13:03:46 #startmeeting hyper-v
13:03:47 Meeting started Wed Mar 30 13:03:46 2016 UTC and is due to finish in 60 minutes. The chair is alexpilotti. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:03:48 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:03:51 The meeting name has been set to 'hyper_v'
13:03:54 hi all
13:03:57 Hello
13:03:59 o/
13:03:59 Hi All
13:04:03 hello folks
13:04:05 hello
13:04:05 Hello
13:04:13 hello
13:04:36 sagar_nikam sent some topics for the agenda, we can start from there
13:04:51 alexpilotti: sure thanks
13:04:55 #topic TLS/SSL/Certs
13:05:09 sagar_nikam: would you like to intro the topic?
13:05:19 we have setup a TLS enabled controller
13:05:31 All APIs are https enabled
13:05:52 next we installed nova-compute on hyperv host
13:06:07 so all Keystone endpoints have https
13:06:09 and then copied the certs from controller (.crt file) to hyperv host
13:06:18 added this entry in nova.conf
13:06:25 in cafile entry
13:06:31 nova-compute starts
13:06:40 but while performing nova boot
13:06:47 glance download fails
13:06:56 since the https endpoint is not reached
13:07:03 and we get the error
13:07:16 “2016-03-22 11:52:46.273 4808 ERROR nova.compute.manager [instance: a2f491eb-8796-489d-89e4-8cd93fd044cb] SSLError: SSL exception connecting to https://10.1.212.10:9696/v2.0/extensions.json: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)”
13:07:33 this is the issue we are hitting
13:07:40 we are using python 2.7.10 on hyperv host
13:07:50 googling i found this link
13:07:59 http://stackoverflow.com/questions/33140382/troubleshooting-ssl-certificate-verify-failed-error
13:08:03 sagar_nikam: here's the Nova code: https://github.com/openstack/nova/blob/master/nova/image/glance.py
13:08:28 the error in that is exactly the same we hit
13:08:32 under [glance]
13:08:35 do you have:
13:08:39 protocol = https
13:08:52 and the response in that link suggests the issue is with openssl version used in python 2.7.10
13:09:02 alexpilotti: yes
13:09:05 or since it's deprecated,
13:09:08 it is https
13:09:16 api_servers = https://etc ?
13:09:25 going back to python version 2.7.11 has some fixes
13:09:44 if you set:
13:09:51 api_insecure = True
13:09:53 does it work?
13:10:19 entry from nova.conf
13:10:31 yes, under [glance]
13:10:37 [glance] api_servers = https://my-ip:9292 protocol = https
13:11:16 i suspect that this issue has got to do with python 2.7.10
13:11:19 can you add also api_insecure = True
13:11:24 just for a test
13:11:24 alexpilotti: your thoughts ?
13:11:42 alexpilotti: sure, for test i can add that
13:11:51 I think it's just related to openssl not being able to verify the cert on the server
13:11:53 but for prod, we need to find a solution
13:12:20 alexpilotti: is it not related to python version
13:12:26 see this change log of python
13:12:28 also you need: https://github.com/openstack/nova/blob/master/nova/image/glance.py#L155-L160
13:12:33 https://hg.python.org/cpython/raw-file/53d30ab403f1/Misc/NEWS
13:12:45 do you have:
13:12:48 it has a fix for using openssl
13:13:05 [ssl] cacert = ca.crt ?
13:13:22 yes
13:13:26 check this entry
13:13:38 [ssl] ca_file = "C:\Users\Administrator\Desktop\ca-certificates.crt"
13:14:02 ok then you are good
13:14:02 actually i have ca_file
13:14:10 not cacert
13:14:34 alexpilotti: have your team got SSL/Certs working on hyperv ?
13:14:34 did you try with python 2.7.11? just to make sure it's not an openssl issue
13:14:53 so far we never had issues
13:14:56 alexpilotti: yes, trying with python 2.7.11
13:15:07 this can be easily isolated as well
13:15:13 what was the python version you have used
13:15:23 you just have to create a glanceclient:
13:15:24 glanceclient.Client(str(version), endpoint, **params)
13:16:23 glanceclient.Client("1", "https://xxx", cacert=xxx.crt)
13:16:25 you mean in a test code ?
13:16:31 yeah of course
13:16:34 ok
13:16:38 we can try that
13:16:46 just to isolate the issue
13:16:54 just run it on any Windows
13:17:03 yes, correct
13:17:12 we can even go one step further
13:17:27 however i am curious, how did it work in your setup ? which version of python on hyperv host
13:18:41 this is what the glanceclient is using: https://github.com/openstack/python-glanceclient/blob/1995046a5f2445b0b125f4a06f852409c6d4a25d/glanceclient/common/https.py#L234
13:19:43 ionutbalutoiu: did that environment that you set up have a Glance endpoint too?
13:21:43 alexpilotti, no, it was just a deployment with swift + keystone
13:21:51 both running on https
13:21:56 we can easily replicate the entire setup in devstack
13:21:59 USE_SSL=True
13:22:39 alexpilotti: we will try in our setup, can your team try in devstack and let us know your findings
13:23:00 sure, it's worth doing a test
13:23:01 hopefully we can find a solution soon
13:23:21 I'm quite confident that it's just a configuration issue
13:23:57 sure, if that is a configuration issue, then it is good
13:24:01 we're doing some tests today
13:24:19 also are we sure, just copying the certs file to hyperv host is sufficient ?
13:24:42 alexpilotti: thanks. that helps
13:25:05 if they get properly passed the urllib3, there should be no issue
13:25:14 ok
13:25:19 we'll get back with what we find out ASAP
13:25:26 sure... thanks
13:25:53 we can move to next topic if everybody is done on this topic
13:26:08 actually, we should move all of our devstack deployments to TLS, as it's more consistent with real production environments
13:26:50 next
13:26:53 #topic FreeRDP
13:27:11 sagar_nikam: would you like to introduce your request?
13:27:32 sure
13:27:40 freerdp-webconnect
13:27:48 any plans of supporting it on linux
13:27:56 we would like to use it on linux
13:28:20 it is already building on Linux
13:28:26 in the same way of novnc
13:29:00 from the last i saw, it was not available
13:29:03 it builds on ubuntu and centos afaik, need to double check
13:29:06 can you point me to the link ?
13:29:17 i tried on ubuntu
13:29:19 did not work
13:29:48 ubuntu 14.04?
13:29:55 what did you run to build it?
13:30:05 also your instructions are for installing it from code, we would like a .deb file
13:30:12 yes ubuntu 14.04
13:30:30 debian file is not available
13:30:56 you mean a deb?
13:31:17 yes
13:31:22 ATM it needs to be built with ./setup-all.sh -i
13:31:27 deb is not available
13:31:36 we don't provide prebuilt debs or rpms
13:31:38 yes correct,
13:32:01 that was my question. any plans of supporting deb or rpm ?
13:32:03 but we'd happily accept contributions :)
13:32:24 we don't plan to do it in the short term
13:32:47 ok
13:32:57 as you know we use mostly windows ATM, so although we support building on Linux, we don't plan to package it
13:33:07 ok
13:33:22 you also need to make sure that all dependencies are properly satisfied as well
13:33:50 doing a custom deb package based on the compiled binaries shouldn't be too difficult IMO
13:34:12 ok
13:34:45 we will use it as and when it is available, till that time, we will probably use it on windows
13:34:55 sure
13:34:59 we will use it as and when it is available, till that time, we will probably use it on windows
13:35:13 anything else you'd like to add on the topic?
13:35:26 no
13:35:47 cool, next:
13:35:53 #topic: Newton – Plans for resubmitting FC and cluster patches upstream
13:36:27 AFAIK the window is open now, so we can start resubmitting all the BP specs
13:36:41 and ensure that the patches are ready for review etc
13:36:50 claudiub|2: can you confirm?
13:37:07 both cluster driver and FC are important, hopefully they get merged in newton
13:37:13 bp specs reapproved for n
13:37:41 sagar_nikam: yes, they are all here: https://github.com/openstack/nova-specs/tree/master/specs/newton/approved
13:37:57 alexpilotti: can we have these 2 in the top 3 from hyperv for nova core reviewers
13:38:19 well, they want 3 patches at a time
13:38:45 any preference in the priority between cluster and FC?
13:38:58 cluster first, FC second
13:39:05 ok
13:39:31 atuvenie: can you please take care of rebasing on master?
13:40:05 yes
13:40:37 also, there are a ton of BPs that are pending approval: https://blueprints.launchpad.net/nova?searchtext=hyper-v
13:40:54 claudiub|2: can you please ping johnthetubaguy and ask if they can be reapproved?
13:41:08 those are the ones w/o specs (aka trivial bps)
13:41:08 sure
13:41:33 there are at least 10 of them
13:42:12 also the cluster one says "slow progress", should be changed in "needs code review" as soon as patches get rebased
13:42:30 I'd also start rebasing the FC ones
13:42:48 especially if they are ready to go as is
13:43:08 sagar_nikam: any other question on this topic?
13:43:33 since we are at the start of M
13:43:42 let's get these patches submitted for review
13:43:52 hopefully we get some review time
13:43:54 sagar_nikam: we might need again your +1s on those patches after rebase, BTW
13:44:03 sure
13:44:22 i will work with hemna and kurt to get +1 for FC
13:45:14 FC ones should be easier to rebase. lpetrut, can you please take care of those?
13:45:17 e.g.: https://review.openstack.org/#/c/258617/
13:45:52 lpetrut: let me know when you need review from hemna and kurt
13:46:02 also https://review.openstack.org/#/c/273504/
13:46:22 we need to ask johnthetubaguy to remove the -2s, since the BP got re-approved for N
13:46:35 lpetrut: you here?
13:46:47 sagar_nikam: sure
13:47:04 there's also the os-brick one w a -2: https://review.openstack.org/#/c/273504/
13:48:13 since Newton is now open, I guess I should talk with John to remove the -2
13:48:15 I'd suggest to start on those ASAP
13:48:34 lpetrut: yes, there's no reason to keep them blocked anymore
13:48:43 12' to go
13:48:51 anything else on the topic?
13:49:03 no
13:49:09 ok, next
13:49:13 sonu: any networking topics
13:49:18 we have 12'
13:49:37 #topic wait for Neutron vif events
13:50:18 we added support in compute-hyperv for waiting for Neutron when spawning an instance
13:51:20 we lose a 6% performance, but it looks like we got rid of the WMI ACL bug
13:51:31 alexpilotti: do we have a bug for it upstream ? any plans of upstreaming it
13:51:39 yes, sure
13:51:58 not sure if this won't require a BP
13:52:09 there's a bp for this already, it's approved
13:52:09 https://blueprints.launchpad.net/nova/+spec/hyper-v-spawn-on-neutron-event
13:52:14 #link https://blueprints.launchpad.net/nova/+spec/hyper-v-spawn-on-neutron-event
13:52:23 here we go :)
13:53:00 already reapproved
13:53:08 we just need to send up a patch
13:53:09 looking at the BP, it seems a small change
13:53:16 not very complex
13:53:50 sagar_nikam: https://github.com/openstack/compute-hyperv/commit/3b117c95285a5cf52be6440f955c8c9c33249a7b
13:54:02 here's the compute-hyperv equivalent
13:54:31 ok
13:54:42 it can be applied to Nova roughly as is
13:55:10 ok, tests and paths need to be changed, but the logic is the same
13:55:25 also it's not dependent on anything else
13:55:34 5' to go
13:55:44 #topic performance
13:56:33 last Rally tests are great, looks like we got ahead of KVM, by a tiny margin on the Hadoop test case :)
13:56:55 I'm very happy about all the Mitaka improvements
13:57:29 sagar_nikam: any plans to do some performance tests?
13:57:30 how many of these mitaka improvements are already upstream ?
13:57:40 all the os-win ones
13:58:00 luckily a lot of those are os-win specific, so we don't have the Nova bottleneck
13:58:21 we are still on liberty, i know that sonu:'s team is planning scale tests on liberty in few weeks
13:58:42 cool
13:58:50 good to know that all changes are in os-win
13:59:17 alexpilotti: we may need some help if scale results point to issues
13:59:23 in liberty
13:59:44 sure, happy to help
13:59:49 thanks
13:59:59 we will reach to your team if required
14:00:06 we're also going to backport a lot of stuff to Liberty / Kilo as soon as Mitaka is fully released
14:00:18 cool thanks!
14:00:21 time's over!
14:00:28 thank you all
14:00:32 thanks y'all for joining!
14:00:37 #endmeeting