Re: [Openstack] Clock Drift

2018-03-24 Thread Tyler Bishop
3 Sources.  CentOS NTP pool and 2 internal.

_

*Tyler Bishop*
EST 2007


O: 513-299-7108 x1000
M: 513-646-5809
http://BeyondHosting.net <http://beyondhosting.net/>


This email is intended only for the recipient(s) above and/or
otherwise authorized personnel. The information contained herein and
attached is confidential and the property of Beyond Hosting. Any
unauthorized copying, forwarding, printing, and/or disclosing
any information related to this email is prohibited. If you received this
message in error, please contact the sender and destroy all copies of this
email and any attachment(s).

On Fri, Mar 23, 2018 at 3:03 AM, Pablo Iranzo Gómez <pablo.ira...@redhat.com> wrote:

> +++ Chris Friesen [22/03/18 16:22 -0600]:
>
>> On 03/21/2018 08:17 PM, Tyler Bishop wrote:
>>
>>> We've been fighting a constant clock skew issue lately on 4 of our
>>> clusters.
>>>  They all use NTP but seem to go into WARN every 12 hours or so.
>>>
>>> Anyone else experiencing this?
>>>
>>
>> What clock are you using in the guest?
>>
>
>
> And how many NTPD sources?
>
>> Chris
>
> --
>
> Pablo Iranzo Gómez (pablo.ira...@redhat.com)  GnuPG: 0x5BD8E1E4
> Senior Software Maintenance Engineer - OpenStack   iranzo @ IRC
> RHC{A,SS,DS,VA,E,SA,SP,AOSP}, JBCAA#110-215-852RHCA Level V
>
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


[Openstack] Clock Drift

2018-03-21 Thread Tyler Bishop
We've been fighting a constant clock skew issue lately on 4 of our
clusters.   They all use NTP but seem to go into WARN every 12 hours or so.

Anyone else experiencing this?


Re: [Openstack] is there a way to set the number of queues with the virtio-scsi driver ?

2018-02-13 Thread Tyler Bishop
Also interested in this.


- Original Message -
From: "Vincent Godin" <vince.ml...@gmail.com>
To: "openstack" <openstack@lists.openstack.org>
Sent: Tuesday, February 13, 2018 10:32:26 AM
Subject: [Openstack] is there a way to set the number of queues with the virtio-scsi driver ?

When creating an image, in metadata "libvirt Driver Options", it's just
possible to set the "hw_scsi_model" to "virtio-scsi" but there is no way
to set the number of queues. As this is a big factor of io
improvement, why is this option still not available in openstack ?
Has someone made a patch for this ?



Re: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?

2018-01-27 Thread Tyler Bishop
On Dell DRAC you can disable IPMI/RAC control at the device for OS 
configuration. 

With Supermicro IPMI you just need to create a random user and random password 
that is not "admin". 




From: "Guo James" <guoyongxh...@outlook.com> 
To: xief...@sina.com, "openstack" <openstack@lists.openstack.org> 
Sent: Wednesday, January 10, 2018 10:16:34 PM 
Subject: Re: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS? 



Ironic user can change ipmi address so that OpenStack ironic loses control of 
bare metal. 

I think that is unacceptable. 

It seems that we should make ironic image without root privilege 




From: xief...@sina.com [mailto:xief...@sina.com] 
Sent: Thursday, January 11, 2018 9:12 AM 
To: Guo James; openstack 
Subject: Re: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS? 





If you can not get the username and password of the OS, you can not modify ipmi 
configuration though you got the ironic user info. 








- Original Message - 
From: Guo James <guoyongxh...@outlook.com> 
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org> 
Subject: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS? 
Date: January 10, 2018, 17:21 

I notice that after an ironic user gets a bare metal successfully, he can 
access ipmi through ipmi device although he can't access ipmi through LAN. 
How to prevent the situation? 
If he modifies ipmi configuration, that will be a mess. 


Re: [Openstack] [Neutron] Juno Neutron VPNaaS unstable

2016-10-17 Thread Tyler Bishop
I would venture to say no fixes will be back ported to anything older than 
liberty at this point. 

You should upgrade anyway. 



From: "Davide Panarese"  
To: openstack@lists.openstack.org 
Sent: Monday, September 26, 2016 12:19:08 PM 
Subject: [Openstack] [Neutron] Juno Neutron VPNaaS unstable 

Hello, 
we have big problems with VPNaaS in a multiregion production environment on 
OpenStack Juno, with unstable connections between vrouters or from a vrouter to 
an external pfSense, for example. 
On network nodes we have different kernel parameters. Does anyone know exactly 
which kernel parameters should be configured, if any? Is there any 
issue with some kernel versions? 

We use openswan 2.6.38 on kernel 3.13.0-65 and 3.13.0-74. 

The errors we noticed are that the VPN connection is UP but packets don't 
pass through the encrypted tunnel because there is a mismatch with the xfrm state. 
It seems that sometimes when the SA is re-established openswan can't renegotiate 
it and shows the error below: 

ignoring Delete SA payload: PROTO_IPSEC_ESP SA() not found (maybe expired) 


Anyone could help? 

Thank you very much. 

Regards, 
Davide 



Re: [Openstack] Site to Site VPN in openstack

2016-09-23 Thread Tyler Bishop
OpenStack VPN is policy based; each remote network must have a policy. 

It is not a routed VPN tunnel like most devices. 




From: "Jaison Peter"  
To: "OpenStack General" , jw...@rockplace.co.kr 
Sent: Wednesday, September 21, 2016 1:47:25 AM 
Subject: Re: [Openstack] Site to Site VPN in openstack 

Thanks for your reply Han, 
That means, if we have 10.0.0.0 network in premises and 192.168.0.0 network in 
remote openstack private cloud, and if we need to set a site to site VPN with 
routes on the VPN endpoints so that both networks can communicate with each other, 
then this case won't work if the on-premises VPN endpoint is a hardware 
device like ASA? 

On Tue, Sep 20, 2016 at 11:39 AM, Jaison Peter < urotr...@gmail.com > wrote: 



Hello all, 

I was checking if anything prevents us from establishing a site to site VPN 
from openstack private cloud to an on-site hardware device like Cisco ASA. I 
knew that it's possible to set up a site to site VPN between two openstack clouds 
using VPNaaS, but I am not sure about the openstack to hardware device scenario. 
Please advise. 







Re: [Openstack] Creating a FWaaS 'destroy's the router

2016-09-16 Thread Tyler Bishop
You should have the driver specified in the configs:
vpn_agent.ini
--
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

[ipsec]
enable_detailed_logging = True

[pluto]

[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver





neutron_vpnaas.conf
--
[DEFAULT]

[service_providers]
service_provider=VPN:libreswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default



If you are not the intended recipient of this transmission you are notified 
that disclosing, copying, distributing or taking any action in reliance on the 
contents of this information is strictly prohibited.

- Original Message -
From: "Turbo Fredriksson" <tu...@bayour.com>
To: "Tyler Bishop" <tyler.bis...@beyondhosting.net>
Cc: "openstack List" <openstack@lists.openstack.org>
Sent: Friday, September 16, 2016 2:18:10 PM
Subject: Re: [Openstack] Creating a FWaaS 'destroy's the router

On Sep 14, 2016, at 3:20 PM, Tyler Bishop wrote:

> Can you post your vpn_agent.ini neutron_vpnaas.conf and neutron.conf?

# egrep -v '^#|^$' vpn_agent.ini
[DEFAULT]
[ipsec]
[pluto]
[strongswan]
[vpnagent]

# egrep -v '^#|^$' neutron_vpnaas.conf
[DEFAULT]
[service_providers]

# egrep -v '^#|^$' neutron.conf
[DEFAULT]
bind_host = 0.0.0.0
auth_strategy = keystone
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
service_plugins = router,metering,lbaas,firewall
default_availability_zones = nova
dns_domain = openstack.domain.tld.
external_dns_driver = designate
allow_overlapping_ips = True
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
interface_driver = openvswitch
agent_down_time = 120
debug = false
rpc_backend = rabbit
[agent]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
report_interval = 60
availability_zone = nova
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://neutron:mysql_neutron_passw...@openstack.domain.tld/neutron
use_db_reconnect = true
[keystone_authtoken]
http_connect_timeout = 5
http_request_max_retries = 3
region_name = europe-london
auth_host = openstack.domain.tld
auth_port = 35357
auth_protocol = http
admin_user = neutron
admin_password = USER_NEUTRON_PASSWORD
admin_tenant_name = service
[matchmaker_redis]
[nova]
region_name = europe-london
auth_url = http://openstack.domain.tld:5000/v3
auth_type = v3password
password = USER_NEUTRON_PASSWORD
project_domain_name = default
project_name = service
tenant_name = service
user_domain_name = default
username = neutron
[oslo_concurrency]
lock_path = /var/lock/neutron
[oslo_messaging_amqp]
[oslo_messaging_notifications]
driver = neutron.services.metering.drivers.iptables.iptables_driver.IptablesMeteringDriver
[oslo_messaging_rabbit]
rabbit_host = openstack.domain.tld
rabbit_userid = openstack
rabbit_password = RABBITMQ_OPENSTACK_PASSWORD
[oslo_policy]
[quotas]
[ssl]
[designate]
url = http://openstack.domain.tld:9001/v2
admin_auth_url = http://openstack.domain.tld:35357/v3
admin_username = neutron
admin_password = USER_NEUTRON_PASSWORD
admin_tenant_name = service
allow_reverse_dns_lookup = False
ipv4_ptr_zone_prefix_size = 24
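
Added example (not part of the thread and not the project's own code): a Python check that the driver settings listed in the reply above are actually set, run over constructed copies of the two VPN files as they were posted (section headers only) and as recommended. The `service_type:name:driver[:default]` shape test is inferred from the `service_provider` value shown in the reply; `audit`, `load` and `provider_problem` are names chosen for this example.

```python
import configparser

# Driver settings listed in the reply, per file, as (section, option).
REQUIRED = {
    "vpn_agent.ini": [("DEFAULT", "interface_driver"),
                      ("vpnagent", "vpn_device_driver")],
    "neutron_vpnaas.conf": [("service_providers", "service_provider")],
}

# Constructed samples: the files as posted in the thread and as recommended.
AS_POSTED = {
    "vpn_agent.ini": "[DEFAULT]\n[ipsec]\n[pluto]\n[strongswan]\n[vpnagent]\n",
    "neutron_vpnaas.conf": "[DEFAULT]\n[service_providers]\n",
}
AS_RECOMMENDED = {
    "vpn_agent.ini": (
        "[DEFAULT]\n"
        "interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver\n"
        "[ipsec]\nenable_detailed_logging = True\n[pluto]\n[vpnagent]\n"
        "vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers."
        "libreswan_ipsec.LibreSwanDriver\n"),
    "neutron_vpnaas.conf": (
        "[DEFAULT]\n[service_providers]\n"
        "service_provider=VPN:libreswan:neutron_vpnaas.services.vpn."
        "service_drivers.ipsec.IPsecVPNDriver:default\n"),
}


def load(text):
    # default_section is renamed so [DEFAULT] is read as an ordinary section
    # and its values are not used as fallbacks for the other sections.
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    cp.read_string(text)
    return cp


def provider_problem(value):
    """Return a description of what is wrong with a service_provider value."""
    parts = value.split(":")
    if len(parts) not in (3, 4) or not all(parts):
        return "expected service_type:name:driver[:default]"
    if parts[0] != "VPN":
        return f"service type is {parts[0]!r}, not 'VPN'"
    if len(parts) == 4 and parts[3] != "default":
        return f"unexpected trailing field {parts[3]!r}"
    return None


def audit(files):
    """Return a list of findings; an empty list means every setting is set."""
    findings = []
    for fname, settings in REQUIRED.items():
        try:
            cp = load(files.get(fname, ""))
        except configparser.Error as exc:  # e.g. a value wrapped onto its own line
            findings.append(f"{fname}: unparseable ({type(exc).__name__})")
            continue
        for section, option in settings:
            value = cp.get(section, option, fallback="").strip()
            problem = "is not set" if not value else None
            if value and option == "service_provider":
                problem = provider_problem(value)
            if problem:
                findings.append(f"{fname} [{section}] {option}: {problem}")
    return findings


if __name__ == "__main__":
    for label, files in (("as posted", AS_POSTED), ("recommended", AS_RECOMMENDED)):
        print(label, audit(files) or "ok")
```

A driver path that a mail client has wrapped onto its own unindented line makes the file unparseable, which `audit` reports instead of treating the option as set.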



Re: [Openstack] Whole sections of ml2_conf.ini being ignored?

2016-02-22 Thread Tyler Bishop
I highly recommend using the correct config files vs the symlink configuration. 

I think the guide should be updated to reflect the config based on the driver 
instead... when you run yum update etc. it will break neutron until you re-edit 
the systemd files. 




From: "Matt Kassawara"  
To: "Mark Hayden"  
Cc: openstack@lists.openstack.org 
Sent: Friday, February 19, 2016 7:34:23 PM 
Subject: Re: [Openstack] Whole sections of ml2_conf.ini being ignored? 

I managed to do the backport today, so you should see the new version merge 
into the Liberty version in the next few days. 

On Fri, Feb 19, 2016 at 10:38 AM, Mark Hayden < mhay...@coalesco.ca > wrote: 




Thanks for the quick help. I confirmed that the debian packaged install is set 
up this new way and moved the settings to the new location and finally made 
some progress. After clearing out the stuck "binding failed" from the database 
all the ports bind and my VM creates with a NIC and I can assign fixed and 
floating IPs. 

Now onto the next challenge: I can ping the virtual router (even from the 
internet on its public port!) but cannot reach the running instance on either 
IP (tried all the namespaces with ip netns exec... with both IPs but nothing). 
But I will create a new thread here unless someone has a quick answer. 
On 19 Feb 2016 09:00, Matt Kassawara < mkassaw...@gmail.com > wrote: 

Looks like we (docs) never backported those fixes to the Liberty version of the 
guide. For some reason, the patch does not merge cleanly so I'm not sure when 
I'll get to it. 

On Thu, Feb 18, 2016 at 11:08 PM, Matt Kassawara < mkassaw...@gmail.com > 
wrote: 

In Liberty, the L2 agent configuration moves from ml2_conf.ini to 
openvswitch_agent.ini for OVS and linuxbridge_agent.ini for Linux bridge. 

On Thu, Feb 18, 2016 at 10:51 PM, Mark Hayden < m...@haydensplace.com > wrote: 

Hi, 

I have recently installed a small openstack setup using the Liberty release 
(from Debian Sid packaging). I have gotten as far as setting up a 
controller/network and a compute node with keystone, glance, cinder and nova 
services, but have gotten stuck trying to set up a DVR configuration of 
Neutron/openvswitch. 

I had an early OpenStack setup a few years ago (Essex release) but so much has 
changed from that "primitive" system with nova-network that I am pretty much a 
novice, but I am particularly interested in the DVR setup to eliminate the 
dependency on a single network node for future expansion. However I have spent 
a few days making no progress at all. 

I have tried to follow the relevant guide at 
http://docs.openstack.org/liberty/networking-guide/scenario-dvr-ovs.html as 
close as possible but I have not been able to get anything to work. All my 
ports come up dead (DOWN state, and tagged 4095 in ovs-vsctl) when I set up the 
virtual router and I cannot launch any instances as they fail at the network 
port binding stage. 

In the nova-compute.log: 

2016-02-17 19:01:51.160 2556 ERROR nova.compute.manager [instance: 848c9525-3f48-4747-bbf1-d0d8bf52697b] PortBindingFailed: Binding failed for port bf1cde62-7ac6-47a8-8fb9-85ec524d02bd, please check neutron logs for more information. 

In neutron-server.log: 

2016-02-17 19:01:50.669 3224 ERROR neutron.plugins.ml2.managers [req-e6f1dbbd-d26c-456a-af6a-604c905dc194 b1ce670ebde640b0a0b159f01b18c04e ffbdd9d45cf84de0a204acfd0344ee6b - - -] Failed to bind port bf1cde62-7ac6-47a8-8fb9-85ec524d02bd on host hostserver-0001 

In neutron-openvswitch-agent.log: 

2016-02-17 19:01:56.894 8021 INFO neutron.agent.common.ovs_lib [req-08c30666-e891-46ca-8200-be3d22285767 - - - - -] Port bf1cde62-7ac6-47a8-8fb9-85ec524d02bd not present in bridge br-int 

2016-02-17 19:01:56.894 8021 INFO neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [req-08c30666-e891-46ca-8200-be3d22285767 - - - - -] port_unbound(): net_uuid None not in local_vlan_map 

I have tried using VXLAN as shown in the guide as well as VLAN but both do the 
same thing. However this seems to be more than a problem with the settings in 
the configuration files. This was revealed when I turned on debug level 
logging. 

For some reason no matter what settings I try in ml2_conf.ini most of them are 
ignored--it doesn't matter how many services I stop and start or even rebooting 
the entire system (even completely wiping out the database and starting over 
with network config), ALL the settings in the [ml2] section and all the 
[ml2_type_*] sections are ignored and a set of default values are used. The 
real sticking point seems to be that mechanism_drivers is always an empty list 
and tenant_network_types is always just ['local']. As such nova refuses to 
start any instances on the networks I set up. 

Has anybody else seen this behaviour? For what it's worth here is what I 
currently have in my ml2_conf.ini file: 





[ml2] 
type_drivers = flat,vlan,gre,vxlan 

Re: [Openstack] Fwd: About Openstack Installation.

2015-12-28 Thread Tyler Bishop

There is no right or wrong way. The reason it's broken out onto a bunch of 
network devices during documentation is to make things easier to understand. 
You can run the entire service stack from a single nic single ip. 





From: "Erik McCormick"  
To: "Adam Lawson"  
Cc: openstack@lists.openstack.org, "madhuri kadam"  
Sent: Sunday, December 27, 2015 11:47:12 PM 
Subject: Re: [Openstack] Fwd: About Openstack Installation. 



You can also run your tunnels over the same nic and on the same VLAN you use to 
access your internal APIs if it's a small cloud and you're not concerned about 
bandwidth bottlenecks. This also allows you to have a single nic on your 
computes. I do this for dev clusters when I've had to go dumpster diving for 
hardware. 

-Erik 
On Dec 27, 2015 11:28 PM, "Adam Lawson" < alaw...@aqorn.com > wrote: 



As long as you manage to keep your networks separate(d) using VLANs or 
something, NIC use is kind of irrelevant as far as requirements go. 


Adam Lawson 

AQORN, Inc. 
427 North Tatnall Street 
Ste. 58461 
Wilmington, Delaware 19801-2230 
Toll-free: (844) 4-AQORN-NOW ext. 101 
International: +1 302-387-4660 
Direct: +1 916-246-2072 

On Sun, Dec 27, 2015 at 9:51 PM, Ajey Gore < ajeyg...@gmail.com > wrote: 

Not really. 



On Dec 27 2015, at 7:04 pm, madhuri kadam < madhurikadam...@gmail.com > wrote: 

-- Forwarded message -- 
From: madhuri kadam < madhurikadam...@gmail.com > 
Date: Sun, Dec 27, 2015 at 6:53 PM 
Subject: About Openstack Installation. 
To: openstack@lists.openstack.org 


Is it compulsory to use three NICs for the network node while forming the cloud 
on a physical machine? 







[Openstack] Scaling private networks across cells and availability zones

2015-11-04 Thread Tyler Bishop
What is the current recommended practice for scaling private networks? Should a 
vpn/router type machine be built to converge cells and availability zones? 


