 yeah, idk if comstud is work on that... if not I can give it a go15:32
*** dwalleck has joined #openstack-ironic15:32
rloolucasagomes: thx. otherwise if the refactoring isn't done, i think removing the node arg is somewhat wrong.15:33
lucasagomesrloo, :( I can put it back, devananda  any opnion here ^ ?15:33
* lucasagomes really wants that base interface to get merged to unlock the rest of the work15:33
rloolucasagomes: i am fine with the change as long as there is a note about other change/bug.15:34
lucasagomesrloo, I left a comment on that patch, as a TODO, opening a bug and referencing there would be fine?15:34
lucasagomesrloo, ack15:34
rloolucasagomes: yeah, fine with me anyway. I seem to recall where we had such a change in something else ;)15:34
lucasagomes:D15:35
*** zdin0bot has quit IRC15:35
*** zdin0bot has joined #openstack-ironic15:35
devanandaa) comstud's refactoring of taskmanager is great. b) we should make taskmanager only take one node, since that's all it actually ever does today. c) we can remove the node param from most driver interfaces. but yes, it should be tracked somewhere15:36
devanandaoh, and b') any multi-node operations we might need to eventually do won't be do-able with the originally planned approach because that was not written with the hash ring in mind15:37
devanandaso we'd have to refactor that code anyway, and basically want to pass multiple locks around (rather than multiple nodes in a single lock)15:38
*** coolsvap|afk is now known as coolsvap15:38
devanandaalso, wouldnt' it be neat if taskmanager used taskflow lib at some point? :)15:39
openstackgerritDevananda van der Veen proposed a change to openstack/ironic: Remove 'fake' and 'ssh' drivers from default enabled list  https://review.openstack.org/8871115:39
lucasagomesdevananda, hmm I dunno much taskflow, but sounds a bit overkill15:39
rloothx devananda. so we need to make sure there is a bug to track the refactoring of taskmanager. the other stuff is being tracked.15:41
rlooha ha, one day, taskflow will be in everything ;)15:41
lucasagomes:)15:42
*** zdin0bot has quit IRC15:53
*** eghobo has joined #openstack-ironic15:57
ShrewsSo, why isn't the full disk space being reported for 'df -k' here?   http://pastebin.com/dfB454QC16:00
Shrewsfor vda3, that is16:00
Shrewsthat should be with a 1G ephemeral and 9G root16:02
* devananda goes afk for a bit16:04
lucasagomesShrews, ? /dev/vda1              1032088     34052    945608   3% /mnt16:07
lucasagomes^ that's ur ephemeral being reported by df -k16:07
Shrewslucasagomes: yeah, that's correct. but vda3?16:07
lucasagomes/dev/vda3               174536     10132    155405   6% /16:07
lucasagomes^16:07
lucasagomesohhh16:07
Shrewsthat's no where near 9G16:07
*** rloo has quit IRC16:08
*** rloo has joined #openstack-ironic16:08
lucasagomeslooking16:08
Shrewsthis is my flavor def: http://paste.openstack.org/show/77470/16:08
lucasagomesShrews, can u run, df -Th16:09
lucasagomesfor  amore human readble unit sizes16:09
*** Mikhail_D_ltp has joined #openstack-ironic16:10
Shrewslucasagomes: -T not supported on cirros, but: http://paste.openstack.org/show/77471/16:10
lucasagomesah16:10
lucasagomescirros :(16:10
lucasagomesyeah16:10
lucasagomesShrews, so the fs is that size because the image is that size16:12
lucasagomeswe are not resizing the filesystem16:12
lucasagomeswe only dd that image to the partition and that's it16:12
Shrewslucasagomes: so this is intentional then?16:13
*** matty_dubs is now known as matty_dubs|lunch16:13
lucasagomesShrews, thinking...16:13
lucasagomesShrews, tools like cloud-init have a growroot tools to do it16:14
lucasagomesShrews, idk whether we should use those tools, or make ironic resize it16:14
Shrewsi mean, that's fine, afaic. i just wanted to know the reason  :)16:14
lucasagomesShrews, right, yeah the reason is that we don't resize the fs to occupy the whole disk after copying the image to the disk... now I dunno whether ironic should do it or not16:15
lucasagomesresizing fs's is not the most neat thing to do :D16:15
lucasagomesalthough growing the fs should be fine16:15
lucasagomesthe whole partition*16:16
lucasagomesdevananda, do u think we should resize the root partition fs after copying the image to the disk? ^16:16
Shrewsimo, i would think a user would expect the full space to be available (for log growth and what not).16:18
lucasagomesI think as well... but dunno whether we should use ironic to do it or rely on tools like cloud-init to do so16:19
Shrewsat the very least, it's confusing for simple minds such as myself  :)16:19
lucasagomesimo I don't see problem in having ironic to do it16:19
*** vkozhukalov has quit IRC16:19
Shrewsah, yeah. i don't know which one should handle it.16:20
lucasagomesShrews, yeah, because, if we want to resize we probably need to introspect in the image to see what fs it's use16:21
lucasagomesand then use ntfsresize for ntfs16:21
lucasagomesresize2fs for linux fs's16:21
lucasagomesetc...16:21
* Shrews lunches16:27
devanandaironic shouldn't do that, in part because init does it, and in part because the user may not want that16:32
devanandaShrews: if you build your image from dib (rather than using cirros) you should get one that auto-resizes16:33
devanandafor tempest testing, i think cirros is probably sufficient (after all, that's what the rest of devstack's tests use)16:33
JayFI've seen cloud-init resize filesystem/partitions to fill disks properly on hardware (with the needed patches to read configdrive off a partition, which are upstream now iirc)16:33
devanandaJayF: exactly16:33
JayFand I agree that we should let tools like cloud-init do that work for us on first boot16:33
lucasagomes+116:35
lucasagomesso let cloud-init do it for us16:35
-openstackstatus- NOTICE: Gerrit is unavailable until further notice for a major upgrade. See: https://wiki.openstack.org/wiki/GerritUpgrade16:36
*** ChanServ changes topic to "Gerrit is unavailable until further notice for a major upgrade. See: https://wiki.openstack.org/wiki/GerritUpgrade"16:36
*** newell_ has joined #openstack-ironic16:40
*** ifarkas has quit IRC16:41
*** shakamunyi has quit IRC16:46
*** ndipanov is now known as ndipanov_gone16:47
*** jistr has quit IRC16:54
*** derekh has quit IRC16:54
*** lazy_prince is now known as killer_prince16:54
*** harlowja_away is now known as harlowja17:00
*** lucasagomes is now known as lucas-afk17:09
*** matty_dubs|lunch is now known as matty_dubs17:09
*** dwalleck has quit IRC17:13
*** shakamunyi has joined #openstack-ironic17:13
*** hemna has joined #openstack-ironic17:19
*** dwalleck has joined #openstack-ironic17:24
*** stephenpearson has quit IRC17:32
*** shakamunyi has quit IRC17:35
*** killer_prince is now known as lazy_prince17:38
*** lazy_prince is now known as killer_prince17:38
*** lazy_prince2 has joined #openstack-ironic17:38
*** eghobo has quit IRC17:44
hemnaj #openstack-infra17:44
hemnabah17:44
*** eghobo has joined #openstack-ironic17:44
*** john-n-seattle1 has quit IRC17:44
*** john-n-seattle has joined #openstack-ironic17:49
matty_dubsdtantsur: Hey, have you run into "AMQP server on localhost:5672 is unreachable: [Errno 111] ECONNREFUSED" on F20 + devstack?17:51
matty_dubsIt seems to have fallen over and now I can't even find the service17:51
dtantsurmatty_dubs, is it Fedora?17:52
matty_dubsYeah, 2017:52
*** datajerk has joined #openstack-ironic17:52
*** athomas has quit IRC17:52
dtantsur$ systemctl status rabbitmq-server.service  ?17:52
matty_dubsBingo!17:53
matty_dubsFor some reason I wasn't finding that17:53
dtantsurok, and what is there?17:53
matty_dubsApr 17 16:32:03 dhcp-57-107.bos.redhat.com rabbitmqctl[18699]: Stopping and halting node 'rabbit@dhcp-57-107' ...17:53
matty_dubsFor who-knows-why17:53
matty_dubsLemme try to restart17:54
matty_dubsI think what threw me off is that bash-completion wasn't finding it, but was showing other r* stuff17:54
dtantsur1. try to restart; 2. I experiences troubles with some lock file out of nothing, so I had to: yum remove rabbitmq-server && ./unstack.sh && ./stack.sh17:54
dtantsur* experiences = experienced17:54
matty_dubsOh, wow17:55
dtantsurI just rebuild my devstack today, so it should work, but this problem does occur sometimes17:56
matty_dubsSeems set now, though now I need to restart some other services that appear to have just stopped trying when AMQP went down17:56
matty_dubsKind of concerning that it randomly stopped/17:56
jristdisable_service rabbit17:56
jristenable_service qpid17:56
jristin my localrc17:56
dtantsurjrist, that may work, but not necessary out-of-box with Ironic17:57
*** coolsvap is now known as coolsvap|afk17:57
dtantsurdefault for openstack is still rabbit, I think17:57
jristconfirm17:57
*** tatyana has joined #openstack-ironic17:58
dtantsurbut I actually tried both and both worked for me (qpid in instack, rabbit in devstack)17:58
matty_dubsdtantsur: BTW, did you say you were looking at beating selinux into submission? I still have to "setenforce 0" to get anything working.17:59
matty_dubswhich makes dwalsh weep: http://stopdisablingselinux.com/17:59
dtantsurmatty_dubs, what's you problems? Can you create a separate section in https://etherpad.openstack.org/p/IronicTestingOnFedora and fill in your experience?18:00
dtantsurmatty_dubs, I'm trying to have a single source of information on what work/does not work on Fedora18:00
matty_dubs    To use Horizon you have to disable SELinux: $ sudo setenforce 018:00
matty_dubs^ also my experience18:00
matty_dubsI forget if there was more that didn't work18:01
dtantsurmatty_dubs, ah, yeah, and that's hard to fix18:01
matty_dubsI tried to hit the dashboard early-on to test18:01
*** lazy_prince2 has quit IRC18:01
dtantsurproblem is horizon tries to access directories that httpd should not access according to SEL18:01
*** killer_prince is now known as lazy_prince18:01
dtantsurI do want to fix it eventually, and any ideas are much appreciated18:02
*** vkozhukalov has joined #openstack-ironic18:05
*** epim has joined #openstack-ironic18:07
*** dwalleck has quit IRC18:11
*** datajerk has quit IRC18:12
*** Mikhail_D_ltp has quit IRC18:13
*** Mikhail_D_ltp has joined #openstack-ironic18:15
*** gmatefi has joined #openstack-ironic18:16
*** datajerk has joined #openstack-ironic18:17
Shrewsdevananda: ping18:19
devanandaShrews: pong18:20
Shrewsdevananda: so, i'm pretty happy with the new rebuild() in 90429. seems to be working well. should i be attempting to validate the type of image requested in the rebuild? e.g., not a whole disk image or whatever18:21
*** jbjohnso has quit IRC18:21
Shrewsi think there was a conversation about that recently18:22
devanandaShrews: awesome. good question. well, we don't have full-disk image support in ironic yet, but please raise that on that bp/review18:22
devanandaShrews: because full disk obviously won't support --preserve18:22
devanandabut it could be rebuilt18:22
devanandaand eg a SAN volume re-attached18:23
*** pradipta is now known as pradipta_away18:35
lucas-afkwow cool now it will be possible to edit the commit message directly on gerrit?18:37
Shrewslucas-afk: i was *just* noticing that. neat18:38
lucas-afkyeah super handy18:38
Shrewsand thank goodness that horrific WIP button that mordred wanted so much has been eradicated! that developer should have been eradicated with it18:41
mordredShrews: :)18:42
mordredShrews: the feature is now on the change voting page, fwiw18:42
jrollwe're still meeting today, yes?18:42
Shrewsmordred: i know  ;)18:43
rloojroll: yes18:44
jrollcool :)18:44
*** agordeev2 has joined #openstack-ironic18:47
*** martyntaylor has joined #openstack-ironic18:48
*** lucas-afk is now known as lucasagomes18:54
*** romcheg1 has joined #openstack-ironic18:54
*** romcheg1 has quit IRC18:55
*** romcheg1 has joined #openstack-ironic18:55
*** martyntaylor has left #openstack-ironic18:56
*** mrda_away is now known as mrda18:57
mrdaGood morning Ironic18:58
*** max_lobur has joined #openstack-ironic18:58
*** dkehn__ is now known as dkehnx19:04
*** openstackgerrit has quit IRC19:04
*** epim has quit IRC19:21
*** epim has joined #openstack-ironic19:23
*** dwalleck has joined #openstack-ironic19:24
*** ChanServ changes topic to "OpenStack Bare Metal Provisioning | Docs: http://docs.openstack.org/developer/ironic/ | Bugs: https://bugs.launchpad.net/ironic | Status: https://etherpad.openstack.org/p/IronicWhiteBoard"19:31
-openstackstatus- NOTICE: Gerrit upgrade to 2.8 complete. See: https://wiki.openstack.org/wiki/GerritUpgrade Some cleanup tasks still ongoing; join #openstack-infra if you have any questions.19:31
*** zdiN0bot has joined #openstack-ironic19:57
*** dwalleck has quit IRC19:59
*** jbjohnso has joined #openstack-ironic20:00
*** dwalleck has joined #openstack-ironic20:00
jroll13:00:49        yuriyz | python-agent does not have any authorization for commands, is this good? <- we assume the agent will run on a trusted network20:01
*** yuriyz has joined #openstack-ironic20:01
jroll13:00:49        yuriyz | python-agent does not have any authorization for commands, is this good? <- we assume the agent will run on a trusted network20:01
JayFI personally wouldn't use an agent whose job is to wipe disks and rewrite firmwares on an untrusted network -- even if there was some authorization built in :)20:01
yuriyzon separate vlan?20:02
*** iron1 has joined #openstack-ironic20:02
devanandajroll: to be clear, IPA (will) use(s) a signed URL when POSTing to ironic-api service20:02
devanandajroll: but doesn't auth commands it receives20:02
devanandajroll: is that the question / point?20:02
*** lucasagomes is now known as lucas-dinner20:02
jrolldevananda: I think so?20:03
yuriyzand agent should be authorized on Ironic API side20:03
jrolldevananda: IMO this should be deployed on a secure network and so I'm not worried about auth20:03
devanandagmatefi: morgabra: so... IIUC, neutron has a concept of PIF and VIF20:04
devanandathey're a bit mangled for ironic because one PIF has 0 or 1 VIF20:04
jbjohnsoafternoon20:04
JayFipa_api_url is being passed in via kernel cli params in our test environment right now, and honestly, if someone manages to steal the IP of our API node on the trusted network or override the values I'm sending over PXE, I have bigger problems than agent auth :)20:05
devananda*and that VIF has an externally determiend MAC20:05
devanandawhereas for usual (virtualized) case, one PIF may have many VIF, all with fake mac addresses20:05
jbjohnsodevananda, I hear I should describe confluent20:05
devanandaJayF: how is ipa talking to ir-api without auth?20:05
morgabradevananda: I don't think neutron has a pif/vif model anywhere I've seen20:05
gmatefinormally, neutron ML2 plugins perform a lookup using binding:host_id, this works for vSwitch attached ports. So, here the point is that the Neutron port needs to be directly bound to TOR ports, rather than to vSwitch ports20:05
jrolldevananda: for testing we're running with noauth20:06
morgabramaybe it's specified on the port models?20:06
*** datajerk has quit IRC20:06
yuriyzshould agent send query to Ironic API w/o keystone token if keystone auth enabled?20:06
jrolldevananda: in the future I was planning on adding those urls to the public urls thing20:06
jrollthat makes them un-authd20:06
*** jgrimm has quit IRC20:06
*** tatyana has quit IRC20:06
yuriyzjroll, yes we need this20:07
jrollyuriyz: need what, specifically?20:07
*** dwalleck_ has joined #openstack-ironic20:08
yuriyzadd nodeless passthru to public api20:08
jrolloh, right20:08
jrollI think that's a pecan config20:08
devanandamorgabra: https://github.com/openstack/nova/blob/master/nova/virt/libvirt/vif.py#L59920:08
jrollwhich brings up another thing - is that supposed to be editable by operators?20:08
devanandajroll: yikes. please dont do that.20:09
jrollyuriyz: my plan is to add the /lookup and /heartbeat endpoints here. does that work for you? https://github.com/openstack/ironic/blob/master/ironic/api/config.py#L3220:09
jrolldevananda: right, that's what I thought20:09
devanandajroll: what the agent POSTs back to ironic-api needs to be auth'd20:09
yuriyzI dont like idea place keystone token on tftp or http server for agent20:09
jrolldevananda: I'm not sure I like that20:10
devanandajroll: we pass keystone token via tftp to the agent today -- it's a bad hack and insecure.20:10
yuriyzI think this is ok20:10
jrollyuriyz: I agree20:10
jrollright20:10
devanandajroll: IMO we should be passing a signed temp url to the agent20:10
jrolland by 'not sure I like that' I mean 'I don't see a good way to do that'20:10
jrollif there is an agent imposter on the network20:10
jrollhow does that stop them?20:10
jrollassuming that is the problem we're trying to solve here20:10
gmatefiIMHO the correct solution would be involvement of the TPM module, i.e building trust relationship at node discovery/registration, and rely on TPM signature after20:11
jbjohnsodevananda, so anyway, confluent is the console/hardware management project I've been doing incorporating pyghmi's support20:11
devanandajbjohnso: gotcha. new project20:11
morgabradevananda: I'm pretty sure the vif/pif is a nova thing, I'll have to look into how that maps to neutron calls20:11
morgabrapart of what I'm figuring out this week20:11
jbjohnsodevananda, https://www.youtube.com/watch?v=G_lDaktYnsQ20:12
*** dwalleck has quit IRC20:12
jbjohnsothat's the service in action20:12
JayFgmatefi: I'd be very -1 to anything requiring TPM chips in nodes ipa is running on20:12
*** yuriyz has quit IRC20:12
jbjohnsogmatefi, jroll fyi I had thoughts on that matter20:14
jbjohnsobasically, pluggable hard authentication schemes20:14
gmatefiJayF: definetly not a generally required solution due to extra TPM costs, only works  in cases when the operator requires enhanced security20:14
jbjohnsoSOL and bridge filtered protocols are two schemes I can think of easy enough to enable20:14
jbjohnsowell SOL or SEL actually..20:15
jbjohnsoSOL or SEL: authenticate by way of BMC20:15
jbjohnsoSwitch: authenticate by way of switch20:15
jbjohnsoSOL/SEL requires BMC and trust relationship established that way20:15
jbjohnsoSwitch method requires a managed switch supporting the right mibs and would break in an architecture that let virtual machines get bridge filter packets out20:16
jrollI simply don't understand the point of authenticating in either direction between ironic and IPA. Anyone running this should have VLANs set up and switched between in such a way that users and ironic will never be on the same network.20:16
jbjohnsoI know off hand that the linux bridge does not let such packets good20:16
jrollif a user can connect to the management network, it's game over, no matter the authentication scheme20:16
JayFIt's hard for me to imagine any situation where running the agent on anything but a private, secured, and trusted network seems like a good idea.20:16
jrollunless the auth scheme is some sort of manual process20:16
jbjohnsowell for me, if a scehme is 'free' to implement (cfg-wise) I'd be all up for further risk mitigation20:17
*** shakamunyi has joined #openstack-ironic20:17
devanandaJayF: will you -1 UEFI support too?20:17
lifelessdevananda: morning20:17
JayFdevananda: UEFI support as an option is good. Requirement for specific hardware (like a TPM chip, or a *requirement* for UEFI boot), seems like a bad idea20:18
jrolljbjohnso: I just don't see how that would not be broken. I'd be thrilled to be proved wrong.20:18
devanandaJayF: you can't totally trust the firmware after a tenant has been on there without TPM/UEFI means you can't trust the whole network any more20:18
devanandalifeless: hi there!20:18
jbjohnsodevananda, UEFI support should be easy.  Shouldn't require so much as a finger lifted by user to enable..20:18
lifelessdevananda: openflow can mitigate that20:18
JayFdevananda: I don't believe that's true, if you have the proper protections in place on the hardware.20:18
devanandalifeless: funny thing, we were talking about that20:19
lifeless:)20:19
devanandalifeless: integration between netron and ToRs's20:19
jbjohnsodevananda, even with that you can't trust after a tenant..20:19
gmatefiJayF: having a separate ironic VLAN per node sounds interesting to control boot server access and so the token, but it is not really a well-scalable solution20:19
iron1iron1:  fyi- my team is workingon uefi support for ironic20:19
* mrda thinks the summit session on multi-tennancy should be interesting :)20:19
devanandalifeless: and then JayF pointed out that the agent should only be run on a fully open trusted network, and therefor doesn't need any auth20:19
jrollmrda: :)20:19
jbjohnsodevananda, TPM or other secure firmware protection scheme still doesn't in practice extend to the entirety of firmware in a system20:20
JayFgmatefi: I was thinking about that being awesome as well, but impractical in most deployment schemes.20:20
devanandagmatefi: vlan-per-node destroys any scalable deployment model20:20
devanandas/destroys/prevents/20:20
lifelessdevananda: uh, I'd want a lot stronger statement than that to discard defense in depth.20:20
jbjohnsojroll, well, I think I'd shy away from it being declared 'untrusted tenant ready' (that's a whole other bunch of problems), but having someone untrusted on the VLAN is something to be avoided, but should not be game over.. in theary20:21
devanandalifeless: same here20:21
lifelessdevananda: our security folk would be rolling in the aisles laughing at the idea of no-auth20:21
JayFjbjohnso: devananda: The only way to trust firmware after a untrusted tenant has been on there is to require signatures on all user servicable hardware or remove the capability to modify the firmware20:21
devanandauh huh20:21
devanandaJayF: precisely20:21
devanandaJayF: and i'd like the agent to support that20:21
devanandadoesn't need to require it -- but it does need t osupport it20:21
JayFdevananda: That sounds more like something the hardware would support than having IPA support it?20:22
jbjohnsois theer any intent of supporting things without a BMC/SEL?20:22
devanandajbjohnso: without a BMC ?20:22
jbjohnsodevananda, yeah, just thinking about auth mechanisms20:22
lifelessnote that 'modifythe firmware' may be undocumented. E.g. the hard drive attack.20:22
jbjohnsodevananda, e.g. push public key via SEL entries20:22
lifelessI don't believe there is *any* hardware available to day which can be trusted after an untrusted tenant has been on it20:23
devanandaJayF: ironic and IPA needs to support the hardware aspects of a trusted boot chain, eventually, IMNSHO20:23
jbjohnsolifeless, correct.  Though practically speaking, that won't stop some people sadly20:23
devanandalifeless: i agree. and yet there are customers who buy jsut that from some vendors20:23
lifelessdevananda: I know20:24
lifelessdevananda: for some workloads it may not matter20:24
jbjohnsoso anyway, in the case of untrusted admins on your vlan20:24
lifelessjbjohnso: huh, assume other machines may get compromised20:24
lifelessjbjohnso: untrusted admins is a different case again20:24
jbjohnsolifeless, well, generically, anyone with admin capbilities for a NIC attached to a vlan20:25
lifelessok20:25
lifelessso every trunked port20:25
lifelessand when VMs are allowed to attach to provider networks, possibly arbitrary VMs too20:25
jbjohnsoit would be wise to at least try to mitigate that risk20:25
devananda20:16:17 < jroll> I simply don't understand the point of authenticating in either direction between ironic and IPA.20:26
jbjohnsoso, PXE is of course a blatant risk in that chain, however you slice it20:26
morgabradevananda: so, I'd like to make a high-level document to write down goals and talk about design for neutron concerns. Etherpad? Wiki?20:26
JayFlifeless: jbjohnso: I disagree with the assertion that it doesn't exist today. It however, does not exist on most off the shelf hardware. That's why I'd say most of the security risk and mitigation has to be done at the hardware engineering / supply chain level, not in Ironic (other than integrations with firmware flashing, etc)20:26
devanandajroll: i'd like to go back to that (i think we got into the weeds talkign about firmware)20:26
morgabraI'm having a hard time keeping it straight in my head20:26
devanandamorgabra: ++20:26
jrollright20:26
lifelessJayF: oh? We could use that for CI :)20:26
devanandamorgabra: feel free to start one and then add a link here so we can track it https://etherpad.openstack.org/p/IronicWhiteBoard20:27
jbjohnsoJayF, I'd be srurpsied at any hardware that really has total 100% protection.  E.g. no ability to write to any non-volatile chip.  No HDD firmware, no nic firmware...20:27
JayFlifeless: I think russell_h has said that Rackspace might be willing to provide some 3rd party CI for some agent integrations in the future. :) Not quite there yet though.20:27
jbjohnsoanyhow, authentication will be non-conventional, but I was planning to do certificate grants based on exactly such non-conventional paths20:27
devanandajroll: leaving a service wide open because you _assume_ the network is trusted does not make any sense to me20:27
jrolldevananda: sure20:28
jrolldevananda: let's back up20:28
jrolldevananda: how do you see this auth working?20:28
devanandalifeless: you'll be interested in http://openstacksummitmay2014atlanta.sched.org/event/754c3678d31f9f74e020b9a1e6f4dece20:28
JayFdevananda: I guess it's hard to imagine how passing credentials of any type -- including a signed URL -- through a pxe or ipxe config could be secure, if anyone on that network could spoof the mac and get that configuration value as well.20:28
jrollin such a way that if someone is on the provisioning vlan they cannot break it?20:28
jrollwhat JayF said20:28
matty_dubsI guess it could at least break replay attacks20:29
matty_dubsBUt that doesn't help if an attacker gets it first20:29
lifelessjroll: I think you're asking the wrong question20:29
jrolllifeless: go on20:29
devanandaJayF: for one, it makes it more difficult for a potential attacker (but, sure, not impossible)20:29
morgabrahttps://etherpad.openstack.org/p/Ironic_Neutron_Integration20:29
jbjohnsojroll, well, with *PXE* and assuming no good filtering, it will be breakable20:29
lifelessjroll: you seem to be asking 'is it possible [today] to be entirely safe' and then using that to say 'don't secure at all'20:29
lifelessjroll: the one doesn't imply the other20:29
morgabraI'm going to try to condense today's discussion and add links to everything20:30
JayFjbjohnso: there is no 'good filtering' for pxe, except that in the ToR switch or simialr20:30
jbjohnsojroll, but the break point is good to be very nicely well defined20:30
lifelessjroll: *clearly* PXE is spoofable20:30
JayFjbjohnso: you can lock down by MAC, but MACs are trivial to spoof20:30
morgabraand try to guess on some next steps :P20:30
jrolllifeless: if it's trivial to break the auth, then why bother20:30
jbjohnsoJayF, right, I was specifically thinking in the switch, but not trusting20:30
lifelessjroll: but other initial boot mechanisms like iLO are out of band and securable20:30
devanandamorgabra: thanks much!20:30
*** agordeev2 has quit IRC20:30
jbjohnsoJayF, jroll I was picturing more https based stuff injected in a secure, authenticated manner20:30
lifelessjroll: making the rest of the architecture weak because the only generic standard we have so far is weak is a poor idea IMO20:30
jrolllifeless: just like I'd just as soon write plain text passwords to a DB as write MD5'd passwords20:31
jbjohnsojroll, so the idea would be, have an authentication scheme with a common chokepoint20:31
jrolllifeless: I'm not putting a dependency on 3rd party propietary boot mechanism20:31
lifelessjroll: not a helpful analogy sorry20:31
lifelessjroll: not asking you to20:31
devanandajroll: pass a secure token via OOB channels, then verify it in the POST back to ironic-api20:31
devanandajroll: there's no passing ofkeys along an unsecured channel necessary20:31
lifelessjroll: just saying I'm not going to support putting end to end insecure code into Ironic Its indefensible20:31
jbjohnsodevananda, you can even avoid passing private keys at all20:31
jrolldevananda: what sort of oob channels?20:31
devanandajroll: and no need to trust the whole network20:31
devanandajroll: via the BMC20:32
*** dwalleck_ has quit IRC20:32
*** Mikhail_D_ltp has quit IRC20:32
jbjohnsojroll, e.g. virtual usb boot device20:32
jrolldevananda: then you're just putting the security on the OOB network20:32
jrolldevananda: same idea no?20:32
devanandajroll: most vendors have a means to do this. iLO driver does it via virtual-floppy20:32
devanandajroll: right! no, not at all20:32
*** zdiN0bot has quit IRC20:32
jbjohnsojroll, and you have a stateful, mutually authenticated scheme20:32
devanandaOOB network *must* be trusted. and it *must* be physically isloated20:32
jbjohnsojroll, the client can auth the BMC and the BMC can auth the client.  PXE lacks that ability20:32
jbjohnsodevananda, well, it doesn't *have* to be, though the documentation should pretend it is20:33
lifelessjroll: what we need is something that is secure *after* the PXE boot step has happened20:33
jbjohnsodevananda, the BMCs with properly strong keys are resilient to unath20:33
lifelessjroll: and then we can work on secureing the PXE boot step as another action item20:33
devanandajbjohnso: all of them, from every vendor, even if they haven't been updated recently? ....20:34
jbjohnsodevananda, I said 'can be' not 'always'20:34
lifelessjroll: for instance, using openflow to prevent arp and ip spoofing / observing from ports on the deployment lan20:34
jbjohnsodevananda, in other words, OOB network should be secured as if you have untrusted guys on it, but probably should keep untrusted guys off of it20:35
*** zdiN0bot has joined #openstack-ironic20:35
jbjohnsolifeless, right, which is one reason I think public key exchange rather than private key injection would be nicer20:35
jrollIMO, even with a good authentication scheme, if your provisioning network is owned, you're owned.20:35
devanandajroll: that's still not an argument to make it _insecure_ by design20:36
jrollI see the point of using that authentication20:36
jbjohnsolifeless, e.g. if you blessed only certain ports for udp ports from ports 4011 or 69, that would suffice even if ip spoofing were possible20:36
jrollusing some authentication *20:36
devanandaright. on that, i'm goign to break for lunch20:36
jbjohnsojroll, well, the point being the authentication at worst doesn't have to do harm20:36
devanandahaven't eaten in ~6hrs20:36
jrollright20:36
jbjohnsojroll, even if you don't trust it, it's mitigating risk20:36
jrollwhat I'm saying is20:36
jrollputting that authentication in, is not a high priority in the short term20:37
jrollfor us.20:37
jbjohnsowell, it might be nice even if the bootstrap for the auth is currently weak to go through the motions20:37
jbjohnsoso that when you go to really mean it, you don't have to rework it as much, but I dunno20:38
jrollthat's fair20:38
JayFI think we have a strong preference for getting things working first, then iterating on things. We're still in the 'get things working' stage, and I think most of us over here viewed the auth pieces as one of the things we'd all iterate on20:38
jroll^20:39
JayFwe're still talking about an ironic driver that's so far under development it still only exists in a gerrit review request :)20:39
jrollheh20:40
jbjohnsoright, I don't know if you have other accesses, but for our rework of HPC provisioning, we are taking a number of analagously weak directives and requiring them to be strongly authenticated with a single 'weaken if you want' point of entry20:40
jbjohnsoit may be that in this architecture you only have one to start with anyway, so having two phase may not make sense20:41
*** jgrimm has joined #openstack-ironic20:41
*** epim has quit IRC20:44
lifelessjbjohnso: I don't understand the blessing of ports thing20:45
jrolljbjohnso: I hear ya20:46
*** epim has joined #openstack-ironic20:49
*** dwalleck_ has joined #openstack-ironic20:49
jbjohnsofor us the first step is getting a normal looking authentication credential from something weird20:49
jbjohnsolifeless, belssing of ports?20:49
jbjohnsolifeless, well, for the xCAT team, the schemes were going to be remote media injected, BMC attested (serial or SEL, haven't decided, SEL if possible probably), and switch attested20:50
jbjohnsoe.g. the FSM os deployment does remote media injected boot payload and keys20:51
jbjohnsoand uses https for all OS payload and callbacks20:51
jbjohnsoboot payload being ~50 megabytes today, next product will have ~700 KB payloads over remote media20:52
jbjohnsooh, the PXE thing20:52
jbjohnsoso if the ToR switch forbids DHCPOFFERs/ProxyDHCPOFFERs from anything but 'blessed' ports20:53
jbjohnsoand tftp port...20:53
jbjohnsoand if it done correctly (in practice I'm skeptical that one should trust any blacklist scheme if possible), then the integrity of the payload should be fine20:54
jbjohnsothough confidentiality might not be20:54
lifelessjbjohnso: well you're saying that even if ip spoofing is possible20:54
lifelessjbjohnso: and with PXE the spoofer would MITM20:54
jbjohnsoso in that sort of scenario, a PXE scheme where a node generates it's own private key and then advertises said public key in a nice way20:54
lifelessjbjohnso: so if you have that, I think you can just get end to end confidentiality on your ethernet :)20:55
jbjohnsolifeless, well, if they sucsesfully spoofed the deployment server ip but could not serve tftp or dhcp or proxydhcp, they couldn't molest the integrity of stuff (though they could DoS)20:55
jbjohnsolifeless, no, not confidentiality20:55
jbjohnsolifeless, integrity20:55
*** dwalleck__ has joined #openstack-ironic20:55
lifelessjbjohnso: yes, I saw what you said. I'm saying I think we can go further.20:56
lifelessjbjohnso: but your point seems to be that a small bit of network support gets us integrity20:56
jbjohnsolifeless, well, I'm just trying to imagine the least secure setup that *could* theoretically be secure20:56
lifelessand if we have integrity we can indeed do DH + SSL from the machines20:56
jbjohnsolifeless, so ideally, we don't ship shared secret, passphrase, or private keys20:56
jbjohnsoand node generates its own private key and then publishes it in a way that can't be tampered with20:57
lifelessjbjohnso: thats DH :)20:57
jbjohnsoe.g. via BMC or bridge filtered protocol.20:57
lifelessjbjohnso: once you have integrity a lot of things have simple existing answers20:57
lifelesssimple-to-use, not simple-to-invent :)20:57
*** zdiN0bot has quit IRC20:58
jbjohnsolifeless, well, integrity within a very limited protocol set20:58
*** gmatefi has quit IRC20:58
*** dwalleck_ has quit IRC20:59
jbjohnsolifeless, which is why I go to things like pushing CSR over SEL, serial, or switch20:59
jbjohnsolifeless, to get the point where you could do client certificate TLS, for example.20:59
*** jdob has quit IRC20:59
jbjohnsoI'd shy away from putting an auth token in somewhere like SEL, that was not necessarily assumed by the designers to be a secret storage21:00
jbjohnsobut public key, who cares21:01
lifelessso I'd like to be able to set ingress filters on ports21:03
lifelesseven trunked ones21:03
lifelessto just say 'unicast frames to X,Y,Z macs only'21:03
lifelessand egress filters likewise, for the source mac21:03
jbjohnsowell, that's not good either21:03
jbjohnsoyou'd have to do port based21:03
lifelessthat gets you integrity and visibility, no ?21:04
jbjohnsomacs can be faked21:04
lifelessright, which is what neutron is all about :)21:04
lifelessjbjohnso: doesn't matter if they fake the mac. thats what 'filters on portsts' is for.21:04
lifelessbah, 'filters on ports'21:04
jbjohnsoyeah, but I just like simpler filtering rules21:04
jbjohnsoif the rule can be 'thou shalt only be able to send source udp port 4011, 69, or 57 if thou art port 3 on switch1'21:05
jbjohnsoI think that's the simplest rule I can imagine in 'vmap' syntax that would facilitate the bare minimum payload delivery integrity21:06
jbjohnsobefore switching to more conventional stuff like TLS21:06
jbjohnsoerr 67 not 5721:06
jbjohnsothen you could put a public key in and then trust that payload to perform a trick without some untrusted puppetmaster mucking the bits21:07
jbjohnsoall switches would have a rule blanket blocking that, except the switch with blessed port21:08
lifelessjbjohnso: so you'd limit yourself to one deployment at a time ?21:09
lifelessjbjohnso: or you're saying you're limiting only the Ironic conductor ?21:09
jbjohnsoonly the deployment server(s)21:10
jbjohnsoyou could extend rules to cover more servers, but deployment targets can go hog wild because they don't use those source ports21:10
jbjohnsowhen it comes to things like security,  my trust of more layers is low21:11
*** matty_dubs is now known as matty_dubs|gone21:11
lifelessjbjohnso: me too - but I have many birds in this area I want to kill21:12
jbjohnsoanyway, so if a scheme abstractly doesn't ever send a private key, then I think it has the highest chance of working in the most constrained environments21:12
lifelessjbjohnso: I want to increase isolation beween bm tenants21:12
jbjohnsowith the lowest chance of being completely screwed over21:12
lifelessjbjohnso: which I think, done well, has the room to secure PXE quite thoroughly too21:12
lifelessjbjohnso: a rogue port in *either* scheme will completely compromise the thing21:13
lifelessjbjohnso: I am not arguing against your scheme btw21:13
lifelessjbjohnso: its compatible with what I want to do at the switch plumbing layer21:13
lifelessjbjohnso: tripleo @ HP has someone starting soon on networking work, so we may see some traction soon21:14
jbjohnsoright, and practically speaking, even if the deployment does all the right things, the deployed OS usage is likely to be lax on security within a vlan21:14
lifelessanother reason for port level security on the switches :)21:15
jbjohnsobut anyway, I was just trying to describe what I think is the worst case that isn't a complete lost cause21:15
lifelessI think its a good design principle21:15
jbjohnsoe.g. it's not absolutely mandatory that a remote media is the only way, but remote media would do things dramatically different21:15
*** dwalleck__ has quit IRC21:15
jbjohnsoremote media is more one way, so deploying a private key into the payload is the logical step.  But with PXE, that would not be kosher21:16
jbjohnsoso if possible, any context should generate their own private key21:16
jbjohnsothe trick being how to deliver the public key unto the authentication framework for blessing21:17
jbjohnsowhich could be serial, SEL, or LLDP21:17
jbjohnsoat least that's all I can think of that wouldn't be crazy odd21:17
JayFhow would you deliver public key via lldp?21:17
JayFthat's really strange21:17
*** max_lobur has quit IRC21:17
jbjohnsoJayF, I have to go, but you can send any ascii data over LLDP21:18
lifelessI'd like tohave one lowest common denominator way21:18
lifelessthats secure and efficient21:18
jbjohnsoJayF, system description you can put base64 encode stuff21:18
lifelessbootstrap a SSL session somehow21:18
lifelessand then we're good21:18
jbjohnsoserial might be tricky for esxi and windows, don't know21:18
JayFjbjohnso: that's certainly interesting, but not sure how it's more secure than trusting the vlan configured by the switch :)21:18
jbjohnsoSEL is easy21:18
jbjohnsoJayF, well, the risk would be whether the guests can get LLDP through21:18
jbjohnsothe BMC is probably the closest thing to a ubiquitous solution21:18
JayFwait, you'd have the agent itself send the lldp?21:19
lifelesswe could encrypt to something only the target machine knows21:19
lifelesse.g. machine serial #21:19
jbjohnsobut have to establish trust with BMC (set the password in a trusted context)21:19
devanandalifeless: OOB delivery seems the LCD, even though it lacks a generic ipmlementation, every vendor has one21:19
jbjohnsolldp can do anything21:19
jbjohnsobut the switch has to support it and do lldp-mib for that to be useless21:19
JayFjbjohnso: except transmit data across layer 2 boundries, which would render it less useful for some deployments21:19
* devananda returns from lunch and tries to catch up21:19
jbjohnsodevananda, what LCD?21:19
*** vkozhukalov has quit IRC21:19
devanandalowest common denominator21:19
devanandasorry21:19
lifelessdevananda: what about encrypting with a passphrase that the agent can pickup from the machine;21:19
lifelessdevananda: for the OOB case the passphrase can be passed OOB21:19
devanandalifeless: if the agent is not used for enrollment, that would be OK.21:20
jbjohnsodevananda, switch filtering on PXE with SEL or Serial I think could be a contender for LCD21:20
lifelessdevananda: for the in-band case where there's no such thing on the machine, put it in the kernel line21:20
jbjohnsoanyway, I'm out for the day21:20
lifelessdevananda: we'd need to be able to enroll e.g. the serial # in Ironic21:20
lifelessjbjohnso: ciao21:20
jbjohnsodevananda, not all have remote media, but almost all switches can do filtering *if* configured right21:21
devanandalifeless: stashing the SN is easy. discovering it means trusting the initial (discovery) agent21:21
lifelessdevananda: or the user's CMDB supplies it21:22
devanandajbjohnso: right, but most server vendors do.21:22
devanandalifeless: yep. if present :)21:22
jrollis it safe to assume that untrusted code running on a box can access any data that the agent running on the same box could access?21:25
*** jbjohnso has quit IRC21:25
jrolle.g. data stored in the BMC21:25
lifelessits accurate, yes.21:26
lifelessexcept again with some non-commodity hardware21:26
jrollof course21:27
lifelesswhere you can sign into a chip and you need that secret to ask it questions21:27
*** epim has quit IRC21:27
lifelessI wouldn't depend on that myself21:27
jrollwell, what I was getting at is that you can't store an authentication secret in the BMC21:27
*** linggao has quit IRC21:28
*** iron1 has quit IRC21:29
devanandajroll: the purpose of passing an auth secret into the host via the BMC is to set up a trusted connection thereafter, and prevent MITM attacks from subsequent communication with that host21:30
devanandajroll: if the host is already compromized (eg, poisoned firmware) there's nothing you can do besides unrack it21:30
jrolldevananda: sure21:31
jrolldevananda: you would have to remove that secret from the bmc at deploy time, yeah?21:31
devanandajroll: saying, essentially, "you can't trust the BMC if the host is poisoned" is orthogonal to securing the network traffic on the IB networks21:31
jrollno, I understand21:32
devanandajroll: right. which is the plan for passing keys via the OOB channel21:32
jrollok21:32
devanandajroll: and one reason why I think using the SN isn't great... but it's better than nothing21:32
JayFWould there be a method for passing keys around via the OOB channel if the OOB channel doesn't support virtual media?21:32
jrolldevananda: yeah, I don't like the SN thing at all, too predictable21:32
JayFLike there's nothing in the DCMI or IPMI standards that allow arbitrary storage of data in the BMC to be read out from the OS?21:33
JayF(I don't think there is, but imbw)21:33
devanandaJayF: possibly... i haven't looked at it because most server-grade hardware has virtual media support21:33
devanandaJayF: i'm not aware of that in the IPMI spec, but jbjohsno would be the one to ask21:33
JayFYeah I don't think it is in the DCMI spec, which is usually the least common denominator for that stuff.21:35
* JayF has definately worked with hardware that doesn't support virtual media via bmc21:36
devanandahemna: hi! around?21:36
hemnaheyas21:44
*** romcheg1 has quit IRC21:46
devanandahemna: question on cinder that google hasn't been able to answer for me21:50
hemnaok I can try and answer :)21:51
devanandahemna: can i specify a raid topology for my cinder volumes when booting an instance?21:51
hemnaThe best you can do is, depending on the driver, specify the RAID topology in the volume type21:51
hemnawhich then applies that volume type at volume creation time.21:51
hemnathe 3PAR drivers support specifying a CPG (which has the raid configuration) during volume creation time via a volume type.21:52
devanandaCPG?21:52
hemnait's a 3PAR thing21:52
devanandai see21:52
devanandaso cinder is exposing driver implementation via the API ?:(21:52
hemnathe raid config is on a CPG on the 3PAR.  Think of a CPG as a pool21:53
hemnaso you can specify the CPG name in the volume type21:53
devanandaah, gotcha21:53
hemnaand that is done by the cinder admin21:53
hemnanot by a user.21:53
*** openstackgerrit has joined #openstack-ironic21:54
devanandaso I can pick a volume from a set of available storage pools, some of which may have been build ahead of time at different raid levels21:54
hemnaa user can specify which volume type they want to use at volume creation time.   At the user will not know what's in the volume type.21:54
hemnaat attach time yah21:54
hemnathe admin creates the volume type, specifies which CPG (Raid level they want)21:54
devanandaso in a previous life, i knew many folks who would attach multiple EBS volumes and build a software raid across them21:54
hemnauser creates a volume and says, use volume type X.21:54
hemnathen attaches that volume.21:54
devanandacause EBS is slow, and striping makes it somewhat faster21:55
hemnano reason why you couldn't do that I suppose21:55
hemnabut the arrays are really good at doing RAID internally21:55
devanandagotcha21:56
devanandabut cinder doesn't expose any API for that21:56
devananda?21:56
hemnano21:57
devanandahemna: k, thx. the background here is that it would be great if we could leverage the cinder API to specify21:57
devanandaRAID layout of local storage when Ironic is provisioning a node21:57
hemnahrmm21:57
devanandait sounds like we could fake that21:57
hemnaso yah, the best you get is passing the volume type21:58
hemnaat volume creation time.21:58
devanandacreate an ironic driver for cinder, define some common storage pools21:58
hemnaand however the admin setup and configured that volume type means whatever raid level.21:58
devanandawhich are really just stubs that pass a RAID spec to the provisioning mechanism21:58
devanandawhich then builds the raid locally on that node21:58
hemnait gets you want you want basically.21:58
devanandaJayF: ^21:59
JayFI've been reading along. Sadly I have exactly no knowledge of cinder, so I'd have to do a bit of research to know what exactly you mean :)21:59
JayFso you're saying the 'driver' would be in the agent, and we'd ship a json file describing the raid array to the agent to make it so on disk?22:00
JayFer, I mean, the driver would interface with the agent22:00
devanandaJayF: the cinder "driver" would create the vol spec that gets passed (via nova) (via ironic) to the agent22:00
JayFthat sounds reasonable to me, and fits with vk's provisioning api bp22:01
devanandayep22:01
devanandamy point is that we should leverage cinder and the existing user APIs for vol creation and attachment22:01
devanandarather than add anything to Ironic's API for that22:01
hemnathe trick with volume types in cinder is, the key/value pairs in the volume types are specific to the volume driver it's assigned to.22:01
JayFalthough I still think we should get Ironic master + IPA booting a server before putting too much effort/design into features like raid22:01
JayFdoes cinder talk partitioning, or just raid?22:01
devanandaJayF: ++22:01
hemnacinder and it's API doesn't really have a concept of RAID22:02
hemnajust volume types22:02
hemnawhich are key/value pairs22:02
hemnathat get passed to the volume drivers22:02
devanandaJayF: the arbitrary partition stuff in that BP disturbes me. It's going way beyond the scope of Ironic22:02
JayFdevananda: If I had my wish, all images would come with partitions baked in and no part of ironic would be in the business of partitioning22:03
JayFbut if the line isn't there, I'm not sure where it should be drawn22:04
devanandahemna: I keep hoping we can avoid implementing, in ironic, a descriptive language for storage layout22:04
devanandahemna: that really seems like it belongs in cinder22:04
hemnayah22:04
jrolldevananda: but would that mean importing from cinder to parse the layout?22:04
jrollalso, where do you see the line with partitioning?22:04
hemnaso if Ironic is going to ask cinder to create volumes, then ironic just needs to be able to pass a volume type along with the creation request22:05
hemnathe layout (raid levels, qos levels) is up to the volume driver itself, at creation time.22:06
devanandaJayF: simle. ironic only supports the partition layout described by nova (root, swap, ephemeral). both swap and ephemeral are optional. the guest can utilize any extra space as they see fit, ironic won't muck with the GPT until the instance is deleted.22:07
devanandahemna: i think we're talking about slightly different things22:07
hemnaok22:07
devanandahemna: and both are interesting :)22:07
JayFdevananda: ephemeral meaning what in the context of nova?22:07
devanandabut i thinik we should only do one22:07
devanandaa) ironic asks cinder to create a new volume and then attaches it to the instance22:07
devanandab) user wants their instance to be deployed by ironic with a local RAID22:08
JayFdevananda: I actually can agree with that, and that means LVM is out of scope...  -- unless a more complex paritioning scheme and/or LVM are baked into a raw image written directly to the disk22:08
devanandai think (a) is backwards -- the user should have already created the cinder vol, then boot an instance in ironic, and then attach the cinder vol themselves22:08
devananda(b) is what i've been talking about22:08
devanandaJayF: in Nova (and EC2) context, ephemeral volume == volume outside of the instance's virtual disk, comprised of another local virtual disk, which will be lost if the instance is rebooted or migrated to antoehr compute host22:09
hemnafor the most part cinder has no idea what is in the volumes it creates, and most of the time are simply empty unpartitioned block devices.22:09
hemnayou could partition that volume any way you like and do local RAID at that point.22:10
JayFdevananda: okay, that's what I thought it might mean, but it seems backward-ish to even have that as an option, but if that's the way it is that's the way it is :)22:10
devanandahemna: by "you", do you mean a user within the instance to which the vol gets attached?22:10
hemnabut that's terribly inefficient for smart arrays that do RAID themselves.22:10
hemnayes22:10
devanandaright. inefficient for any dedicated hardware.22:11
devanandaand completely irrelevant for ironic's case22:11
devanandasince the guest can see any unprovisioned local storage and use mdadm/lvm/etc themselves22:11
hemnayup22:11
devanandaso22:11
devanandathey _alraedy_ have the same functionality22:11
devanandaheh22:11
devanandaJayF: this all backs up my point that any _software_ RAID, or partitioning beyond root/swap/ephemeral on the first local disk, is outside of the scope of ironic22:14
devanandaJayF: when, in the past, I've spoken about RAID support in Ironic, I was specifically referring to _hardware_ RAID config22:14
devanandawhich would present all raid'd disks as a single block device to the host OS22:15
JayFdevananda: the only reason I'd maybe suggest software RAID should be considered into the scope is that a RAID'd root, without hardware assistance, is impossible without ironic integration22:15
JayFall the other things have some method of workaround; bake LVM or a weird partitioning scheme into your image, etc22:15
JayFbut tbh for my use case, I don't think we'd have ironic setup any raid at all, so I don't have a dog in the fight really :)22:15
devanandaJayF: if you need software raid, and you bake it into the image, and ironic only writes it to the first disk -- couldn't you just rebuild the second disk after boot?22:17
JayFHmm.22:17
JayFSo the image would contain a disassembled raid array superblock...22:17
JayFthat would only work for RAID 1 though22:17
devanandaright22:18
JayFnot RAID 0,5,6,1022:18
devanandawhich is all you want for a raid'd root22:18
JayFI've run more than a few production boxes with all the disks in one partiton, and running RAID 5 (years ago), 6, and 1022:18
JayFbut I think that's a reasonable workaround for most cases22:18
devananda(yes, there is a middle ground where the overhead of slicing off 2 disks is greater than the overhead of sharing root and data traffic on the same raid)22:18
JayFYeah I've run more than a few 4 disk, raid 10 servers :)22:19
JayF(although most of them had hardware raid, after working with systems for a while, if I were building them today I'd use MD)22:19
devanandaanything between 4 and 8 disks, that's usually the case22:19
devanandaanything that has a HW BBU and a decent write cache -- use that22:20
devanandaand any time you care about performance of your RAID, you buy that22:20
devanandaso I think there's really no reason for mdadm here, aside from a 2-disk raid'd root + JBOD and no HW BBU22:20
JayFI don't agree with that philosophy wholly, but it's not very relevant to the Ironic conversation :)22:20
devanandawell, it kinda is. you brought it up :)22:21
JayFI'd say it this way, we shouldn't make a value judgement of Hardware RAID > Software RAID, and allow that to impact scoping22:21
JayFthat's what I mean when I say it's not relevant22:21
devanandaah22:21
devanandai'm perfectly happy to make that value judgement, fwiw ;)22:22
JayFif it's in scope it's in scope, and the operator should get to choose HW vs MD raid :)22:22
JayFif you're such a fan of h/w raid I'd suspect HP raid implementations must be better than $other_vendor stuff I've used in the past :P22:22
* devananda doesn't take the bait22:23
JayFOh I'm not trying to bait you, I'm being somewhat serious :)22:23
devanandaJayF: you presume i'm making a value judgement based on HP hardware.22:24
openstackgerritJosh Gachnang proposed a change to openstack/ironic: Factoring out PXE and TFTP functions  https://review.openstack.org/9023322:24
openstackgerritJosh Gachnang proposed a change to openstack/ironic: Adding a reference driver for the agent  https://review.openstack.org/8479522:24
JayFHm. I guess I sorta was, although it wasn't intentional22:25
devanandaJayF: i'm making a value judgement that hw raid > softwre raid based on performance tuning databases for a living22:25
devananda(in a former life)22:25
JayFmy history is much more in monitoring and maintenance than performance tuning, and monitoring statuses across a hetrogenous environment is painful, which is why I've learned to prefer MD in most cases22:26
devanandaalso a fair point :)22:26
*** jgrimm has quit IRC22:27
JayFYeah, that's why I'd just say we should determine scope separately from sw vs hw being better, because both sides are valid to have a preference about22:27
*** zdin0bot has joined #openstack-ironic22:28
JayFalthough I think someone being able to provide a superblock'd raw image, then reassembling on first boot for RAID 1 is a good enough workaround for that use case that I'm very OK tabling the rest until we are a lot further down the road than we are now :)22:28
devananda:)22:28
devanandai agree22:29
devanandaand just to help clarify the scope, ironic should prepare the hw and provision the image on it. it should be as independent as possible from the content of that image.22:30
devanandai would be much happier with whole-disk-images22:30
devanandaand let them autoresize on first boot22:30
JayFYou wouldn't get any argument from me to always require whole-disk-images :)22:31
JayFthat's the case the agent was originally written for, and we're using right now22:31
devanandai dont recall at the moment why we moved away from it back in the early days of nova-bm22:31
*** dwalleck__ has joined #openstack-ironic22:31
devanandalifeless: do you? (why nova-bm used partition images rather than whole disk)22:31
*** zdin0bot has quit IRC22:41
devanandaugh, yea, i can't wait to move to a gerrit-based BP review process22:45
devanandaJayF: fwiw, there's no way in LP for me to reject a blueprint, so i've commented on the BP and etherpad22:46
JayFdevananda: https://review.openstack.org/#/c/86163/ that's the beginnings of the implementation22:47
JayFif you wanted to -1 -2 it with comments there22:48
*** zdin0bot has joined #openstack-ironic22:48
devanandaJayF: in that that API allows arbitrary partition creation, yea, it's a step in the wrong direction22:51
devanandaJayF: otoh, for partition-images, we do need /some/ support22:51
devanandait's the next patch which scares me22:53
*** rloo has quit IRC23:01
*** rloo has joined #openstack-ironic23:02
*** rloo has quit IRC23:03
*** rloo has joined #openstack-ironic23:03
*** lucas-dinner has quit IRC23:06
openstackgerritA change was merged to openstack/ironic-python-agent: Check configdrive size before writing to partition  https://review.openstack.org/8939023:09
*** eguz has joined #openstack-ironic23:10
*** eghobo has quit IRC23:14
openstackgerritJay Faulkner proposed a change to openstack/ironic-python-agent: Make docker image smaller by using Precise  https://review.openstack.org/9084523:18
openstackgerritJay Faulkner proposed a change to openstack/ironic-python-agent: Make docker image smaller by using Precise  https://review.openstack.org/9084523:19
*** hemna is now known as hemna__23:22
Shrewsdevananda: Hey. So, lifeless pointed out something with rebuild() re: my requirement to first power down a node before redeploy. I think my initial reasons for doing this have been eliminated since I no longer call spawn() so it technically is no longer required (and I verified rebuild works without power down). However, perhaps it's still a good idea to do so to shutdown anything that might be writing to the ephemeral partition? Thoughts from either23:52
Shrews you or lifeless?23:52
*** radsy has joined #openstack-ironic23:54
*** radsy has joined #openstack-ironic23:54
« Sunday, 2014-04-27 Index Tuesday, 2014-04-29 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!