Monday, 2017-10-09

mrhillsman	adil452100 you never want to shut down all the mariadb clusters at once	00:10
mrhillsman	find out which one is the master/lead node, and shut the other two down	00:11
mrhillsman	then you should be able to shutdown the lead node after a few moments	00:12
mrhillsman	and start it back without any issues	00:13
masber	good morning, has anyone deployed kolla5? I tried yesterday but was giving me errors, just wondering whether it is ready to use it or not	00:20
adil452100	<masber> maybe with the master branch you will have some chance to install it right	00:21
adil452100	<masber> The only thing I can say is it isn't yet production ready	00:21
adil452100	<masber> A lot of things don't work out of box	00:22
adil452100	<masber> You must troubleshoot a lot to get things working	00:22
masber	adil452100, I see, I got confused because I installed it using pip so I thought it was ready	00:23
adil452100	<masber> The PyPi package is full of bugs, don't use it if you want to save time	00:23
adil452100	<masber> use the master git version instead	00:23
masber	adil452100, I see, I will try again later, thank you	00:24
adil452100	<masber> for kolla and kolla-ansible	00:24
adil452100	<mrhillsman> thank you, you confirmed my thought	00:25
SamYaple	mrhillsman: just to clarify a bit, there is no master/lead in a galera cluster	00:26
SamYaple	however most clusters use haproxy loadbalancing with active/passive so ther eis one recieving all the reads and writes	00:26
SamYaple	most openstack services these days no longer have deadlocks and can work with active/active writes	00:26
mrhillsman	apologies, the one that is set as primary	00:28
SamYaple	mrhillsman: well again, not to be pedantic, but just to make sure people dont lose data, not the one thats set primary, the one with the most recent data	00:29
SamYaple	which is not neccessarily the one set primary in haproxy	00:30
mrhillsman	has the non -1 seqno	00:30
SamYaple	because that one could be down	00:30
SamYaple	mrhillsman: that only happens when its shutdown proerply	00:30
SamYaple	a running galera cluster has -1	00:30
SamYaple	on all nodes	00:30
mrhillsman	ah ok	00:32
*** dave-mccowan has joined #openstack-kolla		00:36
*** hieulq has joined #openstack-kolla		00:37
SamYaple	mrhillsman: not trying to be pedantic, its just important for data integrity reasons :)	00:38
mrhillsman	haha, no worries	00:41
mrhillsman	stupid interwebs went down for a moment	00:42
mrhillsman	correct comment adil452100 is that you never want to shut them all down at once if you want to avoid manual recovery	00:45
mrhillsman	there's quite a few articles re this online - http://galeracluster.com/documentation-webpages/restartingcluster.html - i have used this one before	00:46
*** duonghq has joined #openstack-kolla		00:47
mrhillsman	SamYaple better ^ ?	00:49
SamYaple	for sure	00:50
SamYaple	just trying to spread knowledge :)	00:50
mrhillsman	no doubt ;)	00:50
*** xinliang has joined #openstack-kolla		01:05
*** zhenguo has joined #openstack-kolla		01:06
*** tovin07_ has joined #openstack-kolla		01:14
*** caowei has joined #openstack-kolla		01:34
*** dave-mccowan has quit IRC		01:49
adil452100	Thank you guys	01:54
adil452100	<SamYaple> <mrhillsman> Is watcher horizon dashboard broken ?	01:55
adil452100	I have tried so many times today to add to the horizon container via globals.yml and kolla-ansible reconfigure without success	01:56
adil452100	The error displayed with : docker logs horizon is	01:57
adil452100	cp: cannot stat '/usr/lib/python2.7/site-packages/watcher_dashboard/local/enabled/_*[^__].py': No such file or directory	01:57
*** caowei has quit IRC		02:01
*** caowei has joined #openstack-kolla		02:02
*** Pavo has joined #openstack-kolla		02:03
openstackgerrit	Jinxing Fang proposed openstack/kolla-ansible master: Remove discard configuration https://review.openstack.org/502422	02:05
*** zhangfei has joined #openstack-kolla		02:41
mrhillsman	adil452100 have not tried using it	02:42
mrhillsman	i know that there was(are?) issues with horizon in pike	02:42
* mrhillsman is running ocata		02:42
adil452100	Ok	02:43
*** adil452100 has quit IRC		02:57
*** daidv has joined #openstack-kolla		03:14
*** Pavo has quit IRC		03:19
*** Pavo has joined #openstack-kolla		03:34
*** gkadam has joined #openstack-kolla		03:35
*** mdnadeem has joined #openstack-kolla		03:37
*** Pavo has quit IRC		03:55
*** jaosorior has joined #openstack-kolla		04:07
openstackgerrit	Merged openstack/kolla-ansible stable/pike: fix wrong keystone_authtoken settings https://review.openstack.org/510323	04:08
spsurya	morning all	04:16
openstackgerrit	Merged openstack/kolla-ansible master: Remove discard configuration https://review.openstack.org/502422	04:29
*** coolsvap has joined #openstack-kolla		04:42
*** ntpttr_laptop has joined #openstack-kolla		04:48
*** ArminderSingh has quit IRC		04:50
*** janki has joined #openstack-kolla		04:53
*** ntpttr_laptop has quit IRC		04:54
*** ArminderSingh has joined #openstack-kolla		04:54
*** jascott1 has quit IRC		05:15
*** jascott1 has joined #openstack-kolla		05:16
*** jascott1 has quit IRC		05:20
spsurya	honza: ping...	05:21
spsurya	regarding this	05:21
spsurya	https://review.openstack.org/#/c/508869/	05:21
*** jascott1 has joined #openstack-kolla		05:31
spsurya	coolsvap: https://review.openstack.org/#/c/498332/	05:53
spsurya	can you please review	05:54
coolsvap	spsurya: sure looking at it	05:54
spsurya	coolsvap: saw your TC candidacy...that is nice :)	05:56
coolsvap	spsurya: can you add reference for your doc changes in https://etherpad.openstack.org/p/kolla-doc-restructure at bottom	05:58
coolsvap	so that its tracked and we do not have multiple changes for the same thing	05:59
coolsvap	the current situation is I sometime get lost in doc changes	06:01
coolsvap	which is covering what and whether or not its duplicate	06:01
spsurya	coolsvap: the PS i given is generic one not only specific to doc	06:01
spsurya	i changed in .sh file too	06:02
openstackgerrit	jiangpch proposed openstack/kolla-ansible master: add zun-wsporxy into zun role https://review.openstack.org/510410	06:02
coolsvap	agreed	06:02
coolsvap	it still has doc changes as well :) put it in others	06:03
spsurya	coolsvap: thanks	06:04
spsurya	may be later i will add another one with https://etherpad.openstack.org/p/kolla-doc-restructure at bottom	06:04
*** unicell has joined #openstack-kolla		06:10
*** hachi__ has joined #openstack-kolla		06:18
*** skramaja has joined #openstack-kolla		06:21
*** unicell1 has joined #openstack-kolla		06:22
*** unicell has quit IRC		06:23
*** hachi__ has quit IRC		06:30
*** hachi__ has joined #openstack-kolla		06:30
*** unicell1 has quit IRC		06:37
*** igordc has quit IRC		06:48
*** igordc has joined #openstack-kolla		06:50
*** genek has quit IRC		06:53
*** serlex has joined #openstack-kolla		07:03
*** pcaruana has joined #openstack-kolla		07:08
openstackgerrit	Christian Berendt proposed openstack/kolla-ansible master: Restart services after a change in the external ceph configuration https://review.openstack.org/507888	07:16
openstackgerrit	Christian Berendt proposed openstack/kolla-ansible master: Add placement section to neutron.conf https://review.openstack.org/508075	07:17
*** yingjun has joined #openstack-kolla		07:18
*** magicboiz has joined #openstack-kolla		07:31
*** genek has joined #openstack-kolla		07:34
openstackgerrit	Jeffrey Zhang proposed openstack/kolla master: Use upgrade rather than create_schema for wather database https://review.openstack.org/510427	07:38
*** egonzalez has joined #openstack-kolla		07:41
*** shardy has joined #openstack-kolla		07:55
*** hrw has joined #openstack-kolla		08:04
*** jascott1 has quit IRC		08:07
*** jascott1 has joined #openstack-kolla		08:08
*** Radziu has joined #openstack-kolla		08:08
openstackgerrit	jiangpch proposed openstack/kolla-ansible master: Make haproxy proxy to the right glance_api backend https://review.openstack.org/510436	08:10
*** jascott1 has quit IRC		08:12
*** dougsz has joined #openstack-kolla		08:17
*** gfidente has joined #openstack-kolla		08:35
*** hachi__ has quit IRC		08:36
*** kbaegis1 has joined #openstack-kolla		08:41
*** kbaegis has quit IRC		08:43
*** Radziu has quit IRC		08:45
*** jmccarthy has joined #openstack-kolla		08:46
*** manheim has joined #openstack-kolla		08:56
*** dciabrin has quit IRC		09:12
*** athomas has joined #openstack-kolla		09:14
*** dciabrin has joined #openstack-kolla		09:31
*** yingjun has quit IRC		09:31
*** blallau has joined #openstack-kolla		09:48
*** egonzalez has quit IRC		09:50
openstackgerrit	Merged openstack/kolla-ansible stable/ocata: Add ovs section in neutron lbaas configuration https://review.openstack.org/505571	09:59
*** egonzalez has joined #openstack-kolla		10:03
openstackgerrit	jiangpch proposed openstack/kolla master: Fix horizon doesn't handle static files error https://review.openstack.org/510461	10:06
*** pbourke has quit IRC		10:08
*** jascott1 has joined #openstack-kolla		10:09
*** pbourke has joined #openstack-kolla		10:10
*** tovin07_ has quit IRC		10:13
*** duonghq has quit IRC		10:15
openstackgerrit	Chason Chan proposed openstack/kolla master: Add EC2API to Kolla providing images list https://review.openstack.org/510466	10:18
openstackgerrit	Chason Chan proposed openstack/kolla-ansible master: Add EC2API to kolla-ansible supporting service list https://review.openstack.org/510468	10:21
*** genek has quit IRC		10:25
*** daidv has quit IRC		10:29
*** caowei has quit IRC		10:32
*** zhangfei has quit IRC		10:41
*** leeuwenrjj has joined #openstack-kolla		10:43
*** lpetrut has joined #openstack-kolla		10:43
leeuwenrjj	Hi, very short newbie question for building containers: Can I somehow select which OpenStack version I will build from packages? It looks like I can give any location for building from source	10:45
leeuwenrjj	But not from packages	10:45
*** hachi_ has joined #openstack-kolla		10:51
hrw	morning	10:52
hrw	leeuwenrjj: stable/pike builds pike. stable/ocata builds ocata	10:52
hrw	leeuwenrjj: and they use latest packages available	10:52
spsurya	leeuwenrjj: for ocata : 4.0.0 and for Pike : 5.0.0	10:53
leeuwenrjj	Yes, so if I want to build something older then the original kolla version. Then I would need to build from source? (We want to first migrate to containers and after that upgrade)	10:53
spsurya	leeuwenrjj: IIUC you have build the images and want to run container	10:54
openstackgerrit	Merged openstack/kolla-ansible master: Fluentd: remove apache record_transformer filter https://review.openstack.org/501974	10:54
openstackgerrit	Merged openstack/kolla-ansible master: Fluentd: fix Mariadb mysqld_safe log not match https://review.openstack.org/502169	10:55
hrw	handy command for checking multiarch containers: "docker run --rm mplatform/mquery debian"	10:55
leeuwenrjj	So we currently run Kilo. So we want to move that first to containers and upgrade to pike when the components are containerized.	10:56
hrw	I wonder how good Kolla was during Kilo cycle.	10:57
leeuwenrjj	So we need to deploy Kilo containers first and then do all the upgrades. Which should be a lot easier when the services are running in containers.	10:57
leeuwenrjj	Are there many specifics in the build process for the openstack version? I would assume changing the repo should be good enough. e.g. the config files will come from outside of the container during runtime in our case.	10:58
*** magicboiz has quit IRC		11:00
*** magicboiz has joined #openstack-kolla		11:00
hrw	leeuwenrjj: I do not know is Kolla able to build Kilo images	11:02
*** jaosorior has quit IRC		11:05
*** rhallisey_ has joined #openstack-kolla		11:05
*** jaosorior has joined #openstack-kolla		11:05
spsurya	leeuwenrjj: IIRC upgrade working Since newton	11:11
*** kbaegis1 has quit IRC		11:11
*** kbaegis has joined #openstack-kolla		11:12
*** egonzalez has quit IRC		11:19
*** jmccarthy has quit IRC		11:19
manheim	hrw I also tried to build. Kilo env but gave up...	11:20
*** jmccarthy has joined #openstack-kolla		11:20
openstackgerrit	Merged openstack/kolla-ansible master: Allow use of external ceph as cinder backup backend https://review.openstack.org/510153	11:22
*** egonzalez has joined #openstack-kolla		11:26
openstackgerrit	Marcin Juszkiewicz proposed openstack/kolla stable/pike: base: use ceph/jewel on ubuntu https://review.openstack.org/505786	11:30
leeuwenrjj	FYI: It looks like with a little edit in the docker file I can remove the Ocata reference and replace it by Kilo.	11:34
*** coolsvap has quit IRC		11:35
leeuwenrjj	Not everything will build (e.g. keystone complains about barbican packages) but we happened to already upgrade keystone.	11:35
*** shardy is now known as shardy_lunch		11:40
nhlfr	pbourke: hey. what's the status of https://blueprints.launchpad.net/kolla/+spec/mount-sources?	11:40
nhlfr	to get it implented, do we need to add the similar stuff like here https://review.openstack.org/#/c/454690/ to the other openstack components?	11:41
*** sambetts\|afk is now known as sambetts		11:44
dasTor	hi, just a short question, my deployment fails currently with: Restart fluentd container FAILED! => {"changed": false, "failed": true, "msg": "Unknown error message: Tag pike not found in repository docker.io/kolla/ubuntu-binary-fluentd"}	11:44
dasTor	docker images \| grep fluent show that i already have the image: 192.168.0.21:5000/kolla/ubuntu-binary-fluentd 5.0.0 b091562cc890	11:45
dasTor	why isn't kolla pulling it from my local registry?	11:45
*** ansiwen[q] has joined #openstack-kolla		11:46
nhlfr	dasTor: what did you set in Docker options in /etc/kolla/globals.yml?	11:49
nhlfr	I mean, docker_registry and docker_namespace options	11:49
dasTor	docker_registry: "192.168.0.21:5000"	11:50
dasTor	nothing else	11:50
*** magicboiz has quit IRC		11:52
nhlfr	dasTor: ok. does your registry have valid ssl certificate? if not, did you specify it as an insecure registry in /etc/docker/daemon.json?	11:52
dasTor	when i tried before, it said The requested image does not exist: 192.168.0.21:5000/kolla/ubuntu-binary-fluentd:pike i did a kolla-build -b ubuntu and now i have this error	11:52
dasTor	nhlfr, yes, i set it on the deploy host and all targets	11:52
dasTor	when i didn't it saiod something about https warning	11:52
*** dave-mccowan has joined #openstack-kolla		11:53
*** manheim has quit IRC		11:53
*** manheim has joined #openstack-kolla		11:53
*** dave-mcc_ has joined #openstack-kolla		11:55
dasTor	if i comment out: openstack_release: "pike"	11:56
dasTor	in globals.yml it still works, strange ....	11:56
*** dave-mccowan has quit IRC		11:58
pbourke	nhlfr: it's been implemented piece by piece. not that many services are done yet tbh	12:02
pbourke	nhlfr: it's reasonably easy to add a service though if you need	12:02
nhlfr	pbourke: ok, fair enough. I will try to add neutron and kuryr soon	12:04
pbourke	nhlfr: cool, I had made a start on neutron if you want to use that as a starting point	12:04
pbourke	https://review.openstack.org/#/c/507547/	12:04
*** kbaegis1 has joined #openstack-kolla		12:04
*** kbaegis1 has quit IRC		12:05
nhlfr	pbourke: thanks!	12:06
hrw	https://review.openstack.org/#/c/508818/ - can someone +2/+W it? Makes cinder-api work on Debian. It is just s/['ubuntu']/['debian', 'ubuntu']/ change	12:07
*** kbaegis has quit IRC		12:08
hrw	recheck is in a queue	12:08
spsurya	hrw: done	12:15
hrw	thanks	12:15
*** magicboiz has joined #openstack-kolla		12:23
*** hachi_ has quit IRC		12:27
*** genek has joined #openstack-kolla		12:30
*** gkadam has quit IRC		12:35
*** shardy_lunch is now known as shardy		12:40
*** magicboiz has quit IRC		12:49
*** manheim has quit IRC		13:01
*** ansmith has joined #openstack-kolla		13:02
*** magicboiz has joined #openstack-kolla		13:05
hrw	can I also get some eyes on https://review.openstack.org/#/c/508340/ one? It moves from one Linaro repo to another as we restructured repositories to make two especially for Kolla use (one for master, one for Pike).	13:10
hrw	changes only Debian	13:10
hrw	we provide packages for both aarch64 and x86-64	13:10
*** manheim has joined #openstack-kolla		13:10
openstackgerrit	Merged openstack/kolla master: Add tripleo-ui image https://review.openstack.org/508869	13:15
*** mdnadeem has quit IRC		13:16
*** skramaja has quit IRC		13:18
*** janki has quit IRC		13:18
*** janki has joined #openstack-kolla		13:18
openstackgerrit	Mick Thompson proposed openstack/kolla-ansible master: Add cinder-volume host configuration to support HA https://review.openstack.org/510566	13:21
lvdombrkr	folks, who use letsencrypt certeficates in kolla?	13:23
lvdombrkr	i have question about certeficate renew	13:23
openstackgerrit	Paul Bourke (pbourke) proposed openstack/kolla-ansible master: Add cinder-volume host configuration to support HA https://review.openstack.org/510566	13:30
openstackgerrit	Merged openstack/kolla-ansible master: [HyperV] Add pull and precheck actions to nova-hyperv role https://review.openstack.org/508858	13:34
*** dgonzalez has left #openstack-kolla		13:39
*** janki has quit IRC		13:42
openstackgerrit	Paul Bourke (pbourke) proposed openstack/kolla-ansible master: Add cinder-volume host configuration to support HA https://review.openstack.org/510566	13:43
*** Pavo has joined #openstack-kolla		13:50
*** zhangfei has joined #openstack-kolla		13:54
*** leeuwenrjj has quit IRC		13:55
*** hrw has quit IRC		13:58
*** david-lyle has joined #openstack-kolla		14:08
openstackgerrit	Merged openstack/kolla master: cinder-api: handle Debian too https://review.openstack.org/508818	14:12
lvdombrkr	folks, who use letsencrypt certeficates in kolla?	14:19
Pavo	morning gents	14:23
Pavo	lvdombrkr that is am amazing idea, if you figure it out please post a solution	14:23
egonzalez	lvdombrkr, looks like nobody uses them	14:23
egonzalez	or nobody in this chat at least	14:24
*** aagate has joined #openstack-kolla		14:27
*** serlex has quit IRC		14:28
*** zhangfei has quit IRC		14:28
*** ntpttr_laptop has joined #openstack-kolla		14:39
*** ntpttr_laptop has quit IRC		14:45
*** jmccarthy has left #openstack-kolla		14:49
*** klindgren has joined #openstack-kolla		15:35
*** rhallisey_ has quit IRC		15:36
*** jgriffith_ is now known as jgriffith		15:41
*** vhosakot has joined #openstack-kolla		15:42
SamYaple	lvdombrkr: i did when lets encrypt firstlanded, but i dont use kolla-ansible at the moment	15:43
*** ntpttr_laptop has joined #openstack-kolla		15:53
*** ntpttr_laptop has quit IRC		15:53
*** zhubingbing__ has joined #openstack-kolla		15:57
*** egonzalez has quit IRC		15:58
*** jascott1 has quit IRC		16:09
*** blallau has quit IRC		16:12
*** dave-mcc_ is now known as dave-mccowan		16:13
*** manheim has quit IRC		16:22
*** lpetrut has quit IRC		16:23
*** zhubingbing__ has quit IRC		16:28
*** pcaruana has quit IRC		16:32
*** jaosorior has quit IRC		16:33
kfox1111	second for https://review.openstack.org/#/c/507252/ please.	16:33
*** jaosorior has joined #openstack-kolla		16:33
*** jascott1 has joined #openstack-kolla		16:34
*** jaosorior has quit IRC		16:38
*** jaosorior has joined #openstack-kolla		16:40
*** jaosorior has quit IRC		16:53
*** dougsz has quit IRC		16:59
*** harlowja has joined #openstack-kolla		17:01
openstackgerrit	Mathias Ewald proposed openstack/kolla-ansible master: Add sensu role https://review.openstack.org/488367	17:06
*** mewald has joined #openstack-kolla		17:07
*** manheim has joined #openstack-kolla		17:11
*** krtaylor_ has joined #openstack-kolla		17:13
*** krtaylor has quit IRC		17:14
*** manheim has quit IRC		17:15
*** athomas has quit IRC		17:16
*** krtaylor_ has quit IRC		17:17
*** krtaylor has joined #openstack-kolla		17:17
*** shardy has quit IRC		17:18
*** Pavo has quit IRC		17:24
inc0	lvdombrkr: hey, I think someone floated idea of having letsencrypt generation built into kolla-ansible	17:30
inc0	I remember talking about it in PTH	17:31
inc0	PTG	17:31
*** mgoddard has joined #openstack-kolla		17:34
vhosakot	yeah, I remember somebody mentioned letsencrypt at the PTG too.	17:41
*** sambetts is now known as sambetts\|afk		17:45
*** mewald has quit IRC		17:46
*** aagate has quit IRC		17:54
*** jamesbenson has joined #openstack-kolla		17:59
openstackgerrit	Merged openstack/kolla-kubernetes master: Remove the resolv.conf workaround https://review.openstack.org/507252	18:03
kfox1111	rwellum: thx.	18:07
kfox1111	inc0: might have been tangential to one of our conversations.	18:07
kfox1111	k8s supports automatic letsencrypt.	18:07
rwellum	yw kfox1111	18:10
*** pcaruana has joined #openstack-kolla		18:11
*** jamesbenson has quit IRC		18:14
*** sambetts\|afk has quit IRC		18:17
*** mgoddard has quit IRC		18:18
*** dciabrin has quit IRC		18:19
*** sambetts_ has joined #openstack-kolla		18:20
*** dciabrin has joined #openstack-kolla		18:20
*** jamesbenson has joined #openstack-kolla		18:24
*** serlex has joined #openstack-kolla		18:29
*** aagate has joined #openstack-kolla		18:50
inc0	kfox1111: I think we can't really use it because we run haproxy instead of kube load balancers right?	18:51
kfox1111	if you fronted your haproxies with ingress, it would work.	18:51
inc0	well...we could modify haproxy tls to use certs	18:51
inc0	or that	18:51
inc0	right	18:51
kfox1111	I want to do that too.	18:51
kfox1111	Ideally, you would have 2 layers of tls.	18:52
*** unicell has joined #openstack-kolla		18:52
SamYaple	inc0: you can do letencrypt in kolla-ansible easily https://yaple.net/2016/07/10/letsencrypt-haproxy-and-auto-renewal/	18:52
kfox1111	the user facing termination would be the only thing with the main certs.	18:52
SamYaple	its a little outdated, but its pretty straightforward	18:52
kfox1111	then it would use local certs from that pod to the services.	18:52
SamYaple	youll jsut want to have a letencrypt container running to serve requests	18:52
kfox1111	cool. :)	18:52
kfox1111	I'm really excited for the proposed wild card lets encrypt certs.	18:53
harlowja	has anyone seen this one (and knows the issue) @ https://gist.github.com/harlowja/ce809a62d26dcc63b2b6e932c987de1e ?	18:53
SamYaple	kfox1111: yea i dont know how i feel about that. i like the idea, but wild-card certs are poor security	18:54
SamYaple	i suppose if you are just using it for encryption then its a good thing	18:54
kfox1111	yeah. its better not to use them, but...	18:54
kfox1111	its way better then using nothing...	18:55
SamYaple	harlowja: looks like very old libvirt version. what are you trying ot build?	18:55
SamYaple	kfox1111: agreed. ive been slowly cultivating certs for years	18:55
kfox1111	but when you have a nice seperation of ingress has the widcard, and backends don't, its a bit safer too.	18:55
SamYaple	ive got ~600 unique certs	18:55
kfox1111	wow.	18:55
kfox1111	how often do you need to update one?	18:55
SamYaple	3 months	18:56
kfox1111	not too bad.	18:56
SamYaple	well they have rate limits you know? so its better to get them in. because you can update as many as you want, but you cant create them all from scratch	18:56
SamYaple	you get like 10 a week or something	18:56
kfox1111	the problem I have is no path from external to internal.	18:56
kfox1111	so I'd havve to place some web service externally to gather them,	18:56
SamYaple	so i have one for each service, nova-novncproxy.yaple.net neutron-server.yaple.net cinder-api.yaple.net etc	18:57
kfox1111	but do something more manual to get them inside. :/	18:57
SamYaple	hmm yea	18:57
kfox1111	a few wildcards would be much easier to transfer in,	18:57
SamYaple	i would just run an internal CA in that case	18:57
kfox1111	we do that. but I kind of hate it.	18:57
SamYaple	then you could actually do client certs	18:57
kfox1111	it breaks the internet trust model.	18:57
kfox1111	cause the holder of that ca can spoof anybody.	18:57
SamYaple	oh please the current CAs break the trust model	18:57
SamYaple	how many breaches exist?	18:58
kfox1111	some have. but they have also been kicked out.	18:58
SamYaple	this is for internal environment anyway	18:58
SamYaple	if someone is already internal and has your CA, you would be screwed anyway	18:58
kfox1111	the line between internal/external is often fuzzy. :/	18:58
*** lpetrut has joined #openstack-kolla		18:58
SamYaple	they would have your wildcard cert and key anyway	18:58
kfox1111	no, its more nuanced then that.	18:58
kfox1111	say you work for a compay A, and you also work with collaboration B.	18:59
kfox1111	both self sign their certs and expect you to load in their CA's into your browser.	18:59
kfox1111	both could spoof your bank and other sites.	18:59
kfox1111	yeah, you could keep a whole seperate browser chain of trust for each org.	18:59
kfox1111	but what a pain.... :/	19:00
kfox1111	better if they just had a proper chain of trust.	19:00
*** lpetrut has quit IRC		19:00
SamYaple	so they have hijacked your dns and have generated false certs	19:00
SamYaple	there are bigger issues there	19:01
*** lpetrut has joined #openstack-kolla		19:01
kfox1111	possible. but security is having many walls.	19:02
kfox1111	one of the collaborations I work with: https://www.opensciencegrid.org/ has a huge number of CA's in its own chain of trust.	19:02
kfox1111	if any of them has a breach, its a problem.	19:02
kfox1111	just seems like a bad idea to me. I think in general the main chain of trust is more secure then orgs.	19:03
SamYaple	i hear you. i fall on the otherside of that argument personally	19:04
SamYaple	but i was more refering to a CA per environment for openstack	19:04
kfox1111	yeah...	19:06
kfox1111	I really wish there was a way to do a CA per subdomain.	19:06
kfox1111	not, here's a ca. lets trust it for the world.	19:07
kfox1111	that part of the internet's very broken.	19:07
*** jrist has quit IRC		19:07
SamYaple	i like the idea of a blockchain "ca" where each domain is its own blockchain	19:08
SamYaple	you could sync that fairly quickly	19:08
kfox1111	+1	19:09
kfox1111	or, I think you could probably extend the dns security stuff to have a signed https ca record.	19:09
SamYaple	you could have the lax and paranoid setting there too. sync blockchain everytime you query dns (for revocation) or more relaxed for speed	19:10
kfox1111	probably woudn't need any software at all, other then have the browsers do an extra dns lookup.	19:10
SamYaple	oh jeez. want to talk about internet being broken its dns	19:10
kfox1111	hehe.	19:10
kfox1111	yeah, well, thats a whole nother conversation. :)	19:11
SamYaple	up until recently 6 people could independantly destroy the internet	19:11
SamYaple	crazy	19:11
kfox1111	indeed.	19:11
*** dciabrin has quit IRC		19:18
*** jrist has joined #openstack-kolla		19:20
harlowja	SamYaple mitaka but perhaps that version is busted	19:23
harlowja	anyway, if nobody else seen, that's ok, i'll figure it out :-P	19:24
SamYaple	harlowja: ah thats probably right for mitaka	19:25
SamYaple	but thats so old you probably wont get much help for it	19:25
SamYaple	newton is about to EOL, mitaka EOL'd 6 months ago	19:25
harlowja	ya, expected so	19:25
harlowja	sad fact is nobody can upgrade that i know of at the pace openstack releases things, ha	19:26
*** manheim has joined #openstack-kolla		19:40
*** manheim has quit IRC		19:41
*** manheim has joined #openstack-kolla		19:54
*** manheim has quit IRC		19:55
SamYaple	harlowja: no, i agree, but you are over 2 years behind now	19:57
SamYaple	most larger companies skip releases so they have once a year upgrades	19:58
*** manheim has joined #openstack-kolla		20:05
*** manheim has quit IRC		20:05
*** dciabrin has joined #openstack-kolla		20:06
kfox1111	yeah.... :/	20:06
kfox1111	I'm hoping once we get the kolla-kubernetes upgrade gates going,	20:07
kfox1111	to keep a copy of the mitaka deployment ones around, and the intermediary jobs,	20:07
kfox1111	so we can test a multi version upgrade.	20:07
kfox1111	start at mitaka, perform the upgrade jobs for each version up to trunk.	20:08
*** pcaruana has quit IRC		20:18
*** jamesbenson has quit IRC		20:22
*** jamesbenson has joined #openstack-kolla		20:22
*** jamesbenson has quit IRC		20:23
*** jamesbenson has joined #openstack-kolla		20:25
*** jamesbenson has quit IRC		20:26
*** jamesbenson has joined #openstack-kolla		20:27
*** rhallisey has quit IRC		20:34
*** manheim has joined #openstack-kolla		20:50
*** manheim has quit IRC		20:50
*** hrw has joined #openstack-kolla		20:56
*** erlon has joined #openstack-kolla		20:57
*** ansmith has quit IRC		20:58
*** jamesbenson has quit IRC		21:00
*** jascott1 has quit IRC		21:02
*** lpetrut has quit IRC		21:11
*** jascott1 has joined #openstack-kolla		21:15
*** jascott1 has quit IRC		21:18
*** jascott1 has joined #openstack-kolla		21:20
*** Pavo has joined #openstack-kolla		21:29
openstackgerrit	Eduardo Gonzalez proposed openstack/kolla master: Re-enable bifrost test_build https://review.openstack.org/465012	21:29
openstackgerrit	Eduardo Gonzalez proposed openstack/kolla master: Re-enable bifrost test_build https://review.openstack.org/465012	21:32
*** serlex has quit IRC		21:33
*** jamesbenson has joined #openstack-kolla		21:35
*** jamesbenson has quit IRC		21:38
*** manheim has joined #openstack-kolla		21:42
*** manheim has quit IRC		21:42
*** bmace has quit IRC		21:44
*** bmace has joined #openstack-kolla		21:45
*** ansmith has joined #openstack-kolla		21:49
*** Pavo has quit IRC		21:54
*** jamesbenson has joined #openstack-kolla		22:00
*** jamesbenson has quit IRC		22:02
*** jrist has quit IRC		22:14
openstackgerrit	OpenStack Proposal Bot proposed openstack/kolla-kubernetes master: Updated from global requirements https://review.openstack.org/509443	22:24
*** jrist has joined #openstack-kolla		22:35
*** gfidente has quit IRC		22:35
*** manheim has joined #openstack-kolla		22:52
*** dciabrin has quit IRC		23:04
*** vhosakot has quit IRC		23:05
*** vhosakot has joined #openstack-kolla		23:05
*** MasterOfBugs has joined #openstack-kolla		23:06
*** dciabrin has joined #openstack-kolla		23:16
*** manheim has quit IRC		23:41
*** MasterOfBugs has quit IRC		23:45
*** manheim has joined #openstack-kolla		23:48
*** jamesbenson has joined #openstack-kolla		23:49
*** jtriley has joined #openstack-kolla		23:52
*** jamesbenson has quit IRC		23:53

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!