mrhillsman | adil452100 you never want to shut down all the mariadb clusters at once | 00:10 |
---|---|---|
mrhillsman | find out which one is the master/lead node, and shut the other two down | 00:11 |
mrhillsman | then you should be able to shutdown the lead node after a few moments | 00:12 |
mrhillsman | and start it back without any issues | 00:13 |
masber | good morning, has anyone deployed kolla5? I tried yesterday but was giving me errors, just wondering whether it is ready to use it or not | 00:20 |
adil452100 | <masber> maybe with the master branch you will have some chance to install it right | 00:21 |
adil452100 | <masber> The only thing I can say is it isn't yet production ready | 00:21 |
adil452100 | <masber> A lot of things don't work out of box | 00:22 |
adil452100 | <masber> You must troubleshoot a lot to get things working | 00:22 |
masber | adil452100, I see, I got confused because I installed it using pip so I thought it was ready | 00:23 |
adil452100 | <masber> The PyPi package is full of bugs, don't use it if you want to save time | 00:23 |
adil452100 | <masber> use the master git version instead | 00:23 |
masber | adil452100, I see, I will try again later, thank you | 00:24 |
adil452100 | <masber> for kolla and kolla-ansible | 00:24 |
adil452100 | <mrhillsman> thank you, you confirmed my thought | 00:25 |
SamYaple | mrhillsman: just to clarify a bit, there is no master/lead in a galera cluster | 00:26 |
SamYaple | however most clusters use haproxy loadbalancing with active/passive so there is one receiving all the reads and writes | 00:26 |
SamYaple | most openstack services these days no longer have deadlocks and can work with active/active writes | 00:26 |
mrhillsman | apologies, the one that is set as primary | 00:28 |
SamYaple | mrhillsman: well again, not to be pedantic, but just to make sure people don't lose data, not the one that's set primary, the one with the most recent data | 00:29 |
SamYaple | which is not necessarily the one set primary in haproxy | 00:30 |
mrhillsman | has the non -1 seqno | 00:30 |
SamYaple | because that one could be down | 00:30 |
SamYaple | mrhillsman: that only happens when it's shut down properly | 00:30 |
SamYaple | a running galera cluster has -1 | 00:30 |
SamYaple | on all nodes | 00:30 |
mrhillsman | ah ok | 00:32 |
*** dave-mccowan has joined #openstack-kolla | 00:36 | |
*** hieulq has joined #openstack-kolla | 00:37 | |
SamYaple | mrhillsman: not trying to be pedantic, it's just important for data integrity reasons :) | 00:38 |
mrhillsman | haha, no worries | 00:41 |
mrhillsman | stupid interwebs went down for a moment | 00:42 |
mrhillsman | correct comment adil452100 is that you never want to shut them all down at once if you want to avoid manual recovery | 00:45 |
mrhillsman | there's quite a few articles re this online - http://galeracluster.com/documentation-webpages/restartingcluster.html - i have used this one before | 00:46 |
*** duonghq has joined #openstack-kolla | 00:47 | |
mrhillsman | SamYaple better ^ ? | 00:49 |
SamYaple | for sure | 00:50 |
SamYaple | just trying to spread knowledge :) | 00:50 |
mrhillsman | no doubt ;) | 00:50 |
*** xinliang has joined #openstack-kolla | 01:05 | |
*** zhenguo has joined #openstack-kolla | 01:06 | |
*** tovin07_ has joined #openstack-kolla | 01:14 | |
*** caowei has joined #openstack-kolla | 01:34 | |
*** dave-mccowan has quit IRC | 01:49 | |
adil452100 | Thank you guys | 01:54 |
adil452100 | <SamYaple> <mrhillsman> Is the watcher horizon dashboard broken? | 01:55 |
adil452100 | I have tried so many times today to add to the horizon container via globals.yml and kolla-ansible reconfigure without success | 01:56 |
adil452100 | The error displayed with : docker logs horizon is | 01:57 |
adil452100 | cp: cannot stat '/usr/lib/python2.7/site-packages/watcher_dashboard/local/enabled/_*[^__].py': No such file or directory | 01:57 |
*** caowei has quit IRC | 02:01 | |
*** caowei has joined #openstack-kolla | 02:02 | |
*** Pavo has joined #openstack-kolla | 02:03 | |
openstackgerrit | Jinxing Fang proposed openstack/kolla-ansible master: Remove discard configuration https://review.openstack.org/502422 | 02:05 |
*** zhangfei has joined #openstack-kolla | 02:41 | |
mrhillsman | adil452100 have not tried using it | 02:42 |
mrhillsman | i know that there was(are?) issues with horizon in pike | 02:42 |
* mrhillsman is running ocata | 02:42 | |
adil452100 | Ok | 02:43 |
*** adil452100 has quit IRC | 02:57 | |
*** daidv has joined #openstack-kolla | 03:14 | |
*** Pavo has quit IRC | 03:19 | |
*** Pavo has joined #openstack-kolla | 03:34 | |
*** gkadam has joined #openstack-kolla | 03:35 | |
*** mdnadeem has joined #openstack-kolla | 03:37 | |
*** Pavo has quit IRC | 03:55 | |
*** jaosorior has joined #openstack-kolla | 04:07 | |
openstackgerrit | Merged openstack/kolla-ansible stable/pike: fix wrong keystone_authtoken settings https://review.openstack.org/510323 | 04:08 |
spsurya | morning all | 04:16 |
openstackgerrit | Merged openstack/kolla-ansible master: Remove discard configuration https://review.openstack.org/502422 | 04:29 |
*** coolsvap has joined #openstack-kolla | 04:42 | |
*** ntpttr_laptop has joined #openstack-kolla | 04:48 | |
*** ArminderSingh has quit IRC | 04:50 | |
*** janki has joined #openstack-kolla | 04:53 | |
*** ntpttr_laptop has quit IRC | 04:54 | |
*** ArminderSingh has joined #openstack-kolla | 04:54 | |
*** jascott1 has quit IRC | 05:15 | |
*** jascott1 has joined #openstack-kolla | 05:16 | |
*** jascott1 has quit IRC | 05:20 | |
spsurya | honza: ping... | 05:21 |
spsurya | regarding this | 05:21 |
spsurya | https://review.openstack.org/#/c/508869/ | 05:21 |
*** jascott1 has joined #openstack-kolla | 05:31 | |
spsurya | coolsvap: https://review.openstack.org/#/c/498332/ | 05:53 |
spsurya | can you please review | 05:54 |
coolsvap | spsurya: sure looking at it | 05:54 |
spsurya | coolsvap: saw your TC candidacy...that is nice :) | 05:56 |
coolsvap | spsurya: can you add reference for your doc changes in https://etherpad.openstack.org/p/kolla-doc-restructure at bottom | 05:58 |
coolsvap | so that its tracked and we do not have multiple changes for the same thing | 05:59 |
coolsvap | the current situation is I sometime get lost in doc changes | 06:01 |
coolsvap | which is covering what and whether or not its duplicate | 06:01 |
spsurya | coolsvap: the PS i given is generic one not only specific to doc | 06:01 |
spsurya | i changed in .sh file too | 06:02 |
openstackgerrit | jiangpch proposed openstack/kolla-ansible master: add zun-wsporxy into zun role https://review.openstack.org/510410 | 06:02 |
coolsvap | agreed | 06:02 |
coolsvap | it still has doc changes as well :) put it in others | 06:03 |
spsurya | coolsvap: thanks | 06:04 |
spsurya | may be later i will add another one with https://etherpad.openstack.org/p/kolla-doc-restructure at bottom | 06:04 |
*** unicell has joined #openstack-kolla | 06:10 | |
*** hachi__ has joined #openstack-kolla | 06:18 | |
*** skramaja has joined #openstack-kolla | 06:21 | |
*** unicell1 has joined #openstack-kolla | 06:22 | |
*** unicell has quit IRC | 06:23 | |
*** hachi__ has quit IRC | 06:30 | |
*** hachi__ has joined #openstack-kolla | 06:30 | |
*** unicell1 has quit IRC | 06:37 | |
*** igordc has quit IRC | 06:48 | |
*** igordc has joined #openstack-kolla | 06:50 | |
*** genek has quit IRC | 06:53 | |
*** serlex has joined #openstack-kolla | 07:03 | |
*** pcaruana has joined #openstack-kolla | 07:08 | |
openstackgerrit | Christian Berendt proposed openstack/kolla-ansible master: Restart services after a change in the external ceph configuration https://review.openstack.org/507888 | 07:16 |
openstackgerrit | Christian Berendt proposed openstack/kolla-ansible master: Add placement section to neutron.conf https://review.openstack.org/508075 | 07:17 |
*** yingjun has joined #openstack-kolla | 07:18 | |
*** magicboiz has joined #openstack-kolla | 07:31 | |
*** genek has joined #openstack-kolla | 07:34 | |
openstackgerrit | Jeffrey Zhang proposed openstack/kolla master: Use upgrade rather than create_schema for wather database https://review.openstack.org/510427 | 07:38 |
*** egonzalez has joined #openstack-kolla | 07:41 | |
*** shardy has joined #openstack-kolla | 07:55 | |
*** hrw has joined #openstack-kolla | 08:04 | |
*** jascott1 has quit IRC | 08:07 | |
*** jascott1 has joined #openstack-kolla | 08:08 | |
*** Radziu has joined #openstack-kolla | 08:08 | |
openstackgerrit | jiangpch proposed openstack/kolla-ansible master: Make haproxy proxy to the right glance_api backend https://review.openstack.org/510436 | 08:10 |
*** jascott1 has quit IRC | 08:12 | |
*** dougsz has joined #openstack-kolla | 08:17 | |
*** gfidente has joined #openstack-kolla | 08:35 | |
*** hachi__ has quit IRC | 08:36 | |
*** kbaegis1 has joined #openstack-kolla | 08:41 | |
*** kbaegis has quit IRC | 08:43 | |
*** Radziu has quit IRC | 08:45 | |
*** jmccarthy has joined #openstack-kolla | 08:46 | |
*** manheim has joined #openstack-kolla | 08:56 | |
*** dciabrin has quit IRC | 09:12 | |
*** athomas has joined #openstack-kolla | 09:14 | |
*** dciabrin has joined #openstack-kolla | 09:31 | |
*** yingjun has quit IRC | 09:31 | |
*** blallau has joined #openstack-kolla | 09:48 | |
*** egonzalez has quit IRC | 09:50 | |
openstackgerrit | Merged openstack/kolla-ansible stable/ocata: Add ovs section in neutron lbaas configuration https://review.openstack.org/505571 | 09:59 |
*** egonzalez has joined #openstack-kolla | 10:03 | |
openstackgerrit | jiangpch proposed openstack/kolla master: Fix horizon doesn't handle static files error https://review.openstack.org/510461 | 10:06 |
*** pbourke has quit IRC | 10:08 | |
*** jascott1 has joined #openstack-kolla | 10:09 | |
*** pbourke has joined #openstack-kolla | 10:10 | |
*** tovin07_ has quit IRC | 10:13 | |
*** duonghq has quit IRC | 10:15 | |
openstackgerrit | Chason Chan proposed openstack/kolla master: Add EC2API to Kolla providing images list https://review.openstack.org/510466 | 10:18 |
openstackgerrit | Chason Chan proposed openstack/kolla-ansible master: Add EC2API to kolla-ansible supporting service list https://review.openstack.org/510468 | 10:21 |
*** genek has quit IRC | 10:25 | |
*** daidv has quit IRC | 10:29 | |
*** caowei has quit IRC | 10:32 | |
*** zhangfei has quit IRC | 10:41 | |
*** leeuwenrjj has joined #openstack-kolla | 10:43 | |
*** lpetrut has joined #openstack-kolla | 10:43 | |
leeuwenrjj | Hi, very short newbie question for building containers: Can I somehow select which OpenStack version I will build from packages? It looks like I can give any location for building from source | 10:45 |
leeuwenrjj | But not from packages | 10:45 |
*** hachi_ has joined #openstack-kolla | 10:51 | |
hrw | morning | 10:52 |
hrw | leeuwenrjj: stable/pike builds pike. stable/ocata builds ocata | 10:52 |
hrw | leeuwenrjj: and they use latest packages available | 10:52 |
spsurya | leeuwenrjj: for ocata : 4.0.0 and for Pike : 5.0.0 | 10:53 |
leeuwenrjj | Yes, so if I want to build something older than the original kolla version, then I would need to build from source? (We want to first migrate to containers and after that upgrade) | 10:53 |
spsurya | leeuwenrjj: IIUC you have built the images and want to run containers | 10:54 |
openstackgerrit | Merged openstack/kolla-ansible master: Fluentd: remove apache record_transformer filter https://review.openstack.org/501974 | 10:54 |
openstackgerrit | Merged openstack/kolla-ansible master: Fluentd: fix Mariadb mysqld_safe log not match https://review.openstack.org/502169 | 10:55 |
hrw | handy command for checking multiarch containers: "docker run --rm mplatform/mquery debian" | 10:55 |
leeuwenrjj | So we currently run Kilo. So we want to move that first to containers and upgrade to pike when the components are containerized. | 10:56 |
hrw | I wonder how good Kolla was during Kilo cycle. | 10:57 |
leeuwenrjj | So we need to deploy Kilo containers first and then do all the upgrades. Which should be a lot easier when the services are running in containers. | 10:57 |
leeuwenrjj | Are there many specifics in the build process for the openstack version? I would assume changing the repo should be good enough. e.g. the config files will come from outside of the container during runtime in our case. | 10:58 |
*** magicboiz has quit IRC | 11:00 | |
*** magicboiz has joined #openstack-kolla | 11:00 | |
hrw | leeuwenrjj: I do not know if Kolla is able to build Kilo images | 11:02 |
*** jaosorior has quit IRC | 11:05 | |
*** rhallisey_ has joined #openstack-kolla | 11:05 | |
*** jaosorior has joined #openstack-kolla | 11:05 | |
spsurya | leeuwenrjj: IIRC upgrade has been working since Newton | 11:11 |
*** kbaegis1 has quit IRC | 11:11 | |
*** kbaegis has joined #openstack-kolla | 11:12 | |
*** egonzalez has quit IRC | 11:19 | |
*** jmccarthy has quit IRC | 11:19 | |
manheim | hrw I also tried to build. Kilo env but gave up... | 11:20 |
*** jmccarthy has joined #openstack-kolla | 11:20 | |
openstackgerrit | Merged openstack/kolla-ansible master: Allow use of external ceph as cinder backup backend https://review.openstack.org/510153 | 11:22 |
*** egonzalez has joined #openstack-kolla | 11:26 | |
openstackgerrit | Marcin Juszkiewicz proposed openstack/kolla stable/pike: base: use ceph/jewel on ubuntu https://review.openstack.org/505786 | 11:30 |
leeuwenrjj | FYI: It looks like with a little edit in the docker file I can remove the Ocata reference and replace it by Kilo. | 11:34 |
*** coolsvap has quit IRC | 11:35 | |
leeuwenrjj | Not everything will build (e.g. keystone complains about barbican packages) but we happened to already upgrade keystone. | 11:35 |
*** shardy is now known as shardy_lunch | 11:40 | |
nhlfr | pbourke: hey. what's the status of https://blueprints.launchpad.net/kolla/+spec/mount-sources? | 11:40 |
nhlfr | to get it implemented, do we need to add similar stuff like here https://review.openstack.org/#/c/454690/ to the other openstack components? | 11:41 |
*** sambetts|afk is now known as sambetts | 11:44 | |
dasTor | hi, just a short question, my deployment fails currently with: Restart fluentd container FAILED! => {"changed": false, "failed": true, "msg": "Unknown error message: Tag pike not found in repository docker.io/kolla/ubuntu-binary-fluentd"} | 11:44 |
dasTor | docker images | grep fluent shows that i already have the image: 192.168.0.21:5000/kolla/ubuntu-binary-fluentd 5.0.0 b091562cc890 | 11:45 |
dasTor | why isn't kolla pulling it from my local registry? | 11:45 |
*** ansiwen[q] has joined #openstack-kolla | 11:46 | |
nhlfr | dasTor: what did you set in Docker options in /etc/kolla/globals.yml? | 11:49 |
nhlfr | I mean, docker_registry and docker_namespace options | 11:49 |
dasTor | docker_registry: "192.168.0.21:5000" | 11:50 |
dasTor | nothing else | 11:50 |
*** magicboiz has quit IRC | 11:52 | |
nhlfr | dasTor: ok. does your registry have valid ssl certificate? if not, did you specify it as an insecure registry in /etc/docker/daemon.json? | 11:52 |
dasTor | when i tried before, it said The requested image does not exist: 192.168.0.21:5000/kolla/ubuntu-binary-fluentd:pike i did a kolla-build -b ubuntu and now i have this error | 11:52 |
dasTor | nhlfr, yes, i set it on the deploy host and all targets | 11:52 |
dasTor | when i didn't it said something about an https warning | 11:52 |
*** dave-mccowan has joined #openstack-kolla | 11:53 | |
*** manheim has quit IRC | 11:53 | |
*** manheim has joined #openstack-kolla | 11:53 | |
*** dave-mcc_ has joined #openstack-kolla | 11:55 | |
dasTor | if i comment out: openstack_release: "pike" | 11:56 |
dasTor | in globals.yml it still works, strange .... | 11:56 |
*** dave-mccowan has quit IRC | 11:58 | |
pbourke | nhlfr: it's been implemented piece by piece. not that many services are done yet tbh | 12:02 |
pbourke | nhlfr: it's reasonably easy to add a service though if you need | 12:02 |
nhlfr | pbourke: ok, fair enough. I will try to add neutron and kuryr soon | 12:04 |
pbourke | nhlfr: cool, I had made a start on neutron if you want to use that as a starting point | 12:04 |
pbourke | https://review.openstack.org/#/c/507547/ | 12:04 |
*** kbaegis1 has joined #openstack-kolla | 12:04 | |
*** kbaegis1 has quit IRC | 12:05 | |
nhlfr | pbourke: thanks! | 12:06 |
hrw | https://review.openstack.org/#/c/508818/ - can someone +2/+W it? Makes cinder-api work on Debian. It is just s/['ubuntu']/['debian', 'ubuntu']/ change | 12:07 |
*** kbaegis has quit IRC | 12:08 | |
hrw | recheck is in a queue | 12:08 |
spsurya | hrw: done | 12:15 |
hrw | thanks | 12:15 |
*** magicboiz has joined #openstack-kolla | 12:23 | |
*** hachi_ has quit IRC | 12:27 | |
*** genek has joined #openstack-kolla | 12:30 | |
*** gkadam has quit IRC | 12:35 | |
*** shardy_lunch is now known as shardy | 12:40 | |
*** magicboiz has quit IRC | 12:49 | |
*** manheim has quit IRC | 13:01 | |
*** ansmith has joined #openstack-kolla | 13:02 | |
*** magicboiz has joined #openstack-kolla | 13:05 | |
hrw | can I also get some eyes on https://review.openstack.org/#/c/508340/ one? It moves from one Linaro repo to another as we restructured repositories to make two especially for Kolla use (one for master, one for Pike). | 13:10 |
hrw | changes only Debian | 13:10 |
hrw | we provide packages for both aarch64 and x86-64 | 13:10 |
*** manheim has joined #openstack-kolla | 13:10 | |
openstackgerrit | Merged openstack/kolla master: Add tripleo-ui image https://review.openstack.org/508869 | 13:15 |
*** mdnadeem has quit IRC | 13:16 | |
*** skramaja has quit IRC | 13:18 | |
*** janki has quit IRC | 13:18 | |
*** janki has joined #openstack-kolla | 13:18 | |
openstackgerrit | Mick Thompson proposed openstack/kolla-ansible master: Add cinder-volume host configuration to support HA https://review.openstack.org/510566 | 13:21 |
lvdombrkr | folks, who uses letsencrypt certificates in kolla? | 13:23 |
lvdombrkr | i have a question about certificate renewal | 13:23 |
openstackgerrit | Paul Bourke (pbourke) proposed openstack/kolla-ansible master: Add cinder-volume host configuration to support HA https://review.openstack.org/510566 | 13:30 |
openstackgerrit | Merged openstack/kolla-ansible master: [HyperV] Add pull and precheck actions to nova-hyperv role https://review.openstack.org/508858 | 13:34 |
*** dgonzalez has left #openstack-kolla | 13:39 | |
*** janki has quit IRC | 13:42 | |
openstackgerrit | Paul Bourke (pbourke) proposed openstack/kolla-ansible master: Add cinder-volume host configuration to support HA https://review.openstack.org/510566 | 13:43 |
*** Pavo has joined #openstack-kolla | 13:50 | |
*** zhangfei has joined #openstack-kolla | 13:54 | |
*** leeuwenrjj has quit IRC | 13:55 | |
*** hrw has quit IRC | 13:58 | |
*** david-lyle has joined #openstack-kolla | 14:08 | |
openstackgerrit | Merged openstack/kolla master: cinder-api: handle Debian too https://review.openstack.org/508818 | 14:12 |
lvdombrkr | folks, who uses letsencrypt certificates in kolla? | 14:19 |
Pavo | morning gents | 14:23 |
Pavo | lvdombrkr that is an amazing idea, if you figure it out please post a solution | 14:23 |
egonzalez | lvdombrkr, looks like nobody uses them | 14:23 |
egonzalez | or nobody in this chat at least | 14:24 |
*** aagate has joined #openstack-kolla | 14:27 | |
*** serlex has quit IRC | 14:28 | |
*** zhangfei has quit IRC | 14:28 | |
*** ntpttr_laptop has joined #openstack-kolla | 14:39 | |
*** ntpttr_laptop has quit IRC | 14:45 | |
*** jmccarthy has left #openstack-kolla | 14:49 | |
*** klindgren has joined #openstack-kolla | 15:35 | |
*** rhallisey_ has quit IRC | 15:36 | |
*** jgriffith_ is now known as jgriffith | 15:41 | |
*** vhosakot has joined #openstack-kolla | 15:42 | |
SamYaple | lvdombrkr: i did when letsencrypt first landed, but i don't use kolla-ansible at the moment | 15:43 |
*** ntpttr_laptop has joined #openstack-kolla | 15:53 | |
*** ntpttr_laptop has quit IRC | 15:53 | |
*** zhubingbing__ has joined #openstack-kolla | 15:57 | |
*** egonzalez has quit IRC | 15:58 | |
*** jascott1 has quit IRC | 16:09 | |
*** blallau has quit IRC | 16:12 | |
*** dave-mcc_ is now known as dave-mccowan | 16:13 | |
*** manheim has quit IRC | 16:22 | |
*** lpetrut has quit IRC | 16:23 | |
*** zhubingbing__ has quit IRC | 16:28 | |
*** pcaruana has quit IRC | 16:32 | |
*** jaosorior has quit IRC | 16:33 | |
kfox1111 | second for https://review.openstack.org/#/c/507252/ please. | 16:33 |
*** jaosorior has joined #openstack-kolla | 16:33 | |
*** jascott1 has joined #openstack-kolla | 16:34 | |
*** jaosorior has quit IRC | 16:38 | |
*** jaosorior has joined #openstack-kolla | 16:40 | |
*** jaosorior has quit IRC | 16:53 | |
*** dougsz has quit IRC | 16:59 | |
*** harlowja has joined #openstack-kolla | 17:01 | |
openstackgerrit | Mathias Ewald proposed openstack/kolla-ansible master: Add sensu role https://review.openstack.org/488367 | 17:06 |
*** mewald has joined #openstack-kolla | 17:07 | |
*** manheim has joined #openstack-kolla | 17:11 | |
*** krtaylor_ has joined #openstack-kolla | 17:13 | |
*** krtaylor has quit IRC | 17:14 | |
*** manheim has quit IRC | 17:15 | |
*** athomas has quit IRC | 17:16 | |
*** krtaylor_ has quit IRC | 17:17 | |
*** krtaylor has joined #openstack-kolla | 17:17 | |
*** shardy has quit IRC | 17:18 | |
*** Pavo has quit IRC | 17:24 | |
inc0 | lvdombrkr: hey, I think someone floated idea of having letsencrypt generation built into kolla-ansible | 17:30 |
inc0 | I remember talking about it in PTH | 17:31 |
inc0 | PTG | 17:31 |
*** mgoddard has joined #openstack-kolla | 17:34 | |
vhosakot | yeah, I remember somebody mentioned letsencrypt at the PTG too. | 17:41 |
*** sambetts is now known as sambetts|afk | 17:45 | |
*** mewald has quit IRC | 17:46 | |
*** aagate has quit IRC | 17:54 | |
*** jamesbenson has joined #openstack-kolla | 17:59 | |
openstackgerrit | Merged openstack/kolla-kubernetes master: Remove the resolv.conf workaround https://review.openstack.org/507252 | 18:03 |
kfox1111 | rwellum: thx. | 18:07 |
kfox1111 | inc0: might have been tangential to one of our conversations. | 18:07 |
kfox1111 | k8s supports automatic letsencrypt. | 18:07 |
rwellum | yw kfox1111 | 18:10 |
*** pcaruana has joined #openstack-kolla | 18:11 | |
*** jamesbenson has quit IRC | 18:14 | |
*** sambetts|afk has quit IRC | 18:17 | |
*** mgoddard has quit IRC | 18:18 | |
*** dciabrin has quit IRC | 18:19 | |
*** sambetts_ has joined #openstack-kolla | 18:20 | |
*** dciabrin has joined #openstack-kolla | 18:20 | |
*** jamesbenson has joined #openstack-kolla | 18:24 | |
*** serlex has joined #openstack-kolla | 18:29 | |
*** aagate has joined #openstack-kolla | 18:50 | |
inc0 | kfox1111: I think we can't really use it because we run haproxy instead of kube load balancers right? | 18:51 |
kfox1111 | if you fronted your haproxies with ingress, it would work. | 18:51 |
inc0 | well...we could modify haproxy tls to use certs | 18:51 |
inc0 | or that | 18:51 |
inc0 | right | 18:51 |
kfox1111 | I want to do that too. | 18:51 |
kfox1111 | Ideally, you would have 2 layers of tls. | 18:52 |
*** unicell has joined #openstack-kolla | 18:52 | |
SamYaple | inc0: you can do letsencrypt in kolla-ansible easily https://yaple.net/2016/07/10/letsencrypt-haproxy-and-auto-renewal/ | 18:52 |
kfox1111 | the user facing termination would be the only thing with the main certs. | 18:52 |
SamYaple | it's a little outdated, but it's pretty straightforward | 18:52 |
kfox1111 | then it would use local certs from that pod to the services. | 18:52 |
SamYaple | you'll just want to have a letsencrypt container running to serve requests | 18:52 |
kfox1111 | cool. :) | 18:52 |
kfox1111 | I'm really excited for the proposed wildcard Let's Encrypt certs. | 18:53 |
harlowja | has anyone seen this one (and knows the issue) @ https://gist.github.com/harlowja/ce809a62d26dcc63b2b6e932c987de1e ? | 18:53 |
SamYaple | kfox1111: yea i don't know how i feel about that. i like the idea, but wild-card certs are poor security | 18:54 |
SamYaple | i suppose if you are just using it for encryption then it's a good thing | 18:54 |
kfox1111 | yeah. it's better not to use them, but... | 18:54 |
kfox1111 | it's way better than using nothing... | 18:55 |
SamYaple | harlowja: looks like a very old libvirt version. what are you trying to build? | 18:55 |
SamYaple | kfox1111: agreed. I've been slowly cultivating certs for years | 18:55 |
kfox1111 | but when you have a nice separation where ingress has the wildcard, and backends don't, it's a bit safer too. | 18:55 |
SamYaple | I've got ~600 unique certs | 18:55 |
kfox1111 | wow. | 18:55 |
kfox1111 | how often do you need to update one? | 18:55 |
SamYaple | 3 months | 18:56 |
kfox1111 | not too bad. | 18:56 |
SamYaple | well they have rate limits you know? so it's better to get them in. because you can update as many as you want, but you can't create them all from scratch | 18:56 |
SamYaple | you get like 10 a week or something | 18:56 |
kfox1111 | the problem I have is no path from external to internal. | 18:56 |
kfox1111 | so I'd have to place some web service externally to gather them, | 18:56 |
SamYaple | so i have one for each service, nova-novncproxy.yaple.net neutron-server.yaple.net cinder-api.yaple.net etc | 18:57 |
kfox1111 | but do something more manual to get them inside. :/ | 18:57 |
SamYaple | hmm yea | 18:57 |
kfox1111 | a few wildcards would be much easier to transfer in, | 18:57 |
SamYaple | i would just run an internal CA in that case | 18:57 |
kfox1111 | we do that. but I kind of hate it. | 18:57 |
SamYaple | then you could actually do client certs | 18:57 |
kfox1111 | it breaks the internet trust model. | 18:57 |
kfox1111 | cause the holder of that ca can spoof anybody. | 18:57 |
SamYaple | oh please the current CAs break the trust model | 18:57 |
SamYaple | how many breaches exist? | 18:58 |
kfox1111 | some have. but they have also been kicked out. | 18:58 |
SamYaple | this is for internal environment anyway | 18:58 |
SamYaple | if someone is already internal and has your CA, you would be screwed anyway | 18:58 |
kfox1111 | the line between internal/external is often fuzzy. :/ | 18:58 |
*** lpetrut has joined #openstack-kolla | 18:58 | |
SamYaple | they would have your wildcard cert and key anyway | 18:58 |
kfox1111 | no, it's more nuanced than that. | 18:58 |
kfox1111 | say you work for a company A, and you also work with collaboration B. | 18:59 |
kfox1111 | both self sign their certs and expect you to load their CAs into your browser. | 18:59 |
kfox1111 | both could spoof your bank and other sites. | 18:59 |
kfox1111 | yeah, you could keep a whole separate browser chain of trust for each org. | 18:59 |
kfox1111 | but what a pain.... :/ | 19:00 |
kfox1111 | better if they just had a proper chain of trust. | 19:00 |
*** lpetrut has quit IRC | 19:00 | |
SamYaple | so they have hijacked your dns and have generated false certs | 19:00 |
SamYaple | there are bigger issues there | 19:01 |
*** lpetrut has joined #openstack-kolla | 19:01 | |
kfox1111 | possible. but security is having many walls. | 19:02 |
kfox1111 | one of the collaborations I work with: https://www.opensciencegrid.org/ has a huge number of CAs in its own chain of trust. | 19:02 |
kfox1111 | if any of them has a breach, it's a problem. | 19:02 |
kfox1111 | just seems like a bad idea to me. I think in general the main chain of trust is more secure than orgs. | 19:03 |
SamYaple | i hear you. i fall on the other side of that argument personally | 19:04 |
SamYaple | but i was more referring to a CA per environment for openstack | 19:04 |
kfox1111 | yeah... | 19:06 |
kfox1111 | I really wish there was a way to do a CA per subdomain. | 19:06 |
kfox1111 | not, here's a CA, let's trust it for the world. | 19:07 |
kfox1111 | that part of the internet's very broken. | 19:07 |
*** jrist has quit IRC | 19:07 | |
SamYaple | i like the idea of a blockchain "ca" where each domain is its own blockchain | 19:08 |
SamYaple | you could sync that fairly quickly | 19:08 |
kfox1111 | +1 | 19:09 |
kfox1111 | or, I think you could probably extend the dns security stuff to have a signed https ca record. | 19:09 |
SamYaple | you could have the lax and paranoid setting there too. sync blockchain every time you query dns (for revocation) or more relaxed for speed | 19:10 |
kfox1111 | probably wouldn't need any software at all, other than having the browsers do an extra dns lookup. | 19:10 |
SamYaple | oh jeez. want to talk about the internet being broken, it's dns | 19:10 |
kfox1111 | hehe. | 19:10 |
kfox1111 | yeah, well, that's a whole 'nother conversation. :) | 19:11 |
SamYaple | up until recently 6 people could *independently* destroy the internet | 19:11 |
SamYaple | crazy | 19:11 |
kfox1111 | indeed. | 19:11 |
*** dciabrin has quit IRC | 19:18 | |
*** jrist has joined #openstack-kolla | 19:20 | |
harlowja | SamYaple mitaka but perhaps that version is busted | 19:23 |
harlowja | anyway, if nobody else has seen it, that's ok, i'll figure it out :-P | 19:24 |
SamYaple | harlowja: ah that's probably right for mitaka | 19:25 |
SamYaple | but that's so old you probably won't get much help for it | 19:25 |
SamYaple | newton is about to EOL, mitaka EOL'd 6 months ago | 19:25 |
harlowja | ya, expected so | 19:25 |
harlowja | sad fact is nobody can upgrade that i know of at the pace openstack releases things, ha | 19:26 |
*** manheim has joined #openstack-kolla | 19:40 | |
*** manheim has quit IRC | 19:41 | |
*** manheim has joined #openstack-kolla | 19:54 | |
*** manheim has quit IRC | 19:55 | |
SamYaple | harlowja: no, i agree, but you are over 2 years behind now | 19:57 |
SamYaple | most larger companies skip releases so they have once a year upgrades | 19:58 |
*** manheim has joined #openstack-kolla | 20:05 | |
*** manheim has quit IRC | 20:05 | |
*** dciabrin has joined #openstack-kolla | 20:06 | |
kfox1111 | yeah.... :/ | 20:06 |
kfox1111 | I'm hoping once we get the kolla-kubernetes upgrade gates going, | 20:07 |
kfox1111 | to keep a copy of the mitaka deployment ones around, and the intermediary jobs, | 20:07 |
kfox1111 | so we can test a multi version upgrade. | 20:07 |
kfox1111 | start at mitaka, perform the upgrade jobs for each version up to trunk. | 20:08 |
*** pcaruana has quit IRC | 20:18 | |
*** jamesbenson has quit IRC | 20:22 | |
*** jamesbenson has joined #openstack-kolla | 20:22 | |
*** jamesbenson has quit IRC | 20:23 | |
*** jamesbenson has joined #openstack-kolla | 20:25 | |
*** jamesbenson has quit IRC | 20:26 | |
*** jamesbenson has joined #openstack-kolla | 20:27 | |
*** rhallisey has quit IRC | 20:34 | |
*** manheim has joined #openstack-kolla | 20:50 | |
*** manheim has quit IRC | 20:50 | |
*** hrw has joined #openstack-kolla | 20:56 | |
*** erlon has joined #openstack-kolla | 20:57 | |
*** ansmith has quit IRC | 20:58 | |
*** jamesbenson has quit IRC | 21:00 | |
*** jascott1 has quit IRC | 21:02 | |
*** lpetrut has quit IRC | 21:11 | |
*** jascott1 has joined #openstack-kolla | 21:15 | |
*** jascott1 has quit IRC | 21:18 | |
*** jascott1 has joined #openstack-kolla | 21:20 | |
*** Pavo has joined #openstack-kolla | 21:29 | |
openstackgerrit | Eduardo Gonzalez proposed openstack/kolla master: Re-enable bifrost test_build https://review.openstack.org/465012 | 21:29 |
openstackgerrit | Eduardo Gonzalez proposed openstack/kolla master: Re-enable bifrost test_build https://review.openstack.org/465012 | 21:32 |
*** serlex has quit IRC | 21:33 | |
*** jamesbenson has joined #openstack-kolla | 21:35 | |
*** jamesbenson has quit IRC | 21:38 | |
*** manheim has joined #openstack-kolla | 21:42 | |
*** manheim has quit IRC | 21:42 | |
*** bmace has quit IRC | 21:44 | |
*** bmace has joined #openstack-kolla | 21:45 | |
*** ansmith has joined #openstack-kolla | 21:49 | |
*** Pavo has quit IRC | 21:54 | |
*** jamesbenson has joined #openstack-kolla | 22:00 | |
*** jamesbenson has quit IRC | 22:02 | |
*** jrist has quit IRC | 22:14 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/kolla-kubernetes master: Updated from global requirements https://review.openstack.org/509443 | 22:24 |
*** jrist has joined #openstack-kolla | 22:35 | |
*** gfidente has quit IRC | 22:35 | |
*** manheim has joined #openstack-kolla | 22:52 | |
*** dciabrin has quit IRC | 23:04 | |
*** vhosakot has quit IRC | 23:05 | |
*** vhosakot has joined #openstack-kolla | 23:05 | |
*** MasterOfBugs has joined #openstack-kolla | 23:06 | |
*** dciabrin has joined #openstack-kolla | 23:16 | |
*** manheim has quit IRC | 23:41 | |
*** MasterOfBugs has quit IRC | 23:45 | |
*** manheim has joined #openstack-kolla | 23:48 | |
*** jamesbenson has joined #openstack-kolla | 23:49 | |
*** jtriley has joined #openstack-kolla | 23:52 | |
*** jamesbenson has quit IRC | 23:53 |