Re: [Openstack-doc-core] Videos !

2012-08-02 Thread Anne Gentle
Hi all -
I took a look at the Gallery plugins and it's used for images not videos as
far as I can tell. So manually changing them is fine, but I'm having
trouble choosing another neutral one for the next rotation.

The current one has been there 2 months, past time to switch it. I was
thinking about the Swift VM install, but I hesitate because it is from a
company rather than a non-affiliated org. Then I looked at the OpenStack
Basics - Overview one at

http://www.youtube.com/watch?v=c1GFoY4btpo

but it's specifically talking about Cisco.

Do you think that the wiki should have a policy of non-affiliated videos
only? Or just most useful wins?

Thanks,

Anne

On Mon, May 28, 2012 at 3:18 AM, Razique Mahroua
razique.mahr...@gmail.com wrote:

 The rotation principle sounds great actually. As long as we provide a
 link to all videos, I think it's great.
 As for the rotation, I found two plugins :
 http://moinmo.in/ParserMarket/Gallery2
 http://moinmo.in/MacroMarket/Gallery

 I'm not sure though it works with videos. Do you know these plugins ?

 Thanks,
 Razique

  Anne Gentle a...@openstack.org
  25 May 2012 17:25
 Hi Razique and all -

 I've been adding some to this wiki page:
 http://wiki.openstack.org/DemoVideos

 It would be great to get a rotation on the front wiki page of a video a
 month or something. I think I could get the columns working while still
 keeping the current content. Here's how it could look:
 http://wiki.openstack.org/Sandbox

 What do you think? How could we get a rotation of videos going? How would
 we choose which get added to the front page of the wiki?

 Thanks,
 Anne


   Razique Mahroua razique.mahr...@gmail.com
  25 May 2012 16:07
  Hi,
 what about video tutorials for OPS installation/ deployment/
 configuration, and so on ?
 I know there are videos here and there (CSScorp made a couple) but maybe
 an official channel for the videos ?
 Best regards,
 Razique


 --
 Nuage  Co - Razique Mahroua
 razique.mahr...@gmail.com




Mailing list: https://launchpad.net/~openstack-doc-core
Post to : openstack-doc-core@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack-doc-core
More help   : https://help.launchpad.net/ListHelp


Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Joseph Heck
Hey Maru,

I think you're putting too many words in Adam's mouth here. First, Adam didn't 
assert it wasn't valuable, useful, or necessary - simply that it wasn't in the 
first cut and not in the list that we agreed was critically essential to an 
initial implementation. As you noted, it's a complex and somewhat tricky issue 
to get right.

There's always room for more participation to correct the flaws you see in the 
existing system - the beauty of open source. I would love to see continued work 
on the signing and revocation work to drive in these features that mean so much 
to you.  I'd be happy to open a blueprint if you can stand behind it, define 
what you think is required, and commit to the work to implement that revocation 
mechanism.

Implying negative emotions on Adam's part when he's been the one driving the 
implementation and doing the work is simply inappropriate. Please consider the 
blueprint route, definition of a viable solution, and work to make it happen 
instead of name calling and asserting how the developers doing the work are 
screwing up.

- joe

On Aug 1, 2012, at 8:05 PM, Maru Newby mne...@internap.com wrote:
 Hi Adam,
 
 I apologize if my questions were answered before.  I wasn't aware that what I 
 perceive as a very serious security concern was openly discussed.  The 
 arguments against revocation support, as you've described them, seem to be:
 
  - it's complicated/messy/expensive to implement and/or execute
  - Kerberos doesn't need it, so why would we?
 
 I'm not sure why either of these arguments would justify the potential 
 security hole that a lack of revocation represents, but I suppose a 'short 
 enough' token lifespan could minimize that hole.  But how short a span are 
 you suggesting as being acceptable?
 
 The delay between when a user's access permissions change (whether roles, 
 password or even account deactivation) and when the ticket reflects that 
 change is my concern.  The default in Keystone has been 24h, which is clearly 
 too long.  Something on the order of 5 minutes would be ideal, but then 
 ticket issuance could become the bottleneck.  Validity that's much longer 
 could be a real problem, though.  Maybe not at the cloud administration 
 level, but for a given project I can imagine someone being fired and their 
 access being revoked.  How long is an acceptable period for that ticket to 
 still be valid?  How much damage could be done by someone who should no 
 longer have access to an account if their access cannot be revoked, by 
 anyone, at all?
 
 I'm hearing that you, as the implementer of this feature, don't consider the 
 lack of revocation to be an issue.  What am I missing?  Is support for 
 revocation so repugnant that the potential security hole is preferable?  I 
 can see that from a developer's perspective, but I don't understand why 
 someone deploying Keystone wouldn't avoid PKI tokens until revocation support 
 became available.
 
 Thanks,
 
 
 Maru 
  
 
 
 On 2012-08-01, at 9:47 PM, Adam Young wrote:
 
 On 08/01/2012 09:19 PM, Maru Newby wrote:
 
 I see that support for PKI Signed Tokens has been added to Keystone without 
 support for token revocation.  I tried to raise this issue on the bug 
 report:
 
 https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
 
 And the review:
 
 https://review.openstack.org/#/c/7754/
 
 I'm curious as to whether anybody shares my concern and if there is a 
 specific reason why nobody responded to my question as to why revocation is 
 not required for this new token scheme.   Anybody?
 
 It was discussed back when I wrote the Blueprint.  While it is possible to 
 do revocations with PKI,  it is expensive and requires a lot of extra 
 checking.  Revocation is a policy decision, and the assumption is that 
 people that are going to use PKI tokens are comfortable without revocation. 
  Kerberos service tickets have the same limitation, and Kerberos has been in 
 deployment that way for close to 25 years.
 
 Assuming that PKI ticket lifespan is short enough,  revocation should not be 
 required.  What will be tricky is to balance the needs of long lived tokens 
 (delayed operations, long running operations) against the needs for 
 reasonable token timeout.
 
 PKI Token revocation would look like CRLs in the Certificate world.  While 
 they are used, they are clunky.  Each time a token gets revoked, a blast 
 message would have to go out to all registered parties informing them of the 
 revocation.  Keystone does not yet have a message queue interface, so doing 
 that is prohibitive in the first implementation.
 
 Note that users can get disabled, and token chaining will no longer work:  
 you won't be able to use a token to get a new token from Keystone.
 
 
 
 Thanks,
 
 
 Maru
 
 
 
 
 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : 
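
The trade-off argued in this thread, as an added example that is not part of the original messages and is not Keystone code: a service that validates signed tokens offline keeps accepting a token after the account is disabled, until the token expires or a CRL-style revocation list is consulted. HMAC-SHA256 stands in for the PKI signature, and the token layout, function names, key and times (integer seconds) are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Keystone's PKI tokens are signed with a certificate;
# HMAC-SHA256 stands in here so the example needs only the standard library.
SIGNING_KEY = b"constructed-demo-key"
DAY = 24 * 3600


def _sign(body: bytes) -> str:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def issue_token(token_id, user, roles, now, lifetime):
    """Identity service side: sign a self-contained token."""
    payload = {"id": token_id, "user": user, "roles": roles,
               "expires": now + lifetime}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)


def verify_offline(token, now):
    """Service side, no call back to the identity service:
    only the signature and the expiry time are checked."""
    body, _, sig = token.partition(".")
    expected = _sign(body.encode())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now >= payload["expires"]:
        return None
    return payload


def verify_with_revocation(token, now, revoked_ids):
    """Same check, plus a CRL-style list of revoked token ids that the
    service has fetched from the identity service."""
    payload = verify_offline(token, now)
    if payload is None or payload["id"] in revoked_ids:
        return None
    return payload


def exposure_seconds(expires, revoked_at, list_refresh=None):
    """Longest time a token is still accepted after access is withdrawn.
    Without a revocation list that is the remaining lifetime; with one it
    is capped by how often services refresh the list."""
    remaining = max(0, expires - revoked_at)
    if list_refresh is None:
        return remaining
    return min(remaining, list_refresh)


def demo():
    issued = 0
    token = issue_token("tok-1", "alice", ["member"], issued, DAY)
    revoked_at = 3600          # account disabled one hour after issue
    revoked = {"tok-1"}        # what a revocation list would carry
    later = revoked_at + 600   # ten minutes after the account was disabled
    return {
        "offline_after_disable": verify_offline(token, later) is not None,
        "with_list_after_disable":
            verify_with_revocation(token, later, revoked) is not None,
        "exposure_24h_no_list": exposure_seconds(issued + DAY, revoked_at),
        "exposure_5min_no_list": exposure_seconds(issued + 300, 120),
        "exposure_24h_list_60s":
            exposure_seconds(issued + DAY, revoked_at, list_refresh=60),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```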

[Openstack] how to create different instance name when create more instance in same time

2012-08-02 Thread Shake Chen
Hi

Now I try to create more instance in same time in Dashboard, but the
Instance name is same. How to solve it?



-- 
Shake Chen
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


Re: [Openstack] Cells Status

2012-08-02 Thread Chris Behrens

I found time to update the branch with the latest code tonight:

https://github.com/comstud/nova/tree/cells_service

I put a review up here as a WIP also:

https://review.openstack.org/#/c/10707/

I reviewed what's changed since the last update… and it was essentially:

- Rebase against master… resolving things that had moved to openstack-common
- Push bandwidth usage updates to top level API cell.
- Push instance metadata updates to top level API cell (though I don't think they 
  would change in a child cell)
- instance system metadata syncing with instance updates
- Better delete instance handling
- Removed broken near/far filter which could have potential DoS issues, until it 
  can be redone

Looks like I might have lost some code cleanups I had done previously… and I'll 
restore those asap.  The cells code as it is in the above branch is what's now 
running in a production environment and working… but there's still some edge 
cases of issues and doesn't support things like security groups and host 
aggregates. 

I'll give an update tomorrow about trying to land this in folsom… but I'll 
probably be posting it at the new dev list: openstack-...@lists.openstack.org

- Chris


On Aug 1, 2012, at 9:03 PM, Chris Behrens wrote:

 Ah, hit send early from my phone.  There's a few additions I have in a 
 private branch along with it being up2date with trunk.  Will get that into 
 the public branch and get the update out tomorrow!
 
 On Aug 1, 2012, at 9:01 PM, Chris Behrens cbehr...@codestud.com wrote:
 
 I'll push up the latest tomorrow, promise!  And I'll give an update at that 
 time.  Sorry, been crazy times lately preparing for Rackspace's release 
 today.
 
 We are live with cells, and I'm extremely anxious to start getting it into 
 trunk.  There's been a few additions not in the branch on github.
 
 - Chris
 
 
 
 On Aug 1, 2012, at 8:19 PM, Russell Sim russell@gmail.com wrote:
 
 Hey,
 
 We have been experimenting with the cells branch and I'm hoping I can get
 an update.  The branch on github hasn't been updated for a couple of
 months and we are starting to hack on it but we are hesitant because we
 are aware that there are uncommitted changes.
 
 Cheers,
 Russell
 


Re: [Openstack] how to create different instance name when create more instance in same time

2012-08-02 Thread Sébastien Han
You can always rename them with the dashboard, but this doesn't mean that
the hostname will change... It will remain the same for every VM.


On Thu, Aug 2, 2012 at 9:31 AM, Shake Chen shake.c...@gmail.com wrote:

 Hi

 Now I try to create more instance in same time in Dashboard, but the
 Instance name is same. How to solve it?



 --
 Shake Chen





Re: [Openstack] how to create different instance name when create more instance in same time

2012-08-02 Thread Shake Chen
In HPcloud, when create a VM, no need setting the Server name. How to
achieve it?



On Thu, Aug 2, 2012 at 3:49 PM, Sébastien Han han.sebast...@gmail.com wrote:

 You can always rename them with the dashboard, but this doesn't mean that
 the hostname will change... It will remain the same for every VM.


 On Thu, Aug 2, 2012 at 9:31 AM, Shake Chen shake.c...@gmail.com wrote:

 Hi

 Now I try to create more instance in same time in Dashboard, but the
 Instance name is same. How to solve it?



 --
 Shake Chen








-- 
Shake Chen


Re: [Openstack] Angry People and OpenStack

2012-08-02 Thread Razique Mahroua
+1 :)
Nuage  Co - Razique Mahroua
razique.mahr...@gmail.com

On 2 August 2012 at 06:17, Atul Jha atul@csscorp.com wrote:

 Hi,

 <snip>
 i believe openstack is the best :0
 </snip>

 Indeed it is.

 <snip>
 if the model of open and transparency still issue, we can fix anyway
 </snip>

 I don't see there is any. It's just there are certain section of people
 who are bound to create FUD and act as TROLL. What we can simply do is
 to ignore them. :)

 Cheers!!

 Atul Jha
 http://www.csscorp.com/common/email-disclaimer.php


Re: [Openstack] swift authentication problem

2012-08-02 Thread Derek Higgins
On 08/02/2012 05:09 AM, sarath zacharia wrote:
 Hi,
 We successfully configured the swift in our cloud
 environment. But when a non admin user accessing the container
 it shows an *Error: *Unable to retrieve container list.

 Is there any option for accessing the containers (Swift
 object storage ) in the dashboard for the non admin users ?

Hi Sarath,
   I suspect your user doesn't have an appropriate role in the tenant
being used. In your swift proxy config file you'll find an option called
operator_roles, which will look something like this

operator_roles = admin, swiftoperator

you'll need to make sure your user has a role in this list (in the
tenant being used) in order to use swift.

see keystone user-role-add to add the role

Hope this helps,
Derek




[Openstack] Nova Volume and provisionning on iSCSI SAN

2012-08-02 Thread Bilel Msekni

Hi all,
I have a question relating to nova-volume, and provisioning block 
devices as storage for VMs. As I understand it from the documentation, 
nova-volume will take a block device with LVM on it, and then become an 
iSCSI target to share the logical volumes to compute nodes. I also 
understand that there is another process for using an HP lefthand SAN or 
solaris iSCSI setup, whereby nova-volume can interact with APIs for 
volume creation on the SAN itself.


I have a dell iSCSI SAN, and I can see that I'd be able to mount a LUN 
from the SAN on my nova-volume node, then go through the documented 
process of creating an LVM on this LUN and having nova-volume re-share 
it over iSCSI to the compute nodes, but what I'm wondering is whether I 
can have the compute nodes simply connect to the iSCSI SAN to access 
these volumes (which would be created and managed by nova-volume still), 
rather than connect each compute node to the iSCSI target which 
nova-volume presents? I imagine with this setup, I could take advantage 
of the SAN's HA and performance benefits.


Hope that makes sense..


[Openstack] growing fixed-ip network

2012-08-02 Thread Christoph Kluenter
Hi,

I don't know how to handle the case when a tenant has used up all IPs.
We use FlatNetworking, so no Floating IPs possible.
So, when one tenant has used up all the IPs in their net, how can I assign 
another net
to the same tenant ? If I just assign another net, every new instance just gets 
an IP from both nets.
But if the first net doesn't have free IPs, I get the  
exception.NoMoreFixedIps()
even if the second net still has lots of IPs.

Can this be solved with quantum ?

Cheers,
  Christoph
-- 
Christoph Kluenter   E-Mail: supp...@iphh.net
Technik  Tel: +49 (0)40 374919-10
IPHH Internet Port Hamburg GmbH  Fax: +49 (0)40 374919-29
Wendenstrasse 408AG Hamburg, HRB 76071
D-20537 Hamburg  Geschaeftsfuehrung: Axel G. Kroeger



Re: [Openstack] [glance] legacy client removal and python-glanceclient

2012-08-02 Thread Thierry Carrez
Brian Waldon wrote:
 Ok, so I spent some time on this and got all of the existing/legacy CLI
 working within python-glanceclient. It should let anybody using the
 existing client keep on keepin' on without having to worry about CLI
 compatibility (until we actually remove the deprecated functionality in
 the v2 release).

That's awesome, Brian. Great work.

 I pushed up a review
 here: https://review.openstack.org/#/c/10703/. I would love for those
 that voiced their concerns earlier to install the new client and make
 sure it really is backwards-compatible.

Yes, time to help and be part of the solution :)

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack



[Openstack] Multiple vNICs for Multiple networks.

2012-08-02 Thread Trinath Somanchi
Hi-


I have installed Openstack+Quantum+OVS in two machines.

One Controller and the other as node.

I have created tenant specific/labeled and public labeled networks.

Upon bringing up instances in a tenant, I'm able to see 3 types of IP
address for the instance, and upon login into the instance, for ifconfig
-a I'm able to see eth0, eth1 and eth2 interfaces.

But for ifconfig, only eth0 is shown. If I do dhclient eth1, I'm able to
get the ip address for the instance.

Is that for 'N' number of networks, instances get those many vNICs..?

Please help me understand the same.



-- 
Regards,
--
Trinath Somanchi,
+91 9866 235 130


[Openstack] Node Disk Cleaning Script

2012-08-02 Thread Алексей Кайтаз
Hi!
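I hope this script will be useful for somebody.

#!/bin/bash
# Delete files in _base that no instance disk uses as a backing file.
# Any failure (including no backing files found) aborts before the delete.
set -euo pipefail
cd /var/lib/nova/instances
ignore=$(mktemp)   # private temp file instead of a fixed name in /tmp
trap 'rm -f "$ignore"' EXIT
# Collect the backing file of every instance disk.
find . -name 'disk*' -print0 | xargs -0 -n1 qemu-img info | grep backing |
    sed -e 's/.*file: //' -e 's/ .*//' | sort -u > "$ignore"
ARGS=()
while read -r i; do
    ARGS+=( '(' '!' -path "$i" ')' )   # keep every file still in use
done < "$ignore"
find /var/lib/nova/instances/_base/ -type f "${ARGS[@]}" -delete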


Re: [Openstack] Qcow2 Details on base images

2012-08-02 Thread Gaurab Basu
Hi Jay,

Thanks for your reply, it helped me get started.

I have been going through the code and some of the sparse docs that are
available.

This is the code file
https://github.com/openstack/nova/blob/master/nova/virt/libvirt/utils.py

However I am facing a new issue and require some help. I wanted to modify
how openstack handles the cow layer as such and also the qcow2 format.
It turns out that openstack issues the external command qemu-img.

First of all, is qemu-img internal to openstack ( I mean code for how
qemu-img is implemented is in openstack or in qemu )?
If it is in openstack, where is the code located?

If it is outside openstack, does that mean I have to change the code in
qemu and then link those binaries with openstack?

Any help would be appreciated.

Thanks,
Gaurab



On Sun, Jul 29, 2012 at 6:35 AM, Jay Pipes jaypi...@gmail.com wrote:

 On 07/28/2012 11:10 AM, Gaurab Basu wrote:
  Another thing I would like to know is whether it uses snapshot mechanism
  over time.

 What is it you are referring to above? Are you asking whether Nova
 automatically takes snapshots of images over time? If so, no, it does
 not. If a user requests a snapshot of a launched instance, then Nova
 will issue snapshot commands -- in the case of the libvirt driver, these
 commands would be qemu-img snapshot -c SNAPSHOT_NAME IMAGE_PATH.

  I mean how does the copy on write functionality works. Does it keep the
  diff snapshots over time ( or something else ).

 Not sure here whether you are asking how QEMU's copy on write operations
 work or whether Nova keeps the base images separate from any VM images.
 If you are asking about the latter, the answer is that Nova will create
 the virtual machine images by creating a COW image based on the base
 image it pulls from Glance -- after making a resized copy of the base
 image if it needs to do so to meet the needs of the requested image size
 of the VM.

 Snapshots that are taken of virtual machine images on a host are stored
 by Nova in Glance.

  And does the diff work at the level of file or block level?

 AFAIK, CoW and snapshot actions with QEMU are block-level.

  What is the format that the image is converted to after it is fetched
  from glance.

 There may be no conversion needed at all... it depends on what the
 format of the original base image that was stored in Glance. Conversion
 between raw/iso and QCOW2 and vice versa is what you see in the code,
 and is what is done during migration as Mikal mentioned below.

  I am fairly new to openstack.
  Can you point me to the specific files in the code where all these
  things are coded. I want to know the details of the
  present state.

 grep for qemu-img in the nova/ directory. You'll see all the files that
 call qemu-img commands and then you can go look in those files.

 Best,
 -jay

  Thanks again for your help.
 
  Regards,
  Gaurab
 
  On Sat, Jul 28, 2012 at 11:52 AM, Michael Still
  michael.st...@canonical.com wrote:
 
  On 28/07/12 05:42, Gaurab Basu wrote:
   Hi,
  
   I am trying to figure out the technology that openstack uses when
   multiple VM's having the *same* base image (OS) are provisioned on a
   physical server.
   Does it use as many copy as the number of VM's or does it use the
 same
   base image and then copy on write.
  
   I need to understand the complete details. Can anybody share some
   details or point me to some place where I can find the details.
 
  It's pretty hard to provide a complete description of what happens,
  because the code keeps changing. However, assuming you have copy on
  write turned on (which is the default IIRC), and assuming that all of
  the instances have the same disk size, then you end up with:
 
   - the image as fetched from glance, with possible format conversion
   - that image resized to the size the instance requested
   - a cow on write layer for each instance that is using that sized
 image
 
  The first should be smallish, the second can be quite large, and the
  third will really depend on how much writing the instances are doing.
 
  Note that this all falls apart if instances are migrated, because as
  part of the migration the copy on write layer is transformed into a
 full
  disk image, which is what is shipped over to the new machine.
 
  Hope this helps,
  Mikal
 
 
 
 
 

[Openstack] Nova Manage Network unable to add vlan ID

2012-08-02 Thread Trinath Somanchi
Hi-

I issued the command,

nova-manage network create --label=tenant-1 --fixed_range_v4=172.15.1.0/24 --bridge_interface=br-int --vlan=15 --project_id=a17de6f647b14739acb33f09d246f72e

But in the network listing the vlanID is none

root@OpenstackController:~# nova-manage network list
id   IPv4            IPv6   start address   DNS1      DNS2   VlanID   project                            uuid
2012-08-02 17:50:40 DEBUG nova.utils [req-8ad6fc0b-96e6-49af-bd1d-ea97a38708cf None None] backend module 'nova.db.sqlalchemy.api' from '/usr/lib/python2.7/dist-packages/nova/db/sqlalchemy/api.pyc' from (pid=11488) __get_backend /usr/lib/python2.7/dist-packages/nova/utils.py:658
1    172.15.1.0/24   None   172.15.1.2      8.8.4.4   None   None     a17de6f647b14739acb33f09d246f72e   af1c58f9-bfcf-4495-abb6-3d16e5e3bf6b

Can any one guide me on finding out what might be the wrong thing here...

Thanking you...


-- 
Regards,
--
Trinath Somanchi,
+91 9866 235 130


Re: [Openstack] growing fixed-ip network

2012-08-02 Thread Ravi Jagannathan
It should hop on to the next subnet block if available ( assuming that in
LAN it's a private address scheme ) .

Ravi

On Thu, Aug 2, 2012 at 5:58 AM, Christoph Kluenter c...@iphh.net wrote:

 Hi,

 I don't know how to handle the case when a tenant has used up all IPs.
 We use FlatNetworking, so no Floating IPs possible.
 So, when one tenant has used up all the IPs in their net, how can I assign
 another net
 to the same tenant ? If I just assign another net, every new instance just
 gets an IP from both nets.
 But if the first net doesn't have free IPs, I get the
  exception.NoMoreFixedIps()
 even if the second net still has lots of IPs.

 Can this be solved with quantum ?

 Cheers,
   Christoph
 --
 Christoph Kluenter   E-Mail: supp...@iphh.net
 Technik  Tel: +49 (0)40 374919-10
 IPHH Internet Port Hamburg GmbH  Fax: +49 (0)40 374919-29
 Wendenstrasse 408AG Hamburg, HRB 76071
 D-20537 Hamburg  Geschaeftsfuehrung: Axel G. Kroeger



Re: [Openstack] [Netstack] Multiple vNICs for Multiple networks.

2012-08-02 Thread Akihiro MOTOKI
Hi,

Your environment seems to work well.
The problem you have perhaps depends on your VM image.

If you use ifconfig -a, you should see all three interfaces.
While ifconfig w/o the -a option shows interface(s) which are UP,
ifconfig with -a shows all interfaces available on a machine.

 But for ifconfig, only eth0 is shown. If I do dhclient eth1, I'm able to
 get the ip address for the instance.

This result shows eth1 has been created as you expected,
but eth1 and eth2 are not UP.
Which interfaces are up on boot depends on a VM image you used.

If you use Ubuntu Server images, you need to add the following lines
to /etc/network/interfaces:

auto eth1
iface eth1 inet dhcp
auto eth2
iface eth2 inet dhcp


Thanks,

2012/8/2 Trinath Somanchi trinath.soman...@gmail.com:
 Hi-


 I have installed Openstack+Quantum+OVS in two machines.

 One Controller and the other as node.

 I have created tenant specific/labeled and public labeled networks.

 Upon bringing up instances in a tenant, I'm able to see 3 types of IP
 address for the instance, and upon login into the instance, for ifconfig
 -a I'm able to see eth0, eth1 and eth2 interfaces.

 But for ifconfig, only eth0 is shown. If I do dhclient eth1, I'm able to
 get the ip address for the instance.

 Is that for 'N' number of networks, instances get those many vNICs..?

 Please help me understand the same.



 --
 Regards,
 --
 Trinath Somanchi,
 +91 9866 235 130


 --
 Mailing list: https://launchpad.net/~netstack
 Post to : netst...@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~netstack
 More help   : https://help.launchpad.net/ListHelp




-- 
Akihiro MOTOKI amot...@gmail.com



Re: [Openstack] growing fixed-ip network

2012-08-02 Thread Christoph Kluenter
* Am Thu, Aug 02 2012 at 09:24:55 -0400 , schrieb Ravi Jagannathan:
 It should hop on to the next subnet block if available ( assuming that in
 LAN it's a private address scheme ) .
We only use routable IPs. That's why we have some nets which can't be subnetted.
What difference does it make if it's private address space ?

christoph
 
 Ravi
 
 On Thu, Aug 2, 2012 at 5:58 AM, Christoph Kluenter c...@iphh.net wrote:
 
  Hi,
 
  I don't know how to handle the case when a tenant has used up all IPs.
  We use FlatNetworking, so no Floating IPs possible.
  So, when one tenant has used up all the IPs in their net, how can I assign
  another net
  to the same tenant ? If I just assign another net, every new instance just
  gets an IP from both nets.
  But if the first net doesn't have free IPs, I get the
   exception.NoMoreFixedIps()
  even if the second net still has lots of IPs.
 
  Can this be solved with quantum ?
 
  Cheers,
Christoph
  --
  Christoph Kluenter   E-Mail: supp...@iphh.net
  Technik  Tel: +49 (0)40 374919-10
  IPHH Internet Port Hamburg GmbH  Fax: +49 (0)40 374919-29
  Wendenstrasse 408AG Hamburg, HRB 76071
  D-20537 Hamburg  Geschaeftsfuehrung: Axel G. Kroeger
 
 

-- 
Christoph Kluenter   E-Mail: supp...@iphh.net
Technik  Tel: +49 (0)40 374919-10
IPHH Internet Port Hamburg GmbH  Fax: +49 (0)40 374919-29
Wendenstrasse 408AG Hamburg, HRB 76071
D-20537 Hamburg  Geschaeftsfuehrung: Axel G. Kroeger



Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Adam Young

On 08/02/2012 01:56 AM, Joseph Heck wrote:

Hey Maru,

I think you're putting too many words in Adam's mouth here. First, 
Adam didn't assert it wasn't valuable, useful, or necessary - simply 
that it wasn't in the first cut and not in the list that we agreed was 
critically essential to an initial implementation. As you noted, it's a 
complex and somewhat tricky issue to get right.


There's always room for more participation to correct the flaws you 
see in the existing system - the beauty of open source. I would love 
to see continued work on the signing and revocation work to drive in 
these features that mean so much to you.  I'd be happy to open a 
blueprint if you can stand behind it, define what you think is 
required, and commit to the work to implement that revocation mechanism.


Implying negative emotions on Adam's part when he's been the one driving 
the implementation and doing the work is simply inappropriate. Please 
consider the blueprint route, definition of a viable solution, and 
work to make it happen instead of name calling and asserting how the 
developers doing the work are screwing up.


Thanks for the support Joe.  I don't think Maru was being too harsh.  So 
long as he doesn't start calling me Sir as that is always followed 
by you are making a scene.


- joe

On Aug 1, 2012, at 8:05 PM, Maru Newby mne...@internap.com wrote:

Hi Adam,

I apologize if my questions were answered before.  I wasn't aware 
that what I perceive as a very serious security concern was openly 
discussed.  The arguments against revocation support, as you've 
described them, seem to be:


 - it's complicated/messy/expensive to implement and/or execute
 - Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the 
potential security hole that a lack of revocation represents, but I 
suppose a 'short enough' token lifespan could minimize that hole. 
 But how short a span are you suggesting as being acceptable?


The delay between when a user's access permissions change (whether 
roles, password or even account deactivation) and when the ticket 
reflects that change is my concern.  The default in Keystone has been 
24h, which is clearly too long.  Something on the order of 5 minutes 
would be ideal, but then ticket issuance could become the bottleneck. 
 Validity that's much longer could be a real problem, though.  Maybe 
not at the cloud administration level, but for a given project I can 
imagine someone being fired and their access being revoked.  How long 
is an acceptable period for that ticket to still be valid?  How much 
damage could be done by someone who should no longer have access to 
an account if their access cannot be revoked, by anyone, at all?


I'm hearing that you, as the implementer of this feature, don't 
consider the lack of revocation to be an issue.  What am I missing? 
 Is support for revocation so repugnant that the potential security 
hole is preferable?  I can see that from a developer's perspective, 
but I don't understand why someone deploying Keystone wouldn't avoid 
PKI tokens until revocation support became available.

I think you have valid concerns.  Realistically, I think 5 minutes is 
too short, and for many operations, 24 hours would be the right 
granularity.  However, the timespan of the tokens is configurable, and 
the policy of the deploying organization should dictate.


Remember, this is the administrative interface for virtual machines, and 
not the applications running in them.  Removing someone from access to 
creating/rebooting/destroying virtual machines is a much more deliberate 
decision than banning someone from a public forum.  Aside from someone 
getting fired, I am not sure how essential it is that we have rapid 
revocation of tokens.  And firing someone is usually part of the whole 
"escort from the building" routine.


So, let me put the onus on you:  make the argument for rapid revocation 
of tokens.





Thanks,


Maru


On 2012-08-01, at 9:47 PM, Adam Young wrote:


On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone 
without support for token revocation.  I tried to raise this issue 
on the bug report:


https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is 
a specific reason why nobody responded to my question as to why 
revocation is not required for this new token scheme.   Anybody?


It was discussed back when I wrote the Blueprint.  While it is 
possible to do revocations with PKI,  it is expensive and requires a 
lot of extra checking.  Revocation is a policy decision, and the 
assumption is that people that are going to use PKI tokens are 
comfortable without revocation.  Kerberos service tickets have the 
same limitation, and Kerberos has been in deployment that way for 
close to 25 

Re: [Openstack] Angry People and OpenStack

2012-08-02 Thread George Reese

On Aug 1, 2012, at 11:17 PM, Atul Jha atul@csscorp.com wrote:

 
 I don't see there is any. It's just there are certain section of people who 
 are bound to create FUD and act as TROLL. What we can simply do is to ignore 
 them. :)
 

This is a dangerous attitude here.

People who criticize are haters and should be ignored. Stick your head in the 
sand and ignore the fact that OpenStack governance has  a huge trust problem, 
that the product has stability and compatibility issues. 

Attack me for criticizing OpenStack when on a daily basis I am doing a lot of 
work to get into real world deployments. In the meantime, I know people on 
this list heaping plenty of public praise on OpenStack who are actively pushing 
people in private towards alternatives.

Yeah, that'll work really well.

-George

--
George Reese - Chief Technology Officer, enStratus
e: george.re...@enstratus.com    Skype: nspollution    t: @GeorgeReese    p: +1.207.956.0217
enStratus: Enterprise Cloud Management - @enStratus - http://www.enstratus.com
To schedule a meeting with me: http://tungle.me/GeorgeReese



Re: [Openstack] [Netstack] Nova Manage Network unable to add vlan ID

2012-08-02 Thread Akihiro MOTOKI
Minor correction for my previous mail.

 Quantum OVS plugin (with non-tunneling mode) assigns
 VLAN-ID automatically for each virtual network.

(with non-tunneling mode) is unnecessary.
All modes of OVS plugin do the same behavior.

OVS plugin assigns VLAN-ID automatically for each virtual network.

Thanks,

2012/8/2 Akihiro MOTOKI amot...@gmail.com:
 Hi,

 In Essex Quantum, --vlan and --bridge_interface options for nova-manage
 are ignored. For VLAN, Quantum OVS plugin (with non-tunneling mode) assigns
 VLAN-ID automatically for each virtual network.
 Regarding bridge-interface, you need to configure OVS manually using 
 ovs-vsctl.

 Thanks,

 2012/8/2 Trinath Somanchi trinath.soman...@gmail.com:
 Hi-

 I issued the command, nova-manage network create --label=tenant-1
 --fixed_range_v4=172.15.1.0/24  --bridge_interface=br-int --vlan=15
 --project_id=a17de6f647b14739acb33f09d246f72e

 But in the network listing the vlanID is none

 root@OpenstackController:~# nova-manage network list
 id   IPv4  IPv6   start address  DNS1
 DNS2   VlanID projectuuid
 2012-08-02 17:50:40 DEBUG nova.utils
 [req-8ad6fc0b-96e6-49af-bd1d-ea97a38708cf None None] backend module
 'nova.db.sqlalchemy.api' from
 '/usr/lib/python2.7/dist-packages/nova/db/sqlalchemy/api.pyc' from
 (pid=11488) __get_backend /usr/lib/python2.7/dist-packages/nova/utils.py:658
 1172.15.1.0/24 None   172.15.1.2 8.8.4.4
 None   None   a17de6f647b14739acb33f09d246f72e
 af1c58f9-bfcf-4495-abb6-3d16e5e3bf6b

 Can any one guide me on finding out what might be the wrong thing here...

 Thanking you...


 --
 Regards,
 --
 Trinath Somanchi,
 +91 9866 235 130


 --
 Mailing list: https://launchpad.net/~netstack
 Post to : netst...@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~netstack
 More help   : https://help.launchpad.net/ListHelp




 --
 Akihiro MOTOKI amot...@gmail.com



-- 
Akihiro MOTOKI amot...@gmail.com



Re: [Openstack] Inbound connectivity and FlatDHCP networking

2012-08-02 Thread Lars Kellogg-Stedman
 Traffic from vm to vm on different hosts should be able to go across 
 flat_interface

Okay, that makes sense.

 Getting inbound connectivity over fixed_ips can be tricky. It looks
 like you want to set up a specific range from vms that is not
 snatted. There is a config option for this called dmz_cidr. Anything
 in the dmz_cidr range will not be snatted.

With a multi_host, flatDHCP model, is the general idea that fixed_ips
are -- generally -- internal to the compute host, and all external
access is supposed to be via floating ips?  That's sort of how it
looks, but I hadn't seen that stated explicitly anywhere.

 fixed_range=10.0.0.0/16
 dmz_cidr=10.1.0.0/16

How does fixed_range interact with networks created via 'nova-manage
network create ...'?  There are a few bugs (e.g.,
https://bugs.launchpad.net/nova/+bug/741626) that suggest things need
to be specified in both places.   Is that correct?

-- 
Lars Kellogg-Stedman l...@seas.harvard.edu        |
Senior Technologist                                | http://ac.seas.harvard.edu/
Academic Computing                                 | http://code.seas.harvard.edu/
Harvard School of Engineering and Applied Sciences |



Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Rouault, Jason (Cloud Services)
This was a concern for HP as well.  This is one of the reasons we were happy
to see that signed tokens are currently a deployment option.  So, you can
continue to use the unsigned model until such a time that revocation can be
put into place for the token signing model.

Jason

From: openstack-bounces+jason.rouault=hp@lists.launchpad.net
[mailto:openstack-bounces+jason.rouault=hp@lists.launchpad.net] On
Behalf Of Maru Newby
Sent: Wednesday, August 01, 2012 7:20 PM
To: openstack@lists.launchpad.net (openstack@lists.launchpad.net)
Subject: [Openstack] Keystone: 'PKI Signed Tokens' lack support for
revocation

 

I see that support for PKI Signed Tokens has been added to Keystone without
support for token revocation.  I tried to raise this issue on the bug
report:

https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is a
specific reason why nobody responded to my question as to why revocation is
not required for this new token scheme.   Anybody?

Thanks,

Maru
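The trade-off argued in this thread, token lifetime versus revocation for tokens that services validate offline, can be measured directly. The following Python code is an added example, not Keystone code and not anything posted by the participants: HMAC-SHA256 stands in for the PKI signature, and `issue_token`, `verify_offline`, `RevocationAwareValidator` and the locally cached revocation list are hypothetical names and design choices. It reports how long a token keeps being accepted after the user's access is withdrawn, for the 24 hour and 5 minute lifetimes mentioned above.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the PKI signature so the
# example runs with the standard library only.
SIGNING_KEY = b"constructed-demo-key"


def issue_token(user, roles, now, lifetime_s):
    """Return a signed token of the form base64(body) + "." + hex MAC."""
    body = json.dumps({
        "id": hashlib.sha256(f"{user}:{now}".encode()).hexdigest()[:16],
        "user": user,
        "roles": roles,
        "issued_at": now,
        "expires_at": now + lifetime_s,
    }, sort_keys=True).encode()
    mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + mac


def verify_offline(token, now):
    """Check signature and expiry only, which is all a service can do
    without calling back to the identity service. Returns claims or None."""
    try:
        b64, mac = token.split(".")
        body = base64.urlsafe_b64decode(b64.encode())
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(body)
    if now >= claims["expires_at"]:
        return None
    return claims


class RevocationAwareValidator:
    """Offline validation plus a locally cached list of revoked token ids,
    refreshed every refresh_s seconds (hypothetical design)."""

    def __init__(self, fetch_revoked, refresh_s):
        self._fetch = fetch_revoked      # callable returning revoked token ids
        self._refresh_s = refresh_s
        self._cached = set()
        self._fetched_at = None

    def verify(self, token, now):
        claims = verify_offline(token, now)
        if claims is None:
            return None
        stale = (self._fetched_at is None
                 or now - self._fetched_at >= self._refresh_s)
        if stale:
            self._cached = set(self._fetch())
            self._fetched_at = now
        return None if claims["id"] in self._cached else claims


def seconds_accepted_after_revocation(lifetime_s, revoke_after_s,
                                      refresh_s=None, step_s=60):
    """Replay one token every step_s seconds and count how long it is still
    accepted after the user's access was withdrawn at revoke_after_s."""
    revoked = set()
    token = issue_token("alice", ["admin"], now=0, lifetime_s=lifetime_s)
    token_id = verify_offline(token, 0)["id"]
    validator = None
    if refresh_s is not None:
        validator = RevocationAwareValidator(lambda: set(revoked), refresh_s)
    accepted = 0
    for now in range(0, lifetime_s + step_s, step_s):
        if now >= revoke_after_s:
            revoked.add(token_id)        # the identity service knows at once
        if validator is not None:
            claims = validator.verify(token, now)
        else:
            claims = verify_offline(token, now)
        if claims is not None and now >= revoke_after_s:
            accepted += step_s
    return accepted


if __name__ == "__main__":
    day, five_min = 24 * 3600, 5 * 60
    print("24 h token, no revocation check:",
          seconds_accepted_after_revocation(day, 660), "s of exposure")
    print("5 min token, no revocation check:",
          seconds_accepted_after_revocation(five_min, 120), "s of exposure")
    print("24 h token, revocation list refreshed every 5 min:",
          seconds_accepted_after_revocation(day, 660, refresh_s=five_min),
          "s of exposure")
```

Without a revocation check the exposure is the token's remaining lifetime; with a cached list it is bounded by the refresh interval, independent of lifetime.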


Re: [Openstack] growing fixed-ip network

2012-08-02 Thread Narayan Desai
On Thu, Aug 2, 2012 at 8:42 AM, Christoph Kluenter c...@iphh.net wrote:
 * Am Thu, Aug 02 2012 at 09:24:55 -0400 , schrieb Ravi Jagannathan:
 It should hop on to the next subnet block if available ( assuming that in
 LAN it's a private address scheme ) .
 We only use routable IPs. That's why we have some nets which can't be 
 subnetted.
 What difference does it make if it's private address space ?

The major reason to use private address space is that there is likely
a lot more of it than you have in public address space. If you have
effectively unlimited fixed_ip space, you can give each project a lot.
For example, we give each project a /23. While a user could
potentially still run out of address space on our system, it hasn't
happened yet with our workload.
 -nld



[Openstack] Cannot pass hint to Nova Scheduler

2012-08-02 Thread Heng Xu
Hi folks:
I am new to openstack, I am currently trying to test the json filter, I changed 
my /etc/nova/nova.conf as follows

scheduler_driver=nova.scheduler.multi.MultiScheduler
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
volume_scheduler_driver=nova.scheduler.chance.ChanceScheduler
scheduler_available_filters=nova.scheduler.filters.standard_filters
scheduler_default_filters=JsonFilter
least_cost_functions=nova.scheduler.least_cost.compute_fill_first_cost_fn
compute_fill_first_cost_fn_weight=-1.0


so I can use the json filter
however, when I was using it, if I boot a vm without any --hint to the 
scheduler, then the vm started fine, but if I use

nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query=['=','$free_ram_mb',1024] server1

my vm started with error, and the following were output from the command above

+-------------------------------------+--------------------------------------+
| Property                            | Value                                |
+-------------------------------------+--------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                               |
| OS-EXT-SRV-ATTR:host                | None                                 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                 |
| OS-EXT-SRV-ATTR:instance_name       | instance-002b                        |
| OS-EXT-STS:power_state              | 0                                    |
| OS-EXT-STS:task_state               | scheduling                           |
| OS-EXT-STS:vm_state                 | error                                |
| accessIPv4                          |                                      |
| accessIPv6                          |                                      |
| adminPass                           | dKvrsv4MZtfc                         |
| config_drive                        |                                      |
| created                             | 2012-08-02T14:25:10Z                 |
| flavor                              | m1.tiny                              |
| hostId                              |                                      |
| id                                  | 9d4a5855-3c69-40ba-b50d-3a2aa6a92edc |
| image                               | cirros-0.3.0-x86_64-uec              |
| key_name                            |                                      |
| metadata                            | {}                                   |
| name                                | server1                              |
| progress                            | 0                                    |
| status                              | BUILD                                |
| tenant_id                           | d99ffa1b0c43455ab8dbbd81cf4380a7     |
| updated                             | 2012-08-02T14:25:10Z                 |
| user_id                             | d5e02f1810a44575b99a147f94507da1     |
+-------------------------------------+--------------------------------------+

as you can see, the vm is in error, this also happens whenever I need to pass a 
hint to the scheduler, as in samehostfilter and differenthostfilter,

Does anyone know what's going on, thanks in advance.
Heng



Re: [Openstack] [Netstack] Multiple vNICs for Multiple networks.

2012-08-02 Thread Sumit Naiksatam (snaiksat)
Hi,

Yes, if you do not specify networks using the “--nic” option you will get a vnic 
on each of the public networks and one for each network belonging to that 
tenant. Using the “--nic net-id=uuid-xyz” option you can refer to specific 
networks on which you want the vnics.

Thanks,
~Sumit.

From: netstack-bounces+snaiksat=cisco@lists.launchpad.net 
[mailto:netstack-bounces+snaiksat=cisco@lists.launchpad.net] On Behalf Of 
Trinath Somanchi
Sent: Thursday, August 02, 2012 3:18 AM
To: openstack@lists.launchpad.net; netst...@lists.launchpad.net
Subject: [Netstack] Multiple vNICs for Multiple networks.

Hi-


I have installed Openstack+Quantum+OVS in two machines.

One Controller and the other as node.

I have created tenant specific/labeled and public labeled networks.

Upon bringing up instances in a tenant, I'm able to see 3 types of IP address 
for the instance. and Upon login into the instance, for ifconfig -a I'm able 
to see eth0,eth1 and eth2 interfaces.

But for ifconfig, only eth0 is shown. If I do dhclient eth1, I'm able to get 
the ip address for the instance.

Is that for 'N' number of networks, instances get those many vNICs..?

Please help me understand the same.



--
Regards,
--
Trinath Somanchi,
+91 9866 235 130



Re: [Openstack] growing fixed-ip network

2012-08-02 Thread Ravi Jagannathan
Also.. builds are better created in Private IP and then prepped to release
to Public cloud. After all just an instance running OS is not yet there in
terms of APP stack.

Ravi.

On Thu, Aug 2, 2012 at 10:49 AM, Narayan Desai narayan.de...@gmail.com wrote:

 On Thu, Aug 2, 2012 at 8:42 AM, Christoph Kluenter c...@iphh.net wrote:
  * Am Thu, Aug 02 2012 at 09:24:55 -0400 , schrieb Ravi Jagannathan:
  It should hop on to the next subnet block if available ( assuming that in
  LAN it's a private address scheme ) .
  We only use routable IPs. That's why we have some nets which can't be subnetted.
  What difference does it make if it's private address space ?

 The major reason to use private address space is that there is likely
 a lot more of it than you have in public address space. If you have
 effectively unlimited fixed_ip space, you can give each project a lot.
 For example, we give each project a /23. While a user could
 potentially still run out of address space on our system, it hasn't
 happened yet with our workload.
  -nld



Re: [Openstack] Instance stuck in deleting state with error

2012-08-02 Thread Jonathan Proulx
On Wed, Aug 1, 2012 at 3:12 PM, Lorin Hochstein
lo...@nimbisservices.com wrote:

 I believe pip gets it from PyPI:
 http://pypi.python.org/pypi/python-novaclient/

Ah, I documented this internally and promptly forgot, this is where my
version of python-novaclient with reset-state came from:
sudo pip install -e git+https://github.com/openstack/python-novaclient.git#egg=python-novaclient

you may want to verify the version at
http://pypi.python.org/pypi/python-novaclient has it as well.

-Jon



Re: [Openstack] Cannot pass hint to Nova Scheduler

2012-08-02 Thread Heng Xu
Hello Joseph:
I am not sure where to find the log, so I just used the screen to n-sch,
and one of the errors is 
TRACE nova.rpc.amqp ValueError: No JSON object could be decoded
and I have no idea why this happened?
Thank you.
Heng


From: Joseph Suh [j...@isi.edu]
Sent: Thursday, August 02, 2012 3:28 PM
To: Heng Xu
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Heng,

Does scheduler log show any error message or complaints?

Thanks,

Joseph


(w) 703-248-6160
(f) 703-812-3712
http://www.east.isi.edu/~jsuh

Information Sciences Institute
University of Southern California
3811 N. Fairfax Drive Suite 200
Arlington, VA, 22203, USA


- Original Message -
From: Heng Xu shouhengzhang...@mail.utoronto.ca
To: openstack@lists.launchpad.net
Sent: Thursday, August 2, 2012 10:57:53 AM
Subject: [Openstack] Cannot pass hint to Nova Scheduler



Hi folks:
I am new to openstack, I am currently trying to test the json filter, I changed 
my /etc/nova/nova.conf as follows

scheduler_driver=nova.scheduler.multi.MultiScheduler
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
volume_scheduler_driver=nova.scheduler.chance.ChanceScheduler
scheduler_available_filters=nova.scheduler.filters.standard_filters
scheduler_default_filters=JsonFilter
least_cost_functions=nova.scheduler.least_cost.compute_fill_first_cost_fn
compute_fill_first_cost_fn_weight=-1.0

so I can use the json filter
however, when I was using it, if I boot a vm without any --hint to the 
scheduler, then the vm started fine, but if I use

nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query=['=','$free_ram_mb',1024] server1

my vm started with error, and the following were output from the command above

+-+--+
| Property | Value |
+-+--+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-SRV-ATTR:host | None |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None |
| OS-EXT-SRV-ATTR:instance_name | instance-002b |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | error |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | dKvrsv4MZtfc |
| config_drive | |
| created | 2012-08-02T14:25:10Z |
| flavor | m1.tiny |
| hostId | |
| id | 9d4a5855-3c69-40ba-b50d-3a2aa6a92edc |
| image | cirros-0.3.0-x86_64-uec |
| key_name | |
| metadata | {} |
| name | server1 |
| progress | 0 |
| status | BUILD |
| tenant_id | d99ffa1b0c43455ab8dbbd81cf4380a7 |
| updated | 2012-08-02T14:25:10Z |
| user_id | d5e02f1810a44575b99a147f94507da1 |
+-+--+

as you can see, the vm is in error, this also happens whenever I need to pass a 
hint to the scheduler, as in samehostfilter and differenthostfilter,

Does anyone know what's going on, thanks in advance.
Heng


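An added example (not from the thread and not nova code) showing what the `--hint` argument above looks like after POSIX shell quote removal, and whether the resulting value decodes as JSON, which is consistent with the `No JSON object could be decoded` trace. It assumes the scheduler decodes the `query` hint value as JSON; `hint_values` and `decode_query` are hypothetical helper names, and `QUOTED` is a constructed variant of the posted command with the hint passed as one single-quoted shell word.

```python
import json
import shlex

# The command exactly as posted (image id joined onto one line).
AS_TYPED = ("nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 "
            "--flavor 1 --hint query=['=','$free_ram_mb',1024] server1")

# Constructed variant: the whole hint is one single-quoted word, so the shell
# keeps the inner double quotes and does not expand $free_ram_mb.
QUOTED = ("nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 "
          "--flavor 1 --hint 'query=[\"=\",\"$free_ram_mb\",1024]' server1")


def hint_values(command_line):
    """Return {key: value} for each --hint argument as the client receives it
    after the shell has removed quoting (shlex follows POSIX quoting rules)."""
    argv = shlex.split(command_line, posix=True)
    hints = {}
    for i, arg in enumerate(argv):
        if arg == "--hint" and i + 1 < len(argv):
            key, _, value = argv[i + 1].partition("=")
            hints[key] = value
    return hints


def decode_query(command_line):
    """Return (decoded_query, error). Exactly one of the two is None."""
    value = hint_values(command_line).get("query")
    if value is None:
        return None, "no query hint on the command line"
    try:
        return json.loads(value), None
    except ValueError as exc:            # json.JSONDecodeError is a ValueError
        return None, f"{value!r} is not JSON: {exc}"


if __name__ == "__main__":
    for label, cmd in (("as typed", AS_TYPED), ("quoted", QUOTED)):
        decoded, error = decode_query(cmd)
        print(f"{label:9s} hint value: {hint_values(cmd)['query']}")
        print(f"{'':9s} decoded   : {decoded if error is None else error}")
```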


Re: [Openstack] Angry People and OpenStack

2012-08-02 Thread Stefano Maffulli
On Thu 02 Aug 2012 07:19:28 AM PDT, George Reese wrote:
  ignore the fact that OpenStack governance has  a huge
 trust problem,

I don't think this is true: It's true that some people don't trust 
OpenStack governance, not that the governance is broken.  The bylaws 
have been discussed for months, the governance model is based on the 
processes and principles that have brought OpenStack where it is today. 
We can't stop every time to address  theoretical concerns expressed by 
people that fundamentally don't trust us (and they don't have to).

 that the product has stability and compatibility issues.

Like all products out there: nobody is perfect.

 Attack me for criticizing OpenStack when on a daily basis I am doing a
 lot of work to get into real world deployments.

You've been criticised for your questionable choice of words not for 
the content of your criticism.

While you probably ended up in somebody's killfile, your contributions 
are still appreciated by many because you *do* real things with 
OpenStack (differently from others that just like to *talk* about 
OpenStack).

Let's stick to making a great product and have fun meanwhile: this is 
an exciting time. OpenStack Foundation is being born, well funded, 
supported by a wide spectrum of companies and lots of people. The 
future is bright.

/stef



Re: [Openstack] Nova Volume and provisionning on iSCSI SAN

2012-08-02 Thread Thomas, Duncan
I guess you might need to port one of the other iSCSI-based drivers (e.g. 
lefthand) to use whatever creation/deletion/access control mechanisms your Dell 
SAN uses... This does not look to be a significant amount of work, but such 
commands aren't generally standardized so would need to be done for your 
specific SAN.

--
Duncan Thomas
HP Cloud Services, Galway

From: openstack-bounces+duncan.thomas=hp@lists.launchpad.net 
[mailto:openstack-bounces+duncan.thomas=hp@lists.launchpad.net] On Behalf 
Of Bilel Msekni
Sent: 02 August 2012 10:32
To: openstack@lists.launchpad.net
Subject: [Openstack] Nova Volume and provisionning on iSCSI SAN

Hi all,
I have a question relating to nova-volume, and provisioning block devices as 
storage for VMs. As I understand it from the documentation, nova-volume will 
take a block device with LVM on it, and then become an iSCSI target to share 
the logical volumes to compute nodes. I also understand that there is another 
process for using an HP lefthand SAN or solaris iSCSI setup, whereby 
nova-volume can interact with APIs for volume creation on the SAN itself.

I have a dell iSCSI SAN, and I can see that I'd be able to mount a LUN from the 
SAN on my nova-volume node, then go through the documented process of creating 
an LVM on this LUN and having nova-volume re-share it over iSCSI to the compute 
nodes, but what I'm wondering is whether I can have the compute nodes simply 
connect to the iSCSI SAN to access these volumes (which would be created and 
managed by nova-volume still), rather than connect each compute node to the 
iSCSI target which nova-volume presents? I imagine with this setup, I could 
take advantage of the SAN's HA and performance benefits.

Hope that makes sense..


Re: [Openstack] Nova Volume and provisionning on iSCSI SAN

2012-08-02 Thread Vishvananda Ishaya
You will likely have to write a nova-volume/cinder backend to talk to the dell 
SAN directly. You could probably base it on the HP lefthand san code and get 
something working pretty quickly:


https://github.com/openstack/nova/blob/master/nova/volume/san.py

Vish

On Aug 2, 2012, at 2:31 AM, Bilel Msekni ski...@hotmail.fr wrote:

 Hi all,
 I have a question relating to nova-volume, and provisioning block devices as 
 storage for VMs. As I understand it from the documentation, nova-volume will 
 take a block device with LVM on it, and then become an iSCSI target to share 
 the logical volumes to compute nodes. I also understand that there is another 
 process for using an HP lefthand SAN or solaris iSCSI setup, whereby 
 nova-volume can interact with APIs for volume creation on the SAN itself.
 
 I have a dell iSCSI SAN, and I can see that I'd be able to mount a LUN from 
 the SAN on my nova-volume node, then go through the documented process of 
 creating an LVM on this LUN and having nova-volume re-share it over iSCSI to 
 the compute nodes, but what I'm wondering is whether I can have the compute 
 nodes simply connect to the iSCSI SAN to access these volumes (which would be 
 created and managed by nova-volume still), rather than connect each compute 
 node to the iSCSI target which nova-volume presents? I imagine with this 
 setup, I could take advantage of the SAN's HA and performance benefits.
 
 Hope that makes sense..


Re: [Openstack] Inbound connectivity and FlatDHCP networking

2012-08-02 Thread Vishvananda Ishaya

On Aug 2, 2012, at 7:35 AM, Lars Kellogg-Stedman l...@seas.harvard.edu wrote:

 
 With a multi_host, flatDHCP model, is the general idea that fixed_ips
 are -- generally -- internal to the compute host, and all external
 access is supposed to be via floating ips?  That's sort of how it
 looks, but I hadn't seen that stated explicitly anywhere.

It isn't explicitly that way, but it is the easiest setup. It is possible to 
set up fixed ips that are accessible/routable from outside but there are a lot 
of gotchas.
 
 How does fixed_range interact with networks created via 'nova-manage
 network create ...'?  There are a few bugs (e.g.,
 https://bugs.launchpad.net/nova/+bug/741626) that suggest things need
 to be specified in both places.   Is that correct?

The snatting rule is created exclusively from fixed_range, so right now 
fixed_range must contain all created fixed networks.


Re: [Openstack] qpid_heartbeat...doesn't?

2012-08-02 Thread Lars Kellogg-Stedman
On Thu, Aug 02, 2012 at 12:33:13PM -0400, Lars Kellogg-Stedman wrote:
  Looks like a typo.
  Could you try this.
 
 FYI: The same typo appears to exist in notify_qpid.py.

Err, that is, glance/notifier/notify_qpid.py, in case it wasn't
obvious...

-- 
Lars Kellogg-Stedman l...@seas.harvard.edu        |
Senior Technologist                                | http://ac.seas.harvard.edu/
Academic Computing                                 | http://code.seas.harvard.edu/
Harvard School of Engineering and Applied Sciences |



Re: [Openstack] Cannot pass hint to Nova Scheduler

2012-08-02 Thread Pengjun Pan
Hi Heng,

The log should be in /var/log/nova/nova-scheduler.log.

PJ

On Thu, Aug 2, 2012 at 10:44 AM, Heng Xu
shouhengzhang...@mail.utoronto.ca wrote:
 Hello Joseph:
 I am not sure where to find the log, so I just used the screen to n-sch,
 and one of the errors is
 TRACE nova.rpc.amqp ValueError: No JSON object could be decoded
 and I have no idea why this happened?
 Thank you.
 Heng

 
 From: Joseph Suh [j...@isi.edu]
 Sent: Thursday, August 02, 2012 3:28 PM
 To: Heng Xu
 Cc: openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Heng,

 Does scheduler log show any error message or complaints?

 Thanks,

 Joseph

 
 (w) 703-248-6160
 (f) 703-812-3712
 http://www.east.isi.edu/~jsuh

 Information Sciences Institute
 University of Southern California
 3811 N. Fairfax Drive Suite 200
 Arlington, VA, 22203, USA


 - Original Message -
 From: Heng Xu shouhengzhang...@mail.utoronto.ca
 To: openstack@lists.launchpad.net
 Sent: Thursday, August 2, 2012 10:57:53 AM
 Subject: [Openstack] Cannot pass hint to Nova Scheduler



 Hi folks:
 I am new to openstack, I am currently trying to test the json filter, I changed 
 my /etc/nova/nova.conf as follows

 scheduler_driver=nova.scheduler.multi.MultiScheduler
 compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
 volume_scheduler_driver=nova.scheduler.chance.ChanceScheduler
 scheduler_available_filters=nova.scheduler.filters.standard_filters
 scheduler_default_filters=JsonFilter
 least_cost_functions=nova.scheduler.least_cost.compute_fill_first_cost_fn
 compute_fill_first_cost_fn_weight=-1.0

 so I can use the json filter
 however, when I was using it, if I boot a vm without any --hint to the 
 scheduler, then the vm started fine, but if I use

 nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query=['=','$free_ram_mb',1024] server1

 my vm started with error, and the following were output from the command above

 +-+--+
 | Property | Value |
 +-+--+
 | OS-DCF:diskConfig | MANUAL |
 | OS-EXT-SRV-ATTR:host | None |
 | OS-EXT-SRV-ATTR:hypervisor_hostname | None |
 | OS-EXT-SRV-ATTR:instance_name | instance-002b |
 | OS-EXT-STS:power_state | 0 |
 | OS-EXT-STS:task_state | scheduling |
 | OS-EXT-STS:vm_state | error |
 | accessIPv4 | |
 | accessIPv6 | |
 | adminPass | dKvrsv4MZtfc |
 | config_drive | |
 | created | 2012-08-02T14:25:10Z |
 | flavor | m1.tiny |
 | hostId | |
 | id | 9d4a5855-3c69-40ba-b50d-3a2aa6a92edc |
 | image | cirros-0.3.0-x86_64-uec |
 | key_name | |
 | metadata | {} |
 | name | server1 |
 | progress | 0 |
 | status | BUILD |
 | tenant_id | d99ffa1b0c43455ab8dbbd81cf4380a7 |
 | updated | 2012-08-02T14:25:10Z |
 | user_id | d5e02f1810a44575b99a147f94507da1 |
 +-+--+

 as you can see, the vm is in error, this also happens whenever I need to pass 
 a hint to the scheduler, as in samehostfilter and differenthostfilter,

 Does anyone know what's going on, thanks in advance.
 Heng




Re: [Openstack] Cannot pass hint to Nova Scheduler

2012-08-02 Thread Heng Xu
Hi PJ

I don't know what happened, I could not find the file in my Ubuntu filesystem, I 
searched for it, no result, but I just used ./stack.sh to install it. Is it 
just me who could not find the file? Any thoughts?
thank you

Heng

From: Pengjun Pan [panpeng...@gmail.com]
Sent: Thursday, August 02, 2012 4:42 PM
To: Heng Xu
Cc: Joseph Suh; openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Hi Heng,

The log should be in /var/log/nova/nova-scheduler.log.

PJ

On Thu, Aug 2, 2012 at 10:44 AM, Heng Xu
shouhengzhang...@mail.utoronto.ca wrote:
 Hello Joseph:
 I am not sure where to find the log, so I just used the screen to n-sch,
 and one of the error is
 TRACE nova.rpc.amqp ValueError: No JSON object could be decoded
 and I have no idea why this happened?
 Thank you.
 Heng

 
 From: Joseph Suh [j...@isi.edu]
 Sent: Thursday, August 02, 2012 3:28 PM
 To: Heng Xu
 Cc: openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Heng,

 Does scheduler log show any error message or complaints?

 Thanks,

 Joseph

 
 (w) 703-248-6160
 (f) 703-812-3712
 http://www.east.isi.edu/~jsuh

 Information Sciences Institute
 University of Southern California
 3811 N. Fairfax Drive Suite 200
 Arlington, VA, 22203, USA


 - Original Message -
 From: Heng Xu shouhengzhang...@mail.utoronto.ca
 To: openstack@lists.launchpad.net
 Sent: Thursday, August 2, 2012 10:57:53 AM
 Subject: [Openstack] Cannot pass hint to Nova Scheduler



 Hi folks:
 I am new to openstack, I am current trying to test the json filter, I changed 
 my /etc/nova/nova.conf as follow

 scheduler_driver=nova.scheduler.multi.MultiScheduler
 compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
 volume_scheduler_driver=nova.scheduler.chance.ChanceScheduler
 scheduler_available_filters=nova.scheduler.filters.standard_filters
 scheduler_default_filters=JsonFilter
 least_cost_functions=nova.scheduler.least_cost.compute_fill_first_cost_fn
 compute_fill_first_cost_fn_weight=-1.0

 so I can use the json filter
 however, when I was using it, if I boot a vm without any --hint to the 
 scheduler, then the vm started fine, but if I use

 nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query=['=','$free_ram_mb',1024] server1

 my vm started with error, and the following were output from the command above

 +-+--+
 | Property | Value |
 +-+--+
 | OS-DCF:diskConfig | MANUAL |
 | OS-EXT-SRV-ATTR:host | None |
 | OS-EXT-SRV-ATTR:hypervisor_hostname | None |
 | OS-EXT-SRV-ATTR:instance_name | instance-002b |
 | OS-EXT-STS:power_state | 0 |
 | OS-EXT-STS:task_state | scheduling |
 | OS-EXT-STS:vm_state | error |
 | accessIPv4 | |
 | accessIPv6 | |
 | adminPass | dKvrsv4MZtfc |
 | config_drive | |
 | created | 2012-08-02T14:25:10Z |
 | flavor | m1.tiny |
 | hostId | |
 | id | 9d4a5855-3c69-40ba-b50d-3a2aa6a92edc |
 | image | cirros-0.3.0-x86_64-uec |
 | key_name | |
 | metadata | {} |
 | name | server1 |
 | progress | 0 |
 | status | BUILD |
 | tenant_id | d99ffa1b0c43455ab8dbbd81cf4380a7 |
 | updated | 2012-08-02T14:25:10Z |
 | user_id | d5e02f1810a44575b99a147f94507da1 |
 +-+--+

 as you can see, the vm is in error, this also happens whenever I need to pass 
 a hint to the scheduler, as in samehostfilter and differenthostfilter,

 Does anyone know what's going on, thanks in advance.
 Heng




Re: [Openstack] Cannot pass hint to Nova Scheduler

2012-08-02 Thread Pengjun Pan
Hi Heng,

I didn't know that you were using devstack. The path I provided is for
manual installation of openstack. I didn't try it with devstack.

According to https://answers.launchpad.net/nova/+question/176973,
devstack outputs the log to the screen. Try Vish's suggestion.

Good luck.

PJ

On Thu, Aug 2, 2012 at 11:47 AM, Heng Xu
shouhengzhang...@mail.utoronto.ca wrote:
 Hi PJ

 I don't know what happen, I could not find the file in my Ubuntu filesystem, 
 I searched for it, no result, but I just used ./stack.sh to install it, I it 
 is just me could not find the file? Any thoughts?
 thank you

 Heng
 
 From: Pengjun Pan [panpeng...@gmail.com]
 Sent: Thursday, August 02, 2012 4:42 PM
 To: Heng Xu
 Cc: Joseph Suh; openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Hi Heng,

 The log should be in /var/log/nova/nova-scheduler.log.

 PJ

 On Thu, Aug 2, 2012 at 10:44 AM, Heng Xu
 shouhengzhang...@mail.utoronto.ca wrote:
 Hello Joseph:
 I am not sure where to find the log, so I just used the screen to n-sch,
 and one of the error is
 TRACE nova.rpc.amqp ValueError: No JSON object could be decoded
 and I have no idea why this happened?
 Thank you.
 Heng

 
 From: Joseph Suh [j...@isi.edu]
 Sent: Thursday, August 02, 2012 3:28 PM
 To: Heng Xu
 Cc: openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Heng,

 Does scheduler log show any error message or complaints?

 Thanks,

 Joseph

 
 (w) 703-248-6160
 (f) 703-812-3712
 http://www.east.isi.edu/~jsuh

 Information Sciences Institute
 University of Southern California
 3811 N. Fairfax Drive Suite 200
 Arlington, VA, 22203, USA


 - Original Message -
 From: Heng Xu shouhengzhang...@mail.utoronto.ca
 To: openstack@lists.launchpad.net
 Sent: Thursday, August 2, 2012 10:57:53 AM
 Subject: [Openstack] Cannot pass hint to Nova Scheduler



 Hi folks:
 I am new to openstack, I am current trying to test the json filter, I 
 changed my /etc/nova/nova.conf as follow

 scheduler_driver=nova.scheduler.multi.MultiScheduler
 compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
 volume_scheduler_driver=nova.scheduler.chance.ChanceScheduler
 scheduler_available_filters=nova.scheduler.filters.standard_filters
 scheduler_default_filters=JsonFilter
 least_cost_functions=nova.scheduler.least_cost.compute_fill_first_cost_fn
 compute_fill_first_cost_fn_weight=-1.0

 so I can use the json filter
 however, when I was using it, if I boot a vm without any --hint to the 
 scheduler, then the vm started fine, but if I use

 nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query=['=','$free_ram_mb',1024] server1

 my vm started with error, and the following were output from the command 
 above

 +-+--+
 | Property | Value |
 +-+--+
 | OS-DCF:diskConfig | MANUAL |
 | OS-EXT-SRV-ATTR:host | None |
 | OS-EXT-SRV-ATTR:hypervisor_hostname | None |
 | OS-EXT-SRV-ATTR:instance_name | instance-002b |
 | OS-EXT-STS:power_state | 0 |
 | OS-EXT-STS:task_state | scheduling |
 | OS-EXT-STS:vm_state | error |
 | accessIPv4 | |
 | accessIPv6 | |
 | adminPass | dKvrsv4MZtfc |
 | config_drive | |
 | created | 2012-08-02T14:25:10Z |
 | flavor | m1.tiny |
 | hostId | |
 | id | 9d4a5855-3c69-40ba-b50d-3a2aa6a92edc |
 | image | cirros-0.3.0-x86_64-uec |
 | key_name | |
 | metadata | {} |
 | name | server1 |
 | progress | 0 |
 | status | BUILD |
 | tenant_id | d99ffa1b0c43455ab8dbbd81cf4380a7 |
 | updated | 2012-08-02T14:25:10Z |
 | user_id | d5e02f1810a44575b99a147f94507da1 |
 +-+--+

 as you can see, the vm is in error, this also happens whenever I need to 
 pass a hint to the scheduler, as in samehostfilter and differenthostfilter,

 Does anyone know what's going on, thanks in advance.
 Heng




Re: [Openstack] Nova Volume and provisionning on iSCSI SAN

2012-08-02 Thread John Griffith
On Thu, Aug 2, 2012 at 10:21 AM, Vishvananda Ishaya
vishvana...@gmail.com wrote:
 You will likely have to write a nova-volume/cinder backend to talk to the
 dell SAN directly. You could probably base it on the HP lefthand san code
 and get something working pretty quickly:


 https://github.com/openstack/nova/blob/master/nova/volume/san.py

 Vish

 On Aug 2, 2012, at 2:31 AM, Bilel Msekni ski...@hotmail.fr wrote:

 Hi all,
 I have a question relating to nova-volume, and provisioning block devices as
 storage for VMs. As I understand it from the documentation, nova-volume will
 take a block device with LVM on it, and then become an iSCSI target to share
 the logical volumes to compute nodes. I also understand that there is
 another process for using an HP lefthand SAN or solaris iSCSI setup, whereby
 nova-volume can interact with APIs for volume creation on the SAN itself.

 I have a dell iSCSI SAN, and I can see that I'd be able to mount a LUN from
 the SAN on my nova-volume node, then go through the documented process of
 creating an LVM on this LUN and having nova-volume re-share it over iSCSI to
 the compute nodes, but what I'm wondering is whether I can have the compute
 nodes simple connect to the iSCSI SAN to access these volumes (which would
 be created and managed by nova-volume still), rather than connect each
 compute node to the iSCSI target which nova-volume presents? I imagine with
 this setup, I could take advantage of the SAN's HA and performance benefits.

 Hope that makes sense..


Bilel,

If you need some help with this let me know.  I'll be back from
vacation tomorrow and can point a few things out to you if needed.

John



[Openstack] [nova] Reminder: nova team meeting today at 2100 UTC

2012-08-02 Thread Vishvananda Ishaya
Hello Everyone,

Just a quick reminder that we are having a nova team meeting today at 2100 UTC. 
That is 2PM on the West Coast, and 4PM Central. Check your city/timezone here:

http://www.timeanddate.com/worldclock/fixedtime.html?hour=21&min=0&sec=0

The agenda is located at:

http://wiki.openstack.org/Meetings/Nova

See you all in a few hours!

Vish


Re: [Openstack] Qcow2 Details on base images

2012-08-02 Thread Jay Pipes
On 08/02/2012 07:47 AM, Gaurab Basu wrote:
 Hi Jay,
 
 Thanks for your reply, it helped me get started.
 
 I have been going through the code and some of the sparse docs that are
 available.
 
 This is the code file
 https://github.com/openstack/nova/blob/master/nova/virt/libvirt/utils.py
 
 However I am facing a new issue and require some help. I wanted to
 modify how openstack handles the cow layer as such and also the qcow2
 format.
 It turns out that openstack issues the external command qemu-img.
 
 First of all, is qemu-img internal to openstack ( I mean code for how
 qemu-img is implemented is in openstack or in qemu )
 It is in openstack, where is the code located.
 
 If it is outside openstack, does that mean i have to change the code in
 qemu and then link those binaries with openstack.

QEMU is a totally separate project from Nova, yes. QEMU is written in C
and has a number of executables such as qemu-img and qemu-nbd, etc. Nova
calls out to these executables in subprocesses.

If you want to make changes to QEMU, yes, you would want to look into
the QEMU contribution process and community.

Here's where to start:

http://wiki.qemu.org/Documentation/GettingStartedDevelopers

Best,
-jay



Re: [Openstack] Node Disk Cleaning Script

2012-08-02 Thread Pádraig Brady
On 08/02/2012 12:12 PM, Алексей Кайтаз wrote:
 Hi!
 I hope this script will be useful for somebody.
 
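 #!/bin/bash
 cd /var/lib/nova/instances || exit 1
 # Record every backing file that an instance disk still refers to.
 find . -name 'disk*' | xargs -n1 qemu-img info | grep backing |
     sed -e 's/.*file: //' -e 's/ .*//' | sort | uniq > /tmp/ignore
 # Build a find expression that skips each backing file still in use.
 ARGS=()
 while read -r i; do
     ARGS+=( \( ! -path "$i" \) )
 done < /tmp/ignore
 # Delete the base images that no instance disk refers to.
 find /var/lib/nova/instances/_base/ -type f "${ARGS[@]}" -delete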

This is done automatically by nova when you enable this in /etc/nova/nova.conf

  remove_unused_base_images = True

That is done in Fedora/EPEL packages for the last while,
and will default on in the next folsom release.

cheers,
Pádraig.



Re: [Openstack] Inbound connectivity and FlatDHCP networking

2012-08-02 Thread Lars Kellogg-Stedman
On Thu, Aug 02, 2012 at 09:24:56AM -0700, Vishvananda Ishaya wrote:
 It isn't explicitly that way, but it is the easiest setup. It is
 possible to set up fixed ips that are accessible/routable from
 outside but there are a lot of gotchas

Got it.

 The snatting rule is created exclusively from fixed_range, so right
 now fixed_range must contain all created fixed networks.

Thanks, that clears up a mystery!  We've now got inbound networking
operating correctly, although it did require us to fiddle around with
some policy routing rules to get traffic going to the right gateway.
I'm going to write up some details and post it here later.

-- 
Lars Kellogg-Stedman l...@seas.harvard.edu   |
Senior Technologist| http://ac.seas.harvard.edu/
Academic Computing | http://code.seas.harvard.edu/
Harvard School of Engineering and Applied Sciences |



[Openstack] Preventing OpenStack from allocating some floating ips?

2012-08-02 Thread Lars Kellogg-Stedman
If I create a floating address range like this:

  nova-manage floating create --ip_range=10.243.30.0/24

Is there any way to block out specific addresses in that range?  For
example, the .1 address is the network gateway, and everything will
fall apart if that address is accidentally allocated to an instance.

Similarly, our host needs an address in that range in order to route
traffic to the gateway.

Is there any way to exempt specific addresses?  I realize that instead
of allocating a /24 I could allocate a series of, say, /28 networks,
but that seems a little clumsy.

Thanks,

-- 
Lars Kellogg-Stedman l...@seas.harvard.edu   |
Senior Technologist| http://ac.seas.harvard.edu/
Academic Computing | http://code.seas.harvard.edu/
Harvard School of Engineering and Applied Sciences |



Re: [Openstack] qpid_heartbeat...doesn't?

2012-08-02 Thread Pádraig Brady
On 08/02/2012 05:35 PM, Lars Kellogg-Stedman wrote:
 On Thu, Aug 02, 2012 at 12:33:13PM -0400, Lars Kellogg-Stedman wrote:
 Looks like a typo.
 Could you try this.

 FYI: The same typo appears to exist in notify_qpid.py.
 
 Err, that is, glance/notifier/notify_qpid.py, in case it wasn't
 obvious...

Well spotted.
I've submitted a patch for:
https://bugs.launchpad.net/glance/+bug/1032314

cheers,
Pádraig.



Re: [Openstack] Cannot pass hint to Nova Scheduler

2012-08-02 Thread Heng Xu
Hi, I recorded the error message, below

2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
/opt/stack/nova/nova/scheduler/filters/json_filter.py, line 141, in 
host_passes
2012-08-02 13:51:02 TRACE nova.rpc.amqp result = 
self._process_filter(jsonutils.loads(query), host_state)
2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
/opt/stack/nova/nova/openstack/common/jsonutils.py, line 123, in loads
2012-08-02 13:51:02 TRACE nova.rpc.amqp return json.loads(s)
2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
/usr/lib/python2.7/json/__init__.py, line 326, in loads
2012-08-02 13:51:02 TRACE nova.rpc.amqp return _default_decoder.decode(s)
2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
/usr/lib/python2.7/json/decoder.py, line 366, in decode
2012-08-02 13:51:02 TRACE nova.rpc.amqp obj, end = self.raw_decode(s, 
idx=_w(s, 0).end())
2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
/usr/lib/python2.7/json/decoder.py, line 384, in raw_decode
2012-08-02 13:51:02 TRACE nova.rpc.amqp raise ValueError(No JSON object 
could be decoded)
2012-08-02 13:51:02 TRACE nova.rpc.amqp ValueError: No JSON object could be 
decoded
2012-08-02 13:51:02 TRACE nova.rpc.amqp 

It seems that the filter cannot find my json file, so although I was using the 
--hint functionality, whatever was typed after the hint did not go to the filter 
host_passed function, so it could not locate the json object. Any thoughts?
Thanks. Heng


From: openstack-bounces+shouhengzhang.xu=mail.utoronto...@lists.launchpad.net 
[openstack-bounces+shouhengzhang.xu=mail.utoronto...@lists.launchpad.net] on 
behalf of Heng Xu [shouhengzhang...@mail.utoronto.ca]
Sent: Thursday, August 02, 2012 4:47 PM
To: Pengjun Pan
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Hi PJ

I don't know what happen, I could not find the file in my Ubuntu filesystem, I 
searched for it, no result, but I just used ./stack.sh to install it, I it is 
just me could not find the file? Any thoughts?
thank you

Heng

From: Pengjun Pan [panpeng...@gmail.com]
Sent: Thursday, August 02, 2012 4:42 PM
To: Heng Xu
Cc: Joseph Suh; openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Hi Heng,

The log should be in /var/log/nova/nova-scheduler.log.

PJ

On Thu, Aug 2, 2012 at 10:44 AM, Heng Xu
shouhengzhang...@mail.utoronto.ca wrote:
 Hello Joseph:
 I am not sure where to find the log, so I just used the screen to n-sch,
 and one of the error is
 TRACE nova.rpc.amqp ValueError: No JSON object could be decoded
 and I have no idea why this happened?
 Thank you.
 Heng

 
 From: Joseph Suh [j...@isi.edu]
 Sent: Thursday, August 02, 2012 3:28 PM
 To: Heng Xu
 Cc: openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Heng,

 Does scheduler log show any error message or complaints?

 Thanks,

 Joseph

 
 (w) 703-248-6160
 (f) 703-812-3712
 http://www.east.isi.edu/~jsuh

 Information Sciences Institute
 University of Southern California
 3811 N. Fairfax Drive Suite 200
 Arlington, VA, 22203, USA


 - Original Message -
 From: Heng Xu shouhengzhang...@mail.utoronto.ca
 To: openstack@lists.launchpad.net
 Sent: Thursday, August 2, 2012 10:57:53 AM
 Subject: [Openstack] Cannot pass hint to Nova Scheduler



 Hi folks:
 I am new to openstack, I am current trying to test the json filter, I changed 
 my /etc/nova/nova.conf as follow

 scheduler_driver=nova.scheduler.multi.MultiScheduler
 compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
 volume_scheduler_driver=nova.scheduler.chance.ChanceScheduler
 scheduler_available_filters=nova.scheduler.filters.standard_filters
 scheduler_default_filters=JsonFilter
 least_cost_functions=nova.scheduler.least_cost.compute_fill_first_cost_fn
 compute_fill_first_cost_fn_weight=-1.0

 so I can use the json filter
 however, when I was using it, if I boot a vm without any --hint to the 
 scheduler, then the vm started fine, but if I use

 nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query=['=','$free_ram_mb',1024] server1

 my vm started with error, and the following were output from the command above

 +-+--+
 | Property | Value |
 +-+--+
 | OS-DCF:diskConfig | MANUAL |
 | OS-EXT-SRV-ATTR:host | None |
 | OS-EXT-SRV-ATTR:hypervisor_hostname | None |
 | OS-EXT-SRV-ATTR:instance_name | instance-002b |
 | OS-EXT-STS:power_state | 0 |
 | OS-EXT-STS:task_state | scheduling |
 | OS-EXT-STS:vm_state | error |
 | accessIPv4 | |
 | accessIPv6 | |
 | adminPass | dKvrsv4MZtfc |
 | config_drive | |
 | created | 2012-08-02T14:25:10Z |
 | flavor | m1.tiny |
 | hostId | |
 | id | 9d4a5855-3c69-40ba-b50d-3a2aa6a92edc |
 | image | 

Re: [Openstack] Cannot pass hint to Nova Scheduler

2012-08-02 Thread Pengjun Pan
Post your filter file. Might be a typo.

PJ

On Thu, Aug 2, 2012 at 1:02 PM, Heng Xu
shouhengzhang...@mail.utoronto.ca wrote:
 Hi, I recorded the error message, below

 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
 /opt/stack/nova/nova/scheduler/filters/json_filter.py, line 141, in 
 host_passes
 2012-08-02 13:51:02 TRACE nova.rpc.amqp result = 
 self._process_filter(jsonutils.loads(query), host_state)
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
 /opt/stack/nova/nova/openstack/common/jsonutils.py, line 123, in loads
 2012-08-02 13:51:02 TRACE nova.rpc.amqp return json.loads(s)
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
 /usr/lib/python2.7/json/__init__.py, line 326, in loads
 2012-08-02 13:51:02 TRACE nova.rpc.amqp return _default_decoder.decode(s)
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
 /usr/lib/python2.7/json/decoder.py, line 366, in decode
 2012-08-02 13:51:02 TRACE nova.rpc.amqp obj, end = self.raw_decode(s, 
 idx=_w(s, 0).end())
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
 /usr/lib/python2.7/json/decoder.py, line 384, in raw_decode
 2012-08-02 13:51:02 TRACE nova.rpc.amqp raise ValueError(No JSON object 
 could be decoded)
 2012-08-02 13:51:02 TRACE nova.rpc.amqp ValueError: No JSON object could be 
 decoded
 2012-08-02 13:51:02 TRACE nova.rpc.amqp

 it seems that the filter cannot find my json file, so although I was using 
 the --hint functionality, whatever typed after the hint did not went to the 
 filter host_passed function, so it could not locate the json object, any 
 thoughts?
 Thanks. Heng

 
 From: openstack-bounces+shouhengzhang.xu=mail.utoronto...@lists.launchpad.net 
 [openstack-bounces+shouhengzhang.xu=mail.utoronto...@lists.launchpad.net] on 
 behalf of Heng Xu [shouhengzhang...@mail.utoronto.ca]
 Sent: Thursday, August 02, 2012 4:47 PM
 To: Pengjun Pan
 Cc: openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Hi PJ

 I don't know what happen, I could not find the file in my Ubuntu filesystem, 
 I searched for it, no result, but I just used ./stack.sh to install it, I it 
 is just me could not find the file? Any thoughts?
 thank you

 Heng
 
 From: Pengjun Pan [panpeng...@gmail.com]
 Sent: Thursday, August 02, 2012 4:42 PM
 To: Heng Xu
 Cc: Joseph Suh; openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Hi Heng,

 The log should be in /var/log/nova/nova-scheduler.log.

 PJ

 On Thu, Aug 2, 2012 at 10:44 AM, Heng Xu
 shouhengzhang...@mail.utoronto.ca wrote:
 Hello Joseph:
 I am not sure where to find the log, so I just used the screen to n-sch,
 and one of the error is
 TRACE nova.rpc.amqp ValueError: No JSON object could be decoded
 and I have no idea why this happened?
 Thank you.
 Heng

 
 From: Joseph Suh [j...@isi.edu]
 Sent: Thursday, August 02, 2012 3:28 PM
 To: Heng Xu
 Cc: openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Heng,

 Does scheduler log show any error message or complaints?

 Thanks,

 Joseph

 
 (w) 703-248-6160
 (f) 703-812-3712
 http://www.east.isi.edu/~jsuh

 Information Sciences Institute
 University of Southern California
 3811 N. Fairfax Drive Suite 200
 Arlington, VA, 22203, USA


 - Original Message -
 From: Heng Xu shouhengzhang...@mail.utoronto.ca
 To: openstack@lists.launchpad.net
 Sent: Thursday, August 2, 2012 10:57:53 AM
 Subject: [Openstack] Cannot pass hint to Nova Scheduler



 Hi folks:
 I am new to openstack, I am current trying to test the json filter, I 
 changed my /etc/nova/nova.conf as follow

 scheduler_driver=nova.scheduler.multi.MultiScheduler
 compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
 volume_scheduler_driver=nova.scheduler.chance.ChanceScheduler
 scheduler_available_filters=nova.scheduler.filters.standard_filters
 scheduler_default_filters=JsonFilter
 least_cost_functions=nova.scheduler.least_cost.compute_fill_first_cost_fn
 compute_fill_first_cost_fn_weight=-1.0

 so I can use the json filter
 however, when I was using it, if I boot a vm without any --hint to the 
 scheduler, then the vm started fine, but if I use

 nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query=['=','$free_ram_mb',1024] server1

 my vm started with error, and the following were output from the command 
 above

 +-+--+
 | Property | Value |
 +-+--+
 | OS-DCF:diskConfig | MANUAL |
 | OS-EXT-SRV-ATTR:host | None |
 | OS-EXT-SRV-ATTR:hypervisor_hostname | None |
 | OS-EXT-SRV-ATTR:instance_name | instance-002b |
 | OS-EXT-STS:power_state | 0 |
 | OS-EXT-STS:task_state | scheduling |
 | OS-EXT-STS:vm_state | error |
 | accessIPv4 | |
 | accessIPv6 | |
 

Re: [Openstack] Cannot pass hint to Nova Scheduler

2012-08-02 Thread Heng Xu
Hi, attached is the json_filter file I used, but it just came with the 
devstack script installation; I did not even modify it.
Heng

From: Pengjun Pan [panpeng...@gmail.com]
Sent: Thursday, August 02, 2012 6:07 PM
To: Heng Xu
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

Post your filter file. Might be a typo.

PJ

On Thu, Aug 2, 2012 at 1:02 PM, Heng Xu
shouhengzhang...@mail.utoronto.ca wrote:
 Hi, I recorded the error message, below

 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
 /opt/stack/nova/nova/scheduler/filters/json_filter.py, line 141, in 
 host_passes
 2012-08-02 13:51:02 TRACE nova.rpc.amqp result = 
 self._process_filter(jsonutils.loads(query), host_state)
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
 /opt/stack/nova/nova/openstack/common/jsonutils.py, line 123, in loads
 2012-08-02 13:51:02 TRACE nova.rpc.amqp return json.loads(s)
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
 /usr/lib/python2.7/json/__init__.py, line 326, in loads
 2012-08-02 13:51:02 TRACE nova.rpc.amqp return _default_decoder.decode(s)
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
 /usr/lib/python2.7/json/decoder.py, line 366, in decode
 2012-08-02 13:51:02 TRACE nova.rpc.amqp obj, end = self.raw_decode(s, 
 idx=_w(s, 0).end())
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File 
 /usr/lib/python2.7/json/decoder.py, line 384, in raw_decode
 2012-08-02 13:51:02 TRACE nova.rpc.amqp raise ValueError(No JSON object 
 could be decoded)
 2012-08-02 13:51:02 TRACE nova.rpc.amqp ValueError: No JSON object could be 
 decoded
 2012-08-02 13:51:02 TRACE nova.rpc.amqp

 it seems that the filter cannot find my json file, so although I was using 
 the --hint functionality, whatever typed after the hint did not went to the 
 filter host_passed function, so it could not locate the json object, any 
 thoughts?
 Thanks. Heng

 
 From: openstack-bounces+shouhengzhang.xu=mail.utoronto...@lists.launchpad.net 
 [openstack-bounces+shouhengzhang.xu=mail.utoronto...@lists.launchpad.net] on 
 behalf of Heng Xu [shouhengzhang...@mail.utoronto.ca]
 Sent: Thursday, August 02, 2012 4:47 PM
 To: Pengjun Pan
 Cc: openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Hi PJ

 I don't know what happen, I could not find the file in my Ubuntu filesystem, 
 I searched for it, no result, but I just used ./stack.sh to install it, I it 
 is just me could not find the file? Any thoughts?
 thank you

 Heng
 
 From: Pengjun Pan [panpeng...@gmail.com]
 Sent: Thursday, August 02, 2012 4:42 PM
 To: Heng Xu
 Cc: Joseph Suh; openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Hi Heng,

 The log should be in /var/log/nova/nova-scheduler.log.

 PJ

 On Thu, Aug 2, 2012 at 10:44 AM, Heng Xu
 shouhengzhang...@mail.utoronto.ca wrote:
 Hello Joseph:
 I am not sure where to find the log, so I just used the screen to n-sch,
 and one of the error is
 TRACE nova.rpc.amqp ValueError: No JSON object could be decoded
 and I have no idea why this happened?
 Thank you.
 Heng

 
 From: Joseph Suh [j...@isi.edu]
 Sent: Thursday, August 02, 2012 3:28 PM
 To: Heng Xu
 Cc: openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Heng,

 Does scheduler log show any error message or complaints?

 Thanks,

 Joseph

 
 (w) 703-248-6160
 (f) 703-812-3712
 http://www.east.isi.edu/~jsuh

 Information Sciences Institute
 University of Southern California
 3811 N. Fairfax Drive Suite 200
 Arlington, VA, 22203, USA


 - Original Message -
 From: Heng Xu shouhengzhang...@mail.utoronto.ca
 To: openstack@lists.launchpad.net
 Sent: Thursday, August 2, 2012 10:57:53 AM
 Subject: [Openstack] Cannot pass hint to Nova Scheduler



 Hi folks:
 I am new to openstack, I am current trying to test the json filter, I 
 changed my /etc/nova/nova.conf as follow

 scheduler_driver=nova.scheduler.multi.MultiScheduler
 compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
 volume_scheduler_driver=nova.scheduler.chance.ChanceScheduler
 scheduler_available_filters=nova.scheduler.filters.standard_filters
 scheduler_default_filters=JsonFilter
 least_cost_functions=nova.scheduler.least_cost.compute_fill_first_cost_fn
 compute_fill_first_cost_fn_weight=-1.0

 so I can use the json filter
 however, when I was using it, if I boot a vm without any --hint to the 
 scheduler, then the vm started fine, but if I use

 nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query=['=','$free_ram_mb',1024] server1

 my vm started with error, and the following were output from the command 
 above

 +-+--+
 | Property | Value |
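
The traceback quoted in this thread ends in json.loads() inside the JsonFilter, so what matters is the exact string that reaches the scheduler as the query hint. The sketch below is an added example (not code from the thread or from nova): it assumes the boot command was typed exactly as printed above, uses a placeholder IMAGE_ID, and the helper names hint_value_after_shell and check_query_hint are hypothetical.

```python
import json
import shlex

# Constructed sample: the command as printed in the thread (IMAGE_ID is a placeholder).
TYPED_UNQUOTED = ("nova boot --image IMAGE_ID --flavor 1 "
                  "--hint query=['=','$free_ram_mb',1024] server1")
# Constructed sample: the same hint wrapped in single quotes for the shell,
# with JSON double quotes around the strings inside.
TYPED_QUOTED = ("nova boot --image IMAGE_ID --flavor 1 "
                "--hint 'query=[\"=\",\"$free_ram_mb\",1024]' server1")


def hint_value_after_shell(command_line, key="query"):
    """Return the value of `--hint <key>=...` as the client program receives it.

    shlex.split applies POSIX word splitting and quote removal. In both
    samples $free_ram_mb sits inside single quotes, so a real shell would
    not expand it either.
    """
    argv = shlex.split(command_line)
    for flag, arg in zip(argv, argv[1:]):
        if flag == "--hint" and arg.startswith(key + "="):
            return arg[len(key) + 1:]
    return None


def check_query_hint(value):
    """Check a query hint on the client side before it is sent to the scheduler.

    Returns (True, parsed_list) or (False, reason), so a malformed hint is
    rejected up front instead of raising inside the scheduler and leaving
    the instance in the error state.
    """
    try:
        parsed = json.loads(value)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        return False, "not JSON: %s" % exc
    if not isinstance(parsed, list) or not parsed:
        return False, "query must be a non-empty JSON list"
    if not isinstance(parsed[0], str):
        return False, "first element must be an operator string"
    return True, parsed


if __name__ == "__main__":
    for typed in (TYPED_UNQUOTED, TYPED_QUOTED):
        value = hint_value_after_shell(typed)
        print(repr(value), "->", check_query_hint(value))
```
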
 

Re: [Openstack] Angry People and OpenStack

2012-08-02 Thread Matt Joyce
George I like your contributions.

I also like the idea of people treating each other well.  Makes it easier
for us to have the discussions you want to have.

-Matt

On Thu, Aug 2, 2012 at 8:54 AM, Stefano Maffulli stef...@openstack.org wrote:

 On Thu 02 Aug 2012 07:19:28 AM PDT, George Reese wrote:
   ignore the fact that OpenStack governance has  a huge
  trust problem,

 I don't think this is true: It's true that some people don't trust
 OpenStack governance, not that the governance is broken.  The bylaws
 have been discussed for months, the governance model is based on the
 processes and principles that have brought OpenStack where it is today.
 We can't stop every time to address  theoretical concerns expressed by
 people that fundamentally don't trust us (and they don't have to).

  that the product has stability and compatibility issues.

 Like all products out there: nobody is perfect.

  Attack me for criticizing OpenStack when on a daily basis I am doing a
  lot of work to get into real world deployments.

 you've been criticised for your questionable choice of words not for
 the content of your criticism.

 While you probably ended up in somebody's killfile, your contributions
 are still appreciated by many because you *do* real things with
 OpenStack (differently from others that just like to *talk* about
 OpenStack).

 Let's stick to making a great product and have fun meanwhile: this is
 an exciting time. OpenStack Foundation is being born, well funded,
 supported by a wide spectrum of companies and lots of people. The
 future is bright.

 /stef

 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp



[Openstack] Fwd: Re: Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Adam Young
Originally responded just to Christopher.  Forwarding this on to the 
main list.


First of all, let me say thanks to everyone participating in the 
discussion. This is the only way we are going to identify all of the 
issues and come up with a decent implementation. I knew this would be a 
touchy subject when we first started designing it, and suspected that it 
would take some form of commit before the discussion hit the majority of 
the community.



On 08/02/2012 02:20 PM, Christopher MacGown wrote:

On Thursday, August 2, 2012 at 6:59 AM, Adam Young wrote:


So, let me put the onus on you:  make the argument for rapid 
revocation of tokens.

If you are deploying OpenStack and providing access to third parties, 
and for whatever reason you terminate a relationship with that third 
party — whether they cancel, you've banned them, you've removed a user 
from a tenant/project — you want that third party to immediately lose 
access to whatever capability they had prior to that termination. 
Leaving non-affiliated users with access to resources is a serious 
security risk that would make OpenStack  unusable in a regulated 
environment.


In those cases, you probably want to continue on with online token 
checking,  regardless of UUID/PKI.  That ability will not go away.  We 
probably do need a configuration option for auth_token that indicates 
whether it should verify with PKI or not,  but my guess is that the real 
policy will be dictated by keystone. Perhaps what we really need is for 
the remote services to query this value from the keystone server.  It 
could do the check when it originally fetches certificates.  The 
certificates themselves could be shorter lived (say 24 hours) and 
refreshed when they expire.


Automatic Management of the certificates probably should also be 
configurable, with many organizations preferring to use Puppet etc.


I suspect that we are going to want a more nuanced policy/mechanism long 
term,  something along the lines of:


Tenant specific PKI tickets are short lived, say 5 minutes.
Non-tenant specific tickets are used to get tenant specific tickets.
Long running tasks will call back to Keystone to verify ticket validity 
using  UUID tokens.



If we start doing something along the lines of Federation as I've started
https://blueprints.launchpad.net/keystone/+spec/federation
You would also have the option of revoking the signing certificate for a 
whole domain,  which would be an effective way to deny access to a swath 
of people, say on a breach of contract.


In large organizations, there is always going to be some non-zero delay 
between the decision to revoke authorization and the implementation 
of that decision.  With LDAP replication,  at a minimum you have the 
replication delay.  The question is what that acceptable delay is in a 
given scenario.  It may not be the same even for all use cases even in a 
large organization.







--
Christopher MacGown, CTO
Piston Cloud Computing, Inc.
w: (650) 24-CLOUD
m: (415) 300-0944
http://www.pistoncloud.com
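
Added example, not part of the thread and not Keystone code: it contrasts the two validation modes argued over above, offline signature-and-expiry checking versus a call back to the issuer, and measures how long a revoked user's token keeps working under each. HMAC stands in for the PKI signature so the block runs on the standard library alone (with real PKI the services would hold only the public certificate); the class, function, user and tenant names and the key are constructed.

```python
import base64
import hashlib
import hmac
import json


class Issuer:
    """Stand-in for the identity service: signs tokens, records revocations."""

    def __init__(self, key):
        self._key = key
        self._revoked_users = set()

    def issue(self, user, tenant, now, ttl):
        claims = {"user": user, "tenant": tenant, "expires": now + ttl}
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        return body + "." + _sign(self._key, body)

    def revoke_user(self, user):
        self._revoked_users.add(user)

    def validate_online(self, token, now):
        """Per-request check at the issuer: sees a revocation immediately."""
        claims = validate_offline(token, self._key, now)
        if claims is None or claims["user"] in self._revoked_users:
            return None
        return claims


def _sign(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def validate_offline(token, key, now):
    """Local check: signature and expiry only, no knowledge of revocations."""
    body, sep, signature = token.partition(".")
    if not sep:
        return None
    if not hmac.compare_digest(_sign(key, body).encode(), signature.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if now < claims["expires"] else None


def seconds_accepted(validate, token, start, end):
    """Count the seconds in [start, end) at which validate() accepts the token."""
    return sum(1 for now in range(start, end)
               if validate(token, now) is not None)


def demo():
    key = b"constructed-demo-key"       # constructed value for the example
    keystone = Issuer(key)
    five_min = keystone.issue("contractor", "tenant-a", now=0, ttl=300)
    one_day = keystone.issue("contractor", "tenant-a", now=0, ttl=86400)
    keystone.revoke_user("contractor")  # treated as taking effect at t=60
    offline = lambda token, now: validate_offline(token, key, now)
    return {
        "offline_5min": seconds_accepted(offline, five_min, 60, 90000),
        "offline_24h": seconds_accepted(offline, one_day, 60, 90000),
        "online": seconds_accepted(keystone.validate_online, one_day, 60, 90000),
    }


if __name__ == "__main__":
    for mode, seconds in demo().items():
        print("%-13s accepted for %6d s after revocation" % (mode, seconds))
```

With offline checking the exposure after a revocation is whatever lifetime the token has left, which is why the token lifetime and the choice of online checking are the two settings the thread keeps returning to.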






Re: [Openstack] Announcing proof-of-concept Load Balancing as a Service project

2012-08-02 Thread Eugene Kirpichov
REMINDER: the IRC meeting will happen in 5 minutes on #openstack-meetings.

On Tue, Jul 24, 2012 at 6:33 PM, Eugene Kirpichov ekirpic...@gmail.com wrote:
 Hello community,

 We at Mirantis have had a number of clients request functionality to
 control various load balancer devices (software and hardware) via an
 OpenStack API and horizon. So, in collaboration with Cisco OpenStack
 team and a number of other community members, we’ve started
 socializing the blueprints for an elastic load balancer API service.
 At this point we’d like to share where we are and would very much
 appreciate anyone participating and providing input.

 The current vision is to allow cloud tenants to request and
 provision virtual load balancers on demand and allow cloud
 administrators to manage a pool of available LB devices. Access is
 provided under a unified interface to different kinds of load
 balancers, both software and hardware. It means that API for tenants
 is abstracted away from the actual API of underlying hardware or
 software load balancers, and LBaaS effectively bridges this gap.

 POC level support for Cisco ACE and HAproxy is currently implemented
 in the form of plug-ins to LBaaS called “drivers”. We also started some
 work on F5 drivers. Would appreciate hearing input on what other
 drivers may be important at this point…nginx?

 Another question we have is if this should be a standalone module or a
 Quantum plugin… Dan – any feedback on this (and BTW congrats on the
 acquisition =).

 In order not to reinvent the wheel, we decided to base our API on
 Atlas-LB (http://wiki.openstack.org/Atlas-LB).

 Here are all the pointers:
  * Project overview: http://goo.gl/vZdei
  * Screencast: http://www.youtube.com/watch?v=NgAL-kfdbtE
  * API draft: http://goo.gl/gFcWT
  * Roadmap: http://goo.gl/EZAhf
  * Github repo: https://github.com/Mirantis/openstack-lbaas

 The code is written in Python and based on the OpenStack service
 template. We’ll be happy to give a walkthrough over what we have to
 anyone who may be interested in contributing (for example, creating a
 driver to support a particular LB device).

 All of the documents and code are not set in stone and we’re writing
 here specifically to ask for feedback and collaboration from the
 community.

 We would like to start holding weekly IRC meetings at
 #openstack-meeting; we propose 19:00 UTC on Thursdays (this time seems
 free according to http://wiki.openstack.org/Meetings/ ), starting Aug 2.

 --
 Eugene Kirpichov
 http://www.linkedin.com/in/eugenekirpichov



-- 
Eugene Kirpichov
http://www.linkedin.com/in/eugenekirpichov



Re: [Openstack] Preventing OpenStack from allocating some floating ips?

2012-08-02 Thread Calvin Walton
On Thu, 2012-08-02 at 13:59 -0400, Lars Kellogg-Stedman wrote:
 If I create a floating address range like this:
 
   nova-manage floating create --ip_range=10.243.30.0/24
 
 Is there any way to block out specific addresses in that range?  For
 example, the .1 address is the network gateway, and everything will
 fall apart if that address is accidentally allocated to an instance.
 
 Similarly, our host needs an address in that range in order to route
 traffic to the gateway.
 
 Is there any way to exempt specific addresses?  I realize that instead
 of allocating a /24 I could allocate a series of, say, /28 networks,
 but that seems a little clumsy.

(The following is assuming you're using Essex - I don't really know
anything about Quantum)

An interesting thing about how floating IPs work is that internally
nova-network just has a big table of ip addresses in the database. The
only thing that using a CIDR range like 10.243.20.0/24 does is save
you some typing - it does the exact same thing as separately adding
10.243.20.1, 10.243.20.2, and so on.

So it really makes no difference if you just individually add the ip
addresses that you want to use.

The easiest alternative? Just add the entire /24 range, then delete the
individual addresses that you want to reserve using
nova-manage floating delete 10.243.30.1
and so on.

-- 
Calvin Walton calvin.wal...@kepstin.ca




Re: [Openstack] Swift account listing

2012-08-02 Thread Pete Zaitcev
On Thu, 19 Jul 2012 16:10:06 +0100
Juan J. Martinez j...@memset.com wrote:

 I guess you can use the list of current accounts from Keystone and
 translate that into the account ring hash.

 swift-get-nodes /etc/swift/account.ring.gz myKeyStoneAcct | grep Hash |
 cut -f2 5819de5a52d5813f5ce95c9121b97652
 
 Then you can look for hashes that are not in that list of hashes. Per
 storage node you should check:
 
  /srv/node/$0/accounts/$1/*/$2/

The point is to use Swift itself _and_ Keystone, in order to find
discrepancies or orphan accounts. I ended up using listdir for now,
since our installation is very small, so directories fit in memory.
Code is here:
 https://github.com/zaitcev/swift-report

Output looks like this:

15051/4a7/3acbbe2ab55b81269ff88490a1b574a7 SK zaitcev
60690/f22/ed125debcbadbac11ef93c40dede0f22 SK glance
 5497/6ee/1579e4404e54e5edb53c00f1206696ee SK shared
52389/69e/cca50f1c92b3b7f2a15d6b8e2aaee69e S- -
 3066/787/0bfa11e194ee8889ff1c797a718cf787 SK admin
56328/3d8/dc088209ed71d08a00493c95888583d8 SK testuser

S is for accounts found in Swift, K is for accounts found in Keystone.

I have a feeling though that I must be reinventing the bicycle here.
Surely someone, somewhere, has written a Swift consistency checker
before.

-- Pete
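
Added example, not part of the thread and not code from swift-report: a reconciliation of account hashes found on disk against the accounts Keystone knows, printed in the same partition/suffix/hash layout and S/K flags as the report above. The partition power of 16 is inferred from the partition numbers in that sample output; the hash formula (MD5 over "/" plus the account name plus the cluster's hash suffix), the suffix value and the AUTH_ account names are assumptions for illustration.

```python
import hashlib


def location(hexhash, part_power):
    """Render partition/suffix/hash for an account hash found on disk."""
    partition = int(hexhash[:8], 16) >> (32 - part_power)
    return "%d/%s/%s" % (partition, hexhash[-3:], hexhash)


def account_hash(account, hash_suffix):
    # Assumption: the ring hashes "/<account>" followed by the secret suffix.
    return hashlib.md5(("/" + account).encode() + hash_suffix).hexdigest()


def reconcile(swift_hashes, keystone_accounts, hash_suffix, part_power=16):
    """Return (location, flags, name) rows; flags are S (Swift), K (Keystone)."""
    known = {account_hash(acct, hash_suffix): name
             for name, acct in keystone_accounts.items()}
    rows = []
    for h in sorted(set(swift_hashes) | set(known)):
        flags = ("S" if h in swift_hashes else "-") + \
                ("K" if h in known else "-")
        rows.append((location(h, part_power), flags, known.get(h, "-")))
    return rows


def orphans(rows):
    """Accounts holding data in Swift that no Keystone tenant maps to."""
    return [row for row in rows if row[1] == "S-"]


if __name__ == "__main__":
    suffix = b"constructed-suffix"                           # constructed
    keystone = {"admin": "AUTH_1", "glance": "AUTH_2"}       # constructed
    on_disk = {account_hash("AUTH_1", suffix),
               "cca50f1c92b3b7f2a15d6b8e2aaee69e"}           # hash from the report
    for loc, flags, name in reconcile(on_disk, keystone, suffix):
        print("%s %s %s" % (loc, flags, name))
```

A "-K" row, which the report above does not show, is a Keystone account that has never stored anything in Swift; the "S-" rows are the ones to investigate after a tenant is removed.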



Re: [Openstack] Preventing OpenStack from allocating some floating ips?

2012-08-02 Thread Lars Kellogg-Stedman
 (The following is assuming you're using Essex - I don't really know
 anything about Quantum)

Yeah, we're using Essex with FlatDHCP networking for now.

 An interesting thing about how floating IPs work is that internally
 nova-network just has a big table of ip addresses in the database.

That's good to know.  We try as much as possible to avoid solutions
that involve poking at the database, but we can probably live with
this.  Especially since MySQL knows about IP addresses (so we can
select all addresses below x.x.x.10 or something).

-- 
Lars Kellogg-Stedman l...@seas.harvard.edu   |
Senior Technologist| http://ac.seas.harvard.edu/
Academic Computing | 
http://code.seas.harvard.edu/
Harvard School of Engineering and Applied Sciences |



Re: [Openstack] best practices for merging common into specific projects

2012-08-02 Thread Eric Windisch


On Monday, July 23, 2012 at 12:04 PM, Doug Hellmann wrote:

   Sorry if this rekindles old arguments, but could someone summarize the
   reasons for an openstack-common PTL without voting rights? I would
   have defaulted to giving them a vote *especially* because the code in
   common is, well, common to all of the projects.
  
  
  So far, the PPB considered openstack-common to be driven by all PTLs,
  so it didn't have a specific PTL.
  
  As far as future governance is concerned (technical committee of the
  Foundation), openstack-common would technically be considered a
  supporting library (rather than a core project) -- those can have leads,
  but those do not get granted an automatic TC seat.
 
 
 OK, I can see the distinction there. I think the project needs an official 
 leader, even if we don't call them a PTL in the sense meant for other 
 projects. And I would expect anyone willing to take on the PTL role for 
 common to be qualified to run for one of the open positions on the new TC, if 
 they wanted to participate there.

The scope of common is expanding. I believe it is time to seriously consider a 
proper PTL. Preferably, before the PTL elections.

The RPC code is there now. We're talking about putting the membership services 
there too, for the sake of RPC, and even the low-level SQLAlchemy/MySQL access 
code for the sake of membership services. A wrapper around pyopenssl is likely 
to land there too, for the sake of RPC. These are just some of the changes that 
have already landed, or are expected to land within Folsom.

Common contains essential pieces to the success of OpenStack which are 
currently lacking (official) leadership. Everyone's problem is nobody's problem.

Consider this my +1 on assigning a PTL for common.

Regards,
Eric Windisch






Re: [Openstack] Preventing OpenStack from allocating some floating ips?

2012-08-02 Thread Vishvananda Ishaya
The create command via cidr is just a convenience to create a bunch of 
floating ips at once, floating ips are actually individual entries in the db. 
It should skip the network and gateway addresses by default, but it is 
perfectly acceptable to delete individual addresses with

nova-manage floating delete 10.243.30.17 (for example)

You need to leave off the /XX to specify a single address.

Vish

On Aug 2, 2012, at 10:59 AM, Lars Kellogg-Stedman l...@seas.harvard.edu wrote:

 If I create a floating address range like this:
 
  nova-manage floating create --ip_range=10.243.30.0/24
 
 Is there any way to block out specific addresses in that range?  For
 example, the .1 address is the network gateway, and everything will
 fall apart if that address is accidentally allocated to an instance.
 
 Similarly, our host needs an address in that range in order to route
 traffic to the gateway.
 
 Is there any way to exempt specific addresses?  I realize that instead
 of allocating a /24 I could allocate a series of, say, /28 networks,
 but that seems a little clumsy.
 
 Thanks,
 
 -- 
 Lars Kellogg-Stedman l...@seas.harvard.edu   |
 Senior Technologist| 
 http://ac.seas.harvard.edu/
 Academic Computing | 
 http://code.seas.harvard.edu/
 Harvard School of Engineering and Applied Sciences |
 


[Openstack] EC2 api and tenants

2012-08-02 Thread Mitchell Broome
I'm using essex 2012.1 and I'm running into an issue with tenant
separation using the ec2 api.  I end up having to give a user the
'admin' role in keystone to create instances within a tenant.  I can
live with that but the problem is, now that the user has 'admin', they
also see all of the instances including ones from other tenants via a
describe_instances().

If I only give them the 'Member' role, they can only see the instances
within their default tenant but they can't create instances.  Also, if
they only have 'Member', I'm able to create instances via horizon
manually.

I'm assuming I'm missing some combination of roles I need to set up to
allow a user to create instances in their default tenant but not see
other instances in other tenants.



Re: [Openstack] [glance] legacy client removal and python-glanceclient

2012-08-02 Thread Brian Waldon
The review has now landed in python-glanceclient master, so I'm going to 
release it tomorrow as v0.3.0 if nothing comes up between now and then.

On Aug 2, 2012, at 3:10 AM, Thierry Carrez wrote:

 Brian Waldon wrote:
 Ok, so I spent some time on this and got all of the existing/legacy CLI
 working within python-glanceclient. It should let anybody using the
 existing client keep on keepin' on without having to worry about CLI
 compatibility (until we actually remove the deprecated functionality in
 the v2 release).
 
 That's awesome, Brian. Great work.
 
 I pushed up a review
 here: https://review.openstack.org/#/c/10703/. I would love for those
 that voiced their concerns earlier to install the new client and make
 sure it really is backwards-compatible.
 
 Yes, time to help and be part of the solution :)
 
 -- 
 Thierry Carrez (ttx)
 Release Manager, OpenStack
 


Re: [Openstack] best practices for merging common into specific projects

2012-08-02 Thread Christopher B Ferris
+1

Cheers,

Christopher Ferris
IBM Distinguished Engineer, CTO Industry and Cloud Standards
Member, IBM Academy of Technology
IBM Software Group, Standards Strategy
email: chris...@us.ibm.com
Twitter: christo4ferris
phone: +1 508 234 2986

-openstack-bounces+chrisfer=us.ibm@lists.launchpad.net wrote: -
To: Doug Hellmann doug.hellm...@dreamhost.com
From: Eric Windisch
Sent by: openstack-bounces+chrisfer=us.ibm@lists.launchpad.net
Date: 08/02/2012 04:59PM
Cc: Thierry Carrez thie...@openstack.org, openstack@lists.launchpad.net
Subject: Re: [Openstack] best practices for merging common into specific projects

On Monday, July 23, 2012 at 12:04 PM, Doug Hellmann wrote:

   Sorry if this rekindles old arguments, but could someone summarize the
   reasons for an openstack-common "PTL" without voting rights? I would
   have defaulted to giving them a vote *especially* because the code in
   common is, well, common to all of the projects.

  So far, the PPB considered openstack-common to be driven by "all PTLs",
  so it didn't have a specific PTL.

  As far as future governance is concerned (technical committee of the
  Foundation), openstack-common would technically be considered a
  supporting library (rather than a core project) -- those can have leads,
  but those do not get granted an automatic TC seat.

 OK, I can see the distinction there. I think the project needs an official
 leader, even if we don't call them a PTL in the sense meant for other
 projects. And I would expect anyone willing to take on the PTL role for
 common to be qualified to run for one of the open positions on the new TC, if
 they wanted to participate there.

The scope of common is expanding. I believe it is time to seriously consider a
proper PTL. Preferably, before the PTL elections.

The RPC code is there now. We're talking about putting the membership services
there too, for the sake of RPC, and even the low-level SQLAlchemy/MySQL access
code for the sake of membership services. A wrapper around pyopenssl is likely
to land there too, for the sake of RPC. These are just some of the changes that
have already landed, or are expected to land within Folsom.

Common contains essential pieces to the success of OpenStack which are
currently lacking (official) leadership. Everyone's problem is nobody's problem.

Consider this my +1 on assigning a PTL for common.

Regards,
Eric Windisch



Re: [Openstack] EC2 api and tenants

2012-08-02 Thread Vishvananda Ishaya
Which version of the code are you using? This could potentially be a bug.
Can you give some more information on what goes wrong with creating an instance?
Do you get a traceback anywhere?

Vish

On Aug 2, 2012, at 1:23 PM, Mitchell Broome mitchell.bro...@gmail.com wrote:

 I'm using essex 2012.1 and I'm running into an issue with tenant
 separation using the ec2 api.  I end up having to give a user the
 'admin' role in keystone to create instances within a tenant.  I can
 live with that but the problem is, now that the user has 'admin', they
 also see all of the instances including ones from other tenants via a
 describe_instances().
 
 If I only give them the 'Member' role, they can only see the instances
 within their default tenant but they can't create instances.  Also, if
 they only have 'Member', I'm able to create instances via horizon
 manually.
 
 I'm assuming I'm missing some combination of roles I need to set up to
 allow a user to create instances in their default tenant but not see
 other instances in other tenants.
 


Re: [Openstack] best practices for merging common into specific projects

2012-08-02 Thread Vishvananda Ishaya

On Aug 2, 2012, at 1:05 PM, Eric Windisch e...@cloudscaling.com wrote:

 The scope of common is expanding. I believe it is time to seriously consider 
 a proper PTL. Preferably, before the PTL elections.

+1


Re: [Openstack] EC2 api and tenants

2012-08-02 Thread Ryan Lane
On Thu, Aug 2, 2012 at 1:23 PM, Mitchell Broome
mitchell.bro...@gmail.com wrote:
 I'm using essex 2012.1 and I'm running into an issue with tenant
 separation using the ec2 api.  I end up having to give a user the
 'admin' role in keystone to create instances within a tenant.  I can
 live with that but the problem is, now that the user has 'admin', they
 also see all of the instances including ones from other tenants via a
 describe_instances().

 If I only give them the 'Member' role, they can only see the instances
 within their default tenant but they can't create instances.  Also, if
 they only have 'Member', I'm able to create instances via horizon
 manually.

 I'm assuming I'm missing some combination of roles I need to set up to
 allow a user to create instances in their default tenant but not see
 other instances in other tenants.


So far, from what I can tell, you need to add custom roles (or
continue using sysadmin and netadmin), and add these roles to the
proper actions in policy.json.

- Ryan



Re: [Openstack] Cannot pass hint to Nova Scheduler

2012-08-02 Thread Jay Pipes
Sorry for top-posting, but there's not really a good place to inline
comment.

First, let's tackle logging in devstack...

When using devstack, you noticed that it logs to the screen session by
default. To make devstack ALSO log to a file, put the following in your
localrc:

LOG_COLOR=False
SCREEN_LOGDIR=/opt/stack/logs

And re-run stack.sh. You will now find the various service log files in
/opt/stack/logs.

Second, let's handle the JSON issue...

Nova isn't trying to decode a file. It's trying to JSON-decode the
string you're putting on the command line:

--hint query=['=','$free_ram_mb',1024]

The novaclient is passing the string ['=','$free_ram_mb',1024] to the
jsonutils.loads() function, which is what is failing. You can try
parsing this string yourself and see that the failure is raised the same
as appears in the log:

jpipes@uberbox:~/repos/tempest$ python
Python 2.7.3 (default, Apr 20 2012, 22:39:59)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import json
>>> p = json.loads("['=','$free_ram_mb',1024]")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/json/__init__.py", line 326, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 384, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

The problem is the string needs to be properly formatted JSON, and
single-quotes are not allowed -- you need to use double-quotes:

>>> p = json.loads('["=","$free_ram_mb",1024]')
>>> print p
[u'=', u'$free_ram_mb', 1024]

Try your command like this instead:

nova --debug boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query='["=","$free_ram_mb",1024]' server1

And I think you should be fine, as the following proof shows:

jpipes@uberbox:~/repos/tempest$ echo '["=","$free_ram_mb",1024]' | python -mjson.tool
[
    "=",
    "$free_ram_mb",
    1024
]


Best,
-jay


On 08/02/2012 02:09 PM, Heng Xu wrote:
 Hi, attached is the json_filter file I used, but it just came with the
 devstack script installation; I did not even modify it.
 Heng
 
 From: Pengjun Pan [panpeng...@gmail.com]
 Sent: Thursday, August 02, 2012 6:07 PM
 To: Heng Xu
 Cc: openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler
 
 Post your filter file. Might be a typo.
 
 PJ
 
 On Thu, Aug 2, 2012 at 1:02 PM, Heng Xu
 shouhengzhang...@mail.utoronto.ca wrote:
 Hi, I recorded the error message, below

 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File "/opt/stack/nova/nova/scheduler/filters/json_filter.py", line 141, in host_passes
 2012-08-02 13:51:02 TRACE nova.rpc.amqp     result = self._process_filter(jsonutils.loads(query), host_state)
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File "/opt/stack/nova/nova/openstack/common/jsonutils.py", line 123, in loads
 2012-08-02 13:51:02 TRACE nova.rpc.amqp     return json.loads(s)
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File "/usr/lib/python2.7/json/__init__.py", line 326, in loads
 2012-08-02 13:51:02 TRACE nova.rpc.amqp     return _default_decoder.decode(s)
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
 2012-08-02 13:51:02 TRACE nova.rpc.amqp     obj, end = self.raw_decode(s, idx=_w(s, 0).end())
 2012-08-02 13:51:02 TRACE nova.rpc.amqp   File "/usr/lib/python2.7/json/decoder.py", line 384, in raw_decode
 2012-08-02 13:51:02 TRACE nova.rpc.amqp     raise ValueError("No JSON object could be decoded")
 2012-08-02 13:51:02 TRACE nova.rpc.amqp ValueError: No JSON object could be decoded
 2012-08-02 13:51:02 TRACE nova.rpc.amqp

 It seems that the filter cannot find my JSON file, so although I was using 
 the --hint functionality, whatever I typed after the hint did not go to the 
 filter host_passed function, so it could not locate the JSON object. Any 
 thoughts?
 Thanks. Heng

 
 From: 
 openstack-bounces+shouhengzhang.xu=mail.utoronto...@lists.launchpad.net 
 [openstack-bounces+shouhengzhang.xu=mail.utoronto...@lists.launchpad.net] on 
 behalf of Heng Xu [shouhengzhang...@mail.utoronto.ca]
 Sent: Thursday, August 02, 2012 4:47 PM
 To: Pengjun Pan
 Cc: openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Hi PJ

 I don't know what happened. I could not find the file in my Ubuntu filesystem; 
 I searched for it with no result, but I just used ./stack.sh to install it. Is it 
 just me who could not find the file? Any thoughts?
 thank you

 Heng
 
 From: Pengjun Pan [panpeng...@gmail.com]
 Sent: Thursday, August 02, 2012 4:42 PM
 To: Heng Xu
 Cc: Joseph Suh; openstack@lists.launchpad.net
 Subject: Re: [Openstack] Cannot pass hint to Nova Scheduler

 Hi Heng,

 The log 
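
Added example, not part of any post in this thread and not Nova's own code: a pre-flight check for the `--hint query=` value discussed above. It rejects the single-quoted form with a pointer to the fix, validates the shape of the decoded query, and evaluates it against a host-state dict. The operator set, the `HintError` class, the function names and the `free_disk_mb` variable are assumptions for illustration; only `$free_ram_mb` comes from the thread.

```python
import json
import operator

# Operators this illustrative checker accepts (an assumed subset).
COMPARATORS = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
               "<=": operator.le, ">=": operator.ge}
COMBINERS = ("and", "or", "not")


class HintError(ValueError):
    """The hint query cannot be used as given."""


def parse_hint_query(raw):
    """Decode the text that follows `query=` and check its structure."""
    try:
        query = json.loads(raw)
    except ValueError as exc:
        reason = "not valid JSON (%s)" % exc
        if "'" in raw and '"' not in raw:
            reason += ("; JSON strings need double quotes, so wrap the "
                       "whole value in single quotes for the shell")
        raise HintError(reason)
    _check_shape(query)
    return query


def _check_shape(node):
    if not isinstance(node, list) or not node or not isinstance(node[0], str):
        raise HintError("expected [operator, args...], got %r" % (node,))
    op, args = node[0], node[1:]
    if op in COMBINERS:
        if not args or (op == "not" and len(args) != 1):
            raise HintError("bad argument count for %r" % op)
        for arg in args:
            _check_shape(arg)
    elif op in COMPARATORS:
        if len(args) != 2 or any(isinstance(a, (list, dict)) for a in args):
            raise HintError("%r takes two scalar arguments" % op)
    else:
        raise HintError("unknown operator %r" % op)


def _resolve(term, host_state):
    # "$name" refers to a host attribute; anything else is a literal.
    if isinstance(term, str) and term.startswith("$"):
        if term[1:] not in host_state:
            raise HintError("unknown host variable %r" % term)
        return host_state[term[1:]]
    return term


def evaluate(query, host_state):
    """Return True when the host described by host_state satisfies the query."""
    op, args = query[0], query[1:]
    if op == "and":
        return all(evaluate(a, host_state) for a in args)
    if op == "or":
        return any(evaluate(a, host_state) for a in args)
    if op == "not":
        return not evaluate(args[0], host_state)
    left, right = (_resolve(a, host_state) for a in args)
    try:
        return bool(COMPARATORS[op](left, right))
    except TypeError:
        raise HintError("cannot compare %r with %r" % (left, right))


if __name__ == "__main__":
    host = {"free_ram_mb": 2048, "free_disk_mb": 10240}   # constructed host state
    for raw in ("['=','$free_ram_mb',1024]",              # form that failed above
                '[">=","$free_ram_mb",1024]'):
        try:
            print(raw, "->", evaluate(parse_hint_query(raw), host))
        except HintError as exc:
            print(raw, "-> rejected:", exc)
```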

Re: [Openstack] best practices for merging common into specific projects

2012-08-02 Thread Jay Pipes
On 08/02/2012 04:05 PM, Eric Windisch wrote:
 On Monday, July 23, 2012 at 12:04 PM, Doug Hellmann wrote:
 
 Sorry if this rekindles old arguments, but could someone summarize the
 reasons for an openstack-common PTL without voting rights? I would
 have defaulted to giving them a vote *especially* because the code in
 common is, well, common to all of the projects.


 So far, the PPB considered openstack-common to be driven by all PTLs,
 so it didn't have a specific PTL.

 As far as future governance is concerned (technical committee of the
 Foundation), openstack-common would technically be considered a
 supporting library (rather than a core project) -- those can have leads,
 but those do not get granted an automatic TC seat.


 OK, I can see the distinction there. I think the project needs an official 
 leader, even if we don't call them a PTL in the sense meant for other 
 projects. And I would expect anyone willing to take on the PTL role for 
 common to be qualified to run for one of the open positions on the new TC, 
 if they wanted to participate there.
 The scope of common is expanding. I believe it is time to seriously consider 
 a proper PTL. Preferably, before the PTL elections.

No disagreement from me.

 The RPC code is there now. We're talking about putting the membership 
 services there too, for the sake of RPC, and even the low-level 
 SQLAlchemy/MySQL access code for the sake of membership services. A wrapper 
 around pyopenssl is likely to land there too, for the sake of RPC. These are 
 just some of the changes that have already landed, or are expected to land 
 within Folsom.

What do you mean by membership services?

 Common contains essential pieces to the success of OpenStack which are 
 currently lacking (official) leadership. Everyone's problem is nobody's 
 problem.
 
 Consider this my +1 on assigning a PTL for common.

Sure, me too.

-jay



Re: [Openstack] best practices for merging common into specific projects

2012-08-02 Thread Zhongyue Luo
+1

On Fri, Aug 3, 2012 at 6:47 AM, Vishvananda Ishaya vishvana...@gmail.com wrote:


 On Aug 2, 2012, at 1:05 PM, Eric Windisch e...@cloudscaling.com wrote:

  The scope of common is expanding. I believe it is time to seriously
 consider a proper PTL. Preferably, before the PTL elections.

 +1




-- 
*Intel SSG/SSD/SOTC/PRC/CITT*
880 Zixing Road, Zizhu Science Park, Minhang District, Shanghai, 200241,
China
+862161166500
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


Re: [Openstack] best practices for merging common into specific projects

2012-08-02 Thread Eric Windisch
 
 What do you mean by membership services?
See the email today from Yun Mao.  This is a proposal to have a pluggable 
framework for integration services that maintain memberships. This was 
originally designed to replace the MySQL heartbeats in Nova, although there will 
be a mysql-heartbeat backend by default as a drop-in replacement. There is a 
zookeeper backend in the works, and we've discussed the possibility of building 
a backend that can poll RabbitMQ's list_consumers.

This is useful for more than just Nova's heartbeats, however.  This will 
largely supplant the requirement for the matchmaker to build these backends in 
itself, which had been my original plan (the matchmaker is already in 
openstack-common).  As such, it had already been my intent to have a 
MySQL-backed matchmaker.  The only thing new is that someone has actually 
written the code.

In the first pass, the intention is to leave the matchmaker in and introduce 
the membership modules.  Then, the matchmaker would either use the new 
membership modules as a backend, or even be replaced entirely.

Regards,
Eric Windisch






[Openstack] User Account and Authentication Service (UAA)

2012-08-02 Thread Frans Thamura
hi all

anyone here have paper related to User Account and Authentication
Service (UAA) in

is OpenStack using UAA also?

thx in advance

F



Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Adam Young

On 08/01/2012 11:05 PM, Maru Newby wrote:

Hi Adam,

I apologize if my questions were answered before.  I wasn't aware that 
what I perceive as a very serious security concern was openly 
discussed.  The arguments against revocation support, as you've 
described them, seem to be:


 - it's complicated/messy/expensive to implement and/or execute
 - Kerberos doesn't need it, so why would we?

I'm not sure why either of these arguments would justify the potential 
security hole that a lack of revocation represents, but I suppose a 
'short enough' token lifespan could minimize that hole.  But how short 
a span are you suggesting as being acceptable?


The delay between when a user's access permissions change (whether 
roles, password or even account deactivation) and when the ticket 
reflects that change is my concern.  The default in Keystone has been 
24h, which is clearly too long.  Something on the order of 5 minutes 
would be ideal, but then ticket issuance could become the bottleneck. 
 Validity that's much longer could be a real problem, though.  Maybe 
not at the cloud administration level, but for a given project I can 
imagine someone being fired and their access being revoked.  How long 
is an acceptable period for that ticket to still be valid?  How much 
damage could be done by someone who should no longer have access to an 
account if their access cannot be revoked, by anyone, at all?



I realize that I had been thinking about the revocation list as 
something that needs to be broadcast.  This is certainly not the case.


A much better approach would be for the Keystone server to have a list 
of revoked tokens exposed in a URL.  Then, a service like Glance or 
Nova can query the Revocation list on a simple schedule.  The time out 
would be configurable, of course.


There is a question about what to do if the keystone server cannot be 
reached during that interval.  Since the current behavior is for 
authentication to fail,  I suppose we would continue doing that,  but 
also wait a random amount of time and then requery the Keystone server.


In the future, I would like to make the set of Keystone servers a 
configurable list, and the policy for revocation checking should be able 
to vary per server:  some Keystone servers in a federated approach might 
not be accessible.  In those cases,  it might be necessary for one 
Keystone server to proxy the revocation list for another server.


Let me know if this scheme makes sense to you.  If so, we can write it 
up as an additional blueprint.  It should not be that hard to implement.





I'm hearing that you, as the implementer of this feature, don't 
consider the lack of revocation to be an issue.  What am I missing? 
 Is support for revocation so repugnant that the potential security 
hole is preferable?  I can see that from a developer's perspective, 
but I don't understand why someone deploying Keystone wouldn't avoid 
PKI tokens until revocation support became available.


Thanks,


Maru


On 2012-08-01, at 9:47 PM, Adam Young wrote:


On 08/01/2012 09:19 PM, Maru Newby wrote:
I see that support for PKI Signed Tokens has been added to Keystone 
without support for token revocation.  I tried to raise this issue 
on the bug report:


https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

And the review:

https://review.openstack.org/#/c/7754/

I'm curious as to whether anybody shares my concern and if there is 
a specific reason why nobody responded to my question as to why 
revocation is not required for this new token scheme.   Anybody?


It was discussed back when I wrote the Blueprint.  While it is 
possible to do revocations with PKI,  it is expensive and requires a 
lot of extra checking.  Revocation is a policy decision, and the 
assumption is that people that are going to use PKI tokens are 
comfortable without revocation.  Kerberos service tickets have the 
same limitation, and Kerberos has been in deployment that way for 
close to 25 years.


Assuming that PKI ticket lifespan is short enough,  revocation should 
not be required.  What will be tricky is to balance the needs of long 
lived tokens (delayed operations, long running operations) against 
the needs for reasonable token timeout.


PKI Token revocation would look like CRLs in the Certificate world.  
While they are used, they are clunky.  Each time a token gets 
revoked, a blast message would have to go out to all registered 
parties informing them of the revocation.  Keystone does not yet have 
a message queue interface, so doing that is prohibitive in the first 
implementation.


Note that users can get disabled, and token chaining will no longer 
work:  you won't be able to use a token to get a new token from Keystone.





Thanks,


Maru





Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Maru Newby
Hi Adam,

I was thinking along the same lines - the revocation list could be accessed via 
a simple url.  It wouldn't even have to be hosted by Keystone, necessarily.  
For larger clusters where performance might become an issue, what about 
generating to a static file as needed that is made available via any of the 
usual web server suspects?

As to whether the keystone server cannot be reached, that could be 
configurable.  Some deployments might prefer permissive failure, others 
restrictive failure.  I can see the case for both options.

+1, also, to the set of Keystone servers being a configurable list, with 
differential policies for revocation checking.

As to a justification for revocation, my use-case is more Swift (and integrated 
CDN) than Nova.  A rogue user being able to manipulate VMs is one thing, but 
being able to expose potentially private data to a really wide audience is 
another.  I would rate the damage potential of an object storage compromise as 
easily as great as application-level compromise.

I would be happy to participate in creating and implementing these ideas.  How 
can I help?

Thanks,


Maru 

On 2012-08-02, at 10:24 PM, Adam Young wrote:

 On 08/01/2012 11:05 PM, Maru Newby wrote:
 
 Hi Adam,
 
 I apologize if my questions were answered before.  I wasn't aware that what 
 I perceive as a very serious security concern was openly discussed.  The 
 arguments against revocation support, as you've described them, seem to be:
 
  - it's complicated/messy/expensive to implement and/or execute
  - Kerberos doesn't need it, so why would we?
 
 I'm not sure why either of these arguments would justify the potential 
 security hole that a lack of revocation represents, but I suppose a 'short 
 enough' token lifespan could minimize that hole.  But how short a span are 
 you suggesting as being acceptable?
 
 The delay between when a user's access permissions change (whether roles, 
 password or even account deactivation) and when the ticket reflects that 
 change is my concern.  The default in Keystone has been 24h, which is 
 clearly too long.  Something on the order of 5 minutes would be ideal, but 
 then ticket issuance could become the bottleneck.  Validity that's much 
 longer could be a real problem, though.  Maybe not at the cloud 
 administration level, but for a given project I can imagine someone being 
 fired and their access being revoked.  How long is an acceptable period for 
 that ticket to still be valid?  How much damage could be done by someone who 
 should no longer have access to an account if their access cannot be 
 revoked, by anyone, at all?
 
 
 I realize that I had been thinking about the revocation list as something 
 that needs to be broadcast.  This is certainly not the case.
 
 A much better approach would be for the Keystone server to have a list of 
 revoked tokens exposed in a URL.  Then, a service like Glance or Nova can 
 query the Revocation list on a simple schedule.  The time out would be 
 configurable, of course.
 
 There is a question about what to do if the keystone server cannot be reached 
 during that interval.  Since the current behavior is for authentication to 
 fail,  I suppose we would continue doing that,  but also wait a random amount 
 of time and then requery the Keystone server.
 
 In the future, I would like to make the set of Keystone servers a 
 configurable list, and the policy for revocation checking should be able to 
 vary per server:  some Keystone servers in a federated approach might not be 
 accessible.  In those cases,  it might be necessary for one Keystone server 
 to proxy the revocation list for another server.
 
 Let me know if this scheme makes sense to you.  If so, we can write it up as 
 an additional blueprint.  It should not be that hard to implement.
 
 
 
 I'm hearing that you, as the implementer of this feature, don't consider the 
 lack of revocation to be an issue.  What am I missing?  Is support for 
 revocation so repugnant that the potential security hole is preferable?  I 
 can see that from a developer's perspective, but I don't understand why 
 someone deploying Keystone wouldn't avoid PKI tokens until revocation 
 support became available.
 
 Thanks,
 
 
 Maru 
  
 
 
 On 2012-08-01, at 9:47 PM, Adam Young wrote:
 
 On 08/01/2012 09:19 PM, Maru Newby wrote:
 
 I see that support for PKI Signed Tokens has been added to Keystone 
 without support for token revocation.  I tried to raise this issue on the 
 bug report:
 
 https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
 
 And the review:
 
 https://review.openstack.org/#/c/7754/
 
 I'm curious as to whether anybody shares my concern and if there is a 
 specific reason why nobody responded to my question as to why revocation 
 is not required for this new token scheme.   Anybody?
 
 It was discussed back when I wrote the Blueprint.  While it is possible to 
 do revocations with PKI,  it is expensive and requires a lot of extra 
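
Added example, not part of the thread and not Keystone code: a Python model of the scheme discussed in the two messages above, in which a service polls a revocation list on a schedule, requeries after a random delay when the server is unreachable, and applies a configurable restrictive or permissive policy during the outage. The class and function names, the SHA-256 token identifier, and the in-memory `fetch` callable standing in for the revocation URL are assumptions made for illustration.

```python
import hashlib
import random
import time


def token_id(token):
    # Assumption: revoked tokens are listed by the SHA-256 hex digest of the token text.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RevocationCache:
    """Service-side copy of a revocation list that is polled on a schedule."""

    def __init__(self, fetch, refresh_interval=300.0, fail_open=False,
                 max_retry_delay=10.0, clock=time.monotonic, rng=random.random):
        self._fetch = fetch                  # callable returning the revoked token ids
        self._refresh_interval = refresh_interval
        self._fail_open = fail_open          # True: permissive, False: restrictive
        self._max_retry_delay = max_retry_delay
        self._clock = clock
        self._rng = rng
        self._revoked = frozenset()
        self._fetched_at = None              # time of the last successful fetch
        self._next_fetch = float("-inf")     # forces a fetch on first use

    def _refresh_if_due(self):
        now = self._clock()
        if now < self._next_fetch:
            return
        try:
            revoked = frozenset(self._fetch())
        except Exception:
            # List unreachable: keep the last good copy and requery after a
            # random delay, so many services do not retry in lockstep.
            self._next_fetch = now + self._rng() * self._max_retry_delay
            return
        self._revoked = revoked
        self._fetched_at = now
        self._next_fetch = now + self._refresh_interval

    def _is_fresh(self):
        if self._fetched_at is None:
            return False
        return self._clock() - self._fetched_at < self._refresh_interval

    def allows(self, token):
        self._refresh_if_due()
        if token_id(token) in self._revoked:
            return False                     # a known revocation denies under either policy
        if self._is_fresh():
            return True
        return self._fail_open               # stale list: the outage policy decides


def demo():
    """Walk a constructed timeline (seconds) through both outage policies."""
    now = [0.0]
    server = {"up": True, "revoked": set()}

    def fetch():
        if not server["up"]:
            raise ConnectionError("revocation list unreachable (simulated)")
        return set(server["revoked"])

    def make(fail_open):
        return RevocationCache(fetch, refresh_interval=300.0, fail_open=fail_open,
                               clock=lambda: now[0], rng=lambda: 0.5)

    strict, lenient = make(False), make(True)
    alice, mallory = "constructed-token-alice", "constructed-token-mallory"
    out = {}

    out["t0_mallory"] = (strict.allows(mallory), lenient.allows(mallory))

    now[0] = 60.0                            # revoked shortly after the first poll
    server["revoked"].add(token_id(mallory))
    out["t60_mallory"] = strict.allows(mallory)      # still inside the polling window

    now[0] = 300.0                           # next scheduled poll picks up the revocation
    out["t300"] = (strict.allows(mallory), lenient.allows(mallory), strict.allows(alice))

    now[0] = 600.0                           # poll is due but the server is down
    server["up"] = False
    out["t600"] = (strict.allows(alice), lenient.allows(alice), lenient.allows(mallory))

    now[0] = 602.0                           # server is back, retry delay has not elapsed
    server["up"] = True
    out["t602_alice"] = strict.allows(alice)

    now[0] = 606.0                           # retry delay (0.5 * 10 s) has elapsed
    out["t606_alice"] = strict.allows(alice)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The `t60_mallory` result shows that the polling interval is the real upper bound on how long a revoked token keeps working, which is the same trade-off as the token lifespan debated in the thread.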
 

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Maru Newby
Hi Adam,

I apologize if I came across as disrespectful.  I was becoming frustrated that 
what I perceived as a valid concern was seemingly being ignored, but I 
recognize that there is no excuse for addressing you in a manner that I would 
not myself wish to be treated.  I will do better going forward.

Thanks,


Maru

ps: Thank you for the reminder, Joe!

On 2012-08-02, at 1:56 AM, Joseph Heck wrote:

 Hey Maru,
 
 I think you're putting too many words in Adam's mouth here. First, Adam didn't 
 assert it wasn't valuable, useful, or necessary - simply that it wasn't in the 
 first cut and not in the list that we agreed was critically essential to an 
 initial implementation. As you noted, it's a complex and somewhat tricky issue 
 to get right.
 
 There's always room for more participation to correct the flaws you see in 
 the existing system - the beauty of open source. I would love to see 
 continued work on the signing and revocation work to drive in these features 
 that mean so much to you.  I'd be happy to open a blueprint if you can stand 
 behind it, define what you think is required, and commit to the work to 
 implement that revocation mechanism.
 
 Implying negative emotions on Adam's part when he's been the one driving the 
 implementation and doing the work is simply inappropriate. Please consider 
 the blueprint route, definition of a viable solution, and work to make it 
 happen instead of name calling and asserting how the developers doing the 
 work are screwing up.
 
 - joe
 
 On Aug 1, 2012, at 8:05 PM, Maru Newby mne...@internap.com wrote:
 Hi Adam,
 
 I apologize if my questions were answered before.  I wasn't aware that what 
 I perceive as a very serious security concern was openly discussed.  The 
 arguments against revocation support, as you've described them, seem to be:
 
  - it's complicated/messy/expensive to implement and/or execute
  - Kerberos doesn't need it, so why would we?
 
 I'm not sure why either of these arguments would justify the potential 
 security hole that a lack of revocation represents, but I suppose a 'short 
 enough' token lifespan could minimize that hole.  But how short a span are 
 you suggesting as being acceptable?
 
 The delay between when a user's access permissions change (whether roles, 
 password or even account deactivation) and when the ticket reflects that 
 change is my concern.  The default in Keystone has been 24h, which is 
 clearly too long.  Something on the order of 5 minutes would be ideal, but 
 then ticket issuance could become the bottleneck.  Validity that's much 
 longer could be a real problem, though.  Maybe not at the cloud 
 administration level, but for a given project I can imagine someone being 
 fired and their access being revoked.  How long is an acceptable period for 
 that ticket to still be valid?  How much damage could be done by someone who 
 should no longer have access to an account if their access cannot be 
 revoked, by anyone, at all?
 
 I'm hearing that you, as the implementer of this feature, don't consider the 
 lack of revocation to be an issue.  What am I missing?  Is support for 
 revocation so repugnant that the potential security hole is preferable?  I 
 can see that from a developer's perspective, but I don't understand why 
 someone deploying Keystone wouldn't avoid PKI tokens until revocation 
 support became available.
 
 Thanks,
 
 
 Maru 
  
 
 
 On 2012-08-01, at 9:47 PM, Adam Young wrote:
 
 On 08/01/2012 09:19 PM, Maru Newby wrote:
 
 I see that support for PKI Signed Tokens has been added to Keystone 
 without support for token revocation.  I tried to raise this issue on the 
 bug report:
 
 https://bugs.launchpad.net/keystone/+bug/1003962/comments/4
 
 And the review:
 
 https://review.openstack.org/#/c/7754/
 
 I'm curious as to whether anybody shares my concern and if there is a 
 specific reason why nobody responded to my question as to why revocation 
 is not required for this new token scheme.   Anybody?
 
 It was discussed back when I wrote the Blueprint.  While it is possible to 
 do revocations with PKI,  it is expensive and requires a lot of extra 
 checking.  Revocation is a policy decision, and the assumption is that 
 people that are going to use PKI tokens are comfortable without 
 revocation.  Kerberos service tickets have the same limitation, and 
 Kerberos has been in deployment that way for close to 25 years.
 
 Assuming that PKI ticket lifespan is short enough,  revocation should not 
 be required.  What will be tricky is to balance the needs of long lived 
 tokens (delayed operations, long running operations) against the needs for 
 reasonable token timeout.
 
 PKI Token revocation would look like CRLs in the Certificate world.  While 
 they are used, they are clunky.  Each time a token gets revoked, a blast 
 message would have to go out to all registered parties informing them of 
 the revocation.  Keystone does not yet have a message queue interface, so 
 doing that is 

Re: [Openstack] Keystone: 'PKI Signed Tokens' lack support for revocation

2012-08-02 Thread Nathanael Burton
Adam,

I haven't yet had a chance to review how the new PKI signed tokens are
implemented, but what you're describing sounds quite similar to online
certificate status protocol (OCSP) but for tokens.

Nate
On Aug 2, 2012 10:24 PM, Adam Young ayo...@redhat.com wrote:

  On 08/01/2012 11:05 PM, Maru Newby wrote:

 Hi Adam,

  I apologize if my questions were answered before.  I wasn't aware that
 what I perceive as a very serious security concern was openly discussed.
  The arguments against revocation support, as you've described them, seem
 to be:

   - it's complicated/messy/expensive to implement and/or execute
  - Kerberos doesn't need it, so why would we?

  I'm not sure why either of these arguments would justify the potential
 security hole that a lack of revocation represents, but I suppose a 'short
 enough' token lifespan could minimize that hole.  But how short a span are
 you suggesting as being acceptable?

  The delay between when a user's access permissions change (whether
 roles, password or even account deactivation) and when the ticket reflects
 that change is my concern.  The default in Keystone has been 24h, which is
 clearly too long.  Something on the order of 5 minutes would be ideal, but
 then ticket issuance could become the bottleneck.  Validity that's much
 longer could be a real problem, though.  Maybe not at the cloud
 administration level, but for a given project I can imagine someone being
 fired and their access being revoked.  How long is an acceptable period for
 that ticket to still be valid?  How much damage could be done by someone
 who should no longer have access to an account if their access cannot be
 revoked, by anyone, at all?



 I realize that I had been thinking about the revocation list as something
 that needs to be broadcast.  This is certainly not the case.

 A much better approach would be for the Keystone server to have a list of
 revoked tokens exposed in a URL.  Then, a service like Glance or Nova can
 query the Revocation list on a simple schedule.  The time out would be
 configurable, of course.

 There is a question about what to do if the keystone server cannot be
 reached during that interval.  Since the current behavior is for
 authentication to fail,  I suppose we would continue doing that,  but also
 wait a random amount of time and then requery the Keystone server.

 In the future, I would like to make the set of Keystone servers a
 configurable list, and the policy for revocation checking should be able to
 vary per server:  some Keystone servers in a federated approach might not
 be accessible.  In those cases,  it might be necessary for one Keystone
 server to proxy the revocation list for another server.

 Let me know if this scheme makes sense to you.  If so, we can write it up
 as an additional blueprint.  It should not be that hard to implement.



  I'm hearing that you, as the implementer of this feature, don't consider
 the lack of revocation to be an issue.  What am I missing?  Is support for
 revocation so repugnant that the potential security hole is preferable?  I
 can see that from a developer's perspective, but I don't understand why
 someone deploying Keystone wouldn't avoid PKI tokens until revocation
 support became available.

  Thanks,


  Maru



  On 2012-08-01, at 9:47 PM, Adam Young wrote:

  On 08/01/2012 09:19 PM, Maru Newby wrote:

 I see that support for PKI Signed Tokens has been added to Keystone
 without support for token revocation.  I tried to raise this issue on the
 bug report:

  https://bugs.launchpad.net/keystone/+bug/1003962/comments/4

  And the review:

  https://review.openstack.org/#/c/7754/

  I'm curious as to whether anybody shares my concern and if there is a
 specific reason why nobody responded to my question as to why revocation is
 not required for this new token scheme.   Anybody?


 It was discussed back when I wrote the Blueprint.  While it is possible to
 do revocations with PKI,  it is expensive and requires a lot of extra
 checking.  Revocation is a policy decision, and the assumption is that
 people that are going to use PKI tokens are comfortable without
 revocation.  Kerberos service tickets have the same limitation, and
 Kerberos has been in deployment that way for close to 25 years.

 Assuming that PKI ticket lifespan is short enough,  revocation should not
 be required.  What will be tricky is to balance the needs of long lived
 tokens (delayed operations, long running operations) against the needs for
 reasonable token timeout.

 PKI Token revocation would look like CRLs in the Certificate world.  While
 they are used, they are clunky.  Each time a token gets revoked, a blast
 message would have to go out to all registered parties informing them of
 the revocation.  Keystone does not yet have a message queue interface, so
 doing that is prohibitive in the first implementation.

 Note that users can get disabled, and token chaining will no longer work:
 you won't be able to use a 

Re: [Openstack] Node Disk Cleaning Script

2012-08-02 Thread Алексей Кайтаз
Pádraig, thanks.

That's what I need.

2012/8/2 Pádraig Brady p...@draigbrady.com

 On 08/02/2012 12:12 PM, Алексей Кайтаз wrote:
  Hi!
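  I hope this script will be useful for somebody.
 
  #!/bin/bash
  cd /var/lib/nova/instances || exit 1
  # Collect the backing files still referenced by instance disks.
  find . -name 'disk*' | xargs -n1 qemu-img info | grep backing | sed -e 's/.*file: //' -e 's/ .*//' | sort | uniq > /tmp/ignore
  # Build one "! -path FILE" test per backing file that is still in use.
  ARGS=()
  while read -r i; do
      ARGS+=( ! -path "$i" )
  done < /tmp/ignore
  # Delete every base image that no instance disk references.
  find /var/lib/nova/instances/_base/ -type f "${ARGS[@]}" -delete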

 This is done automatically by nova when you enable this in
 /etc/nova/nova.conf

   remove_unused_base_images = True

 That is done in Fedora/EPEL packages for the last while,
 and will default on in the next folsom release.

 cheers,
 Pádraig.



Re: [Openstack] best practices for merging common into specific projects

2012-08-02 Thread Mark McLoughlin
On Thu, 2012-08-02 at 15:47 -0700, Vishvananda Ishaya wrote:
 On Aug 2, 2012, at 1:05 PM, Eric Windisch e...@cloudscaling.com wrote:
 
  The scope of common is expanding. I believe it is time to seriously
  consider a proper PTL. Preferably, before the PTL elections.
 
 +1

So, I guess I've been doing this unofficially. I'm happy for that to be
official until the next round of elections.

Cheers,
Mark.




Re: [Openstack] User Account and Authentication Service (UAA)

2012-08-02 Thread Endre Karlson
It has keystone.
On 3 Aug 2012 at 03:05, Frans Thamura fr...@meruvian.org wrote the following:

 hi all

 anyone here have paper related to User Account and Authentication
 Service (UAA) in

 is OpenStack using UAA also?

 thx in advance

 F



[Openstack-ubuntu-testing-notifications] Build Failure: quantal_folsom_python-glanceclient_trunk #51

2012-08-02 Thread openstack-testing-bot
Title: quantal_folsom_python-glanceclient_trunk
General Information
BUILD FAILURE
Build URL: https://jenkins.qa.ubuntu.com/job/quantal_folsom_python-glanceclient_trunk/51/
Project: quantal_folsom_python-glanceclient_trunk
Date of build: Thu, 02 Aug 2012 14:31:53 -0400
Build duration: 3 min 7 sec
Build cause: Started by an SCM change
Built on: pkg-builder

Health Report
Description: Build stability: 1 out of the last 5 builds failed.
Score: 80

Changes
Update python-keystoneclient version dependency
by bcwaldon
edit tools/pip-requires

Console Output
[...truncated 1895 lines...]
Build-Space: 768
Build-Time: 4
Distribution: quantal-folsom
Fail-Stage: build
Install-Time: 44
Job: python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1.dsc
Package: python-glanceclient
Package-Time: 72
Source-Version: 1:0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1
Space: 768
Status: attempted
Version: 1:0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1
Finished at 20120802-1434
Build needed 00:01:12, 768k disc space
ERROR:root:Error occurred during package creation/build
ERROR:root:Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
INFO:root:Complete command log:
INFO:root:Destroying schroot.
bzr branch lp:~openstack-ubuntu-testing/python-glanceclient/quantal-folsom-proposed /tmp/tmpzC8S6q/python-glanceclient
mk-build-deps -i -r -t apt-get -y /tmp/tmpzC8S6q/python-glanceclient/debian/control
python setup.py sdist
git log -n1 --no-merges --pretty=format:%H
bzr merge lp:~openstack-ubuntu-testing/python-glanceclient/quantal-folsom --force
dch -b -D quantal --newversion 1:0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1 Automated Ubuntu testing build:
dch -b -D quantal --newversion 1:0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1 Automated Ubuntu testing build:
debcommit
bzr builddeb -S -- -sa -us -uc
bzr builddeb -S -- -sa -us -uc
debsign -k9935ACDC python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1_source.changes
sbuild -d quantal-folsom -n -A python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1.dsc
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/apport_python_hook.py", line 68, in apport_excepthook
    binary = os.path.realpath(os.path.join(os.getcwdu(), sys.argv[0]))
OSError: [Errno 2] No such file or directory
Original exception was:
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'python-glanceclient_0.2.0.8.61fdefb+git201208021431~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
Build step 'Execute shell' marked build as failure
Email was triggered for: Failure
Sending email for trigger: Failure
-- 
Mailing list: https://launchpad.net/~openstack-ubuntu-testing-notifications
Post to : openstack-ubuntu-testing-notifications@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack-ubuntu-testing-notifications
More help   : https://help.launchpad.net/ListHelp


[Openstack-ubuntu-testing-notifications] Build Still Failing: quantal_folsom_swift_trunk #38

2012-08-02 Thread openstack-testing-bot
Title: quantal_folsom_swift_trunk
General Information
BUILD FAILURE
Build URL: https://jenkins.qa.ubuntu.com/job/quantal_folsom_swift_trunk/38/
Project: quantal_folsom_swift_trunk
Date of build: Thu, 02 Aug 2012 14:31:53 -0400
Build duration: 3 min 55 sec
Build cause: Started by an SCM change
Built on: pkg-builder

Health Report
Description: Build stability: All recent builds failed.
Score: 0

Changes
Ensure parameters sent to db are utf8 strs
by z-launchpad
edit swift/common/db.py

Console Output
[...truncated 2667 lines...]
Build-Time: 17
Distribution: quantal-folsom
Fail-Stage: build
Install-Time: 37
Job: swift_1.6.1+git201208021432~quantal-0ubuntu1.dsc
Package: swift
Package-Time: 77
Source-Version: 1.6.1+git201208021432~quantal-0ubuntu1
Space: 19032
Status: attempted
Version: 1.6.1+git201208021432~quantal-0ubuntu1
Finished at 20120802-1435
Build needed 00:01:17, 19032k disc space
ERROR:root:Error occurred during package creation/build
ERROR:root:Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'swift_1.6.1+git201208021432~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
INFO:root:Complete command log:
INFO:root:Destroying schroot.
bzr branch lp:~openstack-ubuntu-testing/swift/quantal-folsom-proposed /tmp/tmp9cWeNy/swift
mk-build-deps -i -r -t apt-get -y /tmp/tmp9cWeNy/swift/debian/control
python setup.py sdist
git log -n1 --no-merges --pretty=format:%H
git log ceaf7606fe25f77cf31deb2946a16ae7a6fec05c..HEAD --no-merges --pretty=format:[%h] %s
bzr merge lp:~openstack-ubuntu-testing/swift/quantal-folsom --force
dch -b -D quantal --newversion 1.6.1+git201208021432~quantal-0ubuntu1 Automated Ubuntu testing build:
dch -b -D quantal --newversion 1.6.1+git201208021432~quantal-0ubuntu1 Automated Ubuntu testing build:
debcommit
bzr builddeb -S -- -sa -us -uc
bzr builddeb -S -- -sa -us -uc
debsign -k9935ACDC swift_1.6.1+git201208021432~quantal-0ubuntu1_source.changes
sbuild -d quantal-folsom -n -A swift_1.6.1+git201208021432~quantal-0ubuntu1.dsc
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'swift_1.6.1+git201208021432~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/apport_python_hook.py", line 68, in apport_excepthook
    binary = os.path.realpath(os.path.join(os.getcwdu(), sys.argv[0]))
OSError: [Errno 2] No such file or directory
Original exception was:
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'quantal-folsom', '-n', '-A', 'swift_1.6.1+git201208021432~quantal-0ubuntu1.dsc']' returned non-zero exit status 2
Build step 'Execute shell' marked build as failure
Email was triggered for: Failure
Sending email for trigger: Failure
-- 


[Openstack-ubuntu-testing-notifications] Build Still Failing: precise_folsom_python-glanceclient_trunk #46

2012-08-02 Thread openstack-testing-bot
Title: precise_folsom_python-glanceclient_trunk
General Information
BUILD FAILURE
Build URL: https://jenkins.qa.ubuntu.com/job/precise_folsom_python-glanceclient_trunk/46/
Project: precise_folsom_python-glanceclient_trunk
Date of build: Thu, 02 Aug 2012 20:31:53 -0400
Build duration: 3 min 36 sec
Build cause: Started by an SCM change
Built on: pkg-builder

Health Report
Description: Build stability: 2 out of the last 5 builds failed.
Score: 60

Changes
Allow CLI opts to override auth token and endpoint
by bcwaldon
edit glanceclient/shell.py

Console Output
[...truncated 1707 lines...]
Build-Space: 760
Build-Time: 3
Distribution: precise-folsom
Fail-Stage: build
Install-Time: 38
Job: python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1.dsc
Package: python-glanceclient
Package-Time: 78
Source-Version: 1:0.2.0.10.18543b1+git201208022031~precise-0ubuntu1
Space: 760
Status: attempted
Version: 1:0.2.0.10.18543b1+git201208022031~precise-0ubuntu1
Finished at 20120802-2035
Build needed 00:01:18, 760k disc space
ERROR:root:Error occurred during package creation/build
ERROR:root:Command '['sbuild', '-d', 'precise-folsom', '-n', '-A', 'python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1.dsc']' returned non-zero exit status 2
INFO:root:Complete command log:
INFO:root:Destroying schroot.
bzr branch lp:~openstack-ubuntu-testing/python-glanceclient/precise-folsom-proposed /tmp/tmpv5qaQP/python-glanceclient
mk-build-deps -i -r -t apt-get -y /tmp/tmpv5qaQP/python-glanceclient/debian/control
python setup.py sdist
git log -n1 --no-merges --pretty=format:%H
bzr merge lp:~openstack-ubuntu-testing/python-glanceclient/precise-folsom --force
dch -b -D precise --newversion 1:0.2.0.10.18543b1+git201208022031~precise-0ubuntu1 Automated Ubuntu testing build:
dch -b -D precise --newversion 1:0.2.0.10.18543b1+git201208022031~precise-0ubuntu1 Automated Ubuntu testing build:
debcommit
bzr builddeb -S -- -sa -us -uc
bzr builddeb -S -- -sa -us -uc
debsign -k9935ACDC python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1_source.changes
sbuild -d precise-folsom -n -A python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1.dsc
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'precise-folsom', '-n', '-A', 'python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1.dsc']' returned non-zero exit status 2
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/apport_python_hook.py", line 68, in apport_excepthook
    binary = os.path.realpath(os.path.join(os.getcwdu(), sys.argv[0]))
OSError: [Errno 2] No such file or directory
Original exception was:
Traceback (most recent call last):
  File "/var/lib/jenkins/tools/openstack-ubuntu-testing/bin/build-package", line 135, in
    raise e
subprocess.CalledProcessError: Command '['sbuild', '-d', 'precise-folsom', '-n', '-A', 'python-glanceclient_0.2.0.10.18543b1+git201208022031~precise-0ubuntu1.dsc']' returned non-zero exit status 2
Build step 'Execute shell' marked build as failure
Email was triggered for: Failure
Sending email for trigger: Failure
-- 