Wednesday, 2018-06-06

« Tuesday, 2018-06-05 Index Thursday, 2018-06-07 »
*** markstur has quit IRC00:06
*** jmlowe has joined #openstack-manila00:19
*** eharney has quit IRC00:47
*** markstur has joined #openstack-manila00:51
*** harlowja has quit IRC01:10
*** threestrands_ has joined #openstack-manila01:33
*** threestrands has quit IRC01:36
*** kaisers_ has joined #openstack-manila01:37
*** kaisers has quit IRC01:40
*** markstur has quit IRC01:57
*** chrisyang_0660 has joined #openstack-manila02:45
chrisyang_0660Hi team, may I ask a core to review our patch? https://review.openstack.org/#/c/570771/02:46
*** jmlowe has quit IRC02:47
*** jmlowe has joined #openstack-manila02:56
*** markstur has joined #openstack-manila03:00
openstackgerritliushi proposed openstack/manila master: Config for cephfs volume and namespace prefixes  https://review.openstack.org/57202203:03
*** masuberu has quit IRC04:04
*** boris_42_ has quit IRC04:06
*** mvenesio has joined #openstack-manila04:13
*** harlowja has joined #openstack-manila04:17
*** kaisers_ has quit IRC04:35
*** kaisers has joined #openstack-manila04:36
*** kaisers has quit IRC04:40
*** harlowja has quit IRC04:45
*** kaisers has joined #openstack-manila05:08
*** kaisers has quit IRC05:13
*** mvenesio has quit IRC05:28
*** e0ne has joined #openstack-manila05:32
*** kaisers has joined #openstack-manila05:41
*** e0ne has quit IRC05:54
*** e0ne has joined #openstack-manila05:56
*** e0ne has quit IRC05:56
*** markstur has quit IRC05:58
*** masber has joined #openstack-manila06:04
*** pcaruana has joined #openstack-manila06:44
*** openstackgerrit has quit IRC07:19
*** rishabh has joined #openstack-manila07:20
*** rishabh is now known as Guest9927407:21
*** masber has quit IRC07:27
*** dsariel has joined #openstack-manila07:28
*** masber has joined #openstack-manila07:35
*** masuberu has joined #openstack-manila07:39
*** masber has quit IRC07:43
*** openstackgerrit has joined #openstack-manila07:50
openstackgerritYong Huang proposed openstack/manila stable/queens: [Manila Unity] Set unity_server_meta_pool option as required  https://review.openstack.org/57268707:50
*** e0ne has joined #openstack-manila07:51
*** a-pugachev has joined #openstack-manila07:59
*** threestrands_ has quit IRC08:03
*** dsariel has quit IRC08:14
*** kaisers has quit IRC08:15
*** e0ne has quit IRC08:34
*** e0ne has joined #openstack-manila08:35
*** kaisers has joined #openstack-manila08:45
*** e0ne_ has joined #openstack-manila08:50
*** e0ne has quit IRC08:51
openstackgerritzhongjun proposed openstack/manila master: Added share server in ensure shares method  https://review.openstack.org/57270508:57
*** e0ne has joined #openstack-manila09:00
*** e0ne_ has quit IRC09:00
*** YuYangWang has joined #openstack-manila09:29
*** rraja__ has joined #openstack-manila09:43
*** dsariel has joined #openstack-manila10:14
*** e0ne_ has joined #openstack-manila10:22
*** e0ne has quit IRC10:24
tbarronchrisyang_0660: reviewed.  It looks good except that the release note needs a tweak.10:42
*** ganso has joined #openstack-manila10:52
gansozhongjun_: ping10:56
*** erlon has joined #openstack-manila11:02
*** scorcoran_afk has joined #openstack-manila11:05
*** scorcoran_afk is now known as scorcoran11:06
*** ubijtsa has joined #openstack-manila11:10
*** ubijtsa is now known as assassin11:10
*** Guest99274 has quit IRC11:13
*** luizbag has joined #openstack-manila11:30
*** a-pugachev has quit IRC11:39
*** assassin has quit IRC11:44
*** vgreen has joined #openstack-manila11:57
*** rraja_ has joined #openstack-manila12:00
*** rraja__ has quit IRC12:03
*** scorcoran is now known as scorcoran_mtg12:05
*** radmacher has joined #openstack-manila12:18
*** AlexeyAbashkin has joined #openstack-manila12:29
*** rraja_ has quit IRC12:30
*** tpsilva has joined #openstack-manila12:30
*** eharney has joined #openstack-manila12:34
*** rraja_ has joined #openstack-manila12:39
openstackgerritNir Gilboa proposed openstack/manila-tempest-plugin master: Move shared logic to base scenario test class  https://review.openstack.org/53605912:42
*** sapcc-bot2 has quit IRC12:49
*** sapcc-bot has quit IRC12:49
*** sapcc-bot has joined #openstack-manila12:50
*** sapcc-bot9 has joined #openstack-manila12:50
*** rishabh has joined #openstack-manila13:04
*** rishabh has quit IRC13:04
radmacherDoes anyone here have experience with the NetApp driver? Im trying to figure out some supported implementation options and how to deal with multi tennant security.13:06
*** dustins has joined #openstack-manila13:07
tbarronganso: bswartz ^^^^^13:22
tbarronradmacher: probably just go on and ask your questions and people will pick up as they are able13:22
gansoradmacher: Hi13:22
*** kaisers has quit IRC13:23
*** kaisers has joined #openstack-manila13:23
tbarronradmacher: also this is a good guide: http://netapp.github.io/openstack-deploy-ops-guide/ocata/content/ch_manila.html13:24
radmacherHey. I am curious about how to secure and isolate multi tenant access over a shared storage vlan. I spoke with someone at NetApp at the OpenStack Summit and he mentioned a design that let instances have a private tenant network used for storage but then use neutron to translate that access down into a shared provider vlan network via floating IPs. This would provide tenant isolation and let us13:25
radmachermanage nfs mount access on the NetApp side via the floating IPs.13:25
radmacherThe problem is that I cant find any documentation describing this.13:26
tbarronradmacher: and see https://www.openstack.org/assets/presentation-media/What-the-heck-DHSS.pdf w.r.t. multi-tenancy options13:26
radmacherThank you for those links. The first deployment guide is something I have run across already and from what I can parse does not cover the situation I was thinking of. Ill read this PDF now.13:28
*** kambiz has quit IRC13:33
*** kambiz has joined #openstack-manila13:33
*** Alexey_Abashkin has joined #openstack-manila13:51
*** AlexeyAbashkin has quit IRC13:53
*** Alexey_Abashkin is now known as AlexeyAbashkin13:53
*** dustins has quit IRC13:57
gansoradmacher: sorry for the delay, I'm in a meeting. You can find instructions how to set up the DHSS=True (or Multi-SVM in NetApp vocabulary) in https://netapp-openstack-dev.github.io/openstack-docs/queens/ch_manila.html13:58
*** DorZ has joined #openstack-manila13:59
DorZHey there. How can I get up the web dashboard?13:59
DorZor is it by default up and I dont know the port?14:00
gansoradmacher: there are several ways to configure your network, but the one described in the guide is that you configure neutron to  create tenant networks with VLANs from a provider network which is directly connected to the storage. The VMs will be created on this network as well, so they talk directly to the storage over this VLAN securely14:01
gansoradmacher: on the storage side, a new vserver will be created for each share network, making sure that one VM that is in one share network cannot access resources from another share network that it is not in14:02
radmacherganso: what if we were not able to use vservers/svms14:07
DorZhey. how can I create new (first) project on manila? tried to execute manila create but it ask me for alot of details14:17
gansoradmacher: not sure if I understand your use case, "vserver"/"svm" is how netapp storage segregates tenants, so you need to have at least 1 in your storage. Whether it will be 1 vserver/svm per tenant or 1 shared across all tenants depends on how you configure the manila driver mode14:19
radmacherYeah, it will be one vserver/svm shared between all of our openstack tenants14:23
radmacherthe model I had in my head, that I understood from the conversation I had with the NetApp person, was that we would have a single storage vlan with a single vserver attached to all of our compute hosts. That VLAN would be presented as a provider vlan of which we pulled floating IPs from. Tenants would then have private tenant netwokrs attached to their instance storage interfaces that would14:26
radmacherthen use the previously mentioned floating IPs to associate to specific instances and allow access to the vserver.14:26
*** AlexeyAbashkin has quit IRC14:28
*** AlexeyAbashkin has joined #openstack-manila14:36
gansoradmacher: oh I understand it know, it is a DHSS=False / Single-SVM setup14:36
gansoradmacher: in that case the network is a wildcard and the storage configuration is not that relevant in that case14:36
radmacherok, thats helpful. Ill keep that in mind as I go through this slide deck. Thank You.14:38
*** scorcoran_mtg is now known as scorcoran14:38
gansoradmacher: in the link that tbarron said you can see some tips to achieve isolation using DHSS=False. It would be good to get your neutron expert involved to weigh in as well14:39
gansoradmacher: ideally (IMOO) you shouldn't have to rely on floating ips to allow connectivity to the storage14:39
radmacherfor what reason?14:39
gansoradmacher: s/IMOO/IMO14:40
gansoradmacher: in a regular environment floating ips usually connect VMs to the external world, most of the times that is not ideal to connect VMs to the storage network. There should be a network path from VMs to the storage network that doesn't go through the external network14:40
*** scorcoran is now known as scorcoran_food14:41
radmacherI can agree with that. My problem is that given the requirement for us to not use multiple vservers Im not sure how else to provide isolation.14:42
radmacherThis would also not be an "external" network. But a seperate storage only interface that the instance uses to mount NFS. Its external in openstack parlance but not out to the public network.14:43
rraja_batrick, ping14:44
gansoradmacher: oh cool, but in that I believe floating ips are not necessary to connect to that storage network. Just a virtual router should be enough14:44
rraja_batrick, can you take a look at this patch, https://review.openstack.org/#/c/572022/14:44
radmacherganso: this is true. For some reason I had both fused together in my head. The storage system would just route traffic to the tenant networks via the attached virtual router. no need for translations. Is this something that can be end to end provisioned with Manila?14:46
rraja_batrick, the code itself is fine. I just feel that the configurables need a better description or something is missing. please add your comments if any to that review14:47
tbarronradmacher: with a different backend (ceph-nfs) and DHSS=false we use a separate isolated network in the data centre for the NFS exports14:48
tbarronradmacher: we make a neutron provider network (shared) that maps to this data center network14:49
tbarronradmacher: and we boot VMs with two nics14:49
tbarronrraja_: the first nic is on the tenant private network and can get floating IPs with a tenant-owned router14:50
tbarronrraja_: sorry14:50
radmachertbarron: that is exactly what we are thinking of. How do you manage tenant isolation though? Is it a seperate isolated network per tenant or do they all share that network?14:50
tbarronradmacher: ^^14:50
tbarronradmacher: that nic has nothing to do with the nfs service14:50
tbarronradmacher: the second nic acquires an address on the "StorageNFS" network and mounts shares over it14:51
tbarronradmacher: no floating IPs are required; they get IPs from that net's allocation pool directly14:51
*** scorcoran_food is now known as scorcoran_mtg14:51
gansoradmacher: not sure what you mean by Manila provisioning that end-to-end, in DHSS=False mode all network configuration is manual, done by the admnistrator, and manila doesn't get involved like in DHSS=True where Manila does all the setup for you14:51
tbarronradmacher: default security rules disallow ping, ssh among VMs on that network belonging to different tenants14:52
tbarronradmacher: they share the same network and server, so there is potential resource contention but14:52
tbarronradmacher: there should not be direct VM to VM access issues14:52
radmachertbarron: and you are trusting that neutron wont let an instance change its IP so it would then be allowed to mount a share that it shouldnt?14:53
tbarronradmacher: need to have arp spoofing protection on that net14:53
tbarronradmacher: but if you have a netapp I'd be inclined to go with the DHSS=True approach14:54
gansotbarron: depends if radmacher needs replication or manage features14:55
radmachertbarron: what you described is how we have it currently. I was just wondering if we could get further isolation. What gansol and I were discussing sounds like it might be that ticket.14:55
tbarronradmacher: in the future we want to take a similar approach for cephfs-nfs but are atm constrained by the current ganesha (nfs-gateway) implementation14:55
tbarronradmacher: which is being worked on14:55
gansotoo bad those features are not yet available in DHSS=True14:55
tbarronganso: ack14:56
radmacherganso: Im not sure what you mean about replication/manage features.14:56
tbarronDorZ: don't mean to be ignoring your questions.  Did you succeed in accessing the OpenStack dashboard?15:00
*** dsariel has quit IRC15:00
*** markstur has joined #openstack-manila15:09
*** dsariel has joined #openstack-manila15:13
*** AlexeyAbashkin has quit IRC15:14
*** AlexeyAbashkin has joined #openstack-manila15:16
*** pcaruana has quit IRC15:23
gansoradmacher: those are manila features that NetApp backend supports, but only in DHSS=False15:40
*** rraja_ has quit IRC15:42
radmacherganso: ah. gotcha15:47
*** erlon_ has joined #openstack-manila15:54
*** erlon has quit IRC15:54
*** dustins has joined #openstack-manila15:58
*** scorcoran_mtg is now known as scorcoran_biab16:02
*** scorcoran_biab is now known as scorcoran16:28
batricktbarron: how do I submit a comment in gerrit?16:49
batricki am trying to reply to the patchset linked to by rraja16:49
batrickmy comment is in "draft" but i don't see a way to submit lol16:49
tbarronbatrick: are you logged in to gerrit?16:49
batricki think so16:50
batrickit had me go to ubuntu one or something to create an account16:51
batrickand my name is at the top-right16:51
gouthamrthere's a "Reply" button16:53
gouthamron the landing page for the change..16:53
tbarronbatrick: ok, the hard part is done, use 'Reply' as gouthamr said16:54
tbarronbatrick: and thanks for helping on that review16:55
batrickoh, the reply button is on the main changeset page16:56
batricki was looking for it on the place i made the comment: https://review.openstack.org/#/c/572022/6//COMMIT_MSG16:56
*** AlexeyAbashkin has quit IRC16:57
tbarronbatrick: that's too reasonable16:57
gouthamrbatrick: you can make comments on all the files that are in the change, and then post them at once with the "Reply" and your vote on the code -1,0,+116:57
*** e0ne_ has quit IRC17:01
*** dustins_ has joined #openstack-manila17:22
*** dustins has quit IRC17:25
*** kaisers has quit IRC17:47
*** e0ne has joined #openstack-manila17:58
*** boris_42_ has joined #openstack-manila18:07
*** jmlowe has quit IRC18:23
*** kaisers has joined #openstack-manila18:24
*** scorcoran is now known as scorcoran_afk18:25
*** dsariel has quit IRC18:57
*** kaisers has quit IRC19:00
*** jmlowe has joined #openstack-manila19:03
*** jmlowe has quit IRC19:04
*** jmlowe has joined #openstack-manila19:05
*** vgreen has quit IRC19:22
*** e0ne has quit IRC19:22
*** scorcoran_afk has quit IRC19:30
openstackgerritNir Gilboa proposed openstack/manila-tempest-plugin master: Move shared logic to base scenario test class  https://review.openstack.org/53605919:33
*** kaisers has joined #openstack-manila19:41
*** kaisers has quit IRC19:46
*** jmlowe has quit IRC19:50
*** luizbag has quit IRC19:55
*** scorcoran_afk has joined #openstack-manila20:00
*** e0ne has joined #openstack-manila20:01
*** jmlowe has joined #openstack-manila20:07
*** ganso has quit IRC20:08
*** dsariel has joined #openstack-manila20:18
radmacher /script load usercount.pl20:24
*** e0ne has quit IRC20:30
*** jmlowe has quit IRC21:05
openstackgerritSean McGinnis proposed openstack/manila master: Default pylint to run using python3  https://review.openstack.org/57299121:14
*** jmlowe has joined #openstack-manila21:25
*** batrick has quit IRC21:31
*** dims has left #openstack-manila21:32
*** batrick has joined #openstack-manila21:34
*** kaisers has joined #openstack-manila21:42
*** dustins_ has quit IRC22:00
*** kaisers has quit IRC22:06
*** markstur has quit IRC22:18
*** jmlowe has quit IRC22:24
*** DorZ has quit IRC22:37
*** tpsilva has quit IRC22:40
*** jmlowe has joined #openstack-manila22:45
*** threestrands has joined #openstack-manila22:51
*** jmlowe has quit IRC23:22
*** jmlowe has joined #openstack-manila23:24
*** kaisers has joined #openstack-manila23:45
*** kaisers has quit IRC23:50
openstackgerritGoutham Pacha Ravi proposed openstack/manila master: Use class name in invocation of super  https://review.openstack.org/57304023:51
« Tuesday, 2018-06-05 Index Thursday, 2018-06-07 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!