[Openstack-operators] How to configure security-port feature in Kilo ?
于洁
16189455 at qq.com
Thu Jul 16 03:14:10 UTC 2015
Hi Clayton,
Thank you for your reply.
Recently our team used a VM as LVS, the rule in iptables will DROP the invalid message which makes the LVS could not work successfully.
So we want to use security-port to complete it. The API requirement is not clear.
And BTW, dose icehouse support security-port?
Thanks.
------------------ Original ------------------
From: "openstack-operators-request";<openstack-operators-request at lists.openstack.org>;
Date: Wed, Jul 15, 2015 05:41 PM
To: "openstack-operators"<openstack-operators at lists.openstack.org>;
Subject: OpenStack-operators Digest, Vol 57, Issue 19
Send OpenStack-operators mailing list submissions to
openstack-operators at lists.openstack.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
or, via email, send a message with subject or body 'help' to
openstack-operators-request at lists.openstack.org
You can reach the person managing the list at
openstack-operators-owner at lists.openstack.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of OpenStack-operators digest..."
Today's Topics:
1. Re: How to configure security-port feature in Kilo ?
(Clayton O'Neill)
2. Ceilometer client uses the wrong URL when contacting service
(Alvise Dorigo)
3. Re: OSAD for RHEL (Adam Young)
4. Meeting Thursday July 16th at 17:00UTC (Christopher Aedo)
5. [app-catalog] IRC Meeting Thursday July 16th at 17:00UTC
(Christopher Aedo)
6. Re: OSAD for RHEL (Kevin Carter)
7. [Neutron] New etherpad for collecting Neutron instrumentation
requirements (Ryan Moats)
8. Re: [openstack-dev] [Openstack] Rescinding the M name
decision (Lauren Sell)
9. Re: OSAD for RHEL (Kevin Carter)
10. Re: FAiled to create instance wiht openstack nova network
(pra devOPS)
11. Re: Scaling the Ops Meetup (Tom Fifield)
12. Neutron LBaaS HA in KIlo? (Pedro Sousa)
----------------------------------------------------------------------
Message: 1
Date: Tue, 14 Jul 2015 08:28:59 -0500
From: "Clayton O'Neill" <clayton at oneill.net>
To: openstack-operators <openstack-operators at lists.openstack.org>
Subject: Re: [Openstack-operators] How to configure security-port
feature in Kilo ?
Message-ID:
<CADg-rOX0yYprWM1DSfnP4yt8Vg48OBxV2zagrNBck1tL1M7Frw at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Note that if you enable port-security when you upgrade to kilo you can
avoid these issues. If you enable port-security after upgrading, it's a
few pretty simple SQL commands to work around the bug below? described
below. You can find them in the associated kilo upgrade db migration here:
https://github.com/openstack/neutron/blob/master/neutron/db/migration/alembic_migrations/versions/35a0f3365720_add_port_security_in_ml2.py
That said, I'd be glad to hear more about how to actually *use* the port
security extension. It seems as if it can be used to turn off port
security on a per port or per network basis. Is there any UI for this, or
do you have to use the API?
On Tue, Jul 14, 2015 at 5:52 AM, James Denton <james.denton at rackspace.com>
wrote:
> In the /etc/neutron/plugins/ml2/ml2_conf.ini file, add the following
> under [ml2] and restart the neutron-server service:
>
>
> extension_drivers = port_security
>
>
> You may experience the following bugs upon enabling port security:
>
>
> https://bugs.launchpad.net/neutron/+bug/1461519
>
> https://bugs.launchpad.net/neutron/+bug/1454148?
>
>
> If you can, remove all existing Neutron networks prior to enabling port
> security. Otherwise, you may be looking at some DB changes to get things
> working again.
>
>
> James
> ------------------------------
> *From:* 16189455 at qq.com <16189455 at qq.com>
> *Sent:* Tuesday, July 14, 2015 12:17 AM
> *To:* openstack-operators
> *Subject:* [Openstack-operators] How to configure security-port feature
> in Kilo ?
>
> Hi all,
> Recently I want to have a try of the feature security-port, but these
> is very few introduction. Could you give some help?
> Thank you.
>
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150714/b1448315/attachment-0001.html>
------------------------------
Message: 2
Date: Tue, 14 Jul 2015 16:38:02 +0200
From: Alvise Dorigo <alvise.dorigo at pd.infn.it>
To: "openstack-operators at lists.openstack.org"
<openstack-operators at lists.openstack.org>
Subject: [Openstack-operators] Ceilometer client uses the wrong URL
when contacting service
Message-ID: <55A51ECA.3090204 at pd.infn.it>
Content-Type: text/plain; charset=utf-8; format=flowed
Hi,
I've setup an OpenStack IceHouse deployment with SSL.
The Ceilometer service is registered in Keystone with the https endpoints:
[root at controller-01 ~]# keystone endpoint-list|grep 8777
| 8c12e36a75454c5da92ac146630a7022 | regionOne |
https://cloud-areapd-test.pd.infn.it:8777 |
https://cloud-areapd-test.pd.infn.it:8777 |
https://cloud-areapd-test.pd.infn.it:8777 |
8f765dc84a884786b0e95076a20f1c4c |
When I select on the dashboard the menu "Resource usage", it hungs, and
in the horizon.log file I see this error:
2015-07-14 14:27:03,899 9751 DEBUG ceilometerclient.common.http curl -i
-X GET -H 'X-Auth-Token: 46778be5fbe2c753766b501314e6effa' -H
'Content-Type: application/json' -H 'Accept: application/json' -H
'User-Agent: python-ceilometerclient' http://90.147.77.250:8777/v2/meters
Why ( and from where) the ceilometerclient is getting the wrong non-SSL
endpoint http://90.147.77.250:8777/v2/meters ?
I thought it would take that URL from the Keystone's endpoint catalog
(which contains the correct https URLs); but it seems that it is not true.
Could someone explain and help me to set it up correctly ?
thanks,
Alvise
------------------------------
Message: 3
Date: Tue, 14 Jul 2015 11:59:20 -0400
From: Adam Young <ayoung at redhat.com>
To: Kevin Carter <kevin.carter at rackspace.com>, "Kris G. Lindgren"
<klindgren at godaddy.com>, John Dewey <john at dewey.ws>
Cc: "openstack-operators at lists.openstack.org"
<openstack-operators at lists.openstack.org>
Subject: Re: [Openstack-operators] OSAD for RHEL
Message-ID: <55A531D8.2040507 at redhat.com>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"
On 07/10/2015 02:25 PM, Kevin Carter wrote:
>
> To be clear the present OSAD project really has no intention to bring
> package based installations of OpenStack. We'd certainly not reject
> the idea and wouldn't mind having an implementation spec for it
> but all of our current tooling and design principles have been based
> on the fact that we've move away from distro packages and on to
> upstream source as it pertains to OpenStack. The system as it stands
> today creates an internal repository of built wheels for your
> environment and all of the OpenStack services are installed within LXC
> containers, where possible and it makes sense. The installation of
> these bits comes from the internal wheel repository and uses pip and
> all of the pre / post config happens within the Ansible playbooks.
>
I understand your frustration with the packaging approach. For a first
approximation, getting the code for OpenStack/Python operations out of
Pip makes sense. Ideally, we would be able to support both approaches.
Red Hat would not support a pip based install, but I am sure some Centos
base users would be happy with pip.
We had the same general discussion around devstack.
>
> One issue that will become a problem, for users of RedHat
> specifically, is the fact that RedHat has no LXC container templates
> (at least none that are publicly available) and even if someone were
> to make an official RedHat container template there'd be issues with
> the containers being able to connect to the satellite servers as well
> as other potential license problems.
>
I'd leave the issues with getting blessed RHEL LXC support to Red Hat.
Making something that works for CentOS with publically available LXC
containers there would be more what I expect from OSAD upstream.
What about Fedora support? It seems to me that we would be far more
likely to have something supportable with Fedora that could then be
backported to CentOS?
>
> I've done some experimenting with a RedHat 7.1 hosts and CentOS 7
> containers and things seem to work OK but I'd not say that I have
> really put a lot of effort into it. That said, if its something that
> you'd all like to work on I'd be happy to help out to make it all go.
>
Sounds good. I'll give it a try after the Keystone Midcycle.
>
> --
>
> Kevin Carter
> ------------------------------------------------------------------------
> *From:* Adam Young <ayoung at redhat.com>
> *Sent:* Thursday, July 9, 2015 11:32 AM
> *To:* Kris G. Lindgren; John Dewey
> *Cc:* openstack-operators at lists.openstack.org
> *Subject:* Re: [Openstack-operators] OSAD for RHEL
> On 07/09/2015 02:16 AM, Kris G. Lindgren wrote:
>> Does OSP support running each service in an LXC container as well?
>> What about nova-cells? How does it handle people who need to carry
>> local changes? What is the upgrade path like with OSP?
>
> So, ignoring the Hypervisor for the moment, there is no reason that
> the rest of the controllers can't run in separate Containers. I think
> a container based deployment would be fantastic.
>
> venv is not really sufficient, as the system level binaries can still
> conflict (MysQL and LDAP both require system libraries for Keystone,
> for example)
>
> From an Ansible perspective; we need to be able to share the HTTPD
> instance for Keystone and Apache, and getting that right will solve
> most of the issues deploying in a secure manner. Putting Them on
> separate hosts or containers should be a degenerate case, and thus be
> supported, too.
>
>
>
>
>
>
>>
>> Asking, because in Philly the general consensus, I fel,t was people
>> want to move away from the current system level package stuff and
>> move towards: venv's, "lightweight packages", containers. The only
>> reason that was brought up to keep packages around was to solve the
>> non-python lib stuff and using a depsolver (yum/apt) that doesn't
>> suck (pip). So I am pretty sure my wants are inline with what other
>> people in the community are either already doing or moving towards.
>> ___________________________________________
>> Kris Lindgren
>> Senior Linux Systems Engineer
>> GoDaddy, LLC.
>>
>>
>> From: John Dewey <john at dewey.ws <mailto:john at dewey.ws>>
>> Date: Wednesday, July 8, 2015 at 11:43 PM
>> To: "Kris G. Lindgren" <klindgren at godaddy.com
>> <mailto:klindgren at godaddy.com>>
>> Cc: Adam Young <ayoung at redhat.com <mailto:ayoung at redhat.com>>,
>> "openstack-operators at lists.openstack.org
>> <mailto:openstack-operators at lists.openstack.org>"
>> <openstack-operators at lists.openstack.org
>> <mailto:openstack-operators at lists.openstack.org>>
>> Subject: Re: [Openstack-operators] OSAD for RHEL
>>
>> This would not be acceptable for those running OSP.
>>
>> On Wednesday, July 8, 2015 at 10:12 PM, Kris G. Lindgren wrote:
>>
>>> I should be more clear. My current thought is to have a venv packaged
>>> inside an rpm - so the rpm includes the needed init scripts, ensures the
>>> required system level binaries are installed, adds the users - ect ect.
>>> But would be a single deployable autonomous unit. Also, have a
>>> versioning
>>> schema to roll forward and back between venvs for quick update/rollback.
>>> We are already working on doing something similar to this to run kilo on
>>> cent6 boxen, until we can finish revving the remaining parts of the
>>> fleet
>>> to cent7.
>>>
>>> My desire is to move away from using system level python & openstack
>>> packages, so that I can possibly run mismatched versions if I need
>>> to. We
>>> had a need to run kilo ceilometer and juno neutron/nova on a single
>>> server. The conflicting python requirements between those made that task
>>> impossible. In general I want to get away from treating Openstack as a
>>> single system that everything needs to be upgraded in lock step
>>> (packages
>>> force you into this). I want to move to being able to upgrade say
>>> oslo.messaging to a newer version on just say nova on my control plane
>>> servers. Or upgrade nova to kilo while keeping the rest of the system
>>> (neutron) on juno. Unless I run each service in a vm/container or on a
>>> physical piece of hardware that is pretty much impossible to do with
>>> packages - outside of placing everything inside venv's.
>>>
>>> However, it is my understanding that OSAD already builds its own
>>> python-wheels and runs those inside lxc containers. So I don?t really
>>> follow what good throwing those into an rpm would really do?
>>> ____________________________________________
>>> Kris Lindgren
>>> Senior Linux Systems Engineer
>>> GoDaddy, LLC.
>>>
>>>
>>> On 7/8/15, 10:33 PM, "Adam Young" <ayoung at redhat.com
>>> <mailto:ayoung at redhat.com>> wrote:
>>>
>>>> On 07/07/2015 05:55 PM, Kris G. Lindgren wrote:
>>>>> +1 on RHEL support. I have some interest in moving away from packages
>>>>> and
>>>>> am interested in the OSAD tooling as well.
>>>>
>>>> I would not recommend an approach targetting RHEL that does not use
>>>> packages.
>>>>
>>>> OSAD support for RHEL using packages would be an outstanding tool.
>>>>
>>>> Which way are you planning on taking it?
>>>>
>>>>> ____________________________________________
>>>>> Kris Lindgren
>>>>> Senior Linux Systems Engineer
>>>>> GoDaddy, LLC.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 7/7/15, 3:38 PM, "Abel Lopez" <alopgeek at gmail.com
>>>>> <mailto:alopgeek at gmail.com>> wrote:
>>>>>
>>>>>> Hey everyone,
>>>>>> I've started looking at osad, and I like much of the direction it
>>>>>> takes.
>>>>>> I'm pretty interested in developing it to run on RHEL, I just
>>>>>> wanted to
>>>>>> check if anyone would be -2 opposed to that before I spend cycles on
>>>>>> it.
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-operators mailing list
>>>>> OpenStack-operators at lists.openstack.org
>>>>> <mailto:OpenStack-operators at lists.openstack.org>
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>>
>>>>
>>>> _______________________________________________
>>>> OpenStack-operators mailing list
>>>> OpenStack-operators at lists.openstack.org
>>>> <mailto:OpenStack-operators at lists.openstack.org>
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>
>>>
>>> _______________________________________________
>>> OpenStack-operators mailing list
>>> OpenStack-operators at lists.openstack.org
>>> <mailto:OpenStack-operators at lists.openstack.org>
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150714/1d20fa1f/attachment-0001.html>
------------------------------
Message: 4
Date: Tue, 14 Jul 2015 10:02:36 -0700
From: Christopher Aedo <doc at aedo.net>
To: "OpenStack Development Mailing List (not for usage questions)"
<openstack-dev at lists.openstack.org>,
openstack-operators at lists.openstack.org
Subject: [Openstack-operators] Meeting Thursday July 16th at 17:00UTC
Message-ID:
<CA+odVQG4TCuh0i29n6gotiRFeQquDG1kWk9ezVf73ROj4jE9+Q at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Hello! Our next OpenStack App Catalog meeting will take place this
Thursday July 16th at 17:00 UTC in #openstack-meeting-3
The agenda can be found here:
https://wiki.openstack.org/wiki/Meetings/app-catalog
Please add agenda items if there's anything specific you would like to
discuss. For this weeks meeting my primary intention is to discuss
the roadmap, everything we'd like to accomplish before the next
summit, and determine who all will be helping get it done.
Please join us if you can!
------------------------------
Message: 5
Date: Tue, 14 Jul 2015 10:14:40 -0700
From: Christopher Aedo <doc at aedo.net>
To: "OpenStack Development Mailing List (not for usage questions)"
<openstack-dev at lists.openstack.org>,
openstack-operators at lists.openstack.org
Subject: [Openstack-operators] [app-catalog] IRC Meeting Thursday July
16th at 17:00UTC
Message-ID:
<CA+odVQG0afWBs6=0L1QQqnsnSDzpmk2c3z9g_VdiQPdr_1J1kQ at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
(Apologies for the re-send, missed the appropriate tag on the subject line!)
Hello! Our next OpenStack App Catalog meeting will take place this
Thursday July 16th at 17:00 UTC in #openstack-meeting-3
The agenda can be found here:
https://wiki.openstack.org/wiki/Meetings/app-catalog
Please add agenda items if there's anything specific you would like to
discuss. For this weeks meeting my primary intention is to discuss
the roadmap, everything we'd like to accomplish before the next
summit, and determine who all will be helping get it done.
Please join us if you can!
------------------------------
Message: 6
Date: Tue, 14 Jul 2015 18:41:21 +0000
From: Kevin Carter <kevin.carter at RACKSPACE.COM>
To: Adam Young <ayoung at redhat.com>, "Kris G. Lindgren"
<klindgren at godaddy.com>, John Dewey <john at dewey.ws>
Cc: "openstack-operators at lists.openstack.org"
<openstack-operators at lists.openstack.org>
Subject: Re: [Openstack-operators] OSAD for RHEL
Message-ID: <1436899281115.85866 at RACKSPACE.COM>
Content-Type: text/plain; charset="utf-8"
?
--
Kevin Carter
Racker, Developer, Hacker @ The Rackspace Private Cloud.
________________________________
From: Adam Young <ayoung at redhat.com>
Sent: Tuesday, July 14, 2015 10:59 AM
To: Kevin Carter; Kris G. Lindgren; John Dewey
Cc: openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] OSAD for RHEL
On 07/10/2015 02:25 PM, Kevin Carter wrote:
To be clear the present OSAD project really has no intention to bring package based installations of OpenStack. We'd certainly not reject the idea and wouldn't mind having an implementation spec for it but all of our current tooling and design principles have been based on the fact that we've move away from distro packages and on to upstream source as it pertains to OpenStack. The system as it stands today creates an internal repository of built wheels for your environment and all of the OpenStack services are installed within LXC containers, where possible and it makes sense. The installation of these bits comes from the internal wheel repository and uses pip and all of the pre / post config happens within the Ansible playbooks.
I understand your frustration with the packaging approach. For a first approximation, getting the code for OpenStack/Python operations out of Pip makes sense. Ideally, we would be able to support both approaches. Red Hat would not support a pip based install, but I am sure some Centos base users would be happy with pip.
We had the same general discussion around devstack.
One issue that will become a problem, for users of RedHat specifically, is the fact that RedHat has no LXC container templates (at least none that are publicly available) and even if someone were to make an official RedHat container template there'd be issues with the containers being able to connect to the satellite servers as well as other potential license problems.
I'd leave the issues with getting blessed RHEL LXC support to Red Hat. Making something that works for CentOS with publically available LXC containers there would be more what I expect from OSAD upstream.
What about Fedora support? It seems to me that we would be far more likely to have something supportable with Fedora that could then be backported to CentOS?
I've done some experimenting with a RedHat 7.1 hosts and CentOS 7 containers and things seem to work OK but I'd not say that I have really put a lot of effort into it. That said, if its something that you'd all like to work on I'd be happy to help out to make it all go.
Sounds good. I'll give it a try after the Keystone Midcycle.
--
Kevin Carter
________________________________
From: Adam Young <ayoung at redhat.com><mailto:ayoung at redhat.com>
Sent: Thursday, July 9, 2015 11:32 AM
To: Kris G. Lindgren; John Dewey
Cc: openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>
Subject: Re: [Openstack-operators] OSAD for RHEL
On 07/09/2015 02:16 AM, Kris G. Lindgren wrote:
Does OSP support running each service in an LXC container as well? What about nova-cells? How does it handle people who need to carry local changes? What is the upgrade path like with OSP?
So, ignoring the Hypervisor for the moment, there is no reason that the rest of the controllers can't run in separate Containers. I think a container based deployment would be fantastic.
venv is not really sufficient, as the system level binaries can still conflict (MysQL and LDAP both require system libraries for Keystone, for example)
From an Ansible perspective; we need to be able to share the HTTPD instance for Keystone and Apache, and getting that right will solve most of the issues deploying in a secure manner. Putting Them on separate hosts or containers should be a degenerate case, and thus be supported, too.
Asking, because in Philly the general consensus, I fel,t was people want to move away from the current system level package stuff and move towards: venv's, "lightweight packages", containers. The only reason that was brought up to keep packages around was to solve the non-python lib stuff and using a depsolver (yum/apt) that doesn't suck (pip). So I am pretty sure my wants are inline with what other people in the community are either already doing or moving towards.
___________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.
From: John Dewey <john at dewey.ws<mailto:john at dewey.ws>>
Date: Wednesday, July 8, 2015 at 11:43 PM
To: "Kris G. Lindgren" <klindgren at godaddy.com<mailto:klindgren at godaddy.com>>
Cc: Adam Young <ayoung at redhat.com<mailto:ayoung at redhat.com>>, "openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>" <openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>>
Subject: Re: [Openstack-operators] OSAD for RHEL
This would not be acceptable for those running OSP.
On Wednesday, July 8, 2015 at 10:12 PM, Kris G. Lindgren wrote:
I should be more clear. My current thought is to have a venv packaged
inside an rpm - so the rpm includes the needed init scripts, ensures the
required system level binaries are installed, adds the users - ect ect.
But would be a single deployable autonomous unit. Also, have a versioning
schema to roll forward and back between venvs for quick update/rollback.
We are already working on doing something similar to this to run kilo on
cent6 boxen, until we can finish revving the remaining parts of the fleet
to cent7.
My desire is to move away from using system level python & openstack
packages, so that I can possibly run mismatched versions if I need to. We
had a need to run kilo ceilometer and juno neutron/nova on a single
server. The conflicting python requirements between those made that task
impossible. In general I want to get away from treating Openstack as a
single system that everything needs to be upgraded in lock step (packages
force you into this). I want to move to being able to upgrade say
oslo.messaging to a newer version on just say nova on my control plane
servers. Or upgrade nova to kilo while keeping the rest of the system
(neutron) on juno. Unless I run each service in a vm/container or on a
physical piece of hardware that is pretty much impossible to do with
packages - outside of placing everything inside venv's.
However, it is my understanding that OSAD already builds its own
python-wheels and runs those inside lxc containers. So I don?t really
follow what good throwing those into an rpm would really do?
____________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.
On 7/8/15, 10:33 PM, "Adam Young" <ayoung at redhat.com<mailto:ayoung at redhat.com>> wrote:
On 07/07/2015 05:55 PM, Kris G. Lindgren wrote:
+1 on RHEL support. I have some interest in moving away from packages
and
am interested in the OSAD tooling as well.
I would not recommend an approach targetting RHEL that does not use
packages.
OSAD support for RHEL using packages would be an outstanding tool.
Which way are you planning on taking it?
____________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.
On 7/7/15, 3:38 PM, "Abel Lopez" <alopgeek at gmail.com<mailto:alopgeek at gmail.com>> wrote:
Hey everyone,
I've started looking at osad, and I like much of the direction it
takes.
I'm pretty interested in developing it to run on RHEL, I just wanted to
check if anyone would be -2 opposed to that before I spend cycles on
it.
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org<mailto:OpenStack-operators at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org<mailto:OpenStack-operators at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org<mailto:OpenStack-operators at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150714/d00229cb/attachment-0001.html>
------------------------------
Message: 7
Date: Tue, 14 Jul 2015 13:46:51 -0500
From: "Ryan Moats" <rmoats at us.ibm.com>
To: openstack-operators at lists.openstack.org
Subject: [Openstack-operators] [Neutron] New etherpad for collecting
Neutron instrumentation requirements
Message-ID: <201507141847.t6EIlrxh029018 at d01av01.pok.ibm.com>
Content-Type: text/plain; charset="us-ascii"
All-
There is an effort getting underway to generate an RFE (request for
enhancement), BPs and code changes to add instrumentation to neutron. An
etherpad has been set up at
https://etherpad.openstack.org/p/neutron-instrumentation to collect the
type of information that would be useful to OpenStack operators.
Please visit the page and add items that your organization feels would be
useful to have instrumented in Neutron or +1 items that are already there.
Feel free to fill in information on parts II (What to do with this
instrumentation once we have it) and part III (How should Ceilometer talk
to legacy systems) as well...
Thanks in advance,
Ryan Moats
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150714/edcaf523/attachment-0001.html>
------------------------------
Message: 8
Date: Tue, 14 Jul 2015 13:53:19 -0500
From: Lauren Sell <lauren at openstack.org>
To: "OpenStack Development Mailing List (not for usage questions)"
<openstack-dev at lists.openstack.org>
Cc: "openstack-operators at lists.openstack.org"
<openstack-operators at lists.openstack.org>,
"openstack at lists.openstack.org" <openstack at lists.openstack.org>,
"Jonathan Bryce \(jonathan at openstack.org\)" <jonathan at openstack.org>
Subject: Re: [Openstack-operators] [openstack-dev] [Openstack]
Rescinding the M name decision
Message-ID: <93B396BC-E9FC-443C-8E9D-D13B26B50BAC at openstack.org>
Content-Type: text/plain; charset=utf-8
Good news. After finalizing the trademark checks and giving the community time to weigh in, Mitaka will be the name of the M release.
Thanks again for the great discussion around this topic, and for the willingness to be responsive to the concerns of fellow community members.
> On Jul 9, 2015, at 2:18 PM, Tim Bell <Tim.Bell at cern.ch> wrote:
>
> Feel free to give input on the Mitaka proposal.
>
> Tim
>
>> -----Original Message-----
>> From: Jonathan Bryce [mailto:jbryce at jbryce.com]
>> Sent: 09 July 2015 20:52
>> To: OpenStack Development Mailing List (not for usage questions)
>> Subject: Re: [openstack-dev] [Openstack] Rescinding the M name decision
>>
>>> On Jul 9, 2015, at 9:35 AM, Russell Bryant <rbryant at redhat.com> wrote:
>>>
>>> On 07/09/2015 09:19 AM, Neil Jerram wrote:
>>>> In the hope of forestalling an unnecessary sub-thread...
>>>>
>>>> Mita was #1 in the vote, so has presumably already been ruled out by
>>>> OpenStack's legal review.
>>>
>>> That is correct.
>>
>>
>> Hi everyone,
>>
>> I?ve really loved seeing everyone?s understanding and engagement on this
>> thread as we worked through the release cycle naming for ?M?. This was the
>> first attempt to follow a new process, so not surprisingly, we found some
>> improvements in the algorithm for the future. Still it?s awesome to see how
>> constructive and positive the whole conversation has been.
>>
>> I wanted to provide a quick update on the status of the Foundation?s
>> reviews of the names. First, as Russell mentioned above, after the voting
>> was completed, we asked our trademark counsel to do checks on the top 3
>> names. The first two both had significant trademark issues with existing
>> trademark holders in the same space that would have prevented us from
>> using the names in most jurisdictions where we have our largest
>> communities (US, Europe and Asia). The 3rd choice was relatively low risk
>> and so we passed word back to Monty who announced it. Once we realized
>> there were other issues with Meiji, we asked for an expedited check of the
>> next 3 names: Mitaka, Musashi, and Meguro. The preliminary check shows
>> that Mitaka and Meguro both present an acceptable level of risk, while
>> Musashi is higher on the risk scale and would probably create problems for
>> usage.
>>
>> At this time, we?re going to do a deeper check on Mitaka, which was the #4
>> candidate in voting and would be next in line after Meiji. I know Itoh-san
>> mentioned the Mitaka locale has the potential to be associated with certain
>> corporations in Japan, but my personal feeling is that may not be significant
>> enough to override it?s position in the voting and it?s availability for use.
>>
>> I?d encourage anyone with other concerns about Mitaka to post those
>> within the next 24 hours so we can appropriately consider and discuss
>> them. We should have results on the deeper trademark check by next week
>> as well and can hopefully settle on a final name.
>>
>> Thanks again for all the discussion and participation and especially to
>> Monty who?s been on the front lines of helping us navigate this. Feel free to
>> let me know if you have any other questions,
>>
>> Jonathan
>> 210-317-2438
>>
>>
>> __________________________________________________________
>> ________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-
>> request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
------------------------------
Message: 9
Date: Tue, 14 Jul 2015 19:01:41 +0000
From: Kevin Carter <kevin.carter at RACKSPACE.COM>
To: Adam Young <ayoung at redhat.com>, "Kris G. Lindgren"
<klindgren at godaddy.com>, John Dewey <john at dewey.ws>
Cc: "openstack-operators at lists.openstack.org"
<openstack-operators at lists.openstack.org>
Subject: Re: [Openstack-operators] OSAD for RHEL
Message-ID: <1436900500710.26115 at RACKSPACE.COM>
Content-Type: text/plain; charset="utf-8"
?Sorry for the blank reply, hot keys got the better of me :)
@Adam
Are there any plans to create a publicly available LXC template that we could used by others and when you say "I'd leave the issues with getting blessed RHEL LXC support to Red Hat?" do you imaging RedHat providing images/templates to deployers wanting to deploy on RHEL??
I noticed that the LXC tooling that RedHat provides is old and while functional its not using the lxc python 3 clients or libraries. Are there any plans to repack LXC using the available py3m packages that are in RHEL7.1?
In terms of pip vs rpm/deb packages are there things that RedHat will not specifically support when using pip? Is it that any use of pip would invalidate general RHEL host support? I ask because we already have all of the tooling to support a source based deployment which has the ability to do rolling upgrades and while I've only experimented with adding RedHat as base host OS (tested using RHEL 7/7.1) it shouldn't be a huge forklift to get that work done though adding in distinct code paths for deployments powered by packages would be a lot more work. As for Fedora support, I dont think thats far off once we have a base RHEL/CentOS7 system running.
--
Kevin
________________________________
From: Adam Young <ayoung at redhat.com>
Sent: Tuesday, July 14, 2015 10:59 AM
To: Kevin Carter; Kris G. Lindgren; John Dewey
Cc: openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] OSAD for RHEL
On 07/10/2015 02:25 PM, Kevin Carter wrote:
To be clear the present OSAD project really has no intention to bring package based installations of OpenStack. We'd certainly not reject the idea and wouldn't mind having an implementation spec for it but all of our current tooling and design principles have been based on the fact that we've move away from distro packages and on to upstream source as it pertains to OpenStack. The system as it stands today creates an internal repository of built wheels for your environment and all of the OpenStack services are installed within LXC containers, where possible and it makes sense. The installation of these bits comes from the internal wheel repository and uses pip and all of the pre / post config happens within the Ansible playbooks.
I understand your frustration with the packaging approach. For a first approximation, getting the code for OpenStack/Python operations out of Pip makes sense. Ideally, we would be able to support both approaches. Red Hat would not support a pip based install, but I am sure some Centos base users would be happy with pip.
We had the same general discussion around devstack.
One issue that will become a problem, for users of RedHat specifically, is the fact that RedHat has no LXC container templates (at least none that are publicly available) and even if someone were to make an official RedHat container template there'd be issues with the containers being able to connect to the satellite servers as well as other potential license problems.
I'd leave the issues with getting blessed RHEL LXC support to Red Hat. Making something that works for CentOS with publically available LXC containers there would be more what I expect from OSAD upstream.
What about Fedora support? It seems to me that we would be far more likely to have something supportable with Fedora that could then be backported to CentOS?
I've done some experimenting with a RedHat 7.1 hosts and CentOS 7 containers and things seem to work OK but I'd not say that I have really put a lot of effort into it. That said, if its something that you'd all like to work on I'd be happy to help out to make it all go.
Sounds good. I'll give it a try after the Keystone Midcycle.
--
Kevin Carter
________________________________
From: Adam Young <ayoung at redhat.com><mailto:ayoung at redhat.com>
Sent: Thursday, July 9, 2015 11:32 AM
To: Kris G. Lindgren; John Dewey
Cc: openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>
Subject: Re: [Openstack-operators] OSAD for RHEL
On 07/09/2015 02:16 AM, Kris G. Lindgren wrote:
Does OSP support running each service in an LXC container as well? What about nova-cells? How does it handle people who need to carry local changes? What is the upgrade path like with OSP?
So, ignoring the Hypervisor for the moment, there is no reason that the rest of the controllers can't run in separate Containers. I think a container based deployment would be fantastic.
venv is not really sufficient, as the system level binaries can still conflict (MysQL and LDAP both require system libraries for Keystone, for example)
From an Ansible perspective; we need to be able to share the HTTPD instance for Keystone and Apache, and getting that right will solve most of the issues deploying in a secure manner. Putting Them on separate hosts or containers should be a degenerate case, and thus be supported, too.
Asking, because in Philly the general consensus, I fel,t was people want to move away from the current system level package stuff and move towards: venv's, "lightweight packages", containers. The only reason that was brought up to keep packages around was to solve the non-python lib stuff and using a depsolver (yum/apt) that doesn't suck (pip). So I am pretty sure my wants are inline with what other people in the community are either already doing or moving towards.
___________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.
From: John Dewey <john at dewey.ws<mailto:john at dewey.ws>>
Date: Wednesday, July 8, 2015 at 11:43 PM
To: "Kris G. Lindgren" <klindgren at godaddy.com<mailto:klindgren at godaddy.com>>
Cc: Adam Young <ayoung at redhat.com<mailto:ayoung at redhat.com>>, "openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>" <openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>>
Subject: Re: [Openstack-operators] OSAD for RHEL
This would not be acceptable for those running OSP.
On Wednesday, July 8, 2015 at 10:12 PM, Kris G. Lindgren wrote:
I should be more clear. My current thought is to have a venv packaged
inside an rpm - so the rpm includes the needed init scripts, ensures the
required system level binaries are installed, adds the users - ect ect.
But would be a single deployable autonomous unit. Also, have a versioning
schema to roll forward and back between venvs for quick update/rollback.
We are already working on doing something similar to this to run kilo on
cent6 boxen, until we can finish revving the remaining parts of the fleet
to cent7.
My desire is to move away from using system level python & openstack
packages, so that I can possibly run mismatched versions if I need to. We
had a need to run kilo ceilometer and juno neutron/nova on a single
server. The conflicting python requirements between those made that task
impossible. In general I want to get away from treating Openstack as a
single system that everything needs to be upgraded in lock step (packages
force you into this). I want to move to being able to upgrade say
oslo.messaging to a newer version on just say nova on my control plane
servers. Or upgrade nova to kilo while keeping the rest of the system
(neutron) on juno. Unless I run each service in a vm/container or on a
physical piece of hardware that is pretty much impossible to do with
packages - outside of placing everything inside venv's.
However, it is my understanding that OSAD already builds its own
python-wheels and runs those inside lxc containers. So I don?t really
follow what good throwing those into an rpm would really do?
____________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.
On 7/8/15, 10:33 PM, "Adam Young" <ayoung at redhat.com<mailto:ayoung at redhat.com>> wrote:
On 07/07/2015 05:55 PM, Kris G. Lindgren wrote:
+1 on RHEL support. I have some interest in moving away from packages
and
am interested in the OSAD tooling as well.
I would not recommend an approach targetting RHEL that does not use
packages.
OSAD support for RHEL using packages would be an outstanding tool.
Which way are you planning on taking it?
____________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.
On 7/7/15, 3:38 PM, "Abel Lopez" <alopgeek at gmail.com<mailto:alopgeek at gmail.com>> wrote:
Hey everyone,
I've started looking at osad, and I like much of the direction it
takes.
I'm pretty interested in developing it to run on RHEL, I just wanted to
check if anyone would be -2 opposed to that before I spend cycles on
it.
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org<mailto:OpenStack-operators at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org<mailto:OpenStack-operators at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org<mailto:OpenStack-operators at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150714/f2496000/attachment-0001.html>
------------------------------
Message: 10
Date: Tue, 14 Jul 2015 16:46:33 -0700
From: pra devOPS <siv.devops at gmail.com>
To: matt <matt at nycresistor.com>,
openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] FAiled to create instance wiht
openstack nova network
Message-ID:
<CANvYX9Wcq-YtP8OxhBO2-ygMywW0+xMrB0veV1vQc1ieDXtKLQ at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi All:
I was able to spin up instances on openstack (all in one , Icehouse). Got
the ips able to connect it to the ips with floating ips.
from the floating ip network i am able to connect to the machines. Now I
want this vms talk outside the host on which they are hosted?
How can I do that?
Thanks,
Dev
On Mon, Jul 13, 2015 at 12:07 PM, pra devOPS <siv.devops at gmail.com> wrote:
>
> Can somebody suggest me on the below?
>
> Thanks,
> Dev
>
> On Fri, Jul 10, 2015 at 4:32 PM, pra devOPS <siv.devops at gmail.com> wrote:
>
>> Hi
>>
>> I am running as root, Please find below the nova config file. ( I am
>> using nova network)
>>
>> http://paste.openstack.org/show/363300/
>>
>> Thanks,
>> Dev
>>
>> On Fri, Jul 10, 2015 at 1:30 PM, matt <matt at nycresistor.com> wrote:
>>
>>> root-wrap failed probably a config error. might want to post your nova
>>> configs with commenting out of passwords / service tokens.
>>>
>>> dnsmasq --strict-order --bind-interfaces --conf-file= --pid-file=/var/lib/nova/networks/nova-br100.pid --listen-address=192.168.22.1 --except-interface=lo --dhcp-range=set:demo-net,192.168.22.2,static,255.255.255.0,120s --dhcp-lease-max=256 --dhcp-hostsfile=/var/lib/nova/networks/nova-br100.conf --dhcp-script=/usr/bin/nova-dhcpbridge --leasefile-ro --domain=novalocal --no-hosts --addn-hosts=/var/lib/nova/networks/nova-br100.hosts
>>> 2015-07-10 15:30:29.753 3044 TRACE oslo.messaging.rpc.dispatcher Exit code: 2
>>>
>>> needs to run as root. exit code 2 is obviously pretty bad. so that NEEDs to be fixed.
>>>
>>>
>>>
>>> On Fri, Jul 10, 2015 at 3:25 PM, pra devOPS <siv.devops at gmail.com>
>>> wrote:
>>>
>>>> All:
>>>>
>>>> I get the following error when trying to create an instance in
>>>> openstack icehouse centOS 7 on nova network.
>>>>
>>>> nova network logs and UI logs are pasted at:
>>>> *http://paste.openstack.org/show/362706/
>>>> <http://paste.openstack.org/show/362706/>*
>>>>
>>>>
>>>>
>>>> Can somebdody give susggestiong?
>>>> Thanks,Siva
>>>>
>>>>
>>>> _______________________________________________
>>>> OpenStack-operators mailing list
>>>> OpenStack-operators at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150714/20bed3b5/attachment-0001.html>
------------------------------
Message: 11
Date: Wed, 15 Jul 2015 16:13:06 +0800
From: Tom Fifield <tom at openstack.org>
To: openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] Scaling the Ops Meetup
Message-ID: <55A61612.10905 at openstack.org>
Content-Type: text/plain; charset=utf-8
Hi all,
On 01/07/15 15:29, Tom Fifield wrote:
> =Open Questions=
...
> * What are the costs involved in hosting one of these events?
Thanks to our wonderful sponsors (any inaccuracies or estimates are
mine), I got permission to post some rough cost information for the past
events, as requested:
=1. San Jose=
San Jose was hosted by eBay/Paypal who catered breakfast and brought in
pizza for lunch.
# Attendees: 40-50
Venue cost: $0
Food cost: $1000
Signage/misc: $0
Total per head: ~$20/head
Evening Event: $1000
=2. San Antonio=
San Antonio was hosted by Rackspace over two days who brought in
breakfast and pizza/food trucks for lunch.
# Attendees: 80-100
Venue cost: $1100 (security, AV)
Food cost: $2000
Signage/misc: $300
Total per head: ~$33/head
Evening Event: $1500
=3. Philadelphia=
Philadelphia was our first meetup held in a commercial venue, after we
ran out of space to host it at Comcast and had to move it at the last
minute. Two day event.
# Attendees: 125
Venue cost: $20,569 venue+food
Food cost: -
Signage/misc: $320
Total per head: ~$165/head
Evening Event: $3000
Regards,
Tom
>
>
> Regards,
>
>
> Tom
>
>
>
>
> On 30/06/15 12:33, Tom Fifield wrote:
>> Hi all,
>>
>> Right now, behind-the-scenes, we're working on getting a venue for next
>> ops mid-cycle. It's taking a little longer than normal, but rest assured
>> it is happening.
>>
>> Why is it so difficult? As you may have noticed, we're reaching the size
>> of event where both physically and financially, only the largest
>> organisations can host us.
>>
>> We thought we might get away with organising this one old-school with a
>> single host and sponsor. Then, for the next, start a brainstorming
>> discussion with you about how we scale these events into the future -
>> since once we get up and beyond a few hundred people, we're looking at
>> having to hire a venue as well as make some changes to the format of the
>> event.
>>
>> However, it seems that even this might be too late. We already had a
>> company that proposed to host the meetup at a west coast US hotel
>> instead of their place, and wanted to scope out other companies to
>> sponsor food.
>>
>> This would be a change in the model, so let's commence the discussion of
>> how we want to scale this event :)
>>
>> So far I've heard things like:
>> * "my $CORPORATE_BENEFACTOR would be fine to share sponsorship with others"
>> * "I really don't want to get to the point where we want booths at the
>> ops meetup"
>>
>> Which are promising! It seems like we have a shared understanding of
>> what to take this forward with.
>>
>> So, as the ops meetup grows - what would it look like for you?
>>
>> How do you think we can manage the venue selection and financial side of
>> things? What about the session layout and the scheduling with the
>> growing numbers of attendees?
>>
>> Current data can be found at
>> https://wiki.openstack.org/wiki/Operations/Meetups#Venue_Selection .
>>
>> I would also be interested in your thoughts about how these events have
>> only been in a limited geographical area so far, and how we can address
>> that issue.
>>
>>
>> Regards,
>>
>>
>> Tom
>>
>>
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
------------------------------
Message: 12
Date: Wed, 15 Jul 2015 10:41:24 +0100
From: Pedro Sousa <pgsousa at gmail.com>
To: "OpenStack-operators at lists.openstack.org"
<openstack-operators at lists.openstack.org>
Subject: [Openstack-operators] Neutron LBaaS HA in KIlo?
Message-ID:
<CA+E02ZDQ5diz8VzNX5JUtmTHvZHFTzPEcN4WSQnK_sCRXdQjWA at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi all,
can anybody clarify if Neutron LBaaS Agent has HA support in Kilo?
Regards,
Pedro Sousa
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150715/a337901e/attachment.html>
------------------------------
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
End of OpenStack-operators Digest, Vol 57, Issue 19
***************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150716/a330fa38/attachment-0001.html>
More information about the OpenStack-operators
mailing list