Saturday, 2016-03-05

*** mlima has joined #kolla		00:02
mlima	SamYaple, i saw that some modules does not have reconfigure file yet, but i dont know if i can commit.	00:04
mlima	the mitaka version has been "closed"?	00:05
*** Jeffrey4l has quit IRC		00:10
*** alisonh has joined #kolla		00:12
*** britthouser has joined #kolla		00:34
*** dimsum_ has quit IRC		00:35
*** jtriley has quit IRC		00:43
*** iceyao has joined #kolla		00:53
*** mbound has joined #kolla		00:59
openstackgerrit	Daniel Gonzalez Nothnagel proposed openstack/kolla: Unify vagrant bootstrap.sh scripts https://review.openstack.org/288821	01:02
*** mlima has quit IRC		01:03
*** mbound has quit IRC		01:04
*** sdake has joined #kolla		01:06
*** britthou_ has joined #kolla		01:08
*** britthouser has quit IRC		01:11
openstackgerrit	Merged openstack/kolla: Bump ansible version to head of devel https://review.openstack.org/288553	01:24
*** dims has joined #kolla		01:30
openstackgerrit	Serguei Bezverkhi proposed openstack/kolla: Partially-Implements: blueprint kolla-reconfig https://review.openstack.org/288824	01:33
*** sdake has quit IRC		01:43
*** Allen_Gao has quit IRC		01:50
*** dims has quit IRC		01:55
*** Allen_Gao has joined #kolla		02:05
openstackgerrit	Serguei Bezverkhi proposed openstack/kolla: Reconfigure for Swift https://review.openstack.org/288824	02:17
*** stvnoyes has quit IRC		02:25
*** stvnoyes has joined #kolla		02:26
*** gfidente has quit IRC		02:41
*** Marga_ has quit IRC		02:55
*** Jeffrey4l has joined #kolla		03:03
*** jasonsb has joined #kolla		03:24
*** klint has joined #kolla		03:35
*** jasonsb has quit IRC		03:36
*** vhosakot has joined #kolla		03:39
*** Marga_ has joined #kolla		03:53
*** Marga_ has quit IRC		04:08
*** Marga_ has joined #kolla		04:08
*** jasonsb has joined #kolla		04:09
openstackgerrit	MD NADEEM proposed openstack/kolla: Reconfigure for haproxy https://review.openstack.org/288248	04:19
*** jasonsb has quit IRC		04:19
*** britthou_ has quit IRC		04:32
*** Allen_Gao has quit IRC		05:02
openstackgerrit	Jeffrey Zhang proposed openstack/kolla: Copy the logs out of the container https://review.openstack.org/288541	05:07
*** Allen_Gao has joined #kolla		05:14
*** Jeffrey4l has quit IRC		05:17
*** pbourke has quit IRC		05:18
*** pbourke has joined #kolla		05:18
*** Marga_ has quit IRC		05:51
*** salv-orlando has joined #kolla		05:52
*** salv-orl_ has quit IRC		05:55
*** vhosakot has quit IRC		06:26
*** akwasnie has joined #kolla		07:14
*** Allen_Gao has quit IRC		07:27
*** akwasnie has quit IRC		07:35
*** akwasnie has joined #kolla		07:35
*** akwasnie has quit IRC		07:42
*** Allen_Gao has joined #kolla		07:44
*** The_Ball has quit IRC		08:04
*** akwasnie has joined #kolla		08:04
*** iceyao has quit IRC		08:20
*** akwasnie has quit IRC		08:26
*** achanda has quit IRC		08:36
*** achanda has joined #kolla		08:40
*** achanda has quit IRC		08:50
*** chandankumar has joined #kolla		09:31
*** dwalsh has joined #kolla		10:15
*** dwalsh has quit IRC		10:37
*** iceyao has joined #kolla		10:49
openstackgerrit	Eric Lemoine proposed openstack/kolla: Make Heka send logs to Elasticsearch https://review.openstack.org/284188	10:52
openstackgerrit	Eric Lemoine proposed openstack/kolla: Use alphabetical order in cleanup-containers https://review.openstack.org/287626	10:52
*** chandankumar has quit IRC		10:54
*** The_Ball has joined #kolla		11:29
*** Jeffrey4l has joined #kolla		11:47
*** salv-orl_ has joined #kolla		11:52
*** salv-orlando has quit IRC		11:55
*** macsz has joined #kolla		12:01
openstackgerrit	Jeffrey Zhang proposed openstack/kolla: Copy the logs out of the container https://review.openstack.org/288541	12:05
*** macsz has quit IRC		12:08
*** skape has joined #kolla		12:09
*** dims has joined #kolla		12:11
*** britthouser has joined #kolla		12:13
*** akwasnie has joined #kolla		12:13
*** dims has quit IRC		12:13
*** akwasnie has quit IRC		12:14
*** britthou_ has joined #kolla		12:16
*** britthouser has quit IRC		12:19
*** dims has joined #kolla		13:08
*** openstackgerrit_ has quit IRC		13:17
*** openstackgerrit_ has joined #kolla		13:18
*** dims has quit IRC		13:53
*** klint has quit IRC		14:03
*** nihilifer has quit IRC		14:15
*** nihilifer has joined #kolla		14:17
*** openstackgerrit_ has quit IRC		14:20
*** openstackgerrit_ has joined #kolla		14:21
*** jmccarthy has quit IRC		14:21
*** jmccarthy has joined #kolla		14:22
*** openstackgerrit_ has quit IRC		14:32
*** openstackgerrit_ has joined #kolla		14:33
*** dims has joined #kolla		14:49
*** sdake has joined #kolla		14:51
sdake	morning	14:51
sbezverk	Good morning	14:55
*** sdake_ has joined #kolla		14:56
sbezverk	sdake I registered new BP, please let me know if it has been done correctly..	14:57
*** sdake has quit IRC		14:57
openstackgerrit	Jeffrey Zhang proposed openstack/kolla: Copy the logs out of the container https://review.openstack.org/288541	15:00
*** britthou_ has quit IRC		15:03
*** iceyao has quit IRC		15:15
sdake_	Jeffrey4l morning	15:23
sdake_	sbezverk cool	15:23
sdake_	sbezverk if you hav a link i'll take a look	15:23
sdake_	sbezverk btw your patch was slightly wrong	15:23
sdake_	the commit log was wrong - could you fix real quick?	15:23
*** sdake_ is now known as sdake		15:24
Jeffrey4l	morning sdake	15:24
sdake	Jeffrey4l i am definately tagging today	15:25
sdake	assuming master works	15:25
sdake	i bsaically hit the wall last night and couldn't tag	15:25
sdake	do you know what shape master is in atm?	15:25
sdake	i see our leaky gate says it looks good ;-)	15:25
Jeffrey4l	the wall? what it?	15:26
Jeffrey4l	I have no time to test it today. If the gate says it good. it should be OK. at leat the main service is OK. sdake	15:26
openstackgerrit	Serguei Bezverkhi proposed openstack/kolla: Reconfigure for Swift https://review.openstack.org/288824	15:27
sdake	Jeffrey4l can you review that please	15:31
Jeffrey4l	np	15:32
openstackgerrit	OpenStack Proposal Bot proposed openstack/kolla: Updated from global requirements https://review.openstack.org/288890	15:32
sdake	Jeffrey4l have one favor to ask, go through https://blueprints.launchpad.net/kolla/+spec/kolla-reconfig	15:35
sdake	and mark the work items to the correct statte	15:35
Jeffrey4l	ok.	15:35
sdake	if you can do that now, i'm going to markt he blueprint implemented and file separate bugss for work items left over	15:35
sdake	or altenately you can file seperate bugs and file them to mitaka->rc1	15:36
sdake	or in addition i mean	15:36
openstackgerrit	Merged openstack/kolla: Make Heka send logs to Elasticsearch https://review.openstack.org/284188	15:36
openstackgerrit	Merged openstack/kolla: Use alphabetical order in cleanup-containers https://review.openstack.org/287626	15:36
sdake	I use POSTPONED for things we can't implement Jeffrey4l because there are no playbooks	15:36
Jeffrey4l	sdake, roger that.	15:37
sdake	heat is DONE btw	15:37
sdake	see, all the states are not set up to date in the work items	15:37
*** dims has quit IRC		15:41
*** dims has joined #kolla		15:43
*** diogogmt has quit IRC		15:45
*** diogogmt has joined #kolla		15:48
sdake	Jeffrey4l and if you could do that now (apologie for context switch) I'd apprecaite it	15:48
Jeffrey4l	sdake, I am working on it. :D	15:48
Jeffrey4l	almost done	15:48
sdake	sweet ;)	15:48
ccesario	it was changed any thing in multinode deploy!? http://pastebin.com/w2AgrRA2 O_o	15:50
Jeffrey4l	sdake, done.	15:51
sdake	did you end up filing bugs targeted to milestone mitaka-rc1?	15:52
sdake	ccesario the keystone container has changed aroudn that area, it is possible multinode is busted	15:52
sdake	the gate only tests single node	15:53
Jeffrey4l	sdake, no.	15:53
Jeffrey4l	just mine filed? Or all?	15:53
Jeffrey4l	sdake,	15:53
sdake	all bugs wherre the state of the item is in TODO	15:53
sdake	file a separate bug per one	15:53
sdake	example	15:53
sdake	"reconfigure work for service XYZ"	15:53
sdake	critical mitaka->rc confirmed	15:53
sdake	mitaka-rc1 that is	15:54
sdake	e.g. https://bugs.launchpad.net/kolla/+bug/1553516	15:54
openstack	Launchpad bug 1553516 in kolla "droproot work for kibana" [Critical,Confirmed]	15:54
Jeffrey4l	roger. how about POSTPONED state? sdake	15:55
sdake	ignore postponed	15:55
Jeffrey4l	ok	15:55
sdake	when we add new services it will be a requirement to do the whole job	15:55
sdake	aslo inprogreess as well	15:57
sdake	if there are any inprogress that haven't merged	15:57
sdake	lets tryr to get them merged first	15:57
*** diogogmt has quit IRC		15:58
Jeffrey4l	sdake, just haproxy https://review.openstack.org/288248	15:59
sdake	ok lets carry that over int oa bug	15:59
sdake	and file a -1 on the reeview pointing at the bug id	16:00
Jeffrey4l	ok	16:00
Jeffrey4l	sdake, then we can mark the bp is implemented? and tag m3. right?	16:02
sdake	yup	16:03
sdake	once i get done with rootwrap fixup ;)	16:03
sdake	i am doing same thing with rootwrap atm	16:03
Jeffrey4l	cool	16:03
*** dims has quit IRC		16:04
sdake	Jeffrey4l mark reconfig implemented when done with the bugs	16:10
Jeffrey4l	ok	16:10
Jeffrey4l	sdake, all done. Have a long journal tomorrow. So need go to bed now. Good night. :p	16:11
Jeffrey4l	s/journal/journey/	16:12
*** dims has joined #kolla		16:16
*** dims has quit IRC		16:18
sdake	Jeffrey4l does mongodb deploy via ansible?	16:19
sdake	I thought it did not	16:19
*** Jeffrey4l has quit IRC		16:19
*** vhosakot has joined #kolla		16:19
*** vhosakot has quit IRC		16:38
SamYaple	holla	16:55
*** macsz has joined #kolla		16:59
sdake	hey SamYaple	17:02
sdake	i'm about done with sorting out the tracker	17:03
sdake	and then i'll do a test of centos source and binary	17:03
sdake	can you test master ubuntu source multinode?	17:03
sdake	if those tests come back with an a-ok i'll tag	17:03
SamYaple	doubtful. im working on some shade stuff right now to get the service and endpoint modules to land before anible 2.1	17:04
*** bmace has quit IRC		17:07
*** bmace has joined #kolla		17:07
sdake	i guess we could release without testing multinode deploy of ubuntu but a couple peopel have complained it doesn't work properly	17:07
sdake	not sure if its pebkac or a legitimate problem	17:08
sdake	SamYaple re fernet, mind dave-mccowan takes implementation of that for the rc1 release?	17:10
*** sdake_ has joined #kolla		17:17
*** sdake has quit IRC		17:18
*** sdake has joined #kolla		17:27
*** SiRiuS_ has joined #kolla		17:28
*** sdake_ has quit IRC		17:29
*** sdake_ has joined #kolla		17:31
openstackgerrit	Daniel Gonzalez Nothnagel proposed openstack/kolla: Unify vagrant bootstrap.sh scripts https://review.openstack.org/288821	17:34
*** sdake has quit IRC		17:34
openstackgerrit	Dave McCowan proposed openstack/kolla: Add two more examples of openrc for use with public endpoints https://review.openstack.org/288165	17:38
*** skape has quit IRC		17:44
*** salv-orlando has joined #kolla		17:52
*** macsz has quit IRC		17:55
*** salv-orl_ has quit IRC		17:55
*** macsz has joined #kolla		17:59
*** macsz has quit IRC		18:14
*** jasonsb has joined #kolla		18:22
sdake_	mitaka-3 looking pretty solid tracker wise: https://launchpad.net/kolla/+milestone/mitaka-3	18:24
sdake_	now to see if it actually works correctly ;)	18:25
*** sdake_ is now known as sdake		18:27
*** v1k0d3n has joined #kolla		18:32
sdake	dave-mccowan it took this long to build centos binary and push it to a local registry 2.3 over 10gig:	18:34
sdake	real12m29.995s	18:34
dave-mccowan	:-( sdake my last build took 2.5 hours. i still don't know what my bottleneck is. i timed downloads from my server at 30MB/s, but I'm not even seeing many downloads during the build process. could it be network latency?	18:37
sdake	latency plays a big part	18:37
sdake	kolal downlaods alot of small files during build	18:37
sdake	note i am also using overlayfs	18:38
sdake	320 plays yay looks like it deployed centos binary	18:38
dave-mccowan	if i have keepcache=1 in my docker config, then it should have to download, just check the version/hash/time/whatever, right?	18:39
sdake	horizon seems broken	18:42
sdake	{"versions": [{"status": "CURRENT", "id": "v1.0", "links": [{"href": "http://broked.selfip.net:8000/v1/", "rel": "self"}]}]}	18:42
sdake	when i connect to broked.selfip.net:8000	18:42
sdake	maybe I need to set the horizon port	18:43
sdake	oh 8000 is heat	18:43
sdake	i guess its working ;)	18:44
sdake	horizon seems to work http://broked.selfip.net:800/auth/login/?next=/	18:45
dave-mccowan	sdake no https:// ? :-( ;-)	18:46
sdake	is there a script to configure tls, if so, I'll give it a spin	18:47
sdake	wtb TLS documentation ;)	18:47
dave-mccowan	kolla-ansible certificates	18:47
dave-mccowan	kolla_enable_tls_external=yes	18:48
dave-mccowan	kolla-ansible deploy	18:48
dave-mccowan	(you also need two vips)	18:49
sdake	getting a create failed with heat	18:49
* sdake groans		18:49
dave-mccowan	kolla_external_vip_address=another.ip.free.for.vip	18:50
sdake	dave-mccowan got it, let me try to get heat working first	18:50
sdake	SamYaple heat is busted, how did you test it in your keystone v3 work?	18:58
*** sdake_ has joined #kolla		19:06
*** SiRiuS_ has quit IRC		19:06
* sdake_ wonders how many other services fail authorization		19:06
* sdake_ groans		19:06
sdake_	atleast the basic compute kit works	19:07
sdake_	although I can't ssh into my vms	19:07
sdake_	so not clear if neutron works for me	19:07
sdake_	dave-mccowan are you able to ssh into your vms that you create with nova boot?	19:07
sdake_	could just be an environmental thing on my side - my lab is afu	19:07
*** sdake has quit IRC		19:08
*** sdake has joined #kolla		19:10
*** sdake_ has quit IRC		19:12
sdake	dave-mccowan my deploy with tls is real2m7.647s	19:14
sdake	dave-mccowan with tls doesnt work for me https://broked.selfip.net:800/	19:15
sdake	try it uot	19:15
sdake	http://paste.fedoraproject.org/334551/14572053/ -> http://paste.fedoraproject.org/334551/14572053	19:16
sdake	dave-mccowan any suggestons?	19:17
sdake	I have zero idea how to diagnose tls problems	19:17
sdake	i should probalby set my stuff up to use the external tls gateway for my external fqdn let me try that	19:21
*** achanda has joined #kolla		19:34
*** achanda has quit IRC		19:34
*** SiRiuS_ has joined #kolla		19:38
sdake	i dont like that a misconfgiuraton of the vips requires a reboot to get things back in working order	19:43
sdake	dave-mccowan ^^	19:43
sdake	dave-mccowan I believe I have my tls configured properly	19:46
sdake	but getting this with keystone user-list:	19:46
sdake	Authorization Failed: SSL exception connecting to https://broked.selfip.net:5000/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)	19:46
sdake	this was after wiping out /etc/kolla	19:46
sdake	making sure external was 149 and is mapped to my nat (wrt router)	19:47
sdake	does nat require some special magic to work with ssl?	19:47
sdake	dave-mccowan i got the cert to work but https has a big red line through it sayign the certificate is invalid :)	19:54
sdake	he identity of this website has not been verified.	19:55
sdake	• Server's certificate does not match the URL.	19:55
sdake	• Server's certificate is not trusted.	19:55
sdake	our connection to broked.selfip.net is encrypted using an obsolete cipher suite.	19:56
sdake	The connection uses TLS 1.2.	19:56
sdake	The connection is encrypted using AES_256_CBC, with HMAC-SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.	19:56
sdake	[alt_names]	19:58
sdake	IP.1 = 192.168.1.149	19:58
sdake	this doesn't match my nat unfortunately	19:58
sdake	the ciphers look solid to me	20:08
sdake	not sure what the problem is with chrome complainign about that	20:08
sdake	maybe rsa's DE is in question considering backdooring	20:09
sdake	rather DH	20:09
sdake	256 block chaining is unbreakable imo and hmac with sha1 also unfakeable	20:10
*** macsz has joined #kolla		20:20
sdake	dave-mccowan need a bone here, can't use any cli tools because the site certificate is invalid	20:24
sdake	google chrome just says it has an invalid cert authority	20:24
*** harmw_ is now known as harmw		20:32
*** Marga_ has joined #kolla		20:32
openstackgerrit	OpenStack Proposal Bot proposed openstack/kolla: Updated from global requirements https://review.openstack.org/288890	20:45
sdake	dave-mccowan when yo uget a chance check out https://bugs.launchpad.net/kolla/+bug/1553577	20:50
openstack	Launchpad bug 1553577 in kolla "self-signed certificates don't function with keystone" [High,Triaged] - Assigned to Dave McCowan (dave-mccowan)	20:50
dave-mccowan	sdake look here for instructions on building your openrc https://review.openstack.org/288165	20:52
openstackgerrit	Benedikt Trefzer proposed openstack/kolla: Use debian repos for debian base docker image. https://review.openstack.org/288936	20:56
sdake	https://github.com/openstack/kolla/releases/tag/2.0.0.0b3 enjoy ;)	20:58
sdake	where is this external ca cert dave-mccowan ?	21:01
dave-mccowan	at /etc/kolla/certificates/haproxy-ca.pem	21:02
sdake	i used that, get a resource not found error	21:03
sdake	Authorization Failed: The resource could not be found. (HTTP 404)	21:03
sdake	export OS_CACERT=./external_cacert	21:04
sdake	same result as running with --insecure	21:04
*** SiRiuS_ has quit IRC		21:04
dave-mccowan	do a command with -vvv and pastebin it	21:05
dave-mccowan	where is your client?	21:05
sdake	on my macontosh	21:05
sdake	laptop	21:05
sdake	i tried this instead: export OS_CACERT=file:///external_cacert	21:06
sdake	and get Authorization Failed: SSL exception connecting to https://broked.selfip.net:5000/tokens: [Errno 2] No such file or directory	21:06
sdake	keystone doesn't take a -v operation	21:06
openstackgerrit	Benedikt Trefzer proposed openstack/kolla: Use debian repos for debian base docker image. https://review.openstack.org/288936	21:09
sdake	DEBUG:keystoneclient.auth.identity.v2:Making authentication request to https://broked.selfip.net:5000/tokens	21:09
sdake	INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): broked.selfip.net	21:09
sdake	DEBUG:requests.packages.urllib3.connectionpool:"POST /tokens HTTP/1.1" 404 93	21:09
sdake	DEBUG:keystoneclient.session:Request returned failure status: 404	21:09
sdake	Authorization Failed: The resource could not be found. (HTTP 404)	21:09
sdake	what does your openrc file look like?	21:09
sdake	I wouldn't think we would have to provide an external ca cert to keystone/nova/etc to get things to work	21:09
dave-mccowan	maybe try connecting from your deploy node first to rule out deployment issue, then check out figure out if it's your mac or your nat box.	21:09
sdake	but then again, I dont know how all this stuf fworks :)	21:09
*** macsz has quit IRC		21:09
dave-mccowan	we don't. only the client should need the CA certificate.	21:10
sdake	dave-mccowan what is thte contents of your tls enabled openrc file?	21:12
sdake	try connecting to my horizon at https://broked.selfip.net:443	21:13
sdake	see if that looks correct to you	21:13
dave-mccowan	nope, that doesn't look right. your NAT box is hosing up the connection.	21:14
dave-mccowan	it might still be able to work, but your certificate needs to match the FQDN that's being presented.	21:15
sdake	the ceritficate has broked.selfip.net in it	21:17
sdake	i tried using both my nat address and the internal VIP address prior to cert gen with no luck	21:17
sdake	horizon works, so internal http of keystone works	21:17
sdake	but external keystone ssl doesn't appear to work	21:17
dave-mccowan	or maybe my company's firewall is blocking that domain.	21:17
sdake	i am connected via cox, not via csco	21:18
dave-mccowan	broked.selfip.net uses an invalid security certificate. The certificate is only valid for the following names: rtp5-sinkhole-01.cisco.com, rtp5-sinkhole-01-svc.cisco.com, sinkhole.esl.cisco.com (Error code: ssl_error_bad_cert_domain)	21:18
dave-mccowan	that the error i got.	21:18
sdake	STDAKE-M-J2VL:demo sdake$ nslookup rt5-sinkhole-01.cisco.com	21:19
sdake	Server:192.168.1.1	21:19
sdake	Address:192.168.1.1#53	21:19
sdake	Non-authoritative answer:	21:19
sdake	Name:rt5-sinkhole-01.cisco.com	21:19
sdake	Address: 92.242.140.2	21:19
sdake	STDAKE-M-J2VL:demo sdake$ nslookup broked.selfip.net	21:19
sdake	Server:192.168.1.1	21:19
sdake	Address:192.168.1.1#53	21:19
sdake	Non-authoritative answer:	21:19
sdake	Name:broked.selfip.net	21:19
sdake	Address: 98.165.69.137	21:19
sdake	those ip addresses arent even in the same ballpark	21:19
sdake	can you try without connecting via the vpn?	21:20
sdake	sinkhole is a firewall block I think	21:20
*** dims has joined #kolla		21:20
sdake	let me try via the cvo	21:21
*** dave-mcc_ has joined #kolla		21:21
sdake	inside the firewall i get a tracerotue to sinkhole	21:23
sdake	which is probably a firewall of some sort	21:23
sdake	it should be tracerouting to my dyndns machine	21:23
*** dave-mccowan has quit IRC		21:24
sdake	dave-mcc_ how does it look from that angle?	21:25
dave-mcc_	it looks great if i use curl (and insecure, since i don't have your CA certificate).	21:26
sdake	certificate: http://paste.fedoraproject.org/334612/14572132/	21:26
sdake	open in chrome - get a big red bar from chrome :(	21:27
dave-mcc_	do you have a linux box you can try from? i turned up security pretty high; maybe macs have an older version of SSL support.	21:28
sdake	yes moment	21:28
sdake	you can try form your machine as well	21:29
sdake	you ahve my certificate ;)	21:29
dave-mcc_	i don't have a linux box outside of VPN	21:30
dave-mcc_	i'm getting [Errno 8] _ssl.c:510: EOF occurred in violation of protocol, when using CLI	21:31
dave-mcc_	is that what you're getting now?	21:31
sdake	nope	21:31
dave-mcc_	OS_AUTH_URL=https://98.165.69.137:5000/v3	21:33
dave-mcc_	how does that work for you?	21:33
dave-mcc_	i mean: OS_AUTH_URL=https://98.165.69.137:5000	21:33
sdake	in favor of keystoneauth1 plugins. They will be removed in future releases.	21:34
sdake	'in future releases.', DeprecationWarning)	21:34
sdake	Authorization Failed: SSL exception connecting to https://98.165.69.137:5000/tokens: hostname '98.165.69.137' doesn't match u'broked.selfip.net'	21:34
sdake	is reverse dns lookup used during ssl autentication ?	21:35
sdake	STDAKE-M-J2VL:demo sdake$ nslookup 98.165.69.137	21:36
dave-mcc_	no, the certificate contains the configured values of kolla_external fqdn and address	21:36
sdake	Server:192.168.1.1	21:36
sdake	Address:192.168.1.1#53	21:36
sdake	Non-authoritative answer:	21:36
sdake	137.69.165.98.in-addr.arpaname = ip98-165-69-137.ph.ph.cox.net.	21:36
sdake	yes, I hacked the address to not be external_vip_address, but to be my external external address on the internet	21:36
sdake	the external vip address is 192.168.1.149	21:36
sdake	but i'm wondering if the ssl auth is doing a reverse dns lookup and that is damaging things	21:37
dave-mcc_	no, ssl wouldn't do that	21:37
sdake	because as you can see, I have no control over reverse dns :)	21:37
sdake	anyway I end up with same results on linux machine which is to say esource not round	21:37
sdake	found	21:38
sdake	with /v3 and without /v3	21:38
*** jasonsb has quit IRC		21:38
sdake	i think what would be better is to configure keystone not to complain about the signing cert chain if using a self signed cert, then to force develoeprs tof igure all this stuffo ut ;)	21:39
sdake	openstack-ansible does exactly this	21:39
sdake	what does your web browser look like when you connect to https://broked.selfip.net?	21:40
dave-mcc_	the complaining is on the client side	21:40
sdake	dave-mcc_ check out the horizon interface, tell me if thta looks correct	21:41
sdake	you said sam didn't have any issues on his server, i wonder what the delta is	21:41
dave-mcc_	i get the dashboard with only a warning that the certificate is self signed	21:41
sdake	was his cert self-signed?	21:42
dave-mcc_	yes	21:42
sdake	and you were able to access keystone with his certificate?	21:42
dave-mcc_	it's weird that it works with curl, but not CLI. CLI is just curl library calls.	21:42
sdake	did his machine complain about the self signing?	21:42
dave-mcc_	i didn't hit his box. yes, self slgning work fine. that's not our problem.	21:43
sdake	i suspect it may be reverse dns lookup	21:43
sdake	let me try that out quickly	21:43
*** dave-mccowan has joined #kolla		21:46
sdake	dave-mcc_ how i alt_names used?	21:47
*** dave-mcc_ has quit IRC		21:48
*** salv-orlando has quit IRC		21:52
*** salv-orlando has joined #kolla		21:53
sdake	still resource not found	21:56
sdake	is ssl version of keystone using any port besides 5000?	21:56
sdake	dave-mccowan ^^	21:57
sdake	this is what chrome gives me dave-mccowan The identity of this website has not been verified.	21:58
sdake	• Server's certificate does not match the URL.	21:58
sdake	• Server's certificate is not trusted.	21:58
dave-mccowan	no. you have two different vips, right? it will be 5000 on external with SSL	21:58
sdake	yes two different vips	21:58
dave-mccowan	can you click more info on chrome? firefox gave more details on what it didn't like?	21:59
dave-mccowan	i was able to curl your keystone endpoint using your cert with no issues. can you do that too?	22:00
dave-mccowan	here's what i'm seeing: curl works and handshakes to TLSv1.2. openstack cli fails with handshake error. i'm thinking that the openstack CLI on mac is using old crypto and can't do newer protocols. i'm trying an experiment on my box now.	22:03
sdake	i tried on linux mchine with same results	22:04
sdake	my mac uses tls 1.2 in chrome	22:04
sdake	how do you curl with a cert?	22:04
dave-mccowan	--cacert $OS_CACERT	22:04
dave-mccowan	i got o your dashboard fine	22:05
sdake	STDAKE-M-J2VL:demo sdake$ curl --cacert $OS_CACERT https://broked.selfip.net	22:05
sdake	curl: (51) SSL: certificate verification failed (result: 5)	22:05
sdake	STDAKE-M-J2VL:demo sdake$ curl --cacert $OS_CACERT https://ip98-165-69-137.ph.ph.cox.net	22:06
sdake	STDAKE-M-J2VL:demo sdake$	22:06
sdake	STDAKE-M-J2VL:demo sdake$ curl --cacert $OS_CACERT https://ip98-165-69-137.ph.ph.cox.net:5000	22:06
sdake	{"versions": {"values": [{"status": "stable", "updated": "2015-09-15T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.5", "links": [{"href": "https://ip98-165-69-137.ph.ph.cox.net:5000/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}],	22:06
sdake	"id": "v2.0", "links": [{"href": "https://ip98-165-69-137.ph.ph.cox.net:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}STDAKE-M-J2	22:06
sdake	i guess that is what i should expect to see dave-mccowan ?	22:07
sdake	all that curl was from mac machine	22:07
dave-mccowan	yep.. that's what a version endpoint should return. looks perfect.	22:08
sdake	STDAKE-M-J2VL:demo sdake$ curl --cacert $OS_CACERT https://ip98-165-69-137.ph.ph.cox.net:5000/tokens	22:08
sdake	{"error": {"message": "The resource could not be found.", "code": 404, "title":	22:08
sdake	this is what keytone client is doing, banging on 5000/tokens	22:08
dave-mccowan	try /v3/auth/tokens	22:09
dave-mccowan	export OS_IDENTITY_API_VERSION=3	22:09
sdake	STDAKE-M-J2VL:demo sdake$ curl --cacert $OS_CACERT https://ip98-165.cox.net:5000/v3/auth/tokens	22:09
sdake	{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}STDAKE-M-J2VL:demo sdake$	22:09
dave-mccowan	do you have OS_PASSWORD?	22:10
sdake	yup	22:10
sdake	its password	22:10
dave-mccowan	OK, i confirmed the issue I was tracking. the openstack client as installed on my mac can't do TLSv1.1 or higher. :-( i don't know if i need to fix my mac, or loosen security on kolla.	22:11
sdake	surely we are not the first people to run into this	22:12
sdake	how did you verify that exactly?	22:12
sdake	the same results happen on a linux machine as well	22:12
dave-mccowan	i think you're chasing more than one problem.	22:12
dave-mccowan	does your openrc look like that (sent via pm)?	22:14
dave-mccowan	yes, if i change my kolla install to support TLV10	22:15
dave-mccowan	i think maybe i have an issue with my mac though. maybe i need to pip upgrade something.	22:15
dave-mccowan	i had tried before from my mac, and assumed i had something wrong, so just always tested from linux.	22:16
dave-mccowan	paste me your haproxy.cfg	22:18
sdake	dave-mccowan moment	22:19
sdake	http://paste.fedoraproject.org/334631/57216383/ -> http://paste.fedoraproject.org/334631/57216383	22:19
sdake	i am pretty sure my machine gets through via tls, the problem is it is hitting the wrong endpoint	22:20
sdake	as you saw above, curl to /tokens fails	22:20
sdake	this is what keystone clinet does with --debug	22:20
sdake	openstack user list works	22:21
sdake	so its just that python keystone client is a big pile of muck	22:21
sdake	fwiw the keystone devs said not to use keystoneclient for cli :)	22:22
sdake	so dave-mccowan looks like everything works as expected ;)	22:22
sdake	nice job on tls!	22:22
dave-mccowan	ah ha. yea, i'm getting same thing from keystone client. i was using openstack client. it must be a V3 thing.	22:22
dave-mccowan	oh yea, everytime you type keystone it comes back "warning deprecated".	22:23
sdake	should be 'warning we gave up" :)	22:23
dave-mccowan	ok... in that case, it is just my mac that is having an issue doing TLSv1.2.	22:24
*** Jeffrey4l has joined #kolla		22:25
dave-mccowan	great. you probably have more services running that i do. if you can hit as many as you can and let me know what errors you find, i can do some touch up. many services require a one-liner in the config to work properly behind a tls proxy.	22:25
sdake	compute kit all works	22:27
sdake	heat works as well	22:27
sdake	that is all i had time to deploy from source and inary to tag today	22:27
sdake	heat engine however fails	22:27
sdake	heat-api ha san auth failure	22:27
sdake	SamYaple ^^	22:27
sdake	https://bugs.launchpad.net/kolla/+bug/1553565	22:28
openstack	Launchpad bug 1553565 in kolla "heat is DOA in mitaka-3" [Critical,Confirmed]	22:28
openstackgerrit	Jeffrey Zhang proposed openstack/kolla: Copy the logs out of the container https://review.openstack.org/288541	22:33
*** sdake has quit IRC		22:38
*** salv-orlando has quit IRC		22:39
*** SiRiuS_ has joined #kolla		22:42
*** Jeffrey4l has quit IRC		22:48
*** v1k0d3n has quit IRC		23:10
*** v1k0d3n has joined #kolla		23:10
*** sdake has joined #kolla		23:13
*** dims has quit IRC		23:16
*** sdake has quit IRC		23:21
*** salv-orlando has joined #kolla		23:40
*** salv-orlando has quit IRC		23:47

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!