Re: [Openstack] Clock Drift
3 Sources. CentOS NTP pool and 2 internal.

Tyler Bishop
EST 2007
O: 513-299-7108 x1000
M: 513-646-5809
http://BeyondHosting.net

This email is intended only for the recipient(s) above and/or otherwise authorized personnel. The information contained herein and attached is confidential and the property of Beyond Hosting. Any unauthorized copying, forwarding, printing, and/or disclosing any information related to this email is prohibited. If you received this message in error, please contact the sender and destroy all copies of this email and any attachment(s).

On Fri, Mar 23, 2018 at 3:03 AM, Pablo Iranzo Gómez <pablo.ira...@redhat.com> wrote:

> +++ Chris Friesen [22/03/18 16:22 -0600]:
>> On 03/21/2018 08:17 PM, Tyler Bishop wrote:
>>> We've been fighting a constant clock skew issue lately on 4 of our clusters.
>>> They all use NTP but seem to go into WARN every 12 hours or so.
>>>
>>> Anyone else experiencing this?
>>
>> What clock are you using in the guest?
>
> And how many NTPD sources?
>
>> Chris
>
> --
> Pablo Iranzo Gómez (pablo.ira...@redhat.com) GnuPG: 0x5BD8E1E4
> Senior Software Maintenance Engineer - OpenStack iranzo @ IRC
> RHC{A,SS,DS,VA,E,SA,SP,AOSP}, JBCAA#110-215-852RHCA Level V

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
[Openstack] Clock Drift
We've been fighting a constant clock skew issue lately on 4 of our clusters. They all use NTP but seem to go into WARN every 12 hours or so.

Anyone else experiencing this?
Re: [Openstack] is there a way to set the number of queues with the virtio-scsi driver ?
Also interested in this.

Tyler Bishop

----- Original Message -----
From: "Vincent Godin" <vince.ml...@gmail.com>
To: "openstack" <openstack@lists.openstack.org>
Sent: Tuesday, February 13, 2018 10:32:26 AM
Subject: [Openstack] is there a way to set the number of queues with the virtio-scsi driver ?

When creating an image, in metadata "libvirt Driver Options", it's only possible to set the "hw_scsi_model" to "virtio-scsi" but there is no way to set the number of queues. As this is a big factor of io improvement, why is this option still not available in openstack? Has someone made a patch for this?
Re: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?
On Dell DRAC you can disable IPMI/RAC control at the device for OS configuration. With Supermicro IPMI you just need to create a random user and random password that is not "admin".

Tyler Bishop

From: "Guo James" <guoyongxh...@outlook.com>
To: xief...@sina.com, "openstack" <openstack@lists.openstack.org>
Sent: Wednesday, January 10, 2018 10:16:34 PM
Subject: Re: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?

Ironic user can change ipmi address so that OpenStack ironic loses control of bare metal. I think that is unacceptable. It seems that we should make ironic image without root privilege.

From: xief...@sina.com [mailto:xief...@sina.com]
Sent: Thursday, January 11, 2018 9:12 AM
To: Guo James; openstack
Subject: Re: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?

If you cannot get the username and password of the OS, you cannot modify ipmi configuration though you got the ironic user info.

----- Original Message -----
From: Guo James <guoyongxh...@outlook.com>
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?
Date: January 10, 2018, 17:21

I notice that after an ironic user gets a bare metal successfully, he can access ipmi through the ipmi device although he can't access ipmi through LAN.

How to prevent the situation? If he modifies ipmi configuration, that will be a mess.
Re: [Openstack] [Neutron] Juno Neutron VPNaaS unstable
I would venture to say no fixes will be backported to anything older than Liberty at this point. You should upgrade anyway.

From: "Davide Panarese"
To: openstack@lists.openstack.org
Sent: Monday, September 26, 2016 12:19:08 PM
Subject: [Openstack] [Neutron] Juno Neutron VPNaaS unstable

Hello,

we have big problems with VPNaaS in a multiregion Production environment on Openstack Juno, with unstable connections between vrouters or from a vrouter to an external pfSense, for example.

On network nodes we have different kernel parameters. Does anyone know exactly which kernel parameters should be configured, if there are any? Is there any issue with some kernel versions? We use openswan 2.6.38 on kernel 3.13.0-65 and 3.13.0-74.

The errors we noticed are that the VPN connection is UP but packets don't pass through the encrypted tunnel because there is a mismatch with the xfrm state. It seems that sometimes when the SA is re-established openswan can't renegotiate it and shows the error below:

ignoring Delete SA payload: PROTO_IPSEC_ESP SA() not found (maybe expired)

Could anyone help?

Thank you very much.

Regards,
Davide
Re: [Openstack] Site to Site VPN in openstack
Openstack VPN is policy based, each remote network must have a policy. It is not a routed VPN tunnel like most devices.

From: "Jaison Peter"
To: "OpenStack General", jw...@rockplace.co.kr
Sent: Wednesday, September 21, 2016 1:47:25 AM
Subject: Re: [Openstack] Site to Site VPN in openstack

Thanks for your reply Han,

That means, if we have a 10.0.0.0 network on premises and a 192.168.0.0 network in a remote openstack private cloud, and if we need to set up a site to site VPN with routes on the VPN endpoints so that both networks can communicate with each other, then this case won't work if the on-premises VPN endpoint is a hardware device like ASA?

On Tue, Sep 20, 2016 at 11:39 AM, Jaison Peter <urotr...@gmail.com> wrote:

Hello all,

I was checking if anything prevents us from establishing a site to site VPN from an openstack private cloud to an on-site hardware device like Cisco ASA. I knew that it's possible to set up a site to site VPN between two openstack clouds using VPNaaS, but I am not sure about the openstack to hardware device scenario. Please advise.
Re: [Openstack] Creating a FWaaS 'destroy's the router
You should have the driver specified in the configs:

vpn_agent.ini
--
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
[ipsec]
enable_detailed_logging = True
[pluto]
[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver

neutron_vpnaas.conf
--
[DEFAULT]
[service_providers]
service_provider=VPN:libreswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

----- Original Message -----
From: "Turbo Fredriksson" <tu...@bayour.com>
To: "Tyler Bishop" <tyler.bis...@beyondhosting.net>
Cc: "openstack List" <openstack@lists.openstack.org>
Sent: Friday, September 16, 2016 2:18:10 PM
Subject: Re: [Openstack] Creating a FWaaS 'destroy's the router

On Sep 14, 2016, at 3:20 PM, Tyler Bishop wrote:
> Can you post your vpn_agent.ini neutron_vpnaas.conf and neutron.conf?

# egrep -v '^#|^$' vpn_agent.ini
[DEFAULT]
[ipsec]
[pluto]
[strongswan]
[vpnagent]

# egrep -v '^#|^$' neutron_vpnaas.conf
[DEFAULT]
[service_providers]

# egrep -v '^#|^$' neutron.conf
[DEFAULT]
bind_host = 0.0.0.0
auth_strategy = keystone
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
service_plugins = router,metering,lbaas,firewall
default_availability_zones = nova
dns_domain = openstack.domain.tld.
external_dns_driver = designate
allow_overlapping_ips = True
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
interface_driver = openvswitch
agent_down_time = 120
debug = false
rpc_backend = rabbit
[agent]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
report_interval = 60
availability_zone = nova
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://neutron:mysql_neutron_passw...@openstack.domain.tld/neutron
use_db_reconnect = true
[keystone_authtoken]
http_connect_timeout = 5
http_request_max_retries = 3
region_name = europe-london
auth_host = openstack.domain.tld
auth_port = 35357
auth_protocol = http
admin_user = neutron
admin_password = USER_NEUTRON_PASSWORD
admin_tenant_name = service
[matchmaker_redis]
[nova]
region_name = europe-london
auth_url = http://openstack.domain.tld:5000/v3
auth_type = v3password
password = USER_NEUTRON_PASSWORD
project_domain_name = default
project_name = service
tenant_name = service
user_domain_name = default
username = neutron
[oslo_concurrency]
lock_path = /var/lock/neutron
[oslo_messaging_amqp]
[oslo_messaging_notifications]
driver = neutron.services.metering.drivers.iptables.iptables_driver.IptablesMeteringDriver
[oslo_messaging_rabbit]
rabbit_host = openstack.domain.tld
rabbit_userid = openstack
rabbit_password = RABBITMQ_OPENSTACK_PASSWORD
[oslo_policy]
[quotas]
[ssl]
[designate]
url = http://openstack.domain.tld:9001/v2
admin_auth_url = http://openstack.domain.tld:35357/v3
admin_username = neutron
admin_password = USER_NEUTRON_PASSWORD
admin_tenant_name = service
allow_reverse_dns_lookup = False
ipv4_ptr_zone_prefix_size = 24
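An added example, not part of the thread and not Neutron project code: a small check over the two files named in the reply above, reporting when vpn_device_driver or service_provider is unset or does not have the shape shown in the reply. The sample file contents are constructed from the settings quoted in the messages, and the function and constant names are this example's own.

```python
import configparser

# Constructed inputs: the first pair mirrors the files posted in the thread
# (section headers only), the second pair mirrors the settings in the reply.
POSTED_AGENT = "[DEFAULT]\n[ipsec]\n[pluto]\n[strongswan]\n[vpnagent]\n"
POSTED_VPNAAS = "[DEFAULT]\n[service_providers]\n"
REPLY_AGENT = """[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
[ipsec]
enable_detailed_logging = True
[pluto]
[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
"""
REPLY_VPNAAS = """[DEFAULT]
[service_providers]
service_provider=VPN:libreswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
"""


def _load(text):
    # Only "=" separates key and value, so ":" inside a value is kept intact.
    # strict=False tolerates an option that is repeated within a section.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    return parser


def check_vpn_agent(text):
    """Return the problems found in vpn_agent.ini content (empty list = OK)."""
    driver = _load(text).get("vpnagent", "vpn_device_driver", fallback="").strip()
    if not driver:
        return ["[vpnagent] vpn_device_driver is not set"]
    if "." not in driver:
        return ["[vpnagent] vpn_device_driver is not a dotted class path"]
    return []


def check_service_provider(text):
    """Return the problems found in neutron_vpnaas.conf content."""
    value = _load(text).get(
        "service_providers", "service_provider", fallback="").strip()
    if not value:
        return ["[service_providers] service_provider is not set"]
    # Layout used in the reply: TYPE:name:driver.class.path[:default]
    parts = value.split(":")
    if len(parts) not in (3, 4):
        return ["service_provider should have 3 or 4 ':'-separated fields"]
    problems = []
    if parts[0] != "VPN":
        problems.append("service type is %r, expected 'VPN'" % parts[0])
    if "." not in parts[2]:
        problems.append("driver %r is not a dotted class path" % parts[2])
    if len(parts) == 4 and parts[3] != "default":
        problems.append("fourth field is %r, expected 'default'" % parts[3])
    return problems


if __name__ == "__main__":
    for name, agent, vpnaas in (("posted", POSTED_AGENT, POSTED_VPNAAS),
                                ("reply", REPLY_AGENT, REPLY_VPNAAS)):
        found = check_vpn_agent(agent) + check_service_provider(vpnaas)
        print(name, "->", found or "ok")
```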
Re: [Openstack] Whole sections of ml2_conf.ini being ignored?
I highly recommend using the correct config files vs the symlink configuration. I think the guide should be updated to reflect the config based on the driver instead... when you run yum update etc. it will break neutron until you re-edit the systemd files.

From: "Matt Kassawara"
To: "Mark Hayden"
Cc: openstack@lists.openstack.org
Sent: Friday, February 19, 2016 7:34:23 PM
Subject: Re: [Openstack] Whole sections of ml2_conf.ini being ignored?

I managed to do the backport today, so you should see the new version merge into the Liberty version in the next few days.

On Fri, Feb 19, 2016 at 10:38 AM, Mark Hayden <mhay...@coalesco.ca> wrote:

Thanks for the quick help. I confirmed that the debian packaged install is set up this new way and moved the settings to the new location and finally made some progress. After clearing out the stuck "binding failed" from the database all the ports bind and my VM creates with a NIC and I can assign fixed and floating IPs.

Now onto the next challenge: I can ping the virtual router (even from the internet on its public port!) but cannot reach the running instance on either IP (tried all the namespaces with ip netns exec... with both IPs but nothing). But I will create a new thread here unless someone has a quick answer.

On 19 Feb 2016 09:00, Matt Kassawara <mkassaw...@gmail.com> wrote:

Looks like we (docs) never backported those fixes to the Liberty version of the guide. For some reason, the patch does not merge cleanly so I'm not sure when I'll get to it.

On Thu, Feb 18, 2016 at 11:08 PM, Matt Kassawara <mkassaw...@gmail.com> wrote:

In Liberty, the L2 agent configuration moves from ml2_conf.ini to openvswitch_agent.ini for OVS and linuxbridge_agent.ini for Linux bridge.

On Thu, Feb 18, 2016 at 10:51 PM, Mark Hayden <m...@haydensplace.com> wrote:

Hi,

I have recently installed a small openstack setup using the Liberty release (from Debian Sid packaging). I have gotten as far as setting up a controller/network and a compute node with keystone, glance, cinder and nova services, but have gotten stuck trying to set up a DVR configuration of Neutron/openvswitch. I had an early OpenStack setup a few years ago (Essex release) but so much has changed from that "primitive" system with nova-network that I am pretty much a novice, but I am particularly interested in the DVR setup to eliminate the dependency on a single network node for future expansion. However I have spent a few days making no progress at all.

I have tried to follow the relevant guide at http://docs.openstack.org/liberty/networking-guide/scenario-dvr-ovs.html as close as possible but I have not been able to get anything to work. All my ports come up dead (DOWN state, and tagged 4095 in ovs-vsctl) when I set up the virtual router and I cannot launch any instances as they fail at the network port binding stage.

In the nova-compute.log:

2016-02-17 19:01:51.160 2556 ERROR nova.compute.manager [instance: 848c9525-3f48-4747-bbf1-d0d8bf52697b] PortBindingFailed: Binding failed for port bf1cde62-7ac6-47a8-8fb9-85ec524d02bd, please check neutron logs for more information.

In neutron-server.log:

2016-02-17 19:01:50.669 3224 ERROR neutron.plugins.ml2.managers [req-e6f1dbbd-d26c-456a-af6a-604c905dc194 b1ce670ebde640b0a0b159f01b18c04e ffbdd9d45cf84de0a204acfd0344ee6b - - -] Failed to bind port bf1cde62-7ac6-47a8-8fb9-85ec524d02bd on host hostserver-0001

In neutron-openvswitch-agent.log:

2016-02-17 19:01:56.894 8021 INFO neutron.agent.common.ovs_lib [req-08c30666-e891-46ca-8200-be3d22285767 - - - - -] Port bf1cde62-7ac6-47a8-8fb9-85ec524d02bd not present in bridge br-int
2016-02-17 19:01:56.894 8021 INFO neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [req-08c30666-e891-46ca-8200-be3d22285767 - - - - -] port_unbound(): net_uuid None not in local_vlan_map

I have tried using VXLAN as shown in the guide as well as VLAN but both do the same thing.

However this seems to be more than a problem with the settings in the configuration files. This was revealed when I turned on debug level logging. For some reason no matter what settings I try in ml2_conf.ini most of them are ignored--it doesn't matter how many services I stop and start or even rebooting the entire system (even completely wiping out the database and starting over with network config), ALL the settings in the [ml2] section and all the [ml2_type_*] sections are ignored and a set of default values are used. The real sticking point seems to be that mechanism_drivers is always an empty list and tenant_network_types is always just ['local']. As such nova refuses to start any instances on the networks I set up.

Has anybody else seen this behaviour? For what it's worth here is what I currently have in my ml2_conf.ini file:

[ml2]
type_drivers = flat,vlan,gre,vxlan
Re: [Openstack] Fwd: About Openstack Installation.
There is no right or wrong way. The reason it's broken out onto a bunch of network devices during documentation is to make things easier to understand. You can run the entire service stack from a single NIC and a single IP.

From: "Erik McCormick"
To: "Adam Lawson"
Cc: openstack@lists.openstack.org, "madhuri kadam"
Sent: Sunday, December 27, 2015 11:47:12 PM
Subject: Re: [Openstack] Fwd: About Openstack Installation.

You can also run your tunnels over the same nic and on the same VLAN you use to access your internal APIs if it's a small cloud and you're not concerned about bandwidth bottlenecks. This also allows you to have a single nic on your computes. I do this for dev clusters when I've had to go dumpster diving for hardware.

-Erik

On Dec 27, 2015 11:28 PM, "Adam Lawson" <alaw...@aqorn.com> wrote:

As long as you manage to keep your networks separate(d) using VLANs or something, NIC use is kind of irrelevant as far as requirements go.

Adam Lawson
AQORN, Inc.

On Sun, Dec 27, 2015 at 9:51 PM, Ajey Gore <ajeyg...@gmail.com> wrote:

Not really.

On Dec 27 2015, at 7:04 pm, madhuri kadam <madhurikadam...@gmail.com> wrote:

---------- Forwarded message ----------
From: madhuri kadam <madhurikadam...@gmail.com>
Date: Sun, Dec 27, 2015 at 6:53 PM
Subject: About Openstack Installation.
To: openstack@lists.openstack.org

Is it compulsory to use three NICs for the network node while forming the cloud on a physical machine?
[Openstack] Scaling private networks across cells and availability zones
What is the current recommended practice for scaling private networks? Should a vpn/router type machine be built to converge cells and availability zones?