Re: [Openstack-doc-core] Videos !
Hi all -

I took a look at the Gallery plugins and it's used for images not videos as far as I can tell. So manually changing them is fine, but I'm having trouble choosing another neutral one for the next rotation. The current one has been there 2 months, past time to switch it.

I was thinking about the Swift VM install, but I hesitate because it is from a company rather than a non-affiliated org. Then I looked at the OpenStack Basics - Overview one at http://www.youtube.com/watch?v=c1GFoY4btpo but it's specifically talking about Cisco.

Do you think that the wiki should have policy of non-affiliated videos only? Or just most useful wins?

Thanks,
Anne

On Mon, May 28, 2012 at 3:18 AM, Razique Mahroua razique.mahr...@gmail.com wrote:

The rotation principle sounds great actually. As long as we provide a link to all videos, I think it's great. As for the rotation, I found two plugins:

http://moinmo.in/ParserMarket/Gallery2
http://moinmo.in/MacroMarket/Gallery

I'm not sure though it works with videos. Do you know these plugins?

Thanks,
Razique

Anne Gentle a...@openstack.org, 25 May 2012 17:25

Hi Razique and all -

I've been adding some to this wiki page: http://wiki.openstack.org/DemoVideos

It would be great to get a rotation on the front wiki page of a video a month or something. I think I could get the columns working while still keeping the current content. Here's how it could look: http://wiki.openstack.org/Sandbox

What do you think? How could we get a rotation of videos going? How would we choose which get added to the front page of the wiki?

Thanks,
Anne

Razique Mahroua razique.mahr...@gmail.com, 25 May 2012 16:07

Hi, what about video tutorials for OPS installation/deployment/configuration, and so on? I know there are there and that videos (CSScorp made a couple) but maybe an official channel for the videos?

Best regards,
Razique

--
Nuage Co - Razique Mahroua razique.mahr...@gmail.com

--
Mailing list: https://launchpad.net/~openstack-doc-core
Post to : openstack-doc-core@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack-doc-core
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation
Hey Maru,

I think you're putting too many words in Adam's mouth here. First, Adam didn't assert it wasn't valuable, useful, or necessary - simply that it wasn't in the first cut and not in the list that we agreed was critically essential to an initial implementation. As you noted, it's a complex and somewhat tricky issue to get right.

There's always room for more participation to correct the flaws you see in the existing system - the beauty of open source. I would love to see continued work on the signing and revocation work to drive in these features that mean so much to you. I'd be happy to open a blueprint if you can stand behind it, define what you think it required, and commit to the work to implement that revocation mechanism.

Implying negative emotions on Adam's part when he's been one driving the implementation and doing the work is simply inappropriate. Please consider the blueprint route, definition of a viable solution, and work to make it happen instead of name calling and asserting how the developers doing the work are screwing up.

- joe

On Aug 1, 2012, at 8:05 PM, Maru Newby mne...@internap.com wrote:

Hi Adam,

I apologize if my questions were answered before. I wasn't aware that what I perceive as a very serious security concern was openly discussed.

The arguments against revocation support, as you've described them, seem to be:

- it's complicated/messy/expensive to implement and/or execute
- Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the potential security hole that a lack of revocation represents, but I suppose a 'short enough' token lifespan could minimize that hole. But how short a span are you suggesting as being acceptable?

The delay between when a user's access permissions change (whether roles, password or even account deactivation) and when the ticket reflects that change is my concern. The default in Keystone has been 24h, which is clearly too long. Something on the order of 5 minutes would be ideal, but then ticket issuance could become the bottleneck. Validity that's much longer could be a real problem, though. Maybe not at the cloud administration level, but for a given project I can imagine someone being fired and their access being revoked. How long is an acceptable period for that ticket to still be valid? How much damage could be done by someone who should no longer have access to an account if their access cannot be revoked, by anyone, at all?

I'm hearing that you, as the implementer of this feature, don't consider the lack of revocation to be an issue. What am I missing? Is support for revocation so repugnant that the potential security hole is preferable? I can see that from a developer's perspective, but I don't understand why someone deploying Keystone wouldn't avoid PKI tokens until revocation support became available.

Thanks,
Maru

On 2012-08-01, at 9:47 PM, Adam Young wrote:

On 08/01/2012 09:19 PM, Maru Newby wrote:

I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review: https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is a specific reason why nobody responded to my question as to why revocation is not required for this new token scheme. Anybody?

It was discussed back when I wrote the Blueprint. While it is possible to do revocations with PKI, it is expensive and requires a lot of extra checking. Revocation is a policy decision, and the assumption is that people that are going to use PKI tokens are comfortable without revocation. Kerberos service tickets have the same limitation, and Kerberos has been in deployment that way for close to 25 years. Assuming that PKI ticket lifespan is short enough, revocation should not be required.

What will be tricky is to balance the needs of long lived tokens (delayed operations, long running operations) against the needs for reasonable token timeout.

PKI Token revocation would look like CRLs in the Certificate world. While they are used, they are clunky. Each time a token gets revoked, a blast message would have to go out to all registered parties informing them of the revocation. Keystone does not yet have a message queue interface, so doing that is prohibitive in the first implementation.

Note that users can get disabled, and token chaining will no longer work: you won't be able to use a token to get a new token from Keystone.

Thanks,
Maru

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help :
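
The trade-off debated in this thread, as an added example that is not part of the original messages and not Keystone's code: a service that validates signed tokens offline keeps accepting a token until it expires unless it also polls a revocation list. HMAC stands in for the PKI signature, and the key, token layout, class names and user are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; HMAC stands in for the identity service's PKI signature.
SIGNING_KEY = b"constructed-demo-key"


def _sign(body):
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def issue_token(user, roles, issued_at, lifetime_s):
    """Return 'body.signature'; the expiry is part of the signed body."""
    claims = {"user": user, "roles": roles, "exp": issued_at + lifetime_s}
    body = json.dumps(claims, sort_keys=True).encode()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(_sign(body)).decode()


def token_id(token):
    """Stable identifier, so the revocation list need not carry whole tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class IdentityService:
    """Hypothetical issuer that publishes the IDs of revoked tokens."""

    def __init__(self):
        self.revoked_ids = set()

    def revoke(self, token):
        self.revoked_ids.add(token_id(token))


class OfflineValidator:
    """A service that validates tokens without calling the issuer per request.

    crl_refresh_s=None models the first implementation discussed in the
    thread: signature and expiry only, no revocation list.
    """

    def __init__(self, crl_refresh_s=None):
        self.crl_refresh_s = crl_refresh_s
        self.revoked = set()
        self.fetched_at = None

    def refresh(self, issuer, now):
        """Pull the revocation list when the cached copy is too old."""
        if self.crl_refresh_s is None:
            return
        if self.fetched_at is None or now - self.fetched_at >= self.crl_refresh_s:
            self.revoked = set(issuer.revoked_ids)
            self.fetched_at = now

    def validate(self, token, now):
        try:
            b64_body, b64_sig = token.split(".")
            body = base64.urlsafe_b64decode(b64_body)
            sig = base64.urlsafe_b64decode(b64_sig)
        except ValueError:  # wrong number of parts or invalid base64
            return False, "malformed"
        if not hmac.compare_digest(sig, _sign(body)):
            return False, "bad signature"
        if now >= json.loads(body)["exp"]:
            return False, "expired"
        if token_id(token) in self.revoked:
            return False, "revoked"
        return True, "ok"


def exposure_window(lifetime_s, crl_refresh_s, revoke_at, step=60):
    """Seconds a token issued at t=0 stays usable after revocation at revoke_at.

    The validator sees one request every `step` seconds.
    """
    issuer = IdentityService()
    validator = OfflineValidator(crl_refresh_s)
    token = issue_token("constructed-user", ["member"], 0, lifetime_s)
    for now in range(0, lifetime_s + step, step):
        if now >= revoke_at:
            issuer.revoke(token)
        validator.refresh(issuer, now)
        accepted, _reason = validator.validate(token, now)
        if now >= revoke_at and not accepted:
            return now - revoke_at
    return None


if __name__ == "__main__":
    day = 24 * 3600
    print("24h token, no revocation list:", exposure_window(day, None, 3660))
    print("24h token, list polled every 5 min:", exposure_window(day, 300, 3660))
    print("5 min token, no revocation list:", exposure_window(300, None, 60))
```

With a revocation list the window is bounded by the polling interval rather than by the token lifetime, which is the cost the thread weighs against distributing revocations to every validating service.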
[Openstack] how to create different instance name when create more instance in same time
Hi

Now I try to create more instance in same time in Dashboard. But the Instance name is same. How to solve it?

--
Shake Chen
Re: [Openstack] Cells Status
I found time to update the branch with the latest code tonight: https://github.com/comstud/nova/tree/cells_service

I put a review up here as a WIP also: https://review.openstack.org/#/c/10707/

I reviewed what's changed since the last update… and it was essentially:

- Rebase against master… resolving things that had moved to openstack-common
- Push bandwidth usage updates to top level API cell.
- Push instance metadata updates to top level API cell (though I don't think they would change in a child cell)
- instance system metadata syncing with instance updates
- Better delete instance handling
- Removed broken near/far filter which could have potential DoS issues, until it can be redone

Looks like I might have lost some code cleanups I had done previously… and I'll restore those asap.

The cells code as it is in the above branch is what's now running in a production environment and working… but there's still some edge cases of issues and doesn't support things like security groups and host aggregates.

I'll give an update tomorrow about trying to land this in folsom… but I'll probably be posting it at the new dev list: openstack-...@lists.openstack.org

- Chris

On Aug 1, 2012, at 9:03 PM, Chris Behrens wrote:

Ah, hit send early from my phone. There's a few additions I have in a private branch along with it being up2date with trunk. Will get that into the public branch and get the update out tomorrow!

On Aug 1, 2012, at 9:01 PM, Chris Behrens cbehr...@codestud.com wrote:

I'll push up the latest tomorrow, promise! And I'll give an update at that time. Sorry, been crazy times lately preparing for Rackspace's release today. We are live with cells, and I'm extremely anxious to start getting it into trunk. There's been a few additions not in the branch on github.

- Chris

On Aug 1, 2012, at 8:19 PM, Russell Sim russell@gmail.com wrote:

Hey,

We have been experimenting with the cells branch and I'm hoping I can get an update. The branch on github hasn't been updated for a couple of months and we are starting to hack on it but we are hesitant because we are aware that there are uncommitted changes.

Cheers,
Russell
Re: [Openstack] how to create different instance name when create more instance in same time
You can always rename them with the dashboard, but this doesn't mean that the hostname will change... It will remain the same for every VM.

On Thu, Aug 2, 2012 at 9:31 AM, Shake Chen shake.c...@gmail.com wrote:

Hi

Now I try to create more instance in same time in Dashboard. But the Instance name is same. How to solve it?

--
Shake Chen
Re: [Openstack] how to create different instance name when create more instance in same time
In HPcloud, when creating a VM, there is no need to set the Server name. How to achieve it?

On Thu, Aug 2, 2012 at 3:49 PM, Sébastien Han han.sebast...@gmail.com wrote:

You can always rename them with the dashboard, but this doesn't mean that the hostname will change... It will remain the same for every VM.

On Thu, Aug 2, 2012 at 9:31 AM, Shake Chen shake.c...@gmail.com wrote:

Hi

Now I try to create more instance in same time in Dashboard. But the Instance name is same. How to solve it?

--
Shake Chen

--
Shake Chen
Re: [Openstack] Angry People and OpenStack
+1 :)

Nuage Co - Razique Mahroua razique.mahr...@gmail.com

On 2 August 2012 at 06:17, Atul Jha atul@csscorp.com wrote:

Hi,

<snip>
i believe openstack is the best :0
</snip>

Indeed it is.

<snip>
if the model of open and transparency still issue, we can fix anyway
</snip>

I don't see there is any. It's just there are certain section of people who are bound to create FUD and act as TROLL. What we can simply do is to ignore them. :)

Cheers!!
Atul Jha
http://www.csscorp.com/common/email-disclaimer.php
Re: [Openstack] swift authentication problem
On 08/02/2012 05:09 AM, sarath zacharia wrote:

Hi,

We successfully configured the swift in our cloud environment. But when a non admin user accessing the container it shows an Error: Unable to retrieve container list.

Is there any option for accessing the containers (Swift object storage) in the dashboard for the non admin users?

Hi Sarath,

I suspect your user doesn't have an appropriate role in the tenant being used. In your swift proxy config file you'll find an option called operator_roles, which will look something like this:

    operator_roles = admin, swiftoperator

You'll need to make sure your user has a role in this list (in the tenant being used) in order to use swift. See keystone user-role-add to add the role.

Hope this helps,
Derek
[Openstack] Nova Volume and provisioning on iSCSI SAN
Hi all,

I have a question relating to nova-volume, and provisioning block devices as storage for VMs. As I understand it from the documentation, nova-volume will take a block device with LVM on it, and then become an iSCSI target to share the logical volumes to compute nodes. I also understand that there is another process for using an HP lefthand SAN or solaris iSCSI setup, whereby nova-volume can interact with APIs for volume creation on the SAN itself.

I have a dell iSCSI SAN, and I can see that I'd be able to mount a LUN from the SAN on my nova-volume node, then go through the documented process of creating an LVM on this LUN and having nova-volume re-share it over iSCSI to the compute nodes, but what I'm wondering is whether I can have the compute nodes simply connect to the iSCSI SAN to access these volumes (which would be created and managed by nova-volume still), rather than connect each compute node to the iSCSI target which nova-volume presents? I imagine with this setup, I could take advantage of the SAN's HA and performance benefits.

Hope that makes sense..
[Openstack] growing fixed-ip network
Hi,

I don't know how to handle the case when a tenant has used up all IPs. We use FlatNetworking, so no Floating IPs possible. So, when one tenant has used up all the IPs in their net, how can I assign another net to the same tenant?

If I just assign another net, every new instance just gets an IP from both nets. But if the first net doesn't have free IPs, I get the exception.NoMoreFixedIps() even if the second net still has lots of IPs.

Can this be solved with quantum?

Cheers,
Christoph

--
Christoph Kluenter                   E-Mail: supp...@iphh.net
Engineering                          Tel: +49 (0)40 374919-10
IPHH Internet Port Hamburg GmbH      Fax: +49 (0)40 374919-29
Wendenstrasse 408                    AG Hamburg, HRB 76071
D-20537 Hamburg                      Management: Axel G. Kroeger
Re: [Openstack] [glance] legacy client removal and python-glanceclient
Brian Waldon wrote:

Ok, so I spent some time on this and got all of the existing/legacy CLI working within python-glanceclient. It should let anybody using the existing client keep on keepin' on without having to worry about CLI compatibility (until we actually remove the deprecated functionality in the v2 release).

That's awesome, Brian. Great work.

I pushed up a review here: https://review.openstack.org/#/c/10703/. I would love for those that voiced their concerns earlier to install the new client and make sure it really is backwards-compatible.

Yes, time to help and be part of the solution :)

--
Thierry Carrez (ttx)
Release Manager, OpenStack
[Openstack] Multiple vNICs for Multiple networks.
Hi-

I have installed Openstack+Quantum+OVS in two machines. One Controller and the other as node.

I have created tenant specific/labeled and public labeled networks. Upon bringing up instances in a tenant, I'm able to see 3 types of IP address for the instance, and upon login into the instance, for ifconfig -a I'm able to see eth0, eth1 and eth2 interfaces.

But for ifconfig, only eth0 is shown. If I do dhclient eth1, I'm able to get the ip address for the instance.

Is that for 'N' number of networks, instances get those many vNICs..? Please help me understand the same.

--
Regards,
--
Trinath Somanchi, +91 9866 235 130
[Openstack] Node Disk Cleaning Script
Hi!

I hope this script will be useful for somebody.

    #!/bin/bash
    # Delete cached base images in _base that no instance disk uses as a backing file.
    cd /var/lib/nova/instances || exit 1
    # List the backing file of every instance disk.
    find . -name 'disk*' | xargs -n1 qemu-img info | grep backing |
      sed -e 's/.*file: //' -e 's/ .*//' | sort | uniq > /tmp/ignore
    # Build one "! -path FILE" test per backing file still in use.
    ARGS=()
    while read -r i; do
      ARGS+=( ! -path "$i" )
    done < /tmp/ignore
    find /var/lib/nova/instances/_base/ -type f "${ARGS[@]}" -delete
Re: [Openstack] Qcow2 Details on base images
Hi Jay,

Thanks for your reply, it helped me get started. I have been going through the code and some of the sparse docs that are available. This is the code file https://github.com/openstack/nova/blob/master/nova/virt/libvirt/utils.py

However I am facing a new issue and require some help. I wanted to modify how openstack handles the cow layer as such and also the qcow2 format. It turns out that openstack issues the external command qemu-img.

First of all, is qemu-img internal to openstack (I mean code for how qemu-img is implemented is in openstack or in qemu)? If it is in openstack, where is the code located? If it is outside openstack, does that mean I have to change the code in qemu and then link those binaries with openstack?

Any help would be appreciated.

Thanks,
Gaurab

On Sun, Jul 29, 2012 at 6:35 AM, Jay Pipes jaypi...@gmail.com wrote:

On 07/28/2012 11:10 AM, Gaurab Basu wrote:

Another thing I would like to know is whether it uses snapshot mechanism over time.

What is it you are referring to above? Are you asking whether Nova automatically takes snapshots of images over time? If so, no, it does not. If a user requests a snapshot of a launched instance, then Nova will issue snapshot commands -- in the case of the libvirt driver, these commands would be qemu-img snapshot -c SNAPSHOT_NAME IMAGE_PATH.

I mean how does the copy on write functionality works. Does it keep the diff snapshots over time (or something else).

Not sure here whether you are asking how QEMU's copy on write operations work or whether Nova keeps the base images separate from any VM images. If you are asking about the latter, the answer is that Nova will create the virtual machine images by creating a COW image based on the base image it pulls from Glance -- after making a resized copy of the base image if it needs to do so to meet the needs of the requested image size of the VM. Snapshots that are taken of virtual machine images on a host are stored by Nova in Glance.

And does the diff work at the level of file or block level?

AFAIK, CoW and snapshot actions with QEMU are block-level.

What is the format that the image is converted to after it is fetched from glance.

There may be no conversion needed at all... it depends on what the format of the original base image that was stored in Glance. Conversion between raw/iso and QCOW2 and vice versa is what you see in the code, and is what is done during migration as Mikal mentioned below.

I am fairly new to openstack. Can you point me to the specific files in the code where all these things are coded. I want to know the details of the present state.

grep for qemu-img in the nova/ directory. You'll see all the files that call qemu-img commands and then you can go look in those files.

Best,
-jay

Thanks again for your help.

Regards,
Gaurab

On Sat, Jul 28, 2012 at 11:52 AM, Michael Still michael.st...@canonical.com wrote:

On 28/07/12 05:42, Gaurab Basu wrote:

Hi,

I am trying to figure out the technology that openstack uses when multiple VM's having the *same* base image (OS) are provisioned on a physical server. Does it use as many copy as the number of VM's or does it use the same base image and then copy on write. I need to understand the complete details. Can anybody share some details or point me to some place where I can find the details.

It's pretty hard to provide a complete description of what happens, because the code keeps changing. However, assuming you have copy on write turned on (which is the default IIRC), and assuming that all of the instances have the same disk size, then you end up with:

- the image as fetched from glance, with possible format conversion
- that image resized to the size the instance requested
- a cow on write layer for each instance that is using that sized image

The first should be smallish, the second can be quite large, and the third will really depend on how much writing the instances are doing.

Note that this all falls apart if instances are migrated, because as part of the migration the copy on write layer is transformed into a full disk image, which is what is shipped over to the new machine.

Hope this helps,
Mikal
[Openstack] Nova Manage Network unable to add vlan ID
Hi-

I issued the command,

    nova-manage network create --label=tenant-1 --fixed_range_v4=172.15.1.0/24 --bridge_interface=br-int --vlan=15 --project_id=a17de6f647b14739acb33f09d246f72e

But in the network listing the vlanID is none:

    root@OpenstackController:~# nova-manage network list
    id   IPv4             IPv6   start address   DNS1      DNS2   VlanID   project                            uuid
    2012-08-02 17:50:40 DEBUG nova.utils [req-8ad6fc0b-96e6-49af-bd1d-ea97a38708cf None None] backend module 'nova.db.sqlalchemy.api' from '/usr/lib/python2.7/dist-packages/nova/db/sqlalchemy/api.pyc' from (pid=11488) __get_backend /usr/lib/python2.7/dist-packages/nova/utils.py:658
    1    172.15.1.0/24    None   172.15.1.2      8.8.4.4   None   None     a17de6f647b14739acb33f09d246f72e   af1c58f9-bfcf-4495-abb6-3d16e5e3bf6b

Can anyone guide me on finding out what might be the wrong thing here...

Thanking you...

--
Regards,
--
Trinath Somanchi, +91 9866 235 130
Re: [Openstack] growing fixed-ip network
It should hop on to the next subnet block if available (assuming that in LAN it's a private address scheme).

Ravi

On Thu, Aug 2, 2012 at 5:58 AM, Christoph Kluenter c...@iphh.net wrote:

Hi,

I don't know how to handle the case when a tenant has used up all IPs. We use FlatNetworking, so no Floating IPs possible. So, when one tenant has used up all the IPs in their net, how can I assign another net to the same tenant?

If I just assign another net, every new instance just gets an IP from both nets. But if the first net doesn't have free IPs, I get the exception.NoMoreFixedIps() even if the second net still has lots of IPs.

Can this be solved with quantum?

Cheers,
Christoph

--
Christoph Kluenter                   E-Mail: supp...@iphh.net
Engineering                          Tel: +49 (0)40 374919-10
IPHH Internet Port Hamburg GmbH      Fax: +49 (0)40 374919-29
Wendenstrasse 408                    AG Hamburg, HRB 76071
D-20537 Hamburg                      Management: Axel G. Kroeger
Re: [Openstack] [Netstack] Multiple vNICs for Multiple networks.
Hi,

Your environment seems to work well. The problem you have perhaps depends on your VM image.

If you use ifconfig -a, you should see all three interfaces. When ifconfig w/o -a option shows interface(s) which are UP, ifconfig with -a shows all interfaces available on a machine.

But for ifconfig, only eth0 is shown. If I do dhclient eth1, I'm able to get the ip address for the instance.

This result shows eth1 has been created as you expected, but eth1 and eth2 are not UP. Which interfaces are up on boot depends on a VM image you used. If you use Ubuntu Server images, you need to add the following lines to /etc/network/interfaces:

    auto eth1
    iface eth1 inet dhcp
    auto eth2
    iface eth2 inet dhcp

Thanks,

2012/8/2 Trinath Somanchi trinath.soman...@gmail.com:

Hi-

I have installed Openstack+Quantum+OVS in two machines. One Controller and the other as node.

I have created tenant specific/labeled and public labeled networks. Upon bringing up instances in a tenant, I'm able to see 3 types of IP address for the instance, and upon login into the instance, for ifconfig -a I'm able to see eth0, eth1 and eth2 interfaces.

But for ifconfig, only eth0 is shown. If I do dhclient eth1, I'm able to get the ip address for the instance.

Is that for 'N' number of networks, instances get those many vNICs..? Please help me understand the same.

--
Regards,
--
Trinath Somanchi, +91 9866 235 130

--
Mailing list: https://launchpad.net/~netstack
Post to : netst...@lists.launchpad.net
Unsubscribe : https://launchpad.net/~netstack
More help : https://help.launchpad.net/ListHelp

--
Akihiro MOTOKI amot...@gmail.com
Re: [Openstack] growing fixed-ip network
* On Thu, Aug 02 2012 at 09:24:55 -0400, Ravi Jagannathan wrote:

It should hop on to the next subnet block if available (assuming that in LAN it's a private address scheme).

We only use routable IPs. That's why we have some nets which can't be subnetted. What difference does it make if it's private address space?

christoph

Ravi

On Thu, Aug 2, 2012 at 5:58 AM, Christoph Kluenter c...@iphh.net wrote:

Hi,

I don't know how to handle the case when a tenant has used up all IPs. We use FlatNetworking, so no Floating IPs possible. So, when one tenant has used up all the IPs in their net, how can I assign another net to the same tenant?

If I just assign another net, every new instance just gets an IP from both nets. But if the first net doesn't have free IPs, I get the exception.NoMoreFixedIps() even if the second net still has lots of IPs.

Can this be solved with quantum?

Cheers,
Christoph

--
Christoph Kluenter                   E-Mail: supp...@iphh.net
Engineering                          Tel: +49 (0)40 374919-10
IPHH Internet Port Hamburg GmbH      Fax: +49 (0)40 374919-29
Wendenstrasse 408                    AG Hamburg, HRB 76071
D-20537 Hamburg                      Management: Axel G. Kroeger

--
Christoph Kluenter                   E-Mail: supp...@iphh.net
Engineering                          Tel: +49 (0)40 374919-10
IPHH Internet Port Hamburg GmbH      Fax: +49 (0)40 374919-29
Wendenstrasse 408                    AG Hamburg, HRB 76071
D-20537 Hamburg                      Management: Axel G. Kroeger
Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation
On 08/02/2012 01:56 AM, Joseph Heck wrote: Hey Maru, I think you're putting too many words in Adam's mouth here. First, Adam didnt assert is wasnt valuable, useful, or nessecary - simply that it wasnt in the first cut and not in the list that we agreed was critically essential to an initial implementation. As you noted, its a complex and somewhat tricky issue to get right. There's always room for more participation to correct the flaws you see in the existing system - the beauty of open source. I would love to see continued work on the signing and revocation work to drive in these features that mean so much to you. I'd be happy to open a blueprint if you can stand behind it, define what you think it required, and commit to the work to implement that revocation mechanism. Implying negative emotions on Adam's part when he's been one driving the implementation and doing the work is simply inappropriate. Please consider the blueprint route, definition of a viable solution, and work to make it happen instead of name calling and asserting how the developers doing the work are screwing up. Thanks for the support Joe. I don't think Maru was being too harsh. So long as he doesn't start calling me Sir as that is always an followed by you are making a scene. - joe On Aug 1, 2012, at 8:05 PM, Maru Newby mne...@internap.com mailto:mne...@internap.com wrote: Hi Adam, I apologize if my questions were answered before. I wasn't aware that what I perceive as a very serious security concern was openly discussed. The arguments against revocation support, as you've described them, seem to be: - it's complicated/messy/expensive to implement and/or execute - Kerberos doesn't need it, so why would we? I'm not sure why either of these arguments would justify the potential security hole that a lack of revocation represents, but I suppose a 'short enough' token lifespan could minimize that hole. But how short a span are you suggesting as being acceptable? 
The delay between when a user's access permissions change (whether roles, password or even account deactivation) and when the ticket reflects that change is my concern. The default in Keystone has been 24h, which is clearly too long. Something on the order of 5 minutes would be ideal, but then ticket issuance could become the bottleneck. Validity that's much longer could be a real problem, though. Maybe not at the cloud administration level, but for a given project I can imagine someone being fired and their access being revoked. How long is an acceptable period for that ticket to still be valid? How much damage could be done by someone who should no longer have access to an account if their access cannot be revoked, by anyone, at all? I'm hearing that you, as the implementer of this feature, don't consider the lack of revocation to be an issue. What am I missing? Is support for revocation so repugnant that the potential security hole is preferable? I can see that from a developer's perspective, but I don't understand why someone deploying Keystone wouldn't avoid PKI tokens until revocation support became available. I think you have valid concerns. Realistically, I think 5 minutes is too short, and for many operations, 24 hours would be the right granularity. However, The timespan of the tokens is configurable, and the policy of the deploying organization should dictate. Remember, this is the administrative interface for virtual machines, and not the applications running in them. Removing someone from access to creating/rebooting/destroying virtual machines is a much more deliberate decision than banning someone from a public forum. Aside from someone getting fired, I am not sure how essential it is that we have rapid revocation of tokens. And firing someone is usually part of the whole escort from the building routine. So, let me put the onus on you: make the argument for rapid revocation of tokens. 
Thanks,
Maru

On 2012-08-01, at 9:47 PM, Adam Young wrote:

On 08/01/2012 09:19 PM, Maru Newby wrote:

I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4 And the review: https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is a specific reason why nobody responded to my question as to why revocation is not required for this new token scheme. Anybody?

It was discussed back when I wrote the Blueprint. While it is possible to do revocations with PKI, it is expensive and requires a lot of extra checking. Revocation is a policy decision, and the assumption is that people that are going to use PKI tokens are comfortable without revocation. Kerberos service tickets have the same limitation, and Kerberos has been in deployment that way for close to 25
Re: [Openstack] Angry People and OpenStack
On Aug 1, 2012, at 11:17 PM, Atul Jha atul@csscorp.com wrote:

I don't see there is any. It's just there are certain section of people who are bound to create FUD and act as TROLL. What we can simply do is to ignore them. :)

This is a dangerous attitude here. People who criticize are haters and should be ignored. Stick your head in the sand and ignore the fact that OpenStack governance has a huge trust problem, that the product has stability and compatibility issues. Attack me for criticizing OpenStack when on a daily basis I am doing a lot of work to get into real world deployments.

In the meantime, I know people on this list heaping plenty of public praise on OpenStack who are actively pushing people in private towards alternatives. Yeah, that'll work really well.

-George

-- George Reese - Chief Technology Officer, enStratus
e: george.re...@enstratus.com Skype: nspollution t: @GeorgeReese p: +1.207.956.0217
enStratus: Enterprise Cloud Management - @enStratus - http://www.enstratus.com
To schedule a meeting with me: http://tungle.me/GeorgeReese

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Netstack] Nova Manage Network unable to add vlan ID
Minor correction for my previous mail.

Quantum OVS plugin (with non-tunneling mode) assigns VLAN-ID automatically for each virtual network.

(with non-tunneling mode) is unnecessary. All modes of OVS plugin do the same behavior. OVS plugin assigns VLAN-ID automatically for each virtual network.

Thanks,

2012/8/2 Akihiro MOTOKI amot...@gmail.com:

Hi,

In Essex Quantum, --vlan and --bridge_interface options for nova-manage are ignored. For VLAN, Quantum OVS plugin (with non-tunneling mode) assigns VLAN-ID automatically for each virtual network. Regarding bridge-interface, you need to configure OVS manually using ovs-vsctl.

Thanks,

2012/8/2 Trinath Somanchi trinath.soman...@gmail.com:

Hi-

I issued the command,

nova-manage network create --label=tenant-1 --fixed_range_v4=172.15.1.0/24 --bridge_interface=br-int --vlan=15 --project_id=a17de6f647b14739acb33f09d246f72e

But in the network listing the vlanID is none

root@OpenstackController:~# nova-manage network list
id  IPv4           IPv6  start address  DNS1     DNS2  VlanID  project                           uuid
2012-08-02 17:50:40 DEBUG nova.utils [req-8ad6fc0b-96e6-49af-bd1d-ea97a38708cf None None] backend module 'nova.db.sqlalchemy.api' from '/usr/lib/python2.7/dist-packages/nova/db/sqlalchemy/api.pyc' from (pid=11488) __get_backend /usr/lib/python2.7/dist-packages/nova/utils.py:658
1   172.15.1.0/24  None  172.15.1.2     8.8.4.4  None  None    a17de6f647b14739acb33f09d246f72e  af1c58f9-bfcf-4495-abb6-3d16e5e3bf6b

Can any one guide me on finding out what might be the wrong thing here...

Thanking you...
-- Regards, -- Trinath Somanchi, +91 9866 235 130

-- Mailing list: https://launchpad.net/~netstack Post to : netst...@lists.launchpad.net Unsubscribe : https://launchpad.net/~netstack More help : https://help.launchpad.net/ListHelp

-- Akihiro MOTOKI amot...@gmail.com
Re: [Openstack] Inbound connectivity and FlatDHCP networking
Traffic from vm to vm on different hosts should be able to go across flat_interface

Okay, that makes sense.

Getting inbound connectivity over fixed_ips can be tricky. It looks like you want to set up a specific range from vms that is not snatted. There is a config option for this called dmz_cidr. Anything in the dmz_cidr range will not be snatted.

With a multi_host, flatDHCP model, is the general idea that fixed_ips are -- generally -- internal to the compute host, and all external access is supposed to be via floating ips? That's sort of how it looks, but I hadn't seen that stated explicitly anywhere.

fixed_range=10.0.0.0/16
dmz_cidr=10.1.0.0/16

How does fixed_range interact with networks created via 'nova-manage network create ...'? There are a few bugs (e.g., https://bugs.launchpad.net/nova/+bug/741626) that suggest things need to be specified in both places. Is that correct?

-- Lars Kellogg-Stedman l...@seas.harvard.edu | Senior Technologist| http://ac.seas.harvard.edu/ Academic Computing | http://code.seas.harvard.edu/ Harvard School of Engineering and Applied Sciences |
Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation
This was a concern for HP as well. This is one of the reasons we were happy to see that signed tokens are currently a deployment option. So, you can continue to use the unsigned model until such a time that revocation can be put into place for the token signing model.

Jason

From: openstack-bounces+jason.rouault=hp@lists.launchpad.net [mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net] On Behalf Of Maru Newby
Sent: Wednesday, August 01, 2012 7:20 PM
To: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
Subject: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4 And the review: https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is a specific reason why nobody responded to my question as to why revocation is not required for this new token scheme. Anybody?

Thanks,
Maru
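The trade-off argued in this thread, as an added example that is not Keystone code and not code from any poster: a self-contained signed token checked only by signature and expiry stays usable after access is withdrawn until it expires, while a verifier that also consults a revocation list rejects it at once. HMAC stands in for the PKI signature so the example needs only the standard library; the function names, the `tok-1` id and the sample user are assumptions made for the illustration, and the 24h and 5 minute lifetimes are the figures mentioned in the thread.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Real PKI tokens are signed with a private key and
# checked against a certificate; HMAC is a stand-in for that signature here.
SIGNING_KEY = b"constructed-demo-key"

DAY = 24 * 3600  # lifetime the thread cites as the default
FIVE_MIN = 5 * 60  # lifetime the thread cites as the short end


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_token(token_id, user, roles, issued_at, ttl):
    """Return a self-contained token: base64(payload) + '.' + base64(signature)."""
    payload = json.dumps(
        {"id": token_id, "user": user, "roles": roles, "expires": issued_at + ttl},
        sort_keys=True,
    ).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def _open(token):
    """Check the signature; return the claims dict, or None if forged or garbled."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def verify_offline(token, now):
    """Signature and expiry only: all a service can check without asking the issuer."""
    claims = _open(token)
    return claims is not None and now < claims["expires"]


def verify_with_revocation(token, now, revoked_ids):
    """Same checks, plus a lookup in a revocation list obtained from the issuer."""
    claims = _open(token)
    if claims is None or now >= claims["expires"]:
        return False
    return claims["id"] not in revoked_ids


def exposure_seconds(issued_at, ttl, revoked_at):
    """How long a token stays usable after revocation when only offline checks run."""
    return max(0, issued_at + ttl - revoked_at)


def scenario(ttl, revoked_after, probe_after):
    """Issue at t=0, withdraw access at revoked_after, present token at probe_after."""
    token = issue_token("tok-1", "alice", ["member"], issued_at=0, ttl=ttl)
    # The issuer's list contains the token id only once access has been withdrawn.
    revoked = {"tok-1"} if probe_after >= revoked_after else set()
    return {
        "offline": verify_offline(token, probe_after),
        "with_list": verify_with_revocation(token, probe_after, revoked),
        "exposure": exposure_seconds(0, ttl, revoked_after),
    }


if __name__ == "__main__":
    # Access withdrawn one hour after issue, token presented an hour later.
    print("24h token:", scenario(DAY, 3600, 7200))
    # Access withdrawn after one minute, token presented a minute later.
    print("5min token:", scenario(FIVE_MIN, 60, 120))
```

A shorter lifetime only bounds the window; the revocation lookup is what closes it, at the cost of the verifier needing a current list from the issuer.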
Re: [Openstack] growing fixed-ip network
On Thu, Aug 2, 2012 at 8:42 AM, Christoph Kluenter c...@iphh.net wrote:

* On Thu, Aug 02 2012 at 09:24:55 -0400, Ravi Jagannathan wrote:

It should hop on to the next subnet block if available ( assuming that in LAN it's a private address scheme ) .

We only use routable IPs. That's why we have some nets which can't be subnetted. What difference does it make if it's private address space?

The major reason to use private address space is that there is likely a lot more of it than you have in public address space. If you have effectively unlimited fixed_ip space, you can give each project a lot. For example, we give each project a /23. While a user could potentially still run out of address space on our system, it hasn't happened yet with our workload.

-nld
[Openstack] Cannot pass hint to Nova Scheduler
Hi folks:

I am new to openstack, I am currently trying to test the json filter, I changed my /etc/nova/nova.conf as follows

scheduler_driver=nova.scheduler.multi.MultiScheduler
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
volume_scheduler_driver=nova.scheduler.chance.ChanceScheduler
scheduler_available_filters=nova.scheduler.filters.standard_filters
scheduler_default_filters=JsonFilter
least_cost_functions=nova.scheduler.least_cost.compute_fill_first_cost_fn
compute_fill_first_cost_fn_weight=-1.0

so I can use the json filter

however, when I was using it, if I boot a vm without any --hint to the scheduler, then the vm started fine, but if I use

nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query=['=','$free_ram_mb',1024] server1

my vm started with error, and the following were output from the command above

+-------------------------------------+--------------------------------------+
| Property                            | Value                                |
+-------------------------------------+--------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                               |
| OS-EXT-SRV-ATTR:host                | None                                 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                 |
| OS-EXT-SRV-ATTR:instance_name       | instance-002b                        |
| OS-EXT-STS:power_state              | 0                                    |
| OS-EXT-STS:task_state               | scheduling                           |
| OS-EXT-STS:vm_state                 | error                                |
| accessIPv4                          |                                      |
| accessIPv6                          |                                      |
| adminPass                           | dKvrsv4MZtfc                         |
| config_drive                        |                                      |
| created                             | 2012-08-02T14:25:10Z                 |
| flavor                              | m1.tiny                              |
| hostId                              |                                      |
| id                                  | 9d4a5855-3c69-40ba-b50d-3a2aa6a92edc |
| image                               | cirros-0.3.0-x86_64-uec              |
| key_name                            |                                      |
| metadata                            | {}                                   |
| name                                | server1                              |
| progress                            | 0                                    |
| status                              | BUILD                                |
| tenant_id                           | d99ffa1b0c43455ab8dbbd81cf4380a7     |
| updated                             | 2012-08-02T14:25:10Z                 |
| user_id                             | d5e02f1810a44575b99a147f94507da1     |
+-------------------------------------+--------------------------------------+

as you can see, the vm is in error, this also happens whenever I need to pass a hint to the scheduler, as in samehostfilter and differenthostfilter, Does anyone know what's going on, thanks in advance.

Heng
Re: [Openstack] [Netstack] Multiple vNICs for Multiple networks.
Hi,

Yes, if you do not specify networks using the “--nic” option you will get a vnic on each of the public networks and one for each network belonging to that tenant. Using the “--nic net-id=uuid-xyz” option you can refer to specific networks on which you want the vnics.

Thanks,
~Sumit.

From: netstack-bounces+snaiksat=cisco@lists.launchpad.net [mailto:netstack-bounces+snaiksat=cisco@lists.launchpad.net] On Behalf Of Trinath Somanchi
Sent: Thursday, August 02, 2012 3:18 AM
To: openstack@lists.launchpad.net; netst...@lists.launchpad.net
Subject: [Netstack] Multiple vNICs for Multiple networks.

Hi-

I have installed Openstack+Quantum+OVS in two machines. One Controller and the other as node. I have created tenant specific/labeled and public labeled networks. Upon bringing up instances in a tenant, I'm able to see 3 types of IP address for the instance. and Upon login into the instance, for ifconfig -a I'm able to see eth0,eth1 and eth2 interfaces. But for ifconfig, only eth0 is shown. If I do dhclient eth1, I'm able to get the ip address for the instance.

Is that for 'N' number of networks, instances get those many vNICs..? Please help me understand the same.

-- Regards, -- Trinath Somanchi, +91 9866 235 130
Re: [Openstack] growing fixed-ip network
Also.. builds are better created in Private IP and then prepped to release to Public cloud. After all just an instance running OS is not yet there in terms of APP stack.

Ravi.

On Thu, Aug 2, 2012 at 10:49 AM, Narayan Desai narayan.de...@gmail.com wrote:

On Thu, Aug 2, 2012 at 8:42 AM, Christoph Kluenter c...@iphh.net wrote:

* On Thu, Aug 02 2012 at 09:24:55 -0400, Ravi Jagannathan wrote:

It should hop on to the next subnet block if available ( assuming that in LAN it's a private address scheme ) .

We only use routable IPs. That's why we have some nets which can't be subnetted. What difference does it make if it's private address space?

The major reason to use private address space is that there is likely a lot more of it than you have in public address space. If you have effectively unlimited fixed_ip space, you can give each project a lot. For example, we give each project a /23. While a user could potentially still run out of address space on our system, it hasn't happened yet with our workload.

-nld
Re: [Openstack] Instance stuck in deleting state with error
On Wed, Aug 1, 2012 at 3:12 PM, Lorin Hochstein lo...@nimbisservices.com wrote:

I believe pip gets it from PyPI: http://pypi.python.org/pypi/python-novaclient/

Ah, I documented this internally and promptly forgot, this is where my version of python-novaclient with reset-state came from:

sudo pip install -e git+https://github.com/openstack/python-novaclient.git#egg=python-novaclient

you may want to verify the version at http://pypi.python.org/pypi/python-novaclient has it as well.

-Jon
Re: [Openstack] Cannot pass hint to Nova Scheduler
Hello Joseph:

I am not sure where to find the log, so I just used the screen to n-sch, and one of the error is

TRACE nova.rpc.amqp ValueError: No JSON object could be decoded

and I have no idea why this happened? Thank you.

Heng

From: Joseph Suh [j...@isi.edu]
Sent: Thursday, August 02, 2012 3:28 PM
To: Heng Xu
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Heng,

Does scheduler log show any error message or complaints?

Thanks,
Joseph

(w) 703-248-6160 (f) 703-812-3712 http://www.east.isi.edu/~jsuh Information Sciences Institute University of Southern California 3811 N. Fairfax Drive Suite 200 Arlington, VA, 22203, USA
Re: [Openstack] Angry People and OpenStack
On Thu 02 Aug 2012 07:19:28 AM PDT, George Reese wrote:

ignore the fact that OpenStack governance has a huge trust problem,

I don't think this is true: It's true that some people don't trust OpenStack governance, not that the governance is broken. The bylaws have been discussed for months, the governance model is based on the processes and principles that have brought OpenStack where it is today. We can't stop every time to address theoretical concerns expressed by people that fundamentally don't trust us (and they don't have to).

that the product has stability and compatibility issues.

Like all products out there: nobody is perfect.

Attack me for criticizing OpenStack when on a daily basis I am doing a lot of work to get into real world deployments.

you've been criticised for your questionable choice of words not for the content of your criticism. While you probably ended up in somebody's killfile, your contributions are still appreciated by many because you *do* real things with OpenStack (differently from others that just like to *talk* about OpenStack).

Let's stick to making a great product and have fun meanwhile: this is an exciting time. OpenStack Foundation is being born, well funded, supported by a wide spectrum of companies and lots of people. The future is bright.

/stef
Re: [Openstack] Nova Volume and provisionning on iSCSI SAN
I guess you might need to port one of the other iSCSI-based drivers (e.g. lefthand) to use whatever creation/deletion/access control mechanisms your Dell SAN uses... This does not look to be a significant amount of work, but such commands aren't generally standardized so would need to be done for your specific SAN.

-- Duncan Thomas HP Cloud Services, Galway

From: openstack-bounces+duncan.thomas=hp@lists.launchpad.net [mailto:openstack-bounces+duncan.thomas=hp@lists.launchpad.net] On Behalf Of Bilel Msekni
Sent: 02 August 2012 10:32
To: openstack@lists.launchpad.net
Subject: [Openstack] Nova Volume and provisionning on iSCSI SAN

Hi all,

I have a question relating to nova-volume, and provisioning block devices as storage for VMs. As I understand it from the documentation, nova-volume will take a block device with LVM on it, and then become an iSCSI target to share the logical volumes to compute nodes. I also understand that there is another process for using an HP lefthand SAN or solaris iSCSI setup, whereby nova-volume can interact with APIs for volume creation on the SAN itself.

I have a dell iSCSI SAN, and I can see that I'd be able to mount a LUN from the SAN on my nova-volume node, then go through the documented process of creating an LVM on this LUN and having nova-volume re-share it over iSCSI to the compute nodes, but what I'm wondering is whether I can have the compute nodes simply connect to the iSCSI SAN to access these volumes (which would be created and managed by nova-volume still), rather than connect each compute node to the iSCSI target which nova-volume presents? I imagine with this setup, I could take advantage of the SAN's HA and performance benefits.

Hope that makes sense..
Re: [Openstack] Nova Volume and provisionning on iSCSI SAN
You will likely have to write a nova-volume/cinder backend to talk to the dell SAN directly. You could probably base it on the HP lefthand san code and get something working pretty quickly: https://github.com/openstack/nova/blob/master/nova/volume/san.py

Vish

On Aug 2, 2012, at 2:31 AM, Bilel Msekni ski...@hotmail.fr wrote:

Hi all,

I have a question relating to nova-volume, and provisioning block devices as storage for VMs. As I understand it from the documentation, nova-volume will take a block device with LVM on it, and then become an iSCSI target to share the logical volumes to compute nodes. I also understand that there is another process for using an HP lefthand SAN or solaris iSCSI setup, whereby nova-volume can interact with APIs for volume creation on the SAN itself.

I have a dell iSCSI SAN, and I can see that I'd be able to mount a LUN from the SAN on my nova-volume node, then go through the documented process of creating an LVM on this LUN and having nova-volume re-share it over iSCSI to the compute nodes, but what I'm wondering is whether I can have the compute nodes simply connect to the iSCSI SAN to access these volumes (which would be created and managed by nova-volume still), rather than connect each compute node to the iSCSI target which nova-volume presents? I imagine with this setup, I could take advantage of the SAN's HA and performance benefits.

Hope that makes sense..
Re: [Openstack] Inbound connectivity and FlatDHCP networking
On Aug 2, 2012, at 7:35 AM, Lars Kellogg-Stedman l...@seas.harvard.edu wrote:

With a multi_host, flatDHCP model, is the general idea that fixed_ips are -- generally -- internal to the compute host, and all external access is supposed to be via floating ips? That's sort of how it looks, but I hadn't seen that stated explicitly anywhere.

It isn't explicitly that way, but it is the easiest setup. It is possible to set up fixed ips that are accessible/routable from outside but there are a lot of gotchas.

How does fixed_range interact with networks created via 'nova-manage network create ...'? There are a few bugs (e.g., https://bugs.launchpad.net/nova/+bug/741626) that suggest things need to be specified in both places. Is that correct?

The snatting rule is created exclusively from fixed_range, so right now fixed_range must contain all created fixed networks.
Re: [Openstack] qpid_heartbeat...doesn't?
On Thu, Aug 02, 2012 at 12:33:13PM -0400, Lars Kellogg-Stedman wrote:

Looks like a typo. Could you try this.

FYI: The same typo appears to exist in notify_qpid.py.

Err, that is, glance/notifier/notify_qpid.py, in case it wasn't obvious...

-- Lars Kellogg-Stedman l...@seas.harvard.edu | Senior Technologist| http://ac.seas.harvard.edu/ Academic Computing | http://code.seas.harvard.edu/ Harvard School of Engineering and Applied Sciences |
Re: [Openstack] Cannot pass hint to Nova Scheduler
Hi Heng,

The log should be in /var/log/nova/nova-scheduler.log.

PJ

On Thu, Aug 2, 2012 at 10:44 AM, Heng Xu shouhengzhang...@mail.utoronto.ca wrote:

Hello Joseph:

I am not sure where to find the log, so I just used the screen to n-sch, and one of the error is

TRACE nova.rpc.amqp ValueError: No JSON object could be decoded

and I have no idea why this happened? Thank you.

Heng

From: Joseph Suh [j...@isi.edu]
Sent: Thursday, August 02, 2012 3:28 PM
To: Heng Xu
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Heng,

Does scheduler log show any error message or complaints?

Thanks,
Joseph

(w) 703-248-6160 (f) 703-812-3712 http://www.east.isi.edu/~jsuh Information Sciences Institute University of Southern California 3811 N. Fairfax Drive Suite 200 Arlington, VA, 22203, USA
Re: [Openstack] Cannot pass hint to Nova Scheduler
Hi PJ

I don't know what happen, I could not find the file in my Ubuntu filesystem, I searched for it, no result, but I just used ./stack.sh to install it, I it is just me could not find the file? Any thoughts? thank you

Heng

From: Pengjun Pan [panpeng...@gmail.com]
Sent: Thursday, August 02, 2012 4:42 PM
To: Heng Xu
Cc: Joseph Suh; openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Hi Heng,

The log should be in /var/log/nova/nova-scheduler.log.

PJ

On Thu, Aug 2, 2012 at 10:44 AM, Heng Xu shouhengzhang...@mail.utoronto.ca wrote:

Hello Joseph:

I am not sure where to find the log, so I just used the screen to n-sch, and one of the error is

TRACE nova.rpc.amqp ValueError: No JSON object could be decoded

and I have no idea why this happened? Thank you.

Heng

From: Joseph Suh [j...@isi.edu]
Sent: Thursday, August 02, 2012 3:28 PM
To: Heng Xu
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Heng,

Does scheduler log show any error message or complaints?

Thanks,
Joseph

(w) 703-248-6160 (f) 703-812-3712 http://www.east.isi.edu/~jsuh Information Sciences Institute University of Southern California 3811 N. Fairfax Drive Suite 200 Arlington, VA, 22203, USA
Re: [Openstack] Cannot pass hint to Nova Scheduler
Hi Heng,

I didn't know that you were using devstack. The path I provided is for a manual installation of openstack. I didn't try it with devstack. According to https://answers.launchpad.net/nova/+question/176973, devstack outputs the log to the screen. Try Vish's suggestion. Good luck.

PJ

On Thu, Aug 2, 2012 at 11:47 AM, Heng Xu shouhengzhang...@mail.utoronto.ca wrote:

Hi PJ

I don't know what happened, I could not find the file in my Ubuntu filesystem, I searched for it, no result, but I just used ./stack.sh to install it. Is it just me who could not find the file? Any thoughts? Thank you.

Heng

From: Pengjun Pan [panpeng...@gmail.com]
Sent: Thursday, August 02, 2012 4:42 PM
To: Heng Xu
Cc: Joseph Suh; openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Hi Heng,

The log should be in /var/log/nova/nova-scheduler.log.

PJ

On Thu, Aug 2, 2012 at 10:44 AM, Heng Xu shouhengzhang...@mail.utoronto.ca wrote:

Hello Joseph:

I am not sure where to find the log, so I just used the screen to n-sch, and one of the errors is

TRACE nova.rpc.amqp ValueError: No JSON object could be decoded

and I have no idea why this happened. Thank you.

Heng

From: Joseph Suh [j...@isi.edu]
Sent: Thursday, August 02, 2012 3:28 PM
To: Heng Xu
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Heng,

Does the scheduler log show any error message or complaints?

Thanks,
Joseph

(w) 703-248-6160 (f) 703-812-3712 http://www.east.isi.edu/~jsuh
Information Sciences Institute, University of Southern California
3811 N. Fairfax Drive Suite 200, Arlington, VA, 22203, USA

- Original Message -
From: Heng Xu shouhengzhang...@mail.utoronto.ca
To: openstack@lists.launchpad.net
Sent: Thursday, August 2, 2012 10:57:53 AM
Subject: [Openstack] Cannot pass hint to Nova Scheduler

Hi folks:

I am new to openstack, I am currently trying to test the json filter. I changed my /etc/nova/nova.conf as follows

scheduler_driver=nova.scheduler.multi.MultiScheduler
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
volume_scheduler_driver=nova.scheduler.chance.ChanceScheduler
scheduler_available_filters=nova.scheduler.filters.standard_filters
scheduler_default_filters=JsonFilter
least_cost_functions=nova.scheduler.least_cost.compute_fill_first_cost_fn
compute_fill_first_cost_fn_weight=-1.0

so I can use the json filter. However, when I was using it, if I boot a vm without any --hint to the scheduler, then the vm started fine, but if I use

nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query=['=','$free_ram_mb',1024] server1

my vm started with error, and the following was output from the command above

+-------------------------------------+--------------------------------------+
| Property                            | Value                                |
+-------------------------------------+--------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                               |
| OS-EXT-SRV-ATTR:host                | None                                 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                 |
| OS-EXT-SRV-ATTR:instance_name       | instance-002b                        |
| OS-EXT-STS:power_state              | 0                                    |
| OS-EXT-STS:task_state               | scheduling                           |
| OS-EXT-STS:vm_state                 | error                                |
| accessIPv4                          |                                      |
| accessIPv6                          |                                      |
| adminPass                           | dKvrsv4MZtfc                         |
| config_drive                        |                                      |
| created                             | 2012-08-02T14:25:10Z                 |
| flavor                              | m1.tiny                              |
| hostId                              |                                      |
| id                                  | 9d4a5855-3c69-40ba-b50d-3a2aa6a92edc |
| image                               | cirros-0.3.0-x86_64-uec              |
| key_name                            |                                      |
| metadata                            | {}                                   |
| name                                | server1                              |
| progress                            | 0                                    |
| status                              | BUILD                                |
| tenant_id                           | d99ffa1b0c43455ab8dbbd81cf4380a7     |
| updated                             | 2012-08-02T14:25:10Z                 |
| user_id                             | d5e02f1810a44575b99a147f94507da1     |
+-------------------------------------+--------------------------------------+

as you can see, the vm is in error. This also happens whenever I need to pass a hint to the scheduler, as in samehostfilter and differenthostfilter. Does anyone know what's going on? Thanks in advance.

Heng

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Nova Volume and provisionning on iSCSI SAN
On Thu, Aug 2, 2012 at 10:21 AM, Vishvananda Ishaya vishvana...@gmail.com wrote:

You will likely have to write a nova-volume/cinder backend to talk to the dell SAN directly. You could probably base it on the HP lefthand san code and get something working pretty quickly: https://github.com/openstack/nova/blob/master/nova/volume/san.py

Vish

On Aug 2, 2012, at 2:31 AM, Bilel Msekni ski...@hotmail.fr wrote:

Hi all,

I have a question relating to nova-volume, and provisioning block devices as storage for VMs. As I understand it from the documentation, nova-volume will take a block device with LVM on it, and then become an iSCSI target to share the logical volumes to compute nodes.

I also understand that there is another process for using an HP lefthand SAN or solaris iSCSI setup, whereby nova-volume can interact with APIs for volume creation on the SAN itself.

I have a dell iSCSI SAN, and I can see that I'd be able to mount a LUN from the SAN on my nova-volume node, then go through the documented process of creating an LVM on this LUN and having nova-volume re-share it over iSCSI to the compute nodes, but what I'm wondering is whether I can have the compute nodes simply connect to the iSCSI SAN to access these volumes (which would be created and managed by nova-volume still), rather than connect each compute node to the iSCSI target which nova-volume presents? I imagine with this setup, I could take advantage of the SAN's HA and performance benefits.

Hope that makes sense..

Bilel,

If you need some help with this let me know. I'll be back from vacation tomorrow and can point a few things out to you if needed.

John
[Openstack] [nova] Reminder: nova team meeting today at 2100 UTC
Hello Everyone,

Just a quick reminder that we are having a nova team meeting today at 2100 UTC. That is 2PM on the West Coast, and 4PM Central. Check your city/timezone here: http://www.timeanddate.com/worldclock/fixedtime.html?hour=21&min=0&sec=0

The agenda is located at: http://wiki.openstack.org/Meetings/Nova

See you all in a few hours!

Vish
Re: [Openstack] Qcow2 Details on base images
On 08/02/2012 07:47 AM, Gaurab Basu wrote:

Hi Jay,

Thanks for your reply, it helped me get started. I have been going through the code and some of the sparse docs that are available. This is the code file https://github.com/openstack/nova/blob/master/nova/virt/libvirt/utils.py

However I am facing a new issue and require some help. I wanted to modify how openstack handles the cow layer as such and also the qcow2 format. It turns out that openstack issues the external command qemu-img.

First of all, is qemu-img internal to openstack (I mean, is the code for how qemu-img is implemented in openstack or in qemu)? If it is in openstack, where is the code located? If it is outside openstack, does that mean I have to change the code in qemu and then link those binaries with openstack?

QEMU is a totally separate project from Nova, yes. QEMU is written in C and has a number of executables such as qemu-img and qemu-nbd, etc. Nova calls out to these executables in subprocesses.

If you want to make changes to QEMU, yes, you would want to look into the QEMU contribution process and community. Here's where to start: http://wiki.qemu.org/Documentation/GettingStartedDevelopers

Best,
-jay
Re: [Openstack] Node Disk Cleaning Script
On 08/02/2012 12:12 PM, Алексей Кайтаз wrote:

Hi! I hope this script will be useful for somebody.

    #!/bin/bash
    # Stop if the instances directory is missing, so the ignore list is never built from the wrong place
    cd /var/lib/nova/instances || exit 1
    # Collect the backing files that instance disks still reference
    find . -name 'disk*' | xargs -n1 qemu-img info | grep backing | sed -e 's/.*file: //' -e 's/ .*//' | sort | uniq > /tmp/ignore
    # Build find arguments that exclude every backing file still in use
    ARGS=()
    while read -r i; do
        ARGS+=( ! -path "$i" )
    done < /tmp/ignore
    # Delete the base images that no instance disk refers to
    find /var/lib/nova/instances/_base/ -type f "${ARGS[@]}" -delete

This is done automatically by nova when you enable this in /etc/nova/nova.conf

    remove_unused_base_images = True

That is done in Fedora/EPEL packages for the last while, and will default on in the next folsom release.

cheers,
Pádraig.
Re: [Openstack] Inbound connectivity and FlatDHCP networking
On Thu, Aug 02, 2012 at 09:24:56AM -0700, Vishvananda Ishaya wrote:

It isn't explicitly that way, but it is the easiest setup. It is possible to set up fixed ips that are accessible/routable from outside but there are a lot of gotchas

Got it.

The snatting rule is created exclusively from fixed_range, so right now fixed_range must contain all created fixed networks.

Thanks, that clears up a mystery!

We've now got inbound networking operating correctly, although it did require us to fiddle around with some policy routing rules to get traffic going to the right gateway. I'm going to write up some details and post it here later.

--
Lars Kellogg-Stedman l...@seas.harvard.edu |
Senior Technologist | http://ac.seas.harvard.edu/
Academic Computing | http://code.seas.harvard.edu/
Harvard School of Engineering and Applied Sciences |
[Openstack] Preventing OpenStack from allocating some floating ips?
If I create a floating address range like this:

    nova-manage floating create --ip_range=10.243.30.0/24

Is there any way to block out specific addresses in that range? For example, the .1 address is the network gateway, and everything will fall apart if that address is accidentally allocated to an instance. Similarly, our host needs an address in that range in order to route traffic to the gateway.

Is there any way to exempt specific addresses? I realize that instead of allocating a /24 I could allocate a series of, say, /28 networks, but that seems a little clumsy.

Thanks,

--
Lars Kellogg-Stedman l...@seas.harvard.edu |
Senior Technologist | http://ac.seas.harvard.edu/
Academic Computing | http://code.seas.harvard.edu/
Harvard School of Engineering and Applied Sciences |
Re: [Openstack] qpid_heartbeat...doesn't?
On 08/02/2012 05:35 PM, Lars Kellogg-Stedman wrote:

On Thu, Aug 02, 2012 at 12:33:13PM -0400, Lars Kellogg-Stedman wrote:

Looks like a typo. Could you try this.

FYI: The same typo appears to exist in notify_qpid.py.

Err, that is, glance/notifier/notify_qpid.py, in case it wasn't obvious...

Well spotted. I've submitted a patch for: https://bugs.launchpad.net/glance/+bug/1032314

cheers,
Pádraig.
Re: [Openstack] Cannot pass hint to Nova Scheduler
Hi,

I recorded the error message, below

2012-08-02 13:51:02 TRACE nova.rpc.amqp   File "/opt/stack/nova/nova/scheduler/filters/json_filter.py", line 141, in host_passes
2012-08-02 13:51:02 TRACE nova.rpc.amqp     result = self._process_filter(jsonutils.loads(query), host_state)
2012-08-02 13:51:02 TRACE nova.rpc.amqp   File "/opt/stack/nova/nova/openstack/common/jsonutils.py", line 123, in loads
2012-08-02 13:51:02 TRACE nova.rpc.amqp     return json.loads(s)
2012-08-02 13:51:02 TRACE nova.rpc.amqp   File "/usr/lib/python2.7/json/__init__.py", line 326, in loads
2012-08-02 13:51:02 TRACE nova.rpc.amqp     return _default_decoder.decode(s)
2012-08-02 13:51:02 TRACE nova.rpc.amqp   File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
2012-08-02 13:51:02 TRACE nova.rpc.amqp     obj, end = self.raw_decode(s, idx=_w(s, 0).end())
2012-08-02 13:51:02 TRACE nova.rpc.amqp   File "/usr/lib/python2.7/json/decoder.py", line 384, in raw_decode
2012-08-02 13:51:02 TRACE nova.rpc.amqp     raise ValueError("No JSON object could be decoded")
2012-08-02 13:51:02 TRACE nova.rpc.amqp ValueError: No JSON object could be decoded
2012-08-02 13:51:02 TRACE nova.rpc.amqp

It seems that the filter cannot find my json file, so although I was using the --hint functionality, whatever was typed after the hint did not go to the filter host_passed function, so it could not locate the json object. Any thoughts? Thanks.

Heng
Re: [Openstack] Cannot pass hint to Nova Scheduler
Post your filter file. Might be a typo.

PJ
Re: [Openstack] Cannot pass hint to Nova Scheduler
Hi,

attached is the json_filter file I used, but it just came with the devstack script installation, I did not even modify it.

Heng
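The trace in this thread ends in json.loads() inside JsonFilter.host_passes, so the string that reached the scheduler was not JSON. The following is an added example, not code from the thread or from Nova: it emulates shell quote removal with shlex for the boot command as it appears on this page and checks the resulting hint before it is sent. IMAGE_ID, the function names and the operator list are assumptions.

```python
import json
import shlex

# Operators JsonFilter accepts according to Nova's filter documentation.
# Listed here as an assumption; check the json_filter.py you actually run.
KNOWN_OPS = {"=", "<", ">", "in", "<=", ">=", "not", "or", "and"}

# Constructed command lines. The first hint is typed as it appears on this
# page; IMAGE_ID is a placeholder.
BOOT = "nova boot --image IMAGE_ID --flavor 1 --hint %s server1"
COMMANDS = {
    "as on this page": BOOT % "query=['=','$free_ram_mb',1024]",
    "double-quoted argument": BOOT % "\"query=['=','$free_ram_mb',1024]\"",
    "single-quoted JSON": BOOT % "'query=[\"=\",\"$free_ram_mb\",1024]'",
}


def hint_values(cmdline):
    """Return the strings following each --hint after POSIX quote removal,
    i.e. what the nova client finds in sys.argv.

    shlex does no glob or variable expansion. A real shell would also expand
    an unquoted or double-quoted $free_ram_mb, usually to an empty string.
    """
    argv = shlex.split(cmdline)
    return [argv[i + 1] for i, arg in enumerate(argv[:-1]) if arg == "--hint"]


def _shape_problem(node):
    """Describe the first malformed sub-expression, or return None."""
    if not isinstance(node, list):
        return None                      # literal value or "$variable"
    if not node:
        return "empty expression"
    if not isinstance(node[0], str) or node[0] not in KNOWN_OPS:
        return "unknown operator %r" % (node[0],)
    for arg in node[1:]:
        problem = _shape_problem(arg)
        if problem:
            return problem
    return None


def check_query(hint):
    """Validate one 'query=...' hint. Returns (True, parsed) or (False, why)."""
    key, sep, raw = hint.partition("=")
    if key != "query" or not sep:
        return False, "not a query hint: %r" % hint
    try:
        query = json.loads(raw)          # the call the trace ends in
    except ValueError as exc:
        # Python 2.7 words this "No JSON object could be decoded".
        return False, "scheduler cannot decode %r (%s)" % (raw, exc)
    if not isinstance(query, list):
        return False, "query must be a JSON list"
    problem = _shape_problem(query)
    if problem:
        return False, problem
    return True, query


if __name__ == "__main__":
    for label, cmdline in COMMANDS.items():
        for hint in hint_values(cmdline):
            ok, detail = check_query(hint)
            print("%-24s %-36s %s" % (label, hint, detail if not ok else "ok"))
```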
Re: [Openstack] Angry People and OpenStack
George

I like your contributions. I also like the idea of people treating each other well. Makes it easier for us to have the discussions you want to have.

-Matt

On Thu, Aug 2, 2012 at 8:54 AM, Stefano Maffulli stef...@openstack.org wrote:

On Thu 02 Aug 2012 07:19:28 AM PDT, George Reese wrote:

ignore the fact that OpenStack governance has a huge trust problem,

I don't think this is true: It's true that some people don't trust OpenStack governance, not that the governance is broken. The bylaws have been discussed for months, the governance model is based on the processes and principles that have brought OpenStack where it is today. We can't stop every time to address theoretical concerns expressed by people that fundamentally don't trust us (and they don't have to).

that the product has stability and compatibility issues.

Like all products out there: nobody is perfect.

Attack me for criticizing OpenStack when on a daily basis I am doing a lot of work to get into real world deployments.

you've been criticised for your questionable choice of words not for the content of your criticism. While you probably ended up in somebody's killfile, your contributions are still appreciated by many because you *do* real things with OpenStack (differently from others that just like to *talk* about OpenStack).

Let's stick to making a great product and have fun meanwhile: this is an exciting time. OpenStack Foundation is being born, well funded, supported by a wide spectrum of companies and lots of people. The future is bright.

/stef
[Openstack] Fwd: Re: Keystone: 'PKI Signed Tokens' lack support for revocation
Originally responded just to Christopher. Forwarding this on to the main list.

First of all, let me say thanks to everyone participating in the discussion. This is the only way we are going to identify all of the issues and come up with a decent implementation. I knew this would be a touchy subject when we first started designing it, and suspected that it would take some form of commit before the discussion hit the majority of the community.

On 08/02/2012 02:20 PM, Christopher MacGown wrote:

On Thursday, August 2, 2012 at 6:59 AM, Adam Young wrote:

So, let me put the onus on you: make the argument for rapid revocation of tokens.

If you are deploying OpenStack and providing access to third parties, and for whatever reason you terminate a relationship with that third party — whether they cancel, you've banned them, you've removed a user from a tenant/project — you want that third party to immediately lose access to whatever capability they had prior to that termination. Leaving non-affiliated users with access to resources is a serious security risk that would make OpenStack unusable in a regulated environment.

In those cases, you probably want to continue on with online token checking, regardless of UUID/PKI. That ability will not go away. We probably do need a configuration option for auth_token that indicates whether it should verify with PKI or not, but my guess is that the real policy will be dictated by keystone. Perhaps what we really need is for the remote services to query this value from the keystone server. It could do the check when it originally fetches certificates. The certificates themselves could be shorter lived (say 24 hours) and refreshed when they expire. Automatic Management of the certificates probably should also be configurable, with many organizations preferring to use Puppet etc.

I suspect that we are going to want a more nuanced policy/mechanism long term, something along the lines of:

Tenant specific PKI tickets are short lived, say 5 minutes.
Non-tenant specific tickets are used to get tenant specific tickets.
Long running tasks will call back to Keystone to verify ticket validity using UUID tokens.

If we start doing something along the lines of Federation as I've started https://blueprints.launchpad.net/keystone/+spec/federation You would also have the option of revoking the signing certificate for a whole domain, which would be an effective way to deny access to a swath of people, say on a breach of contract.

In large organizations, there is always going to be some non-zero delay between the decision to revoke authorization and the implementation of that decision. With LDAP replication, at a minimum you have the replication delay. The question is what that acceptable delay is in a given scenario. It may not be the same even for all use cases even in a large organization.

--
Christopher MacGown, CTO
Piston Cloud Computing, Inc.
w: (650) 24-CLOUD m: (415) 300-0944
http://www.pistoncloud.com
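The trade-off discussed in this message, as an added example (not Keystone code and not from the thread): a service that validates signed tokens locally keeps accepting a revoked token until the token expires or its cached revocation list is refreshed. HMAC stands in for PKI signing, and the class and function names, the cached revocation list, the 60-second refresh and the 3600-second lifetime are assumptions; the 300-second lifetime is the "say 5 minutes" from the message.

```python
import hashlib
import hmac
import json

# Constructed key. Keystone PKI tokens are signed with an X.509 key pair;
# HMAC is a stand-in so the example runs with the standard library only.
SIGNING_KEY = b"constructed-demo-key"


def _sign(body):
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue(user, tenant, now, lifetime):
    """Return a signed token 'body.signature' expiring at now + lifetime."""
    body = json.dumps({"user": user, "tenant": tenant, "exp": now + lifetime},
                      sort_keys=True)
    return body + "." + _sign(body)


def token_id(token):
    return hashlib.sha256(token.encode()).hexdigest()


class IdentityServer:
    """Hypothetical stand-in for the Keystone side: owns the revocation list."""

    def __init__(self):
        self.revoked = set()

    def revoke(self, token):
        self.revoked.add(token_id(token))

    def revocation_list(self):
        return frozenset(self.revoked)


class OfflineVerifier:
    """Hypothetical stand-in for a remote service validating tokens locally.

    refresh_interval=None -> signature and expiry only, never asks the server
    refresh_interval=N    -> re-fetch the revocation list every N seconds
    refresh_interval=0    -> ask on every request (same exposure as online checks)
    """

    def __init__(self, server, refresh_interval):
        self.server = server
        self.refresh_interval = refresh_interval
        self.cached = frozenset()
        self.fetched_at = None

    def accepts(self, token, now):
        body, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return False                  # forged or altered token
        if now >= json.loads(body)["exp"]:
            return False                  # expired
        if self.refresh_interval is None:
            return True
        stale = (self.fetched_at is None
                 or now - self.fetched_at >= self.refresh_interval)
        if stale:
            self.cached = self.server.revocation_list()
            self.fetched_at = now
        return token_id(token) not in self.cached


def seconds_accepted_after_revocation(lifetime, refresh_interval, revoke_at):
    """Simulate one request per second; count those accepted after revocation."""
    server = IdentityServer()
    verifier = OfflineVerifier(server, refresh_interval)
    token = issue("alice", "demo", now=0, lifetime=lifetime)
    accepted = 0
    for now in range(lifetime + 1):
        if now == revoke_at:
            server.revoke(token)
        ok = verifier.accepts(token, now)
        if ok and now >= revoke_at:
            accepted += 1
    return accepted


if __name__ == "__main__":
    for lifetime, refresh in [(300, None), (300, 60), (300, 0), (3600, None)]:
        n = seconds_accepted_after_revocation(lifetime, refresh, revoke_at=10)
        print("lifetime=%ds refresh=%s -> accepted for %ds after revocation"
              % (lifetime, refresh, n))
```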
Re: [Openstack] Announcing proof-of-concept Load Balancing as a Service project
REMINDER: the IRC meeting will happen in 5 minutes on #openstack-meetings.

On Tue, Jul 24, 2012 at 6:33 PM, Eugene Kirpichov ekirpic...@gmail.com wrote:

Hello community,

We at Mirantis have had a number of clients request functionality to control various load balancer devices (software and hardware) via an OpenStack API and horizon. So, in collaboration with Cisco OpenStack team and a number of other community members, we’ve started socializing the blueprints for an elastic load balancer API service. At this point we’d like to share where we are and would very much appreciate anyone participate and provide input.

The current vision is to allow cloud tenants to request and provision virtual load balancers on demand and allow cloud administrators to manage a pool of available LB devices. Access is provided under a unified interface to different kinds of load balancers, both software and hardware. It means that API for tenants is abstracted away from the actual API of underlying hardware or software load balancers, and LBaaS effectively bridges this gap.

POC level support for Cisco ACE and HAproxy is currently implemented in the form of plug-ins to LBaaS called “drivers”. We also started some work on F5 drivers. Would appreciate hearing input on what other drivers may be important at this point…nginx?

Another question we have is if this should be a standalone module or a Quantum plugin… Dan – any feedback on this (and BTW congrats on the acquisition =).

In order not to reinvent the wheel, we decided to base our API on Atlas-LB (http://wiki.openstack.org/Atlas-LB).

Here are all the pointers:

* Project overview: http://goo.gl/vZdei
* Screencast: http://www.youtube.com/watch?v=NgAL-kfdbtE
* API draft: http://goo.gl/gFcWT
* Roadmap: http://goo.gl/EZAhf
* Github repo: https://github.com/Mirantis/openstack-lbaas

The code is written in Python and based on the OpenStack service template. We’ll be happy to give a walkthrough over what we have to anyone who may be interested in contributing (for example, creating a driver to support a particular LB device).

All of the documents and code are not set in stone and we’re writing here specifically to ask for feedback and collaboration from the community.

We would like to start holding weekly IRC meetings at #openstack-meeting; we propose 19:00 UTC on Thursdays (this time seems free according to http://wiki.openstack.org/Meetings/ ), starting Aug 2.

--
Eugene Kirpichov
http://www.linkedin.com/in/eugenekirpichov
Re: [Openstack] Preventing OpenStack from allocating some floating ips?
On Thu, 2012-08-02 at 13:59 -0400, Lars Kellogg-Stedman wrote:

If I create a floating address range like this:

    nova-manage floating create --ip_range=10.243.30.0/24

Is there any way to block out specific addresses in that range? For example, the .1 address is the network gateway, and everything will fall apart if that address is accidentally allocated to an instance. Similarly, our host needs an address in that range in order to route traffic to the gateway.

Is there any way to exempt specific addresses? I realize that instead of allocating a /24 I could allocate a series of, say, /28 networks, but that seems a little clumsy.

(The following is assuming you're using Essex - I don't really know anything about Quantum)

An interesting thing about how floating IPs work is that internally nova-network just has a big table of ip addresses in the database. The only thing that using a CIDR range like 10.243.20.0/24 does is save you some typing - it does the exact same thing as separately adding 10.243.20.1, 10.243.20.2, and so on. So it really makes no difference if you just individually add the ip addresses that you want to use.

The easiest alternative? Just add the entire /24 range, then delete the individual addresses that you want to reserve using

    nova-manage floating delete 10.243.30.1

and so on.

--
Calvin Walton calvin.wal...@kepstin.ca
Re: [Openstack] Swift account listing
On Thu, 19 Jul 2012 16:10:06 +0100 Juan J. Martinez j...@memset.com wrote:

I guess you can use the list of current accounts from Keystone and translate that into the account ring hash.

swift-get-nodes /etc/swift/account.ring.gz myKeyStoneAcct | grep Hash | cut -f2
5819de5a52d5813f5ce95c9121b97652

Then you can look for hashes that are not in that list of hashes. Per storage node you should check: /srv/node/$0/accounts/$1/*/$2/

The point is to use Swift itself _and_ Keystone, in order to find discrepancies or orphan accounts.

I ended up using listdir for now, since our installation is very small, so directories fit in memory. Code is here: https://github.com/zaitcev/swift-report

Output looks like this:

15051/4a7/3acbbe2ab55b81269ff88490a1b574a7 SK zaitcev
60690/f22/ed125debcbadbac11ef93c40dede0f22 SK glance
5497/6ee/1579e4404e54e5edb53c00f1206696ee SK shared
52389/69e/cca50f1c92b3b7f2a15d6b8e2aaee69e S- -
3066/787/0bfa11e194ee8889ff1c797a718cf787 SK admin
56328/3d8/dc088209ed71d08a00493c95888583d8 SK testuser

S is for accounts found in Swift, K is for accounts found in Keystone.

I have a feeling though that I must be reinventing the bicycle here. Surely someone, somewhere, has written a Swift consistency checker before.

-- Pete
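A way to consume the report format shown in the message above and pull out the orphan accounts (found in Swift, absent from Keystone), as an added example that is not part of the original post or of swift-report. The field reading (partition/suffix/hash), the partition power of 16 inferred from the six sample lines, and all function names are assumptions.

```python
import re

# Assumption: in every sample line the first field equals the top 16 bits of
# the hash and the second field equals its last three hex digits, which is
# what a ring with partition power 16 would produce.
PART_POWER = 16

# The six report lines quoted in the message above.
SAMPLE_REPORT = """\
15051/4a7/3acbbe2ab55b81269ff88490a1b574a7 SK zaitcev
60690/f22/ed125debcbadbac11ef93c40dede0f22 SK glance
5497/6ee/1579e4404e54e5edb53c00f1206696ee SK shared
52389/69e/cca50f1c92b3b7f2a15d6b8e2aaee69e S- -
3066/787/0bfa11e194ee8889ff1c797a718cf787 SK admin
56328/3d8/dc088209ed71d08a00493c95888583d8 SK testuser
"""

# partition/suffix/hash, then the S and K flags, then the account name.
# How a Keystone-only account is printed is not shown on the page; this
# pattern assumes it keeps the same shape with "-K" as the flags.
LINE_RE = re.compile(
    r"^(\d+)/([0-9a-f]{3})/([0-9a-f]{32}) ([S-])([K-]) (\S+)$"
)


def parse_line(line):
    """Parse one report line and check that its path fields agree with its hash."""
    match = LINE_RE.match(line.strip())
    if match is None:
        raise ValueError("unrecognised report line: %r" % (line,))
    partition, suffix, digest, swift_flag, keystone_flag, name = match.groups()

    # A path whose suffix or partition disagrees with the hash was either
    # mis-copied or points at a misplaced directory; refuse to trust it.
    if digest[-3:] != suffix:
        raise ValueError("suffix %s does not match hash %s" % (suffix, digest))
    expected_partition = int(digest[:8], 16) >> (32 - PART_POWER)
    if int(partition) != expected_partition:
        raise ValueError(
            "partition %s does not match hash %s (expected %d)"
            % (partition, digest, expected_partition)
        )

    return {
        "partition": int(partition),
        "hash": digest,
        "in_swift": swift_flag == "S",
        "in_keystone": keystone_flag == "K",
        "name": None if name == "-" else name,
    }


def find_discrepancies(report):
    """Return (orphan_hashes, missing_names) for a whole report.

    orphan_hashes: accounts present on disk in Swift with no Keystone entry.
    missing_names: accounts known to Keystone with nothing stored in Swift.
    """
    orphans, missing = [], []
    for line in report.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record["in_swift"] and not record["in_keystone"]:
            orphans.append(record["hash"])
        elif record["in_keystone"] and not record["in_swift"]:
            missing.append(record["name"])
    return orphans, missing


if __name__ == "__main__":
    orphan_hashes, missing_names = find_discrepancies(SAMPLE_REPORT)
    print("orphans in Swift:", orphan_hashes)
    print("Keystone accounts with no Swift data:", missing_names)
```
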
Re: [Openstack] Preventing OpenStack from allocating some floating ips?
(The following is assuming you're using Essex - I don't really know anything about Quantum)

Yeah, we're using Essex with FlatDHCP networking for now.

An interesting thing about how floating IPs work is that internally nova-network just has a big table of ip addresses in the database.

That's good to know. We try as much as possible to avoid solutions that involve poking at the database, but we can probably live with this. Especially since MySQL knows about IP addresses (so we can select all addresses below x.x.x.10 or something).

--
Lars Kellogg-Stedman l...@seas.harvard.edu
Senior Technologist | http://ac.seas.harvard.edu/
Academic Computing | http://code.seas.harvard.edu/
Harvard School of Engineering and Applied Sciences
Re: [Openstack] best practices for merging common into specific projects
On Monday, July 23, 2012 at 12:04 PM, Doug Hellmann wrote:

Sorry if this rekindles old arguments, but could someone summarize the reasons for an openstack-common PTL without voting rights? I would have defaulted to giving them a vote *especially* because the code in common is, well, common to all of the projects.

So far, the PPB considered openstack-common to be driven by all PTLs, so it didn't have a specific PTL.

As far as future governance is concerned (technical committee of the Foundation), openstack-common would technically be considered a supporting library (rather than a core project) -- those can have leads, but those do not get granted an automatic TC seat.

OK, I can see the distinction there. I think the project needs an official leader, even if we don't call them a PTL in the sense meant for other projects. And I would expect anyone willing to take on the PTL role for common to be qualified to run for one of the open positions on the new TC, if they wanted to participate there.

The scope of common is expanding. I believe it is time to seriously consider a proper PTL. Preferably, before the PTL elections.

The RPC code is there now. We're talking about putting the membership services there too, for the sake of RPC, and even the low-level SQLAlchemy/MySQL access code for the sake of membership services. A wrapper around pyopenssl is likely to land there too, for the sake of RPC. These are just some of the changes that have already landed, or are expected to land within Folsom.

Common contains essential pieces to the success of OpenStack which are currently lacking (official) leadership. Everyone's problem is nobody's problem.

Consider this my +1 on assigning a PTL for common.

Regards, Eric Windisch
Re: [Openstack] Preventing OpenStack from allocating some floating ips?
The create command via cidr is just a convenience to create a bunch of floating ips at once, floating ips are actually individual entries in the db. It should skip the network and gateway addresses by default, but it is perfectly acceptable to delete individual addresses with

nova-manage floating delete 10.243.30.17

(for example)

You need to leave off the /XX to specify a single address.

Vish

On Aug 2, 2012, at 10:59 AM, Lars Kellogg-Stedman l...@seas.harvard.edu wrote:

If I create a floating address range like this:

nova-manage floating create --ip_range=10.243.30.0/24

Is there any way to block out specific addresses in that range? For example, the .1 address is the network gateway, and everything will fall apart if that address is accidentally allocated to an instance. Similarly, our host needs an address in that range in order to route traffic to the gateway. Is there any way to exempt specific addresses? I realize that instead of allocating a /24 I could allocate a series of, say, /28 networks, but that seems a little clumsy.

Thanks,

--
Lars Kellogg-Stedman l...@seas.harvard.edu
Senior Technologist | http://ac.seas.harvard.edu/
Academic Computing | http://code.seas.harvard.edu/
Harvard School of Engineering and Applied Sciences
[Openstack] EC2 api and tenants
I'm using essex 2012.1 and I'm running into an issue with tenant separation using the ec2 api. I end up having to give a user the 'admin' role in keystone to create instances within a tenant. I can live with that but the problem is, now that the user has 'admin', they also see all of the instances including ones from other tenants via a describe_instances().

If I only give them the 'Member' role, they can only see the instances within their default tenant but they can't create instances. Also, if they only have 'Member', I'm able to create instances via horizon manually.

I'm assuming I'm missing some combination of roles I need to setup to allow a user to create instances in their default tenant but not see other instances in other tenants.
Re: [Openstack] [glance] legacy client removal and python-glanceclient
The review has now landed in python-glanceclient master, so I'm going to release it tomorrow as v0.3.0 if nothing comes up between now and then.

On Aug 2, 2012, at 3:10 AM, Thierry Carrez wrote:

Brian Waldon wrote:

Ok, so I spent some time on this and got all of the existing/legacy CLI working within python-glanceclient. It should let anybody using the existing client keep on keepin' on without having to worry about CLI compatibility (until we actually remove the deprecated functionality in the v2 release).

That's awesome, Brian. Great work.

I pushed up a review here: https://review.openstack.org/#/c/10703/. I would love for those that voiced their concerns earlier to install the new client and make sure it really is backwards-compatible.

Yes, time to help and be part of the solution :)

-- Thierry Carrez (ttx) Release Manager, OpenStack
Re: [Openstack] best practices for merging common into specific projects
+1

Cheers,

Christopher Ferris
IBM Distinguished Engineer, CTO Industry and Cloud Standards
Member, IBM Academy of Technology
IBM Software Group, Standards Strategy
email: chris...@us.ibm.com
Twitter: christo4ferris
phone: +1 508 234 2986

-openstack-bounces+chrisfer=us.ibm@lists.launchpad.net wrote: -
To: Doug Hellmann doug.hellm...@dreamhost.com
From: Eric Windisch
Sent by: openstack-bounces+chrisfer=us.ibm@lists.launchpad.net
Date: 08/02/2012 04:59PM
Cc: Thierry Carrez thie...@openstack.org, openstack@lists.launchpad.net
Subject: Re: [Openstack] best practices for merging common into specific projects

On Monday, July 23, 2012 at 12:04 PM, Doug Hellmann wrote:

Sorry if this rekindles old arguments, but could someone summarize the reasons for an openstack-common "PTL" without voting rights? I would have defaulted to giving them a vote *especially* because the code in common is, well, common to all of the projects.

So far, the PPB considered openstack-common to be driven by "all PTLs", so it didn't have a specific PTL.

As far as future governance is concerned (technical committee of the Foundation), openstack-common would technically be considered a supporting library (rather than a core project) -- those can have leads, but those do not get granted an automatic TC seat.

OK, I can see the distinction there. I think the project needs an official leader, even if we don't call them a PTL in the sense meant for other projects. And I would expect anyone willing to take on the PTL role for common to be qualified to run for one of the open positions on the new TC, if they wanted to participate there.

The scope of common is expanding. I believe it is time to seriously consider a proper PTL. Preferably, before the PTL elections.

The RPC code is there now. We're talking about putting the membership services there too, for the sake of RPC, and even the low-level SQLAlchemy/MySQL access code for the sake of membership services. A wrapper around pyopenssl is likely to land there too, for the sake of RPC. These are just some of the changes that have already landed, or are expected to land within Folsom.

Common contains essential pieces to the success of OpenStack which are currently lacking (official) leadership. Everyone's problem is nobody's problem.

Consider this my +1 on assigning a PTL for common.

Regards,
Eric Windisch
Re: [Openstack] EC2 api and tenants
Which version of the code are you using? This could potentially be a bug. Can you give some more information on what goes wrong with creating an instance? Do you get a traceback anywhere?

Vish

On Aug 2, 2012, at 1:23 PM, Mitchell Broome mitchell.bro...@gmail.com wrote:

I'm using essex 2012.1 and I'm running into an issue with tenant separation using the ec2 api. I end up having to give a user the 'admin' role in keystone to create instances within a tenant. I can live with that but the problem is, now that the user has 'admin', they also see all of the instances including ones from other tenants via a describe_instances().

If I only give them the 'Member' role, they can only see the instances within their default tenant but they can't create instances. Also, if they only have 'Member', I'm able to create instances via horizon manually.

I'm assuming I'm missing some combination of roles I need to setup to allow a user to create instances in their default tenant but not see other instances in other tenants.
Re: [Openstack] best practices for merging common into specific projects
On Aug 2, 2012, at 1:05 PM, Eric Windisch e...@cloudscaling.com wrote: The scope of common is expanding. I believe it is time to seriously consider a proper PTL. Preferably, before the PTL elections. +1
Re: [Openstack] EC2 api and tenants
On Thu, Aug 2, 2012 at 1:23 PM, Mitchell Broome mitchell.bro...@gmail.com wrote:

I'm using essex 2012.1 and I'm running into an issue with tenant separation using the ec2 api. I end up having to give a user the 'admin' role in keystone to create instances within a tenant. I can live with that but the problem is, now that the user has 'admin', they also see all of the instances including ones from other tenants via a describe_instances().

If I only give them the 'Member' role, they can only see the instances within their default tenant but they can't create instances. Also, if they only have 'Member', I'm able to create instances via horizon manually.

I'm assuming I'm missing some combination of roles I need to setup to allow a user to create instances in their default tenant but not see other instances in other tenants.

So far, from what I can tell, you need to add custom roles (or continue using sysadmin and netadmin), and add these roles to the proper actions in policy.json.

- Ryan
Re: [Openstack] Cannot pass hint to Nova Scheduler
Sorry for top-posting, but there's not really a good place to inline comment.

First, let's tackle logging in devstack...

When using devstack, you noticed that it logs to the screen session by default. To make devstack ALSO log to a file, put the following in your localrc:

LOG_COLOR=False
SCREEN_LOGDIR=/opt/stack/logs

And re-run stack.sh. You will now find the various service log files in /opt/stack/logs.

Second, let's handle the JSON issue...

Nova isn't trying to decode a file. It's trying to JSON-decode the string you're putting on the command line:

--hint query=['=','$free_ram_mb',1024]

The novaclient is passing the string ['=','$free_ram_mb',1024] to the jsonutils.loads() function, which is what is failing. You can try parsing this string yourself and see that the failure is raised the same as appears in the log:

jpipes@uberbox:~/repos/tempest$ python
Python 2.7.3 (default, Apr 20 2012, 22:39:59)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import json
>>> p = json.loads("['=','$free_ram_mb',1024]")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/json/__init__.py", line 326, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 384, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

The problem is the string needs to be properly formatted JSON, and single-quotes are not allowed -- you need to use double-quotes:

>>> p = json.loads('["=","$free_ram_mb",1024]')
>>> print p
[u'=', u'$free_ram_mb', 1024]

Try your command like this instead:

nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query='["=","$free_ram_mb",1024]' server1

And I think you should be fine, as the following proof shows:

jpipes@uberbox:~/repos/tempest$ echo '["=","$free_ram_mb",1024]' | python -mjson.tool
[
    "=",
    "$free_ram_mb",
    1024
]

Best,
-jay

On 08/02/2012 02:09 PM, Heng Xu wrote:

Hi, attached is the json_filter file I used, but it just came with devstack script installation, I did not even modify it.

Heng

From: Pengjun Pan [panpeng...@gmail.com]
Sent: Thursday, August 02, 2012 6:07 PM
To: Heng Xu
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Post your filter file. Might be a typo.

PJ

On Thu, Aug 2, 2012 at 1:02 PM, Heng Xu shouhengzhang...@mail.utoronto.ca wrote:

Hi, I recorded the error message, below

2012-08-02 13:51:02 TRACE nova.rpc.amqp File "/opt/stack/nova/nova/scheduler/filters/json_filter.py", line 141, in host_passes
2012-08-02 13:51:02 TRACE nova.rpc.amqp result = self._process_filter(jsonutils.loads(query), host_state)
2012-08-02 13:51:02 TRACE nova.rpc.amqp File "/opt/stack/nova/nova/openstack/common/jsonutils.py", line 123, in loads
2012-08-02 13:51:02 TRACE nova.rpc.amqp return json.loads(s)
2012-08-02 13:51:02 TRACE nova.rpc.amqp File "/usr/lib/python2.7/json/__init__.py", line 326, in loads
2012-08-02 13:51:02 TRACE nova.rpc.amqp return _default_decoder.decode(s)
2012-08-02 13:51:02 TRACE nova.rpc.amqp File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
2012-08-02 13:51:02 TRACE nova.rpc.amqp obj, end = self.raw_decode(s, idx=_w(s, 0).end())
2012-08-02 13:51:02 TRACE nova.rpc.amqp File "/usr/lib/python2.7/json/decoder.py", line 384, in raw_decode
2012-08-02 13:51:02 TRACE nova.rpc.amqp raise ValueError("No JSON object could be decoded")
2012-08-02 13:51:02 TRACE nova.rpc.amqp ValueError: No JSON object could be decoded
2012-08-02 13:51:02 TRACE nova.rpc.amqp

it seems that the filter cannot find my json file, so although I was using the --hint functionality, whatever typed after the hint did not go to the filter host_passed function, so it could not locate the json object, any thoughts? Thanks.

Heng

From: openstack-bounces+shouhengzhang.xu=mail.utoronto...@lists.launchpad.net [openstack-bounces+shouhengzhang.xu=mail.utoronto...@lists.launchpad.net] on behalf of Heng Xu [shouhengzhang...@mail.utoronto.ca]
Sent: Thursday, August 02, 2012 4:47 PM
To: Pengjun Pan
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Hi PJ

I don't know what happen, I could not find the file in my Ubuntu filesystem, I searched for it, no result, but I just used ./stack.sh to install it, I it is just me could not find the file? Any thoughts? thank you

Heng

From: Pengjun Pan [panpeng...@gmail.com]
Sent: Thursday, August 02, 2012 4:42 PM
To: Heng Xu
Cc: Joseph Suh; openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Hi Heng, The log
Re: [Openstack] best practices for merging common into specific projects
On 08/02/2012 04:05 PM, Eric Windisch wrote:

On Monday, July 23, 2012 at 12:04 PM, Doug Hellmann wrote:

Sorry if this rekindles old arguments, but could someone summarize the reasons for an openstack-common PTL without voting rights? I would have defaulted to giving them a vote *especially* because the code in common is, well, common to all of the projects.

So far, the PPB considered openstack-common to be driven by all PTLs, so it didn't have a specific PTL.

As far as future governance is concerned (technical committee of the Foundation), openstack-common would technically be considered a supporting library (rather than a core project) -- those can have leads, but those do not get granted an automatic TC seat.

OK, I can see the distinction there. I think the project needs an official leader, even if we don't call them a PTL in the sense meant for other projects. And I would expect anyone willing to take on the PTL role for common to be qualified to run for one of the open positions on the new TC, if they wanted to participate there.

The scope of common is expanding. I believe it is time to seriously consider a proper PTL. Preferably, before the PTL elections.

No disagreement from me.

The RPC code is there now. We're talking about putting the membership services there too, for the sake of RPC, and even the low-level SQLAlchemy/MySQL access code for the sake of membership services. A wrapper around pyopenssl is likely to land there too, for the sake of RPC. These are just some of the changes that have already landed, or are expected to land within Folsom.

What do you mean by membership services?

Common contains essential pieces to the success of OpenStack which are currently lacking (official) leadership. Everyone's problem is nobody's problem.

Consider this my +1 on assigning a PTL for common.

Sure, me too.

-jay
Re: [Openstack] best practices for merging common into specific projects
+1

On Fri, Aug 3, 2012 at 6:47 AM, Vishvananda Ishaya vishvana...@gmail.com wrote:

On Aug 2, 2012, at 1:05 PM, Eric Windisch e...@cloudscaling.com wrote:

The scope of common is expanding. I believe it is time to seriously consider a proper PTL. Preferably, before the PTL elections.

+1

-- *Intel SSG/SSD/SOTC/PRC/CITT* 880 Zixing Road, Zizhu Science Park, Minhang District, Shanghai, 200241, China +862161166500
Re: [Openstack] best practices for merging common into specific projects
What do you mean by membership services?

See the email today from Yun Mao. This is a proposal to have a pluggable framework for integration services that maintain memberships. This was originally designed to replace the MySQL heartbeats in Nova, although there will be a mysql-heartbeat backend by default as a drop-in replacement. There is a zookeeper backend in the works, and we've discussed the possibility of building a backend that can poll RabbitMQ's list_consumers.

This is useful for more than just Nova's heartbeats, however. This will largely supplant the requirement for the matchmaker to build these backends in itself, which had been my original plan (the matchmaker is already in openstack-common). As such, it had already been my intent to have a MySQL-backed matchmaker. The only thing new is that someone has actually written the code.

In the first pass, the intention is to leave the matchmaker in and introduce the membership modules. Then, the matchmaker would either use the new membership modules as a backend, or even replaced entirely.

Regards, Eric Windisch
[Openstack] User Account and Authentication Service (UAA)
hi all

anyone here have paper related to User Account and Authentication Service (UAA) in is OpenStack using UAA also?

thx in advance

F
Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation
On 08/01/2012 11:05 PM, Maru Newby wrote:

Hi Adam, I apologize if my questions were answered before. I wasn't aware that what I perceive as a very serious security concern was openly discussed. The arguments against revocation support, as you've described them, seem to be:

- it's complicated/messy/expensive to implement and/or execute
- Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the potential security hole that a lack of revocation represents, but I suppose a 'short enough' token lifespan could minimize that hole. But how short a span are you suggesting as being acceptable?

The delay between when a user's access permissions change (whether roles, password or even account deactivation) and when the ticket reflects that change is my concern. The default in Keystone has been 24h, which is clearly too long. Something on the order of 5 minutes would be ideal, but then ticket issuance could become the bottleneck. Validity that's much longer could be a real problem, though. Maybe not at the cloud administration level, but for a given project I can imagine someone being fired and their access being revoked. How long is an acceptable period for that ticket to still be valid? How much damage could be done by someone who should no longer have access to an account if their access cannot be revoked, by anyone, at all?

I realize that I had been thinking about the revocation list as something that needs to be broadcast. This is certainly not the case. A much better approach would be for the Keystone server to have a list of revoked tokens exposed in a URL. Then, a service like Glance or Nova can query the Revocation list on a simple schedule. The time out would be configurable, of course.

There is a question about what to do if the keystone server cannot be reached during that interval. Since the current behavior is for authentication to fail, I suppose we would continue doing that, but also wait a random amount of time and then requery the Keystone server.

In the future, I would like to make the set of Keystone servers a configurable list, and the policy for revocation checking should be able to vary per server: some Keystone servers in a federated approach might not be accessible. In those cases, it might be necessary for one Keystone server to proxy the revocation list for another server.

Let me know if this scheme makes sense to you. If so, we can write it up as an additional blueprint. It should not be that hard to implement.

I'm hearing that you, as the implementer of this feature, don't consider the lack of revocation to be an issue. What am I missing? Is support for revocation so repugnant that the potential security hole is preferable? I can see that from a developer's perspective, but I don't understand why someone deploying Keystone wouldn't avoid PKI tokens until revocation support became available.

Thanks, Maru

On 2012-08-01, at 9:47 PM, Adam Young wrote:

On 08/01/2012 09:19 PM, Maru Newby wrote:

I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4 And the review: https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is a specific reason why nobody responded to my question as to why revocation is not required for this new token scheme. Anybody?

It was discussed back when I wrote the Blueprint. While it is possible to do revocations with PKI, it is expensive and requires a lot of extra checking. Revocation is a policy decision, and the assumption is that people that are going to use PKI tokens are comfortable without revocation. Kerberos service tickets have the same limitation, and Kerberos has been in deployment that way for close to 25 years.

Assuming that PKI ticket lifespan is short enough, revocation should not be required. What will be tricky is to balance the needs of long lived tokens (delayed operations, long running operations) against the needs for reasonable token timeout.

PKI Token revocation would look like CRLs in the Certificate world. While they are used, they are clunky. Each time a token gets revoked, a blast message would have to go out to all registered parties informing them of the revocation. Keystone does not yet have a message queue interface, so doing that is prohibitive in the first implementation.

Note that users can get disabled, and token chaining will no longer work: you won't be able to use a token to get a new token from Keystone.

Thanks, Maru
Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation
Hi Adam,

I was thinking along the same lines - the revocation list could be accessed via a simple url. It wouldn't even have to be hosted by Keystone, necessarily. For larger clusters where performance might become an issue, what about generating to a static file as needed that is made available via any of the usual web server suspects?

As to whether the keystone server cannot be reached, that could be configurable. Some deployments might prefer permissive failure, others restrictive failure. I can see the case for both options.

+1, also, to the set of Keystone servers being a configurable list, with differential policies for revocation checking.

As to a justification for revocation, my use-case is more Swift (and integrated CDN) than Nova. A rogue user being able to manipulate VMs is one thing, but being able to expose potentially private data to a really wide audience is another. I would rate the damage potential of an object storage compromise as easily as great as application-level compromise.

I would be happy to participate in creating and implementing these ideas. How can I help?

Thanks, Maru

On 2012-08-02, at 10:24 PM, Adam Young wrote:

On 08/01/2012 11:05 PM, Maru Newby wrote:

Hi Adam, I apologize if my questions were answered before. I wasn't aware that what I perceive as a very serious security concern was openly discussed. The arguments against revocation support, as you've described them, seem to be:

- it's complicated/messy/expensive to implement and/or execute
- Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the potential security hole that a lack of revocation represents, but I suppose a 'short enough' token lifespan could minimize that hole. But how short a span are you suggesting as being acceptable?

The delay between when a user's access permissions change (whether roles, password or even account deactivation) and when the ticket reflects that change is my concern.
The default in Keystone has been 24h, which is clearly too long. Something on the order of 5 minutes would be ideal, but then ticket issuance could become the bottleneck. Validity that's much longer could be a real problem, though. Maybe not at the cloud administration level, but for a given project I can imagine someone being fired and their access being revoked. How long is an acceptable period for that ticket to still be valid? How much damage could be done by someone who should no longer have access to an account if their access cannot be revoked, by anyone, at all? I realize that I had been thinking about the revocation list as something that needs to be broadcast. This is certainly not the case. A much better approach would be for the Keystone server to have a list of revoked tokens exposed in an URL. Then, as service like Glance or Nova can query the Revocation list on a simple schedule. The time out would be configurable, of course. There is a question about what to do if the keystone server cannot be reached during that interval. Since the current behavior is for authentication to fail, I suppose we would continue doing that, but also wait a random amount of time and then requery the Keystone server. In the future, I would like to make the set of Keystone servers a configurable list, and the policy for revocation checking should be able to vary per server: some Keystone servers in a federated approach might not be accessible. In those cases, it might be necessary for one Keystone server to proxy the revocation list for another server. Let me know if this scheme makes sense to you. If so, we can write it up as an additional blueprint. It should not be that hard to implement. I'm hearing that you, as the implementer of this feature, don't consider the lack of revocation to be an issue. What am I missing? Is support for revocation so repugnant that the potential security hole is preferable? 
I can see that from a developer's perspective, but I don't understand why someone deploying Keystone wouldn't avoid PKI tokens until revocation support became available. Thanks, Maru On 2012-08-01, at 9:47 PM, Adam Young wrote: On 08/01/2012 09:19 PM, Maru Newby wrote: I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report: https://bugs.launchpad.net/keystone/+bug/1003962/comments/4 And the review: https://review.openstack.org/#/c/7754/ I'm curious as to whether anybody shares my concern and if there is a specific reason why nobody responded to my question as to why revocation is not required for this new token scheme. Anybody? It was discussed back when I wrote the Blueprint. While it is possible to do revocations with PKI, it is expensive and requires a lot of extra
Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation
Hi Adam,

I apologize if I came across as disrespectful. I was becoming frustrated that what I perceived as a valid concern was seemingly being ignored, but I recognize that there is no excuse for addressing you in a manner that I would not myself wish to be treated. I will do better going forward.

Thanks,
Maru

ps: Thank you for the reminder, Joe!

On 2012-08-02, at 1:56 AM, Joseph Heck wrote:

Hey Maru,

I think you're putting too many words in Adam's mouth here. First, Adam didn't assert it wasn't valuable, useful, or necessary - simply that it wasn't in the first cut and not in the list that we agreed was critically essential to an initial implementation. As you noted, it's a complex and somewhat tricky issue to get right.

There's always room for more participation to correct the flaws you see in the existing system - the beauty of open source. I would love to see continued work on the signing and revocation work to drive in these features that mean so much to you. I'd be happy to open a blueprint if you can stand behind it, define what you think is required, and commit to the work to implement that revocation mechanism.

Implying negative emotions on Adam's part when he's been the one driving the implementation and doing the work is simply inappropriate. Please consider the blueprint route, definition of a viable solution, and work to make it happen instead of name calling and asserting how the developers doing the work are screwing up.

- joe

On Aug 1, 2012, at 8:05 PM, Maru Newby mne...@internap.com wrote:

Hi Adam,

I apologize if my questions were answered before. I wasn't aware that what I perceive as a very serious security concern was openly discussed. The arguments against revocation support, as you've described them, seem to be:

- it's complicated/messy/expensive to implement and/or execute
- Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the potential security hole that a lack of revocation represents, but I suppose a 'short enough' token lifespan could minimize that hole. But how short a span are you suggesting as being acceptable? The delay between when a user's access permissions change (whether roles, password or even account deactivation) and when the ticket reflects that change is my concern.

The default in Keystone has been 24h, which is clearly too long. Something on the order of 5 minutes would be ideal, but then ticket issuance could become the bottleneck.

Validity that's much longer could be a real problem, though. Maybe not at the cloud administration level, but for a given project I can imagine someone being fired and their access being revoked. How long is an acceptable period for that ticket to still be valid? How much damage could be done by someone who should no longer have access to an account if their access cannot be revoked, by anyone, at all?

I'm hearing that you, as the implementer of this feature, don't consider the lack of revocation to be an issue. What am I missing? Is support for revocation so repugnant that the potential security hole is preferable? I can see that from a developer's perspective, but I don't understand why someone deploying Keystone wouldn't avoid PKI tokens until revocation support became available.

Thanks,
Maru

On 2012-08-01, at 9:47 PM, Adam Young wrote:

On 08/01/2012 09:19 PM, Maru Newby wrote:

I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report:

https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is a specific reason why nobody responded to my question as to why revocation is not required for this new token scheme. Anybody?

It was discussed back when I wrote the Blueprint. While it is possible to do revocations with PKI, it is expensive and requires a lot of extra checking.

Revocation is a policy decision, and the assumption is that people that are going to use PKI tokens are comfortable without revocation. Kerberos service tickets have the same limitation, and Kerberos has been in deployment that way for close to 25 years.

Assuming that PKI ticket lifespan is short enough, revocation should not be required. What will be tricky is to balance the needs of long lived tokens (delayed operations, long running operations) against the needs for reasonable token timeout.

PKI Token revocation would look like CRLs in the Certificate world. While they are used, they are clunky. Each time a token gets revoked, a blast message would have to go out to all registered parties informing them of the revocation. Keystone does not yet have a message queue interface, so doing that is
Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation
Adam,

I haven't yet had a chance to review how the new PKI signed tokens are implemented, but what you're describing sounds quite similar to online certificate status protocol (OCSP) but for tokens.

Nate

On Aug 2, 2012 10:24 PM, Adam Young ayo...@redhat.com wrote:

On 08/01/2012 11:05 PM, Maru Newby wrote:

Hi Adam,

I apologize if my questions were answered before. I wasn't aware that what I perceive as a very serious security concern was openly discussed. The arguments against revocation support, as you've described them, seem to be:

- it's complicated/messy/expensive to implement and/or execute
- Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the potential security hole that a lack of revocation represents, but I suppose a 'short enough' token lifespan could minimize that hole. But how short a span are you suggesting as being acceptable? The delay between when a user's access permissions change (whether roles, password or even account deactivation) and when the ticket reflects that change is my concern.

The default in Keystone has been 24h, which is clearly too long. Something on the order of 5 minutes would be ideal, but then ticket issuance could become the bottleneck.

Validity that's much longer could be a real problem, though. Maybe not at the cloud administration level, but for a given project I can imagine someone being fired and their access being revoked. How long is an acceptable period for that ticket to still be valid? How much damage could be done by someone who should no longer have access to an account if their access cannot be revoked, by anyone, at all?

I realize that I had been thinking about the revocation list as something that needs to be broadcast. This is certainly not the case. A much better approach would be for the Keystone server to have a list of revoked tokens exposed in an URL. Then, a service like Glance or Nova can query the Revocation list on a simple schedule. The time out would be configurable, of course.

There is a question about what to do if the keystone server cannot be reached during that interval. Since the current behavior is for authentication to fail, I suppose we would continue doing that, but also wait a random amount of time and then requery the Keystone server.

In the future, I would like to make the set of Keystone servers a configurable list, and the policy for revocation checking should be able to vary per server: some Keystone servers in a federated approach might not be accessible. In those cases, it might be necessary for one Keystone server to proxy the revocation list for another server.

Let me know if this scheme makes sense to you. If so, we can write it up as an additional blueprint. It should not be that hard to implement.

I'm hearing that you, as the implementer of this feature, don't consider the lack of revocation to be an issue. What am I missing? Is support for revocation so repugnant that the potential security hole is preferable? I can see that from a developer's perspective, but I don't understand why someone deploying Keystone wouldn't avoid PKI tokens until revocation support became available.

Thanks,
Maru

On 2012-08-01, at 9:47 PM, Adam Young wrote:

On 08/01/2012 09:19 PM, Maru Newby wrote:

I see that support for PKI Signed Tokens has been added to Keystone without support for token revocation. I tried to raise this issue on the bug report:

https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is a specific reason why nobody responded to my question as to why revocation is not required for this new token scheme. Anybody?

It was discussed back when I wrote the Blueprint. While it is possible to do revocations with PKI, it is expensive and requires a lot of extra checking.

Revocation is a policy decision, and the assumption is that people that are going to use PKI tokens are comfortable without revocation. Kerberos service tickets have the same limitation, and Kerberos has been in deployment that way for close to 25 years.

Assuming that PKI ticket lifespan is short enough, revocation should not be required. What will be tricky is to balance the needs of long lived tokens (delayed operations, long running operations) against the needs for reasonable token timeout.

PKI Token revocation would look like CRLs in the Certificate world. While they are used, they are clunky. Each time a token gets revoked, a blast message would have to go out to all registered parties informing them of the revocation. Keystone does not yet have a message queue interface, so doing that is prohibitive in the first implementation.

Note that users can get disabled, and token chaining will no longer work: you won't be able to use a
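
Added example, not part of the original messages and not Keystone code: a Python sketch of the scheme discussed in this thread, in which a service polls a revocation list on a schedule, requeries after a random wait when the server is unreachable, and applies a configurable permissive or restrictive policy once its copy is stale. RevocationCache, FailurePolicy, the fetch callable and the token ids are hypothetical names and constructed sample data.

```python
# A service-side cache of the revoked-token list, refreshed on a schedule.
import random
import time
from enum import Enum


class FailurePolicy(Enum):
    RESTRICTIVE = "restrictive"  # stale list: reject every token
    PERMISSIVE = "permissive"    # stale list: keep using the last copy


class RevocationCache:
    """Hypothetical helper; `fetch` stands in for an HTTP GET of the list URL."""

    def __init__(self, fetch, refresh_interval, policy,
                 retry_max=10.0, clock=time.monotonic, rng=random.random):
        self._fetch = fetch              # returns revoked ids, raises OSError
        self._interval = refresh_interval
        self._policy = policy
        self._retry_max = retry_max
        self._clock = clock
        self._rng = rng
        self._revoked = frozenset()
        self._fresh_until = None         # None: no list fetched yet
        self._next_attempt = 0.0
        self.fetch_attempts = 0

    def _refresh_if_due(self, now):
        if now < self._next_attempt:
            return
        self.fetch_attempts += 1
        try:
            revoked = frozenset(self._fetch())
        except OSError:
            # Server unreachable: keep the old copy and requery after a
            # random wait so that services do not all retry at once.
            self._next_attempt = now + self._rng() * self._retry_max
            return
        self._revoked = revoked
        self._fresh_until = now + self._interval
        self._next_attempt = self._fresh_until

    def is_allowed(self, token_id):
        """Return True if a signature-valid, unexpired token may be accepted."""
        now = self._clock()
        self._refresh_if_due(now)
        if token_id in self._revoked:
            return False                 # known revoked: rejected either way
        if self._fresh_until is not None and now < self._fresh_until:
            return True
        return self._policy is FailurePolicy.PERMISSIVE


def demo():
    """Constructed scenario: one revocation, then an outage of the list server."""
    now = [0.0]
    server = {"up": True, "revoked": ["tok-b"]}   # constructed sample data

    def fetch():
        if not server["up"]:
            raise OSError("revocation list unreachable")
        return list(server["revoked"])

    strict = RevocationCache(fetch, 60, FailurePolicy.RESTRICTIVE,
                             clock=lambda: now[0], rng=lambda: 0.5)
    lenient = RevocationCache(fetch, 60, FailurePolicy.PERMISSIVE,
                              clock=lambda: now[0], rng=lambda: 0.5)
    results = {"start": (strict.is_allowed("tok-a"), lenient.is_allowed("tok-a"))}
    server["revoked"].append("tok-a")             # tok-a is revoked at t=0
    now[0] = 30.0
    results["inside_interval"] = strict.is_allowed("tok-a")
    now[0] = 61.0
    results["after_refresh"] = strict.is_allowed("tok-a")
    server["up"] = False
    now[0] = 200.0
    results["outage"] = (strict.is_allowed("tok-c"), lenient.is_allowed("tok-c"),
                         lenient.is_allowed("tok-a"))
    return results
```

In the constructed run the token revoked at t=0 is still accepted at t=30, because the next poll is at t=60: the refresh interval is the exposure window. During the outage the permissive cache also keeps accepting a token whose revocation it never fetched.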
Re: [Openstack] Node Disk Cleaning Script
Pádraig, thanks. That's what I need.

2012/8/2 Pádraig Brady p...@draigbrady.com

On 08/02/2012 12:12 PM, Алексей Кайтаз wrote:

Hi! I hope this script will be useful for somebody.

    #!/bin/bash
    # Delete files in _base that no instance disk uses as a backing file.
    cd /var/lib/nova/instances || exit 1
    # List the backing files still in use, one path per line.
    find . -name 'disk*' | xargs -n1 qemu-img info | grep backing |
        sed -e 's/.*file: //' -e 's/ .*//' | sort | uniq > /tmp/ignore
    # Exclude each of them from the delete below.
    ARGS=()
    while read -r i; do
        ARGS+=( '(' '!' -path "$i" ')' )
    done < /tmp/ignore
    find /var/lib/nova/instances/_base/ -type f "${ARGS[@]}" -delete

This is done automatically by nova when you enable this in /etc/nova/nova.conf

    remove_unused_base_images = True

That is done in Fedora/EPEL packages for the last while, and will default on in the next folsom release.

cheers,
Pádraig.

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] best practices for merging common into specific projects
On Thu, 2012-08-02 at 15:47 -0700, Vishvananda Ishaya wrote:

On Aug 2, 2012, at 1:05 PM, Eric Windisch e...@cloudscaling.com wrote:

The scope of common is expanding. I believe it is time to seriously consider a proper PTL. Preferably, before the PTL elections.

+1

So, I guess I've been doing this unofficially. I'm happy for that to be official until the next round elections.

Cheers,
Mark.
Re: [Openstack] User Account and Authentication Service (UAA)
It has keystone.

On 3 Aug 2012 at 03:05, Frans Thamura fr...@meruvian.org wrote:

hi all

anyone here have paper related to User Account and Authentication Service (UAA) in is OpenStack using UAA also?

thx in advance

F
[Openstack-ubuntu-testing-notifications] Build Failure: quantal_folsom_python-glanceclient_trunk #51
Title: quantal_folsom_python-glanceclient_trunk

General Information

BUILD FAILURE
Build URL: https://jenkins.qa.ubuntu.com/job/quantal_folsom_python-glanceclient_trunk/51/
Project: quantal_folsom_python-glanceclient_trunk
Date of build: Thu, 02 Aug 2012 14:31:53 -0400
Build duration: 3 min 7 sec
Build cause: Started by an SCM change
Built on: pkg-builder

Health Report

W  Description                                          Score
   Build stability: 1 out of the last 5 builds failed.  80

Changes

Update python-keystoneclient version dependency
by bcwaldon
edit tools/pip-requires

Console Output

[...truncated 1895 lines...]
Build-Space: 768
Build-Time: 4
Distribution: quantal-folsom
Fail-Stage: build
Install-Time: 44
Job: python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1.dsc
Package: python-glanceclient
Package-Time: 72
Source-Version: 1:0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1
Space: 768
Status: attempted
Version: 1:0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1
Finished at 20120802-1434
Build needed 00:01:12, 768k disc space
ERROR:root:Error occurred during package creation/build
ERROR:root:Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
INFO:root:Complete command log:
INFO:root:Destroying schroot.
bzr branch lp:~openstack-ubuntu-testing/python-glanceclient/quantal-folsom-proposed /tmp/tmpzC8S6q/python-glanceclient
mk-build-deps -i -r -t apt-get -y /tmp/tmpzC8S6q/python-glanceclient/debian/control
python setup.py sdist
git log -n1 --no-merges --pretty=format:%H
bzr merge lp:~openstack-ubuntu-testing/python-glanceclient/quantal-folsom --force
dch -b -D quantal --newversion 1:0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1 Automated Ubuntu testing build:
dch -b -D quantal --newversion 1:0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1 Automated Ubuntu testing build:
debcommit
bzr builddeb -S -- -sa -us -uc
bzr builddeb -S -- -sa -us -uc
debsign -k9935ACDC python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1_source.changes
sbuild -d quantal-folsom -n -A python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1.dsc
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/apport_python_hook.py", line 68, in apport_excepthook
    binary = os.path.realpath(os.path.join(os.getcwdu(), sys.argv[0]))
OSError: [Errno 2] No such file or directory
Original exception was:
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
Build step 'Execute shell' marked build as failure
Email was triggered for: Failure
Sending email for trigger: Failure

--
Mailing list: https://launchpad.net/~openstack-ubuntu-testing-notifications
Post to : openstack-ubuntu-testing-notifications@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack-ubuntu-testing-notifications
More help : https://help.launchpad.net/ListHelp
[Openstack-ubuntu-testing-notifications] Build Still Failing: quantal_folsom_swift_trunk #38
Title: quantal_folsom_swift_trunk

General Information

BUILD FAILURE
Build URL: https://jenkins.qa.ubuntu.com/job/quantal_folsom_swift_trunk/38/
Project: quantal_folsom_swift_trunk
Date of build: Thu, 02 Aug 2012 14:31:53 -0400
Build duration: 3 min 55 sec
Build cause: Started by an SCM change
Built on: pkg-builder

Health Report

W  Description                                  Score
   Build stability: All recent builds failed.   0

Changes

Ensure parameters sent to db are utf8 strs
by z-launchpad
edit swift/common/db.py

Console Output

[...truncated 2667 lines...]
Build-Time: 17
Distribution: quantal-folsom
Fail-Stage: build
Install-Time: 37
Job: swift_1.6.1+git201208021432~quantal-0ubuntu1.dsc
Package: swift
Package-Time: 77
Source-Version: 1.6.1+git201208021432~quantal-0ubuntu1
Space: 19032
Status: attempted
Version: 1.6.1+git201208021432~quantal-0ubuntu1
Finished at 20120802-1435
Build needed 00:01:17, 19032k disc space
ERROR:root:Error occurred during package creation/build
ERROR:root:Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'swift_1.6.1+git201208021432~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
INFO:root:Complete command log:
INFO:root:Destroying schroot.
bzr branch lp:~openstack-ubuntu-testing/swift/quantal-folsom-proposed /tmp/tmp9cWeNy/swift
mk-build-deps -i -r -t apt-get -y /tmp/tmp9cWeNy/swift/debian/control
python setup.py sdist
git log -n1 --no-merges --pretty=format:%H
git log ceaf7606fe25f77cf31deb2946a16ae7a6fec05c..HEAD --no-merges --pretty=format:[%h] %s
bzr merge lp:~openstack-ubuntu-testing/swift/quantal-folsom --force
dch -b -D quantal --newversion 1.6.1+git201208021432~quantal-0ubuntu1 Automated Ubuntu testing build:
dch -b -D quantal --newversion 1.6.1+git201208021432~quantal-0ubuntu1 Automated Ubuntu testing build:
debcommit
bzr builddeb -S -- -sa -us -uc
bzr builddeb -S -- -sa -us -uc
debsign -k9935ACDC swift_1.6.1+git201208021432~quantal-0ubuntu1_source.changes
sbuild -d quantal-folsom -n -A swift_1.6.1+git201208021432~quantal-0ubuntu1.dsc
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'swift_1.6.1+git201208021432~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/apport_python_hook.py", line 68, in apport_excepthook
    binary = os.path.realpath(os.path.join(os.getcwdu(), sys.argv[0]))
OSError: [Errno 2] No such file or directory
Original exception was:
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'swift_1.6.1+git201208021432~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
Build step 'Execute shell' marked build as failure
Email was triggered for: Failure
Sending email for trigger: Failure
[Openstack-ubuntu-testing-notifications] Build Still Failing: precise_folsom_python-glanceclient_trunk #46
Title: precise_folsom_python-glanceclient_trunk

General Information

BUILD FAILURE
Build URL: https://jenkins.qa.ubuntu.com/job/precise_folsom_python-glanceclient_trunk/46/
Project: precise_folsom_python-glanceclient_trunk
Date of build: Thu, 02 Aug 2012 20:31:53 -0400
Build duration: 3 min 36 sec
Build cause: Started by an SCM change
Built on: pkg-builder

Health Report

W  Description                                          Score
   Build stability: 2 out of the last 5 builds failed.  60

Changes

Allow CLI opts to override auth token and endpoint
by bcwaldon
edit glanceclient/shell.py

Console Output

[...truncated 1707 lines...]
Build-Space: 760
Build-Time: 3
Distribution: precise-folsom
Fail-Stage: build
Install-Time: 38
Job: python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1.dsc
Package: python-glanceclient
Package-Time: 78
Source-Version: 1:0.2.0.10.18543b1+git201208022031~precise-0ubuntu1
Space: 760
Status: attempted
Version: 1:0.2.0.10.18543b1+git201208022031~precise-0ubuntu1
Finished at 20120802-2035
Build needed 00:01:18, 760k disc space
ERROR:root:Error occurred during package creation/build
ERROR:root:Command '['sbuild', '-d', 'precise-folsom', '-n', '-A', 'python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1.dsc']' returned non-zero exit status 2
INFO:root:Complete command log:
INFO:root:Destroying schroot.
bzr branch lp:~openstack-ubuntu-testing/python-glanceclient/precise-folsom-proposed /tmp/tmpv5qaQP/python-glanceclient
mk-build-deps -i -r -t apt-get -y /tmp/tmpv5qaQP/python-glanceclient/debian/control
python setup.py sdist
git log -n1 --no-merges --pretty=format:%H
bzr merge lp:~openstack-ubuntu-testing/python-glanceclient/precise-folsom --force
dch -b -D precise --newversion 1:0.2.0.10.18543b1+git201208022031~precise-0ubuntu1 Automated Ubuntu testing build:
dch -b -D precise --newversion 1:0.2.0.10.18543b1+git201208022031~precise-0ubuntu1 Automated Ubuntu testing build:
debcommit
bzr builddeb -S -- -sa -us -uc
bzr builddeb -S -- -sa -us -uc
debsign -k9935ACDC python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1_source.changes
sbuild -d precise-folsom -n -A python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1.dsc
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'precise-folsom', '-n', '-A', 'python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1.dsc']' returned non-zero exit status 2
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/apport_python_hook.py", line 68, in apport_excepthook
    binary = os.path.realpath(os.path.join(os.getcwdu(), sys.argv[0]))
OSError: [Errno 2] No such file or directory
Original exception was:
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'precise-folsom', '-n', '-A', 'python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1.dsc']' returned non-zero exit status 2
Build step 'Execute shell' marked build as failure
Email was triggered for: Failure
Sending email for trigger: Failure