*** mgoddard has joined #openstack-kayobe | 08:05 | |
*** dougsz has joined #openstack-kayobe | 08:14 | |
*** gkadam has joined #openstack-kayobe | 08:35 | |
*** ktibi has joined #openstack-kayobe | 09:53 | |
*** ktibi has quit IRC | 09:54 | |
*** ktibi has joined #openstack-kayobe | 09:55 | |
ktibi | mgoddard, If you have time, very interesting video on openstack security https://www.youtube.com/watch?v=-avXWgRghPM | 10:15 |
mgoddard | ktibi: looks interesting, thanks for sharing :) | 10:18 |
*** ktibi_ has joined #openstack-kayobe | 10:42 | |
*** ktibi has quit IRC | 10:45 | |
*** ktibi has joined #openstack-kayobe | 10:46 | |
*** ktibi_ has quit IRC | 10:46 | |
*** ktibi has quit IRC | 12:05 | |
*** ktibi has joined #openstack-kayobe | 12:23 | |
ktibi | mgoddard, have you tested kayobe for deploying a flat network? | 14:13 |
mgoddard | ktibi: no. Are you planning to use one? | 14:14 |
ktibi | mgoddard, I'm trying | 14:14 |
ktibi | for my lab | 14:14 |
ktibi | openstack on openstack ^^ | 14:14 |
mgoddard | ... on openstack? | 14:14 |
ktibi | I think I'm good but maybe missing a conf | 14:14 |
ktibi | yeah I deploy many openstack with kayobe in my main openstack platform | 14:15 |
ktibi | for dev, qualif, pre-prod envs | 14:15 |
mgoddard | you might be interested in this: https://github.com/markgoddard/beokay | 14:15 |
mgoddard | still a WIP | 14:16 |
mgoddard | and also this: https://storyboard.openstack.org/#!/story/2002009 | 14:16 |
ktibi | ho O_o | 14:17 |
mgoddard | we're trying to improve our deployment pipeline story | 14:17 |
ktibi | very interesting :) | 14:18 |
mgoddard | do you have any good procedures/tips in this area? | 14:18 |
ktibi | but I need multiple kayobe instances and I guess it's one kayobe for multiple openstack platforms? | 14:18 |
mgoddard | one kayobe-config, multiple environments | 14:19 |
ktibi | yes good for manage multiple ENV :) | 14:19 |
ktibi | for me, I deploy a new kayobe and all openstack platform with a heat stack | 14:21 |
ktibi | but it's because with work only on integration of kayobe, but I think we will need your feature very soon | 14:22 |
mgoddard | is this just for testing? | 14:22 |
ktibi | we work* | 14:22 |
ktibi | for now yes, like testing the neutron plugin for cisco ACI, ... | 14:23 |
ktibi | mgoddard, my issue on neutron ==> http://paste.openstack.org/show/721168/ | 14:23 |
mgoddard | you're using ACI? | 14:23 |
ktibi | I think the bridge eth5-ovs (the floating network) doesn't have connection with my eth5 | 14:23 |
ktibi | we work on for now, just testing but I think yes | 14:24 |
mgoddard | interesting | 14:24 |
mgoddard | ktibi: you should have a veth pair, called p-eth5-* | 14:28 |
ktibi | I have | 14:29 |
ktibi | p-eth5-phy@p-eth5-ovs & p-eth5-ovs@p-eth5-phy | 14:29 |
mgoddard | is the other end in a bridge? | 14:29 |
mgoddard | and is that bridge connected to eth5? | 14:29 |
ktibi | full conf http://paste.openstack.org/show/721172/ | 14:30 |
ktibi | for now, I can't ping eth5 (eth5 has an IP) from my neutron router (has an IP in the same network) | 14:31 |
mgoddard | I think you need to include 'ip address show' | 14:34 |
ktibi | mgoddard, http://paste.openstack.org/show/721173/ | 14:36 |
mgoddard | there's no connection between eth5 and eth5-ovs | 14:38 |
mgoddard | normally I create a bridge, plug eth5 into it, and then kayobe will plug p-eth5-phy into the bridge too | 14:38 |
mgoddard | <network>-interface: breth5 | 14:38 |
mgoddard | <network>_bridge_ports: [eth5] | 14:39 |
mgoddard | <network>_interface: breth5 | 14:39 |
mgoddard | make sense? | 14:39 |
ktibi | mgoddard, ok I'll test | 15:00 |
ktibi | mgoddard, ok because for now I have : external_interface: "eth5" | 15:01 |
ktibi | in my network-interfaces | 15:01 |
mgoddard | if you set: | 15:03 |
mgoddard | external_net_names: | 15:03 |
mgoddard | - <network> | 15:03 |
mgoddard | in etc/kayobe/networks.yml | 15:03 |
mgoddard | that should make this all work | 15:03 |
ktibi | without modifying network-interfaces | 15:03 |
ktibi | ? | 15:03 |
mgoddard | yes | 15:04 |
ktibi | I have already external_net_name: external | 15:04 |
mgoddard | oh, I see what you mean now | 15:04 |
ktibi | yes ;) | 15:04 |
mgoddard | ok, so set external_interface: breth5 | 15:04 |
mgoddard | external_bridge_ports: [eth5] | 15:04 |
ktibi | ok: | 15:05 |
ktibi | external_interface: "breth5" | 15:05 |
ktibi | external_bridge_ports: "eth5" | 15:05 |
mgoddard | ^ list | 15:05 |
ktibi | ok => external_bridge_ports: [eth5] | 15:05 |
mgoddard | yes | 15:05 |
mgoddard | we could make it work without a bridge, but I think it would require kayobe changes | 15:06 |
mgoddard | this code is already a bit hairy | 15:06 |
mgoddard | bridge works better when there are vlans | 15:06 |
ktibi | ok but need to redeploy all now | 15:07 |
ktibi | or just reconfigure host ? | 15:07 |
mgoddard | yeah, might work | 15:08 |
ktibi | maybe need to reconfigure OVS no ? | 15:08 |
mgoddard | probably not - the veth is already present | 15:09 |
ktibi | ok I have the bridge | 15:12 |
mgoddard | nice | 15:12 |
ktibi | with two interfaces : eth5 & p-breth5-phy | 15:12 |
ktibi | but I can't ping my gateway now :/ | 15:12 |
mgoddard | the bridge should now have the IP of eth5 | 15:14 |
ktibi | yes | 15:15 |
ktibi | hum no missing to load a module maybe ? | 15:16 |
ktibi | hooo | 15:18 |
ktibi | maybe it's a neutron issue | 15:19 |
ktibi | because I'm on openstack | 15:19 |
ktibi | because bridge use other MAC :/ | 15:19 |
mgoddard | yeah that could be it | 15:19 |
mgoddard | allowed_addresses? | 15:19 |
ktibi | I'll add | 15:19 |
ktibi | but I use same IP | 15:19 |
mgoddard | I think there's a MAC filter too | 15:20 |
ktibi | mgoddard, ho yes :) | 15:26 |
ktibi | neutron port-update 16cfa446-9dbf-40cf-b96f-518a2bd92784 --allowed-address-pairs list=true type=dict mac_address=8a:17:98:d7:ac:3f,ip_address=10.0.6.3 | 15:26 |
ktibi | and works :) | 15:26 |
mgoddard | cool! | 15:27 |
ktibi | So hard to automate that !! | 15:31 |
mgoddard | can you make it a wildcard? | 15:32 |
mgoddard | or disable port security for the port | 15:33 |
ktibi | mgoddard, yes maybe | 15:36 |
ktibi | hum so no change | 15:36 |
ktibi | my router can't ping breth5 | 15:36 |
ktibi | bridge_mappings = physnet1:eth5-ovs | 15:38 |
ktibi | need to reconfigure neutron I think | 15:38 |
mgoddard | oh yes | 15:43 |
mgoddard | also maybe OVS to create breth5-ovs? | 15:43 |
ktibi | OVS have created p-breth5-ovs@p-breth5-phy | 15:46 |
ktibi | but OVS show Interface "phy-eth5-ovs" | 15:47 |
ktibi | maybe need to recreate all OVS structure :/ | 15:47 |
mgoddard | check the OVS role's handlers in k-a | 15:47 |
ktibi | yes --no-security-groups | 15:55 |
ktibi | oops | 15:56 |
ktibi | command: docker exec openvswitch_db /usr/local/bin/kolla_ensure_openvswitch_configured {{ item.0 }} {{ item.1 }} | 15:56 |
*** ktibi has quit IRC | 16:14 | |
*** ktibi has joined #openstack-kayobe | 16:15 | |
ktibi | mgoddard, ok all works :) | 16:18 |
mgoddard | nice! | 16:18 |
ktibi | security disabled on port | 16:18 |
ktibi | need to stop and rm the container to purge OVS :/ | 16:19 |
mgoddard | are you going to share the scripts you're building for this? | 16:19 |
mgoddard | could be useful for us | 16:19 |
*** ktibi has quit IRC | 16:21 | |
*** ktibi has joined #openstack-kayobe | 16:21 | |
*** dougsz has quit IRC | 17:04 | |
*** mgoddard has quit IRC | 17:06 | |
*** mgoddard has joined #openstack-kayobe | 17:46 | |
*** gkadam has quit IRC | 20:08 | |
*** ktibi has quit IRC | 20:27 | |
*** mgoddard has quit IRC | 21:40 |