[Openstack] Folsom 2012.2.4 Ubuntu Packages
Hello, Does anyone know when the Folsom 2012.2.4 release will be available in the Ubuntu Cloud Archive? Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Nested Open vSwitch Bridges
I'm not sure how effective these rules are. I've been able to use OVS+nova-network+libvirt to create nested bridges without issues. On Thu, May 2, 2013 at 12:53 AM, Édouard Thuleau thul...@gmail.com wrote: And if you use libvirt virt driver, the hypervisor (libvirt+KVM in my case) adds anti MAC and IP spoofing rules on VNICs of VM: $ virsh nwfilter-list UUID Name 991dbd1a-373b-a005-57b2-5b1f4107f653 allow-arp aefdae18-56e8-4e67-c8f1-cc826e2c519c allow-dhcp f1e80828-1b4b-dcb3-4136-faaf5beab9e2 allow-dhcp-server 9e497c96-ec4a-4ad8-fcbb-d2917e3af70a allow-incoming-ipv4 4d998884-5870-8956-5585-d34f77231e3e allow-ipv4 7a4233d3-1fa8-6eb1-f2e8-3e55f773da0d clean-traffic fae01ed3-2bd5-e6b4-a63e-daa336655c20 no-arp-ip-spoofing bf61b4b4-f844-6c36-9bb7-6245b642b0cb no-arp-mac-spoofing 04cc5d54-08a0-31ca-4b5e-79a2e96d276b no-arp-spoofing 255d63a3-12a7-32b9-dffb-a2d61c8fcb39 no-ip-multicast a0e9b6f3-e099-2b0b-7d4b-69e63587fa39 no-ip-spoofing 83145355-39d1-9dce-4012-3032c110cf82 no-mac-broadcast 653c47ed-48f0-25ea-bf18-1153a58d3773 no-mac-spoofing cc460af0-ee60-7ca8-c09e-a074490711ac no-other-l2-traffic 5df592f3-dcff-e0f3-73ac-d2eb3baeda11 no-other-rarp-traffic 891e4787-e5c0-d59b-cbd6-41bc3c6b36fc nova-allow-dhcp-server 418f4ad6-d997-b483-15d9-c7c2c21b4eba nova-base fdc1ee23-05a1-0303-6d24-8a300bd57f21 nova-instance-instance-0004-fa163e3ec9b3 e8cd7fa5-2de9-cfe1-f24f-8a449043c6f3 nova-instance-instance-0005-fa163ed87bff 16e11cd9-6e17-3c91-6776-e3bffc70e94b nova-instance-instance-0006-fa163ecd666a c5ba020f-6b6f-d511-8ee1-2e2b49497431 nova-instance-instance-0007-fa163e1d4e38 2d085283-a4bf-79f8-80f1-20498b8cc475 nova-instance-instance-0018-fa163ee1842c 7d4bb9f1-597e-2a36-e340-45ec710b4481 nova-instance-instance-0088-fa163ef641ad 79ef4d25-ff42-fd63-f34b-fc1079c391b3 nova-nodhcp c5ac3035-ac46-3870-ff5c-296b5f4221d3 nova-vpn b615cae6-4ca8-882f-42e1-9de541e4844b qemu-announce-self b34d17b0-30d6-75c4-19d0-e636d1f99160 qemu-announce-self-rarp The virt driver is control by Nova, so is that Nova should be responsible for network security? Perhaps it could be disabled? But if we disable it, is that Quantum takes good care? Édouard. On Wed, May 1, 2013 at 7:14 AM, Joe Topjian joe.topj...@cybera.ca wrote: Thank you both for the information. I see that the compute node has some iptables rules for the instance -- one in particular that filters the instance's mac address -- but deleting this rule doesn't resolve the issue. So my guess is that it's the flow table that Salvatore mentioned which is ultimately controlling the filtering. At the moment, I don't know enough about open vswitch to make custom changes to the flow table. For now, setting the bridge's mac address as the same mac of the virtual interface is a good work around. Thanks again, Joe On Tue, Apr 30, 2013 at 5:57 PM, Salvatore Orlando sorla...@nicira.comwrote: I was not aware that security groups for OVS already enforced anti spoofing rules. That's good to know. Salvatore On 1 May 2013 00:55, Aaron Rosen aro...@nicira.com wrote: Also, the security group stuff locks down the port to be the mac+ip of the quantum port mac+ip. If you create a new bridge and add ethX to it you'll also have to set the mac on your bridge to be the same as ethX (which is the mac that quantum handed out). Aaron On Tue, Apr 30, 2013 at 4:25 PM, Salvatore Orlando sorla...@nicira.com wrote: Hi Joe, are you using the OVS plugin with GRE overlays? In that case your problem might be the fact that the plugin pushes a OVS flow entry which applies the 'local' vlan tag only to packet directed to the VM's mac [1] To me, this does not look like a bug; it's probably intended behaviour, as it kind of implements mac spoofing prevention. In the future we might also expect stricter anti-spoof checking; on the other side a change for administratively enabling promiscuos mode might be welcome - this should allow you to do nested OVS. Salvatore [1] https://github.com/openstack/quantum/blob/master/quantum/plugins/openvswitch/agent/ovs_quantum_agent.py#L448 On 30 April 2013 22:08, Joe Topjian joe.topj...@cybera.ca wrote: Hello, I have OpenStack (Grizzly) up and running with Quantum. I'm using the Open vSwitch plugin, per-tenant routing, and network namespaces. As far as I'm aware, this is all set up correctly as instances that I create are able to retrieve an IP address via DHCP, reach the metadata server, and reach the outside internet. The issue that I'm running into is that when I install Open vSwitch on the instance itself, I'm unable to create working bridges. For example: ovs-vsctl add-br br-eth0 ovs-vsctl add-port br-eth0 eth0 (swap IPs from eth0 to br-eth0, kill dhcp, etc etc) Traffic isn't flowing properly, though. If I run
Re: [Openstack] Floating IP is wasting IP resources
I agree with you. I'd be interested to know if anyone else has run into this issue and their solution. Here's what I'll be trying to implement to get around this: I have an incoming trunk connection that carries two vlans: a public IP subnet and private subnet. I have them configured as two bridges in OVS: br-nat (the private subnet) and br-floating (the public subnet). Right now I have one L3 service working with br-nat. Users can create routers, set a default gateway, and get outgoing nat'd access to the internet. Since the subnet is private, I can easily configure this L3 service with a large allocation pool. Yet to be implemented: the br-floating L3 service. This will be a smaller pool that will be restricted via quotas. Users will have to be more conservative with access to this service (maybe by creating an instance which will act as a port-forwarding firewall to an internal subnet). This places more work on the user compared to the nova-network vlanmanager workflow. However, I feel the ability to create multiple internal per-project subnets is a decent tradeoff. If this doesn't work out or if this ends up being to complicated for users, I'll probably go with the Provider Router with Private Networks use case ( http://docs.openstack.org/grizzly/openstack-network/admin/content/use_cases_single_router.html ). On Thu, May 2, 2013 at 4:06 AM, 陈雷 raid.c...@gmail.com wrote: Recently I'm test floating IP on version Grizzly, I found the mechanism of floating IP is a little of wasting public IP addresses. In some circumstance, like public cloud environment. there is only one user in one project (tenant). If the user want to using floating IP, he has to create an router and set a gateway for it, this process will occupy one additional public IP address. So the whole process of floating IP will use 2 public address at least. So my question is, are there any ways to avoid this? Thanks Ray ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] Nested Open vSwitch Bridges
Hello, I have OpenStack (Grizzly) up and running with Quantum. I'm using the Open vSwitch plugin, per-tenant routing, and network namespaces. As far as I'm aware, this is all set up correctly as instances that I create are able to retrieve an IP address via DHCP, reach the metadata server, and reach the outside internet. The issue that I'm running into is that when I install Open vSwitch on the instance itself, I'm unable to create working bridges. For example: ovs-vsctl add-br br-eth0 ovs-vsctl add-port br-eth0 eth0 (swap IPs from eth0 to br-eth0, kill dhcp, etc etc) Traffic isn't flowing properly, though. If I run a continuous ping and run tcpdump on both the instance and the tap interface on the controller, I see arp requests going out of the instance, being received on the tap interface, the tap interface sending a reply, but the reply never reaching the instance. However, I have found that if I create a bridge with the same MAC as the interface that I'm adding to the bridge, traffic flows correctly: ovs-vsctl set bridge br-eth0 other-config:hwaddr=aa:bb:cc:00:11:22 My best guess is that there's something (L2) blocking the flow of traffic, but I'm not exactly sure where to start looking. I think it's safe to assume that Open vSwitch on the OpenStack servers is doing the blocking but I think it's Quantum that's implementing the blocking since if I use Open vSwitch with nova-network, this problem doesn't happen. Does anyone have any pointers? Or even a fix? Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Nested Open vSwitch Bridges
Thank you both for the information. I see that the compute node has some iptables rules for the instance -- one in particular that filters the instance's mac address -- but deleting this rule doesn't resolve the issue. So my guess is that it's the flow table that Salvatore mentioned which is ultimately controlling the filtering. At the moment, I don't know enough about open vswitch to make custom changes to the flow table. For now, setting the bridge's mac address as the same mac of the virtual interface is a good work around. Thanks again, Joe On Tue, Apr 30, 2013 at 5:57 PM, Salvatore Orlando sorla...@nicira.comwrote: I was not aware that security groups for OVS already enforced anti spoofing rules. That's good to know. Salvatore On 1 May 2013 00:55, Aaron Rosen aro...@nicira.com wrote: Also, the security group stuff locks down the port to be the mac+ip of the quantum port mac+ip. If you create a new bridge and add ethX to it you'll also have to set the mac on your bridge to be the same as ethX (which is the mac that quantum handed out). Aaron On Tue, Apr 30, 2013 at 4:25 PM, Salvatore Orlando sorla...@nicira.comwrote: Hi Joe, are you using the OVS plugin with GRE overlays? In that case your problem might be the fact that the plugin pushes a OVS flow entry which applies the 'local' vlan tag only to packet directed to the VM's mac [1] To me, this does not look like a bug; it's probably intended behaviour, as it kind of implements mac spoofing prevention. In the future we might also expect stricter anti-spoof checking; on the other side a change for administratively enabling promiscuos mode might be welcome - this should allow you to do nested OVS. Salvatore [1] https://github.com/openstack/quantum/blob/master/quantum/plugins/openvswitch/agent/ovs_quantum_agent.py#L448 On 30 April 2013 22:08, Joe Topjian joe.topj...@cybera.ca wrote: Hello, I have OpenStack (Grizzly) up and running with Quantum. I'm using the Open vSwitch plugin, per-tenant routing, and network namespaces. As far as I'm aware, this is all set up correctly as instances that I create are able to retrieve an IP address via DHCP, reach the metadata server, and reach the outside internet. The issue that I'm running into is that when I install Open vSwitch on the instance itself, I'm unable to create working bridges. For example: ovs-vsctl add-br br-eth0 ovs-vsctl add-port br-eth0 eth0 (swap IPs from eth0 to br-eth0, kill dhcp, etc etc) Traffic isn't flowing properly, though. If I run a continuous ping and run tcpdump on both the instance and the tap interface on the controller, I see arp requests going out of the instance, being received on the tap interface, the tap interface sending a reply, but the reply never reaching the instance. However, I have found that if I create a bridge with the same MAC as the interface that I'm adding to the bridge, traffic flows correctly: ovs-vsctl set bridge br-eth0 other-config:hwaddr=aa:bb:cc:00:11:22 My best guess is that there's something (L2) blocking the flow of traffic, but I'm not exactly sure where to start looking. I think it's safe to assume that Open vSwitch on the OpenStack servers is doing the blocking but I think it's Quantum that's implementing the blocking since if I use Open vSwitch with nova-network, this problem doesn't happen. Does anyone have any pointers? Or even a fix? Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Puppet modules for OpenStack?
Hello, There's also a mailing list for those modules if you need any help or would like to help out: https://groups.google.com/a/puppetlabs.com/forum/?fromgroups#!forum/puppet-openstack They're a great set of modules with a great community behind them. Quantum support is lacking at the moment, but that's being worked on. Thanks, Joe On Sat, Apr 13, 2013 at 4:05 PM, Jeremy Stanley fu...@yuggoth.org wrote: On 2013-04-13 14:29:00 +0200 (+0200), Dennis Jacobfeuerborn wrote: [...] Is there a set of modules out there that have gained a certain momentum within the community so that they could be called inofficially endorsed by the (puppet using) openstack community? Dan Bode (bodepd on IRC) just moved them to Stackforge to take advantage of OpenStack's CI and developer workflows. See... https://github.com/stackforge/puppet-openstack https://github.com/stackforge/puppet-cinder https://github.com/stackforge/puppet-glance https://github.com/stackforge/puppet-horizon https://github.com/stackforge/puppet-keystone https://github.com/stackforge/puppet-nova https://github.com/stackforge/puppet-swift https://github.com/stackforge/puppet-openstack_dev_env I haven't used them, but I do see they've been getting quite a bit of community contribution and attention. Hope that helps! -- Jeremy Stanley ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Libvirt iSCSI client: duplicit connection_info data
Hi Brano,
I apologize for reviving an old thread.
On Wed, Mar 20, 2013 at 4:39 AM, Brano Zarnovican zarnovi...@gmail.comwrote:
Hi devs,
we are using backend iSCSI provider (Netapp) which is mapping
Openstack volumes to iSCSI LUNs. This mapping is not static and
changes over time. For example when the volume is detached then his
LUN id becomes unused. After a while a _different_ volume may get the
same LUN id, as Netapp is recycling them. This is expected behavior..
As a result, there may be entries in block_device_mapping with
identical connection_info..
connection_info: {driver_volume_type: iscsi, data:
{target_lun: 5, .. target_iqn:
iqn.1992-08.com.netapp:node.netapp02, volume_id: 1806}}
connection_info: {driver_volume_type: iscsi, data:
{target_lun: 5, .. target_iqn:
iqn.1992-08.com.netapp:node.netapp02, volume_id: 2227}}
Zero or one of them may be attached, the rest is in detached state.
As a fix to address #1112483, I'm deleting the device when it is being
disconnected (echo 1 /sys/block/sdg/device/delete).
Trouble is that OpenStack seems to expect the disconnect_volume to be
idempotent (_cleanup() method). That is, calling disconnect_volume on
detached volume will do nothing. However, because of the LUN reuse,
the id may now be mapped to a different volume. Caller is asking me to
disconnect volume with LUN5. From just looking at the device name
there is no way of telling which openstack volume it is.
/dev/disk/by-path/ip-172.30.128.3:3260-iscsi-iqn.1992-08.com.netapp:node.netapp02-lun-5
- ../../sdg
How to get out of this .. ?
1) Do not call 'disconnect_volume' for volumes that were successfully
disconnected before. In other words, disconnect_volume is not
idempotent anymore.
2) Wipeout connection_info after disconnect. At least for Netapp
provider it makes no sense to retain the info which is no longer valid
anyway.
3) do not reuse LUN ids - this would require major driver change to
keep track of all currently used LUNs for both attached and detached
volumes
4) store somewhere on the host system mapping between LUNs and
openstack volumes. You could check against it, before disconnecting a
LUN device
None of the options is too pleasant. Any suggestions how to address
the problem ?
Regards,
Brano Zarnovican
PS: We are using Essex. LUN reusing is a feature of Netapp that exists
in all versions of the driver (IMO). By a quick glance I think the
same problem with disconnect_volume exists on Folsom and master
branch.
I'm using Folsom with a NetApp appliance and can confirm the problem exists.
--
Joe Topjian
Systems Administrator
Cybera Inc.
www.cybera.ca
Cybera is a not-for-profit organization that works to spur and support
innovation, for the economic benefit of Alberta, through the use
of cyberinfrastructure.
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [StackTach][Metering] Nova summary report for the PHB in your life ...
Hi Sandy, Thank you for this announcement - we use StackTach extensively and this will be very useful. I have another reporting tool that uses StackTach's database that might be of interest to you. Our users have the ability to run Windows instances and we wanted to have the ability to provide Windows licenses similar to Amazon. In short, we were able to join a Microsoft program for this and report the license usage back to MS each month. The following script generates that report: https://github.com/jtopjian/puppet-admin/blob/dair/files/openstack/reports/windows_report.rb An example output is: https://gist.github.com/jtopjian/4955292 (names anonymized) Anyway, just thought it might be of interest! Thank you again for StackTach. I think it's an awesome tool and can't see using OpenStack without it. I plan on looking at it in more detail when I get time and seeing if I can contribute anything back or at the least spread the word about its use. Oh, I have a Puppet module for it here: https://github.com/jtopjian/puppet-stacktach I hope to get it uploaded to the Puppet Forge soon. (apologizes if this message is not threaded correctly - my mailing list subscription was in flux when the original message came in so I don't have it to properly reply to.) Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] dnsmasq stops talking to instances?
Hi Lars, There are no errors being logged by dnsmasq; started just after 2AM, all of the DHCPREQUEST ... traffic just stops, and the logs after that point look like this: We ran into similar issues that turned out to be a qemu bug: https://bugs.launchpad.net/ubuntu/+source/qemu-kvm/+bug/997978 The fixed qemu-kvm package is now in the main Ubuntu repository (assuming you are using Ubuntu 12.04), so maybe upgrading it will resolve your issue quickly. Note that upgrading it does not affect currently running instances (and subsequently means only newly launched instances will be fixed). Oct 19 02:02:34 stack-1 dnsmasq[32013]: read /etc/hosts - 2 addresses Oct 19 02:02:34 stack-1 dnsmasq[32013]: read /var/lib/nova/networks/nova-br662.conf Oct 19 02:02:35 stack-1 dnsmasq[32013]: read /etc/hosts - 2 addresses Oct 19 02:02:35 stack-1 dnsmasq[32013]: read /var/lib/nova/networks/nova-br662.conf Oct 19 02:03:12 stack-1 dnsmasq[32013]: read /etc/hosts - 2 addresses Oct 19 02:03:12 stack-1 dnsmasq[32013]: read /var/lib/nova/networks/nova-br662.conf ...until I restart things. For us, this included restarting the instance since it lost its IP address from lack of DHCP traffic. While we were troubleshooting the issue, we ended up adding a local account to each instance so we can log into the vnc console and restart networking services. Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Puppet module for Quantum and vSwitches (Currently OVS)
Hi Endre, You and I spoke about this module earlier today. I just saw this post to the OpenStack list and wanted to follow-up to the list with some brief information about it + where to find more information -- so please disregard anything repeated from our conversation :) Secondly, thank you and Emilien for your interest in Puppet and OpenStack. On Mon, Oct 8, 2012 at 6:15 AM, Endre Karlson endre.karl...@gmail.comwrote: Hi, me and Emilien Macchi have been collaborating on some puppet modules for Quantum and vSwitches. You can see them here: https://github.com/EmilienM/openstack-quantum-puppet https://github.com/ekarlso/puppet-vswitch Please note that they are Working In Progress and may change. Feedback is wanted. The Quantum module that you linked is based off of an earlier proof-of-concept module that I made a few weeks ago. There are areas in this code that were strictly for experimenting, so be careful. I think your vswitch module is great and will work well with the Quantum module -- much better than the original exec blocks. Rather than going into deep Puppet-specific details about this module on the OpenStack list, I'll instead point to the puppet-openstack mailing list for you or anyone else interested to join: https://groups.google.com/a/puppetlabs.com/forum/?fromgroups#!forum/puppet-openstack There's a current thread discussing the original Quantum module plus some other early Folsom modules: https://groups.google.com/a/puppetlabs.com/forum/?fromgroups=#!topic/puppet-openstack/BGaBkYDn2wo Thank you again for your interest and work with this :) Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Puppet module for Quantum and vSwitches (Currently OVS)
Hi Dmitry, Great modules. But you're using function multini to insert values into configuration files. Where can I find sources of this function? https://github.com/jtopjian/puppetlabs-inifile/tree/jtopjian-multini This function is now deprecated as Dan Bode has done a better implementation. Please see the following discussion for more information: https://groups.google.com/a/puppetlabs.com/forum/?fromgroups=#!topic/puppet-openstack/BGaBkYDn2wo Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] Horizon Bug 1004412 Details
Hello, I've been aware of Bug 1004412 ( https://bugs.launchpad.net/horizon/+bug/1004412) in my Essex deployments for a while and finally had some time to look into it in detail. I believe I have found the cause and wanted to discuss what I found vs how it was fixed in the patch. From what I can see, when an admin requests a list of volumes, all volumes in the cloud are returned. But when an admin requests a list of instances, only instances owned by the admin are returned -- unless an option to return all instances is specified. Because of these two distinct actions, the chances of a KeyError happening when visiting /nova/instances_and_volumes is extremely high once other projects begin working in the OpenStack environment: all volumes from all projects are returned but only admin instances are returned, so any volume attached in another project cannot find its corresponding instance. I see two proper solutions to this issue: either only return volumes owned by the admin or return all instances in all projects by default. I was unable to figure out (without doing too many changes) how to filter volumes, so I decided on the latter solution. In views.py, I modified the call to get a list of instances to be: if self.request.user.is_admin(): self._instances_list = api.server_list(self.request, all_tenants=True) else: self._instances_list = api.server_list(self.request) Without looking at the implementation details, but instead what the implementation is trying to achieve, I do not see this same issue being resolved in the patch ( https://github.com/openstack/horizon/commit/155bfb72c1b5f866236928f4ffd0c2567dc556f3 ). My question is if I have incorrectly assessed the issue or if the patch is taking other things into account that I'm not aware of? Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Cells Status
We didnt find any information related to CELLS [which is planned to replace ZONES] in the latest Folsom pre-release. Can any body give us information on this. Unfortunately, cells was unable to make feature freeze. It should be in Grizzly. Sorry for the delay :/ This is very disappointing. I was looking forward to cells as well. When was this decided and was the decision announced somewhere else? I'd like to know so I can monitor for other announcements like this. Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Big data is coming to Canada. Join the welcome wagon. *Cyber Summit 2012* October 1-3, Banff www.cybera.ca/summit2012 Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] Quantum, Horizon, and IPs
Hello, Regarding a bug currently being worked on ( https://bugs.launchpad.net/horizon/+bug/1040956), I'd like clarification on some of the comments. It sounds like the bug will not fully be fixed until Grizzly. Until then, the api is returning an empty list for a few functions. From reading Dan's last comment, it sounds as though end-users will not be able to allocate a floating IP to their project via Horizon? Given that, will they will not be able to associate floating IPs to instances, either? If this is true, what will the recommended tool / commands be for end-users to manage floating IPs for themselves? Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Big data is coming to Canada. Join the welcome wagon. *Cyber Summit 2012* October 1-3, Banff www.cybera.ca/summit2012 Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Quantum, Horizon, and IPs
Hi Dan, Thank you very much for your commends. Horizon support for Quantum in Folsom is limits to the core L2 networks + IP address management aspects of Quantum. Quantum itself didn't add support for L3 and Floating IPs didn't land until extremely late in Folsom, so its not Horizon's fault that this is not supported. Yes, understood. I am not trying to place blame anywhere. As a service provider, I'm trying to figure out how end-users will now use Folsom-based clouds. quantum has its own set of floatingip commands that will be available to tenants: snip Networks that support floating ips can be identified by searching for networks where router:external=True . We haven't yet added a convenient CLI command for that, but you can do: quantum network-list -- --router:external=True My only concern with this is the possible increase in knowledge and steps that an end-user will have to know and do in order to get their instance publicly available on the internet. Users were used to a two step process (allocate and associate). They now have to use a command line tool. As long as the quantum tool can be installed on client machines and place calls to the quantum service, this can be acceptable. In my opinion, it is starting to place more work on the end-user that they would like if they now have to first lookup an external network, then allocate an IP from that network, then associate that IP to an instance, all with a CLI. If I am thinking about this in the wrong way, I apologize. This will be covered in the Quantum admin guide. Again, if I'm thinking about this wrong and these scenarios will be covered in the admin guide, I apologize. Early in Grizzly we'll also probably work on a mechanism for proxying Nova floatingip API calls to Quantum floating IP calls. What are the chances of a backport or doing this early enough that some of this new code can be run inside Folsom? Thank you again for your help. Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Big data is coming to Canada. Join the welcome wagon. *Cyber Summit 2012* October 1-3, Banff www.cybera.ca/summit2012 Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] novnc for Ubuntu 12.04 and Folsom
Hello, According to this bug report (https://bugs.launchpad.net/nova/+bug/1021836), novnc was updated to account for a change in the rpc module. However, there does not seem to be an updated package in the Ubuntu Folsom repository ( https://launchpad.net/~openstack-ubuntu-testing/+archive/folsom-trunk-testing/+packages) nor at the novnc launchpad page (https://launchpad.net/ubuntu/+source/novnc ). Does anyone know if there will be a proper novnc package for Ubuntu 12.04 and Folsom? Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Big data is coming to Canada. Join the welcome wagon. *Cyber Summit 2012* October 1-3, Banff www.cybera.ca/summit2012 Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] novnc for Ubuntu 12.04 and Folsom
Hi Chuck, Sounds good. Thank you for the quick reply! Joe On Sun, Sep 9, 2012 at 3:05 PM, Chuck Short chuck.sh...@canonical.comwrote: Hi Joe, Yes there will be one, I been working on it and it should be in the archive soon. chuck On 12-09-09 04:18 PM, Joe Topjian wrote: Hello, According to this bug report ( https://bugs.launchpad.net/nova/+bug/1021836), novnc was updated to account for a change in the rpc module. However, there does not seem to be an updated package in the Ubuntu Folsom repository ( https://launchpad.net/~openstack-ubuntu-testing/+archive/folsom-trunk-testing/+packageshttps://launchpad.net/%7Eopenstack-ubuntu-testing/+archive/folsom-trunk-testing/+packages) nor at the novnc launchpad page ( https://launchpad.net/ubuntu/+source/novnc). Does anyone know if there will be a proper novnc package for Ubuntu 12.04 and Folsom? Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Big data is coming to Canada. Join the welcome wagon. *Cyber Summit 2012* October 1-3, Banff www.cybera.ca/summit2012 Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Big data is coming to Canada. Join the welcome wagon. *Cyber Summit 2012* October 1-3, Banff www.cybera.ca/summit2012 Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] novnc zombie processes
Hello, I'm seeing an issue where novnc is leaving behind zombie python processes after a user launches a VNC session. Has anyone else seen this issue or know how to fix it? I'm running OpenStack Essex on Ubuntu 12.04 novnc 2012.1~e3+dfsg+1-2 python-novnc 2012.1~e3+dfsg+1-2 Please let me know if anyone needs additional information. Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Big data is coming to Canada. Join the welcome wagon. *Cyber Summit 2012* October 1-3, Banff www.cybera.ca/summit2012 Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Trouble getting instances back up after hard server reboot
1:1.0.17-1ubuntu2 Linux SCSI target user-space tools ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [nova] [cinder] Nova-volume vs. Cinder in Folsom
Hello, I'm not an OpenStack developer nor any type of developer. I am, however, heavily involved with operations for a few production OpenStack environments. I understand the debate going on and wanted to add an administrator's point of view. For admins, OpenStack is not our job, but a tool we use in our job. It's terribly frustrating when that tool drastically changes every six months. I find Gabriel's reply interesting and sane. I think if it was agreed upon to ensure N+1 compatibility, then OpenStack should adhere to that. The change being discussed involves storage volumes. This is dead serious. If the migration goes awry, there's potential for production data loss. If the badly-migrated OpenStack environment is used to offer services for outside customers, we've just lost data for those customers. It's one of the worst scenarios for admins. If upgrading from one version of OpenStack to the next is too dangerous due to the possibility of getting into situations such as described above, then it needs to be clearly announced. There's a reason why major RHEL releases are maintained in parallel for so long. With regard to Option 1, I understand the benefits of making this change. If Option 1 was chosen, IMO, the best-case scenario would be if the extra work involved with upgrading to Cinder/Folsom was just a schema migration and everything else still worked as it did with Essex. If this were to happen, though, I would spend /weeks/ testing and planning the Folsom upgrade. I'd estimate that my production environments would make it to Folsom 3 months after it was released. But then what major change am I going to have to worry about in another 3 months? Thanks, Joe On Thu, Jul 12, 2012 at 2:48 PM, Gabriel Hurley gabriel.hur...@nebula.comwrote: The stated and agreed-upon goal from Essex forward is to make the core OpenStack projects N+1 compatible (e.g. Essex-Folsom, Folsom-Grizzly), and to make the clients capable of talking to every API version forever.** ** ** ** Anything standing in the way of that should be considered a release-blocking bug, and should be filed against the appropriate projects. I for one intend to see to that as best I can. ** ** That said, there **is** a grey area around “migration” steps like Nova Volume - Cinder. If the migration path is clear, stable, well-documented, uses the same schemas and same APIs… I’d say that **may** still fall into the category of N+1 compatible. It sounds like that’s the idea here, but that we need to thoroughly vet the practicality of that assertion. I don’t think we can decide this without proof that the clean transition is 100% possible. ** ** Code isn’t the only thing of value; constructively and respectfully shaping design decisions is great, testing and filing bugs is also fantastic. Profanity and disrespect are not acceptable. Ever. ** ** All the best, ** ** **- **Gabriel ** -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [OpenStack][Keystone] Blueprint to store quota data in Keystone
. Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [OpenStack][Keystone] Blueprint to store quota data in Keystone
Hi Everett, 1. For the keystone CLI I'm proposing using JSON for batch create, update, and delete of quotas. I don't believe this is done anywhere else in OpenStack. Good idea? Bad idea? My plan is to go with the JSON. IMO, using JSON on the command line is pretty unconventional with regards to classic CLI commands, but I do think it is interesting. With regard to your dot notation, couldn't multiple --quota args be used? For example: keystone quota-create --quota nova.ram=102400 --quota nova.instances=20 --quota swift.total=1073741824 tenant-id This is definitely possible programmatically with Python and the opt-parsing modules, but I was wondering if you chose not to use it as an example for other non-programmatic reasons. Secondly, with regard to quota-create and quota-update, is there a huge difference between the two besides one would ultimately do an insert and one would do an update? If that is the only difference, could the two be combined into a single quota-set subcommand? Thanks, Joe -- Joe Topjian Systems Administrator Cybera Inc. www.cybera.ca Cybera is a not-for-profit organization that works to spur and support innovation, for the economic benefit of Alberta, through the use of cyberinfrastructure. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
