Monday, 2016-11-21

sdake	cool - lots of peole have tried :)	00:00
Pavo	doesn't matter, if he doesn't reboot ARP would still show .25 being used	00:00
sdake	our docs have a bunch of contribs	00:00
v1k0d3n	thinking as i'm doing this, so it's really clear for users...including the HA proxy and TLS docs.	00:00
sdake	the reason ha proxy can be disabled at all is for third party hardware firewall usage	00:00
sdake	such as F5	00:00
Pavo	prechecks would have failed	00:00
sdake	Pavo roger	00:01
*** dave-mccowan has joined #openstack-kolla		00:01
v1k0d3n	makes sense. definitely	00:01
sdake	v1k0d3n alot of people disable haproxy to workaorudn the "I dont' have a free IP in my network" problem	00:01
sdake	then set the VIP to their host	00:01
v1k0d3n	sure, i get that.	00:01
sdake	that works AIO	00:02
sdake	but its wrong and should not be recommended	00:02
v1k0d3n	so auto set up bridge interfaces.	00:02
v1k0d3n	easy/good way to work around that and have a single nic box.	00:02
v1k0d3n	great for an AIO	00:02
sdake	yup but then they go multinode or tls	00:02
sdake	and bammo they are super confused	00:02
v1k0d3n	gets working, secures with TLS. win/win.	00:02
Pavo	not if you plan on using VLANs are provider networks	00:02
v1k0d3n	so set up bridges for multi-node.	00:02
v1k0d3n	win win there too	00:03
v1k0d3n	great abstraction. doing it for docker anyway.	00:03
v1k0d3n	VLAN's work to though.	00:03
v1k0d3n	OSA does it. i do some crazy stuff for OSA	00:03
v1k0d3n	so server is up. working on globals.	00:03
Pavo	if you use 1 nic only for aio you have to have sub interfaces and the main NIC with no IP	00:04
sdake	ya - that just leads to trouble supporting this stuff making those recommendations pavo ;)	00:04
v1k0d3n	so internal (admin) nic is kolla_internal_vip_address: 192.168.70.25, right?	00:04
Pavo	yes	00:04
sdake	v1k0d3n your machine's ip is what?	00:04
v1k0d3n	Pavo: https://github.com/v1k0d3n/traveling-circus/blob/master/deploy-openstack/roles/hosts-prep/template/interfaces.j2	00:05
kollabot1	traveling-circus/interfaces.j2 at master · v1k0d3n/traveling-circus · GitHub	00:05
sdake	that will only work if you disable tls	00:05
v1k0d3n	machine is 192.168.70.25	00:05
v1k0d3n	sorry!!!	00:05
v1k0d3n	wrong	00:05
v1k0d3n	.20	00:05
sdake	cool	00:05
sdake	so do you want to run with tls?	00:05
v1k0d3n	yes	00:05
sdake	I'd recommendgetting aio going without tls first	00:05
v1k0d3n	i have two interfaces	00:05
sdake	without haproxy	00:06
v1k0d3n	one without an IP, however it is on a subnet with a /22	00:06
sdake	rather with haproxy	00:06
v1k0d3n	192.168.4.0/22	00:06
v1k0d3n	that is my "public"	00:06
v1k0d3n	can we work through what the config should look like?	00:06
sdake	your big banging the config	00:06
sdake	baby steps ;)	00:06
v1k0d3n	my night is running out and i want to get a solid config according to what you guys are saying i need	00:07
sdake	but if you want to big bang it we can do that	00:07
v1k0d3n	i understand.	00:07
v1k0d3n	atom bomb	00:07
v1k0d3n	:)	00:07
v1k0d3n	jk	00:07
v1k0d3n	trust you guys.	00:07
v1k0d3n	so anyway...globals	00:07
v1k0d3n	working on that	00:07
sdake	#kolla_external_vip_address: "{{ kolla_internal_vip_address }}"	00:07
sdake	this line should be .25	00:07
Pavo	so external vip should be an address out of 192.168.4.0/22	00:07
sdake	pavo his dns doesn't resolve .4	00:08
Pavo	he just said that was is "public"	00:08
sdake	his dns only resolves .1	00:08
v1k0d3n	sdake: my internal can resolve yes...	00:08
v1k0d3n	i want admin to be 70...	00:08
v1k0d3n	4 is external	00:08
v1k0d3n	i can make dns anything i want....i rule my own dns.	00:08
v1k0d3n	dns is my bizzatch at my home.	00:08
sdake	ok, well here is what you need	00:09
sdake	you need whatever resolves to horizon.v1k0d3n.com to match that external VIP	00:09
v1k0d3n	Pavo: internal is the 70.25?	00:09
Pavo	v1k0d3n yeap	00:09
v1k0d3n	this is getting too confusing.	00:09
v1k0d3n	and we're only dealing with 2 interfaes :)	00:09
sdake	we could add more if you like ;)	00:10
Pavo	I would recommend for ease of IDing use 192.168.4.25 as external if its not being used	00:10
*** eaguilar has joined #openstack-kolla		00:10
v1k0d3n	Pavo: so external is an address that i create on the 4.0/22 right?	00:10
v1k0d3n	could be anything (which i will make .25 also.	00:10
Pavo	just easier to know that .25 on both networks point to horizon	00:10
Pavo	v1k0d3n yeap	00:10
v1k0d3n	right. ok...so ... recap! :)	00:11
v1k0d3n	kolla_internal_vip_address: "192.168.70.25"	00:11
v1k0d3n	enable_haproxy: "yes"	00:11
v1k0d3n	kolla_external_vip_address: "192.168.4.25"	00:11
sdake	that might work	00:11
sdake	try prechecks	00:11
v1k0d3n	lol	00:11
Pavo	still not done yet	00:11
v1k0d3n	hold on. i need fqdn	00:11
Pavo	you have 2 more things to do	00:11
v1k0d3n	Pavo: is that right?	00:12
Pavo	yeap add domain name to and uncomment the tld sections	00:12
Pavo	tls	00:12
v1k0d3n	so internal fqdn i want the hostname.jinkit.com (galvatron.jinkit.com).	00:12
Pavo	sections	00:12
v1k0d3n	and then external i want openstack.jinkit.com (again...dns is my world. i own it!)	00:12
v1k0d3n	:)	00:13
Pavo	sure	00:13
Pavo	I always go IP address for internal stuff, but thats me	00:13
Pavo	I am better to remeber numbers than names	00:13
sdake	pavo that skips tls	00:13
Pavo	what skips tls?	00:14
sdake	going to hte internal vip	00:14
v1k0d3n	http://pastebin.com/4GSzHMtw	00:14
kollabot1	getting-closer-yo.yaml - Pastebin.com	00:14
Pavo	no no I wasn't saying change it to a IP	00:14
Pavo	I was just saying myself just types IPs instead of names when dealing with internal stuff	00:14
v1k0d3n	is that wrong?	00:14
sdake	what ip does openstack.jinkit.com resolve to?	00:15
Pavo	looks correct	00:15
Pavo	still not done though	00:15
v1k0d3n	sdake: i will make it resolve to 192.168.4.25 (of course)	00:15
sdake	cool	00:15
sdake	lgtm	00:15
v1k0d3n	right. now uncomment tls and generate?	00:15
sdake	i'd recommend commenting out magnum and lbaas as well	00:16
sdake	and any other stuff you turned on	00:16
sdake	too many variables to sort out with all the stuff turned on at once	00:16
v1k0d3n	ok. so the point was to test magnum	00:16
v1k0d3n	and worked before.	00:16
Pavo	and I would recommend uncommenting #enable_central_logging: "no" and changing it to enable_central_logging: "yes"	00:16
v1k0d3n	but we can troubleshoot that later i guess.	00:16
Pavo	so you can use kibana to TS	00:16
v1k0d3n	great call there.	00:17
v1k0d3n	nice catch...i missed it.	00:17
sdake	v1k0d3n then will begin your journey into setting up kibana ;-)	00:17
sdake	took me about 8 hours to figure out	00:17
v1k0d3n	oh, also...	00:18
v1k0d3n	do i need openvswitch Pavo?	00:18
Pavo	yes	00:18
v1k0d3n	i noticed you had enabled on yours...i had disabled, but things were working....	00:18
v1k0d3n	hmmm	00:18
v1k0d3n	ok	00:18
Pavo	well I use ovs	00:18
sdake	v1k0d3n if its disabled, it defaults to on	00:18
Pavo	but its up to you	00:18
sdake	ovs = openvswitch	00:18
v1k0d3n	ok...i thought so	00:18
v1k0d3n	anything else i may be missing?	00:20
*** Pavo has quit IRC		00:21
v1k0d3n	prechecks so far are ok	00:21
*** Pavo has joined #openstack-kolla		00:21
Pavo	not that I can see	00:21
v1k0d3n	Pavo: do you use magnum or know much about enabling it?	00:22
v1k0d3n	taking sdake advice of not enabling for now...	00:23
v1k0d3n	but want to use that along wiht at least LBaaS	00:23
sdake	magnu mis a bit tricky because the data plane needs to be able to access the control plane for waitcoditions to work	00:23
v1k0d3n	so guys...ok to kolla-a pull and deploy?	00:23
v1k0d3n	makes sense, but this is AIO...so?	00:24
sdake	v1k0d3n networking is... complicated	00:25
sdake	so yup give it a go	00:25
v1k0d3n	networking is always complicated.	00:27
*** sdake_ has joined #openstack-kolla		00:27
Pavo	I haven't used magnum yet	00:27
v1k0d3n	i can't wait until someone wants to bring up scaling issues with flannel and kolla-k8s. :-/	00:27
*** imcsk8 has quit IRC		00:28
v1k0d3n	Pavo: are you using heat?	00:28
Pavo	yes	00:28
v1k0d3n	or aodh?	00:28
Pavo	aodh?	00:28
Pavo	whats that?	00:29
v1k0d3n	do you need heat + something else...or when you alarming or ceilometer?	00:29
v1k0d3n	sorry...that was messing. two incomplete thoughts!	00:29
v1k0d3n	lol	00:29
Pavo	I use heat, cinder, swift and ceph as the backend for those	00:29
*** sdake has quit IRC		00:30
v1k0d3n	so 1. when services need two things (for insstance magnum needs barbican) do you need to have both installed or does the top item install both? may be a good q for sdake_	00:30
v1k0d3n	and 2. do you use alarming and ceilometer?	00:30
*** yingjun has joined #openstack-kolla		00:30
*** yingjun has quit IRC		00:30
*** yingjun has joined #openstack-kolla		00:31
Pavo	I tried to use maruno but for some reason kolla doesn't add all the necessary things for it to be enabled in horizon after its been enabled in globals	00:31
sdake_	v1k0d3n 1. globls.yaml isn't smart enough to figure out its dependnecies	00:31
sdake_	v1k0d3n 2. i havne't used it persoanlly. Jeffrey4l uses it often	00:31
Pavo	v1k0d3n I use kibana for alarming	00:31
sdake_	Pavo yup we are aware of that, i think pbourke has some workarounds for that that he can share - but perhaps not	00:32
Pavo	yeah sdake_ you told me that once, haven't heard anything from pbourke yet	00:32
sdake_	Pavo did you msg him on the topic?	00:32
Pavo	only in here	00:32
sdake_	try in the mornings, he is eu timezone	00:32
Pavo	ok if I m up early enough, I'm on leave for the next week lol	00:33
sdake_	sounds good ;)	00:33
Pavo	I would love to start helping with updating docs also, "cough" sdake_ was gonna walk me through it one day	00:34
Pavo	:P	00:34
*** bjolo has quit IRC		00:34
sdake_	pavo ya sorry been busy with dayjob lately	00:37
Pavo	no problem I understand that	00:37
sdake_	pavo and making the repo split happen	00:37
v1k0d3n	sdake_: are there some docs on ehat would be needed to get magnum working (if all these tests succeed)?	00:39
sdake_	v1k0d3n doubtful	00:39
v1k0d3n	i mean magnum docs aren't really going to cover the kolla parts exactly.	00:39
v1k0d3n	this is what would be nice to have other teams contribute into kolla...	00:39
sdake_	kolla deploys as our upgstream recommends	00:39
v1k0d3n	that way, they just write their own docs on how to get it going and contribute those docs to kolla.	00:39
sdake_	v1k0d3n been down that path, and we did have some success with it	00:40
v1k0d3n	"enable these items"	00:40
v1k0d3n	well...it worked for the summit.	00:40
v1k0d3n	so people are going to want to try what they see :)	00:40
sdake_	no, i mean it worked prior to the summit	00:40
v1k0d3n	right.	00:40
sdake_	the challenge always comes in getting people to write docs	00:40
sdake_	they are happy to write the implementation :)	00:40
v1k0d3n	and recorded to have worked for the summit too.	00:40
v1k0d3n	ok...no love guys...	00:41
v1k0d3n	at all	00:41
v1k0d3n	Pavo and sdake_	00:41
Pavo	deploy without errors?	00:41
sdake_	need more details	00:41
v1k0d3n	Pavo: no errors	00:41
Pavo	anything fail?	00:41
v1k0d3n	sdake_: need to know where to look	00:41
v1k0d3n	no failures at all guys.	00:42
sdake_	whats not working precisely?	00:42
v1k0d3n	localhost : ok=293 changed=126 unreachable=0 failed=0	00:42
Pavo	go to the IP instead of the FQDN and see if you get self sign cert	00:42
v1k0d3n	sdake_: pretty simple really... https://galvatron.jinkit.com = This site can’t be reached	00:42
sdake_	run kolla-ansible post-deploy	00:42
sdake_	this will create an admin-openrc.sh in /etc/kolla	00:42
v1k0d3n	192.168.70.25 refused to connect.	00:43
Pavo	try to go to https://192.168.70.25	00:43
v1k0d3n	it redirects for sure...	00:43
v1k0d3n	that works	00:43
v1k0d3n	https://192.168.70.25/auth/login/?next=/	00:43
Pavo	or https://192.168.4.25	00:43
v1k0d3n	but still fails.	00:43
Pavo	what fails?	00:43
v1k0d3n	page cannot be reached.	00:43
Pavo	make sure to clear your certs in your browser	00:44
sdake_	ok instead of testing out horizon lets test out keystone	00:44
sdake_	run kolla-ansible post-deploy	00:44
sdake_	this will create admin-oepnrc.sh in /etc/kolla	00:44
v1k0d3n	ok...	00:44
sdake_	copy admin-openrc.sh to your machine your connecting from	00:44
v1k0d3n	so used a browser i have never even opened before...(once ever)	00:44
v1k0d3n	firefoz	00:44
v1k0d3n	same issue	00:44
Pavo	did you do systemctl disable firewalld	00:45
Pavo	and systemctl stop firewalld	00:45
Pavo	because it sounds like a firewall issue to me	00:46
v1k0d3n	sdake_: where is admin-openrc.sh hiding out again?	00:46
v1k0d3n	there's no firewall on this host...	00:46
Pavo	in /etc/kolla	00:46
v1k0d3n	ubuntu and it's disabled.	00:46
v1k0d3n	and what i'm going through is just a router. no firewall rules at play.	00:47
v1k0d3n	there is no openrc file in /etc/kolla.	00:47
sdake_	did you run kolla-ansible post-deploy?	00:47
sdake_	admin-openrc.sh	00:48
v1k0d3n	ok sorry, got it.	00:49
v1k0d3n	endpoints seem ok	00:49
v1k0d3n	what do you want me to check out. soured openrc sdake_	00:49
v1k0d3n	Pavo: 14.04	00:50
*** imcsk8 has joined #openstack-kolla		00:50
v1k0d3n	no systemd and there is absolutely, positively no firewall running :)	00:50
sdake_	v1k0d3n run openstack user list	00:50
Pavo	yeah I never used ubuntu	00:50
v1k0d3n	i promise.	00:50
v1k0d3n	it was working before certs issue	00:50
sdake_	do you have this line in your admin-openrc.sh file? export OS_CACERT=/Users/sdake/demo/haproxy-ca.crt	00:50
v1k0d3n	sdake_: ok one sec	00:51
*** hfu has joined #openstack-kolla		00:51
sdake_	haprxoy-ca.crt comes from /etc/kolla/certificates i believe	00:51
v1k0d3n	sdake_: no that is not in openrc file	00:51
sdake_	is the openrc file one you copied?	00:51
*** hfu has quit IRC		00:51
v1k0d3n	huh?	00:51
sdake_	from /etc/kolla/admin-openrc.sh	00:51
*** hfu has joined #openstack-kolla		00:52
v1k0d3n	that is the only file i have...from /etc/kolla/admin-openrc.sh	00:52
v1k0d3n	yes	00:52
v1k0d3n	that file. no mention of cert	00:52
sdake_	ok - looks like a bug in post-deploy	00:52
sdake_	add that line	00:52
sdake_	need to tell your client (openstack) what cert your using	00:52
sdake_	or tls will fail to validate	00:53
Pavo	wait what?	00:53
v1k0d3n	ok, added	00:53
sdake_	so openstack endpoint list should produce a list of endpoints...	00:53
v1k0d3n	but wondering how this impacts web SSL to horizon?	00:53
sdake_	lets see if keystoen works first ;)	00:54
sdake_	keystone has its given name for a reason ;)	00:54
v1k0d3n	ok. so what now?	00:54
sdake_	source admin-openrc.sh	00:54
v1k0d3n	did it alreay	00:54
sdake_	then openstack endpoint list	00:55
sdake_	what happened?	00:55
v1k0d3n	did that already too	00:55
v1k0d3n	got the endpoints, just like i did before (said endpoints look good).	00:55
sdake_	try nova list	00:55
Pavo	ok can someone try https://ddi.hopto.org again please	00:55
sdake_	doesnt work pavo	00:56
v1k0d3n	sdake_: ERROR (AttributeError): 'X509' object has no attribute '_x509'	00:56
v1k0d3n	Pavo: no go man	00:56
sdake_	v1k0d3n try openstack instance list	00:56
sdake_	i think thats the command	00:56
sdake_	if not you will have to hunt for it	00:56
sdake_	openstack cli taking over, people stop maintaining their clients for the most part	00:56
Pavo	grrr I see you guys are getting forwarded	00:57
v1k0d3n	'openstack server list' produces 'X509' object has no attribute '_x509'	00:57
Pavo	but its wierd	00:57
sdake_	v1k0d3n try with --debug	00:57
Pavo	ok try it again sdake_	00:58
v1k0d3n	Pavo: same thing	00:58
v1k0d3n	omg sdake_ tons of garbage man	00:59
Pavo	grrr	00:59
* sdake_ speculates pavo is secretly running a click spamming campain :)		00:59
Pavo	lol	00:59
sdake_	v1k0d3n good paste the garbage	00:59
Pavo	no just TSing	00:59
Pavo	seriously look at this tcpdump	00:59
Pavo	http://pastebin.com/e1NWx9bN	00:59
kollabot1	19:58:37.918060 IP cpe-71-75-150-120.carolina.res.rr.com.49844 > 192.168.1.250.h - Pastebin.com	01:00
Pavo	port forwarding is working	01:00
Pavo	but for some reason its not working	01:00
v1k0d3n	http://pastebin.com/52BJPRCz	01:00
kollabot1	nasty-error.txt - Pastebin.com	01:00
v1k0d3n	think the x509 error gives a nice indication that it's certificate related?	01:00
v1k0d3n	i have no clue. this is frustrating.	01:03
Pavo	do you have a certificates folder in /etc/kolla?	01:03
sdake_	v1k0d3n pip show python-novaclient	01:03
v1k0d3n	Pavo: yes.	01:04
*** hfu has quit IRC		01:04
v1k0d3n	sdake_: http://pastebin.com/J8MYKtnu	01:04
kollabot1	more.txt - Pastebin.com	01:04
sdake_	k, let me check which version i have - moment	01:04
*** sdake has joined #openstack-kolla		01:05
v1k0d3n	so...guys...	01:06
v1k0d3n	something is terribly wrong here...	01:06
sdake	v1k0d3n try openstack image list	01:06
v1k0d3n	i went to http....and it goes through intermit	01:06
v1k0d3n	just saying.	01:06
Pavo	show us your globals again	01:07
v1k0d3n	sdake: all of them are ging an x509 error.	01:07
sdake	but openstack endpoint list does not?	01:07
sdake	so, that haproxy-ca.crt file is typically 700 and owned by root	01:08
sdake	perhaps openstack client having trouble reading it	01:08
v1k0d3n	http://pastebin.com/eW4CFMs6	01:08
kollabot1	globals.yml - Pastebin.com	01:08
sdake	try copying it somewhere else	01:08
v1k0d3n	Pavo:	01:08
sdake	debug up the stack not down the stack ;)	01:08
Pavo	this could be an issue	01:09
Pavo	#kolla_external_vip_interface: "{{ network_interface }}"	01:09
*** sdake_ has quit IRC		01:09
sdake	pavo ya thats an issue	01:09
sdake	pavo actually i'm not sure that it is..	01:09
sdake	anyway i'd like to take a look at this permissions idea first	01:09
Pavo	2 subnets can't be on same interface	01:09
openstackgerrit	Duong Ha-Quang proposed openstack/kolla-ansible: Specify 'become' for only neccesary tasks (default roles) https://review.openstack.org/398684	01:09
kollabot1	Gerrit Code Review	01:09
sdake	pavo right - run my internal and external on one subnet	01:10
sdake	so that is a delta i have from the setup v1k0d3n is doing	01:10
v1k0d3n	Pavo: those are two interfaces, two subnets though	01:15
v1k0d3n	em1 = 192.168.70.x/24 and em2 = 192.168.4.x/22	01:15
*** eaguilar has quit IRC		01:15
Pavo	neutron_external_interface: "em2" can not have an IP on it	01:16
v1k0d3n	it doesn't	01:16
Pavo	but kolla_external_vip_address: "192.168.4.25" will be put on em1	01:17
Pavo	also kolla_internal_vip_address: "192.168.70.25"	01:17
Pavo	will be put on em1	01:17
*** tonanhngo has joined #openstack-kolla		01:17
Pavo	because you have network_interface: "em1"	01:17
Pavo	neutron_external_interface: "em2" is used by neutron	01:18
Pavo	not anything else	01:18
v1k0d3n	i think this is exactly why kolla-ansible AIO should set up bridge interfaces.	01:18
Pavo	look at your interfaces I don't know the cmd in ubunti	01:18
v1k0d3n	you have one ip...great...we configure the rest for you using bridges.	01:18
Pavo	in CentOS it is ip addr	01:18
v1k0d3n	Pavo: em2 has no interface ip address	01:18
Pavo	I give you an example in a moment	01:19
v1k0d3n	it's just up without an ip	01:19
Pavo	yeah but look at em1	01:19
Pavo	it probably has 3 IPs	01:19
v1k0d3n	it is connected to a network lan segment with 192.168.4.0/22	01:19
Pavo	the host IP and your internal vip and external vip	01:19
*** tonanhngo has quit IRC		01:19
v1k0d3n	no it only has 1 ip address	01:19
Pavo	hmmm	01:19
v1k0d3n	it has the 20 address...	01:20
v1k0d3n	and that's it	01:20
Pavo	then what has your internal and external vip because the globals show it should be on network_interface: "em1"	01:20
v1k0d3n	this is something really strange here....honestly....	01:20
sdake	ya - config problem	01:20
Pavo	I have never done a aio deployment before but thats how multinode works	01:20
v1k0d3n	if i got to 192.168.70.20 or 25 or 4.25 or any of the dns names.	01:21
v1k0d3n	first time fails.	01:21
sdake	multinode and aio work the same way pavo	01:21
v1k0d3n	remove the SSL (http://.....) it goes through.	01:21
v1k0d3n	wth	01:21
sdake	v1k0d3n i'd be focused on why glance and nova don't work ;-)	01:21
Pavo	it adds internal and external to network interface unless you tell it to use a different interface for external by using kolla_external_vip_interface:	01:21
v1k0d3n	and on firefox i have literally blown everything away. cache, certs, etc.	01:21
Pavo	did you restart firefox after deleteing certs?	01:22
openstackgerrit	Li Yingjun proposed openstack/kolla-ansible: Fix network bw configuration for cloudkitty https://review.openstack.org/400011	01:24
kollabot1	Gerrit Code Review	01:24
v1k0d3n	sdake: can you help me understand why just connecting to 192.168.70.25 causes some of these issues?	01:25
v1k0d3n	Pavo: yes	01:25
sdake	v1k0d3n 70.25 is your host, your not going through tls or haproxy	01:26
sdake	i told you what i think is causing the x509 cert error	01:26
sdake	file permission read error on ca-cert.crt	01:26
*** eaguilar has joined #openstack-kolla		01:27
Pavo	can someone try https://ddi.hopto.org again please	01:27
*** duonghq has joined #openstack-kolla		01:27
sdake	sup DuncanT	01:27
v1k0d3n	Pavo: same issue man. :-( sorry	01:27
sdake	duonghq	01:27
v1k0d3n	sdake: so you think by changing permissions to root and 777 would fix it?	01:28
v1k0d3n	sorry, i missed that until now when i looked up and reread your statement.	01:28
v1k0d3n	want me to tear down again and rebuild?	01:29
sdake	v1k0d3n so here is what i'd do	01:29
sdake	v1k0d3n sudo cp /etc/kolla/ca-cert.crt /home/v1k0d3n	01:29
v1k0d3n	and just fwiw....the host ip is .20....	01:29
sdake	then change your admin-openrc.sh to reference /home/v1k0d3n instead	01:30
v1k0d3n	haproxy is handling requests for .25 (because we changed the ip, remember)?	01:30
sdake	then change permissions on the admin-openrc.sh to 700 owned by v1k0d3n	01:30
sdake	v1k0d3n this is problem with big bang deployments and debugging - too many variables	01:30
sdake	trying to do one thing at a time here ;)	01:30
v1k0d3n	we're only doing one thing at a time...we're doing TLS.	01:30
v1k0d3n	i can back off of TLS.	01:31
v1k0d3n	let's remove TLS and redeploy.	01:31
sdake	cool	01:31
v1k0d3n	what lines should i uncomment.	01:31
sdake	currrent paste?	01:31
sdake	of globals.yml	01:31
v1k0d3n	http://pastebin.com/eW4CFMs6	01:31
kollabot1	globals.yml - Pastebin.com	01:31
sdake	(note you will need to reboot because our destroy is not smart enough to deal with vips)	01:31
sdake	but reboot after the destroy :)	01:32
v1k0d3n	yeah that's fine. destroy.	01:32
duonghq	hi sdake	01:32
v1k0d3n	isn't there a way to clear containers and images too?	01:32
sdake	comment line 29 9haproxy)	01:32
sdake	comment line 42 (external_vip)address)	01:32
sdake	comment line 48 (external_fqdn)	01:32
sdake	comment line 90 (neutron_plugin_agent)	01:33
sdake	comment line 106 (kolla_enable_tls_external)	01:33
sdake	comment line 107 (kolla_external_fqdn_cert)	01:34
*** hfu has joined #openstack-kolla		01:34
sdake	comment line 147 (enable_lbaas)	01:34
*** tonanhngo has joined #openstack-kolla		01:34
sdake	comment line 140 (enable_magnum)	01:35
*** tonanhngo has quit IRC		01:35
sdake	I think that should get you an AIO without haproxy	01:35
sdake	lets see if that works ;)	01:35
*** newmember has joined #openstack-kolla		01:35
*** yingjun has quit IRC		01:37
*** hfu has quit IRC		01:37
*** yingjun has joined #openstack-kolla		01:37
v1k0d3n	rebooting	01:38
sdake	i just noticed a huge problem	01:39
sdake	your on ubuntu 14.04 as well?	01:39
*** liyifeng has joined #openstack-kolla		01:39
sdake	in that case, you want to run ubunbtu containers	01:39
sdake	and probably source at that	01:39
v1k0d3n	omg!	01:39
v1k0d3n	lol	01:39
sdake	but that may or may not be the cause	01:39
sdake	but lets fix that too	01:39
Pavo	sdake try https://ddi.hopto.org again please	01:39
v1k0d3n	i'm completely fine with this.	01:39
v1k0d3n	just adding more to the mix though...to your point	01:40
v1k0d3n	Pavo: no go again man	01:40
sdake	line 15 should be ubuntu	01:40
sdake	line 18 should be source	01:40
*** tovin07 has joined #openstack-kolla		01:40
v1k0d3n	sdake: does that mean that i need to build them locally now?	01:40
sdake	it will pull them	01:40
v1k0d3n	been fetching upstream	01:40
v1k0d3n	ok	01:40
v1k0d3n	just checking	01:40
Pavo	well access log is showing its allowed and letting it through	01:40
sdake	pretty sure ubuntu source is built	01:40
v1k0d3n	one sec Pavo i can give you more if you give me a minute.	01:41
v1k0d3n	a pcap	01:41
Pavo	whos IP is 98.165.68.220	01:41
v1k0d3n	let me get to a place where i'm fetching some containers or something first though	01:41
Pavo	and whos IP is 71.75.150.120	01:41
v1k0d3n	fwiw Pavo i am 71.	01:41
sdake	ya ubuntu source 3.0.1 is on dockerhub	01:42
Pavo	ok ACl log is showing its getting there, so it has to be a TLS issue for me	01:42
sdake	no idea which my ip is pavo	01:42
sdake	v1k0d3n cn you run pip show kolla as well pls	01:44
v1k0d3n	sdake: http://pastebin.com/WH8apvDm	01:44
kollabot1	new-globals.yml - Pastebin.com	01:44
v1k0d3n	sure	01:45
*** tonanhngo has joined #openstack-kolla		01:45
v1k0d3n	to be fair...this was installed a day ago :)	01:45
v1k0d3n	so hope it's the new one :D	01:45
sdake	well i missed commenting out line 124	01:45
v1k0d3n	sdake: more and more info	01:45
v1k0d3n	https://gist.github.com/v1k0d3n/a9f9851d4eddcf0e5ea9fc017f65154e	01:45
kollabot1	new.file.txt · GitHub	01:45
*** newmember has quit IRC		01:46
sdake	nice - right version of kolla ;)	01:46
v1k0d3n	of course	01:46
v1k0d3n	ok	01:46
*** tonanhngo has quit IRC		01:46
v1k0d3n	so want me to deploy?	01:46
sdake	cna you comment out line 124	01:46
v1k0d3n	already did it.	01:46
sdake	the enable_central_logigng	01:46
v1k0d3n	as you ask	01:46
sdake	cool	01:46
sdake	yup deploy	01:47
sdake	while thats thinking, might sa well remove that ca_cert line out of your admin-openrc	01:47
sdake	and create a toally new shell that doesn't have CA_CERT in the environment	01:47
*** tovin07_ has joined #openstack-kolla		01:49
sdake	v1k0d3n where is this cisco sit ethat has haproxy set to no, i'll ge tthat fixed	01:52
v1k0d3n	sdake: actually it's included in the globals.yaml for the mitaka cisco developer learning center OVA.	01:53
v1k0d3n	i think chris is that guys name?	01:53
sdake	hmm chris rings no bells	01:54
sdake	got a link?	01:54
sdake	what is an OVA	01:54
sdake	;)	01:54
sdake	still leraning my way around this place	01:54
v1k0d3n	let me search.......	01:54
v1k0d3n	trying to help Pavo too with a pcap and running this.	01:54
v1k0d3n	it's a google search away	01:54
sdake	ok - we can do it later	01:54
v1k0d3n	i litterally have to google search for it every time	01:54
Pavo	don't worry about me, get yours fixed first	01:55
Pavo	I can TS later	01:55
sdake	ok - i'll take a look at that later then	01:55
v1k0d3n	i actually hate these cisco links too (or how the person links things). every link is like inception that leads me right back to where i was.	01:55
v1k0d3n	useful links only pleaes :)	01:55
v1k0d3n	one link to where it's actually located iis helpful	01:55
v1k0d3n	lol	01:55
v1k0d3n	https://communities.cisco.com/community/developer/openstack/blog/2016/02/25/trying-openstack-using-kolla	01:56
kollabot1	OpenStack: Trying OpenStack Using Kolla \| Cisco Communities	01:56
sdake	v1k0d3n lol	01:56
sdake	ahh chris ricker	01:56
sdake	duh	01:56
sdake	don't know why that didn't ring a bell	01:56
v1k0d3n	yup	01:56
sdake	ya that thing is probably permanent ;)	01:57
sdake	since its a blog post	01:57
sdake	not sure i can get it fixed ;(	01:57
v1k0d3n	fix the OVA that he has uploaded ;)	01:58
v1k0d3n	then all good	01:58
sdake	i think that ws like a learning project - not sure he even has it anymore	01:59
v1k0d3n	ok sdake i can access 192.168.70.20	01:59
v1k0d3n	back to the beginning	01:59
sdake	cool nova list works?	01:59
v1k0d3n	oh yeah, he has it.	01:59
sdake	not back to the beginning	01:59
v1k0d3n	said he was going to do more and more with it	01:59
v1k0d3n	;)	01:59
sdake	cool - i'll shoot him an email :)	01:59
openstackgerrit	Li Yingjun proposed openstack/kolla-ansible: Update repo in documentation https://review.openstack.org/400017	01:59
kollabot1	Gerrit Code Review	01:59
sdake	so the reason your not back at the beginning is because your now running haproxy	01:59
sdake	which is a dramtic difference	02:00
sdake	i'd like to check out the basics of that - like does it work	02:00
sdake	openstack servers list	02:00
sdake	openstack image list	02:00
sdake	openstack endpoints list	02:00
v1k0d3n	nova list command works, but nothing there.	02:00
sdake	it might be images	02:00
sdake	cool it should b eempty	02:00
v1k0d3n	yes, all works...not using cert so works.	02:00
sdake	sweet	02:00
v1k0d3n	so now what? back to the beginning.	02:01
sdake	ok, so now, lets change a couple things - can you give me a current paste	02:01
v1k0d3n	(which is good...working.	02:01
v1k0d3n	btw Pavo you there?	02:01
Pavo	yeap	02:01
v1k0d3n	i'm not gettting anything anymore. that address not even talking back on my end.	02:01
v1k0d3n	dst unreachable	02:01
v1k0d3n	sdake: of globals?	02:02
sdake	yup of globals.yaml	02:02
v1k0d3n	https://gist.github.com/v1k0d3n/a9f9851d4eddcf0e5ea9fc017f65154e	02:03
kollabot1	new-globals.yml · GitHub	02:03
v1k0d3n	i'm going to keep using that for each output	02:03
v1k0d3n	from now on. pastebin was getting too...bleh...no more. don't like it.	02:03
sdake	change line 42 to 192.168.70.26	02:04
sdake	and make sure 26 is unused	02:04
v1k0d3n	sdake: huh?	02:04
v1k0d3n	you mean 192.168.70.25?	02:04
*** tonanhngo has joined #openstack-kolla		02:04
sdake	25 = internal 26 = external - same subnet	02:04
Pavo	yeah I am redeploying	02:04
v1k0d3n	remember....i have DNS pointing to .25 already. i want to keep dns as much intact as possible.	02:04
*** tonanhngo has quit IRC		02:05
sdake	ok 26 external 25 internal	02:05
sdake	rather 25 external, 26 internal	02:05
sdake	sorry tire d;)	02:05
sdake	and watching 300 atm	02:05
sdake	the key is on the same subnet	02:06
sdake	so .70	02:06
sdake	em1 = .70 right?	02:06
v1k0d3n	yes 70 subnet	02:06
v1k0d3n	alright, done.	02:06
sdake	sweet, so wht we are after is an AIO on one subnet ;)	02:06
sdake	with TLS enabled	02:06
v1k0d3n	ok. now what?	02:07
sdake	106 uncomment	02:07
v1k0d3n	106 and 107, correct?	02:07
sdake	just 106	02:07
v1k0d3n	or does 107 assume location automatically?	02:07
sdake	yup its a default	02:07
v1k0d3n	ok	02:07
v1k0d3n	just checking	02:07
sdake	no sense setting it twice ;)	02:07
v1k0d3n	next?	02:07
sdake	destroy/deploy	02:07
sdake	the idea of 107 is you may have certificates that you paid good money for in a different location	02:08
v1k0d3n	well, destroy reboot deploy??	02:08
sdake	ya sound sgood	02:08
v1k0d3n	also...what about removing images? do we care?	02:08
v1k0d3n	or should i keep?	02:09
v1k0d3n	i would assume keepoing should be fine....	02:09
v1k0d3n	also, no haproxy yet either...correct?	02:09
sdake	don't remove images	02:10
sdake	dont change any haproxy settings	02:10
sdake	we definately need haproxy ;)	02:10
sdake	just change thos elines i mentioned	02:10
sdake	and new paste - i'll verify before deploy if you like	02:10
openstackgerrit	Li Yingjun proposed openstack/kolla-ansible: Notification needed for searchlight https://review.openstack.org/400022	02:13
kollabot1	Gerrit Code Review	02:13
sdake	so onc ea long long time ago i worked at a linux co that did support	02:14
sdake	my #1 question was this:	02:14
sdake	https://www.linkedin.com/groups/49301/49301-6204851788525465603	02:14
kollabot1	Sign Up \| LinkedIn	02:14
sdake	infomagic	02:14
sdake	for those that are in the wayback machine ;-)	02:15
sdake	my #1 question may have been "how do I setup xwindows"	02:15
sdake	i don't remember	02:15
sdake	those two were tied probably :)	02:15
sdake	"how big should I make /var'	02:16
sdake	uhh, as big as you need it?"	02:16
sdake	that answer was always unsatisfiyign :)	02:16
sdake	linux in 94 and whatnot was painful	02:17
sdake	xwindows didn't just work out of the box	02:17
v1k0d3n	sdake: reason i ask about haproxy is because you had me disable it.	02:18
Pavo	ok just try ddi.hopto.org	02:18
sdake	when did I have you disable it?	02:18
sdake	I had you comment out enable haproxy:yes	02:18
sdake	or no	02:18
sdake	or whatever it was	02:18
sdake	it defaults to yes	02:18
sdake	v1k0d3n paste new globals and i'll dc it foryou	02:18
sdake	our arrows will blot out the sun!	02:19
sdake	then we will fight in the shade	02:19
v1k0d3n	sdake: https://gist.github.com/v1k0d3n/a9f9851d4eddcf0e5ea9fc017f65154e	02:19
kollabot1	new-globals.yml · GitHub	02:19
Pavo	sdake anything at ddi.hopto.org?	02:19
sdake	so your dns resolves 25 to your external network name?	02:20
v1k0d3n	huh?	02:20
sdake	v1k0d3n you said 25 was special becaue its your dns hostname	02:20
sdake	you want that to be your external ip	02:20
sdake	and the other your internal	02:20
sdake	internal is totally internal - has no dns name	02:20
v1k0d3n	i have dns set up for galvatron.jinkit.com at 70.25	02:20
sdake	ok, cool, so swap around 26 and 25 in globals.yml	02:21
v1k0d3n	i have openstack.jinkit.com at 4.25	02:21
*** Pavo has quit IRC		02:21
sdake	ok, we will use galvatron for now	02:21
*** Pavo has joined #openstack-kolla		02:21
v1k0d3n	ok	02:21
v1k0d3n	and haproxy?	02:21
v1k0d3n	commented. i guess default is to use	02:22
v1k0d3n	?	02:22
*** eaguilar has quit IRC		02:22
v1k0d3n	Pavo: no love man	02:22
sdake	haproxy defaults to yes v1k0d3n	02:22
Pavo	I think I know what the issue is	02:22
Pavo	I see the request coming in	02:22
sdake	v1k0d3n so as the config stands, its enabling haproxy - so we are good to go once you move those ips around ;)	02:22
Pavo	and its hitting the server on those ports	02:22
Pavo	but nothing going back	02:22
v1k0d3n	ok	02:23
*** tonanhngo has joined #openstack-kolla		02:24
Pavo	v1k0d3n try it one more time please	02:24
* sdake sets up a ping bot for pavo ;)		02:24
v1k0d3n	Pavo: changed this time at least...	02:25
Pavo	I don't have ICMP forwarded	02:25
v1k0d3n	this time completely times out with no reponce.	02:25
v1k0d3n	sure you don't have an async route issue going on?	02:25
v1k0d3n	i do that all the time.	02:25
Pavo	its possible	02:25
v1k0d3n	from this end...	02:25
*** tonanhngo has quit IRC		02:25
v1k0d3n	that's what i looks to be.	02:25
v1k0d3n	it's going out and never returns.	02:26
v1k0d3n	no boomerang	02:26
Pavo	can you get to ddi.hopto.org:3000	02:26
v1k0d3n	sdake: we forgot certs creation	02:26
v1k0d3n	so i need to destroy reboot	02:26
sdake	pavo yup that works	02:26
v1k0d3n	man...this is taking all freaking night.	02:26
Pavo	then it has to be my servers	02:27
v1k0d3n	sunday night...this isn't good	02:27
sdake	v1k0d3n oops sorry about that on the certs creation	02:27
sdake	ya need to destroy and reboot unfortunately and create certs	02:27
Pavo	looks like I am gonna complete reinstall OS on all	02:27
sdake	pavo its probbably not your servers ;)	02:27
v1k0d3n	this needs to be so extremely clear in docs, and i highly suggest setting up bridge ports automatically for users who have a single interface for AIO	02:27
sdake	v1k0d3n ya its a challenge	02:28
v1k0d3n	the OSA team learned from this, and this is one thing they do extremely well. AIO deployments, just work out of the box.	02:28
sdake	v1k0d3n we havne't eve ngot to the hard part yet	02:28
v1k0d3n	and that's how an AIO should be.	02:28
sdake	i evaled osad some time ago - 2015 i think and it took 8 days to install	02:28
v1k0d3n	AIO should be totally brainless. "i'm here to learn..."	02:29
sdake	it is brainless ;)	02:29
sdake	once you do it once	02:29
sdake	i've done it hundreds of times unfortunately :(	02:29
sdake	the doing it once part is hard	02:30
sdake	and the docs are not ideal	02:30
v1k0d3n	OSA under 10 commands, with full TLS on a single interface. can we get kolla-ansible to that?	02:30
sdake	unforutnately docs dont write themselves	02:30
sdake	no idea on single interface	02:30
sdake	we dont implement that at this time	02:30
*** bjolo has joined #openstack-kolla		02:30
v1k0d3n	could use an interface setup similar to this: https://github.com/v1k0d3n/traveling-circus/blob/master/deploy-openstack/roles/hosts-prep/template/interfaces.j2	02:31
kollabot1	traveling-circus/interfaces.j2 at master · v1k0d3n/traveling-circus · GitHub	02:31
sdake	on multiple interface should be pip install - modify globals yam - kolla-ansible certificates - kolla-ansible deploy	02:31
sdake	4 commands	02:31
v1k0d3n	no..it's not that at all.	02:31
sdake	v1k0d3n i dont do ubuntu so i dont know how to parse that file	02:32
v1k0d3n	current docs are not simple for kolla yet.	02:32
*** zhubingbing has joined #openstack-kolla		02:32
v1k0d3n	definitely not 4 command.	02:32
sdake	preaching to choir	02:32
sdake	they are actually as simple as they can be at present	02:33
sdake	for the aio case ;)	02:33
sdake	so where ya at - deploy - ?	02:33
v1k0d3n	i think they can be easier...just saying.	02:34
v1k0d3n	deploying.	02:34
sdake	right we know the docs need work	02:34
sdake	people do work on them	02:34
sdake	the thing kolla lacks above all else is a professional information architect	02:34
v1k0d3n	this is more than docs in this case.	02:34
sdake	that is, someone that can formulate our information in our brains into documentation	02:35
sdake	its a rough gig, and not many people can tackle it	02:35
sdake	lana (docs ptl) had suggested she would see if she could this cycle	02:35
v1k0d3n	not sure i can even touch that one.	02:35
sdake	ya - its hard project to do right :)	02:37
sdake	i struggle focusing on it myself (the docs thing)	02:37
sdake	osad has had that since the beginning	02:38
sdake	that is why their docs rock ;)	02:38
v1k0d3n	so TLS works to .25 but not to .26	02:39
v1k0d3n	probably because of the galvatron.jinkit.com resolution (assumption, without getting into sniffing out packets in this case).	02:40
sdake	right v1k0d3n	02:40
sdake	.26 = internal network	02:40
sdake	internal network doesn't have tls	02:40
sdake	we do not have intenral TLS	02:40
v1k0d3n	you mean kolla in general?	02:41
v1k0d3n	or in our config?	02:41
sdake	kolla in general	02:41
v1k0d3n	(well my current config i mean).	02:41
v1k0d3n	ok. good to know.	02:41
sdake	kolla doesn't use tls internally	02:41
v1k0d3n	so now what?	02:41
sdake	the assupmtion being that network is secure	02:41
sdake	this would caus e adouble tls hit on each connection	02:42
sdake	we have debated adding it	02:42
sdake	but it makes thins more complicated for not alot of gain	02:42
sdake	ok so nwo you have my network setup	02:42
sdake	i'll tell you waht i do	02:42
sdake	and what I htink your going to have to do	02:42
sdake	I have a wireless router	02:42
v1k0d3n	ok...	02:43
sdake	I use the DMZ port forwrading feature to forward each external port on my dyndns to my external networks VIP	02:43
v1k0d3n	well, hold on...	02:43
sdake	e.g. in yoru case I would point my port forwards for openstack.jenkin.com to 0.25	02:43
v1k0d3n	i'm telling you what i need.	02:43
sdake	right	02:43
sdake	i'm explaining my setup	02:44
sdake	so - tls does work :)	02:44
v1k0d3n	i need to use the 192.168.4.0/22 subnet for my hosts and external access.	02:44
*** tonanhngo has joined #openstack-kolla		02:44
sdake	you want to share neutron with your external vip?	02:44
v1k0d3n	no, i'm asking how i need to set up if i want to allow access to hosts on that external subnet of 192.168.4.x/22.	02:45
*** tonanhngo has quit IRC		02:45
v1k0d3n	so those hosts are going to have 1 to 1 mappings to external. that net is my public float range.	02:46
v1k0d3n	i'm so far away from what i originally had that i don't know where i need to go now. i'm confused because we drilled back so far without looking at what i had or the intention.	02:46
sdake	openstack doesn't work that way	02:46
v1k0d3n	dude.	02:47
v1k0d3n	ok.	02:47
v1k0d3n	that doesn't make sense.	02:47
sdake	hae you got htis model to deploy some where else?	02:47
sdake	here is the problem - neutron totally takes over em2	02:47
v1k0d3n	i can't argue the architecture. i'm telling what i need.	02:47
sdake	em2 = .4	02:47
sdake	rather	02:48
sdake	em2 = right, .4	02:48
v1k0d3n	we can't tell people "that's not how openstack works". we will lose users.	02:48
sdake	you are putting an external VIP in your neutorn network	02:48
sdake	i am not a netowrking expert	02:49
v1k0d3n	right now i have to get back to what i had...	02:49
sdake	its a struggle for me to get neutron working at all :)	02:49
sdake	you have tls working	02:49
v1k0d3n	which was working minus the TLS.	02:49
sdake	thats more then what you had before	02:49
sdake	oh gotcha	02:49
sdake	well, if your willing to wait	02:49
v1k0d3n	the most important askpect is how the network worked.	02:49
sdake	can hae a cat consult with your tomororw who is a networking expert	02:50
sdake	its possible i'm wrong	02:50
v1k0d3n	192.168.4.x/22 was my external pool. 192.168.70.25 was my openstack horizon interface and API access.	02:50
sdake	he wrote part of the tls implementation	02:50
*** yuanying has quit IRC		02:50
v1k0d3n	that's what i want...but i want TLS on that 4 link...because....well....that just makes sense. that's where user traffic is going...	02:50
sdake	ok, well thats what you got now	02:50
v1k0d3n	no...it's not what have.	02:51
sdake	lag	02:51
sdake	moment	02:51
*** Jeffrey4l has quit IRC		02:51
*** yuanying has joined #openstack-kolla		02:51
sdake	ok so 70.25 is what you want as your openstack horizon interface?	02:51
sdake	I thought it was 4.25?	02:52
sdake	what you have now is 70.25 as your openstack interface - with tls	02:52
v1k0d3n	well, i'm really confused.	02:52
v1k0d3n	so i want users to access horizon, and manage instances over .4.x/22	02:52
v1k0d3n	that needs TLS.	02:53
sdake	and you want to have a float in that ssame network?	02:53
v1k0d3n	but internally, i need to mnage things too right?	02:53
sdake	define "manage instances"	02:53
v1k0d3n	i guess i'm confused because OSA i can put anything where i want...anywhere. TLS everywhere. all good.	02:53
sdake	do you mean connect to instances ?	02:53
v1k0d3n	and frankly...TLS needs to be anywhere and everywhere for security reasons.	02:54
v1k0d3n	even if it's internal...it still neesd to be locked down.	02:54
sdake	so do you mea nconnect to instances?	02:54
v1k0d3n	we don't have architecture diagrams for kolla, is that right?	02:54
sdake	that is incorrect	02:54
v1k0d3n	oh ok	02:54
sdake	although i'm not sure where the ones i drew went	02:55
v1k0d3n	one sec...let me try to find.	02:55
sdake	so maybe lsot forever	02:55
v1k0d3n	haha this is confusing.	02:55
sdake	i had diagrams- gliffy cratered	02:55
sdake	so - do you want to connect ot he machines on .4?	02:55
sdake	via SSH	02:55
v1k0d3n	so sorry man. i'm trying to just get this working and move on to dev kolla-k8s. wanted to have an AIO to do some of that dev work though.	02:56
sdake	the VMs you got running there	02:56
v1k0d3n	i want to understand the whole thing better. it's not exactly clear to me.	02:56
v1k0d3n	i have two nets....	02:56
v1k0d3n	so its not confusing.	02:56
sdake	two routed the internet networks?	02:57
v1k0d3n	192.168.70.x/24 that is private. that is where i want my administration API's. super secrets stuff i want to protect.	02:57
v1k0d3n	that needs TLS. it's super secret.	02:57
*** harlowja has quit IRC		02:57
v1k0d3n	then i have 192.168.4.x/22	02:57
v1k0d3n	that is where my internet user traffic comes in over.	02:57
v1k0d3n	they access their VM's over that net.	02:58
v1k0d3n	and there is an API that is available to them out there.	02:58
*** dmsimard has quit IRC		02:58
v1k0d3n	again, it needs to be TLS...it's user auth.	02:58
sdake	how do you connect traffic from .4.x to .70.x?	02:58
v1k0d3n	there is a router for 4 and 70	02:59
sdake	type of router?	02:59
*** dmsimard has joined #openstack-kolla		02:59
v1k0d3n	not sure that really matters? but ubiquiti.	03:00
sdake	ok, so a hardware router?	03:00
sdake	it matters a whole bunch	03:00
sdake	you see i dont have a router in my setup	03:00
sdake	so your setup may be different becasue of the router	03:00
v1k0d3n	yes, very good hardware router	03:00
sdake	dave-mccowan is the dude to tlak to	03:00
v1k0d3n	good for home nerds who want to spend too much on routers :)	03:00
sdake	he is a networking pro, a security pro, and implemented parts of the tls in kolla	03:01
sdake	i'd like to hear what comes of that conversation - so i can teach others	03:01
sdake	it really needs to be documented	03:01
v1k0d3n	well, one thing worries me....	03:01
v1k0d3n	you said that kolla can't support tls on two interfaces.	03:01
sdake	not sure i said that	03:02
v1k0d3n	i'm so off track i don't know how to get back	03:02
sdake	i said we have no internal tls implemenation	03:02
v1k0d3n	let me try and find my orig pastebin. that should help.	03:03
sdake	keep a copy of what you got	03:03
sdake	it will help you setup tls when dave-mccowan is about	03:03
sdake	something has to connect the exteranl VIP to the intenral VIP	03:04
sdake	that something in my network si the fact that they are on the same network	03:04
sdake	you want to put the external vip on a different network which is also your provider network	03:04
v1k0d3n	so "internal" is what?	03:04
sdake	internal = management network	03:04
sdake	.70	03:04
v1k0d3n	but what rides on that...neutron?	03:05
sdake	no, neutron rides on .4	03:05
sdake	neutron api neutron server of course run on .70	03:05
sdake	but the neutron ips are doled out on .4	03:06
sdake	you se ekeepalive puts an ip somewhere in that .4 range	03:06
v1k0d3n	ok, that works. definitely need that in my case	03:06
sdake	whereever you specify	03:06
v1k0d3n	so a flip of what i currently have.	03:06
sdake	your config is as i described above minsu the keepalived puts an ip somewhere on .4	03:07
v1k0d3n	so the internal vip i would want on .70.25	03:07
v1k0d3n	and external i would want on 40.25	03:07
sdake	.4.25 you mean?	03:07
v1k0d3n	sorry yes	03:07
sdake	cool, so i think that may work - if your floating range is big enough - problem you have is you have no interface in your machine to bind a .4 address to	03:08
v1k0d3n	do i need to have an external FQDN as well, i guess...correct?	03:08
Pavo	shouldn't api use loopback on aio deployments, seems like it would make it better	03:08
sdake	ya i run with external fqdn	03:08
v1k0d3n	what do you mean? that's where em2 is coming in.	03:08
v1k0d3n	look at the config again. there are two interfaces.	03:09
sdake	right, typically i leave em2 completely uncofugred	03:09
sdake	i dont understand ubuntu config files ufnortunately	03:09
sdake	wrong person to look at that :(	03:09
sdake	if you configure em2 with a route and whatnot so it can find the router, and do its routing thing whatever the hell that is	03:10
sdake	neutron implodes the em2 route	03:10
sdake	keepalived's binding to the port fails	03:10
*** awiddersheim has quit IRC		03:10
sdake	so i'm not sure how to get keepalived to bind to a .4 port on your machine	03:10
sdake	really out of my area of expertise - not a netowrking expert	03:11
*** awiddersheim has joined #openstack-kolla		03:11
sdake	;)	03:11
sdake	dave-mccowan on other hand could tell you if it would work or not	03:12
sdake	dave-mccowan and if so what to do	03:12
sdake	:)	03:12
*** jascott1 has quit IRC		03:12
sdake	but we can experiment if you like	03:12
sdake	v1k0d3n my understanding of openstack is this is why people use firewlal softwre- to forward stuff to an intenral TLS endpoint	03:13
sdake	rather hardware	03:13
*** tonanhngo has joined #openstack-kolla		03:14
*** tonanhngo has quit IRC		03:15
*** tonanhngo has joined #openstack-kolla		03:27
*** tonanhngo has quit IRC		03:27
*** zhurong has joined #openstack-kolla		03:27
sdake	night all	03:28
sdake	v1k0d3n hit up dave-mccowan in the morning - he can either get you going or tell you its not possible ;)	03:28
v1k0d3n	later man	03:28
sdake	v1k0d3n i'm glad we confirmed tls works for you :)	03:28
v1k0d3n	i'm working these interfaces to do what i need	03:28
sdake	step in right direction	03:28
v1k0d3n	actually it's not the way i need	03:29
v1k0d3n	gotta figure out.	03:29
v1k0d3n	or find the gap if there is one.	03:29
sdake	v1k0d3n thats a small victory atleast ;)	03:29
v1k0d3n	but definitely have some ideas how to make an AIO possibly easier for folks.	03:29
sdake	cool that would be helpful	03:30
sdake	cncf gives projects 20k for documentation contractors	03:31
sdake	per year	03:31
sdake	pretty sweet	03:31
v1k0d3n	how does that work?	03:32
sdake	on that note, i'm out :)	03:32
sdake	not sure on the mechanics	03:32
v1k0d3n	my wife is a tech writer...	03:32
sdake	cool	03:32
sdake	if she is looking for a gig, they are probably hiring in some way	03:32
sdake	but i don't know for sure	03:32
sdake	i'm just getting involved in cncf - only been to one conference	03:33
*** hfu has joined #openstack-kolla		03:33
v1k0d3n	i hear ya	03:33
v1k0d3n	cool man	03:34
v1k0d3n	thanks for the help	03:34
v1k0d3n	definitely know more than i did...extremely happy for that!	03:34
sdake	yup - this is how we learn	03:34
sdake	on irc ;)	03:34
sdake	eveyrone learns together - its pretty sweet	03:34
sdake	i expect other group chat tools are similar	03:34
sdake	i've leraned more by watching here then i've tought ;)	03:35
*** yuanying has quit IRC		03:46
*** tonanhngo has joined #openstack-kolla		03:48
*** yuanying has joined #openstack-kolla		03:48
*** tonanhngo has quit IRC		03:48
*** sdake has quit IRC		03:51
*** hfu has quit IRC		03:53
*** kollabot1 has quit IRC		03:55
*** kollabot has joined #openstack-kolla		03:55
*** yingjun has quit IRC		03:57
*** severion has joined #openstack-kolla		03:58
*** zhurong has quit IRC		03:58
*** zhurong has joined #openstack-kolla		03:59
*** v1k0d3n has quit IRC		04:01
*** v1k0d3n has joined #openstack-kolla		04:04
*** tonanhngo has joined #openstack-kolla		04:04
*** tonanhngo has quit IRC		04:06
*** severion has quit IRC		04:06
*** fragatina has quit IRC		04:07
*** fragatina has joined #openstack-kolla		04:07
*** dave-mccowan has quit IRC		04:12
*** tonanhngo has joined #openstack-kolla		04:13
*** v1k0d3n has quit IRC		04:15
*** severion has joined #openstack-kolla		04:15
*** yingjun has joined #openstack-kolla		04:18
*** v1k0d3n has joined #openstack-kolla		04:18
*** severion has quit IRC		04:20
*** zhurong has quit IRC		04:26
*** Jeffrey4l has joined #openstack-kolla		04:42
*** Jeffrey4l has quit IRC		04:43
*** Jeffrey4l has joined #openstack-kolla		04:44
*** v1k0d3n has quit IRC		04:54
*** senk has joined #openstack-kolla		04:57
openstackgerrit	Jeffrey Zhang proposed openstack/kolla: Add octavia docker image https://review.openstack.org/399896	05:07
kollabot	Gerrit Code Review	05:07
*** zhurong has joined #openstack-kolla		05:12
openstackgerrit	Jeffrey Zhang proposed openstack/kolla-ansible: Use tox to build gate images https://review.openstack.org/400051	05:30
kollabot	Gerrit Code Review	05:30
*** zhurong has quit IRC		05:31
*** senk has quit IRC		05:34
*** zhurong has joined #openstack-kolla		05:36
*** mdnadeem has joined #openstack-kolla		05:50
*** mdnadeem has quit IRC		05:51
*** mdnadeem has joined #openstack-kolla		05:53
*** unicell1 has quit IRC		05:53
*** unicell has joined #openstack-kolla		05:53
*** yingjun has quit IRC		06:31
*** yingjun has joined #openstack-kolla		06:34
*** liyifeng has quit IRC		06:36
*** sp__ has joined #openstack-kolla		06:42
*** yingjun_ has joined #openstack-kolla		06:47
*** prameswar has joined #openstack-kolla		06:47
*** yingjun has quit IRC		06:49
*** liyifeng has joined #openstack-kolla		06:49
*** yingjun_ is now known as yingjun		06:53
*** Satya_ has joined #openstack-kolla		06:55
Satya_	hi	07:10
*** zhurong has quit IRC		07:16
*** senk has joined #openstack-kolla		07:17
openstackgerrit	Surya Prakash Singh proposed openstack/kolla-ansible: use uuidutils instead of uuid.uuid4() https://review.openstack.org/399847	07:28
kollabot	Gerrit Code Review	07:28
*** prameswar has quit IRC		07:28
*** sp__ has quit IRC		07:33
*** magicboiz has joined #openstack-kolla		07:42
*** prameswar has joined #openstack-kolla		07:43
zhubingbing	hi sdake	07:45
prameswar	/msg NickServ identify pram@780	07:47
*** matrohon has joined #openstack-kolla		07:55
*** matrohon has quit IRC		08:02
*** matrohon has joined #openstack-kolla		08:02
*** NachoDuck has quit IRC		08:06
*** shardy has joined #openstack-kolla		08:07
*** skramaja has joined #openstack-kolla		08:07
*** saneax-_-\|AFK is now known as saneax		08:07
*** NachoDuck has joined #openstack-kolla		08:08
*** Pavo has quit IRC		08:21
*** Pavo has joined #openstack-kolla		08:21
*** awiddersheim has quit IRC		08:27
*** awiddersheim has joined #openstack-kolla		08:27
*** skramaja_ has joined #openstack-kolla		08:34
*** skramaja has quit IRC		08:34
openstackgerrit	zhubingbing proposed openstack/kolla-ansible: test kolla-ansible branch https://review.openstack.org/400109	08:34
kollabot	Gerrit Code Review	08:34
*** awiddersheim has quit IRC		08:37
*** awiddersheim has joined #openstack-kolla		08:37
*** senk has quit IRC		08:39
openstackgerrit	zhubingbing proposed openstack/kolla: test for kolla https://review.openstack.org/400111	08:39
kollabot	Gerrit Code Review	08:39
*** skramaja_ has quit IRC		08:45
*** skramaja_ has joined #openstack-kolla		08:45
*** awiddersheim has quit IRC		08:48
*** egonzalez90 has joined #openstack-kolla		08:48
*** awiddersheim has joined #openstack-kolla		08:48
*** NobodyCam has quit IRC		08:49
*** NobodyCam has joined #openstack-kolla		08:52
*** skramaja_ is now known as skramaja		08:54
openstackgerrit	zhubingbing proposed openstack/kolla-ansible: add panko role https://review.openstack.org/400122	08:55
kollabot	Gerrit Code Review	08:55
Jeffrey4l	any core reviewer around? please ack https://review.openstack.org/399898 which blocked kolla master.	09:03
kollabot	Gerrit Code Review	09:03
*** sp__ has joined #openstack-kolla		09:22
*** senk has joined #openstack-kolla		09:24
*** Serlex has joined #openstack-kolla		09:27
*** gfidente has joined #openstack-kolla		09:27
*** gfidente has joined #openstack-kolla		09:27
*** sp__ has quit IRC		09:31
*** tovin07_ has quit IRC		09:33
*** athomas has joined #openstack-kolla		09:37
openstackgerrit	Merged openstack/kolla: Run init-once in kolla-ansible folder https://review.openstack.org/399898	09:39
kollabot	Gerrit Code Review	09:39
*** yingjun has quit IRC		09:42
*** sp__ has joined #openstack-kolla		09:48
*** liyifeng has quit IRC		10:03
*** tovin07_ has joined #openstack-kolla		10:04
*** tovin07_ has quit IRC		10:08
*** sp__ has quit IRC		10:08
*** Satya_ has quit IRC		10:10
*** liyifeng has joined #openstack-kolla		10:16
*** Pavo has quit IRC		10:21
*** Pavo has joined #openstack-kolla		10:21
*** sp__ has joined #openstack-kolla		10:26
*** zhubingbing has quit IRC		10:29
*** tonanhngo has quit IRC		10:31
*** senk has quit IRC		10:32
openstackgerrit	Javier Castillo Alcíbar proposed openstack/kolla-ansible: Fix ceilometer not sending logs to heka https://review.openstack.org/400168	10:33
kollabot	Gerrit Code Review	10:33
*** senk has joined #openstack-kolla		10:35
*** athomas has quit IRC		10:36
*** senk has quit IRC		10:36
*** senk has joined #openstack-kolla		10:36
*** senk has quit IRC		10:37
*** bachp has joined #openstack-kolla		10:41
*** athomas has joined #openstack-kolla		10:41
openstackgerrit	howard lee proposed openstack/kolla: Fix few typos in doc https://review.openstack.org/400174	10:43
kollabot	Gerrit Code Review	10:43
*** Oscarl has joined #openstack-kolla		10:44
*** portdirect_away is now known as portdirect		10:44
*** duonghq has quit IRC		10:51
*** Oscarl has quit IRC		10:58
openstackgerrit	Vladislav Belogrudov proposed openstack/kolla-ansible: Use kolla_internal_vip_address for glance_api servers https://review.openstack.org/400187	10:58
kollabot	Gerrit Code Review	10:58
*** tovin07_ has joined #openstack-kolla		11:05
*** msimonin has joined #openstack-kolla		11:09
openstackgerrit	Jeffrey Zhang proposed openstack/kolla-ansible: fix ci gate https://review.openstack.org/398501	11:26
kollabot	Gerrit Code Review	11:26
openstackgerrit	Jeffrey Zhang proposed openstack/kolla-ansible: Use tox to build gate images https://review.openstack.org/400051	11:27
kollabot	Gerrit Code Review	11:27
openstackgerrit	Jeffrey Zhang proposed openstack/kolla: Add octavia docker image https://review.openstack.org/399896	11:27
kollabot	Gerrit Code Review	11:27
*** sp__ has quit IRC		11:34
*** hkominos has joined #openstack-kolla		11:34
*** tovin07_ has left #openstack-kolla		11:34
hkominos	Hi guys. I am considering Kolla for a test deployment. Can you tell me if it will run on ARM ?	11:35
*** tovin07_ has joined #openstack-kolla		11:35
*** zhubingbing has joined #openstack-kolla		11:43
*** Jeffrey4l has quit IRC		11:45
portdirect	hkominos: dont think anyones tried that yet :)	11:46
portdirect	hkominos: but dont see any reason why it should'nt	11:47
*** sdake has joined #openstack-kolla		11:48
*** mliima has joined #openstack-kolla		11:49
mliima	morning guys	11:49
portdirect	morning :)	11:49
portdirect	mliima: you core?	11:50
mliima	yes, i'm	11:50
portdirect	cool :) if you could have alook at this: https://review.openstack.org/#/c/399033/2 I'm pretty keen to get it merged, as we can't sort out the thingas at the kolla end untill it is	11:51
kollabot	Gerrit Code Review	11:51
portdirect	I've just got zuul to have a look at it again	11:51
mliima	portdirect, i'm waiting recheck	11:53
mliima	ok?	11:53
portdirect	mliima: cool, cheers man :)	11:53
*** sdake_ has joined #openstack-kolla		11:54
*** sdake has quit IRC		11:56
sdake_	morning pepeps	12:00
egonzalez90	morning sdake_	12:01
portdirect	sdake_: do you sleep or just recharge? ;) also morning all!	12:03
sdake_	uhh went to bed at 10pm last ngiht	12:03
sdake_	its 5am now	12:03
sdake_	dunno 6-7 hrs is good for me	12:03
sdake_	7 hrs is ideal	12:03
*** senk has joined #openstack-kolla		12:04
sdake_	when i get 7 hrs i feel competley ready to go for the day	12:04
sdake_	6 hrs not as much	12:04
sdake_	5 hrs - grumpy :)	12:04
sdake_	how old are ya portdirect	12:04
*** dave-mccowan has joined #openstack-kolla		12:04
sdake_	when you get older you need less sleep	12:04
sdake_	i'm 42	12:04
sdake_	dave-mccowan rareo u in	12:04
portdirect	32 going on 14... though I know that one - I was doing the Mad Scientist schedule untill recently, though find 6 hours sorts me out atm.	12:06
dave-mccowan	hi sdake_	12:06
sdake_	dave-mccowan i've got a question relate to external tls	12:06
sdake_	actually it cme from someone doing a deployment	12:06
sdake_	do you ahve a moment for me to explain?	12:06
dave-mccowan	sure	12:06
sdake_	they have a private network .70.z	12:06
sdake_	and a public network .4.z	12:07
sdake_	sorry	12:10
sdake_	got distracted	12:10
sdake_	so on their public network they have their neturon network interface	12:10
sdake_	and intend to serve via a VIP and floating IP range users	12:10
sdake_	on the .4.z network	12:10
sdake_	they have two interfaces in their box	12:10
sdake_	and a real router connecting .70.z and .4.z	12:11
sdake_	not like some software route or something, but a real hardware router	12:11
sdake_	forgot the brand name	12:11
sdake_	does that model work?	12:11
*** rhallisey has joined #openstack-kolla		12:13
*** shardy is now known as shardy_lunch		12:14
sdake_	dave-mccowan ^^	12:14
sdake_	actually it should because the controller nodes are different then the compute	12:15
sdake_	as long as the network node is differnet, i think haproxy would work properly	12:16
sdake_	thoughts?	12:16
rhallisey	brb	12:17
sdake_	egonzalez90 can i get acks on	12:17
sdake_	https://review.openstack.org/399600	12:17
kollabot	Gerrit Code Review	12:17
sdake_	https://review.openstack.org/#/c/399582/	12:17
kollabot	Gerrit Code Review	12:17
sdake_	reviews on the second ^^	12:17
sdake_	pbourke ^^	12:17
-openstackstatus- NOTICE: We are currently having capacity issues with our ubuntu-xenial nodes. We have addressed the issue but will be another few hours before new images have been uploaded to all cloud providers.		12:19
dave-mccowan	sdake_ i'm thinking. it doesn't seem like a great idea, but i'm still trying to work out why.	12:20
*** Pavo has quit IRC		12:21
sdake_	dave-mccowan why = neutron takes over the interface, so keepalived can not bind a vip on the .4 interface	12:21
*** Pavo has joined #openstack-kolla		12:21
sdake_	since there is no .4 interface ever setup	12:21
sdake_	how else would someone connect to the external vip?	12:22
sdake_	via a third party hardware gateway?	12:22
dave-mccowan	sdake_ there's a warning in globals.yaml comment not to assign an ip address on the neutron_external_interface.	12:23
*** msimonin has quit IRC		12:24
dave-mccowan	sdake_ i think what you described has the kolla_external_vip_address on the same interface as the neutron_external_interface	12:24
sdake_	thats correct	12:24
sdake_	dave-mccowan i guess at issue is whre to put the external vip	12:31
sdake_	if we put it on the .70 net, how to access from the external network (which is .4)	12:31
*** tonanhngo has joined #openstack-kolla		12:32
*** tonanhngo has quit IRC		12:35
*** magicboiz has quit IRC		12:38
*** liyifeng has quit IRC		12:39
dave-mccowan	sdake_ The goal seems to make sense: The kolla external vip needs to be routable from a public space. The per-tenant neutron routers need a subnet that is routable from a public space. I think the two need to be on separate subnets though. if an operator is constrained to a /24, i think they could slice it into two subnets to make it work.	12:41
*** Jeffrey4l has joined #openstack-kolla		12:41
*** yingjun has joined #openstack-kolla		12:42
sdake_	he has a /22	12:42
dave-mccowan	britthouser would know	12:42
sdake_	dave-mccowan thanks a bunch	12:43
sdake_	dave-mccowan if v1k0d3n asks, i sent him your way, i'd tell him that one liner	12:43
sdake_	and point him at britt :)	12:43
* dave-mccowan scrolling back. was he also asking for TLS on the internal network?		12:44
sdake_	pavo did say in linux you can't have two subnets on the same interface	12:44
sdake_	ye was indeed	12:44
sdake_	which we don't implement	12:44
dave-mccowan	sdake_ yep	12:45
*** Jeffrey4l has joined #openstack-kolla		12:45
sdake_	confirming pavo's assertion?	12:45
sdake_	i honestly dont know :)	12:45
sdake_	I guess I should get qualified in this area	12:45
sdake_	but it seems so pointless	12:46
sdake_	million people at cisco know networking way better then me	12:46
*** Jeffrey4l has quit IRC		12:47
portdirect	sdake_: you can have more than one subnet per interface	12:49
*** Jeffrey4l has joined #openstack-kolla		12:49
*** sp_ has quit IRC		12:50
*** senk_ has joined #openstack-kolla		12:51
*** senk has quit IRC		12:51
*** Jeffrey4l has quit IRC		12:52
*** Jeffrey4l has joined #openstack-kolla		12:52
*** tonanhngo has joined #openstack-kolla		12:54
*** senk has joined #openstack-kolla		12:55
*** tonanhngo has quit IRC		12:55
*** senk_ has quit IRC		12:56
*** yingjun has quit IRC		12:59
*** prameswar has quit IRC		12:59
*** yingjun has joined #openstack-kolla		13:00
*** sdake has joined #openstack-kolla		13:04
*** yingjun has quit IRC		13:04
*** yingjun has joined #openstack-kolla		13:06
*** sdake_ has quit IRC		13:07
*** shardy_lunch is now known as shardy		13:07
openstackgerrit	Li Yingjun proposed openstack/kolla-ansible: Fix network configuration for cloudkitty https://review.openstack.org/400011	13:08
kollabot	Gerrit Code Review	13:08
*** tonanhngo has joined #openstack-kolla		13:15
*** matrohon has quit IRC		13:15
*** tonanhngo has quit IRC		13:16
*** matrohon has joined #openstack-kolla		13:16
*** yingjun has quit IRC		13:21
*** yingjun has joined #openstack-kolla		13:21
openstackgerrit	Mauricio Lima proposed openstack/kolla: Add a section regarding share migration https://review.openstack.org/399715	13:21
kollabot	Gerrit Code Review	13:21
openstackgerrit	Mauricio Lima proposed openstack/kolla: Add a section regarding share migration https://review.openstack.org/399715	13:22
kollabot	Gerrit Code Review	13:22
*** lamt has joined #openstack-kolla		13:24
*** yingjun has quit IRC		13:25
*** Jeffrey4l has quit IRC		13:26
*** tonanhngo has joined #openstack-kolla		13:35
*** eaguilar has joined #openstack-kolla		13:36
*** srwilkers has joined #openstack-kolla		13:36
srwilkers	good morning everyone	13:36
*** tonanhngo has quit IRC		13:37
*** v1k0d3n has joined #openstack-kolla		13:38
portdirect	o/	13:44
*** eaguilar_ has joined #openstack-kolla		13:45
*** eaguilar has quit IRC		13:46
*** mdnadeem has quit IRC		13:47
*** skramaja_ has joined #openstack-kolla		13:53
*** skramaja has quit IRC		13:54
openstackgerrit	Mauricio Lima proposed openstack/kolla: Add a section regarding share migration https://review.openstack.org/399715	13:59
kollabot	Gerrit Code Review	13:59
*** tonanhngo has joined #openstack-kolla		13:59
*** tonanhngo has quit IRC		14:02
*** inc0 has joined #openstack-kolla		14:03
inc0	good morning	14:04
*** v1k0d3n has quit IRC		14:05
*** eaguilar_ has quit IRC		14:05
*** v1k0d3n has joined #openstack-kolla		14:08
mliima	morning inc0	14:08
*** sp__ has joined #openstack-kolla		14:09
v1k0d3n	morning all	14:13
*** magicboiz has joined #openstack-kolla		14:15
*** fguillot has joined #openstack-kolla		14:15
*** tonanhngo has joined #openstack-kolla		14:15
*** tonanhngo has quit IRC		14:16
sdake	v1k0d3n sup	14:17
sdake	tlaked to dave-mccowan this morning	14:17
sdake	v1k0d3n he siad what you want may work - I think he siad you need to split up your /22 into two subnets	14:17
sdake	one for the VIP	14:17
sdake	and one for the floating network	14:17
sdake	if I parsed him correctly	14:18
sdake	he said britthouser would know for sure	14:18
sdake	sup inc0	14:18
sdake	inc0 say - re the plugins in ansible for roles	14:18
sdake	inc0 did the ansible cats give positive feedback on the idea or what?	14:18
inc0	sdake, no feedback whatsoever	14:18
sdake	didn't you present it in a meeting?	14:19
sdake	i thought you said it went well?	14:19
inc0	on meeting feedback was ok	14:19
inc0	asked me to make PR to start discussion	14:19
sdake	cool well thats where it matters	14:19
inc0	PR is crickets	14:19
sdake	roger	14:19
sdake	so is your PR complete and high quality?	14:19
inc0	no, it's PoC	14:19
sdake	cool	14:20
inc0	but I don't want to work on idea that's bad, so I'd love some feedback about general arch	14:20
sdake	amybe thats why its crickets	14:20
sdake	did you try asking on #ansible-devel?	14:20
inc0	not last week, too crazy	14:20
sdake	right	14:20
inc0	I'll come back to the topic when we'll solve immediate issues	14:20
inc0	like gates	14:20
*** Pavo has quit IRC		14:21
sdake	right - good point	14:21
sdake	just wondering where that work was :)	14:21
*** Pavo has joined #openstack-kolla		14:21
sdake	like what state it was in	14:21
sdake	our repo split has consumed most eveyrone for a week or more	14:21
sdake	can I get some reviews on this 1 liner: https://review.openstack.org/#/c/399600/1	14:22
kollabot	Gerrit Code Review	14:22
*** hkominos has quit IRC		14:22
dave-mccowan	sdake v1k0d3n yea, i don't think you want your kolla_external_vip_address inside your neutron tenant router subnet, but if you split your address space into two subnets, you can put them both within your reserved /22.	14:24
* sdake hates modifyign README.md - always lots of comments :)		14:25
sdake	inc0 mind weighing your thoughts on https://review.openstack.org/#/c/399600/1	14:25
kollabot	Gerrit Code Review	14:25
sdake	so i can get em all done at once	14:25
sdake	rhallisey mind weighing your thoughts on https://review.openstack.org/#/c/399600/1 so i can get it done all at once	14:25
kollabot	Gerrit Code Review	14:25
inc0	sdake, what more do you need there?	14:25
sdake	inc0 did you already leave a comment?	14:26
sdake	inc0 just a review - so i dont have to go over it again and again :)	14:26
inc0	you remove docker dir from kolla-ansible	14:26
inc0	my comment was +2	14:26
sdake	oh	14:26
sdake	wrong review	14:26
sdake	sorry	14:26
v1k0d3n	sorry dave-mccowan just getting started...scrum meeting. one sec, i will read back	14:26
sdake	moment	14:26
sdake	https://review.openstack.org/#/c/399582/	14:27
kollabot	Gerrit Code Review	14:27
sdake	inc0 rhallisey ^	14:27
*** Bico_Fino has joined #openstack-kolla		14:27
*** kbyrne has quit IRC		14:27
*** kbyrne has joined #openstack-kolla		14:28
*** yingjun has joined #openstack-kolla		14:29
*** zhongshengping has joined #openstack-kolla		14:29
*** newmember has joined #openstack-kolla		14:30
*** yingjun has quit IRC		14:30
*** zhongshengping has quit IRC		14:30
v1k0d3n	so dave-mccowan i can create as many networks as i want. should i have three interfaces? i really just want external users to have access to horizon with TLS, and internal admins to also access horizon over a different link (with TLS) so i can split endpoint API's (admin vs what users need, nova claims, nuetron claims, etc).	14:30
*** yingjun has joined #openstack-kolla		14:30
*** zhongshengping has joined #openstack-kolla		14:30
v1k0d3n	dave-mccowan i think sdake was saying something about TLS could only be on one interface because an "internal" interface was assumed to be trusted?	14:32
*** rhallisey has quit IRC		14:32
v1k0d3n	i don't remember honestly...i most likely misunderstood that.	14:32
dave-mccowan	v1k0d3n so i guess there are two questions. one about neutron managed subnets and one about admin interfaces?	14:33
*** tonanhngo has joined #openstack-kolla		14:33
*** zhongshengping has quit IRC		14:33
openstackgerrit	Merged openstack/kolla-ansible: Remove docker reference related to bandit from tox.ini https://review.openstack.org/399600	14:33
kollabot	Gerrit Code Review	14:33
*** tonanhngo has quit IRC		14:34
v1k0d3n	dave-mccowan: yes.	14:34
v1k0d3n	so here is what things look like on my end...	14:34
*** rhallisey has joined #openstack-kolla		14:34
dave-mccowan	v1k0d3n let's talk about the two things separately to make sure we don't confuse/conflate the two.	14:35
*** yingjun has quit IRC		14:35
v1k0d3n	192.168.4.0/22 << needs to be the "public" network.	14:35
v1k0d3n	as in addresses are handed out by that pool.	14:35
dave-mccowan	v1k0d3n so that's the neutron managed subnet?	14:35
v1k0d3n	i am just assigning those directly to the instances.	14:35
britthouser	So the 192.168.4.0/22 are assigned to instances, not any of the underlying servers or VIPs?	14:37
v1k0d3n	on my "real" router....a ubiquiti edgerouter pro....i have a single interface (eth4) connected with a 4.1 address. neutron is connected via "flat" and hands out dhcp to instances on taht subnet.	14:37
britthouser	so this is technically called “provider” network	14:38
v1k0d3n	britthouser: this is what i'm really trying to understand.	14:38
v1k0d3n	yes, that's provider...correct.	14:38
v1k0d3n	192.168.70.x is where admins connect to horizon.	14:38
v1k0d3n	endpoints to control users, ssh to the AIO host, etc.	14:39
v1k0d3n	management traffic for admin.	14:39
v1k0d3n	if i need another interface...fine. but that's the setup currently.	14:39
v1k0d3n	if i need another interface for outside users, than fine. originally i was going to put them on provider, with SSL (my misunderstanding of course), but i was going to have outside users connect to 4.25	14:40
britthouser	so you’re trying do both of those subnets on the same networking interface?	14:40
*** senk has quit IRC		14:40
*** jtriley has joined #openstack-kolla		14:40
sdake	britthouser yup - this is where I get stuck :)	14:40
v1k0d3n	i think that question is going to lead to confusion. these are separate interfaces.	14:40
dave-mccowan	v1k0d3n for server admin stuff (ssh) you need a real address on an interface. for horizon connectivity you need a VIP address that keepalived and haproxy manages to you can load balance across controller nodes.	14:40
v1k0d3n	i'm not even sure how or where that idea came from sdake...i never mentioned they were same interface.	14:41
sdake	v1k0d3n em2 = neutron interface = your .4 network?	14:41
sdake	britthouser thanks btw ;)	14:42
v1k0d3n	em2 is currently 4.x/22, correct.	14:42
sdake	britthouser know ure busy with othe rthings	14:42
britthouser	my pleasure sdake. :smiley:	14:42
sdake	britthouser rescue us in this scenario please ;)	14:42
britthouser	so you cn do it on the same physical interface, you’d just have to do some extra bridge setup on the host. But it sounds like that is not the path you’re heading down?	14:43
sdake	britthouser directions plz	14:43
sdake	v1k0d3n sounds like you need some extra brige setup, so sounds like it is possible	14:44
sdake	britthouser note v1k0d3n is on ubuntu	14:44
sdake	britthouser not sure if your familiar with their networking scripts on that platform	14:44
v1k0d3n	britthouser i can do either. i suggested to sdake that for AIO hosts...just do these things by default and use bridging interfaces...so that users are in question in the future. similar to OSA.	14:45
sdake	britthouser if not, a descripton would help ;)	14:45
v1k0d3n	OSA does a good job of this. "you have a single interface and you're new to the project....GREAT...let's set this up using bridging".	14:45
sdake	v1k0d3n i do not make up the entirety of the kolla community - this is somethign that should probablybe recordedi na blueprint	14:45
britthouser	I’m reading the scrollback, but still not 100% clear on the ask. Can you restate real quick?	14:45
inc0	v1k0d3n, bridging part usually gets people lost in intial OSA	14:46
sdake	britthouser how do you setup the bridge interfaces to support em2 = neutron = .4 = running vip = running horizon	14:46
inc0	it's really non-trivial to get bridging work	14:46
sdake	ya kolla as a project sort of punts on advanced networking configuration	14:48
sdake	i dont know if that is the right answer	14:48
sdake	but thats what happens today	14:48
britthouser	So lets start here: <http://docs.openstack.org/security-guide/_images/1aa-network-domains-diagram.png>	14:48
britthouser	What you’re asking is that the “external” and the API be bridged together/	14:49
sdake	britthouser keep in mind he is on an AIO install	14:50
sdake	britthouser v1k0d3n also has two network interfaces	14:50
*** prameswar has joined #openstack-kolla		14:50
sdake	the two network interfaces are connected via a real hardware router	14:50
sdake	i think that diagram is cool, but thats a "real" deployment	14:51
sdake	the diagram is how i'd setup openstack, but i'd have a seprate network for ceph	14:51
sdake	sbezverk_	14:51
sdake	v1k0d3n so sbezverk_ is a super networking nerd	14:52
britthouser	Yeah, but its a good starting point to talk about what networks are needed. And then its just a matter of deciding which networks you want to combine on to the same interface	14:52
sdake	v1k0d3n i'm sure him and britt can get ou rolling :)	14:52
britthouser	i.e. where todo the host bridging	14:52
britthouser	so looking at that diagram, v1k0d3n, which two networks are you wanting to bridge together?	14:53
sdake	britthouser end goal is running external TLS on .4 network	14:53
sdake	running internal haproxy on .70	14:53
britthouser	ok so external TLS = .4 = API network	14:53
sdake	haproxy needs an interface to bind its VIP to in the .4 network	14:54
britthouser	internal haproxy = .70 = mgmt interface	14:54
*** tonanhngo has joined #openstack-kolla		14:54
sdake	unforutnately i think our api network and mgmt network are the same thing :)	14:54
britthouser	and then bridge the neutron network onto the API it sounds like, right?	14:54
sdake	in v1k0d3n's case, the API network is on .70	14:55
*** tonanhngo has quit IRC		14:55
britthouser	Yeah I think in Kolla’s default config, the API/mgmt are not seperated.	14:56
sdake	there is no mgmt interface	14:56
britthouser	but is there a spoon? =P	14:56
sdake	everything binds to the api network	14:57
*** newmember has quit IRC		14:57
sdake	which is typically em1 or eth0	14:57
sdake	or whatever other madness dbus spits out	14:57
britthouser	yup makes sense.	14:57
britthouser	and then em2/eth1 is for neutron tenant networks	14:58
*** ppalacios has joined #openstack-kolla		14:58
sdake	right	14:58
britthouser	i.e. “guest” in that diagram	14:58
britthouser	so is v1k0d3n wanting to have two subnets on kolla’s em1/eth0?	14:59
sdake	i think two on em2	14:59
sdake	one for external_VIP	14:59
sdake	and oen for his floating range	14:59
sdake	em1 = api network = insecure = hidden from outside world	14:59
*** prameswar has quit IRC		15:00
britthouser	just keeping with the terminology from the diagram: em1 = mgmt network = insecure = hidden from outside world.	15:00
britthouser	and he wants to put API and external on the same network.	15:00
britthouser	that is doable.	15:00
britthouser	by convention, the external interface is attached to a bridge named br-ex	15:01
britthouser	doesn’t have to be named br-ex, but it almost always is	15:01
sbezverk_	britthouser: for AIO scenario that is what I always use	15:02
*** gfidente has quit IRC		15:02
sbezverk_	britthouser: I disable haproxy with keepalived and use management ip for all services, like horizon etc..	15:03
britthouser	does that answer the question v1k0d3n?	15:04
sbezverk_	all you need is to plug openstack external interface to br-ex, the rest works automgically	15:05
*** gfidente has joined #openstack-kolla		15:06
*** gfidente has joined #openstack-kolla		15:06
*** skramaja_ has quit IRC		15:06
*** TxGirlGeek has joined #openstack-kolla		15:07
dave-mccowan	bringing this to globals.yml, we could pick an address on br-ex to assign for kolla_external_vip_address and give br-ex as the interface for neutron_external_interface?	15:09
dave-mccowan	britthouser ^^	15:10
sdake	sbezverk_ pls dont' reocommend haproxy for this scenario, v1k0d3n is using TLS (which demands haproxy)	15:11
*** senk has joined #openstack-kolla		15:11
sbezverk_	sdake: I see, never used tls in AIO scenario	15:11
v1k0d3n	sorry guys dealing with something. be back in a min then i can answer some of these questions.	15:11
sdake	sbezverk_ it does work	15:11
v1k0d3n	just got pulled into something.	15:11
*** saneax is now known as saneax-_-\|AFK		15:12
britthouser	I think so dave-mccowan.	15:12
*** Bico_Fino_ has joined #openstack-kolla		15:14
*** zhubingbing has quit IRC		15:15
*** Bico_Fino has quit IRC		15:15
*** Bico_Fino_ is now known as Bico_Fino		15:15
sdake	sbezverk_ it being TLS	15:15
dave-mccowan	v1k0d3n for your other question, kolla doesn't implement an option for two horizon endpoints. (that would be a good feature to add). if you log into horizon as a an admin, you get the admin dashboard. if you log into horizon as a project-admin, you get the project dashboard. but, it's the same endpoint for both.	15:15
sdake	sbezverk_ the problem is haproxy provides the TLS encoding/decoding	15:15
sdake	sbezverk_ so if you turn off haproxy, enable_tls doesn't work ;)	15:15
*** jtriley has quit IRC		15:15
*** tonanhngo has joined #openstack-kolla		15:17
*** tonanhngo has quit IRC		15:17
*** senk has quit IRC		15:19
sbezverk_	sdake: I got it the first time ;-) you commented about it.. all I said that I just never used it in this scenario..	15:19
sdake	sbezverk_ roger	15:20
*** Pavo has quit IRC		15:23
*** dmsimard is now known as dmsimard\|away		15:24
*** Pavo has joined #openstack-kolla		15:25
*** newmember has joined #openstack-kolla		15:29
*** Pavo has quit IRC		15:29
v1k0d3n	ok guys...catching up. sorry for the wait.	15:30
v1k0d3n	so in order... :)	15:31
*** Pavo has joined #openstack-kolla		15:32
v1k0d3n	inc0: bridging can throw people off, but there are two great things about OSA...abstraction around the interfaces (make them do whatever you want with bridging), and OSA AIO is rock solid...it just works even with a single interface. we could take this page from their book for only the AIO scenario (at least i think it would help users get started, and less questions about AIO about external/internal V	15:33
v1k0d3n	IPS).	15:33
inc0	yeah, I agree	15:33
inc0	but one difference is that in OSA you manually create bridges and whatnot	15:34
inc0	in Kolla it's Kolla	15:34
inc0	so we'd need to include brctl stuff to prerequirements	15:34
*** jtriley has joined #openstack-kolla		15:34
*** tonanhngo has joined #openstack-kolla		15:35
sdake	inc0 i think you missed this earlier where I said kolla sort of punts on advanced network config	15:35
sdake	inc0 i remember settign up the osic cluster...	15:35
sdake	getting bonding setup, getting vlans setup, all that stuff	15:36
sdake	kind of black magic	15:36
inc0	interface.vlantag works	15:36
sdake	i know it doess	15:36
inc0	yes, never gonna happen in Kolla	15:36
inc0	we don't bond/bridge/vlan-tag ifaces for you	15:36
inc0	neither is OSA tbh	15:36
sdake	ya just pointing out we punted in the past	15:36
inc0	Fuel is only deployment tool I know that kinda does that	15:36
sdake	wasn't making an argument for or against	15:36
v1k0d3n	ok back, read through (well, tried to follow) most of it.	15:37
*** tonanhngo has quit IRC		15:37
sdake	inc0 to me, it seems super tricky to get right	15:37
inc0	networking is hard	15:37
sdake	inc0 i had thought the host setup could do this at some point	15:37
inc0	most of the time	15:37
sdake	inc0 but networking is hard	15:37
sdake	right	15:38
sdake	jinx :)	15:38
sdake	as my wife says "Your company didn't build their empire because networking was easy." :)	15:38
inc0	and keep in mind that we did really simple arch	15:38
sdake	inc0 i think kolla's network arch meets the requirements??	15:38
inc0	depends on requirements	15:39
v1k0d3n	ok. so	15:39
inc0	we still don't have calico	15:39
inc0	for exmaple	15:39
v1k0d3n	am i bridging here?	15:39
inc0	and v1k0d3n could say word or two about that part	15:39
sdake	britthouser v1k0d3n is about	15:39
inc0	or VNF	15:39
sdake	dave-mccowan v1k0d3n is about if your available to assist	15:39
inc0	v1k0d3n, please explain me what you want to do	15:39
v1k0d3n	oh for the love of god...VNF's.	15:39
*** Bico_Fino has quit IRC		15:40
v1k0d3n	ok, so looking at diagram britthouser and dave-mccowan...	15:40
sdake	v1k0d3n right one ping will do - it makes therir clients beep	15:40
sdake	v1k0d3n its meeting time at cisco unfortunately	15:40
v1k0d3n	sorry	15:40
portdirect	OVN is in progess - Just waiting on stable repos from the guys upstrem then I whould be ablt to drop that :D	15:41
sdake	US/EMEA crossover	15:41
sdake	v1k0d3n all good due	15:41
*** Pavo has quit IRC		15:41
sdake	v1k0d3n most cos that have distributed teams reserve the hours of 7am-10am pst for meetings	15:42
sdake	because of the US/EMEA timezone crossover	15:42
sdake	portdirect ovn is a replacement for ovs ?	15:43
*** Bico_Fino has joined #openstack-kolla		15:43
sdake	inc0 calico is a replacement for ovs?	15:43
inc0	sdake, totally differet things	15:43
*** Pavo has joined #openstack-kolla		15:43
inc0	both of time	15:43
portdirect	that was the original idea i think, but not anymore	15:43
sdake	portdirect right - that seemed like goal early on - where is it now?	15:44
v1k0d3n	oh boy...	15:44
v1k0d3n	this convo is going to get messy :)	15:44
inc0	yes, let's please not talk about these stuff at this moment	15:44
portdirect	yerp	15:45
v1k0d3n	lol!	15:45
inc0	ovn, nfv, vnf	15:45
inc0	vn seems like favorite letters to some	15:45
inc0	f is close third	15:45
britthouser	don’t forget nova has n and v as well.	15:46
sean-k-mooney	i think marketing people just like adding the letter v to things	15:46
v1k0d3n	AVI Networks.	15:47
v1k0d3n	v and n	15:47
v1k0d3n	:D	15:47
inc0	volla	15:47
inc0	nvolla	15:47
britthouser	did we answer your question v1k0d3n?	15:47
v1k0d3n	just kidding. that;'s different though.	15:47
inc0	or rather, vnolla	15:47
britthouser	vanilla - that should be the next SDN startup.	15:47
*** harlowja_at_home has joined #openstack-kolla		15:48
*** Pavo has quit IRC		15:48
inc0	v1k0d3n, sooo...again, what you were trying to achieve and had issues with	15:48
inc0	?	15:48
inc0	on networkign side?	15:48
v1k0d3n	ok...i have two interfaces on an AIO host. 192.168.4.x/22 and 192.168.70.x/24	15:48
sean-k-mooney	sdake: re ovn it is a contoler that sits ontop of ovs and replaces the neutron agents	15:48
v1k0d3n	tell me what to do with them. :-/	15:48
inc0	one api interface another one neutron external	15:49
v1k0d3n	i came from OSA...where you could pretty much assign anything to anything.	15:49
v1k0d3n	so i'm not sued to having limitations	15:49
v1k0d3n	used to bridging interfaces.	15:49
inc0	on l2 you still have flat networking on well..flat network	15:49
v1k0d3n	not sued. used :) totally different.	15:49
v1k0d3n	so the flat network is 192.168.4.0/22	15:50
v1k0d3n	since that is the provider network.	15:50
inc0	yeah, neutron_external_interface goes there	15:50
v1k0d3n	so that is "external".	15:50
v1k0d3n	ok	15:50
inc0	consider this	15:51
inc0	if you create flat network	15:51
v1k0d3n	we'll	15:52
v1k0d3n	sorry	15:52
inc0	it will require dedicated interface	15:52
v1k0d3n	before we get too into the weeds.	15:52
v1k0d3n	that's normal openstack, right?	15:52
inc0	yeah	15:52
inc0	that's neutron external interface	15:52
inc0	pretty much	15:52
v1k0d3n	sorry, juggling things and i'm trying to focus.	15:52
v1k0d3n	so does that get TLS?	15:52
*** unicell has quit IRC		15:53
inc0	TLS is irrelevant on this front, this is networking for VMs	15:53
*** unicell has joined #openstack-kolla		15:54
inc0	TLS will be important there: https://github.com/openstack/kolla/blob/master/doc/production-architecture-guide.rst#interface-configuration	15:54
kollabot	kolla/production-architecture-guide.rst at master · openstack/kolla · GitHub	15:54
inc0	kolla_external_vip_interface	15:54
inc0	has to exist on network node	15:54
inc0	defaults to api_iface	15:54
*** tonanhngo has joined #openstack-kolla		15:55
*** rhallisey has quit IRC		15:56
*** tonanhngo has quit IRC		15:56
*** gfidente has quit IRC		15:58
dave-mccowan	inc0 just a warning the kolla "api_interface" really sits on the management network in the diagram http://docs.openstack.org/security-guide/_images/1aa-network-domains-diagram.png, so conversations can get confusing due to that.	15:58
inc0	yeah, but other interfaces just defaults to this	15:59
inc0	you still can specify them	15:59
*** newmember has quit IRC		16:00
inc0	dave-mccowan, so tbh this diagram is not entirely accurate when we're talking about secure deployment	16:00
v1k0d3n	dave-mccowan: i see 4 interfaces in there?	16:00
v1k0d3n	or 4 nets, is that right?	16:01
britthouser	well that diagram comes from the security guide.....	16:01
dave-mccowan	v1k0d3n here's the "official" description of each http://docs.openstack.org/security-guide/networking/architecture.html	16:02
kollabot	OpenStack Docs: Networking architecture	16:02
sdake	inc0 i got v1k0d3n setup with tls earlier	16:05
sdake	inc0 the problem is the tls external endpoint is on the wrong network	16:05
* inc0 making accurate network diagram		16:06
sdake	inc0 to getit on the right network, i dont know how	16:06
sdake	inc0 because em2 = neutron network = external VIP ip	16:06
v1k0d3n	sdake: that was single interface.	16:08
v1k0d3n	now i need to add the provider i guess and that's it, right?	16:08
sdake	i don't know how to do what you want, britthouser probably does	16:09
sdake	you will probably have to create some bridges it sounds like	16:10
v1k0d3n	im getting so confused, i'll be honest	16:11
*** kristian__ has joined #openstack-kolla		16:11
sdake	v1k0d3n that is because you are doing something nobody has done before i suspect ;)	16:12
sdake	v1k0d3n i mean someone has probably done it, just not in this particular community	16:12
*** tonanhngo has joined #openstack-kolla		16:13
sdake	v1k0d3n wait until youcn connect with britthouser	16:13
kristian__	Hi. Is someone here experienced with gpu passthrough on openstack kolla here that can help me? More info is here https://bugs.launchpad.net/nova/+bug/1642419	16:13
openstack	Launchpad bug 1642419 in OpenStack Compute (nova) "GPU Passthrough isn't working" [Medium,New]	16:13
kollabot	Bug #1642419 “GPU Passthrough isn't working” : Bugs : OpenStack Compute (nova)	16:13
*** portdirect has quit IRC		16:13
*** tonanhngo has quit IRC		16:14
*** harbor has joined #openstack-kolla		16:14
*** harbor is now known as portdirect		16:14
sdake	kristian__ did i catch an offer ther to test it on your server?	16:15
sdake	kristian__ i'm not entirely sure how to get that to run but willing to take a look if you have an env setup	16:15
sdake	my servers dont have gpus	16:15
kristian__	sdake: If it would be possible you can try to set it up on my server	16:16
sdake	what do you need, public ssh key?	16:16
*** Pavo has joined #openstack-kolla		16:16
kristian__	yeah	16:16
inc0	sdake, dave-mccowan v1k0d3n https://drive.google.com/file/d/0B9SxQBJsT7y2bmtKNDM1ZVladEU/view?usp=sharing	16:16
kollabot	Untitled Diagram.html - Google Drive	16:16
*** unicell has quit IRC		16:17
*** unicell has joined #openstack-kolla		16:17
portdirect	sdake: i had a bit of a look yesterday and drew a blank - seems to be a libvirt issue of some sort, but i've not played with that shiz in ages :/	16:17
*** gfidente has joined #openstack-kolla		16:17
britthouser	they is realy fuzzy for some reason inc0 - I cant’ really read the words	16:17
openstackgerrit	Paul Bourke (pbourke) proposed openstack/kolla: Install neutron-lbaas in neutron-server https://review.openstack.org/393435	16:18
kollabot	Gerrit Code Review	16:18
inc0	open it in draw.io	16:18
kristian__	portdirect we will see if it will work	16:20
inc0	http://imgur.com/a/6bSK6 britthouser	16:20
kollabot	Imgur: The most awesome images on the Internet	16:20
portdirect	kristian__: hopefully - be a great thing to get documented	16:20
kristian__	or update the docs	16:21
openstackgerrit	Paul Bourke (pbourke) proposed openstack/kolla-ansible: Allow operators to use 'fallback mode' for Ceph disks https://review.openstack.org/398373	16:21
kollabot	Gerrit Code Review	16:21
kristian__	also how can I fix this if my quota is bigger than 40?	16:21
kristian__	Quota exceeded for cores: Requested 96, but already used 0 of 40 cores	16:21
kristian__	also I know but theoretically it should be possible	16:21
portdirect	kristian__: http://docs.openstack.org/admin-guide/cli-set-compute-quotas.html	16:22
kollabot	OpenStack Docs: Manage Compute service quotas	16:22
*** Pavo has quit IRC		16:23
dave-mccowan	inc0 looks good.	16:23
inc0	as you can see only network nodes has any exposure to internet	16:23
*** Pavo has joined #openstack-kolla		16:23
inc0	this is precisely why we run haproxy on network nodes	16:23
kristian__	portdirect: but that should be the same if I applied defaults from horizon or no?	16:24
*** sdake_ has joined #openstack-kolla		16:24
inc0	also I haven't add storage networking and trunked vlans there	16:24
inc0	but you get the general idea	16:24
dave-mccowan	inc0 and i've learned something. i've always considered network node and controller node on the same server. i didn't know kolla allowed them to be separate.	16:24
portdirect	kristian__: I dont really use horizon for any admin stuff - so not sure what you can do there. sorry	16:25
Pavo	morning everyone	16:25
kristian__	ok	16:25
kristian__	will try it from cli	16:25
Pavo	ok need someone to test ddi.hopto.org and tell me if they can get to it please	16:25
inc0	dave-mccowan, you can modify nodes your services run on any way you like	16:25
inc0	Pavo, horizon looks good:)	16:25
Pavo	ok think I figured the issue out	16:25
Pavo	so when I use kolla external vip it doesn't go through	16:26
Pavo	but when I port forward to kolla internal vip it works	16:26
Pavo	no firewalls or ACLs	16:26
*** sdake has quit IRC		16:27
Pavo	so something is being configured wrong by kolla on external vip	16:27
Pavo	or the containers are being configured wrong for networking somehow	16:27
*** jgriffith has quit IRC		16:28
Pavo	because I can see people request when I am port forwarding to the external vip but nothing is going back to them	16:28
inc0	Pavo, soo...external vip should land on network node	16:28
*** sdake has joined #openstack-kolla		16:28
inc0	check if it's there	16:28
Pavo	yes it should	16:28
inc0	on correct interface	16:28
Pavo	yeap	16:28
inc0	ip a should show it	16:28
Pavo	this is network/controller node	16:29
Pavo	http://paste.openstack.org/show/589901/	16:29
kollabot	Paste #589901 \| LodgeIt!	16:29
Pavo	kolla internal vip is 192.168.4.250, kolla external vip is 192.168.1.250	16:29
inc0	ok, so IPs are correct	16:29
Pavo	I have my external vip on interface eth4	16:29
inc0	mind checking haproxy conf?	16:30
Pavo	how?	16:30
inc0	docker exec -it haproxy bash	16:30
Pavo	ok now?	16:30
inc0	cat /etc/haproxy/haproxy.cfg	16:30
inc0	we should have both endpoints configured there	16:31
inc0	for each service	16:31
*** sdake_ has quit IRC		16:31
inc0	with TLS configuration on external	16:31
Pavo	http://paste.openstack.org/show/589903/	16:31
kollabot	Paste #589903 \| LodgeIt!	16:31
Pavo	no TLS yet	16:31
Pavo	until I figure this out then I will turn TLS on	16:31
inc0	well, check for example if you have keystone_external setup	16:32
Pavo	don't know what you mean by that	16:32
inc0	https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/haproxy/templates/haproxy.cfg.j2#L64	16:33
kollabot	kolla-ansible/haproxy.cfg.j2 at master · openstack/kolla-ansible · GitHub	16:33
inc0	I see some more magic done to Horizon	16:34
Pavo	this is my haproxy conf	16:34
Pavo	http://paste.openstack.org/show/589903/	16:34
kollabot	Paste #589903 \| LodgeIt!	16:34
*** tonanhngo has joined #openstack-kolla		16:34
*** tonanhngo has quit IRC		16:35
inc0	192.168.3.3:80 <- is this right?	16:35
Pavo	not for external	16:35
Pavo	external is 192.168.1.250	16:35
inc0	but for interlan?	16:35
inc0	internal	16:35
Pavo	no	16:35
Pavo	thats API	16:35
Pavo	OpenStack API is 192.168.3.0	16:35
Pavo	management is 192.168.4.0	16:36
Pavo	external is 192.168.1.0	16:36
inc0	but your controller is 3.3 right?	16:36
inc0	so that should be fine	16:36
inc0	although that means your internal vip might be incorrect	16:36
Pavo	for openstack api yes controller/network node is 192.168.3.3	16:36
inc0	internal vip address should be in api network	16:37
Pavo	really?	16:37
inc0	yeah, this is API endpoint	16:37
Pavo	I thought it was for management access	16:37
inc0	we don't really touch your mgmt	16:37
Pavo	hmmm ok	16:37
Pavo	let me reconfigure	16:37
inc0	so this will be address nova will talk to neutron with	16:37
Pavo	one sec	16:37
inc0	but I doubt it's an issue here	16:38
inc0	do ss -plant \| grep 80 later plz	16:38
Pavo	on controller/network?	16:38
*** portdirect is now known as portdirect_away		16:38
inc0	check if there is stuff listening on 192.168.1.250:80	16:38
inc0	yeah	16:38
Pavo	doesn't look like it	16:39
Pavo	http://paste.openstack.org/show/589909/	16:40
kollabot	Paste #589909 \| LodgeIt!	16:40
Pavo	wait there is	16:40
Pavo	http://paste.openstack.org/show/589910/	16:40
kollabot	Paste #589910 \| LodgeIt!	16:40
Pavo	I did a ss -plant \| grep 192.168.1.250 instead	16:41
inc0	yeah	16:41
inc0	soo	16:41
Pavo	LISTEN 0 128 192.168.1.250:80 : users:(("haproxy",pid=19869,fd=23))	16:41
inc0	horizon is being listened on	16:41
inc0	check logs if you access 192.168.1.250	16:41
Pavo	I can access horizon on both 192.168.1.250 and 192.168.4.250	16:41
inc0	horizon access log should show something	16:41
inc0	ok so what was the issue?:)	16:41
Pavo	I can only access horizon on 192.168.1.250 internally	16:42
*** jascott1 has joined #openstack-kolla		16:42
Pavo	not when I port forward from outside	16:42
Pavo	but when I port forward from outside to 192.168.4.250 I can access it	16:42
inc0	hmm...	16:43
Pavo	exactly	16:43
Pavo	:P	16:43
Pavo	beating my head around this	16:43
Pavo	see check this, try ddi.hopto.org again	16:43
Pavo	I have it port forwarding to 192.168.1.250	16:44
Pavo	can you access it?	16:44
inc0	Pavo, try to add this line https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/haproxy/templates/haproxy.cfg.j2#L191	16:44
kollabot	kolla-ansible/haproxy.cfg.j2 at master · openstack/kolla-ansible · GitHub	16:44
inc0	to external endpoint declaration	16:44
Pavo	ummm how would I do that?	16:44
inc0	https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/haproxy/templates/haproxy.cfg.j2#L212	16:46
kollabot	kolla-ansible/haproxy.cfg.j2 at master · openstack/kolla-ansible · GitHub	16:46
inc0	above this line in your kolla-ansible installation dir;)	16:46
Pavo	so add http-request del-header X-Forwarded-Proto above bind {{ kolla_external_vip_address }}:80	16:47
Pavo	is that what you are wanting me to do inc0?	16:48
inc0	sorry, below this line	16:48
inc0	but otherwise yeah	16:48
inc0	and it probably doesn't matter above or below	16:49
Pavo	so.... add http-request del-header X-Forwarded-Proto below bind {{ kolla_external_vip_address }}:80	16:49
inc0	yeah	16:49
Pavo	ok done gonna reconfigure really quick	16:49
Pavo	should I also change my internal vip to my 3.0network?	16:50
Pavo	or leave that right now to test this?	16:50
inc0	it should work either way	16:50
Pavo	ok one sec	16:50
inc0	but later yeah, I'd change that as well	16:51
Pavo	its running reconfigure	16:51
Pavo	reconfigure whould allow this change correct?	16:52
Pavo	I shouldn't have to destory and edeploy?	16:53
Pavo	redeploy?	16:53
*** Satya_ has joined #openstack-kolla		16:53
inc0	nah	16:53
Pavo	ok	16:53
*** rhallisey has joined #openstack-kolla		16:53
*** tonanhngo has joined #openstack-kolla		16:54
*** tonanhngo has quit IRC		16:55
Satya_	Hi	16:56
Satya_	anyone please traige https://bugs.launchpad.net/kolla-ansible/+bug/1642878	16:57
openstack	Launchpad bug 1642878 in kolla-ansible "RabbitMQ should communicate through a different network rather than api_network" [Undecided,Confirmed] - Assigned to Satya Sanjibani Routray (satroutr)	16:57
kollabot	Bug #1642878 “RabbitMQ should communicate through a different ne...” : Bugs : kolla-ansible	16:57
Pavo	ok inc0 done can you access ddi.hopto.org?	16:58
v1k0d3n	so inc0 sdake any updates on what i need to do?	16:59
v1k0d3n	inc0: had a little issues looking at your digram.	16:59
v1k0d3n	diagram	16:59
egonzalez90	Pavo: I can't	16:59
Pavo	ok one sec lets switch port forward to internal vip and see if you can	17:00
egonzalez90	Connected to ddi.hopto.org (75.76.141.226) port 80	17:00
egonzalez90	but curl -vvv connects	17:00
*** harlowja_at_home has quit IRC		17:00
Pavo	try agai please	17:00
egonzalez90	but dont retrieve horizon	17:00
inc0	nope:/	17:00
inc0	v1k0d3n, what issues?	17:01
Pavo	ok so that didn't work	17:01
Pavo	let me destroy, reboot and redeploy	17:01
inc0	Pavo, also play around this config	17:01
inc0	it seems like this is an issue	17:01
inc0	and check horizon logs	17:01
Pavo	the haproxy?	17:02
egonzalez90	can you access to keystone from external vip?	17:02
inc0	yeah, I'd bet	17:02
Pavo	ok	17:02
sdake	this is BDWNF in 3.0.1: [WARNING]: Unable to find '/etc/kolla/config/keystone/domains' in expected paths.	17:02
Pavo	what does that mean sdake?	17:03
*** egonzalez90 has quit IRC		17:07
v1k0d3n	sorry. my mornings are depressingly busy. so i wasn't able to follow along.	17:09
britthouser	so v1k0d3n - looking that teh diagram inc0 sent. The one difference if is you are doing provider instead of floating IP, right?	17:10
britthouser	So if you did floating IP, you could use the same subnet for both your external VM acces and your external (TLS) API access, b/c they would both be on network node.	17:11
v1k0d3n	britthouser: correct.	17:11
*** tovin07_ has quit IRC		17:11
v1k0d3n	in fact provider can be float in this case	17:11
britthouser	But with provider networks, those go straight to compute node and by-pass the network node	17:11
*** bmace has quit IRC		17:11
britthouser	so it seems like you’re only option left is to put both TLS and non TLS on same network.	17:11
*** bmace has joined #openstack-kolla		17:12
britthouser	does that make sense?	17:12
v1k0d3n	ok, let's back up a second	17:12
v1k0d3n	i can add an interface	17:12
v1k0d3n	let's say i have the most perfect amount of interfaces needed.	17:12
v1k0d3n	typically openstack = 4, right?	17:12
v1k0d3n	not including special cases like vxlan, etc.	17:12
inc0	more for storage;)	17:13
v1k0d3n	well, yes.	17:13
inc0	well, what you want to do is to add TLS interface on node where haproxy lives	17:13
inc0	in short	17:13
Pavo	oh btw I am getting this during deploy with 3.0.1	17:13
Pavo	http://paste.openstack.org/show/589914/	17:13
kollabot	Paste #589914 \| LodgeIt!	17:13
*** tonanhngo has joined #openstack-kolla		17:14
britthouser	Yeah if you can make your host look like the diagram, then all the better.	17:14
inc0	Pavo, mind adding bug to resolve this deprecation?	17:14
Pavo	sure if you walk me through how to do a bug report	17:15
Pavo	lol	17:15
Pavo	I know I'm sad	17:15
britthouser	if not, then you’l have to setup some bridging to combine segments. But not all segments combine, as we see with provider/API	17:15
*** tonanhngo has quit IRC		17:15
inc0	Pavo, https://bugs.launchpad.net/kolla	17:16
kollabot	Bugs : kolla	17:16
inc0	top-right corner -> report a bug	17:16
britthouser	inc0 - we should really have that diagram in our guides. The API networking living on network node is definitely more secure, but definitely nonstandard.	17:16
rhallisey	hi kollabot	17:16
rhallisey	..	17:17
inc0	britthouser, agree, I'll extend it with storage networking and provider networks and upload it somewhere	17:17
britthouser	And if we can use the same network names as the security guide, I think it would be less confusing to people coming to kolla from other distros.	17:17
britthouser	sounds great inc0	17:17
inc0	britthouser, yeah but then we'd need to translate it to our nomenclature	17:17
rhallisey	sdake, you didn't give kollabot much brains	17:17
Pavo	ok think I did it right	17:18
Pavo	https://bugs.launchpad.net/kolla/+bug/1643633	17:18
openstack	Launchpad bug 1643633 in kolla "DEPRECATION WARNING during deployment" [Undecided,New]	17:18
kollabot	Bug #1643633 “DEPRECATION WARNING during deployment” : Bugs : kolla	17:18
sdake	rhallisey that wasn't my doing :)	17:18
inc0	yup Pavo looks good	17:18
inc0	neither was mine	17:18
inc0	kollabot is something I found out myself today	17:18
rhallisey	kollabot, what is the answer to life, universe and everything?	17:19
Pavo	lol	17:20
rhallisey	that's a bug..	17:20
*** matrohon has quit IRC		17:21
jascott1	kollabot wfa what is the answer to life the universe and everything?	17:22
kollabot	Input interpretation Answer to the Ultimate Question of Life, the Universe, and Everything	17:22
kollabot	Result 42	17:22
kollabot	(according to the book The Hitchhiker's Guide to the Galaxy, by Douglas Adams)	17:22
Pavo	nice	17:22
jascott1	rhallisey if you say kollabot help it will pm you with commands	17:23
Pavo	ok redeployment done	17:23
jascott1	i dont think worlfram is listed but its 'wfa' prefix	17:23
rhallisey	ha	17:23
rhallisey	nice!	17:23
Pavo	but still no access to external vip from outside	17:23
*** kollabot has quit IRC		17:24
Pavo	and now no access to internal vip from outside	17:24
*** kollabot has joined #openstack-kolla		17:24
Pavo	inc0 how do I access horizon logs	17:25
inc0	/var/lib/docker/volumes/kolla_logs/_data	17:25
rhallisey	kollabot wfa hi	17:25
kollabot	Input interpretation Hello.	17:25
kollabot	Response Hello, human.	17:25
rhallisey	:)	17:26
*** Serlex has quit IRC		17:26
Pavo	inc0 /var/lib/docker/volumes/kolla_logs/_data/horizon/horizon-access.log is blank	17:27
inc0	ehh, always something:(	17:28
Pavo	and inc0 /var/lib/docker/volumes/kolla_logs/_data/horizon/horizon.log only shows this http://paste.openstack.org/show/589920/	17:29
kollabot	Paste #589920 \| LodgeIt!	17:29
*** Serlex has joined #openstack-kolla		17:29
Pavo	lol wtf is Dashboard with slug "developer" is not registered	17:29
*** TxGirlGeek has quit IRC		17:30
*** TxGirlGeek has joined #openstack-kolla		17:30
*** Bico_Fino has quit IRC		17:35
*** Bico_Fino has joined #openstack-kolla		17:35
*** tonanhngo has joined #openstack-kolla		17:35
*** Serlex has quit IRC		17:35
*** portdirect_away is now known as portdirect		17:35
*** tonanhngo has quit IRC		17:36
*** eaguilar has joined #openstack-kolla		17:40
*** Bico_Fino has quit IRC		17:41
openstackgerrit	Mauricio Lima proposed openstack/kolla-ansible: Remove docker from kolla-ansible https://review.openstack.org/398320	17:47
kollabot	Gerrit Code Review	17:47
*** eaguilar has quit IRC		17:51
*** tonanhngo has joined #openstack-kolla		17:54
portdirect	Pavo: is horizon running for you?	17:55
portdirect	Pavo: take it thats from source?	17:55
*** tonanhngo has quit IRC		17:55
Pavo	doing a redeployment atm because internal and external vips are not acting correct	17:55
Pavo	not that I know of I did a pip install kolla	17:56
portdirect	Pavo: was refering to your developer bug - I'm staying out of your network issues - because there are much better kolla minds on it than mine :)	17:56
sdake	so re //dev/shm	17:56
Pavo	ah ok that is what ever version pip installs currently	17:57
sdake	and a host bindmount	17:57
sdake	we already host bindount /dev	17:57
Pavo	think its 3.0.1	17:57
sdake	is proper syntax /dev:/dev:shared	17:57
*** TxGirlGeek has quit IRC		17:57
*** sayantani has joined #openstack-kolla		17:57
sdake	or /dev:/dev followed by /dev/shm:/dev/shm?	17:57
*** unicell has quit IRC		17:57
portdirect	Pavo: was meaning source images? not the version of kolla. sorry I wasn;t that clear with my original question.	17:57
Pavo	no I build my images	17:58
Pavo	which are 3.0.1	17:58
portdirect	Pavo: from source or packages? (as in do you use 'kolla-build --type binary' or 'kolla-build --type source', if you dont use an option i think it defaults to binary? )	17:59
Pavo	I only do a kolla-build --registry deployer.local:4000 --push but I have a kolla-build.conf file that has install_type = rdo	18:00
Pavo	I guess its binary portdirect	18:01
*** TxGirlGeek has joined #openstack-kolla		18:02
*** sdake_ has joined #openstack-kolla		18:07
*** TxGirlGeek has quit IRC		18:08
portdirect	Pavo: cheers - yeah that'll do a build with the rdo rpm's I sont think it should be a show stopper, but suggests that this file has been left in the packaging (i think): https://github.com/openstack/horizon/blob/stable/newton/openstack_dashboard/contrib/developer/enabled/_9001_developer.py	18:08
kollabot	horizon/_9001_developer.py at stable/newton · openstack/horizon · GitHub	18:08
*** athomas has quit IRC		18:08
Pavo	I think the issue might be when using different interfaces for internal vip and external vip	18:10
Pavo	gonna redeploy with on the same interface	18:10
*** sdake has quit IRC		18:11
*** sayantani01 has joined #openstack-kolla		18:12
*** pbourke has quit IRC		18:13
*** Bico_Fino has joined #openstack-kolla		18:13
*** harlowja has joined #openstack-kolla		18:14
*** pbourke has joined #openstack-kolla		18:14
*** tonanhngo has joined #openstack-kolla		18:14
*** tonanhngo has quit IRC		18:15
*** Pavo has quit IRC		18:16
*** jgriffith has joined #openstack-kolla		18:16
*** jgriffith has quit IRC		18:16
*** Pavo has joined #openstack-kolla		18:16
*** portdirect is now known as portdirect_away		18:17
*** sayantani01 has quit IRC		18:18
*** senk has joined #openstack-kolla		18:20
*** senk has quit IRC		18:24
*** Satya_ has quit IRC		18:24
*** unicell has joined #openstack-kolla		18:29
kristian__	portdirect: gonna try with 3.0.0	18:37
kristian__	I think that worked	18:38
*** ipsecguy_ has joined #openstack-kolla		18:44
Pavo	ok well having internal and external vips on same interface doesn't work	18:46
*** ipsecguy has quit IRC		18:46
inc0	Pavo, yeah I was wondering if it will work	18:50
inc0	both of them are in same network tho?	18:50
*** tonanhngo has joined #openstack-kolla		18:50
Pavo	I tried both ways, having on same net and having in different nets	18:51
*** tonanhngo has quit IRC		18:52
*** TxGirlGeek has joined #openstack-kolla		18:52
Pavo	just don't understand why it works if I port forward to internal vip and not when I port forward to external vip	18:52
Pavo	just doesn't make any sense	18:52
Pavo	at all	18:52
kristian__	gpu passthrough doesnt work on 3.0.0-3.0.2 :(	18:55
*** ipsecguy has joined #openstack-kolla		18:56
Pavo	kristian__ are you using a custom nova.conf file for pci passthrough?	18:57
*** ipsecguy_ has quit IRC		18:58
*** kristian__ has quit IRC		19:00
*** senk has joined #openstack-kolla		19:01
*** shardy has quit IRC		19:01
Bico_Fino	Kolla 4.0.0.0b1 is stable to run? I’m trying get up some ironic-xx containers with 3.0.1 and getting a lot of errors.	19:05
*** TxGirlGeek has quit IRC		19:06
*** TxGirlGeek has joined #openstack-kolla		19:06
sdake_	Bico_Fino use 3.0.1 pls	19:15
sdake_	ironic is not ready for bmaas	19:15
Bico_Fino	sdake_:thanks!	19:15
sdake_	Bico_Fino not ewe think bifrost is ready to go tho	19:15
sdake_	may have some usability problems	19:16
sdake_	who knows - if you use it and find any report bugs pls :)	19:16
*** tonanhngo has joined #openstack-kolla		19:17
Bico_Fino	I’m getting some malformed config.js’s	19:17
*** TxGirlGeek has quit IRC		19:17
sdake_	in ironic bare metal?	19:17
*** tonanhngo has quit IRC		19:17
*** TxGirlGeek has joined #openstack-kolla		19:17
sdake_	or in bifrost?	19:17
Bico_Fino	ironic-inspector	19:17
sdake_	ya, that is a WIP	19:17
sdake_	people are working on it - but its far from done	19:17
Bico_Fino	Also ironic-api	19:18
*** sp__ has quit IRC		19:18
Bico_Fino	The idea is to run ironic-ui from Kolla	19:20
Bico_Fino	I already installed ironic-ui on horizon container.	19:20
*** diogogmt has joined #openstack-kolla		19:26
openstackgerrit	Mauricio Lima proposed openstack/kolla-ansible: Remove docker from kolla-ansible https://review.openstack.org/398320	19:31
kollabot	Gerrit Code Review	19:32
*** TxGirlGeek has quit IRC		19:33
*** TxGirlGeek has joined #openstack-kolla		19:34
*** TxGirlGeek has quit IRC		19:41
*** TxGirlGeek has joined #openstack-kolla		19:41
*** kklimonda has quit IRC		19:45
*** Bico_Fino has quit IRC		19:48
*** TxGirlGeek has quit IRC		19:50
*** kklimonda has joined #openstack-kolla		19:53
*** AndChat407721 has joined #openstack-kolla		19:54
*** AndChat407721 has quit IRC		19:58
*** TxGirlGeek has joined #openstack-kolla		19:59
*** TxGirlGeek has quit IRC		20:03
*** TxGirlGeek has joined #openstack-kolla		20:03
*** senk has quit IRC		20:04
*** senk has joined #openstack-kolla		20:05
Pavo	ok think I am getting closer	20:06
Pavo	someone try and get to https://ddi.hopto.org please	20:06
*** senk has quit IRC		20:06
Pavo	looks like its redirecting to localhost for some reason	20:06
jascott1	pavo no good	20:07
inc0	Pavo, tls error	20:07
jascott1	i didnt get tls	20:07
jascott1	i just got ERR_CONNECTION_CLOSED	20:07
Pavo	wehn i try from my phone I get redirected to https://localhost/ddi.hopto.org	20:08
Pavo	for unknown reason	20:09
Pavo	and that is using internal vip as port forwarding	20:09
Pavo	again when I use external vip for port forwarding, nothing	20:09
Pavo	kolla_external_vip_interface: is the interface that should be facing the internet correct?	20:12
Pavo	or the IP from kolla_external_vip_address: should be the IP that I am port forwarding to with port 443 correct?	20:13
Pavo	is this correct?	20:15
*** Pavo has quit IRC		20:16
*** Pavo has joined #openstack-kolla		20:16
Pavo	or am I thinking of these settings the wrong way	20:16
*** javcasalc has joined #openstack-kolla		20:17
*** TxGirlGeek has quit IRC		20:18
inc0	Pavo, well, yeah, but with port forwarding, I'm not quite sure how TLS works	20:18
Pavo	should be no different	20:18
Pavo	443 is ssl which is what TLS is setting up	20:18
Pavo	correct	20:18
Pavo	and even without TLS just straight port 80 should go to the kolla external vip address with port forwarding	20:19
*** TxGirlGeek has joined #openstack-kolla		20:19
Pavo	but for some reason when I have port forwarding going to external vip nothing from outside but when I port forward to internal vip it works from outside	20:20
Pavo	which just doesn't make sense	20:20
Pavo	I am literally about to punch my computer screen	20:20
Pavo	lol	20:20
inc0	Pavo, internal endpoint doesn't use TLS	20:21
sdake_	pavo tls may require some special magic to port forward	20:21
sdake_	pavo iirc it has something to do with ssl termination	20:21
sdake_	setting in your firewall	20:22
inc0	yeah, SSL doesn't hadnle super eaily	20:22
Pavo	would love to know what this "magic" is that is required	20:22
sdake_	pavo idk - depends on the router your using	20:22
sdake_	i'm using a netgear wrt and it handles my tls forwards correctly	20:22
Pavo	but without TLS normal port 80 should again be on the external vip interface	20:23
sdake_	lemme check the config	20:23
sdake_	see if anything comes up	20:23
sdake_	is it not?	20:23
Pavo	I am using a Asus RT-AC68P with advancedtomato and everything else port forwarding is working perefectly for	20:23
sdake_	so your nova port forwards work?	20:24
inc0	Pavo, if you enable tls, haproxy will redirect :80 to :443	20:24
inc0	yeah, try using APIs with external endpoints as sdake suggests	20:24
Pavo	sdake_ without TLS and port forward to my external vip no one can get to my stuff from outside, but if I port forward to my internal vip they can	20:24
Pavo	what do you mean by using APIs external endpoints?	20:25
sdake_	define stuff - do you mean openstack endpoint list fails?	20:25
*** tonanhngo has joined #openstack-kolla		20:25
sdake_	pavo the above is an openstack endpoint call ^^	20:25
Pavo	hang on I'll show you	20:25
Pavo	destroying again and rebooting	20:25
*** TxGirlGeek has quit IRC		20:26
Pavo	then I will deploy without TLS	20:26
sdake_	nah keep tls on	20:26
*** tonanhngo has quit IRC		20:26
Pavo	ok then I will post my globals	20:26
sdake_	sounds good	20:26
sdake_	so port 80 and 443 are special ports	20:26
sdake_	if you ahve a wireless thingy connecting to the internet, it often has a "web management" feature	20:27
sdake_	the web management feature and port forwarding conflict	20:27
sdake_	since web management wants to run on port 80	20:27
sdake_	I port forward my horizon from 8000 to 443 internally	20:27
Pavo	I have my web interface as port 8082	20:28
Pavo	for wireless router	20:28
*** TxGirlGeek has joined #openstack-kolla		20:28
sdake_	what about the wireless part?	20:28
sdake_	rather the tls part?	20:28
Pavo	only allowing http on port 8082 from inside	20:29
sdake_	ok, pavo, lets focus on one thing	20:29
sdake_	and that is lets see if keystone works externally	20:29
sdake_	you can do it with or without tls	20:29
sdake_	use an external endpoint	20:29
sdake_	then we can go up the stack ;)	20:29
Pavo	ok hang on gotta redeploy	20:29
* sdake_ having flashbacks of yesterday		20:29
Pavo	agree sdake_ lol	20:30
*** javcasalc has quit IRC		20:31
Pavo	here is my globals sdake_ and inc0 http://paste.openstack.org/show/589953/	20:33
*** newmember has joined #openstack-kolla		20:33
kollabot	Paste #589953 \| LodgeIt!	20:33
*** javcasalc has joined #openstack-kolla		20:34
v1k0d3n	portdirect_away: you there man?	20:35
v1k0d3n	when you get back...let me know.	20:35
v1k0d3n	have some info for you.	20:35
*** javcasalc has quit IRC		20:37
inc0	Pavo, let's try get external to work without SSL ok?	20:37
*** TxGirlGeek has quit IRC		20:38
Pavo	ok but that will require me to stop this deployment and reboot and redeploy again	20:38
*** tonanhngo has joined #openstack-kolla		20:38
Pavo	so stop?	20:38
inc0	yeah	20:38
Pavo	ok destroying	20:39
inc0	let's get your port forwarding right before we move on	20:39
Pavo	ok	20:39
inc0	then we'll add tls without redeploying	20:39
Pavo	yeah just a reconfigure	20:39
*** tonanhngo has quit IRC		20:40
*** TxGirlGeek has joined #openstack-kolla		20:42
Pavo	ok this is my network layout	20:43
Pavo	https://www.gliffy.com/go/publish/11309187	20:43
kollabot	Gliffy Diagram \| Kolla Stack	20:43
Pavo	inc0 sdake_ this is my globals without TLS	20:46
Pavo	http://paste.openstack.org/show/589957/	20:46
kollabot	Paste #589957 \| LodgeIt!	20:46
inc0	looks good	20:46
Pavo	this is my port forwarding	20:46
Pavo	https://www.dropbox.com/s/tsadjhv6k6dasww/Screenshot%202016-11-21%2015.46.17.png?dl=0	20:46
Pavo	now redeploying without TLS	20:46
Pavo	one sec	20:46
*** eaguilar has joined #openstack-kolla		20:47
*** TxGirlGeek has quit IRC		20:48
*** ppalacios has quit IRC		20:49
*** TxGirlGeek has joined #openstack-kolla		20:50
sdake_	pavo open a port forward for keystone plz	20:51
Pavo	what port?	20:52
sdake_	5000	20:52
sdake_	to 5000 on your external ip	20:52
sdake_	wich looks to be 250	20:52
Pavo	so like this	20:53
Pavo	https://www.dropbox.com/s/kwwc4nt3310jxol/Screenshot%202016-11-21%2015.53.06.png?dl=0	20:53
sdake_	yup	20:53
Pavo	done	20:53
Pavo	deployment almost done too	20:53
Pavo	its on Cinder	20:53
*** tonanhngo has joined #openstack-kolla		20:54
*** TxGirlGeek has quit IRC		20:55
Pavo	hmm I might have to open ports up for all endpoints because (item={u'interface': u'public', u'url': u'http://ddi.hopto.org:8776/v2/%(tenant_id)s'	20:55
*** tonanhngo has quit IRC		20:55
Pavo	well maybe not, it should be using internal vip for all api communication right	20:55
Pavo	ok deployment done	20:56
Pavo	so inc0 sdake_ can you get to ddi.hopto.org	20:56
sdake_	pavo i need your admin-openrc.sh	20:57
sdake_	pavo bingo you do need to open up atleast keystone	20:57
sdake_	pavo and anything else you expect horizon to communicate with	20:57
*** TxGirlGeek has joined #openstack-kolla		20:57
sdake_	pavo send me your admin-openrc.sh to stdake@cisco.com plz	20:57
jascott1	pavo i still cant access it	20:58
sdake_	ERR_CONNECTION_REFUSED	20:58
sdake_	on port 5000	20:58
Pavo	sdake_ sent	20:58
sdake_	how many engineers does it take to screw in a lightbulb?	20:59
sdake_	less then to setup a network ;-)	20:59
Pavo	lol	20:59
*** ipsecguy_ has joined #openstack-kolla		20:59
Pavo	seriously it has to be something really really stupid because I am a network engineer	21:00
Pavo	and this should not be doing this	21:00
Pavo	lol	21:00
Pavo	what do you get when you curl -vv ddi.hopto.org	21:00
*** sdake has joined #openstack-kolla		21:01
sdake	[14:00:45] <sdake>pavo can you paste your OS_AUTH_URL line into email, cisco's firewall killed the link	21:01
sdake	rather into irc :)	21:01
Pavo	lol ok	21:01
*** TxGirlGeek has quit IRC		21:01
*** TxGirlGeek has joined #openstack-kolla		21:01
Pavo	wait that IP in that is my internal vip address	21:01
Pavo	which I do not have port forwarded	21:01
sdake	ok i need your external ip address	21:01
Pavo	should be http://ddi.hopto.org:35357/v3	21:02
sdake	pavo also please forward 35357	21:02
Pavo	but the port isn't 5000	21:02
Pavo	ok	21:02
Pavo	done	21:03
Pavo	you got the username and password right in the email?	21:03
*** ipsecguy has quit IRC		21:03
sdake	yup	21:03
Pavo	k	21:03
sdake	35357 doesn't appear to be forwarding properly	21:03
sdake	try curl 250:35357	21:04
Pavo	try again	21:04
sdake	see if it responds internally	21:04
*** TxGirlGeek has quit IRC		21:04
Pavo	change the fort forward to internal vip	21:04
*** sdake_ has quit IRC		21:04
Pavo	nope I get connection refused internally	21:05
Pavo	when I try to curl 3.250 which is internal vip it just hangs	21:07
inc0	h,,	21:12
inc0	hmm	21:12
inc0	horizon local works?	21:12
inc0	(including actually logging to it?)	21:12
Pavo	yeah but only when using external vip address	21:13
Pavo	can not access it from using internal vip address	21:13
Pavo	one sec	21:14
*** kristian__ has joined #openstack-kolla		21:15
*** tonanhngo has joined #openstack-kolla		21:15
*** rhallisey has quit IRC		21:15
*** tonanhngo has quit IRC		21:16
*** Pavo_ has joined #openstack-kolla		21:16
Pavo_	brb gotta restart computer	21:18
*** Pavo_ has quit IRC		21:18
*** fguillot has quit IRC		21:19
*** Pavo has quit IRC		21:19
*** dave-mccowan has quit IRC		21:24
sdake	kristian__ so taking a look at your box i ahve two ideas	21:25
sdake	either we make /dev:/dev:shared	21:25
kristian__	ok Im listening	21:25
sdake	or /dev and /dev/shm and bindmounts	21:25
sdake	so its going to take two tries before i'm out of ideas :)	21:26
kristian__	:D	21:26
sdake	after this deploy finishes please do the config and run the test	21:26
kristian__	fortunetly I can redeploy in 5 min :D	21:26
kristian__	ok	21:26
*** eaguilar has quit IRC		21:28
*** Pavo has joined #openstack-kolla		21:29
Pavo	ok I'm back	21:30
openstackgerrit	Merged openstack/kolla: Install mkfs.vfat tool in ironic-conductor image https://review.openstack.org/399957	21:30
kollabot	Gerrit Code Review	21:30
*** jascott1 has quit IRC		21:32
kristian__	sdake: going to launch	21:32
*** TxGirlGeek has joined #openstack-kolla		21:32
*** jascott1 has joined #openstack-kolla		21:32
kristian__	it will error out	21:32
kristian__	sdake: still the same cpuid error	21:33
*** jascott1 has quit IRC		21:33
sdake	ok take 2	21:34
*** tonanhngo has joined #openstack-kolla		21:34
*** tonanhngo has quit IRC		21:35
*** harbor has joined #openstack-kolla		21:35
*** harbor is now known as portdirect_away_		21:35
*** portdirect_away_ is now known as portdirect_at_ho		21:35
*** portdirect_at_ho is now known as portdirect_		21:36
sdake	kristian__ need to make /dev shared just like /run is	21:37
sdake	lemme read docs moment	21:37
kristian__	ok	21:37
sdake	k rebooting	21:41
kristian__	I saw	21:41
sdake	if this doesn't work we will need to wait for the cats in nova to diagnose those logs	21:41
kristian__	ok	21:41
kristian__	online	21:41
sdake	[DEPRECATION WARNING]: always_run is deprecated. Use check_mode = no instead..	21:43
sdake	that looks like trouble	21:43
kristian__	sdake: for me?	21:44
sdake	nah for others kristian__	21:44
kristian__	oh ok	21:44
kristian__	sdkade: deployed	21:46
kristian__	going to set it up	21:46
*** jascott1 has joined #openstack-kolla		21:46
*** Pavo has quit IRC		21:46
sdake	k	21:46
*** Bico_Fino has joined #openstack-kolla		21:47
sdake	make sure to launch a normal instance too	21:47
sdake	to make sure that part still works :)	21:47
*** goldyfruit has quit IRC		21:47
*** Pavo has joined #openstack-kolla		21:49
kristian__	ok	21:51
kristian__	gpu one will give the same error	21:52
sdake	ok out of ideas	21:52
sdake	nova team to the rescue hopefully	21:52
kristian__	ok	21:53
kristian__	normal works but gpu one will leave the same error	21:53
sdake	cool	21:53
sdake	well leave that shared in there	21:53
kristian__	ok	21:53
sdake	got a link to the bug?	21:54
kristian__	are you going to contact openstack-nova team?	21:54
kristian__	yes	21:54
sdake	yes via the bug	21:54
kristian__	https://bugs.launchpad.net/nova/+bug/1642419	21:54
openstack	Launchpad bug 1642419 in OpenStack Compute (nova) "GPU Passthrough isn't working" [Medium,New]	21:54
kollabot	Bug #1642419 “GPU Passthrough isn't working” : Bugs : OpenStack Compute (nova)	21:54
*** fragatina has quit IRC		21:55
*** tonanhngo has joined #openstack-kolla		21:55
*** srwilkers has quit IRC		21:55
*** tonanhngo has quit IRC		21:56
portdirect_	sdake/kristian__: you guys been talking offline? had an idea but dont want to rehash ground you've already been over.	22:03
*** Pavo has quit IRC		22:03
kristian__	portdirect_ go on	22:04
portdirect_	I've got no real experience with apparmour - but have you checked that out in this case?	22:05
kristian__	log in to my server with those same creds I gave you yesterday	22:05
portdirect_	2 mins	22:06
kristian__	ok	22:06
*** sdake_ has joined #openstack-kolla		22:07
*** Pavo has joined #openstack-kolla		22:08
jascott1	kollabot seen v1k0d3n	22:10
kollabot	v1k0d3n was last seen in #openstack-kolla at Mon Nov 21 2016 20:35:12 GMT+0000 (UTC)	22:10
*** sdake has quit IRC		22:10
v1k0d3n	what;'s wth teh recent kollabot stuff.	22:11
v1k0d3n	lol	22:11
jascott1	my contribution ;)	22:11
jascott1	since slack didnt work out so far thought we might stuff some of that functionality into a bot	22:12
*** jrich523 has quit IRC		22:12
jascott1	v1k0d3n should I be able to install anyting from the aic repo?	22:12
*** Pavo has quit IRC		22:12
jascott1	i was creating glance to get a feel of the implementation but dont know how to get mariadb up	22:13
v1k0d3n	ah, ok...gotcha.	22:13
v1k0d3n	jascott1: which stuff were you looking at?	22:13
*** jrich523 has joined #openstack-kolla		22:13
v1k0d3n	oh the helm stuff?	22:13
jascott1	ya	22:14
*** Pavo has joined #openstack-kolla		22:14
v1k0d3n	so we're currently curating a few helm charts along with some other folks who have been working on stackanetes previously to get a PoC going.	22:15
v1k0d3n	eventually we want to use for a PoC, which is non-opinionated like the SAP stuff....and then we want to clean up and hand over to kolla for the parts that are useful.	22:16
v1k0d3n	inc0: said he wanted to see a PoC, so we offered.	22:16
v1k0d3n	thing is...people are working on helm anyway. i thought we'd break this work up, but apparently not.	22:16
v1k0d3n	this was all when there were discussions after discussions about init vs entrypoint vs operators....	22:17
v1k0d3n	we have a hard date of jan 1 to show to our internal teams.	22:17
v1k0d3n	we need this working, and sharing completely out in the clear.	22:17
*** fragatina has joined #openstack-kolla		22:18
sbezverk_	v1k0d3n: I can share helm chart for openvswitch and vswitchd working already ;-)	22:18
sbezverk_	btw vswitch uses entrypoint container to wait for ovs db scoket..	22:19
*** TxGirlGeek has quit IRC		22:20
*** Pavo has quit IRC		22:21
jascott1	v1k0d3n so should I be able to install db?	22:21
*** Pavo has joined #openstack-kolla		22:22
sdake_	v1k0d3n rather then doing a huge helm code dump, best practice is to do one component at a time	22:23
v1k0d3n	sbezverk_: that would be awesome.	22:23
v1k0d3n	for PoC?	22:23
sdake_	ya even for a poc	22:23
sdake_	just pick out one	22:23
v1k0d3n	jascott1: you should be able to install the db i believe...	22:23
sdake_	there is a whole slew of helm charts that need work	22:23
*** TxGirlGeek has joined #openstack-kolla		22:24
v1k0d3n	well, we need compoents to talk to each other. meaning, create a multi-app helm deployment, and for our part....showing how a developer of "nova" would for instance make changes to nova which would then change the container, which would change helm, and then redeploy into k8s.	22:25
*** jtriley has quit IRC		22:25
v1k0d3n	we have a massive open source openstack development team.	22:25
jascott1	v1k0d3n thanks... I tried to install but it just keeps running db seed job. Will look into it.	22:26
Pavo	ok I have ddi.hopto.org:4000 being port forwarded to 192.168.1.250:80 can anyone get to it?	22:26
jascott1	pavo no worky for me	22:27
Pavo	yeah nvm forgot I have to deploy again lol	22:27
Pavo	if this doesn't work then there is something seriously wrong with either my router or how kolla is assigning these addresses	22:28
Pavo	and I don't think its my router because my other port forwarding is working on a different machine	22:28
*** TxGirlGeek has quit IRC		22:28
Pavo	ie .... ddi.hopto.org:3000	22:29
Pavo	which should go to my Gogs server	22:29
*** TxGirlGeek has joined #openstack-kolla		22:31
jascott1	pavo that one worked	22:33
Pavo	yeap	22:33
*** Bico_Fino has quit IRC		22:34
*** Bico_Fino has joined #openstack-kolla		22:42
*** tonanhngo has joined #openstack-kolla		22:49
*** tonanhngo has quit IRC		22:50
*** Serlex has joined #openstack-kolla		22:51
portdirect_	v1k0d3n: you mentioned getting some docs of your dev env up - if you have anything (I can deal with mega rough :) ) it would be great - I'd like to work from the other end from sbezverk_ and kfox1111 and get the db/keystone running (unless you already have) so we can build up from there.	22:51
jascott1	v1k0d3n: FYI w/ mariadb seed log->peer-finder.py: urllib2.HTTPError: HTTP Error 500: Internal Server Error	23:02
*** rhallisey has joined #openstack-kolla		23:03
*** Serlex has quit IRC		23:03
*** tonanhngo has joined #openstack-kolla		23:04
*** kristian__ has quit IRC		23:05
*** Pavo has quit IRC		23:06
*** tonanhngo has quit IRC		23:06
*** Pavo has joined #openstack-kolla		23:06
*** portdirect_ has quit IRC		23:07
*** harbor has joined #openstack-kolla		23:07
*** harbor is now known as portdirect_		23:07
*** portdirect_ is now known as portdirect__		23:07
*** lamt has quit IRC		23:08
*** lamt has joined #openstack-kolla		23:13
v1k0d3n	sorry guys. was away. one sec.	23:22
* v1k0d3n reading		23:22
v1k0d3n	portdirect_away: are you talking about the helm bits?	23:23
portdirect__	yeah	23:23
*** goldyfruit has joined #openstack-kolla		23:24
portdirect__	think I found what your working on at aic-helm ?	23:25
*** tonanhngo has joined #openstack-kolla		23:25
*** tonanhngo has quit IRC		23:26
*** Pavo has quit IRC		23:29
*** Pavo has joined #openstack-kolla		23:30
Pavo	ok think I am just gonna give up on this	23:30
Pavo	grrrrr	23:30
Pavo	anyone try ddi.hopto.org:4000	23:30
Bico_Fino	nope	23:32
Pavo	this is straight up BS	23:32
Bico_Fino	don’t open Pavo	23:32
Pavo	port forwarding is working	23:32
Pavo	ACCEPT IN=vlan2 OUT=br0 SRC=177.32.52.182 DST=192.168.1.250 LEN=64 TOS=0x00 PREC=0x00 TTL=46 ID=8408 DF PROTO=TCP SPT=52894 DPT=80 SEQ=3388183135 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303050101080A30B755870000000004020000)	23:32
Pavo	thats is from the router logs	23:34
Pavo	so you can see its allowing it and its going to the correct ip and port	23:34
Bico_Fino	maybe the return?	23:35
Pavo	its NAT shouldn't matter on return	23:36
Pavo	ok gonna turn the swith into a dummy switch, maybe its vlans issue	23:39
Pavo	which I can not see how but who knows	23:39
*** ntpttr has quit IRC		23:39
*** lamt has quit IRC		23:40
*** tonanhngo has joined #openstack-kolla		23:41
*** ntpttr has joined #openstack-kolla		23:41
*** openstack has joined #openstack-kolla		23:43
*** Pavo has quit IRC		23:45
*** Pavo has joined #openstack-kolla		23:45
*** AnswerGuy has joined #openstack-kolla		23:47
*** rhallisey has quit IRC		23:50
*** Pavo has quit IRC		23:54
*** unicell has quit IRC		23:59
*** unicell1 has joined #openstack-kolla		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!