From mgagne at iweb.com Wed Apr 1 00:06:03 2015 From: mgagne at iweb.com (=?UTF-8?Q?Mathieu_Gagn=c3=a9?=) Date: Tue, 31 Mar 2015 20:06:03 -0400 Subject: [Openstack-operators] Security around enterprise credentials and OpenStack API Message-ID: <551B366B.1090607@iweb.com> Hi, Lets say I wish to use an existing enterprise LDAP service to manage my OpenStack users so I only have one place to manage users. How would you manage authentication and credentials from a security point of view? Do you tell your users to use their enterprise credentials or do you use an other method/credentials? The reason is that (usually) enterprise credentials also give access to a whole lot of systems other than OpenStack itself. And it goes without saying that I'm not fond of the idea of storing my password in plain text to be used by some scripts I created. What's your opinion/suggestion? Do you guys have a second credential system solely used for OpenStack? -- Mathieu From matt at mattfischer.com Wed Apr 1 00:35:08 2015 From: matt at mattfischer.com (Matt Fischer) Date: Tue, 31 Mar 2015 18:35:08 -0600 Subject: [Openstack-operators] Security around enterprise credentials and OpenStack API In-Reply-To: <551B366B.1090607@iweb.com> References: <551B366B.1090607@iweb.com> Message-ID: Mathieu, We LDAP (AD) with a fallback to MySQL. This allows us to store service accounts (like nova) and "team accounts" for use in Jenkins/scripts etc in MySQL. We only do Identity via LDAP and we have a forked copy of this driver (https://github.com/SUSE-Cloud/keystone-hybrid-backend) to do this. We don't have any permissions to write into LDAP or move people into groups, so we keep a copy of users locally for purposes of user-list operations. The only interaction between OpenStack and LDAP for us is when that driver tries a bind. On Tue, Mar 31, 2015 at 6:06 PM, Mathieu Gagn? wrote: > Hi, > > Lets say I wish to use an existing enterprise LDAP service to manage my > OpenStack users so I only have one place to manage users. > > How would you manage authentication and credentials from a security > point of view? Do you tell your users to use their enterprise > credentials or do you use an other method/credentials? > > The reason is that (usually) enterprise credentials also give access to > a whole lot of systems other than OpenStack itself. And it goes without > saying that I'm not fond of the idea of storing my password in plain > text to be used by some scripts I created. > > What's your opinion/suggestion? Do you guys have a second credential > system solely used for OpenStack? > > -- > Mathieu > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > -------------- next part -------------- An HTML attachment was scrubbed... URL: From marc.heckmann at ubisoft.com Wed Apr 1 02:58:47 2015 From: marc.heckmann at ubisoft.com (Marc Heckmann) Date: Wed, 1 Apr 2015 02:58:47 +0000 Subject: [Openstack-operators] Security around enterprise credentials and OpenStack API In-Reply-To: References: <551B366B.1090607@iweb.com> Message-ID: Hi all, I was going to post a similar question this evening, so I decided to just bounce on Mathieu?s question. See below inline. > On Mar 31, 2015, at 8:35 PM, Matt Fischer wrote: > > Mathieu, > > We LDAP (AD) with a fallback to MySQL. This allows us to store service accounts (like nova) and "team accounts" for use in Jenkins/scripts etc in MySQL. We only do Identity via LDAP and we have a forked copy of this driver (https://github.com/SUSE-Cloud/keystone-hybrid-backend) to do this. We don't have any permissions to write into LDAP or move people into groups, so we keep a copy of users locally for purposes of user-list operations. The only interaction between OpenStack and LDAP for us is when that driver tries a bind. > > > >> On Tue, Mar 31, 2015 at 6:06 PM, Mathieu Gagn? wrote: >> Hi, >> >> Lets say I wish to use an existing enterprise LDAP service to manage my >> OpenStack users so I only have one place to manage users. >> >> How would you manage authentication and credentials from a security >> point of view? Do you tell your users to use their enterprise >> credentials or do you use an other method/credentials? We too have integration with enterprise credentials through LDAP, but as you suggest, we certainly don?t want users to use those credentials in scripts or store them on instances. Instead we have a custom Web portal where they can create separate Keystone credentials for their project/tenant which are stored in Keystone?s MySQL database. Our LDAP integration actually happens at a level above Keystone. We don?t actually let users acquire Keystone tokens using their LDAP accounts. We?re not really happy with this solution, it?s a hack and we are looking to revamp it entirely. The problem is that I never have been able to find a clear answer on how to do this with Keystone. I?m actually quite partial to the way AWS IAM works. Especially the instance ?role" features. Roles in AWS IAM is similar to TRUSTS in Keystone except that it is integrated into the instance metadata. It?s pretty cool. Other than that, RBAC policies in Openstack get us a good way towards IAM like functionality. We just need a policy editor in Horizon. Anyway, the problem is around delegation of credentials which are used non-interactively. We need to limit what those users can do (through RBAC policy) but also somehow make the credentials ephemeral. If someone (Keystone developer?) could point us in the right direction, that would be great. Thanks in advance. >> >> The reason is that (usually) enterprise credentials also give access to >> a whole lot of systems other than OpenStack itself. And it goes without >> saying that I'm not fond of the idea of storing my password in plain >> text to be used by some scripts I created. >> >> What's your opinion/suggestion? Do you guys have a second credential >> system solely used for OpenStack? >> >> -- >> Mathieu >> >> _______________________________________________ >> OpenStack-operators mailing list >> OpenStack-operators at lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >> > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators From comnea.dani at gmail.com Wed Apr 1 06:17:50 2015 From: comnea.dani at gmail.com (Daniel Comnea) Date: Wed, 1 Apr 2015 07:17:50 +0100 Subject: [Openstack-operators] Security around enterprise credentials and OpenStack API In-Reply-To: References: <551B366B.1090607@iweb.com>

Message-ID: + developers mailing list, hopefully a developer might be able to chime in. On Wed, Apr 1, 2015 at 3:58 AM, Marc Heckmann wrote: > Hi all, > > I was going to post a similar question this evening, so I decided to just > bounce on Mathieu?s question. See below inline. > > > On Mar 31, 2015, at 8:35 PM, Matt Fischer wrote: > > > > Mathieu, > > > > We LDAP (AD) with a fallback to MySQL. This allows us to store service > accounts (like nova) and "team accounts" for use in Jenkins/scripts etc in > MySQL. We only do Identity via LDAP and we have a forked copy of this > driver (https://github.com/SUSE-Cloud/keystone-hybrid-backend) to do > this. We don't have any permissions to write into LDAP or move people into > groups, so we keep a copy of users locally for purposes of user-list > operations. The only interaction between OpenStack and LDAP for us is when > that driver tries a bind. > > > > > > > >> On Tue, Mar 31, 2015 at 6:06 PM, Mathieu Gagn? wrote: > >> Hi, > >> > >> Lets say I wish to use an existing enterprise LDAP service to manage my > >> OpenStack users so I only have one place to manage users. > >> > >> How would you manage authentication and credentials from a security > >> point of view? Do you tell your users to use their enterprise > >> credentials or do you use an other method/credentials? > > We too have integration with enterprise credentials through LDAP, but as > you suggest, we certainly don?t want users to use those credentials in > scripts or store them on instances. Instead we have a custom Web portal > where they can create separate Keystone credentials for their > project/tenant which are stored in Keystone?s MySQL database. Our LDAP > integration actually happens at a level above Keystone. We don?t actually > let users acquire Keystone tokens using their LDAP accounts. > > We?re not really happy with this solution, it?s a hack and we are looking > to revamp it entirely. The problem is that I never have been able to find a > clear answer on how to do this with Keystone. > > I?m actually quite partial to the way AWS IAM works. Especially the > instance ?role" features. Roles in AWS IAM is similar to TRUSTS in Keystone > except that it is integrated into the instance metadata. It?s pretty cool. > > Other than that, RBAC policies in Openstack get us a good way towards IAM > like functionality. We just need a policy editor in Horizon. > > Anyway, the problem is around delegation of credentials which are used > non-interactively. We need to limit what those users can do (through RBAC > policy) but also somehow make the credentials ephemeral. > > If someone (Keystone developer?) could point us in the right direction, > that would be great. > > Thanks in advance. > > >> > >> The reason is that (usually) enterprise credentials also give access to > >> a whole lot of systems other than OpenStack itself. And it goes without > >> saying that I'm not fond of the idea of storing my password in plain > >> text to be used by some scripts I created. > >> > >> What's your opinion/suggestion? Do you guys have a second credential > >> system solely used for OpenStack? > >> > >> -- > >> Mathieu > >> > >> _______________________________________________ > >> OpenStack-operators mailing list > >> OpenStack-operators at lists.openstack.org > >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > >> > > _______________________________________________ > > OpenStack-operators mailing list > > OpenStack-operators at lists.openstack.org > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Wed Apr 1 19:19:42 2015 From: ayoung at redhat.com (Adam Young) Date: Wed, 01 Apr 2015 15:19:42 -0400 Subject: [Openstack-operators] Security around enterprise credentials and OpenStack API In-Reply-To: References: <551B366B.1090607@iweb.com>

Message-ID: <551C44CE.8000508@redhat.com> On 03/31/2015 10:58 PM, Marc Heckmann wrote: > Hi all, > > I was going to post a similar question this evening, so I decided to just bounce on Mathieu?s question. See below inline. > >> On Mar 31, 2015, at 8:35 PM, Matt Fischer wrote: >> >> Mathieu, >> >> We LDAP (AD) with a fallback to MySQL. This allows us to store service accounts (like nova) and "team accounts" for use in Jenkins/scripts etc in MySQL. We only do Identity via LDAP and we have a forked copy of this driver (https://github.com/SUSE-Cloud/keystone-hybrid-backend) to do this. We don't have any permissions to write into LDAP or move people into groups, so we keep a copy of users locally for purposes of user-list operations. The only interaction between OpenStack and LDAP for us is when that driver tries a bind. >> >> >> >>> On Tue, Mar 31, 2015 at 6:06 PM, Mathieu Gagn? wrote: >>> Hi, >>> >>> Lets say I wish to use an existing enterprise LDAP service to manage my >>> OpenStack users so I only have one place to manage users. >>> >>> How would you manage authentication and credentials from a security >>> point of view? Do you tell your users to use their enterprise >>> credentials or do you use an other method/credentials? > We too have integration with enterprise credentials through LDAP, but as you suggest, we certainly don?t want users to use those credentials in scripts or store them on instances. Instead we have a custom Web portal where they can create separate Keystone credentials for their project/tenant which are stored in Keystone?s MySQL database. Our LDAP integration actually happens at a level above Keystone. We don?t actually let users acquire Keystone tokens using their LDAP accounts. > > We?re not really happy with this solution, it?s a hack and we are looking to revamp it entirely. The problem is that I never have been able to find a clear answer on how to do this with Keystone. > > I?m actually quite partial to the way AWS IAM works. Especially the instance ?role" features. Roles in AWS IAM is similar to TRUSTS in Keystone except that it is integrated into the instance metadata. It?s pretty cool. > > Other than that, RBAC policies in Openstack get us a good way towards IAM like functionality. We just need a policy editor in Horizon. > > Anyway, the problem is around delegation of credentials which are used non-interactively. We need to limit what those users can do (through RBAC policy) but also somehow make the credentials ephemeral. > > If someone (Keystone developer?) could point us in the right direction, that would be great. Kerberos. Works well for Keystone. http://adam.younglogic.com/2014/07/kerberos-for-horizon-and-keystone/ We are working on Kerberos support for Horizon as well, but we might not get it blessed by Kilo time frame. I think there might be a better approach on the Horizon front using SSSD and Federation: http://adam.younglogic.com/2015/03/key-fed-lookup-redux/ That will likely work with Horizon as is (in Kilo) but I have not yet tested it...doing so is on my short list. What CERN is doing is using SAML for everything, and using ADFS with a discovery page to let you use X509, Kerberos, or Password to get a SAML assertion, and then handing that over to Horizon. SAML against Keystone CLI wise requires ECP support on the SAML side...you've been warned,. > > Thanks in advance. > >>> The reason is that (usually) enterprise credentials also give access to >>> a whole lot of systems other than OpenStack itself. And it goes without >>> saying that I'm not fond of the idea of storing my password in plain >>> text to be used by some scripts I created. >>> >>> What's your opinion/suggestion? Do you guys have a second credential >>> system solely used for OpenStack? >>> >>> -- >>> Mathieu >>> >>> _______________________________________________ >>> OpenStack-operators mailing list >>> OpenStack-operators at lists.openstack.org >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >>> >> _______________________________________________ >> OpenStack-operators mailing list >> OpenStack-operators at lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators From klindgren at godaddy.com Wed Apr 1 22:27:34 2015 From: klindgren at godaddy.com (Kris G. Lindgren) Date: Wed, 1 Apr 2015 22:27:34 +0000 Subject: [Openstack-operators] Fwd: [openstack-dev] [release] oslo.messaging 1.8.1 In-Reply-To: References: <51E25278-E5AD-4197-A85B-AFF8C57F1294@doughellmann.com> Message-ID: Also, If you are running oslo.messaging 1.8.1 or higher and are wondering why you are no longer seeing notifications from nova. Change notification_driver=nova.openstack.common.notifier.rpc_notifier to notification_driver=messaging and you will start seeing notifications for nova events again. I assume this will apply to other services as well - but we are configured to receive notifications from nova. ____________________________________________ Kris Lindgren Senior Linux Systems Engineer GoDaddy, LLC. On 3/25/15, 8:30 AM, "Davanum Srinivas" wrote: >FYI. for those waiting to try oslo.messaging rabbitmq heartbeat support. > >-- dims > >---------- Forwarded message ---------- >From: Doug Hellmann >Date: Wed, Mar 25, 2015 at 10:13 AM >Subject: [openstack-dev] [release] oslo.messaging 1.8.1 >To: "OpenStack Development Mailing List (not for usage questions)" > > > >We are pleased to announce the release of: > >oslo.messaging 1.8.1: Oslo Messaging API > >This is a Kilo-series patch release, fixing several bugs. > >For more details, please see the git log history below and: > > http://launchpad.net/oslo.messaging/+milestone/1.8.1 > >Please report issues through launchpad: > > http://bugs.launchpad.net/oslo.messaging > >Changes in oslo.messaging 1.8.0..1.8.1 >-------------------------------------- > >57fad97 Publish tracebacks only on debug level >b5f91b2 Reconnect on connection lost in heartbeat thread >ac8bdb6 cleanup connection pool return >ee18dc5 rabbit: Improves logging >db99154 fix up verb tense in log message >64bdd80 rabbit: heartbeat implementation >9b14d1a Add support for multiple namespaces in Targets > >Diffstat (except docs and test files) >------------------------------------- > >oslo_messaging/_drivers/amqp.py | 44 ++- >oslo_messaging/_drivers/amqpdriver.py | 15 +- >oslo_messaging/_drivers/impl_qpid.py | 2 +- >oslo_messaging/_drivers/impl_rabbit.py | 346 >++++++++++++++++++++--- >oslo_messaging/rpc/dispatcher.py | 2 +- >oslo_messaging/target.py | 9 +- >11 files changed, 541 insertions(+), 70 deletions(-) >__________________________________________________________________________ >OpenStack Development Mailing List (not for usage questions) >Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > >-- >Davanum Srinivas :: https://twitter.com/dims > >_______________________________________________ >OpenStack-operators mailing list >OpenStack-operators at lists.openstack.org >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators From harlowja at outlook.com Wed Apr 1 22:39:31 2015 From: harlowja at outlook.com (Joshua Harlow) Date: Wed, 1 Apr 2015 15:39:31 -0700 Subject: [Openstack-operators] Fwd: [openstack-dev] [release] oslo.messaging 1.8.1 In-Reply-To: References: <51E25278-E5AD-4197-A85B-AFF8C57F1294@doughellmann.com> Message-ID: I hope that in the future https://review.openstack.org/#/c/140318/ can help out making this more obvious; as a good example set that works can be very very helpful to understand why/what the options are... Docs that are good would help to... Kris G. Lindgren wrote: > Also, > > If you are running oslo.messaging 1.8.1 or higher and are wondering why > you are no longer seeing notifications from nova. Change > notification_driver=nova.openstack.common.notifier.rpc_notifier to > notification_driver=messaging and you will start seeing notifications for > nova events again. I assume this will apply to other services as well - > but we are configured to receive notifications from nova. > > ____________________________________________ > > Kris Lindgren > Senior Linux Systems Engineer > GoDaddy, LLC. > > > > > On 3/25/15, 8:30 AM, "Davanum Srinivas" wrote: > >> FYI. for those waiting to try oslo.messaging rabbitmq heartbeat support. >> >> -- dims >> >> ---------- Forwarded message ---------- >> From: Doug Hellmann >> Date: Wed, Mar 25, 2015 at 10:13 AM >> Subject: [openstack-dev] [release] oslo.messaging 1.8.1 >> To: "OpenStack Development Mailing List (not for usage questions)" >> >> >> >> We are pleased to announce the release of: >> >> oslo.messaging 1.8.1: Oslo Messaging API >> >> This is a Kilo-series patch release, fixing several bugs. >> >> For more details, please see the git log history below and: >> >> http://launchpad.net/oslo.messaging/+milestone/1.8.1 >> >> Please report issues through launchpad: >> >> http://bugs.launchpad.net/oslo.messaging >> >> Changes in oslo.messaging 1.8.0..1.8.1 >> -------------------------------------- >> >> 57fad97 Publish tracebacks only on debug level >> b5f91b2 Reconnect on connection lost in heartbeat thread >> ac8bdb6 cleanup connection pool return >> ee18dc5 rabbit: Improves logging >> db99154 fix up verb tense in log message >> 64bdd80 rabbit: heartbeat implementation >> 9b14d1a Add support for multiple namespaces in Targets >> >> Diffstat (except docs and test files) >> ------------------------------------- >> >> oslo_messaging/_drivers/amqp.py | 44 ++- >> oslo_messaging/_drivers/amqpdriver.py | 15 +- >> oslo_messaging/_drivers/impl_qpid.py | 2 +- >> oslo_messaging/_drivers/impl_rabbit.py | 346 >> ++++++++++++++++++++--- >> oslo_messaging/rpc/dispatcher.py | 2 +- >> oslo_messaging/target.py | 9 +- >> 11 files changed, 541 insertions(+), 70 deletions(-) >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> >> -- >> Davanum Srinivas :: https://twitter.com/dims >> >> _______________________________________________ >> OpenStack-operators mailing list >> OpenStack-operators at lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators From george.shuklin at gmail.com Thu Apr 2 12:11:05 2015 From: george.shuklin at gmail.com (George Shuklin) Date: Thu, 02 Apr 2015 15:11:05 +0300 Subject: [Openstack-operators] Hundreds of instances per host Message-ID: <551D31D9.8080100@gmail.com> Hello. Did someone have experience with many-many instances on a single host? What kind of issues you find on '200 instances' (300) borderline? Any specific performance issues, stability? (KVM) I've just start playing with that idea and I see that 150 instances consume significant amount of CPU for nothing (300%, with 4% per qemu process), and libvirtd eats for 30% in the peak, plus about 11% for nova-compute. But this is in the lab conditions. Any real-life experience? Thanks! From stefano at openstack.org Fri Apr 3 21:59:33 2015 From: stefano at openstack.org (Stefano Maffulli) Date: Fri, 03 Apr 2015 14:59:33 -0700 Subject: [Openstack-operators] OpenStack Community Weekly Newsletter (Mar 27 - Apr 3) Message-ID: <1428098373.7280.17.camel@sputacchio.gateway.2wire.net> Game changer: inside Adobe?s new Marketing Cloud architecture The Adobe Marketing Cloud powers software-as-a-service marketing for outfits such as the Los Angeles Kings, eBags and Verizon Wireless. When the IT infrastructure team in Adobe?s Digital Marketing group realized it was time for an evolutionary revamp, it turned to OpenStack and VMware to up its game. Nominations for OpenStack PTLs (Program Technical Leads) are now open Nominations for OpenStack PTLs (Program Technical Leads) are now open and will remain open until April 9, 2015 05:59 UTC. To announce your candidacy please start a new openstack-dev at lists.openstack.org mailing list thread with the program name as a tag, example [Glance] PTL Candidacy with the body as your announcement of intent. People who are not the candidate, please refrain from posting +1 to the candidate announcement posting. Additional information about the nomination process can be found on the wiki. Additions to OpenStack git namespace * Magnum is now in the openstack git namespace * [congress] is an openstack project The Road to Vancouver * Sign up for OpenStack Upstream Training in Vancouver * Canada Visa Information * Official Hotel Room Blocks * 2015 OpenStack T-Shirt Design Contest * Preparation to Design summit * Liberty Design Summit planning * [Nova] Tracking ideas for summit sessions * [QA] Tracking Ideas for Summit Sessions * [neutron] Design Summit Session etherpad Relevant Conversations * The Evolution of core developer to maintainer? * [Nova][Neutron] Status of the nova-network to Neutron migration work * "First App" Tutorial for OpenStack * [api] Erring is Caring: An API Working Group Guideline for Errors * "The Security Team" for OpenStack Deadlines and Development Priorities * [Nova] Identifying release critical bugs in Kilo * [neutron] FF and our march towards the RC * [cinder] Proposals for Liberty Summit * [Cinder] Bug Triage - Call for Participation * [sahara] Design summit proposals for Liberty Summit * [Nova] Liberty specs are now open * [neutron] Liberty Specs are now open! Security Advisories and Notices * None Tips ?n Tricks * By Victoria Mart?nez de la Cruz: Creation of Trove-Compatible Images for RDO Reports from Previous Events * OpenStack QA Code Sprint in NYC * Best Practices and Considerations Deploying OpenStack In Production Upcoming Events * Apr 06 - 07, 2015 April Meetup: ?I Can Haz Moar Networks?? w/Midokura & Cumulus Networks Morrisville, NC, US * Apr 07, 2015 April Sydney Meetup * Apr 08 - 16, 2015 PyCon 2015 Montreal, Quebec, CA * Apr 08 - 09, 2015 Software Defined Networks (SDN) & Linux Based Network OS (#20) Washington D.C., DC, US * Apr 09 - 10, 2015 Are you getting the most out of Cinder block storage in OpenStack? * Apr 09, 2015 OpenStack Howto part 1 - Install and Run Prague, CZ * Apr 13 - 14, 2015 OpenStack Live Santa Clara, CA, US * Apr 13 - 16, 2015 StackAttack! A HOLatCollaborate15 Las Vegas, NV, US * Apr 15, 2015 iX OpenStack Tag K?ln, NRW, DE * Apr 15 - 16, 2015 1? Hangout OpenStack Brasil 2015 Brasil, BR * Apr 16 - 18, 2015 Open Cloud 2015 Beijing, Beijing, CN * Apr 16, 2015 8th OpenStack Meetup Stockholm Stockholm, SE * Apr 16, 2015 8th OpenStack User Group Nordics meetup Stockholm, SE * Apr 21 - 22, 2015 CONNECT 2015 Melbourne, Victoria, AU * Apr 22 - 23, 2015 China SDNNFV Conference Beijing, CN * Apr 22, 2015 OpenStack NYC Meetup New York, NY, US * Apr 23, 2015 OpenStack Philadelphia Meetup Philadelphia, PA, US * May 05 - 07, 2015 CeBIT AU 2015 Sydney, NSW, AU * May 18 - 22, 2015 OpenStack Summit May 2015 Vancouver, BC Other News * Parallels goes open source, wants OpenStack?s help to penetrate enterprise * Passion + community support = Success with OpenStack * python-barbicanclient 3.0.3 released * Million level scalability test report from cascading * What's Up Doc? Apr 2 2015 * [release] taskflow 0.8.1 * Call for testing: 2014.2.3 candidate tarballs The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment. -------------- next part -------------- An HTML attachment was scrubbed... URL: From tom at openstack.org Mon Apr 6 01:29:21 2015 From: tom at openstack.org (Tom Fifield) Date: Mon, 06 Apr 2015 09:29:21 +0800 Subject: [Openstack-operators] Ops @ Vancouver Summit - agenda brainstorming In-Reply-To: <2D352D0CD819F64F9715B1B89695400D5C71DB91@ORSMSX113.amr.corp.intel.com> References: <5510F034.1000902@openstack.org> <2D352D0CD819F64F9715B1B89695400D5C71DB91@ORSMSX113.amr.corp.intel.com> Message-ID: <5521E171.7020205@openstack.org> A noble aim - I'd support this kind of activity from anyone who wants to do it :) Can you explain more about what you're thinking? On 31/03/15 05:26, Barrett, Carol L wrote: > Tom - In support of helping to create impact from the feedback, I suggest we partner someone from the Product Work Group with each of the Moderators. The role of the PWG partner would be to identify/summarize the top 1-2 use cases, recruit a couple of operators to help flesh it out and then bring into the roadmap discussion. > > Thoughts? > Carol > > -----Original Message----- > From: Tom Fifield [mailto:tom at openstack.org] > Sent: Monday, March 23, 2015 10:04 PM > To: OpenStack Operators > Subject: [Openstack-operators] Ops @ Vancouver Summit - agenda brainstorming > > Hi all, > > As you've no doubt guessed - the Ops Summit will return in Vancouver, and we need your help to work out what should be on the agenda. > > If you're new: note that this is in addition to the operations (and > other) conference track's presentations. It's aimed at giving us a design-summit-style place to congregate, swap best practices, ideas and give feedback. > > > We've listened to feedback from the past events, especially Paris, and I'm delighted to report that from Vancouver on we're a fully integrated part of the actual design summit. No more random other hotels far away from things and dodgy signage put together at the last minute - it's time to go Pro :) > > > One biggest pieces of feedback we have regarding the organisation of these events so far is that you want to see direct action happen as a result of our discussions. We've had some success with this mid-cycle, for example: > > * Rabbit - heartbeat patch merged [1], now listed as top 5 issue for ops > * OVS - recommendation for vswitch at least 2.1.2 [2] > * Nova Feedback - large range of action items [3] > * Security - raised priority on policy.json docs [4] > > ... just a few amoungst dozens. > > However, we can continue to improve, so please - when you are suggesting sessions in the below etherpad please make sure you phrase them in a way that will result in _actions_ and _results_. > > > > ********************************************************************** > > Please propose session ideas on: > > https://etherpad.openstack.org/p/YVR-ops-meetup > > ensuring you read the new instructions to make sessions 'actionable'. > > > ********************************************************************** > > > > The room allocation is still being worked out (all hail Thierry!), but the current thinking is that the general sessions will all be on one day (likely Tuesday), and the working groups will be distributed throughout the week. > > > More as it comes, and as always, further information about ops meetups and notes from the past can be found on the wiki @: > > https://wiki.openstack.org/wiki/Operations/Meetups > > > Regards, > > > Tom > > > > > [1] https://review.openstack.org/#/c/146047/ > [2] https://etherpad.openstack.org/p/PHL-ops-OVS > [3] > http://lists.openstack.org/pipermail/openstack-dev/2015-March/058801.html > [4] https://bugs.launchpad.net/openstack-manuals/+bug/1311067 > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > From tom at openstack.org Mon Apr 6 01:47:59 2015 From: tom at openstack.org (Tom Fifield) Date: Mon, 06 Apr 2015 09:47:59 +0800 Subject: [Openstack-operators] Ops @ Vancouver Summit - agenda brainstorming In-Reply-To: <55193FE9.7050408@openstack.org> References: <5510F034.1000902@openstack.org> <55193FE9.7050408@openstack.org> Message-ID: <5521E5CF.4040109@openstack.org> Many thanks to those who have contributed so far, especially the moderator volunteers! This is the final ping - get to the etherpad now if you would like input on the Ops @ Vancouver Summit things. So far we have only 3 architecture show and tell sessions, from our regular contributors. The Architecture show and tell sessions were very popular according to summit feedback in Paris - it would be a shame if we reduced the amount of time for it due to lack of participation :) All you have to do is speak for 5-8 minutes about your architecture, tell us a story about when something exploded or share anything generally cool you think other ops would enjoy :) >> https://etherpad.openstack.org/p/YVR-ops-meetup Regards, Tom On 30/03/15 20:22, Tom Fifield wrote: > Hi all, > > Giving this another stoke. > > So far we have zero volunteers for the architecture show and tell > lightening talks, and very few moderator volunteers :) > > If you have ideas about what should be on the agenda for ops summit > sessions at Vancouver, > >> >> ********************************************************************** >> >> Please propose session ideas on: >> >> https://etherpad.openstack.org/p/YVR-ops-meetup >> >> ensuring you read the new instructions to make sessions 'actionable'. >> >> >> ********************************************************************** > > We basically need to get this done in a week or so, giving us enough > time to promote the agenda before the summit. > > > Regards, > > > Tom > > On 24/03/15 13:03, Tom Fifield wrote: >> Hi all, >> >> As you've no doubt guessed - the Ops Summit will return in Vancouver, >> and we need your help to work out what should be on the agenda. >> >> If you're new: note that this is in addition to the operations (and >> other) conference track's presentations. It's aimed at giving us a >> design-summit-style place to congregate, swap best practices, ideas and >> give feedback. >> >> >> We've listened to feedback from the past events, especially Paris, and >> I'm delighted to report that from Vancouver on we're a fully integrated >> part of the actual design summit. No more random other hotels far away >> from things and dodgy signage put together at the last minute - it's >> time to go Pro :) >> >> >> One biggest pieces of feedback we have regarding the organisation of >> these events so far is that you want to see direct action happen as a >> result of our discussions. We've had some success with this mid-cycle, >> for example: >> >> * Rabbit - heartbeat patch merged [1], now listed as top 5 issue for ops >> * OVS - recommendation for vswitch at least 2.1.2 [2] >> * Nova Feedback - large range of action items [3] >> * Security - raised priority on policy.json docs [4] >> >> ... just a few amoungst dozens. >> >> However, we can continue to improve, so please - when you are suggesting >> sessions in the below etherpad please make sure you phrase them in a way >> that will result in _actions_ and _results_. >> >> >> >> ********************************************************************** >> >> Please propose session ideas on: >> >> https://etherpad.openstack.org/p/YVR-ops-meetup >> >> ensuring you read the new instructions to make sessions 'actionable'. >> >> >> ********************************************************************** >> >> >> >> The room allocation is still being worked out (all hail Thierry!), but >> the current thinking is that the general sessions will all be on one day >> (likely Tuesday), and the working groups will be distributed throughout >> the week. >> >> >> More as it comes, and as always, further information about ops meetups >> and notes from the past can be found on the wiki @: >> >> https://wiki.openstack.org/wiki/Operations/Meetups >> >> >> Regards, >> >> >> Tom >> >> >> >> >> [1] https://review.openstack.org/#/c/146047/ >> [2] https://etherpad.openstack.org/p/PHL-ops-OVS >> [3] >> http://lists.openstack.org/pipermail/openstack-dev/2015-March/058801.html >> [4] https://bugs.launchpad.net/openstack-manuals/+bug/1311067 >> >> _______________________________________________ >> OpenStack-operators mailing list >> OpenStack-operators at lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >> > > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > From tom at openstack.org Mon Apr 6 03:21:33 2015 From: tom at openstack.org (Tom Fifield) Date: Mon, 06 Apr 2015 11:21:33 +0800 Subject: [Openstack-operators] User Survey - Deadline Apr 8 In-Reply-To: <55137E9E.7000109@openstack.org> References: <55137E9E.7000109@openstack.org> Message-ID: <5521FBBD.4000706@openstack.org> Reminder: deadline is April 8th. Please go to: http://www.openstack.org/user-survey and tell your friends. Any problems - mail me :) Regards, Tom On 26/03/15 11:35, Tom Fifield wrote: > Hi all, > > As you know, before previous summits we have been running a survey of > OpenStack users. We?re doing it again, and we need your help! > > If you are running an OpenStack cloud, please participate > in the survey [http://www.openstack.org/user-survey]. If you already > completed the survey before, you can simply log back in to update your > deployment details and answer a few new questions. Please note that if > your survey response has not been updated in 12 months, it will expire, > so we encourage you to take this time to update your existing profile so > your deployment can be included in the upcoming analysis. > > As a member of our community, please help us spread the word. We're > trying to gather as much real-world deployment data as possible to share > back with you. We have made it easier to fill out and added some new > questions (eg packaging, containers) > > The information provided is confidential and will only be presented in > aggregate unless the user consents to making it public. > > The deadline to complete the survey and be part of the next report is > April 8 at 23:00 UTC. > > Questions? Check out the FAQ [https://www.openstack.org/user-survey/faq] > or contact me ;) > > Thanks for your help! > > > Regards, > > > Tom > From carol.l.barrett at intel.com Mon Apr 6 20:53:49 2015 From: carol.l.barrett at intel.com (Barrett, Carol L) Date: Mon, 6 Apr 2015 20:53:49 +0000 Subject: [Openstack-operators] Ops @ Vancouver Summit - agenda brainstorming In-Reply-To: <5521E171.7020205@openstack.org> References: <5510F034.1000902@openstack.org> <2D352D0CD819F64F9715B1B89695400D5C71DB91@ORSMSX113.amr.corp.intel.com> <5521E171.7020205@openstack.org> Message-ID: <2D352D0CD819F64F9715B1B89695400D5C725CA8@ORSMSX113.amr.corp.intel.com> My thought is for each work session or general session, listen to the discussion to capture key information to write-up a use case. This includes asking clarifying questions along the way, During the wrap-up we'd want to establish priorities for the use cases and ask for a couple of Operator volunteers to review/assist in the development of the use case. If possible, during work sessions, we'd like to leave Vancouver with a strong draft of the use case. >From there we'd put the use cases in the cross-project repo and use the product work group process for socializing with the community and integrating (as appropriate) on the roadmap. I'm open to other thoughts and approaches, so pls offer your thoughts. Thanks Carol -----Original Message----- From: Tom Fifield [mailto:tom at openstack.org] Sent: Sunday, April 05, 2015 6:29 PM To: Barrett, Carol L; OpenStack Operators Subject: Re: [Openstack-operators] Ops @ Vancouver Summit - agenda brainstorming A noble aim - I'd support this kind of activity from anyone who wants to do it :) Can you explain more about what you're thinking? On 31/03/15 05:26, Barrett, Carol L wrote: > Tom - In support of helping to create impact from the feedback, I suggest we partner someone from the Product Work Group with each of the Moderators. The role of the PWG partner would be to identify/summarize the top 1-2 use cases, recruit a couple of operators to help flesh it out and then bring into the roadmap discussion. > > Thoughts? > Carol > > -----Original Message----- > From: Tom Fifield [mailto:tom at openstack.org] > Sent: Monday, March 23, 2015 10:04 PM > To: OpenStack Operators > Subject: [Openstack-operators] Ops @ Vancouver Summit - agenda > brainstorming > > Hi all, > > As you've no doubt guessed - the Ops Summit will return in Vancouver, and we need your help to work out what should be on the agenda. > > If you're new: note that this is in addition to the operations (and > other) conference track's presentations. It's aimed at giving us a design-summit-style place to congregate, swap best practices, ideas and give feedback. > > > We've listened to feedback from the past events, especially Paris, and > I'm delighted to report that from Vancouver on we're a fully > integrated part of the actual design summit. No more random other > hotels far away from things and dodgy signage put together at the last > minute - it's time to go Pro :) > > > One biggest pieces of feedback we have regarding the organisation of these events so far is that you want to see direct action happen as a result of our discussions. We've had some success with this mid-cycle, for example: > > * Rabbit - heartbeat patch merged [1], now listed as top 5 issue for > ops > * OVS - recommendation for vswitch at least 2.1.2 [2] > * Nova Feedback - large range of action items [3] > * Security - raised priority on policy.json docs [4] > > ... just a few amoungst dozens. > > However, we can continue to improve, so please - when you are suggesting sessions in the below etherpad please make sure you phrase them in a way that will result in _actions_ and _results_. > > > > ********************************************************************** > > Please propose session ideas on: > > https://etherpad.openstack.org/p/YVR-ops-meetup > > ensuring you read the new instructions to make sessions 'actionable'. > > > ********************************************************************** > > > > The room allocation is still being worked out (all hail Thierry!), but the current thinking is that the general sessions will all be on one day (likely Tuesday), and the working groups will be distributed throughout the week. > > > More as it comes, and as always, further information about ops meetups and notes from the past can be found on the wiki @: > > https://wiki.openstack.org/wiki/Operations/Meetups > > > Regards, > > > Tom > > > > > [1] https://review.openstack.org/#/c/146047/ > [2] https://etherpad.openstack.org/p/PHL-ops-OVS > [3] > http://lists.openstack.org/pipermail/openstack-dev/2015-March/058801.h > tml [4] https://bugs.launchpad.net/openstack-manuals/+bug/1311067 > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operator > s > From aishwarya.adyanthaya at accenture.com Tue Apr 7 12:16:00 2015 From: aishwarya.adyanthaya at accenture.com (aishwarya.adyanthaya at accenture.com) Date: Tue, 7 Apr 2015 12:16:00 +0000 Subject: [Openstack-operators] Endpoints in kubernetes Message-ID: Hello, I'm trying to integrate Kubernetes with OpenStack and I've started with the master node. While creating the master node I downloaded the Kubernetes.git and next I executed the command 'make release'. During the release, I got few lines that read 'Error on creating endpoints: endpoints "service1" not found' though in the end of the execution it read successful. When I checked the network it read 'Error: cannot sync with the cluster using endpoints http://127.0.0.1:4001'. Does anyone know if we need to add extra packages or other configurations that needs to be done before getting Kubernetes.git on the node to rectify the error? Thanks! ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. ______________________________________________________________________________________ www.accenture.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From aishwarya.adyanthaya at accenture.com Tue Apr 7 12:17:42 2015 From: aishwarya.adyanthaya at accenture.com (aishwarya.adyanthaya at accenture.com) Date: Tue, 7 Apr 2015 12:17:42 +0000 Subject: [Openstack-operators] Endpoints in kubernetes Message-ID: <5462b1727db5452084cf045b7c849f5f@CO2PR42MB188.048d.mgd.msft.net> Hello, I'm trying to integrate Kubernetes with OpenStack and I've started with the master node. While creating the master node I downloaded the Kubernetes.git and next I executed the command 'make release'. During the release, I got few lines that read 'Error on creating endpoints: endpoints "service1" not found' though in the end of the execution it read successful. When I checked the network it read 'Error: cannot sync with the cluster using endpoints http://127.0.0.1:4001'. Does anyone know if we need to add extra packages or other configurations that needs to be done before getting Kubernetes.git on the node to rectify the error? Thanks! ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. ______________________________________________________________________________________ www.accenture.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From afreedland at mirantis.com Tue Apr 7 15:12:50 2015 From: afreedland at mirantis.com (Alex Freedland) Date: Tue, 7 Apr 2015 08:12:50 -0700 Subject: [Openstack-operators] Endpoints in kubernetes In-Reply-To: References: Message-ID: Here is a link for disk image builder for Kubernetes images with use in Murano: https://github.com/stackforge/murano/tree/master/contrib/elements/kubernetes It has all steps to preinstall Kubernetes on top of Ubuntu. Alex Freedland Co-Founder and Chairman Mirantis, Inc. On Tue, Apr 7, 2015 at 5:16 AM, wrote: > Hello, > > > > I?m trying to integrate Kubernetes with OpenStack and I?ve started with > the master node. While creating the master node I downloaded the > Kubernetes.git and next I executed the command ?make release?. During the > release, I got few lines that read ?Error on creating endpoints: endpoints > "service1" not found? though in the end of the execution it read > successful. When I checked the network it read ?Error: cannot sync with > the cluster using endpoints http://127.0.0.1:4001?. > > > > Does anyone know if we need to add extra packages or other configurations > that needs to be done before getting Kubernetes.git on the node to rectify > the error? > > > > Thanks! > > ------------------------------ > > This message is for the designated recipient only and may contain > privileged, proprietary, or otherwise confidential information. If you have > received it in error, please notify the sender immediately and delete the > original. Any other use of the e-mail by you is prohibited. Where allowed > by local law, electronic communications with Accenture and its affiliates, > including e-mail and instant messaging (including content), may be scanned > by our systems for the purposes of information security and assessment of > internal compliance with Accenture policy. > > ______________________________________________________________________________________ > > www.accenture.com > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From marc.heckmann at ubisoft.com Tue Apr 7 15:36:27 2015 From: marc.heckmann at ubisoft.com (Marc Heckmann) Date: Tue, 7 Apr 2015 15:36:27 +0000 Subject: [Openstack-operators] Dynamic Policy for Access Control In-Reply-To: <5D7F9996EA547448BC6C54C8C5AAF4E50102865948@CERNXCHG41.cern.ch> References: <54EB4AE2.1000203@redhat.com> <5D7F9996EA547448BC6C54C8C5AAF4E50102865948@CERNXCHG41.cern.ch> Message-ID: <1428424599.61768.6.camel@localhost.localdomain> My apologies for not seeing this sooner as the topic is of great interest. My comments below inline.. On Mon, 2015-02-23 at 16:41 +0000, Tim Bell wrote: > > -----Original Message----- > > From: Adam Young [mailto:ayoung at redhat.com] > > Sent: 23 February 2015 16:45 > > To: openstack-operators at lists.openstack.org > > Subject: [Openstack-operators] Dynamic Policy for Access Control > > > > "Admin can do everything!" has been a common lament, heard for multiple > > summits. Its more than just a development issue. I'd like to fix that. I think we > > all would. > > > > > > I'm looking to get some Operator input on the Dynamic Policy issue. I wrote up a > > general overview last fall, after the Kilo summit: > > > > https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/ I agree with everything in that post. I would add the following comments: 1. I doubt this will change, but to be clear, we cannot lose the ability to create custom roles and limit the capabilities of the standard roles. For example, if I wanted to limit the ability to make images public or limit the ability to associate a floating IP. 2. This work should not be done in vacuum. Ideally, Horizon support for assigning roles to users and editing policy should be released at the same time or not long after. I realize that this is easier said than done, but it will be important in order for the feature to get used. > > > > > > Some of what I am looking at is: what are the general roles that Operators > > would like to have by default when deploying OpenStack? > > > > As I described in http://openstack-in-production.blogspot.ch/2015/02/delegation-of-roles.html, we've got (mapped per-project to an AD group) > > - operator (start/stop/reboot/console) > - accounting (read ceilometer data for reporting) > > > I've submitted a talk about policy for the Summit: > > https://www.openstack.org/vote-vancouver/presentation/dynamic-policy-for- > > access-control > > > > If you want, please vote for it, but even if it does not get selected, I'd like to > > discuss Policy with the operators at the summit, as input to the Keystone > > development effort. > > > > Sounds like a good topic for the ops meetup track. > > > Feedback greatly welcome. > > > > _______________________________________________ > > OpenStack-operators mailing list > > OpenStack-operators at lists.openstack.org > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators From sorrison at gmail.com Wed Apr 8 03:45:46 2015 From: sorrison at gmail.com (Sam Morrison) Date: Wed, 8 Apr 2015 13:45:46 +1000 Subject: [Openstack-operators] Flat network with linux bridge plugin In-Reply-To: <0f7b01d04b5f$ef1a5100$cd4ef300$@eurecom.fr> References: <0f7b01d04b5f$ef1a5100$cd4ef300$@eurecom.fr> Message-ID: <66A29CC3-24C1-4DCC-AE07-36E72723E62C@gmail.com> Hi Daniele, I?ve started playing with neutron too and have the exact same issue. Did you find a solution? Cheers, Sam > On 18 Feb 2015, at 8:47 pm, Daniele Venzano wrote: > > Hello, > > I?m trying to configure a very simple Neutron setup. > > On the compute nodes I want a linux bridge connected to a physical interface on one side and the VMs on the other side. This I have, by using the linux bridge agent and a physnet1:em1 mapping in the config file. > > On the controller side I need the dhcp and metadata agents. I installed and configured them. They start, no errors in logs. I see a namespace with a ns-* interface in it for dhcp. Outside the namespace I see a tap* interface without IP address, not connected to anything. > I installed the linux bridge agent also on the controller node, hoping it would create the bridge between the physnet interface and the dhcp namespace tap interface, but it just sits there and does nothing. > > So: I have VMs sending DHCP requests. I see the requests on the controller node, but the dhcp namespace is not connected to anything. > I can provide logs and config files, but probably I just need a hint in the right direction. > > On the network controller: > Do I need a bridge to connect the namespace to the physical interface? > Should this bridge be created by me by hand, or by the linuxbridge agent? Should I run the linuxbridge agent on the network controller? > > I do not want/have a l3 agent. I want to have just one shared network for all tenants, very simple. > > Thanks, > Daniele > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators -------------- next part -------------- An HTML attachment was scrubbed... URL: From daniele.venzano at eurecom.fr Wed Apr 8 08:00:12 2015 From: daniele.venzano at eurecom.fr (Daniele Venzano) Date: Wed, 8 Apr 2015 10:00:12 +0200 Subject: [Openstack-operators] Flat network with linux bridge plugin In-Reply-To: <66A29CC3-24C1-4DCC-AE07-36E72723E62C@gmail.com> References: <0f7b01d04b5f$ef1a5100$cd4ef300$@eurecom.fr> <66A29CC3-24C1-4DCC-AE07-36E72723E62C@gmail.com> Message-ID: <045c01d071d2$0a406e90$1ec14bb0$@eurecom.fr> Well, I found a way to make it work. Yes, you need a bridge (brctl addbr ...). You need to create it by hand and add the interfaces (physical and dnsmasq namespace) to it. The linuxbridge agent installed on the network node does not do anything. The problem with this is that the interface for the namespace is created after an arbitrary amount of time by one of the neutron daemons, so you cannot simply put the bridge creation in one of the boot scripts, but you have to wait for the interface to appear. From: Sam Morrison [mailto:sorrison at gmail.com] Sent: Wednesday 08 April 2015 05:46 To: Daniele Venzano Cc: openstack-operators at lists.openstack.org Subject: Re: [Openstack-operators] Flat network with linux bridge plugin Hi Daniele, I?ve started playing with neutron too and have the exact same issue. Did you find a solution? Cheers, Sam On 18 Feb 2015, at 8:47 pm, Daniele Venzano wrote: Hello, I?m trying to configure a very simple Neutron setup. On the compute nodes I want a linux bridge connected to a physical interface on one side and the VMs on the other side. This I have, by using the linux bridge agent and a physnet1:em1 mapping in the config file. On the controller side I need the dhcp and metadata agents. I installed and configured them. They start, no errors in logs. I see a namespace with a ns-* interface in it for dhcp. Outside the namespace I see a tap* interface without IP address, not connected to anything. I installed the linux bridge agent also on the controller node, hoping it would create the bridge between the physnet interface and the dhcp namespace tap interface, but it just sits there and does nothing. So: I have VMs sending DHCP requests. I see the requests on the controller node, but the dhcp namespace is not connected to anything. I can provide logs and config files, but probably I just need a hint in the right direction. On the network controller: Do I need a bridge to connect the namespace to the physical interface? Should this bridge be created by me by hand, or by the linuxbridge agent? Should I run the linuxbridge agent on the network controller? I do not want/have a l3 agent. I want to have just one shared network for all tenants, very simple. Thanks, Daniele _______________________________________________ OpenStack-operators mailing list OpenStack-operators at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators -------------- next part -------------- An HTML attachment was scrubbed... URL: From lleelm at outlook.com Wed Apr 8 08:40:26 2015 From: lleelm at outlook.com (LeeKies) Date: Wed, 8 Apr 2015 08:40:26 +0000 Subject: [Openstack-operators] floatingip with security group Message-ID: I create a VM with a default security group , then I create and associate a floating ip with this VM.But I can't connect the floating ip, I check the security group, and I think it's the sg problem. I add a rule in default sg, and then I can connect the floating ip. When I create a floating ip , Does I have to add a rule in security group to allow the ip for ingress ?? -------------- next part -------------- An HTML attachment was scrubbed... URL: From lleelm at outlook.com Wed Apr 8 08:42:44 2015 From: lleelm at outlook.com (LeeKies) Date: Wed, 8 Apr 2015 08:42:44 +0000 Subject: [Openstack-operators] [Neutron]floatingip with security group Message-ID: I create a VM with a default security group , then I create and associate a floating ip with this VM.But I can't connect the floating ip, I check the security group, and I think it's the sg problem. I add a rule in default sg, and then I can connect the floating ip. When I create a floating ip , Does I have to add a rule in security group to allow the ip for ingress ?? -------------- next part -------------- An HTML attachment was scrubbed... URL: From comnea.dani at gmail.com Wed Apr 8 09:29:08 2015 From: comnea.dani at gmail.com (Daniel Comnea) Date: Wed, 8 Apr 2015 10:29:08 +0100 Subject: [Openstack-operators] Flat network with linux bridge plugin In-Reply-To: <045c01d071d2$0a406e90$1ec14bb0$@eurecom.fr> References: <0f7b01d04b5f$ef1a5100$cd4ef300$@eurecom.fr> <66A29CC3-24C1-4DCC-AE07-36E72723E62C@gmail.com> <045c01d071d2$0a406e90$1ec14bb0$@eurecom.fr> Message-ID: Which release are you using it, on which OS ? On Wed, Apr 8, 2015 at 9:00 AM, Daniele Venzano wrote: > Well, I found a way to make it work. > > Yes, you need a bridge (brctl addbr ...). > > You need to create it by hand and add the interfaces (physical and dnsmasq > namespace) to it. > > The linuxbridge agent installed on the network node does not do anything. > > > > The problem with this is that the interface for the namespace is created > after an arbitrary amount of time by one of the neutron daemons, so you > cannot simply put the bridge creation in one of the boot scripts, but you > have to wait for the interface to appear. > > > > > > *From:* Sam Morrison [mailto:sorrison at gmail.com] > *Sent:* Wednesday 08 April 2015 05:46 > *To:* Daniele Venzano > *Cc:* openstack-operators at lists.openstack.org > *Subject:* Re: [Openstack-operators] Flat network with linux bridge plugin > > > > Hi Daniele, > > > > I?ve started playing with neutron too and have the exact same issue. Did > you find a solution? > > > > Cheers, > > Sam > > > > > > > > On 18 Feb 2015, at 8:47 pm, Daniele Venzano > wrote: > > > > Hello, > > > > I?m trying to configure a very simple Neutron setup. > > > > On the compute nodes I want a linux bridge connected to a physical > interface on one side and the VMs on the other side. This I have, by using > the linux bridge agent and a physnet1:em1 mapping in the config file. > > > > On the controller side I need the dhcp and metadata agents. I installed > and configured them. They start, no errors in logs. I see a namespace with > a ns-* interface in it for dhcp. Outside the namespace I see a tap* > interface without IP address, not connected to anything. > > I installed the linux bridge agent also on the controller node, hoping it > would create the bridge between the physnet interface and the dhcp > namespace tap interface, but it just sits there and does nothing. > > > > So: I have VMs sending DHCP requests. I see the requests on the controller > node, but the dhcp namespace is not connected to anything. > > I can provide logs and config files, but probably I just need a hint in > the right direction. > > > > On the network controller: > > Do I need a bridge to connect the namespace to the physical interface? > > Should this bridge be created by me by hand, or by the linuxbridge agent? > Should I run the linuxbridge agent on the network controller? > > > > I do not want/have a l3 agent. I want to have just one shared network for > all tenants, very simple. > > > > Thanks, > > Daniele > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From comnea.dani at gmail.com Wed Apr 8 09:32:32 2015 From: comnea.dani at gmail.com (Daniel Comnea) Date: Wed, 8 Apr 2015 10:32:32 +0100 Subject: [Openstack-operators] [Openstack-dev] resource quotas limit per stacks within a project In-Reply-To: References:

Message-ID: + operators Hard to believe nobody is facing this problems, even on small shops you end up with multiple stacks part of the same tenant/ project. Thanks, Dani On Wed, Apr 1, 2015 at 8:10 PM, Daniel Comnea wrote: > Any ideas/ thoughts please? > > In VMware world is basically the same feature provided by the resource > pool. > > > Thanks, > Dani > > On Tue, Mar 31, 2015 at 10:37 PM, Daniel Comnea > wrote: > >> Hi all, >> >> I'm trying to understand what options i have for the below use case... >> >> Having multiple stacks (various number of instances) deployed within 1 >> Openstack project (tenant), how can i guarantee that there will be no >> race after the project resources. >> >> E.g - say i have few stacks like >> >> stack 1 = production >> stack 2 = development >> stack 3 = integration >> >> i don't want to be in a situation where stack 3 (because of a need to run >> some heavy tests) will use all of the resources for a short while while >> production will suffer from it. >> >> Any ideas? >> >> Thanks, >> Dani >> >> P.S - i'm aware of the heavy work being put into improving the quotas or >> the CPU pinning however that is at the project level >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From daniele.venzano at eurecom.fr Wed Apr 8 10:21:07 2015 From: daniele.venzano at eurecom.fr (Daniele Venzano) Date: Wed, 8 Apr 2015 12:21:07 +0200 Subject: [Openstack-operators] Flat network with linux bridge plugin In-Reply-To: References: <0f7b01d04b5f$ef1a5100$cd4ef300$@eurecom.fr> <66A29CC3-24C1-4DCC-AE07-36E72723E62C@gmail.com> <045c01d071d2$0a406e90$1ec14bb0$@eurecom.fr> Message-ID: <04c901d071e5$ba0c4480$2e24cd80$@eurecom.fr> Juno (from ubuntu cloud), on Ubuntu 14.04 From: daniel.comnea at gmail.com [mailto:daniel.comnea at gmail.com] On Behalf Of Daniel Comnea Sent: Wednesday 08 April 2015 11:29 To: Daniele Venzano Cc: Sam Morrison; openstack-operators at lists.openstack.org Subject: Re: [Openstack-operators] Flat network with linux bridge plugin Which release are you using it, on which OS ? On Wed, Apr 8, 2015 at 9:00 AM, Daniele Venzano wrote: Well, I found a way to make it work. Yes, you need a bridge (brctl addbr ...). You need to create it by hand and add the interfaces (physical and dnsmasq namespace) to it. The linuxbridge agent installed on the network node does not do anything. The problem with this is that the interface for the namespace is created after an arbitrary amount of time by one of the neutron daemons, so you cannot simply put the bridge creation in one of the boot scripts, but you have to wait for the interface to appear. From: Sam Morrison [mailto:sorrison at gmail.com] Sent: Wednesday 08 April 2015 05:46 To: Daniele Venzano Cc: openstack-operators at lists.openstack.org Subject: Re: [Openstack-operators] Flat network with linux bridge plugin Hi Daniele, I?ve started playing with neutron too and have the exact same issue. Did you find a solution? Cheers, Sam On 18 Feb 2015, at 8:47 pm, Daniele Venzano wrote: Hello, I?m trying to configure a very simple Neutron setup. On the compute nodes I want a linux bridge connected to a physical interface on one side and the VMs on the other side. This I have, by using the linux bridge agent and a physnet1:em1 mapping in the config file. On the controller side I need the dhcp and metadata agents. I installed and configured them. They start, no errors in logs. I see a namespace with a ns-* interface in it for dhcp. Outside the namespace I see a tap* interface without IP address, not connected to anything. I installed the linux bridge agent also on the controller node, hoping it would create the bridge between the physnet interface and the dhcp namespace tap interface, but it just sits there and does nothing. So: I have VMs sending DHCP requests. I see the requests on the controller node, but the dhcp namespace is not connected to anything. I can provide logs and config files, but probably I just need a hint in the right direction. On the network controller: Do I need a bridge to connect the namespace to the physical interface? Should this bridge be created by me by hand, or by the linuxbridge agent? Should I run the linuxbridge agent on the network controller? I do not want/have a l3 agent. I want to have just one shared network for all tenants, very simple. Thanks, Daniele _______________________________________________ OpenStack-operators mailing list OpenStack-operators at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators _______________________________________________ OpenStack-operators mailing list OpenStack-operators at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdorman at godaddy.com Wed Apr 8 14:38:48 2015 From: mdorman at godaddy.com (Mike Dorman) Date: Wed, 8 Apr 2015 14:38:48 +0000 Subject: [Openstack-operators] [Neutron]floatingip with security group In-Reply-To: References: Message-ID: <8E897DA7-9D4B-40F6-8E04-B717BF672276@godaddy.com> Yup, you need to configure an ?address pair? for the floating IP. This isn?t specifically a security groups thing, but it will allow traffic to the floating IP to pass into the VM to which it is associated. Under the covers, it?s implemented similarly to security groups, but is not directly a security groups function. From: LeeKies Date: Wednesday, April 8, 2015 at 2:42 AM To: OpenStack Operators Subject: [Openstack-operators] [Neutron]floatingip with security group I create a VM with a default security group , then I create and associate a floating ip with this VM. But I can't connect the floating ip, I check the security group, and I think it's the sg problem. I add a rule in default sg, and then I can connect the floating ip. When I create a floating ip , Does I have to add a rule in security group to allow the ip for ingress ?? -------------- next part -------------- An HTML attachment was scrubbed... URL: From klindgren at godaddy.com Wed Apr 8 14:54:27 2015 From: klindgren at godaddy.com (Kris G. Lindgren) Date: Wed, 8 Apr 2015 14:54:27 +0000 Subject: [Openstack-operators] [Openstack-dev] resource quotas limit per stacks within a project In-Reply-To: References:

Message-ID: Why wouldn't you separate you dev/test/productiion via tenants as well? That's what we encourage our users to do. This would let you create flavors that give dev/test less resources under exhaustion conditions and production more resources. You could even pin dev/test to specific hypervisors/areas of the cloud and let production have the rest via those flavors. ____________________________________________ Kris Lindgren Senior Linux Systems Engineer GoDaddy, LLC. From: Daniel Comnea > Date: Wednesday, April 8, 2015 at 3:32 AM To: Daniel Comnea > Cc: "OpenStack Development Mailing List (not for usage questions)" >, "openstack-operators at lists.openstack.org" > Subject: Re: [Openstack-operators] [Openstack-dev] resource quotas limit per stacks within a project + operators Hard to believe nobody is facing this problems, even on small shops you end up with multiple stacks part of the same tenant/ project. Thanks, Dani On Wed, Apr 1, 2015 at 8:10 PM, Daniel Comnea > wrote: Any ideas/ thoughts please? In VMware world is basically the same feature provided by the resource pool. Thanks, Dani On Tue, Mar 31, 2015 at 10:37 PM, Daniel Comnea > wrote: Hi all, I'm trying to understand what options i have for the below use case... Having multiple stacks (various number of instances) deployed within 1 Openstack project (tenant), how can i guarantee that there will be no race after the project resources. E.g - say i have few stacks like stack 1 = production stack 2 = development stack 3 = integration i don't want to be in a situation where stack 3 (because of a need to run some heavy tests) will use all of the resources for a short while while production will suffer from it. Any ideas? Thanks, Dani P.S - i'm aware of the heavy work being put into improving the quotas or the CPU pinning however that is at the project level -------------- next part -------------- An HTML attachment was scrubbed... URL: From klindgren at godaddy.com Wed Apr 8 15:00:52 2015 From: klindgren at godaddy.com (Kris G. Lindgren) Date: Wed, 8 Apr 2015 15:00:52 +0000 Subject: [Openstack-operators] Flat network with linux bridge plugin In-Reply-To: <04c901d071e5$ba0c4480$2e24cd80$@eurecom.fr> References: <0f7b01d04b5f$ef1a5100$cd4ef300$@eurecom.fr> <66A29CC3-24C1-4DCC-AE07-36E72723E62C@gmail.com> <045c01d071d2$0a406e90$1ec14bb0$@eurecom.fr> <04c901d071e5$ba0c4480$2e24cd80$@eurecom.fr> Message-ID: We run this exact configuration with the exception that we are using OVS instead of linux bridge agent. On your "Network nodes" (those running metadata/dhcp) you need to configure them exactly like you do you compute services from the standpoint of the L2 agent. Once we did that when the l2 agent starts it creates the bridges it cares about and the dhcp agent then gets plugged into those bridges. We didn't have to specifically create any bridges or manually plug vifs into it to get everything to work. I would be highly surprised if the linuxbridge agent acted any differently. Mainly because the dhcp agent consumes an IP/port on the network, no different than a vm would. So the L2 agent should plug it for you automatically. ____________________________________________ Kris Lindgren Senior Linux Systems Engineer GoDaddy, LLC. From: Daniele Venzano > Organization: EURECOM Date: Wednesday, April 8, 2015 at 4:21 AM To: 'Daniel Comnea' > Cc: "openstack-operators at lists.openstack.org" > Subject: Re: [Openstack-operators] Flat network with linux bridge plugin Juno (from ubuntu cloud), on Ubuntu 14.04 From: daniel.comnea at gmail.com [mailto:daniel.comnea at gmail.com] On Behalf Of Daniel Comnea Sent: Wednesday 08 April 2015 11:29 To: Daniele Venzano Cc: Sam Morrison; openstack-operators at lists.openstack.org Subject: Re: [Openstack-operators] Flat network with linux bridge plugin Which release are you using it, on which OS ? On Wed, Apr 8, 2015 at 9:00 AM, Daniele Venzano > wrote: Well, I found a way to make it work. Yes, you need a bridge (brctl addbr ...). You need to create it by hand and add the interfaces (physical and dnsmasq namespace) to it. The linuxbridge agent installed on the network node does not do anything. The problem with this is that the interface for the namespace is created after an arbitrary amount of time by one of the neutron daemons, so you cannot simply put the bridge creation in one of the boot scripts, but you have to wait for the interface to appear. From: Sam Morrison [mailto:sorrison at gmail.com] Sent: Wednesday 08 April 2015 05:46 To: Daniele Venzano Cc: openstack-operators at lists.openstack.org Subject: Re: [Openstack-operators] Flat network with linux bridge plugin Hi Daniele, I?ve started playing with neutron too and have the exact same issue. Did you find a solution? Cheers, Sam On 18 Feb 2015, at 8:47 pm, Daniele Venzano > wrote: Hello, I?m trying to configure a very simple Neutron setup. On the compute nodes I want a linux bridge connected to a physical interface on one side and the VMs on the other side. This I have, by using the linux bridge agent and a physnet1:em1 mapping in the config file. On the controller side I need the dhcp and metadata agents. I installed and configured them. They start, no errors in logs. I see a namespace with a ns-* interface in it for dhcp. Outside the namespace I see a tap* interface without IP address, not connected to anything. I installed the linux bridge agent also on the controller node, hoping it would create the bridge between the physnet interface and the dhcp namespace tap interface, but it just sits there and does nothing. So: I have VMs sending DHCP requests. I see the requests on the controller node, but the dhcp namespace is not connected to anything. I can provide logs and config files, but probably I just need a hint in the right direction. On the network controller: Do I need a bridge to connect the namespace to the physical interface? Should this bridge be created by me by hand, or by the linuxbridge agent? Should I run the linuxbridge agent on the network controller? I do not want/have a l3 agent. I want to have just one shared network for all tenants, very simple. Thanks, Daniele _______________________________________________ OpenStack-operators mailing list OpenStack-operators at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators _______________________________________________ OpenStack-operators mailing list OpenStack-operators at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators -------------- next part -------------- An HTML attachment was scrubbed... URL: From klindgren at godaddy.com Wed Apr 8 15:17:22 2015 From: klindgren at godaddy.com (Kris G. Lindgren) Date: Wed, 8 Apr 2015 15:17:22 +0000 Subject: [Openstack-operators] [Neutron]floatingip with security group In-Reply-To: <8E897DA7-9D4B-40F6-8E04-B717BF672276@godaddy.com> References: <8E897DA7-9D4B-40F6-8E04-B717BF672276@godaddy.com> Message-ID: Mike is talking about our specific way of doing floating ips - which is not the default for neutron, so you do *NOT* have to add an allowed-address pair for the floating ip to work. You will however have to add to the security group rules to allow traffic from whatever networks are connecting to your floating ip. The reason for this is because the floating Ip is performed via nat. So traffic from say the internet hits the floating IP and is destination nat'd to the IP of you vm. So from your vm's stand point it sees traffic from the internet trying to connect to it. If the security group rules on the vm do not allow this traffic it will be dropped. ____________________________________________ Kris Lindgren Senior Linux Systems Engineer GoDaddy, LLC. From: Michael Dorman > Date: Wednesday, April 8, 2015 at 8:38 AM To: OpenStack Operators > Subject: Re: [Openstack-operators] [Neutron]floatingip with security group Yup, you need to configure an "address pair" for the floating IP. This isn't specifically a security groups thing, but it will allow traffic to the floating IP to pass into the VM to which it is associated. Under the covers, it's implemented similarly to security groups, but is not directly a security groups function. From: LeeKies Date: Wednesday, April 8, 2015 at 2:42 AM To: OpenStack Operators Subject: [Openstack-operators] [Neutron]floatingip with security group I create a VM with a default security group , then I create and associate a floating ip with this VM. But I can't connect the floating ip, I check the security group, and I think it's the sg problem. I add a rule in default sg, and then I can connect the floating ip. When I create a floating ip , Does I have to add a rule in security group to allow the ip for ingress ?? -------------- next part -------------- An HTML attachment was scrubbed... URL: From daniele.venzano at eurecom.fr Wed Apr 8 15:47:23 2015 From: daniele.venzano at eurecom.fr (Daniele Venzano) Date: Wed, 8 Apr 2015 17:47:23 +0200 Subject: [Openstack-operators] Flat network with linux bridge plugin In-Reply-To: References: <0f7b01d04b5f$ef1a5100$cd4ef300$@eurecom.fr> <66A29CC3-24C1-4DCC-AE07-36E72723E62C@gmail.com> <045c01d071d2$0a406e90$1ec14bb0$@eurecom.fr> <04c901d071e5$ba0c4480$2e24cd80$@eurecom.fr> Message-ID: <05b201d07213$4e694010$eb3bc030$@eurecom.fr> I am 99% sure I configured the linuxbridge agent on the network node the same way as on the compute nodes, but it was doing nothing. But I did it a while ago, so I could be wrong. Anyway having the agent constantly running just to create a bridge at boot is bit of a waste. The next maintenance window I will try again, just to understand. From: Kris G. Lindgren [mailto:klindgren at godaddy.com] Sent: Wednesday 08 April 2015 17:01 To: Daniele Venzano; 'Daniel Comnea' Cc: openstack-operators at lists.openstack.org Subject: Re: [Openstack-operators] Flat network with linux bridge plugin We run this exact configuration with the exception that we are using OVS instead of linux bridge agent. On your "Network nodes" (those running metadata/dhcp) you need to configure them exactly like you do you compute services from the standpoint of the L2 agent. Once we did that when the l2 agent starts it creates the bridges it cares about and the dhcp agent then gets plugged into those bridges. We didn't have to specifically create any bridges or manually plug vifs into it to get everything to work. I would be highly surprised if the linuxbridge agent acted any differently. Mainly because the dhcp agent consumes an IP/port on the network, no different than a vm would. So the L2 agent should plug it for you automatically. ____________________________________________ Kris Lindgren Senior Linux Systems Engineer GoDaddy, LLC. From: Daniele Venzano Organization: EURECOM Date: Wednesday, April 8, 2015 at 4:21 AM To: 'Daniel Comnea' Cc: "openstack-operators at lists.openstack.org" Subject: Re: [Openstack-operators] Flat network with linux bridge plugin Juno (from ubuntu cloud), on Ubuntu 14.04 From: daniel.comnea at gmail.com [mailto:daniel.comnea at gmail.com] On Behalf Of Daniel Comnea Sent: Wednesday 08 April 2015 11:29 To: Daniele Venzano Cc: Sam Morrison; openstack-operators at lists.openstack.org Subject: Re: [Openstack-operators] Flat network with linux bridge plugin Which release are you using it, on which OS ? On Wed, Apr 8, 2015 at 9:00 AM, Daniele Venzano wrote: Well, I found a way to make it work. Yes, you need a bridge (brctl addbr ...). You need to create it by hand and add the interfaces (physical and dnsmasq namespace) to it. The linuxbridge agent installed on the network node does not do anything. The problem with this is that the interface for the namespace is created after an arbitrary amount of time by one of the neutron daemons, so you cannot simply put the bridge creation in one of the boot scripts, but you have to wait for the interface to appear. From: Sam Morrison [mailto:sorrison at gmail.com] Sent: Wednesday 08 April 2015 05:46 To: Daniele Venzano Cc: openstack-operators at lists.openstack.org Subject: Re: [Openstack-operators] Flat network with linux bridge plugin Hi Daniele, I?ve started playing with neutron too and have the exact same issue. Did you find a solution? Cheers, Sam On 18 Feb 2015, at 8:47 pm, Daniele Venzano wrote: Hello, I?m trying to configure a very simple Neutron setup. On the compute nodes I want a linux bridge connected to a physical interface on one side and the VMs on the other side. This I have, by using the linux bridge agent and a physnet1:em1 mapping in the config file. On the controller side I need the dhcp and metadata agents. I installed and configured them. They start, no errors in logs. I see a namespace with a ns-* interface in it for dhcp. Outside the namespace I see a tap* interface without IP address, not connected to anything. I installed the linux bridge agent also on the controller node, hoping it would create the bridge between the physnet interface and the dhcp namespace tap interface, but it just sits there and does nothing. So: I have VMs sending DHCP requests. I see the requests on the controller node, but the dhcp namespace is not connected to anything. I can provide logs and config files, but probably I just need a hint in the right direction. On the network controller: Do I need a bridge to connect the namespace to the physical interface? Should this bridge be created by me by hand, or by the linuxbridge agent? Should I run the linuxbridge agent on the network controller? I do not want/have a l3 agent. I want to have just one shared network for all tenants, very simple. Thanks, Daniele _______________________________________________ OpenStack-operators mailing list OpenStack-operators at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators _______________________________________________ OpenStack-operators mailing list OpenStack-operators at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators -------------- next part -------------- An HTML attachment was scrubbed... URL: From everett.toews at RACKSPACE.COM Wed Apr 8 22:06:58 2015 From: everett.toews at RACKSPACE.COM (Everett Toews) Date: Wed, 8 Apr 2015 22:06:58 +0000 Subject: [Openstack-operators] [openstack-dev] [all][log] Openstack HTTP error codes In-Reply-To: References:

Message-ID: On Jan 29, 2015, at 8:34 PM, Rochelle Grober > wrote: Hi folks! Changed the tags a bit because this is a discussion for all projects and dovetails with logging rationalization/standards/ At the Paris summit, we had a number of session on logging that kept circling back to Error Codes. But, these codes would not be http codes, rather, as others have pointed out, codes related to the calling entities and referring entities and the actions that happened or didn?t. Format suggestions were gathered from the Operators and from some senior developers. The Logging Working Group is planning to put forth a spec for discussion on formats and standards before the Ops mid-cycle meetup. Working from a Glance proposal on error codes: https://review.openstack.org/#/c/127482/ and discussions with operators and devs, we have a strawman to propose. We also have a number of requirements from Ops and some Devs. Here is the basic idea: Code for logs would have four segments: Project Vendor/Component Error Catalog number Criticality Def [A-Z] [A-Z] [A-Z] - [{0-9}|{A-Z}][A-Z] - [0000-9999]- [0-9] Ex. CIN- NA- 0001- 2 Cinder NetApp driver error no Criticality Ex. GLA- 0A- 0051 3 Glance Api error no Criticality Three letters for project, Either a two letter vendor code or a number and letter for 0+letter for internal component of project (like API=0A, Controller =0C, etc), four digit error number which could be subsetted for even finer granularity, and a criticality number. This is for logging purposes and tracking down root cause faster for operators, but if an error is generated, why can the same codes be used internally for the code as externally for the logs? This also allows for a unique message to be associated with the error code that is more descriptive and that can be pre translated. Again, for logging purposes, the error code would not be part of the message payload, but part of the headers. Referrer IDs and other info would still be expected in the payload of the message and could include instance ids/names, NICs or VIFs, etc. The message headers is code in Oslo.log and when using the Oslo.log library, will be easy to use. Since this discussion came up, I thought I needed to get this info out to folks and advertise that anyone will be able to comment on the spec to drive it to agreement. I will be advertising it here and on Ops and Product-WG mailing lists. I?d also like to invite anyone who want to participate in discussions to join them. We?ll be starting a bi-weekly or weekly IRC meeting (also announced in the stated MLs) in February. And please realize that other than Oslo.log, the changes to make the errors more useable will be almost entirely community created standards with community created tools to help enforce them. None of which exist yet, FYI. Hi Rocky, The API WG is trying to come up with a guideline for an error format for the HTTP APIs [1]. In that error format is a code field that I was hoping could match the code in the logs you mention above. I noticed in the Logging WG meetings [2] that you mention an "Error Code Spec?. I?d like to be able to use info from that spec in the example [2] of the error format. Has there been any progress on that spec? Can you link me to it? Also, if you have time for a review of the error format, I?d like to hear your thoughts. Thanks, Everett [1] https://review.openstack.org/#/c/167793/ [2] https://wiki.openstack.org/wiki/Meetings/log-wg [3] https://review.openstack.org/#/c/167793/4/guidelines/errors-example.json,unified -------------- next part -------------- An HTML attachment was scrubbed... URL: From sorrison at gmail.com Wed Apr 8 23:14:09 2015 From: sorrison at gmail.com (Sam Morrison) Date: Thu, 9 Apr 2015 09:14:09 +1000 Subject: [Openstack-operators] Flat network with linux bridge plugin In-Reply-To: <05b201d07213$4e694010$eb3bc030$@eurecom.fr> References: <0f7b01d04b5f$ef1a5100$cd4ef300$@eurecom.fr> <66A29CC3-24C1-4DCC-AE07-36E72723E62C@gmail.com> <045c01d071d2$0a406e90$1ec14bb0$@eurecom.fr> <04c901d071e5$ba0c4480$2e24cd80$@eurecom.fr> <05b201d07213$4e694010$eb3bc030$@eurecom.fr> Message-ID: <1B562E5E-66FA-4D05-877F-47F1B1218FEB@gmail.com> I reset neutron (cleared DB etc.) and rebooted the network node and it worked fine the second time around. I think the first time something went wrong talking to the DB initially. I fixed up the config but then it was impossible for it to fix itself. eg. restarting the neutron agents did nothing. Sam > On 9 Apr 2015, at 1:47 am, Daniele Venzano wrote: > > I am 99% sure I configured the linuxbridge agent on the network node the same way as on the compute nodes, but it was doing nothing. > But I did it a while ago, so I could be wrong. Anyway having the agent constantly running just to create a bridge at boot is bit of a waste. > The next maintenance window I will try again, just to understand. > > > From: Kris G. Lindgren [mailto:klindgren at godaddy.com] > Sent: Wednesday 08 April 2015 17:01 > To: Daniele Venzano; 'Daniel Comnea' > Cc: openstack-operators at lists.openstack.org > Subject: Re: [Openstack-operators] Flat network with linux bridge plugin > > We run this exact configuration with the exception that we are using OVS instead of linux bridge agent. On your "Network nodes" (those running metadata/dhcp) you need to configure them exactly like you do you compute services from the standpoint of the L2 agent. Once we did that when the l2 agent starts it creates the bridges it cares about and the dhcp agent then gets plugged into those bridges. We didn't have to specifically create any bridges or manually plug vifs into it to get everything to work. > > I would be highly surprised if the linuxbridge agent acted any differently. Mainly because the dhcp agent consumes an IP/port on the network, no different than a vm would. So the L2 agent should plug it for you automatically. > ____________________________________________ > > Kris Lindgren > Senior Linux Systems Engineer > GoDaddy, LLC. > > From: Daniele Venzano > > Organization: EURECOM > Date: Wednesday, April 8, 2015 at 4:21 AM > To: 'Daniel Comnea' > > Cc: "openstack-operators at lists.openstack.org " > > Subject: Re: [Openstack-operators] Flat network with linux bridge plugin > > Juno (from ubuntu cloud), on Ubuntu 14.04 > > From: daniel.comnea at gmail.com [mailto:daniel.comnea at gmail.com ] On Behalf Of Daniel Comnea > Sent: Wednesday 08 April 2015 11:29 > To: Daniele Venzano > Cc: Sam Morrison; openstack-operators at lists.openstack.org > Subject: Re: [Openstack-operators] Flat network with linux bridge plugin > > Which release are you using it, on which OS ? > > > On Wed, Apr 8, 2015 at 9:00 AM, Daniele Venzano > wrote: > Well, I found a way to make it work. > Yes, you need a bridge (brctl addbr ...). > You need to create it by hand and add the interfaces (physical and dnsmasq namespace) to it. > The linuxbridge agent installed on the network node does not do anything. > > The problem with this is that the interface for the namespace is created after an arbitrary amount of time by one of the neutron daemons, so you cannot simply put the bridge creation in one of the boot scripts, but you have to wait for the interface to appear. > > > From: Sam Morrison [mailto:sorrison at gmail.com ] > Sent: Wednesday 08 April 2015 05:46 > To: Daniele Venzano > Cc: openstack-operators at lists.openstack.org > Subject: Re: [Openstack-operators] Flat network with linux bridge plugin > > Hi Daniele, > > I?ve started playing with neutron too and have the exact same issue. Did you find a solution? > > Cheers, > Sam > > > >> On 18 Feb 2015, at 8:47 pm, Daniele Venzano > wrote: >> >> Hello, >> >> I?m trying to configure a very simple Neutron setup. >> >> On the compute nodes I want a linux bridge connected to a physical interface on one side and the VMs on the other side. This I have, by using the linux bridge agent and a physnet1:em1 mapping in the config file. >> >> On the controller side I need the dhcp and metadata agents. I installed and configured them. They start, no errors in logs. I see a namespace with a ns-* interface in it for dhcp. Outside the namespace I see a tap* interface without IP address, not connected to anything. >> I installed the linux bridge agent also on the controller node, hoping it would create the bridge between the physnet interface and the dhcp namespace tap interface, but it just sits there and does nothing. >> >> So: I have VMs sending DHCP requests. I see the requests on the controller node, but the dhcp namespace is not connected to anything. >> I can provide logs and config files, but probably I just need a hint in the right direction. >> >> On the network controller: >> Do I need a bridge to connect the namespace to the physical interface? >> Should this bridge be created by me by hand, or by the linuxbridge agent? Should I run the linuxbridge agent on the network controller? >> >> I do not want/have a l3 agent. I want to have just one shared network for all tenants, very simple. >> >> Thanks, >> Daniele >> _______________________________________________ >> OpenStack-operators mailing list >> OpenStack-operators at lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators -------------- next part -------------- An HTML attachment was scrubbed... URL: From gfa at zumbi.com.ar Thu Apr 9 06:03:02 2015 From: gfa at zumbi.com.ar (gustavo panizzo (gfa)) Date: Thu, 09 Apr 2015 14:03:02 +0800 Subject: [Openstack-operators] vm live migrated ended on a different az Message-ID: <55261616.7030400@zumbi.com.ar> hello, last night our ops live migrated (nova live-migration --block-migrate $vm) a group of vm to do hw maintenance. some of the vm ended on a different AZ making the vm unusable (we have different upstream network connectivity on each AZ) I haven't read all the logs yet, but i remember when i created the zones i did test live migrations and it always remain in the same AZ. I googled and nothing appears, i wonder if somebody else had this problem or is not even supposed to work and i got lucky until today? of course, i have setup AZ filter scheduler_available_filters=nova.scheduler.filters.all_filters scheduler_default_filters=RetryFilter,AggregateInstanceExtraSpecsFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ImagePropertiesFilter -- 1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333 From amuller at redhat.com Thu Apr 9 14:52:19 2015 From: amuller at redhat.com (Assaf Muller) Date: Thu, 9 Apr 2015 10:52:19 -0400 (EDT) Subject: [Openstack-operators] [Neutron] The specs process, effective operators feedback and product management In-Reply-To: <1524636922.17358007.1428588368861.JavaMail.zimbra@redhat.com> Message-ID: <639534235.17402447.1428591139863.JavaMail.zimbra@redhat.com> The Neutron specs process was introduced during the Juno timecycle. At the time it was mostly a bureaucratic bottleneck (The ability to say no) to ease the pain of cores and manage workloads throughout a cycle. Perhaps this is a somewhat naive outlook, but I see other positives, such as more upfront design (Some is better than none), less high level talk during the implementation review process and more focus on the details, and 'free' documentation for every major change to the project (Some would say this is kind of a big deal; What better way to write documentation than to force the developers to do it in order for their features to get merged). That being said, you can only get a feature merged if you propose a spec, and the only people largely proposing specs are developers. This ingrains the open source culture of developer focused evolution, that, while empowering and great for developers, is bad for product managers, users (That are sometimes under-presented, as is the case I'm trying to make) and generally causes a lack of a cohesive vision. Like it or not, the specs process and the driver's team approval process form a sort of product management, deciding what features will ultimately go in to Neutron and in what time frame. We shouldn't ignore the fact that we clearly have people and product managers pulling the strings in the background, often deciding where developers will spend their time and what specs to propose, for the purpose of this discussion. I argue that managers often don't have the tools to understand what is important to the project, only to their own customers. The Neutron drivers team, on the other hand, don't have a clear incentive (Or I suspect the will) to spend enormous amounts of time doing 'product management', as being a driver is essentially your third or fourth job by this point, and are the same people solving gate issues, merging code, triaging bugs and so on. I'd like to avoid to go in to a discussion of what's wrong with the current specs process as I'm sure people have heard me complain about this in #openstack-neutron plenty of times before. Instead, I'd like to suggest a system that would perhaps get us to implement specs that are currently not being proposed, and give an additional form of input that would make sure that the development community is spending it's time in the right places. While 'super users' have been given more exposure, and operators summits give operators an additional tool to provide feedback, from a developer's point of view, the input is non-empiric and scattered. I also have a hunch that operators still feel their voice is not being heard. I propose an upvote/downvote system (Think Reddit), where everyone (Operators especially) would upload paragraph long explanations of what they think is missing in Neutron. The proposals have to be actionable (So 'Neutron sucks', while of great humorous value, isn't something I can do anything about), and I suspect the downvote system will help self-regulate that anyway. The proposals are not specs, but are like product RFEs, so for example there would not be a 'testing' section, as these proposals will not replace the specs process anyway but augment it as an additional form of input. Proposals can range from new features (Role based access control for Neutron resources, dynamic routing, Neutron availability zones, QoS, ...) to quality of life improvements (Missing logs, too many DEBUG level logs, poor trouble shooting areas with an explanation of what could be improved, ...) to long standing bugs, Nova network parity issues, and whatever else may be irking the operators community. The proposals would have to be moderated (Closing duplicates, low quality submissions and implemented proposals for example) and if that is a concern then I volunteer to do so. This system will also give drivers a 'way out': The last cycle we spent time refactoring this and that, and developers love doing that so it's easy to get behind. I think that as in the next cycles we move back to features, friction will rise and the process will reveal its flaws. Something to consider: Maybe the top proposal takes a day to implement. Maybe some low priority bug is actually the second highest proposal. Maybe all of the currently marked 'critical' bugs don't even appear on the list. Maybe we aren't spending our time where we should be. And now a word from our legal team: In order for this to be viable, the system would have to be a *non binding*, *additional* form of input. The top proposal *could* be declined for the same reasons that specs are currently being declined. It would not replace any of our current systems or processes. Assaf Muller, Cloud Networking Engineer Red Hat From mestery at mestery.com Thu Apr 9 15:04:52 2015 From: mestery at mestery.com (Kyle Mestery) Date: Thu, 9 Apr 2015 10:04:52 -0500 Subject: [Openstack-operators] [Neutron] The specs process, effective operators feedback and product management In-Reply-To: <639534235.17402447.1428591139863.JavaMail.zimbra@redhat.com> References: <1524636922.17358007.1428588368861.JavaMail.zimbra@redhat.com> <639534235.17402447.1428591139863.JavaMail.zimbra@redhat.com> Message-ID: On Thu, Apr 9, 2015 at 9:52 AM, Assaf Muller wrote: > The Neutron specs process was introduced during the Juno timecycle. At the > time it > was mostly a bureaucratic bottleneck (The ability to say no) to ease the > pain of cores > and manage workloads throughout a cycle. Perhaps this is a somewhat naive > outlook, > but I see other positives, such as more upfront design (Some is better > than none), > less high level talk during the implementation review process and more > focus on the details, > and 'free' documentation for every major change to the project (Some would > say this > is kind of a big deal; What better way to write documentation than to > force the developers > to do it in order for their features to get merged). > > Right. Keep in mind that for Liberty we're making changes to this process. For instance, I've already indicated specs which were approved for Kilo but failed were moved to kilo-backlog. To get them into Liberty, you just propose a patch which moves the patch in the liberty directory. We already have a bunch that have taken this path. I hope we can merge the patches for these specs in Liberty-1. > That being said, you can only get a feature merged if you propose a spec, > and the only > people largely proposing specs are developers. This ingrains the open > source culture of > developer focused evolution, that, while empowering and great for > developers, is bad > for product managers, users (That are sometimes under-presented, as is the > case I'm trying > to make) and generally causes a lack of a cohesive vision. Like it or not, > the specs process > and the driver's team approval process form a sort of product management, > deciding what > features will ultimately go in to Neutron and in what time frame. > > We haven't done anything to limit reviews of specs by these other users, and in fact, I would love for more users to review these specs. > We shouldn't ignore the fact that we clearly have people and product > managers pulling the strings > in the background, often deciding where developers will spend their time > and what specs to propose, > for the purpose of this discussion. I argue that managers often don't have > the tools to understand > what is important to the project, only to their own customers. The Neutron > drivers team, on the other hand, > don't have a clear incentive (Or I suspect the will) to spend enormous > amounts of time doing 'product management', > as being a driver is essentially your third or fourth job by this point, > and are the same people > solving gate issues, merging code, triaging bugs and so on. I'd like to > avoid to go in to a discussion of what's > wrong with the current specs process as I'm sure people have heard me > complain about this in > #openstack-neutron plenty of times before. Instead, I'd like to suggest a > system that would perhaps > get us to implement specs that are currently not being proposed, and give > an additional form of > input that would make sure that the development community is spending it's > time in the right places. > > While these are valid points, the fact that a spec merges isn't an indication that hte code will merge. We have plenty of examples of that in the past two releases. Thus, there are issues beyond the specs process which may prevent your code from merging for an approved spec. That said, I admire your guile in proposing some changes. :) > While 'super users' have been given more exposure, and operators summits > give operators > an additional tool to provide feedback, from a developer's point of view, > the input is > non-empiric and scattered. I also have a hunch that operators still feel > their voice is not being heard. > > Agreed. > I propose an upvote/downvote system (Think Reddit), where everyone > (Operators especially) would upload > paragraph long explanations of what they think is missing in Neutron. The > proposals have to be actionable > (So 'Neutron sucks', while of great humorous value, isn't something I can > do anything about), > and I suspect the downvote system will help self-regulate that anyway. The > proposals are not specs, but are > like product RFEs, so for example there would not be a 'testing' section, > as these proposals will not > replace the specs process anyway but augment it as an additional form of > input. Proposals can range > from new features (Role based access control for Neutron resources, > dynamic routing, > Neutron availability zones, QoS, ...) to quality of life improvements > (Missing logs, too many > DEBUG level logs, poor trouble shooting areas with an explanation of what > could be improved, ...) > to long standing bugs, Nova network parity issues, and whatever else may > be irking the operators community. > The proposals would have to be moderated (Closing duplicates, low quality > submissions and implemented proposals > for example) and if that is a concern then I volunteer to do so. > > Anytime you introduce a voting system you provide incentive to game the system. I am not in favor of a voting system for anything involving specs. If people think things are important, they should be reviewing specs and collaborating to write specs. There are examples of people who have written specs and not done the work. Perhaps what we really need is for people to write specs with no assignee initially. Then we could have people looking for things to work on (there are many, I've been approached by many in the last months) to take those specs up. > This system will also give drivers a 'way out': The last cycle we spent > time refactoring this and that, > and developers love doing that so it's easy to get behind. I think that as > in the next cycles we move back to features, > friction will rise and the process will reveal its flaws. > > Something to consider: Maybe the top proposal takes a day to implement. > Maybe some low priority bug is actually > the second highest proposal. Maybe all of the currently marked 'critical' > bugs don't even appear on the list. > Maybe we aren't spending our time where we should be. > > And now a word from our legal team: In order for this to be viable, the > system would have to be a > *non binding*, *additional* form of input. The top proposal *could* be > declined for the same reasons > that specs are currently being declined. It would not replace any of our > current systems or processes. > > I like the intent here, but I'm not sure we need an additional layer of input. What about the current specs process and bugs in LP isn't working that this will address specifically? It seems to me like you're saying people don't know how to use these, and this is another avenue for those people to suggest input into the project. I'm pondering the implications of that now. Thanks, Kyle > Assaf Muller, Cloud Networking Engineer > Red Hat > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > -------------- next part -------------- An HTML attachment was scrubbed... URL: From comnea.dani at gmail.com Thu Apr 9 19:09:35 2015 From: comnea.dani at gmail.com (Daniel Comnea) Date: Thu, 9 Apr 2015 20:09:35 +0100 Subject: [Openstack-operators] [Openstack-dev] resource quotas limit per stacks within a project In-Reply-To: References:

Message-ID: Thanks for your reply Kris. I'd love to but we're forced to by an in-house app we built (in the same space with Murano to offer a Service catalogue for various services) deployment. IT must be a different path to corss the bridge given the circumstances. Dani On Wed, Apr 8, 2015 at 3:54 PM, Kris G. Lindgren wrote: > Why wouldn't you separate you dev/test/productiion via tenants as well? > That?s what we encourage our users to do. This would let you create > flavors that give dev/test less resources under exhaustion conditions and > production more resources. You could even pin dev/test to specific > hypervisors/areas of the cloud and let production have the rest via those > flavors. > ____________________________________________ > > Kris Lindgren > Senior Linux Systems Engineer > GoDaddy, LLC. > > From: Daniel Comnea > Date: Wednesday, April 8, 2015 at 3:32 AM > To: Daniel Comnea > Cc: "OpenStack Development Mailing List (not for usage questions)" < > openstack-dev at lists.openstack.org>, " > openstack-operators at lists.openstack.org" < > openstack-operators at lists.openstack.org> > Subject: Re: [Openstack-operators] [Openstack-dev] resource quotas limit > per stacks within a project > > + operators > > Hard to believe nobody is facing this problems, even on small shops you > end up with multiple stacks part of the same tenant/ project. > > Thanks, > Dani > > On Wed, Apr 1, 2015 at 8:10 PM, Daniel Comnea > wrote: > >> Any ideas/ thoughts please? >> >> In VMware world is basically the same feature provided by the resource >> pool. >> >> >> Thanks, >> Dani >> >> On Tue, Mar 31, 2015 at 10:37 PM, Daniel Comnea >> wrote: >> >>> Hi all, >>> >>> I'm trying to understand what options i have for the below use case... >>> >>> Having multiple stacks (various number of instances) deployed within 1 >>> Openstack project (tenant), how can i guarantee that there will be no >>> race after the project resources. >>> >>> E.g - say i have few stacks like >>> >>> stack 1 = production >>> stack 2 = development >>> stack 3 = integration >>> >>> i don't want to be in a situation where stack 3 (because of a need to >>> run some heavy tests) will use all of the resources for a short while while >>> production will suffer from it. >>> >>> Any ideas? >>> >>> Thanks, >>> Dani >>> >>> P.S - i'm aware of the heavy work being put into improving the quotas >>> or the CPU pinning however that is at the project level >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gustavo.randich at gmail.com Thu Apr 9 21:52:24 2015 From: gustavo.randich at gmail.com (Gustavo Randich) Date: Thu, 9 Apr 2015 18:52:24 -0300 Subject: [Openstack-operators] [Neutron][Nova] No Valid Host when booting new VM with Public IP In-Reply-To: <5509E284.2060102@gmail.com> References:

<5509E284.2060102@gmail.com> Message-ID: Hi everybody, I'm trying to setup exactly this (instance attached directly to ext-net), using VLAN external networks. Everything seems to work OK: the VM sees the DHCP server in the network node, routes get configured inside the VM, but when it sends ARP asking for the MAC address of the external default gateway, it never gets the answer, because the arp-reply frame is dropped by br-vlan in the compute node (ovs for external network). The cause of the drop is that it is not tagged with any VLAN ID. So, my question is: - Should the external facing OVS (br-ex or br-vlan) have as a port one which receives tagged frames from the external network (i.e. eth0) or untagged frames (i.e. vlanXX, eth0.XX)? Thanks! On Wed, Mar 18, 2015 at 5:39 PM, George Shuklin wrote: > We have that configuration and it works fine. Even better than L3 NAT on > neutron routers. > > Tenant's VM works perfect with external networks and white IPs, but you > should make external network available on each compute node (ml2_conf.ini). > > > On 03/18/2015 07:29 PM, Adam Lawson wrote: > > What I'm trying to do is force OpenStack to do something it normally > doesn't do for the sake of learning and experimentation. I.e. bind a public > network to a VM so it can be accessed outside the cloud when floating IP's > are normally required. I know there are namespace issues at play which may > prevent this from working, just trying to scope the boundaries of what I > can and cannot do really. > > > * Adam Lawson* > > AQORN, Inc. > 427 North Tatnall Street > Ste. 58461 > Wilmington, Delaware 19801-2230 > Toll-free: (844) 4-AQORN-NOW ext. 101 > International: +1 302-387-4660 > Direct: +1 916-246-2072 > > > On Wed, Mar 18, 2015 at 7:08 AM, Pedro Sousa wrote: > >> Hi Adam >> >> For external network you should use floating ips to access externally to >> your instances if I understood correctly. >> >> Regards >> Em 16/03/2015 20:56, "Adam Lawson" escreveu: >> >>> Got a strange error and I'm really hoping to get some help with it >>> since it has be scratching my head. >>> >>> When I create a VM within Horizon and select the PRIVATE network, it >>> boots up great. >>> When I attempt to create a VM within Horizon and include the PUBLIC >>> network (either by itself or with the private network), it fails with a "No >>> valid host found" error. >>> >>> I looked at the nova-api and the nova-scheduler logs on the controller >>> and the most I've found are errors/warnings binding VIF's but I'm not 100% >>> certain it's the root cause although I believe it's related. >>> >>> I didn't find any WARNINGS or ERRORS in the compute or network node. >>> >>> Setup: >>> >>> - 1 physical host running 4 KVM domains/guests >>> - 1x Controller >>> - 1x Networ >>> - 1x Volume >>> - 1x Compute >>> >>> >>> *Controller Node:* >>> nova.conf (http://pastebin.com/q3e9cntH) >>> >>> - neutron.conf (http://pastebin.com/ukEVzBbN) >>> - ml2_conf.ini (http://pastebin.com/w10jBGZC) >>> - nova-api.log (http://pastebin.com/My99Mg2z) >>> - nova-scheduler (http://pastebin.com/Nb75Z6yH) >>> - neutron-server.log (http://pastebin.com/EQVQPVDF) >>> >>> >>> *Network Node:* >>> >>> - l3_agent.ini (http://pastebin.com/DBaD1F5x) >>> - neutron.conf (http://pastebin.com/Bb3qkNi7) >>> - ml2_conf.ini (http://pastebin.com/xEC1Bs9L) >>> >>> >>> *Compute Node:* >>> >>> - nova.conf (http://pastebin.com/K6SiE9Pw) >>> - nova-compute.conf (http://pastebin.com/9Mz30b4v) >>> - neutron.conf (http://pastebin.com/Le4wYRr4) >>> - ml2_conf.ini (http://pastebin.com/nnyhC8mV) >>> >>> >>> *Back-end:* >>> Physical switch >>> >>> Any thoughts on what could be causing this? >>> >>> * Adam Lawson* >>> >>> AQORN, Inc. >>> 427 North Tatnall Street >>> Ste. 58461 >>> Wilmington, Delaware 19801-2230 >>> Toll-free: (844) 4-AQORN-NOW ext. 101 >>> International: +1 302-387-4660 <%2B1%20302-387-4660> >>> Direct: +1 916-246-2072 <%2B1%20916-246-2072> >>> >>> >>> _______________________________________________ >>> OpenStack-operators mailing list >>> OpenStack-operators at lists.openstack.org >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >>> >>> > > > _______________________________________________ > OpenStack-operators mailing listOpenStack-operators at lists.openstack.orghttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rochelle.grober at huawei.com Thu Apr 9 23:09:45 2015 From: rochelle.grober at huawei.com (Rochelle Grober) Date: Thu, 9 Apr 2015 23:09:45 +0000 Subject: [Openstack-operators] [openstack-dev] [Neutron] The specs process, effective operators feedback and product management In-Reply-To: References: <1524636922.17358007.1428588368861.JavaMail.zimbra@redhat.com> <639534235.17402447.1428591139863.JavaMail.zimbra@redhat.com>

Message-ID: Adding the product working group mailing list to this thread [1] I?d like to introduce the Neutron Drivers (and others) to the Product Working Group. We are a bunch of ?influencers? who are focused on adding value through some broader outlooks in the OpenStack community. And yes, many of us are or have been Product/Program/Project managers. We?ve just started (first meeting was at the Paris summit) and have been brainstorming on ways our skillsets could be applied to the OpenStack Environment. A number of us have stepped up to provide some drive for cross project efforts and all of us have been reaching out to work with PTLs and developers and Ops and Users on how we can lighten their loads. One way we are looking at is to provide some tracking of development efforts and plans, along with providing Use Cases to projects that will help developers figure out how to address User and Operator functionality or other gaps. This discussion is perfect for our mailing list, and IRC scheduled chat and a cross project session at the summit (at a minimum). I?ll leave others in the Product WG to respond in line (even though I have lots of thoughts on this, too), but let?s try to get a working session or two, or even a lunch session on this topic with all interested parties at the Summit. And yes, I think that more, different patches in the specs area could allow for mapping use cases and other user requests to individual specs and/or blueprints and/or bug reports. It?s a matter of communicating both what is needed and how and where to do it. --Rocky [1] http://lists.openstack.org/pipermail/openstack-dev/2015-April/061071.html From: Salvatore Orlando [mailto:sorlando at nicira.com] Sent: Thursday, April 09, 2015 09:19 To: OpenStack Development Mailing List (not for usage questions) Cc: OpenStack Operators Subject: Re: [openstack-dev] [Openstack-operators] [Neutron] The specs process, effective operators feedback and product management On 9 April 2015 at 17:04, Kyle Mestery > wrote: On Thu, Apr 9, 2015 at 9:52 AM, Assaf Muller > wrote: The Neutron specs process was introduced during the Juno timecycle. At the time it was mostly a bureaucratic bottleneck (The ability to say no) to ease the pain of cores and manage workloads throughout a cycle. Perhaps this is a somewhat naive outlook, but I see other positives, such as more upfront design (Some is better than none), less high level talk during the implementation review process and more focus on the details, and 'free' documentation for every major change to the project (Some would say this is kind of a big deal; What better way to write documentation than to force the developers to do it in order for their features to get merged). Right. Keep in mind that for Liberty we're making changes to this process. For instance, I've already indicated specs which were approved for Kilo but failed were moved to kilo-backlog. To get them into Liberty, you just propose a patch which moves the patch in the liberty directory. We already have a bunch that have taken this path. I hope we can merge the patches for these specs in Liberty-1. It was never meant to be a bureaucratic bottleneck, although the ability of moving out early in the process blueprint that did not fit in the scope of the current release (or in the scope of the project altogether) was a goal. However, it became a bureaucratic step - it has been surely been perceived as that. Fast tracking blueprints which were already approved makes sense. I believe the process should be made even slimmer, removing the deadlines for spec proposal and approval, and making the approval process simpler - with reviewers being a lot less pedant on one side, and proposer not expecting approval of a spec to be a binding contract on the other side. That being said, you can only get a feature merged if you propose a spec, and the only people largely proposing specs are developers. This ingrains the open source culture of developer focused evolution, that, while empowering and great for developers, is bad for product managers, users (That are sometimes under-presented, as is the case I'm trying to make) and generally causes a lack of a cohesive vision. Like it or not, the specs process and the driver's team approval process form a sort of product management, deciding what features will ultimately go in to Neutron and in what time frame. We haven't done anything to limit reviews of specs by these other users, and in fact, I would love for more users to review these specs. I think your analysis is correct. Neutron is a developer-led community, and that's why the "drivers" acting also as "product managers" approve specifications. I don't want to discuss here the merits of the drivers team - that probably deserves another discussion thread - but as Kyle says no-one has been discouraged for reviewing specs and influencing the decision process. The neutron-drivers meetings were very open in my opinion. However, if this meant - as you say - that users, operators, and product managers (yes, them too ;) ) were left off this process, I'm happy to hear proposals to improve it. We shouldn't ignore the fact that we clearly have people and product managers pulling the strings in the background, often deciding where developers will spend their time and what specs to propose, for the purpose of this discussion. I argue that managers often don't have the tools to understand what is important to the project, only to their own customers. The Neutron drivers team, on the other hand, don't have a clear incentive (Or I suspect the will) to spend enormous amounts of time doing 'product management', as being a driver is essentially your third or fourth job by this point, and are the same people solving gate issues, merging code, triaging bugs and so on. I'd like to avoid to go in to a discussion of what's wrong with the current specs process as I'm sure people have heard me complain about this in #openstack-neutron plenty of times before. Yes I have heard you complaining. Ideally I would borrow concepts from anarchism to define an ideal way in which various contributors should take over the different. However, I am afraid this will quickly translate in a sort of extreme neo-liberism which will probably lead the project with self destruction. But I'm all up for a change in the process since what we have now is drifting towards Soviet-style bureaucracy. Jokes apart, I think you are right, the process as it is just adds responsibilities to a subset of people who are already busy with other duties, increasing frustration in people who depends on them (being one of these people I am fully aware of that!) Instead, I'd like to suggest a system that would perhaps get us to implement specs that are currently not being proposed, and give an additional form of input that would make sure that the development community is spending it's time in the right places. While these are valid points, the fact that a spec merges isn't an indication that hte code will merge. We have plenty of examples of that in the past two releases. Thus, there are issues beyond the specs process which may prevent your code from merging for an approved spec. That said, I admire your guile in proposing some changes. :) While 'super users' have been given more exposure, and operators summits give operators an additional tool to provide feedback, from a developer's point of view, the input is non-empiric and scattered. I also have a hunch that operators still feel their voice is not being heard. Agreed. I propose an upvote/downvote system (Think Reddit), where everyone (Operators especially) would upload paragraph long explanations of what they think is missing in Neutron. The proposals have to be actionable (So 'Neutron sucks', while of great humorous value, isn't something I can do anything about), and I suspect the downvote system will help self-regulate that anyway. The proposals are not specs, but are like product RFEs, so for example there would not be a 'testing' section, as these proposals will not replace the specs process anyway but augment it as an additional form of input. I personally do not believe in the viability of a system which gives priority to features based on "popular acclamation", mostly for the reasons kyle explains above. Also, "additional form of input" leaves an uncomfortable grey area where whoever is authorized to approve spec will need to strike the right balance between what they believe are the right engineering priorities and what are the priorities set by the community through the system you propose. Also, rather than having a different system, we might just sum the score associated with current neutron specs. Proposals can range from new features (Role based access control for Neutron resources, dynamic routing, Neutron availability zones, QoS, ...) to quality of life improvements (Missing logs, too many DEBUG level logs, poor trouble shooting areas with an explanation of what could be improved, ...) to long standing bugs, Nova network parity issues, and whatever else may be irking the operators community. The proposals would have to be moderated (Closing duplicates, low quality submissions and implemented proposals for example) and if that is a concern then I volunteer to do so. I think that the answer to a process issue is never more process. But this is just my personal opinion! Anytime you introduce a voting system you provide incentive to game the system. I am not in favor of a voting system for anything involving specs. If people think things are important, they should be reviewing specs and collaborating to write specs. There are examples of people who have written specs and not done the work. Do you mean the plugin perestroika thing? I'll never write a spec I don't intend to implement myself again!!! Perhaps what we really need is for people to write specs with no assignee initially. Then we could have people looking for things to work on (there are many, I've been approached by many in the last months) to take those specs up. This system will also give drivers a 'way out': The last cycle we spent time refactoring this and that, and developers love doing that so it's easy to get behind. I think that as in the next cycles we move back to features, friction will rise and the process will reveal its flaws. I think the flaws are already quite clear, or do you reckon that there is something worse looming? Something to consider: Maybe the top proposal takes a day to implement. Maybe some low priority bug is actually the second highest proposal. Maybe all of the currently marked 'critical' bugs don't even appear on the list. Maybe we aren't spending our time where we should be. Those are all valid concerns. As a member of the drivers team I've personally asked myself these questions. Obviously this does not imply I had the right answers! And now a word from our legal team: In order for this to be viable, the system would have to be a *non binding*, *additional* form of input. The top proposal *could* be declined for the same reasons that specs are currently being declined. It would not replace any of our current systems or processes. I like the intent here, but I'm not sure we need an additional layer of input. What about the current specs process and bugs in LP isn't working that this will address specifically? It seems to me like you're saying people don't know how to use these, and this is another avenue for those people to suggest input into the project. I'm pondering the implications of that now. Since it seems there a 1:1 mapping between specs and "proposals", your idea might be implemented in gerrit. Rather than submitting a proposal, submit a spec, and then have people give it a +1 or -1. Collect scores, and publish them on a web page. Even if I do not think it is the right think to have it as a part of the decision process, it is probably a useful thing to have, and requires low maintenance. For the specs process, I would rather consider how to delegate decision making around specs - for instance involving SMEs and cross-product team members - and how to make this process as smooth as possible. Thanks, Kyle Assaf Muller, Cloud Networking Engineer Red Hat _______________________________________________ OpenStack-operators mailing list OpenStack-operators at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: From blak111 at gmail.com Fri Apr 10 16:34:08 2015 From: blak111 at gmail.com (Kevin Benton) Date: Fri, 10 Apr 2015 09:34:08 -0700 Subject: [Openstack-operators] [Neutron] The specs process, effective operators feedback and product management In-Reply-To: <639534235.17402447.1428591139863.JavaMail.zimbra@redhat.com> References: <1524636922.17358007.1428588368861.JavaMail.zimbra@redhat.com> <639534235.17402447.1428591139863.JavaMail.zimbra@redhat.com> Message-ID: >The Neutron drivers team, on the other hand, don't have a clear incentive (Or I suspect the will) to spend enormous amounts of time doing 'product management', as being a driver is essentially your third or fourth job by this point, and are the same people solving gate issues, merging code, triaging bugs and so on. Are you hinting here that there should be a separate team of people from the developers who are deciding what should and should not be worked on in Neutron? Have there been examples of that working in other open source projects where the majority of the development isn't driven by one employer? I ask that because I don't see much of an incentive for a developer to follow requirements generated by people not familiar with the Neutron code base. One of the roles of the driver team is to determine what is feasible in the release cycle. How would that be possible without actively contributing or (at a minimum) being involved in code reviews? On Thu, Apr 9, 2015 at 7:52 AM, Assaf Muller wrote: > The Neutron specs process was introduced during the Juno timecycle. At the > time it > was mostly a bureaucratic bottleneck (The ability to say no) to ease the > pain of cores > and manage workloads throughout a cycle. Perhaps this is a somewhat naive > outlook, > but I see other positives, such as more upfront design (Some is better > than none), > less high level talk during the implementation review process and more > focus on the details, > and 'free' documentation for every major change to the project (Some would > say this > is kind of a big deal; What better way to write documentation than to > force the developers > to do it in order for their features to get merged). > > That being said, you can only get a feature merged if you propose a spec, > and the only > people largely proposing specs are developers. This ingrains the open > source culture of > developer focused evolution, that, while empowering and great for > developers, is bad > for product managers, users (That are sometimes under-presented, as is the > case I'm trying > to make) and generally causes a lack of a cohesive vision. Like it or not, > the specs process > and the driver's team approval process form a sort of product management, > deciding what > features will ultimately go in to Neutron and in what time frame. > > We shouldn't ignore the fact that we clearly have people and product > managers pulling the strings > in the background, often deciding where developers will spend their time > and what specs to propose, > for the purpose of this discussion. I argue that managers often don't have > the tools to understand > what is important to the project, only to their own customers. The Neutron > drivers team, on the other hand, > don't have a clear incentive (Or I suspect the will) to spend enormous > amounts of time doing 'product management', > as being a driver is essentially your third or fourth job by this point, > and are the same people > solving gate issues, merging code, triaging bugs and so on. I'd like to > avoid to go in to a discussion of what's > wrong with the current specs process as I'm sure people have heard me > complain about this in > #openstack-neutron plenty of times before. Instead, I'd like to suggest a > system that would perhaps > get us to implement specs that are currently not being proposed, and give > an additional form of > input that would make sure that the development community is spending it's > time in the right places. > > While 'super users' have been given more exposure, and operators summits > give operators > an additional tool to provide feedback, from a developer's point of view, > the input is > non-empiric and scattered. I also have a hunch that operators still feel > their voice is not being heard. > > I propose an upvote/downvote system (Think Reddit), where everyone > (Operators especially) would upload > paragraph long explanations of what they think is missing in Neutron. The > proposals have to be actionable > (So 'Neutron sucks', while of great humorous value, isn't something I can > do anything about), > and I suspect the downvote system will help self-regulate that anyway. The > proposals are not specs, but are > like product RFEs, so for example there would not be a 'testing' section, > as these proposals will not > replace the specs process anyway but augment it as an additional form of > input. Proposals can range > from new features (Role based access control for Neutron resources, > dynamic routing, > Neutron availability zones, QoS, ...) to quality of life improvements > (Missing logs, too many > DEBUG level logs, poor trouble shooting areas with an explanation of what > could be improved, ...) > to long standing bugs, Nova network parity issues, and whatever else may > be irking the operators community. > The proposals would have to be moderated (Closing duplicates, low quality > submissions and implemented proposals > for example) and if that is a concern then I volunteer to do so. > > This system will also give drivers a 'way out': The last cycle we spent > time refactoring this and that, > and developers love doing that so it's easy to get behind. I think that as > in the next cycles we move back to features, > friction will rise and the process will reveal its flaws. > > Something to consider: Maybe the top proposal takes a day to implement. > Maybe some low priority bug is actually > the second highest proposal. Maybe all of the currently marked 'critical' > bugs don't even appear on the list. > Maybe we aren't spending our time where we should be. > > And now a word from our legal team: In order for this to be viable, the > system would have to be a > *non binding*, *additional* form of input. The top proposal *could* be > declined for the same reasons > that specs are currently being declined. It would not replace any of our > current systems or processes. > > > Assaf Muller, Cloud Networking Engineer > Red Hat > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > -- Kevin Benton -------------- next part -------------- An HTML attachment was scrubbed... URL: From alopgeek at gmail.com Fri Apr 10 19:48:49 2015 From: alopgeek at gmail.com (Abel Lopez) Date: Fri, 10 Apr 2015 12:48:49 -0700 Subject: [Openstack-operators] Short survey on Guest Images Message-ID: <6FCA51FF-43C6-4343-B3ED-F9A174C3C113@gmail.com> If you're somehow involved in creating/providing images for glance, I have a very short survey that I'd like input on. https://docs.google.com/forms/d/1HR500i8raQiH72GwEbpFuUQA8OvA7Uae2e-39Y6YSQ0/viewform?usp=send_form Responses will help me as part of my presentation in Vancouver. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From gustavo.randich at gmail.com Fri Apr 10 20:13:26 2015 From: gustavo.randich at gmail.com (Gustavo Randich) Date: Fri, 10 Apr 2015 17:13:26 -0300 Subject: [Openstack-operators] how to attach VMs to external/vlan network directly Message-ID: Hi, I've tried without success to attach instances directly to external VLAN network using "provider:network_type vlan"; below are the details. Using "provider:network_type flat" I made it work. I was basically following this: http://www.s3it.uzh.ch/blog/openstack-neutron-vlan/ Any idea will be appreciated. ML2 CONFIG ml2_type_vlan network_vlan_ranges vlannet:81:91 bridge_mappings vlannet:br-vlan enable_security_group True enable_ipset True firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver NETWORK CREATION neutron net-create vlan81 --router:external True --provider:physical_network vlannet --provider:network_type vlan --provider:segmentation_id 81 --shared neutron subnet-create vlan81 10.111.81.0/24 --name vlan81 --allocation-pool start=10.111.81.65,end=10.111.81.126 --enable-dhcp --gateway 10.111.81.254 --dns-nameserver 10.1.1.68 --dns-nameserver 10.1.1.42 --host-route destination=169.254.169.254/32,nexthop=10.111.81.65 NETWORK CONFIGURATION OF COMPUTE/NETWORK NODES em1 \ bond0 -> vlan81 -> | br-vlan | <-> | br-int | em2 / DEBUGGING root at juno-dev02:~# ovs-ofctl dump-flows br-vlan NXST_FLOW reply (xid=0x4): cookie=0x0, duration=2991.439s, table=0, n_packets=5374, n_bytes=357405, idle_age=2, priority=4,in_port=5,dl_vlan=1 actions=mod_vlan_vid:81,NORMAL cookie=0x0, duration=3439.498s, table=0, n_packets=3792, n_bytes=159460, idle_age=0, priority=2,in_port=5 actions=drop cookie=0x0, duration=3440.064s, table=0, n_packets=113217, n_bytes=18712371, idle_age=0, priority=1 actions=NORMAL root at juno-dev02:~# ovs-ofctl dump-flows br-int NXST_FLOW reply (xid=0x4): cookie=0x0, duration=3891.241s, table=0, n_packets=1448, n_bytes=157908, idle_age=1236, priority=3,in_port=7,dl_vlan=81 actions=mod_vlan_vid:1,NORMAL cookie=0x0, duration=4339.435s, table=0, n_packets=26538, n_bytes=1584268, idle_age=1, priority=2,in_port=7 actions=drop cookie=0x0, duration=4340.224s, table=0, n_packets=10686, n_bytes=590535, idle_age=1, priority=1 actions=NORMAL cookie=0x0, duration=4340.153s, table=23, n_packets=0, n_bytes=0, idle_age=4340, priority=0 actions=drop root at juno-dev02:~# nova list +--------------------------------------+------+--------+------------+-------------+---------------------+ | ID | Name | Status | Task State | Power State | Networks | +--------------------------------------+------+--------+------------+-------------+---------------------+ | 2f1a2cba-6fc7-45ae-a251-e709ab8b7ecc | test | ACTIVE | - | Running | vlan81=10.111.81.66 | +--------------------------------------+------+--------+------------+-------------+---------------------+ Instance can reach DHCP server on network node (10.111.81.65), but cannot reach default gateway (10.111.81.254), nor any host of the external network. The br-vlan bridge shows outgoing ARP packets tagged with vlan 81, and ARP replies not tagged, which I suppose it then drops because it does not match the first rule of br-vlan. The br-int bridge shows only outgoin ARP packets: root at juno-dev02:~# tcpdump -env -i br-vlan icmp or arp tcpdump: listening on br-vlan, link-type EN10MB (Ethernet), capture size 65535 bytes 11:45:56.463254 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 81, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.111.81.254 tell 10.111.81.66, length 28 11:45:56.464491 78:19:f7:9b:2a:41 > fa:16:3e:58:74:5b, ethertype ARP (0x0806), length 56: Ethernet (len 6), IPv4 (len 4), Reply 10.111.81.254 is-at 78:19:f7:9b:2a:41, length 42 11:45:57.461253 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 81, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.111.81.254 tell 10.111.81.66, length 28 11:45:57.462765 78:19:f7:9b:2a:41 > fa:16:3e:58:74:5b, ethertype ARP (0x0806), length 56: Ethernet (len 6), IPv4 (len 4), Reply 10.111.81.254 is-at 78:19:f7:9b:2a:41, length 42 root at juno-dev02:~# tcpdump -env -i br-int icmp or arp tcpdump: WARNING: br-int: no IPv4 address assigned tcpdump: listening on br-int, link-type EN10MB (Ethernet), capture size 65535 bytes 11:29:49.330084 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.111.81.254 tell 10.111.81.66, length 28 11:29:50.162106 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.111.81.49 tell 10.111.81.66, length 28 11:29:51.180111 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.111.81.49 tell 10.111.81.66, length 28 -------------- next part -------------- An HTML attachment was scrubbed... URL: From stefano at openstack.org Fri Apr 10 21:28:10 2015 From: stefano at openstack.org (Stefano Maffulli) Date: Fri, 10 Apr 2015 14:28:10 -0700 Subject: [Openstack-operators] OpenStack Community Weekly Newsletter (Apr 3 - 10) Message-ID: <1428701290.22374.0.camel@sputacchio.gateway.2wire.net> Making your list and checking it twice for the OpenStack Vancouver Summit Emily Hugenbruch shared her pre-summit checklists: great tips there. OVN and OpenStack Integration Development Update The Open vSwitch project announced the OVN effort back in January and Russell Bryant started to look into it. He reports about OVN, calling it ?a promising open source backend for OpenStack Neutron?. OpenStack in the classroom Amrith Kumar announced an effort to work with educational institutions in Massachusetts and near Toronto (where Tesora has offices) to try and make available a course on cloud computing with OpenStack as the exemplar system. OpenStack In The Enterprise A new mini-portal on openstack.org website to discover use cases and white papers from the enterprise world. The Road to Vancouver * Sign up for OpenStack Upstream Training in Vancouver * Canada Visa Information * Official Hotel Room Blocks * 2015 OpenStack T-Shirt Design Contest * Preparation to Design summit * Liberty Design Summit - Proposed slot allocation * What's a Design Summit? There is still room for Upstream Training Relevant Conversations * PTL Voting is now open * Kilo stable branches for "other" libraries * The Evolution of core developer to maintainer? * The Core Deficiency * Implementation of Pacemaker Managed OpenStack VM Recovery * Neutron Kilo Retrospective and a Look Toward Liberty * [Neutron] The specs process, effective operators feedback and product management Deadlines and Development Priorities * [Nova] Identifying release critical bugs in Kilo * [Cinder] Bug Triage - Call for Participation * [Nova] Liberty specs are now open and [Nova] Trunk is now Liberty * [neutron] Liberty Specs are now open! Security Advisories and Notices * None Tips ?n Tricks * By Adam Young: Horizon WebSSO via SSSD * By Assaf Muller: Multinode DVR Devstack * By Alessandro Pilotti: VirtualBox driver for OpenStack Upcoming Events * Apr 13 - 14, 2015 OpenStack Live Santa Clara, CA, US * Apr 13 - 16, 2015 StackAttack! A HOLatCollaborate15 Las Vegas, NV, US * Apr 15, 2015 iX OpenStack Tag K?ln, NRW, DE * Apr 15 - 16, 2015 1? Hangout OpenStack Brasil 2015 Brasil, BR * Apr 16 - 18, 2015 Open Cloud 2015 Beijing, Beijing, CN * Apr 16, 2015 8th OpenStack Meetup Stockholm Stockholm, SE * Apr 16, 2015 8th OpenStack User Group Nordics meetup Stockholm, SE * Apr 21 - 22, 2015 CONNECT 2015 Melbourne, Victoria, AU * Apr 22 - 23, 2015 China SDNNFV Conference Beijing, CN * Apr 22, 2015 OpenStack NYC Meetup New York, NY, US * Apr 23, 2015 OpenStack Philadelphia Meetup Philadelphia, PA, US * May 05 - 07, 2015 CeBIT AU 2015 Sydney, NSW, AU * May 18 - 22, 2015 OpenStack Summit May 2015 Vancouver, BC Other News * A community distribution of OpenStack * Why adopting OpenStack for dev/test matters * Gophercloud Update * Why OpenStack will change the way we live, work and play The weekly newsletter is a way for the community to learn about all the various activities occurring on a weekly basis. If you would like to add content to a weekly update or have an idea about this newsletter, please leave a comment. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Apr 10 21:30:07 2015 From: ayoung at redhat.com (Adam Young) Date: Fri, 10 Apr 2015 17:30:07 -0400 Subject: [Openstack-operators] Dynamic Policy for Access Control In-Reply-To: <1428424599.61768.6.camel@localhost.localdomain> References: <54EB4AE2.1000203@redhat.com> <5D7F9996EA547448BC6C54C8C5AAF4E50102865948@CERNXCHG41.cern.ch> <1428424599.61768.6.camel@localhost.localdomain> Message-ID: <552840DF.1050000@redhat.com> On 04/07/2015 11:36 AM, Marc Heckmann wrote: > My apologies for not seeing this sooner as the topic is of great > interest. My comments below inline.. > > On Mon, 2015-02-23 at 16:41 +0000, Tim Bell wrote: >>> -----Original Message----- >>> From: Adam Young [mailto:ayoung at redhat.com] >>> Sent: 23 February 2015 16:45 >>> To: openstack-operators at lists.openstack.org >>> Subject: [Openstack-operators] Dynamic Policy for Access Control >>> >>> "Admin can do everything!" has been a common lament, heard for multiple >>> summits. Its more than just a development issue. I'd like to fix that. I think we >>> all would. >>> >>> >>> I'm looking to get some Operator input on the Dynamic Policy issue. I wrote up a >>> general overview last fall, after the Kilo summit: >>> >>> https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/ > I agree with everything in that post. > > I would add the following comments: > > 1. I doubt this will change, but to be clear, we cannot lose the ability > to create custom roles and limit the capabilities of the standard roles. > For example, if I wanted to limit the ability to make images public or > limit the ability to associate a floating IP. That is a baseline consideration. We are hoping to make custom roles the norm. > > 2. This work should not be done in vacuum. Ideally, Horizon support for > assigning roles to users and editing policy should be released at the > same time or not long after. I realize that this is easier said than > done, but it will be important in order for the feature to get used. Role assignments will be done the same way they are now, as Horizon fetches the list of roles from Keystone. Editing policy will require a new UI. I don't see that happening in Horizon until the Keystone mechanism is finalized. Thanks for the response. We can carry on the conversation at the Summit. > >>> >>> Some of what I am looking at is: what are the general roles that Operators >>> would like to have by default when deploying OpenStack? >>> >> As I described in http://openstack-in-production.blogspot.ch/2015/02/delegation-of-roles.html, we've got (mapped per-project to an AD group) >> >> - operator (start/stop/reboot/console) >> - accounting (read ceilometer data for reporting) >> >>> I've submitted a talk about policy for the Summit: >>> https://www.openstack.org/vote-vancouver/presentation/dynamic-policy-for- >>> access-control >>> >>> If you want, please vote for it, but even if it does not get selected, I'd like to >>> discuss Policy with the operators at the summit, as input to the Keystone >>> development effort. >>> >> Sounds like a good topic for the ops meetup track. >> >>> Feedback greatly welcome. >>> >>> _______________________________________________ >>> OpenStack-operators mailing list >>> OpenStack-operators at lists.openstack.org >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >> _______________________________________________ >> OpenStack-operators mailing list >> OpenStack-operators at lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > From rochelle.grober at huawei.com Sat Apr 11 01:05:11 2015 From: rochelle.grober at huawei.com (Rochelle Grober) Date: Sat, 11 Apr 2015 01:05:11 +0000 Subject: [Openstack-operators] [all] [api] [log] Erring is Caring In-Reply-To: <160927AC-D86B-4CD2-A646-E02A3C68EA1F@rackspace.com> References: <160927AC-D86B-4CD2-A646-E02A3C68EA1F@rackspace.com> Message-ID: Hi all, The first draft of the spec for Log Message Error Codes (from the Log Working Group) is out for review: https://review.openstack.org/#/c/172552/ Please comment, and please look for the way forward so that the different places, ways and reasons errors get reported provide consistency across the projects the make up the Openstack ecosystem. Consistency across uses will speed problem solving and will provide a common language across the diversity of users of the OpenStack code and environments. This cross project spec is focused on just a part of the Log Message "header", but it is the start of where log messages need to go. It dovetails in with developer focused API errors, but is aimed at the log files the operators rely on to keep their clouds running. Over the next couple of days, I will also specifically add reviewers to the list if you haven't already commented on the spec;-). Thanks for your patience waiting for this. It *is* a work in progress, but I think the meat is there for discussion. Also, please look at and comment on: Return Request ID to caller https://review.openstack.org/#/c/156508/ as this is also critical to get right for logging and developer efforts. --Rocky -----Original Message----- From: Everett Toews [mailto:everett.toews at RACKSPACE.COM] Sent: Tuesday, March 31, 2015 14:36 To: OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [all] [api] Erring is Caring Hi All, An API Working Group Guideline for Errors https://review.openstack.org/#/c/167793/ Errors are a crucial part of the developer experience when using an API. As developers learn the API they inevitably run into errors. The quality and consistency of the error messages returned to them will play a large part in how quickly they can learn the API, how they can be more effective with the API, and how much they enjoy using the API. We need consistency across all services for the error format returned in the response body. The Way Forward I did a bit of research into the current state of consistency in errors across OpenStack services [1]. Since no services seem to respond with a top-level "errors" key, it's possible that they could just include this key in the response body along with their usual response and the 2 can live side-by-side for some deprecation period. Hopefully those services with unstructured errors should okay with adding some structure. That said, the current error formats aren't documented anywhere that I've seen so this all feels fair game anyway. How this would get implemented in code is up to you. It could eventually be implemented in all projects individually or perhaps a Oslo utility is called for. However, this discussion is not about the implementation. This discussion is about the error format. The Review I've explicitly added all of the API WG and Logging WG CPLs as reviewers to that patch but feedback from all is welcome. You can find a more readable version of patch set 4 at [2]. I see the "id" and "code" fields as the connection point to what the logging working group is doing. Thanks, Everett [1] https://wiki.openstack.org/wiki/API_Working_Group/Current_Design/Errors [2] http://docs-draft.openstack.org/93/167793/4/check/gate-api-wg-docs/e2f5b6e//doc/build/html/guidelines/errors.html __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev From mkassawara at gmail.com Sat Apr 11 15:55:00 2015 From: mkassawara at gmail.com (Matt Kassawara) Date: Sat, 11 Apr 2015 10:55:00 -0500 Subject: [Openstack-operators] how to attach VMs to external/vlan network directly In-Reply-To: References: Message-ID: Does vlan81 between bond0 and br-vlan reflect a VLAN subinterface on the host? If so, you need to remove it and attach bond0 directly to br-vlan because Open vSwitch performs the tagging for you. On Fri, Apr 10, 2015 at 3:13 PM, Gustavo Randich wrote: > Hi, > > I've tried without success to attach instances directly to external VLAN > network using "provider:network_type vlan"; below are the details. Using > "provider:network_type flat" I made it work. > > I was basically following this: > http://www.s3it.uzh.ch/blog/openstack-neutron-vlan/ > > Any idea will be appreciated. > > ML2 CONFIG > ml2_type_vlan network_vlan_ranges vlannet:81:91 > bridge_mappings vlannet:br-vlan > enable_security_group True > enable_ipset True > firewall_driver > neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver > > NETWORK CREATION > neutron net-create vlan81 --router:external True > --provider:physical_network vlannet --provider:network_type vlan > --provider:segmentation_id 81 --shared > neutron subnet-create vlan81 10.111.81.0/24 --name vlan81 > --allocation-pool start=10.111.81.65,end=10.111.81.126 --enable-dhcp > --gateway 10.111.81.254 --dns-nameserver 10.1.1.68 --dns-nameserver > 10.1.1.42 --host-route destination=169.254.169.254/32,nexthop=10.111.81.65 > > NETWORK CONFIGURATION OF COMPUTE/NETWORK NODES > em1 \ > bond0 -> vlan81 -> | br-vlan | <-> | br-int | > em2 / > > DEBUGGING > > root at juno-dev02:~# ovs-ofctl dump-flows br-vlan > NXST_FLOW reply (xid=0x4): > cookie=0x0, duration=2991.439s, table=0, n_packets=5374, n_bytes=357405, > idle_age=2, priority=4,in_port=5,dl_vlan=1 actions=mod_vlan_vid:81,NORMAL > cookie=0x0, duration=3439.498s, table=0, n_packets=3792, n_bytes=159460, > idle_age=0, priority=2,in_port=5 actions=drop > cookie=0x0, duration=3440.064s, table=0, n_packets=113217, > n_bytes=18712371, idle_age=0, priority=1 actions=NORMAL > > root at juno-dev02:~# ovs-ofctl dump-flows br-int > NXST_FLOW reply (xid=0x4): > cookie=0x0, duration=3891.241s, table=0, n_packets=1448, n_bytes=157908, > idle_age=1236, priority=3,in_port=7,dl_vlan=81 actions=mod_vlan_vid:1,NORMAL > cookie=0x0, duration=4339.435s, table=0, n_packets=26538, > n_bytes=1584268, idle_age=1, priority=2,in_port=7 actions=drop > cookie=0x0, duration=4340.224s, table=0, n_packets=10686, n_bytes=590535, > idle_age=1, priority=1 actions=NORMAL > cookie=0x0, duration=4340.153s, table=23, n_packets=0, n_bytes=0, > idle_age=4340, priority=0 actions=drop > > root at juno-dev02:~# nova list > > +--------------------------------------+------+--------+------------+-------------+---------------------+ > | ID | Name | Status | Task State | > Power State | Networks | > > +--------------------------------------+------+--------+------------+-------------+---------------------+ > | 2f1a2cba-6fc7-45ae-a251-e709ab8b7ecc | test | ACTIVE | - | > Running | vlan81=10.111.81.66 | > > +--------------------------------------+------+--------+------------+-------------+---------------------+ > > > Instance can reach DHCP server on network node (10.111.81.65), but cannot > reach default gateway (10.111.81.254), nor any host of the external network. > > The br-vlan bridge shows outgoing ARP packets tagged with vlan 81, and ARP > replies not tagged, which I suppose it then drops because it does not match > the first rule of br-vlan. > > The br-int bridge shows only outgoin ARP packets: > > > root at juno-dev02:~# tcpdump -env -i br-vlan icmp or arp > tcpdump: listening on br-vlan, link-type EN10MB (Ethernet), capture size > 65535 bytes > 11:45:56.463254 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q > (0x8100), length 46: vlan 81, p 0, ethertype ARP, Ethernet (len 6), IPv4 > (len 4), Request who-has 10.111.81.254 tell 10.111.81.66, length 28 > 11:45:56.464491 78:19:f7:9b:2a:41 > fa:16:3e:58:74:5b, ethertype ARP > (0x0806), length 56: Ethernet (len 6), IPv4 (len 4), Reply 10.111.81.254 > is-at 78:19:f7:9b:2a:41, length 42 > 11:45:57.461253 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q > (0x8100), length 46: vlan 81, p 0, ethertype ARP, Ethernet (len 6), IPv4 > (len 4), Request who-has 10.111.81.254 tell 10.111.81.66, length 28 > 11:45:57.462765 78:19:f7:9b:2a:41 > fa:16:3e:58:74:5b, ethertype ARP > (0x0806), length 56: Ethernet (len 6), IPv4 (len 4), Reply 10.111.81.254 > is-at 78:19:f7:9b:2a:41, length 42 > > root at juno-dev02:~# tcpdump -env -i br-int icmp or arp > tcpdump: WARNING: br-int: no IPv4 address assigned > tcpdump: listening on br-int, link-type EN10MB (Ethernet), capture size > 65535 bytes > 11:29:49.330084 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q > (0x8100), length 46: vlan 1, p 0, ethertype ARP, Ethernet (len 6), IPv4 > (len 4), Request who-has 10.111.81.254 tell 10.111.81.66, length 28 > 11:29:50.162106 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q > (0x8100), length 46: vlan 1, p 0, ethertype ARP, Ethernet (len 6), IPv4 > (len 4), Request who-has 10.111.81.49 tell 10.111.81.66, length 28 > 11:29:51.180111 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q > (0x8100), length 46: vlan 1, p 0, ethertype ARP, Ethernet (len 6), IPv4 > (len 4), Request who-has 10.111.81.49 tell 10.111.81.66, length 28 > > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gustavo.randich at gmail.com Sun Apr 12 04:26:24 2015 From: gustavo.randich at gmail.com (Gustavo Randich) Date: Sun, 12 Apr 2015 01:26:24 -0300 Subject: [Openstack-operators] how to attach VMs to external/vlan network directly In-Reply-To: References: Message-ID: Yes, vlan81 is a subinterface. That is the problem. Will try adding bond0 to br-vlan... Thanks! On Saturday, April 11, 2015, Matt Kassawara wrote: > Does vlan81 between bond0 and br-vlan reflect a VLAN subinterface on the > host? If so, you need to remove it and attach bond0 directly to br-vlan > because Open vSwitch performs the tagging for you. > > On Fri, Apr 10, 2015 at 3:13 PM, Gustavo Randich < > gustavo.randich at gmail.com > > wrote: > >> Hi, >> >> I've tried without success to attach instances directly to external VLAN >> network using "provider:network_type vlan"; below are the details. Using >> "provider:network_type flat" I made it work. >> >> I was basically following this: >> http://www.s3it.uzh.ch/blog/openstack-neutron-vlan/ >> >> Any idea will be appreciated. >> >> ML2 CONFIG >> ml2_type_vlan network_vlan_ranges vlannet:81:91 >> bridge_mappings vlannet:br-vlan >> enable_security_group True >> enable_ipset True >> firewall_driver >> neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver >> >> NETWORK CREATION >> neutron net-create vlan81 --router:external True >> --provider:physical_network vlannet --provider:network_type vlan >> --provider:segmentation_id 81 --shared >> neutron subnet-create vlan81 10.111.81.0/24 --name vlan81 >> --allocation-pool start=10.111.81.65,end=10.111.81.126 --enable-dhcp >> --gateway 10.111.81.254 --dns-nameserver 10.1.1.68 --dns-nameserver >> 10.1.1.42 --host-route destination= >> 169.254.169.254/32,nexthop=10.111.81.65 >> >> NETWORK CONFIGURATION OF COMPUTE/NETWORK NODES >> em1 \ >> bond0 -> vlan81 -> | br-vlan | <-> | br-int | >> em2 / >> >> DEBUGGING >> >> root at juno-dev02:~# ovs-ofctl dump-flows br-vlan >> NXST_FLOW reply (xid=0x4): >> cookie=0x0, duration=2991.439s, table=0, n_packets=5374, n_bytes=357405, >> idle_age=2, priority=4,in_port=5,dl_vlan=1 actions=mod_vlan_vid:81,NORMAL >> cookie=0x0, duration=3439.498s, table=0, n_packets=3792, n_bytes=159460, >> idle_age=0, priority=2,in_port=5 actions=drop >> cookie=0x0, duration=3440.064s, table=0, n_packets=113217, >> n_bytes=18712371, idle_age=0, priority=1 actions=NORMAL >> >> root at juno-dev02:~# ovs-ofctl dump-flows br-int >> NXST_FLOW reply (xid=0x4): >> cookie=0x0, duration=3891.241s, table=0, n_packets=1448, n_bytes=157908, >> idle_age=1236, priority=3,in_port=7,dl_vlan=81 actions=mod_vlan_vid:1,NORMAL >> cookie=0x0, duration=4339.435s, table=0, n_packets=26538, >> n_bytes=1584268, idle_age=1, priority=2,in_port=7 actions=drop >> cookie=0x0, duration=4340.224s, table=0, n_packets=10686, >> n_bytes=590535, idle_age=1, priority=1 actions=NORMAL >> cookie=0x0, duration=4340.153s, table=23, n_packets=0, n_bytes=0, >> idle_age=4340, priority=0 actions=drop >> >> root at juno-dev02:~# nova list >> >> +--------------------------------------+------+--------+------------+-------------+---------------------+ >> | ID | Name | Status | Task State | >> Power State | Networks | >> >> +--------------------------------------+------+--------+------------+-------------+---------------------+ >> | 2f1a2cba-6fc7-45ae-a251-e709ab8b7ecc | test | ACTIVE | - | >> Running | vlan81=10.111.81.66 | >> >> +--------------------------------------+------+--------+------------+-------------+---------------------+ >> >> >> Instance can reach DHCP server on network node (10.111.81.65), but cannot >> reach default gateway (10.111.81.254), nor any host of the external network. >> >> The br-vlan bridge shows outgoing ARP packets tagged with vlan 81, and >> ARP replies not tagged, which I suppose it then drops because it does not >> match the first rule of br-vlan. >> >> The br-int bridge shows only outgoin ARP packets: >> >> >> root at juno-dev02:~# tcpdump -env -i br-vlan icmp or arp >> tcpdump: listening on br-vlan, link-type EN10MB (Ethernet), capture size >> 65535 bytes >> 11:45:56.463254 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q >> (0x8100), length 46: vlan 81, p 0, ethertype ARP, Ethernet (len 6), IPv4 >> (len 4), Request who-has 10.111.81.254 tell 10.111.81.66, length 28 >> 11:45:56.464491 78:19:f7:9b:2a:41 > fa:16:3e:58:74:5b, ethertype ARP >> (0x0806), length 56: Ethernet (len 6), IPv4 (len 4), Reply 10.111.81.254 >> is-at 78:19:f7:9b:2a:41, length 42 >> 11:45:57.461253 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q >> (0x8100), length 46: vlan 81, p 0, ethertype ARP, Ethernet (len 6), IPv4 >> (len 4), Request who-has 10.111.81.254 tell 10.111.81.66, length 28 >> 11:45:57.462765 78:19:f7:9b:2a:41 > fa:16:3e:58:74:5b, ethertype ARP >> (0x0806), length 56: Ethernet (len 6), IPv4 (len 4), Reply 10.111.81.254 >> is-at 78:19:f7:9b:2a:41, length 42 >> >> root at juno-dev02:~# tcpdump -env -i br-int icmp or arp >> tcpdump: WARNING: br-int: no IPv4 address assigned >> tcpdump: listening on br-int, link-type EN10MB (Ethernet), capture size >> 65535 bytes >> 11:29:49.330084 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q >> (0x8100), length 46: vlan 1, p 0, ethertype ARP, Ethernet (len 6), IPv4 >> (len 4), Request who-has 10.111.81.254 tell 10.111.81.66, length 28 >> 11:29:50.162106 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q >> (0x8100), length 46: vlan 1, p 0, ethertype ARP, Ethernet (len 6), IPv4 >> (len 4), Request who-has 10.111.81.49 tell 10.111.81.66, length 28 >> 11:29:51.180111 fa:16:3e:58:74:5b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q >> (0x8100), length 46: vlan 1, p 0, ethertype ARP, Ethernet (len 6), IPv4 >> (len 4), Request who-has 10.111.81.49 tell 10.111.81.66, length 28 >> >> >> _______________________________________________ >> OpenStack-operators mailing list >> OpenStack-operators at lists.openstack.org >> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From aishwarya.adyanthaya at accenture.com Mon Apr 13 03:16:30 2015 From: aishwarya.adyanthaya at accenture.com (aishwarya.adyanthaya at accenture.com) Date: Mon, 13 Apr 2015 03:16:30 +0000 Subject: [Openstack-operators] Endpoints in kubernetes In-Reply-To: References: Message-ID: Hi Alex, I went to the link you specified (https://github.com/stackforge/murano/tree/master/contrib/elements/kubernetes) and downloaded the packages for Kubernetes (like etcd, Kubernetes, flannel) but found no configuration files where I could edit the service configuration. I checked my machine for the configuration but couldn?t find it. If you could let me know on it that would be really helpful. Thank you in advance. Aishwarya Adyanthaya From: Alex Freedland [mailto:afreedland at mirantis.com] Sent: Tuesday, April 07, 2015 8:43 PM To: Adyanthaya, Aishwarya Cc: openstack-operators at lists.openstack.org Subject: Re: [Openstack-operators] Endpoints in kubernetes Here is a link for disk image builder for Kubernetes images with use in Murano: https://github.com/stackforge/murano/tree/master/contrib/elements/kubernetes It has all steps to preinstall Kubernetes on top of Ubuntu. Alex Freedland Co-Founder and Chairman Mirantis, Inc. On Tue, Apr 7, 2015 at 5:16 AM, > wrote: Hello, I?m trying to integrate Kubernetes with OpenStack and I?ve started with the master node. While creating the master node I downloaded the Kubernetes.git and next I executed the command ?make release?. During the release, I got few lines that read ?Error on creating endpoints: endpoints "service1" not found? though in the end of the execution it read successful. When I checked the network it read ?Error: cannot sync with the cluster using endpoints http://127.0.0.1:4001?. Does anyone know if we need to add extra packages or other configurations that needs to be done before getting Kubernetes.git on the node to rectify the error? Thanks! ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. ______________________________________________________________________________________ www.accenture.com _______________________________________________ OpenStack-operators mailing list OpenStack-operators at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators -------------- next part -------------- An HTML attachment was scrubbed... URL: From mvanwink at rackspace.com Mon Apr 13 04:30:15 2015 From: mvanwink at rackspace.com (Matt Van Winkle) Date: Mon, 13 Apr 2015 04:30:15 +0000 Subject: [Openstack-operators] [Large Deployment Team] Meeting this Thursday at 16:00 UTC Message-ID: Hello all, Just a reminder that we have a meeting this Thursday at 16:00 UTC. (Reminder to some us, this makes it an hour earlier :) ). I'm working on confirming the room after the confusion a couple months ago and will update tomorrow with more details. We will discuss the outputs from the session at the mid cycle and determine what we want to accomplish in Vancouver. I'l touch base tomorrow, but wanted to get this on your calendars. Thanks! MAtt -------------- next part -------------- An HTML attachment was scrubbed... URL: From aishwarya.adyanthaya at accenture.com Mon Apr 13 05:06:08 2015 From: aishwarya.adyanthaya at accenture.com (aishwarya.adyanthaya at accenture.com) Date: Mon, 13 Apr 2015 05:06:08 +0000 Subject: [Openstack-operators] kubernetes minion services Message-ID: <41da12394d0f4fea83aa5ebf76691073@CO2PR42MB188.048d.mgd.msft.net> Hi, I'm trying to integrate Kubernetes with Openstack and I have been following the site 'devops.profitbricks.com' for it. The master node is running services such as kube-apiserver, kube-scheduler, kube-controller-manager but the etcd service seem to be missing even after the configuration was done. The services on minions aren't in running state after the configuration are done. I tried manually starting it with the service start command and checked for its status but it seems to be in stop/waiting state. Could anyone point out what I have to do? Thanks in advance! Aishwarya Adyanthaya ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. ______________________________________________________________________________________ www.accenture.com From tom at openstack.org Mon Apr 13 09:32:41 2015 From: tom at openstack.org (Tom Fifield) Date: Mon, 13 Apr 2015 18:32:41 +0900 Subject: [Openstack-operators] Draft Agenda for the Vancouver Ops Summit Sessions Message-ID: <552B8D39.2020309@openstack.org> Hi, Thank you very much to the sixty-odd people who contributed to the planning etherpad. I've taken that etherpad, Paris summit attendee feedback survey results, PHL ops feedback etherpad and munged all that into a first-draft schedule for Vancouver. If you're new: note that this is in addition to the operations (and other) conference track's presentations. It's aimed at giving us a design-summit-style place to congregate, swap best practices, ideas and give feedback. As a reminder, we have two different kind of sessions - General Sessions (Tuesday), which are interactive planning discussions for the operator community, and**Working groups (Wednesday)**focus on specific topics aiming to make concrete tasks in that area. Below is the draft schedule. Please take a look and reply with your thoughts! We need to get this ticked off fairly quickly, to ensure we find moderators for the sessions and can get them advertised as soon as possible. _*General Sessions*_ Tuesday Big Room 1 Big Room 2 Big Room 3 11:15 - 11:55 Ops Summit "101" / The Story So Far Federation - Keystone & other - what do people need? RabbitMQ 12:05 - 12:45 How do we fix logging? Architecture Show and Tell Ceilometer - what needs fixing? 12:45 - 2:00 2:00 - 2:40 Billing / show back / charge back - how do I do that? Architecture Show and Tell - Special Edition Cinder Feedback 2:50 - 3:30 OnBoard & Integration of Legacy Apps User Committee Session Hypervisor Tuning 3:40 - 4:20 Security CI/CD and Deployment Database 4:20 - 4:40 4:40 - 5:20 internal evangelism - convincing your C-level exec to back OpenStack Operating multi-site OpenStack installations in practice Nova Feedback (inc EC2 API) 5:30 - 6:10 Customer onboarding and offboarding Containers - what do you want? Neutron Feedback _*Working Groups*_ Wednesday Room 1 Room 2 Room 3 9:00 - 9:40 Telco Chef HPC Working Group 9:50 - 10:30 Telco Puppet HPC Working Group 10:30 - 11:00 11:00 - 11:40 Monitoring & Tools Working Group Ansible Ops Tags Working Group 11:50 - 12:30 Monitoring & Tools Working Group Ceph Ops Tags Working Group 12:30 - 1:50 1:50 - 2:30 Large Deployments Team Burning Issues Tech Choices (eg is MongoDB OK?) 2:40 - 3:20 Large Deployments Team Burning Issues CMDB 3:30 - 4:10 Large Deployments Team Docs Data-Plane technology transitions. 4:10 - 4:30 4:30 - 5:10 Upgrades Packaging nova-network 5:20 - 6:00 Upgrades Packaging nova-network Regards, Tom -------------- next part -------------- An HTML attachment was scrubbed... URL: From aishwarya.adyanthaya at accenture.com Mon Apr 13 12:06:49 2015 From: aishwarya.adyanthaya at accenture.com (aishwarya.adyanthaya at accenture.com) Date: Mon, 13 Apr 2015 12:06:49 +0000 Subject: [Openstack-operators] kubernetes services Message-ID: <575aaf51c9f9412dab31f785d70f6ddd@CO2PR42MB188.048d.mgd.msft.net> Hi, I'm trying to integrate Kubernetes with Openstack and I have been following the site 'devops.profitbricks.com' for it. The master node is running services such as kube-apiserver, kube-scheduler, kube-controller-manager but the etcd service seem to be missing even after the configuration was done. The services on minions aren't in running state after the configuration are done. I tried manually starting it with the service start command and checked for its status but it seems to be in stop/waiting state. Could anyone point out what I have to do? Thanks in advance! Aishwarya Adyanthaya ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. ______________________________________________________________________________________ www.accenture.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From george.shuklin at gmail.com Mon Apr 13 21:56:43 2015 From: george.shuklin at gmail.com (George Shuklin) Date: Tue, 14 Apr 2015 00:56:43 +0300 Subject: [Openstack-operators] Draft Agenda for the Vancouver Ops Summit Sessions In-Reply-To: <552B8D39.2020309@openstack.org> References: <552B8D39.2020309@openstack.org> Message-ID: <552C3B9B.6040904@gmail.com> On 04/13/2015 12:32 PM, Tom Fifield wrote: What kind of projects will be a sessions 'Architecture Show and Tell' and 'Architecture Show and Tell - Special Edition' about? Thanks. On 04/13/2015 12:32 PM, Tom Fifield wrote: [cut] > > _*General Sessions*_ > > Tuesday Big Room 1 Big Room 2 Big Room 3 > 11:15 - 11:55 Ops Summit "101" / The Story So Far Federation - > Keystone & other - what do people need? RabbitMQ > 12:05 - 12:45 How do we fix logging? Architecture Show and Tell > Ceilometer - what needs fixing? > 12:45 - 2:00 > > > > 2:00 - 2:40 Billing / show back / charge back - how do I do that? > Architecture Show and Tell - Special Edition Cinder Feedback > 2:50 - 3:30 > > > [cut] -------------- next part -------------- An HTML attachment was scrubbed... URL: From tom at openstack.org Tue Apr 14 00:10:31 2015 From: tom at openstack.org (Tom Fifield) Date: Tue, 14 Apr 2015 09:10:31 +0900 Subject: [Openstack-operators] Draft Agenda for the Vancouver Ops Summit Sessions In-Reply-To: <552C3B9B.6040904@gmail.com> References: <552B8D39.2020309@openstack.org> <552C3B9B.6040904@gmail.com> Message-ID: <552C5AF7.2060508@openstack.org> Hi George, You can see the list on the planning etherpad at: https://etherpad.openstack.org/p/YVR-ops-meetup These are not projects, but people talking about their own clouds, in lightening talk form :) Special Edition is a carry over from last summit where we had an 'upgrades' special edition. I've yet to see whether we have a nice logical grouping for this time. Regards, Tom On 14/04/15 06:56, George Shuklin wrote: > > On 04/13/2015 12:32 PM, Tom Fifield wrote: > > > What kind of projects will be a sessions 'Architecture Show and Tell' > and 'Architecture Show and Tell - Special Edition' about? > > Thanks. > > > On 04/13/2015 12:32 PM, Tom Fifield wrote: > > [cut] >> >> _*General Sessions*_ >> >> Tuesday Big Room 1 Big Room 2 Big Room 3 >> 11:15 - 11:55 Ops Summit "101" / The Story So Far Federation - >> Keystone & other - what do people need? RabbitMQ >> 12:05 - 12:45 How do we fix logging? Architecture Show and Tell >> Ceilometer - what needs fixing? >> 12:45 - 2:00 >> >> >> >> 2:00 - 2:40 Billing / show back / charge back - how do I do that? >> Architecture Show and Tell - Special Edition Cinder Feedback >> 2:50 - 3:30 >> >> >> > [cut] > > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > From gokrokvertskhov at mirantis.com Tue Apr 14 00:23:56 2015 From: gokrokvertskhov at mirantis.com (Georgy Okrokvertskhov) Date: Mon, 13 Apr 2015 17:23:56 -0700 Subject: [Openstack-operators] kubernetes services In-Reply-To: <575aaf51c9f9412dab31f785d70f6ddd@CO2PR42MB188.048d.mgd.msft.net> References: <575aaf51c9f9412dab31f785d70f6ddd@CO2PR42MB188.048d.mgd.msft.net> Message-ID: Hi, If you don't see etcd process it probably means that you did not initialize an etc cluster. You need to have ETCD properly configured before you install Kubernetes as Kubernetes uses ETCd to distribute its configuration. There are two ways to setup ETCd cluster. The first one requires to use some hub which will be a coordination point between ETCd nodes. The second one is manual way when you add each ETCd member one by one providing initialization configuration string as an option on each member. Each time you add an ETCd member this init string will be changed. Here are bash scripts which are used in Kubernetes cluster automation in Murano: https://github.com/stackforge/murano-apps/tree/master/kubernetes/io.murano.apps.docker.kubernetes.KubernetesCluster/Resources/scripts the sequence or ETCd is the following: on ETCd master (first VM): master-etcd-setup.sh --==Adding an ETCd memeber ==- 1) On master: master-add-member.sh 2) take the init string generated after script execution 3) On new member: member-etcd-setup.sh Just take a look on the scripts and you will figure out how to setup a cluster. Thanks Gosha On Mon, Apr 13, 2015 at 5:06 AM, wrote: > Hi, > > > > I'm trying to integrate Kubernetes with Openstack and I have been > following the site 'devops.profitbricks.com' for it. The master node is > running services such as kube-apiserver, kube-scheduler, > kube-controller-manager but the etcd service seem to be missing even after > the configuration was done. The services on minions aren't in running state > after the configuration are done. I tried manually starting it with the > service start command and checked for its status but it seems to be in > stop/waiting state. > > > > Could anyone point out what I have to do? Thanks in advance! > > > > Aishwarya Adyanthaya > > > > ------------------------------ > > This message is for the designated recipient only and may contain > privileged, proprietary, or otherwise confidential information. If you have > received it in error, please notify the sender immediately and delete the > original. Any other use of the e-mail by you is prohibited. Where allowed > by local law, electronic communications with Accenture and its affiliates, > including e-mail and instant messaging (including content), may be scanned > by our systems for the purposes of information security and assessment of > internal compliance with Accenture policy. > > ______________________________________________________________________________________ > > www.accenture.com > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > -- Georgy Okrokvertskhov Architect, OpenStack Platform Products, Mirantis http://www.mirantis.com Tel. +1 650 963 9828 Mob. +1 650 996 3284 -------------- next part -------------- An HTML attachment was scrubbed... URL: From clint at fewbar.com Tue Apr 14 17:21:20 2015 From: clint at fewbar.com (Clint Byrum) Date: Tue, 14 Apr 2015 10:21:20 -0700 Subject: [Openstack-operators] [all] QPID incompatible with python 3 and untested in gate -- what to do? Message-ID: <1429031332-sup-4892@fewbar.com> Hello! There's been some recent progress on python3 compatibility for core libraries that OpenStack depends on[1], and this is likely to open the flood gates for even more python3 problems to be found and fixed. Recently a proposal was made to make oslo.messaging start to run python3 tests[2], and it was found that qpid-python is not python3 compatible yet. This presents us with questions: Is anyone using QPID, and if so, should we add gate testing for it? If not, can we deprecate the driver? In the most recent survey results I could find [3] I don't even see message broker mentioned, whereas Databases in use do vary somewhat. Currently it would appear that only oslo.messaging runs functional tests against QPID. I was unable to locate integration testing for it, but I may not know all of the places to dig around to find that. So, please let us know if QPID is important to you. Otherwise it may be time to unburden ourselves of its maintenance. [1] https://pypi.python.org/pypi/eventlet/0.17.3 [2] https://review.openstack.org/#/c/172135/ [3] http://superuser.openstack.org/articles/openstack-user-survey-insights-november-2014 From clint at fewbar.com Tue Apr 14 17:22:15 2015 From: clint at fewbar.com (Clint Byrum) Date: Tue, 14 Apr 2015 10:22:15 -0700 Subject: [Openstack-operators] [all] QPID incompatible with python 3 and untested in gate -- what to do? Message-ID: <1429032117-sup-4270@fewbar.com> Hello! There's been some recent progress on python3 compatibility for core libraries that OpenStack depends on[1], and this is likely to open the flood gates for even more python3 problems to be found and fixed. Recently a proposal was made to make oslo.messaging start to run python3 tests[2], and it was found that qpid-python is not python3 compatible yet. This presents us with questions: Is anyone using QPID, and if so, should we add gate testing for it? If not, can we deprecate the driver? In the most recent survey results I could find [3] I don't even see message broker mentioned, whereas Databases in use do vary somewhat. Currently it would appear that only oslo.messaging runs functional tests against QPID. I was unable to locate integration testing for it, but I may not know all of the places to dig around to find that. So, please let us know if QPID is important to you. Otherwise it may be time to unburden ourselves of its maintenance. [1] https://pypi.python.org/pypi/eventlet/0.17.3 [2] https://review.openstack.org/#/c/172135/ [3] http://superuser.openstack.org/articles/openstack-user-survey-insights-november-2014 From ozamiatin at mirantis.com Tue Apr 14 17:54:17 2015 From: ozamiatin at mirantis.com (ozamiatin) Date: Tue, 14 Apr 2015 20:54:17 +0300 Subject: [Openstack-operators] Oslo.messaging ZeroMQ driver changes in Liberty Message-ID: <552D5449.2020106@mirantis.com> Hi, Does anyone use any version of ZeroMQ driver in production deployment? If you do, please leave your comments in [1], or reply to this letter. [1] https://review.openstack.org/#/c/171131/ Thanks, Oleksii Zamiatin From jacobgodin at gmail.com Tue Apr 14 17:56:09 2015 From: jacobgodin at gmail.com (Jacob Godin) Date: Tue, 14 Apr 2015 14:56:09 -0300 Subject: [Openstack-operators] [Neutron] Floating IPs / Router Gateways Message-ID: Hi folks, Looking for a bit of advice on how to accomplish something with Neutron. Our setup uses OVS+GRE with isolated tenant networks. Currently, we have one large network servicing our Floating IPs as well as our external router interfaces. What we're looking to do is actually have two distinct networks handle these tasks. One for FIPs and another for routers. Is this possible? -------------- next part -------------- An HTML attachment was scrubbed... URL: From emilien at redhat.com Tue Apr 14 18:55:22 2015 From: emilien at redhat.com (Emilien Macchi) Date: Tue, 14 Apr 2015 14:55:22 -0400 Subject: [Openstack-operators] [puppet] OPS meetup in Vancouver Summit Message-ID: <552D629A.7020901@redhat.com> Operators, Your feedback is one of the reasons why our Puppet modules are very popular; we would like to continue to organize a Puppet session during the next OPS meeting in Vancouver summit. To track all what we need to cover, I created a new etherpad: https://etherpad.openstack.org/p/liberty-summit-ops-puppet Feel free to bring topics based on your feedback from your operator point of view of using Puppet modules for OpenStack. We are a weekly meeting [1], so we will make sure to track the topics and prepare an agenda *before* the summit. Thanks, [1] https://wiki.openstack.org/wiki/Meetings/PuppetOpenStack#Agenda -- Emilien Macchi -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From amuller at redhat.com Tue Apr 14 21:06:52 2015 From: amuller at redhat.com (Assaf Muller) Date: Tue, 14 Apr 2015 17:06:52 -0400 (EDT) Subject: [Openstack-operators] [Neutron] Floating IPs / Router Gateways In-Reply-To: <564711130.21500133.1429045564374.JavaMail.zimbra@redhat.com> References: <564711130.21500133.1429045564374.JavaMail.zimbra@redhat.com> Message-ID: <1510428524.21500280.1429045612339.JavaMail.zimbra@redhat.com> ----- Original Message ----- > Hi folks, > > Looking for a bit of advice on how to accomplish something with Neutron. Our > setup uses OVS+GRE with isolated tenant networks. Currently, we have one > large network servicing our Floating IPs as well as our external router > interfaces. > > What we're looking to do is actually have two distinct networks handle these > tasks. One for FIPs and another for routers. > > Is this possible? Every router is allocated an IP address on the same network as the floating IPs it serves. This is unavoidable at this time. I don't see how you could work around this and separate the two. Can you expand on what you're trying to accomplish and why? There's work going on in this area planned for Liberty and it would be interesting to hear your use case. > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > From blak111 at gmail.com Tue Apr 14 21:08:43 2015 From: blak111 at gmail.com (Kevin Benton) Date: Tue, 14 Apr 2015 14:08:43 -0700 Subject: [Openstack-operators] [Neutron] Floating IPs / Router Gateways In-Reply-To: References: Message-ID: Probably not in the way you want. You can have two subnets on the external network. Then you would set the allocation pool to be nothing for the subnet that you want the router interfaces to be attached to to make sure floating IPs aren't allocated from it. Then whenever you attach a router interface you would need to explicitly set the IP address to something from the first subnet. This obviously won't work well if you want it to automatically happen for tenants, but it might work if you are setting up the infrastructure yourself. On Tue, Apr 14, 2015 at 10:56 AM, Jacob Godin wrote: > Hi folks, > > Looking for a bit of advice on how to accomplish something with Neutron. > Our setup uses OVS+GRE with isolated tenant networks. Currently, we have > one large network servicing our Floating IPs as well as our external router > interfaces. > > What we're looking to do is actually have two distinct networks handle > these tasks. One for FIPs and another for routers. > > Is this possible? > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > -- Kevin Benton -------------- next part -------------- An HTML attachment was scrubbed... URL: From jacobgodin at gmail.com Tue Apr 14 21:12:35 2015 From: jacobgodin at gmail.com (Jacob Godin) Date: Tue, 14 Apr 2015 18:12:35 -0300 Subject: [Openstack-operators] [Neutron] Floating IPs / Router Gateways In-Reply-To: References: Message-ID: Thanks Kevin. That might work in some instances, however our tenants have the ability to create their own routers and allocate their gateway. I suppose we could hack some code in to restrict what networks are usable for routers vs floating IPs. On Tue, Apr 14, 2015 at 6:08 PM, Kevin Benton wrote: > Probably not in the way you want. > > You can have two subnets on the external network. Then you would set the > allocation pool to be nothing for the subnet that you want the router > interfaces to be attached to to make sure floating IPs aren't allocated > from it. Then whenever you attach a router interface you would need to > explicitly set the IP address to something from the first subnet. > > This obviously won't work well if you want it to automatically happen for > tenants, but it might work if you are setting up the infrastructure > yourself. > > On Tue, Apr 14, 2015 at 10:56 AM, Jacob Godin > wrote: > >> Hi folks, >> >> Looking for a bit of advice on how to accomplish something with Neutron. >> Our setup uses OVS+GRE with isolated tenant networks. Currently, we have >> one large network servicing our Floating IPs as well as our external router >> interfaces. >> >> What we're looking to do is actually have two distinct networks handle >> these tasks. One for FIPs and another for routers. >> >> Is this possible? >> >> _______________________________________________ >> OpenStack-operators mailing list >> OpenStack-operators at lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >> >> > > > -- > Kevin Benton > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jacobgodin at gmail.com Tue Apr 14 21:12:48 2015 From: jacobgodin at gmail.com (Jacob Godin) Date: Tue, 14 Apr 2015 18:12:48 -0300 Subject: [Openstack-operators] [Neutron] Floating IPs / Router Gateways In-Reply-To: <1510428524.21500280.1429045612339.JavaMail.zimbra@redhat.com> References: <564711130.21500133.1429045564374.JavaMail.zimbra@redhat.com> <1510428524.21500280.1429045612339.JavaMail.zimbra@redhat.com> Message-ID: Absolutely. We're trying to reduce our public IPv4 usage, so having one per tenant network (not even including floating IPs) is a drain. Instead of having: instance -> (gateway IP) virtual router NAT (public IP) -> (public gateway) router We want to have: instance -> (gateway IP) virtual router NAT (private IP) -> (private gateway) router NAT We have lots of networks, so this would have a huge impact on our IP usage. Also, in this case, floating IP addresses would still work the same way that they do now.\ Thanks Assaf On Tue, Apr 14, 2015 at 6:06 PM, Assaf Muller wrote: > ----- Original Message ----- > > Hi folks, > > > > Looking for a bit of advice on how to accomplish something with Neutron. > Our > > setup uses OVS+GRE with isolated tenant networks. Currently, we have one > > large network servicing our Floating IPs as well as our external router > > interfaces. > > > > What we're looking to do is actually have two distinct networks handle > these > > tasks. One for FIPs and another for routers. > > > > Is this possible? > > Every router is allocated an IP address on the same network as the > floating IPs it serves. > This is unavoidable at this time. I don't see how you could work around > this and separate > the two. Can you expand on what you're trying to accomplish and why? > There's work going > on in this area planned for Liberty and it would be interesting to hear > your use case. > > > > > _______________________________________________ > > OpenStack-operators mailing list > > OpenStack-operators at lists.openstack.org > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mspreitz at us.ibm.com Tue Apr 14 21:22:19 2015 From: mspreitz at us.ibm.com (Mike Spreitzer) Date: Tue, 14 Apr 2015 17:22:19 -0400 Subject: [Openstack-operators] [Neutron] Floating IPs / Router Gateways In-Reply-To: References: <564711130.21500133.1429045564374.JavaMail.zimbra@redhat.com> <1510428524.21500280.1429045612339.JavaMail.zimbra@redhat.com> Message-ID: Jacob Godin wrote on 04/14/2015 05:12:48 PM: > Absolutely. We're trying to reduce our public IPv4 usage, so having > one per tenant network (not even including floating IPs) is a drain. I am having exactly the same issue. I am currently solving it with a different hack that nobody likes, I will not even describe it here. But total agreement that the problem is important. IPv6 is the ultimate answer, provided there is a reasonably smooth transition. I think we will need to support a tenant that is using both v4 and v6 during his transition. This will require NAT between a tenant's v4 and v6. Regards, Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: From jacobgodin at gmail.com Tue Apr 14 21:24:03 2015 From: jacobgodin at gmail.com (Jacob Godin) Date: Tue, 14 Apr 2015 18:24:03 -0300 Subject: [Openstack-operators] [Neutron] Floating IPs / Router Gateways In-Reply-To: References: <564711130.21500133.1429045564374.JavaMail.zimbra@redhat.com> <1510428524.21500280.1429045612339.JavaMail.zimbra@redhat.com>

Message-ID: Hey Mike, Would you send along your solution off-list? I'm curious, and I won't judge :) On Tue, Apr 14, 2015 at 6:22 PM, Mike Spreitzer wrote: > Jacob Godin wrote on 04/14/2015 05:12:48 PM: > > > Absolutely. We're trying to reduce our public IPv4 usage, so having > > one per tenant network (not even including floating IPs) is a drain. > > I am having exactly the same issue. I am currently solving it with a > different hack that nobody likes, I will not even describe it here. But > total agreement that the problem is important. > > IPv6 is the ultimate answer, provided there is a reasonably smooth > transition. I think we will need to support a tenant that is using both v4 > and v6 during his transition. This will require NAT between a tenant's v4 > and v6. > > Regards, > Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: From mvanwink at rackspace.com Wed Apr 15 03:04:14 2015 From: mvanwink at rackspace.com (Matt Van Winkle) Date: Wed, 15 Apr 2015 03:04:14 +0000 Subject: [Openstack-operators] [Large Deployments] UPDATE: Meeting this Thursday at 16:00 UTC #openstack-meeting Message-ID: Hello again, folks! I went over all the schedules at: https://wiki.openstack.org/wiki/Meetings And for the Even months (Feb, April, June, etc). #openstack-meeting was open at 16:00 UTC. So, I've updated the above to include our meeting and added: https://wiki.openstack.org/wiki/Meetings/LDT I still need to put our previous minutes in there. I'll work with folks to get this added to the feed and we'll try to pick an official time for the APAC friendly time slot for the ODD months. We only met in January at the alternating time because March was the mid cycle. We'll need to decide on Thursday if we want to try and have a May meeting with the Summit going on or wait till July to have the next alternate meeting time. The main focus of this meeting will be debrief form the mid-cycle and prep for Vancouver. Also, I was wrong earlier, for those of us that have Daylight savings, this will be an our LATER than usual. (For example 11:00am Central versus 10) Please excuse my thinking backwards in the last note. See you all on Thursday! Matt PS - I've gone over the meeting page several times, but please let me know if I just completely missed a conflict on rooms. From: Matt Van Winkle > Date: Sunday, April 12, 2015 11:30 PM To: "openstack-operators at lists.openstack.org" > Subject: [Openstack-operators] [Large Deployment Team] Meeting this Thursday at 16:00 UTC Hello all, Just a reminder that we have a meeting this Thursday at 16:00 UTC. (Reminder to some us, this makes it an hour earlier :) ). I'm working on confirming the room after the confusion a couple months ago and will update tomorrow with more details. We will discuss the outputs from the session at the mid cycle and determine what we want to accomplish in Vancouver. I'l touch base tomorrow, but wanted to get this on your calendars. Thanks! MAtt -------------- next part -------------- An HTML attachment was scrubbed... URL: From comnea.dani at gmail.com Wed Apr 15 06:33:25 2015 From: comnea.dani at gmail.com (Daniel Comnea) Date: Wed, 15 Apr 2015 07:33:25 +0100 Subject: [Openstack-operators] [Neutron] Floating IPs / Router Gateways In-Reply-To: References: <564711130.21500133.1429045564374.JavaMail.zimbra@redhat.com> <1510428524.21500280.1429045612339.JavaMail.zimbra@redhat.com>

Message-ID: Mike, pls share the solution, some are interested even if is a hack as long as it gets the job done. On Tue, Apr 14, 2015 at 10:24 PM, Jacob Godin wrote: > Hey Mike, > > Would you send along your solution off-list? I'm curious, and I won't > judge :) > > On Tue, Apr 14, 2015 at 6:22 PM, Mike Spreitzer > wrote: > >> Jacob Godin wrote on 04/14/2015 05:12:48 PM: >> >> > Absolutely. We're trying to reduce our public IPv4 usage, so having >> > one per tenant network (not even including floating IPs) is a drain. >> >> I am having exactly the same issue. I am currently solving it with a >> different hack that nobody likes, I will not even describe it here. But >> total agreement that the problem is important. >> >> IPv6 is the ultimate answer, provided there is a reasonably smooth >> transition. I think we will need to support a tenant that is using both v4 >> and v6 during his transition. This will require NAT between a tenant's v4 >> and v6. >> >> Regards, >> Mike > > > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mspreitz at us.ibm.com Wed Apr 15 07:13:53 2015 From: mspreitz at us.ibm.com (Mike Spreitzer) Date: Wed, 15 Apr 2015 03:13:53 -0400 Subject: [Openstack-operators] [Neutron] Floating IPs / Router Gateways In-Reply-To: References: <564711130.21500133.1429045564374.JavaMail.zimbra@redhat.com> <1510428524.21500280.1429045612339.JavaMail.zimbra@redhat.com>

Message-ID: > From: Daniel Comnea > To: Jacob Godin > Cc: Mike Spreitzer/Watson/IBM at IBMUS, OpenStack Operators operators at lists.openstack.org> > Date: 04/15/2015 02:34 AM > Subject: Re: [Openstack-operators] [Neutron] Floating IPs / Router Gateways > Sent by: daniel.comnea at gmail.com > > Mike, pls share the solution, some are interested even if is a hack > as long as it gets the job done. > > > On Tue, Apr 14, 2015 at 10:24 PM, Jacob Godin wrote: > Hey Mike, > > Would you send along your solution off-list? I'm curious, and I won't judge :) > > On Tue, Apr 14, 2015 at 6:22 PM, Mike Spreitzer wrote: > Jacob Godin wrote on 04/14/2015 05:12:48 PM: > > > Absolutely. We're trying to reduce our public IPv4 usage, so having > > one per tenant network (not even including floating IPs) is a drain. > > I am having exactly the same issue. I am currently solving it with > a different hack that nobody likes, I will not even describe it > here. But total agreement that the problem is important. > > IPv6 is the ultimate answer, provided there is a reasonably smooth > transition. I think we will need to support a tenant that is using > both v4 and v6 during his transition. This will require NAT between > a tenant's v4 and v6. > > Regards, > Mike OK, you asked for it. What we do is share Neutron routers, and add some iptables rules that prevent communication between the tenants sharing a router. I told you it was a hack. Regards, Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: From jacobgodin at gmail.com Wed Apr 15 12:36:12 2015 From: jacobgodin at gmail.com (Jacob Godin) Date: Wed, 15 Apr 2015 09:36:12 -0300 Subject: [Openstack-operators] [Neutron] Floating IPs / Router Gateways In-Reply-To: References: <564711130.21500133.1429045564374.JavaMail.zimbra@redhat.com> <1510428524.21500280.1429045612339.JavaMail.zimbra@redhat.com>

Message-ID: Ah, gotcha. So you're not using overlapping subnets then. Unfortunately that hack wouldn't work in our environment, but definitely something that others might consider using. On Wed, Apr 15, 2015 at 4:13 AM, Mike Spreitzer wrote: > > From: Daniel Comnea > > To: Jacob Godin > > Cc: Mike Spreitzer/Watson/IBM at IBMUS, OpenStack Operators > operators at lists.openstack.org> > > Date: 04/15/2015 02:34 AM > > Subject: Re: [Openstack-operators] [Neutron] Floating IPs / Router > Gateways > > Sent by: daniel.comnea at gmail.com > > > > Mike, pls share the solution, some are interested even if is a hack > > as long as it gets the job done. > > > > > > > On Tue, Apr 14, 2015 at 10:24 PM, Jacob Godin > wrote: > > Hey Mike, > > > > Would you send along your solution off-list? I'm curious, and I won't > judge :) > > > > On Tue, Apr 14, 2015 at 6:22 PM, Mike Spreitzer > wrote: > > Jacob Godin wrote on 04/14/2015 05:12:48 PM: > > > > > Absolutely. We're trying to reduce our public IPv4 usage, so having > > > one per tenant network (not even including floating IPs) is a drain. > > > > I am having exactly the same issue. I am currently solving it with > > a different hack that nobody likes, I will not even describe it > > here. But total agreement that the problem is important. > > > > IPv6 is the ultimate answer, provided there is a reasonably smooth > > transition. I think we will need to support a tenant that is using > > both v4 and v6 during his transition. This will require NAT between > > a tenant's v4 and v6. > > > > Regards, > > Mike > > OK, you asked for it. What we do is share Neutron routers, and add some > iptables rules that prevent communication between the tenants sharing a > router. I told you it was a hack. > > Regards, > Mike > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From boris at pavlovic.me Wed Apr 15 12:45:18 2015 From: boris at pavlovic.me (Boris Pavlovic) Date: Wed, 15 Apr 2015 15:45:18 +0300 Subject: [Openstack-operators] [openstack-dev][openstack-ops][rally][announce] What's new in Rally v0.0.3 Message-ID: Hello, Rally team is happy to say that we cut new release 0.0.3. *Release stats:* +------------------+-----------------+ | Commits | 53 | +------------------+-----------------+ | Bug fixes | 14 | +------------------+-----------------+ | Dev cycle | 33 days | +------------------+-----------------+ | Release date | 14/Apr/2015 | +------------------+-----------------+ | New scenarios | 11 | +------------------+-----------------+ | New slas | 2 | +------------------+-----------------+ *New features:* - Add the ability to specify versions for clients in benchmark scenarios You can call self.clients(?glance?, ?2?) and get client initialized for specific API version. - Add API for tempest uninstall $ rally-manage tempest uninstall # removes fully tempest for active deployment - Add a ?uuids-only option to rally task list $ rally task list ?uuids-only # returns list with only task uuids - Adds endpoint to ?fromenv deployment creation $ rally deployment create ?fromenv # recognizes standard OS_ENDPOINT environment variable - Configure SSL per deployment Now SSL information is deployment specific not Rally specific and rally.conf option is deprecated. Take a look at sample. For more details take a look at release notes: http://boris-42.me/rally-v0-0-3-whats-new/ or here https://rally.readthedocs.org/en/latest/release_notes/v0.0.3.html Best regards, Boris Pavlovic -------------- next part -------------- An HTML attachment was scrubbed... URL: From comnea.dani at gmail.com Wed Apr 15 12:50:03 2015 From: comnea.dani at gmail.com (Daniel Comnea) Date: Wed, 15 Apr 2015 13:50:03 +0100 Subject: [Openstack-operators] [Neutron] Floating IPs / Router Gateways In-Reply-To: References: <564711130.21500133.1429045564374.JavaMail.zimbra@redhat.com> <1510428524.21500280.1429045612339.JavaMail.zimbra@redhat.com>

Message-ID: sure but appreciate your response. Dani On Wed, Apr 15, 2015 at 1:36 PM, Jacob Godin wrote: > Ah, gotcha. So you're not using overlapping subnets then. > > Unfortunately that hack wouldn't work in our environment, but definitely > something that others might consider using. > > On Wed, Apr 15, 2015 at 4:13 AM, Mike Spreitzer > wrote: > >> > From: Daniel Comnea >> > To: Jacob Godin >> > Cc: Mike Spreitzer/Watson/IBM at IBMUS, OpenStack Operators > > operators at lists.openstack.org> >> > Date: 04/15/2015 02:34 AM >> > Subject: Re: [Openstack-operators] [Neutron] Floating IPs / Router >> Gateways >> > Sent by: daniel.comnea at gmail.com >> > >> > Mike, pls share the solution, some are interested even if is a hack >> > as long as it gets the job done. >> > >> >> > >> > On Tue, Apr 14, 2015 at 10:24 PM, Jacob Godin >> wrote: >> > Hey Mike, >> > >> > Would you send along your solution off-list? I'm curious, and I won't >> judge :) >> > >> > On Tue, Apr 14, 2015 at 6:22 PM, Mike Spreitzer >> wrote: >> > Jacob Godin wrote on 04/14/2015 05:12:48 PM: >> > >> > > Absolutely. We're trying to reduce our public IPv4 usage, so having >> > > one per tenant network (not even including floating IPs) is a drain. >> > >> > I am having exactly the same issue. I am currently solving it with >> > a different hack that nobody likes, I will not even describe it >> > here. But total agreement that the problem is important. >> > >> > IPv6 is the ultimate answer, provided there is a reasonably smooth >> > transition. I think we will need to support a tenant that is using >> > both v4 and v6 during his transition. This will require NAT between >> > a tenant's v4 and v6. >> > >> > Regards, >> > Mike >> >> OK, you asked for it. What we do is share Neutron routers, and add some >> iptables rules that prevent communication between the tenants sharing a >> router. I told you it was a hack. >> >> Regards, >> Mike >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From clint at fewbar.com Wed Apr 15 21:26:38 2015 From: clint at fewbar.com (Clint Byrum) Date: Wed, 15 Apr 2015 14:26:38 -0700 Subject: [Openstack-operators] [all] QPID incompatible with python 3 and untested in gate -- what to do? In-Reply-To: <1429031332-sup-4892@fewbar.com> References: <1429031332-sup-4892@fewbar.com> Message-ID: <1429132713-sup-2744@fewbar.com> I sent this to the dev list as well, and a nice discussion broke out: http://lists.openstack.org/pipermail/openstack-dev/2015-April/061467.html Given that discussion, I've added a spec for review to help clarify messaging backends: https://review.openstack.org/174105 Excerpts from Clint Byrum's message of 2015-04-14 10:21:20 -0700: > Hello! There's been some recent progress on python3 compatibility for > core libraries that OpenStack depends on[1], and this is likely to open > the flood gates for even more python3 problems to be found and fixed. > > Recently a proposal was made to make oslo.messaging start to run python3 > tests[2], and it was found that qpid-python is not python3 compatible yet. > > This presents us with questions: Is anyone using QPID, and if so, should > we add gate testing for it? If not, can we deprecate the driver? In the > most recent survey results I could find [3] I don't even see message > broker mentioned, whereas Databases in use do vary somewhat. > > Currently it would appear that only oslo.messaging runs functional tests > against QPID. I was unable to locate integration testing for it, but I > may not know all of the places to dig around to find that. > > So, please let us know if QPID is important to you. Otherwise it may be > time to unburden ourselves of its maintenance. > > [1] https://pypi.python.org/pypi/eventlet/0.17.3 > [2] https://review.openstack.org/#/c/172135/ > [3] http://superuser.openstack.org/articles/openstack-user-survey-insights-november-2014 From mismith at overstock.com Wed Apr 15 23:33:04 2015 From: mismith at overstock.com (Mike Smith) Date: Wed, 15 Apr 2015 23:33:04 +0000 Subject: [Openstack-operators] No more identity groups? Message-ID: Hello all. On my Havana-version openstack cloud, Horizon has the option of creating groups of users and then adding groups of users to tenants instead of having to add users individually. On my Juno-version cloud, this feature seems to no longer exist. I checked the keystone catalog and both are using v2.0 of the identify API. Does anybody know if this is something that we removed, or if there is something I need to do to enable this identity group functionality? Thanks, Mike ________________________________ CONFIDENTIALITY NOTICE: This message is intended only for the use and review of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message solely to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify sender immediately by telephone or return email. Thank you. From Kevin.Fox at pnnl.gov Wed Apr 15 23:47:44 2015 From: Kevin.Fox at pnnl.gov (Fox, Kevin M) Date: Wed, 15 Apr 2015 23:47:44 +0000 Subject: [Openstack-operators] No more identity groups? In-Reply-To: References: Message-ID: <1A3C52DFCD06494D8528644858247BF01A1D3008@EX10MBOX03.pnnl.gov> Its part of the keystone v3 api I think. I've only seen it show up when I configure horizon to specifically talk v3 to keystone. Thanks, Kevin ________________________________________ From: Mike Smith [mismith at overstock.com] Sent: Wednesday, April 15, 2015 4:33 PM To: Subject: [Openstack-operators] No more identity groups? Hello all. On my Havana-version openstack cloud, Horizon has the option of creating groups of users and then adding groups of users to tenants instead of having to add users individually. On my Juno-version cloud, this feature seems to no longer exist. I checked the keystone catalog and both are using v2.0 of the identify API. Does anybody know if this is something that we removed, or if there is something I need to do to enable this identity group functionality? Thanks, Mike ________________________________ CONFIDENTIALITY NOTICE: This message is intended only for the use and review of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message solely to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify sender immediately by telephone or return email. Thank you. _______________________________________________ OpenStack-operators mailing list OpenStack-operators at lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators From matt at mattfischer.com Thu Apr 16 01:23:24 2015 From: matt at mattfischer.com (Matt Fischer) Date: Wed, 15 Apr 2015 19:23:24 -0600 Subject: [Openstack-operators] logging for Keystone on user/project delete/create operations Message-ID: I'd like to have some better logging when certain CRUD operations happen in Keystone, for example, when a project is deleted. I specifically mean "any" when I say better since right now I'm not seeing anything even when Verbose is enabled. This is pretty frustrating for me because these are rather important events, certainly more important than my load balancers hitting Keystone which it's happily logging twice a second. I know that Keystone supports some audit event notifications [1]. Can I simply have these reflect back into the main logs somehow? [1] - http://docs.openstack.org/developer/keystone/event_notifications.html -------------- next part -------------- An HTML attachment was scrubbed... URL: From mismith at overstock.com Thu Apr 16 01:49:30 2015 From: mismith at overstock.com (Mike Smith) Date: Thu, 16 Apr 2015 01:49:30 +0000 Subject: [Openstack-operators] No more identity groups? In-Reply-To: <1A3C52DFCD06494D8528644858247BF01A1D3008@EX10MBOX03.pnnl.gov> References: <1A3C52DFCD06494D8528644858247BF01A1D3008@EX10MBOX03.pnnl.gov> Message-ID: <912B7924-0CC1-4A78-9AD6-D49CAAAD07B1@overstock.com> Thanks. I made the following changes to the local_settings file for horizon and now the groups show up: OPENSTACK_API_VERSIONS = { "identity": 3 } OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST > On Apr 15, 2015, at 5:47 PM, Fox, Kevin M wrote: > > Its part of the keystone v3 api I think. I've only seen it show up when I configure horizon to specifically talk v3 to keystone. > > Thanks, > Kevin > ________________________________________ > From: Mike Smith [mismith at overstock.com] > Sent: Wednesday, April 15, 2015 4:33 PM > To: > Subject: [Openstack-operators] No more identity groups? > > Hello all. On my Havana-version openstack cloud, Horizon has the option of creating groups of users and then adding groups of users to tenants instead of having to add users individually. On my Juno-version cloud, this feature seems to no longer exist. I checked the keystone catalog and both are using v2.0 of the identify API. > > Does anybody know if this is something that we removed, or if there is something I need to do to enable this identity group functionality? > > Thanks, > Mike > > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators ________________________________ CONFIDENTIALITY NOTICE: This message is intended only for the use and review of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message solely to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify sender immediately by telephone or return email. Thank you. From mangelajo at redhat.com Thu Apr 16 05:10:59 2015 From: mangelajo at redhat.com (Miguel Angel Ajo Pelayo) Date: Thu, 16 Apr 2015 07:10:59 +0200 Subject: [Openstack-operators] logging for Keystone on user/project delete/create operations In-Reply-To: References: Message-ID: I?m not involved in the keystone project, but I?d recommend you to start by filling a blueprint asking for it, and explaining what you just said here: https://blueprints.launchpad.net/keystone I?d also try to contact Keystone PTL (I?m not sure who is the PTL). Best regards, Miguel ?ngel > On 16/4/2015, at 3:23, Matt Fischer wrote: > > I'd like to have some better logging when certain CRUD operations happen in Keystone, for example, when a project is deleted. I specifically mean "any" when I say better since right now I'm not seeing anything even when Verbose is enabled. > > This is pretty frustrating for me because these are rather important events, certainly more important than my load balancers hitting Keystone which it's happily logging twice a second. > > I know that Keystone supports some audit event notifications [1]. Can I simply have these reflect back into the main logs somehow? > > > [1] - http://docs.openstack.org/developer/keystone/event_notifications.html _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators Miguel Angel Ajo -------------- next part -------------- An HTML attachment was scrubbed... URL: From comnea.dani at gmail.com Thu Apr 16 07:18:16 2015 From: comnea.dani at gmail.com (Daniel Comnea) Date: Thu, 16 Apr 2015 08:18:16 +0100 Subject: [Openstack-operators] No more identity groups? In-Reply-To: <912B7924-0CC1-4A78-9AD6-D49CAAAD07B1@overstock.com> References: <1A3C52DFCD06494D8528644858247BF01A1D3008@EX10MBOX03.pnnl.gov> <912B7924-0CC1-4A78-9AD6-D49CAAAD07B1@overstock.com> Message-ID: Am i right in thinking v3 is not in Icehouse hence the above trick won't work? On Thu, Apr 16, 2015 at 2:49 AM, Mike Smith wrote: > Thanks. I made the following changes to the local_settings file for > horizon and now the groups show up: > > OPENSTACK_API_VERSIONS = { > "identity": 3 > } > > OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST > > > > On Apr 15, 2015, at 5:47 PM, Fox, Kevin M wrote: > > > > Its part of the keystone v3 api I think. I've only seen it show up when > I configure horizon to specifically talk v3 to keystone. > > > > Thanks, > > Kevin > > ________________________________________ > > From: Mike Smith [mismith at overstock.com] > > Sent: Wednesday, April 15, 2015 4:33 PM > > To: > > Subject: [Openstack-operators] No more identity groups? > > > > Hello all. On my Havana-version openstack cloud, Horizon has the > option of creating groups of users and then adding groups of users to > tenants instead of having to add users individually. On my Juno-version > cloud, this feature seems to no longer exist. I checked the keystone > catalog and both are using v2.0 of the identify API. > > > > Does anybody know if this is something that we removed, or if there is > something I need to do to enable this identity group functionality? > > > > Thanks, > > Mike > > > > OpenStack-operators mailing list > > OpenStack-operators at lists.openstack.org > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > > ________________________________ > > CONFIDENTIALITY NOTICE: This message is intended only for the use and > review of the individual or entity to which it is addressed and may contain > information that is privileged and confidential. If the reader of this > message is not the intended recipient, or the employee or agent responsible > for delivering the message solely to the intended recipient, you are hereby > notified that any dissemination, distribution or copying of this > communication is strictly prohibited. If you have received this > communication in error, please notify sender immediately by telephone or > return email. Thank you. > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Tim.Bell at cern.ch Thu Apr 16 10:10:41 2015 From: Tim.Bell at cern.ch (Tim Bell) Date: Thu, 16 Apr 2015 10:10:41 +0000 Subject: [Openstack-operators] OpenStack HPC/HTC operator session Message-ID: <5D7F9996EA547448BC6C54C8C5AAF4E501029CEA09@CERNXCHG43.cern.ch> There is an opportunity for a get-together of the people running OpenStack for HPC/HTC workloads at Vancouver. Getting the best of out of the cloud while at the same time meeting the needs of the user communities is a challenging job so sharing experiences for an hour would be really useful. We're collecting +1s for attendance on openstack-hpc at lists.openstack.org so please reply there if you'd be interested. Tim -------------- next part -------------- An HTML attachment was scrubbed... URL: From dstanek at dstanek.com Thu Apr 16 11:56:30 2015 From: dstanek at dstanek.com (David Stanek) Date: Thu, 16 Apr 2015 07:56:30 -0400 Subject: [Openstack-operators] logging for Keystone on user/project delete/create operations In-Reply-To: References:

Message-ID: On Thu, Apr 16, 2015 at 1:10 AM, Miguel Angel Ajo Pelayo < mangelajo at redhat.com> wrote: > I?m not involved in the keystone project, but I?d recommend you to start > by filling a blueprint > asking for it, and explaining what you just said here: > > https://blueprints.launchpad.net/keystone > Adding a blueprint for discussion would be a good idea if you think you want a change to the project. > I?d also try to contact Keystone PTL (I?m not sure who is the PTL). > Morgan Fainberg is out PTL. > > Best regards, > Miguel ?ngel > > On 16/4/2015, at 3:23, Matt Fischer wrote: > > I'd like to have some better logging when certain CRUD operations happen > in Keystone, for example, when a project is deleted. I specifically mean > "any" when I say better since right now I'm not seeing anything even when > Verbose is enabled. > > This is pretty frustrating for me because these are rather important > events, certainly more important than my load balancers hitting Keystone > which it's happily logging twice a second. > > I know that Keystone supports some audit event notifications [1]. Can I > simply have these reflect back into the main logs somehow? > > It would be possible (and trivial) to add logging messages at the INFO level, but I'm not sure that is what you really want. I don't know much about the operational side at this point, but I'm hoping that there's a way to consume the notification events and then write them to a log if that's what you wish to do. > > [1] - > http://docs.openstack.org/developer/keystone/event_notifications.html > > -- David blog: http://www.traceback.org twitter: http://twitter.com/dstanek www: http://dstanek.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From morgan.fainberg at gmail.com Thu Apr 16 14:50:43 2015 From: morgan.fainberg at gmail.com (Morgan Fainberg) Date: Thu, 16 Apr 2015 07:50:43 -0700 Subject: [Openstack-operators] logging for Keystone on user/project delete/create operations In-Reply-To: References:

Message-ID: <8E86A734-2D7D-431B-BD17-349BCFE9A833@gmail.com> > On Apr 16, 2015, at 04:56, David Stanek wrote: > > > >> On Thu, Apr 16, 2015 at 1:10 AM, Miguel Angel Ajo Pelayo wrote: >> I?m not involved in the keystone project, but I?d recommend you to start by filling a blueprint >> asking for it, and explaining what you just said here: >> >> https://blueprints.launchpad.net/keystone > > Adding a blueprint for discussion would be a good idea if you think you want a change to the project. > > >> >> I?d also try to contact Keystone PTL (I?m not sure who is the PTL). > > Morgan Fainberg is out PTL. > > >> >> Best regards, >> Miguel ?ngel >> >>> On 16/4/2015, at 3:23, Matt Fischer wrote: >>> >>> I'd like to have some better logging when certain CRUD operations happen in Keystone, for example, when a project is deleted. I specifically mean "any" when I say better since right now I'm not seeing anything even when Verbose is enabled. >>> >>> This is pretty frustrating for me because these are rather important events, certainly more important than my load balancers hitting Keystone which it's happily logging twice a second. >>> >>> I know that Keystone supports some audit event notifications [1]. Can I simply have these reflect back into the main logs somehow? > > It would be possible (and trivial) to add logging messages at the INFO level, but I'm not sure that is what you really want. I don't know much about the operational side at this point, but I'm hoping that there's a way to consume the notification events and then write them to a log if that's what you wish to do. > It wouldn't hurt us to see logging expanded upon. As long as the logging conforms to the cross-project logging spec[1]. [1] https://github.com/openstack/openstack-specs/blob/master/specs/log-guidelines.rst --Morgan Sent via mobile -------------- next part -------------- An HTML attachment was scrubbed... URL: From gord at live.ca Thu Apr 16 14:58:14 2015 From: gord at live.ca (gordon chung) Date: Thu, 16 Apr 2015 10:58:14 -0400 Subject: [Openstack-operators] logging for Keystone on user/project delete/create operations In-Reply-To: <8E86A734-2D7D-431B-BD17-349BCFE9A833@gmail.com> References: , , , <8E86A734-2D7D-431B-BD17-349BCFE9A833@gmail.com> Message-ID: _______________________________ > From: morgan.fainberg at gmail.com? > Date: Thu, 16 Apr 2015 07:50:43 -0700? > To: dstanek at dstanek.com? > CC: openstack-operators at lists.openstack.org? > Subject: Re: [Openstack-operators] logging for Keystone on user/project? > delete/create operations? >? >? >? > On Apr 16, 2015, at 04:56, David Stanek? > > wrote:? >? >? >? > On Thu, Apr 16, 2015 at 1:10 AM, Miguel Angel Ajo Pelayo? > > wrote:? > I?m not involved in the keystone project, but I?d recommend you to? > start by filling a blueprint? > asking for it, and explaining what you just said here:? >? > https://blueprints.launchpad.net/keystone? >? > Adding a blueprint for discussion would be a good idea if you think you? > want a change to the project.? >? >? >? > I?d also try to contact Keystone PTL (I?m not sure who is the PTL).? >? > Morgan Fainberg is out PTL.? >? >? >? > Best regards,? > Miguel ?ngel? >? > On 16/4/2015, at 3:23, Matt Fischer? > > wrote:? >? > I'd like to have some better logging when certain CRUD operations? > happen in Keystone, for example, when a project is deleted. I? > specifically mean "any" when I say better since right now I'm not? > seeing anything even when Verbose is enabled.? >? > This is pretty frustrating for me because these are rather important? > events, certainly more important than my load balancers hitting? > Keystone which it's happily logging twice a second.? >? > I know that Keystone supports some audit event notifications [1]. Can I? > simply have these reflect back into the main logs somehow?? >? > It would be possible (and trivial) to add logging messages at the INFO? > level, but I'm not sure that is what you really want. I don't know much? > about the operational side at this point, but I'm hoping that there's a? > way to consume the notification events and then write them to a log if? > that's what you wish to do.? Ceilometer listens to these notifications currently and it's possible to write them to a file rather than a database. a lot of this functionality was worked on in Kilo but there may be a way to support this in Juno and Icehouse (disclaimer: may require some patching and even more patching, respectively) cheers, gord From jlk at bluebox.net Thu Apr 16 16:50:31 2015 From: jlk at bluebox.net (Jesse Keating) Date: Thu, 16 Apr 2015 09:50:31 -0700 Subject: [Openstack-operators] logging for Keystone on user/project delete/create operations In-Reply-To: References:

<8E86A734-2D7D-431B-BD17-349BCFE9A833@gmail.com> Message-ID: Standing up Ceilometer (and patching things) just to be able to log this stuff to a file seems rather... heavy handed? We understand that these things are emitted via notifications, but as of right now trying to do anything with those notifications such as simply logging them requires too much additional infrastructure. - jlk On Thu, Apr 16, 2015 at 7:58 AM, gordon chung wrote: > > > _______________________________ > > From: morgan.fainberg at gmail.com > > Date: Thu, 16 Apr 2015 07:50:43 -0700 > > To: dstanek at dstanek.com > > CC: openstack-operators at lists.openstack.org > > Subject: Re: [Openstack-operators] logging for Keystone on user/project > > delete/create operations > > > > > > > > On Apr 16, 2015, at 04:56, David Stanek > > > wrote: > > > > > > > > On Thu, Apr 16, 2015 at 1:10 AM, Miguel Angel Ajo Pelayo > > > wrote: > > I?m not involved in the keystone project, but I?d recommend you to > > start by filling a blueprint > > asking for it, and explaining what you just said here: > > > > https://blueprints.launchpad.net/keystone > > > > Adding a blueprint for discussion would be a good idea if you think you > > want a change to the project. > > > > > > > > I?d also try to contact Keystone PTL (I?m not sure who is the PTL). > > > > Morgan Fainberg is out PTL. > > > > > > > > Best regards, > > Miguel ?ngel > > > > On 16/4/2015, at 3:23, Matt Fischer > > > wrote: > > > > I'd like to have some better logging when certain CRUD operations > > happen in Keystone, for example, when a project is deleted. I > > specifically mean "any" when I say better since right now I'm not > > seeing anything even when Verbose is enabled. > > > > This is pretty frustrating for me because these are rather important > > events, certainly more important than my load balancers hitting > > Keystone which it's happily logging twice a second. > > > > I know that Keystone supports some audit event notifications [1]. Can I > > simply have these reflect back into the main logs somehow? > > > > It would be possible (and trivial) to add logging messages at the INFO > > level, but I'm not sure that is what you really want. I don't know much > > about the operational side at this point, but I'm hoping that there's a > > way to consume the notification events and then write them to a log if > > that's what you wish to do. > > Ceilometer listens to these notifications currently and it's possible to > write them to a file rather than a database. a lot of this functionality > was worked on in Kilo but there may be a way to support this in Juno and > Icehouse (disclaimer: may require some patching and even more patching, > respectively) > > cheers, > gord > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at mattfischer.com Thu Apr 16 17:06:48 2015 From: matt at mattfischer.com (Matt Fischer) Date: Thu, 16 Apr 2015 11:06:48 -0600 Subject: [Openstack-operators] logging for Keystone on user/project delete/create operations In-Reply-To: References:

<8E86A734-2D7D-431B-BD17-349BCFE9A833@gmail.com> Message-ID: So I've not had time to fully test this, but Steve Martinelli let me know that you can simply set the notification_driver to "log" and keystone will log them. The format is a bit more obtuse than I'd like to see and it uses ids rather than names which means I'd need to do some correlation later. Here's what I get out of Juno on a user-create: 2015-04-16 15:07:10.137 23939 INFO oslo.messaging.notification.identity.user.created [-] {"priority": "INFO", "event_type": "identity.user.created", "timestamp": "2015-04-16 15:07:10.137145", "publisher_id": "identity.dev01-keystone-001", "payload": {"resource_info": "c79e7f9f64d04ae78b3e069e5cafb9fd"}, "message_id": "3b1bce1f-8049-4b4f-986f-2ada3d918ee7"} In the message above the c79e is the ID of the user I just created. Another downside so far seems to be that its logging too much, including every time someone authenticates and that it's at INFO level which I hate because it logs my LB connection. I think the former may be configurable, the latter is not unless I hack Keystone. Also in K you can set the format for these either to basic or cadf. I've pushed a puppet change to allow this to be set via puppet. This gets me way ahead of where I wanted to be without using either rabbitmq or ceilometer (which we've gutted from our environment anyway). On Thu, Apr 16, 2015 at 10:50 AM, Jesse Keating wrote: > Standing up Ceilometer (and patching things) just to be able to log this > stuff to a file seems rather... heavy handed? We understand that these > things are emitted via notifications, but as of right now trying to do > anything with those notifications such as simply logging them requires too > much additional infrastructure. > > > - jlk > > On Thu, Apr 16, 2015 at 7:58 AM, gordon chung wrote: > >> >> >> _______________________________ >> > From: morgan.fainberg at gmail.com >> > Date: Thu, 16 Apr 2015 07:50:43 -0700 >> > To: dstanek at dstanek.com >> > CC: openstack-operators at lists.openstack.org >> > Subject: Re: [Openstack-operators] logging for Keystone on user/project >> > delete/create operations >> > >> > >> > >> > On Apr 16, 2015, at 04:56, David Stanek >> > > wrote: >> > >> > >> > >> > On Thu, Apr 16, 2015 at 1:10 AM, Miguel Angel Ajo Pelayo >> > > wrote: >> > I?m not involved in the keystone project, but I?d recommend you to >> > start by filling a blueprint >> > asking for it, and explaining what you just said here: >> > >> > https://blueprints.launchpad.net/keystone >> > >> > Adding a blueprint for discussion would be a good idea if you think you >> > want a change to the project. >> > >> > >> > >> > I?d also try to contact Keystone PTL (I?m not sure who is the PTL). >> > >> > Morgan Fainberg is out PTL. >> > >> > >> > >> > Best regards, >> > Miguel ?ngel >> > >> > On 16/4/2015, at 3:23, Matt Fischer >> > > wrote: >> > >> > I'd like to have some better logging when certain CRUD operations >> > happen in Keystone, for example, when a project is deleted. I >> > specifically mean "any" when I say better since right now I'm not >> > seeing anything even when Verbose is enabled. >> > >> > This is pretty frustrating for me because these are rather important >> > events, certainly more important than my load balancers hitting >> > Keystone which it's happily logging twice a second. >> > >> > I know that Keystone supports some audit event notifications [1]. Can I >> > simply have these reflect back into the main logs somehow? >> > >> > It would be possible (and trivial) to add logging messages at the INFO >> > level, but I'm not sure that is what you really want. I don't know much >> > about the operational side at this point, but I'm hoping that there's a >> > way to consume the notification events and then write them to a log if >> > that's what you wish to do. >> >> Ceilometer listens to these notifications currently and it's possible to >> write them to a file rather than a database. a lot of this functionality >> was worked on in Kilo but there may be a way to support this in Juno and >> Icehouse (disclaimer: may require some patching and even more patching, >> respectively) >> >> cheers, >> gord >> _______________________________________________ >> OpenStack-operators mailing list >> OpenStack-operators at lists.openstack.org >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators >> > > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gord at live.ca Thu Apr 16 18:25:10 2015 From: gord at live.ca (gordon chung) Date: Thu, 16 Apr 2015 14:25:10 -0400 Subject: [Openstack-operators] logging for Keystone on user/project delete/create operations In-Reply-To: References: , , , <8E86A734-2D7D-431B-BD17-349BCFE9A833@gmail.com>, , Message-ID: > Standing up Ceilometer (and patching things) just to be able to log? > this stuff to a file seems rather... heavy handed? We understand that? > these things are emitted via notifications, but as of right now trying? > to do anything with those notifications such as simply logging them? > requires too much additional infrastructure.? agreed. it's really dependent on what your use case is... just pointing out an option to the statement: "hoping that there's a?way to consume the notification events and then write them to a log". if you're just looking to track operations of a single keystone service, then you probably don't want notifications. if you're looking to collate them against various other things then you'll need some service/tool to either listen to notifications or grab/process logs from multiple places. cheers, gord > _______________________________ >> From: morgan.fainberg at gmail.com >> Date: Thu, 16 Apr 2015 07:50:43 -0700 >> To: dstanek at dstanek.com