[14:27] <fallenour> @stokachu @rick_h @catbus @dmitri-sh hey guys, I am looking to build a cluster of web servers, and Im trying to find a prepackaged loadbalancing apache2 with haproxy or nginx with or without mysql included. I know it exists but I cant find it. Can you lend me a hand?
[14:29] <bdx> fallenour: there are many ways to skin that cat ;)
[14:30] <rick_h> fallenour: heh yea bdx is the proxy loadbalancing master atm :)
[14:39] <fallenour> @bdx Id like to have three apache2 servers, 2 loadbalancers and reverse proxies with Memcached, with master/slave databases. I know that means MySQL with either NGinx or HAProxy, using LXD for the web sites themselves on the Apache2 servers, with the HAProxy / Nginx boxes loadbalancing to the Apache2 server clusters, leveraging the MySQL master databases to do forced replication to the slave databases which will be used by the sites.
[14:39] <fallenour> I know thats a tall order, but I do know that a charm exists already for it, I just cant find the damn thing.
[14:40] <fallenour> effective work flow End User >>> Load Balancer 1/2 >>> Apache2 Server 1,2,3 >>> Relevant WebServer in LXD Container 1,2,3
[14:41] <fallenour> Preferably a round robin basis if possible, its the easiest, and allows me to bring 1 server down at a time for maintenance without outage time
[14:42] <bdx> fallenour:  the quantity is arbitrary, just assume the services can scale, and focus on getting a bundle put together with just a singleton architecture
[14:43] <fallenour> @bdx so build a custom charm then? Memcached + HAProxy + Apache2 + lxd?
[14:43] <fallenour> ooo! Plus MySql Master/Slave?
[14:43] <bdx> fallenour: a custom *bundle*
[14:44] <bdx> yeah, but dont worry about the slave part yet
[14:44] <fallenour> @bdx k. Do you think it would be well received? If So, I wouldnt mind publishing it. I think itd be really cool to finally give something to the Web Devs. Theyve saved my ass on more than one hellfire moment
[14:45] <bdx> fallenour: yeah ... so the idea is such that you release your charm or bundle to the charm store once it is  super solid/complete
[14:46] <fallenour> @bdx LOOOL. BDX: "Yeah...." Me: Ohh gwd, I said something stupid again XD
[14:46] <bdx> fallenour: see if you can find a bundle or two to use as an example
[14:47] <bdx> you will see how there are sections to specify the charms, and relations, and machines
[14:51] <bdx> fallenour: no worries, its not always so obvious, different ways of sharing things in different communities/ecosystems, it was more of a "how do I phrase this" "yea...."
[14:54] <fallenour> @All Please be aware, this is misconfigured. I have a localized cache of all of the Ubuntu Repo, and it exceeds 110 GB of storage currently. Please be aware you will need to extend the threshold from 80 to 150 for stability reasons. Can someone please inform the developer? https://jujucharms.com/ubuntu-repository-cache/24
[14:55] <fallenour> Other than that, its OUTSTANDING! Im glad someone made building it a lot easier, because the initial build was a huge pain in the ass.
[14:57] <bdx> fallenour: the "submit a bug" button on the ^ web page that will aid you in submitting a bug for the charm?
[14:58] <fallenour> @bdx I never saw that LOL!
[14:58] <bdx> yeah we should make it a big red button huh?
[14:59] <fallenour> @bdx Please dont, Im red/blue color blind :(
[15:48] <knobby> set irc.server.canonical.ssl_verify yes
[15:48] <knobby> bah
[16:05] <stormmore> o/ juju world
[16:07] <fallenour> o/ @stormmore
[16:17] <Catalys> @beisner Just did an upgrade to Pike however did come across a few issues such as the DB migration failing and having to trigger one manually, is it safe to do that with "nova-manage db sync" afterwards though?
[16:20] <rick_h> beisner: ^
[16:21] <rick_h> oh nvm /me drinks more coffee
[16:39] <el_tigro1> Is there a way to backup/restore a juju client for a single controller? The 'tar' method described in the documentation is an all or nothing approach:
[16:39] <el_tigro1> https://jujucharms.com/docs/2.1/controllers-backup
[16:40] <rick_h> el_tigro1: a single juju model?
[16:41] <el_tigro1> The client for a single controller including all its models
[16:41] <el_tigro1> At least that's what I think I mean
[16:42] <el_tigro1> the info seems to be stored in these 4 files in ~/.local/share/juju: accounts.yaml, controllers.yaml, bootstrap-config.yaml, models.yaml
[16:42] <rick_h> el_tigro1: oic, no. I'd love to have one. I've always wanted to do a juju export/import for the client to sync my machines up together
[16:42] <el_tigro1> exactly
[16:43] <el_tigro1> rick_h: Thanks
[16:43] <rick_h> el_tigro1: I cheat instead and I copy/paste the creds and use a different user account for each machine so I can juju register xxxxx and have valid users  and cached data on each machine
[16:45] <el_tigro1> rick_h: Thanks, that helps
[17:09] <cory_fu> tinwood: https://github.com/juju-solutions/charms.reactive/pull/126
[17:24] <fallenour> @rick_h hey whats the juju command to force remove a machine? Ive tried juju remove-machine  and remove-machine --force, but they still show up as down. They never built, so I want to remove them to reduce clutter on juju status output
[17:25] <fallenour> nevermind, they randomly cleared up this time, im guessing the --force option got it this time
[17:30] <fallenour> @rick_h @catbus @stokachu @bdx Having issues deploying more than one apache instance, keeps giving me an "application already exists error". I dont receive this error from other charms, or at least none that ive noticed. Any ideas on how to deploy my other two apache instances (apache2/1, apache2/2) on lxd containers on machines 8 and 9?
[17:31] <bdx> fallenour: once you deploy the application, you have to use the `add-unit` command to scale it up
[17:32] <bdx> fallenour: e.x. `juju deploy apache2; juju add-unit apache2;`
[17:32] <fallenour> @bdx juju add-unit --to lxd:8 && juju add-unit --to lxd:9 ?
[17:32] <bdx> fallenour: :thumbsup:
[17:32] <fallenour> ooh! juju add-unit apache2 --to lxd*
[17:33] <bdx> hmmm, not sure about ^
[17:33] <fallenour> sorry, full context: juju add-unit apache2 --to lxd:8 && juju add-unit apache2 --to lxd:9
[17:34] <bdx> ya, you can do that
[17:34] <fallenour> Also, @BDX how do I cluster a pair of HAProxy systems? I tried to do that in juju gui, but it didnt work. Did I miss something?
[17:34] <rick_h> fallenour: yea, that way your application is tracking config/etc in a common place and you're just scaling it up and up with more units
[17:37] <bdx> fallenour: so ... I'm not sure haproxy really *clusters* as (to the extent of my knowledge) one haproxy instance isn't aware of the others
[17:37] <fallenour> @bdx damn. Is there an alternative that you would recommend? Its very important that I have a clustered loadbalancer.
[17:38] <bdx> fallenour: so you can have pools of haproxy servers
[17:38] <fallenour> @bdx pointing to more than one apache2 server I take it? And then have dns load balancing im assuming off of the haproxy servers?
[17:39] <bdx> like you can loadbalance across haproxy servers in different fashions
[17:39] <bdx> yeah exactly
[17:39] <bdx> I do a very similar thing in many configurations
[17:40] <bdx> pool of haproxy servers -> application servers (nginx -> gunicorn)
[17:41] <bdx> so with haproxy you can configure it to do active or passive loadbalancing
[17:41] <bdx> fallenour: it sounds like you want active-active
[17:42] <fallenour> So for websites I take it you take a similar approach, and drop it onto an apache2 or gunicorn box?
[17:42] <bdx> fallenour: if this is so, you would need to configure the 'peering_mode' config for the haproxy charm
[17:42] <fallenour> @bdx yea I want to be able to randomly reconfigure and reshape my traffic geographically
[17:43] <fallenour> @bdx some of the projects I am supporting do VPN and encryption, and if I need to run their traffic and data out of the country immediately to keep them from jail time or execution, I need to be able to do it immediately
[17:44] <fallenour> @bdx right now some countries are on the war path against crypto or vpn of any kind, regardless of legit or illegit use
[17:45] <fallenour> clear
[17:45] <bdx> aha
[17:45] <bdx> yeah
[17:48] <bdx> fallenour: what you are looking for is a SDN platform/controller
[17:49] <bdx> fallenour: check this out https://www.opendaylight.org/
[18:04] <fallenour> @bdx this thing looks insane o.o
[18:07] <bdx> fallenour: it takes some extensive deep diving to come to terms with the full capability and feature set of what something like opendaylight can do ... don't feel bad if it doesn't all 'click' right off the bat
[18:07] <bdx> but I feel like you get the big picture
[18:08] <fallenour> @bdx yea it looks like and sounds like it can do an L2 / L3 / DDNS centralized orchestration. Is that hitting close to the ballpark?
[18:10] <fallenour> @bdx one of the apache2 instances hung, juju add-unit adds a specified unit, what deletes one?
[18:10] <bdx> `juju remove-unit`
[18:14] <bdx> fallenour: yeah you are on the right track
[18:14] <fallenour> @bdx sweet. Next question, my machine numbers are super messed up right now, 0,1,2,3,5,6,7,8,10 is it possible to renumber them?
[18:15] <bdx> the numbers are arbitrary ... you shouldn't concern yourself with the ordering
[18:15] <bdx> correction *the machine number will always increment each time you deploy a machine*
[18:16] <fallenour> @bdx ok. me personally I dont care, but some people do
[18:16] <bdx> fallenour: there is no way to keep track of the things if they don't have unique ids
[18:17] <bdx> if you want the numbering to start over you have to create a new model
[18:18] <bdx> fallenour: I'll stress that you really shouldn't concern yourself with the ordering of the machine numbers
[18:18] <bdx> because as you scale things up and down, you may add and remove units and machines
[18:19] <fallenour> @bdx yea Ive already experienced some unique "features" lol
[18:21] <bdx> fallenour: a common take on how to look at this is, try to think of your infrastructure as cattle not cows
[18:21] <bdx> we don't care what number a cow has
[18:21] <bdx> only what type of cow it is
[18:21] <rick_h> Cattle not pets :p
[18:21] <bdx> awww
[18:21] <fallenour> @bdx yeap, and Ill send Ole Bessie to the slaughter she mooes just a tad over my stereo
[18:21] <bdx> rick_h: to the save
[18:21] <bdx> ha
[18:21] <bdx> haha
[18:22] <fallenour> clear
[18:22] <rick_h> Pets get names and love and attention. Cattle get herded and such...
[18:22] <fallenour> @rick_h nah, cattle get love too. That way they taste better when youre eating them :D
[18:23] <bdx> oh no
[18:23] <bdx> :)
[18:23] <xarses_> wagu
[18:23] <xarses_> =)
[18:23] <rick_h> fallenour: hah, "I don't buy steaks without a name tag on them. I want to know who's so yummy!"
[18:23] <tychicus> ^^ agreed
[18:25] <xarses_> Waiter: "Tonight we are serving Stephanie, a 4 yr old Texan from yummy tummy farms..."
[18:29] <xarses_> ok, so I know that juju has the ideas about being able to restrict access, but it doesn't appear to do any restrictions with a maas cloud, is there a way to make it interface with iptables or another driver?
[18:30] <fallenour> @xarses_ you can deploy pfsense for starters, restrict a lot that way.
[18:30] <xarses_> deploy pfsense?
[18:34] <fallenour> @xarses_ Yeap, Check here:  https://www.pfsense.org/download/    You can also deploy OpenVPN: https://jujucharms.com/openvpn/6
[18:34] <fallenour> @xarses_ you can deploy PfSense easily with Openstack, and then also use juju for OpenVPN
[18:34] <bdx> fallenour: pfsense should sit above your openstack
[18:34] <bdx> fallenour: you can deploy it *in* openstack but .....
[18:35] <xarses_> I'm not sure we are on the same page, I want the maas cloud to require things like `expose` to have the ports exposed outside of the model
[18:35] <fallenour> @bdx true, but if you deploy it, and then leverage it as a primary gateway, you can use it in openstack
[18:35] <fallenour> @bdx its dirty, but it works.
[18:35] <fallenour>  @xarses_ then you will most definitely need to do port forwarding on either a firewall or a modem, depending on if you have a bridged modem or not
[18:35] <xarses_> for example, the amqp port is exposed on the network, but the service isn't exposed
[18:36] <fallenour> @xarses_ So you want Internet User >>> Port 22 >>> Your PFSense Firewall 22 >>> Port Forward SSH Service to "X":22
[18:36] <fallenour> Is that correct?
[18:36] <xarses_> no
[18:37] <fallenour> @xarses_ so then you want an exposed port with no service behind it? So it detects as services active, but not actually there?
[18:37] <fallenour> @xarses_ almost like a false flag honeypot?
[18:38] <fallenour> @xarses_ For Instance, Internet User >>> Port 22 >>> Your PFSense Firewall 22 >>> Port Forward to Service that doesnt exist, or is a FIFO Connection Completion Shell Process for Nagios Trigger Alert
[18:39] <xarses_> I want juju to secure my maas cloud machines the same way it does for openstack cloud machines
[18:40] <xarses_> well, it cant be the same, but I want it to do the iptables, or go tell it what service I want it to use
[18:40] <fallenour> @xarses_ but maas doesnt do that, at least not to my knowledge. I think you are referring to Heat in Openstack, which is an inline proxy service, which does work, but MaaS is just a Metal as a Service Software. All it can do is deploy ISOs or Yamls at best. Its more so the Yaml that secures your machine, not so much MaaS itself.
[18:41] <xarses_> no I'm not referring to heat in openstack
[18:41] <fallenour> @xarses_ are you referring to the security modules built into Yaml scripts deployed by MaaS?
[18:41] <xarses_> I'm referring to juju using neutron security groups to enforce security between units to exposed ports
[18:41] <fallenour> @xarses_ ahhh!
[18:42] <fallenour> @xarses_ for something like that, youll be much better off, and have much better granular control if you put a protocol proxy inline, something like ThrottleProxy
[18:43] <xarses_> https://github.com/mistakster/throttle-proxy ?
[18:44] <xarses_> ya, I still think we aren't connecting here
[18:45] <xarses_> when juju deploys a model on the openstack cloud, it creates a 100% restricted locked down security group
[18:45] <xarses_> and then alters based on relations
[18:45] <xarses_> and if the unit is exposed
[18:45] <xarses_> it does 0 of that on the maas cloud, with bare machines, or lxd units
[18:46] <xarses_> what can I hook in there to do something similar, i.e. iptables
[18:47] <xarses_> or otherwise expose the data that made the similar decisions when deploying to the openstack cloud
[18:48] <xarses_> preferably, I'd plugin Calico-Felix for it to update, but that seems quite far fetched
[18:48] <zeestrat> Hey rick_h, I'm writing a controller charm and an accompanying agent charm that scales out and need a reality check on how the relations work. I made an interface that provides on the controller and requires on the agents which works. Adding new agents also work as the joined/changed fires on both the controller and the new agent, however the other agents also need to do somethings when a new agent joins, but they
[18:48] <zeestrat> don't get any joined events from the controller or other agents that I can use. What's the design pattern for such a case? Am I missing something with the regular provide-request interface relations? Do I need to use the peer interface on the agents so they know about each other when scaling out, or is there something else?
[18:49] <rick_h> zeestrat: sorry, I'm literally heading out the door to get family from the train station. I'll parse and respond when I get back
[18:50] <zeestrat> rick_h: No worries. Thanks!
[19:02] <fallenour> @bdx ok so this might be crazy, but what happens if I do this with haproxy: haproxy 0,1,2 (active-passive) >>> ha proxy 3,4,5 (active-active) >>> apache2 0,1,2
[19:02] <fallenour> thoughts?
[19:03] <fallenour> @bdx a loadbalanced roundrobin with failover of the loadbalancer at layer 1
[19:06] <bdx> fallenour: yeah, nice .... it all depends on your use case, and what the best practice for accommodating that use case is
[19:08] <bdx> fallenour: if you are proxying to a web application you are going to want a different setup than if you are using it as a network function or general routing utility
[19:08] <bdx> that goes for the software and the hardware underneath
[19:10] <bdx> fallenour: all that to say .... I'm sure there are plenty of haproxy/nginx based NFV in a box things out there
[19:16] <xarses_> is there a `juju` way to move the bootstrap metadata cluster_F from where ever you started to somewhere sane on the controller after getting it bootstrapped?
[19:28] <fallenour> is anyone else having issues getting gitlab to deploy? https://jujucharms.com/gitlab/precise/5
[19:28] <fallenour> @bdx @rick_h "no matching agent binaries available"
[19:31] <bdx> fallenour: https://jujucharms.com/u/spiculecharms/gitlab-server/8
[19:32] <bdx> fallenour: the *supported* gitlab is not supported anymore, ^ that should work for you
[19:33] <bdx> fallenour: sometimes, its helpful to click the "show community results" button in the charm store to see the other options (especially when the charm you are looking at only supports < lts ubuntu)
[19:42] <bdx> ^ supported gitlab charm* isn't supported anymore
[19:49] <rick_h> bdx: fallenour yea, precise is out of support so there's no Juju agents for precise. We should pull that series I guess but there's extended support and such.
[19:50] <bdx> rick_h: so contact the maintainers and ask them to contact the juju admins to take their charm out of the store?
[19:50] <rick_h> bdx: well, for something like that I think we'd just not show/etc the series. precise-only charms yea should probably be yanked/deprecated in some way
[19:51] <bdx> rick_h: ahh totally, like an underlying filter in the charmstore that will filter out < lts charms?
[19:53] <bdx> or put them in a deprecated category or something
[19:59] <rick_h> bdx: yea
[20:01] <rick_h> zeestrat: so yea, the peer relationship is all about them knowing about each other
[20:02] <rick_h> zeestrat: I think that's all you need
[20:04] <zeestrat> rick_h: Alright. Figured so after going through most of the other charms and interfaces. Thanks a bunch.
[20:04] <rick_h> zeestrat: np, let me know if there's something to play with. I'd love to see what you're up to :P
[20:15] <zeestrat> rick_h: Will do :) Gotta sort out this peering and some more automated testing. Speaking of testing, what's the state of matrix?
[20:16] <rick_h> zeestrat: hmm, not sure tbh. tvansteenburgh cory_fu is there any update on the latest on the testing train?
[20:23] <tvansteenburgh> no one is working on matrix at the moment
[20:28] <fallenour> @bdx @rick_h does that mean that anything trusty isnt going to work? IE : https://jujucharms.com/owncloud/trusty/4
[20:29] <rick_h> fallenour: no, precise
[20:29] <rick_h> fallenour: trusty should be ok for a little bit longer I think
[20:30] <rick_h> fallenour: yea, trusty EOL is april 2019
[20:31] <fallenour> @rick_h ok, I was just curious. Its been installing for quite some time now, and has been hung on allocating / waiting on machine (lxd machines) so Im not sure why its taking so long
[20:31] <rick_h> fallenour: ah, so if it's a new series it'll have to d/l the trusty lxd image and such
[20:31] <rick_h> fallenour: normally that's shown in status and the lxd logs I think
[21:46] <fallenour> @rick_h I cant get the bad install of owncloud to uninstall, ive tried juju remove-unit owncloud as well as juju remove-application owncloud, and it still shows up as error on 7/lxd/8 . What do I need to do to get rid of it to rebuild?
[21:48] <rick_h> fallenour: what's the issue? It's in error state? I wonder if you can remove-machine --force a container
[21:49] <fallenour> @rick_h owncloud didnt install for some reason. Hook failed install, but when I run remove-unit and remove-application to kill it and start over, it wont go away, and it says application is still installed, even though I know i removed it
[21:49] <fallenour> @rick_h @catbus @bdx is there a command to remove bundles? maybe that is my issue. I did initially install owncloud as a bundle.
[21:49] <rick_h> fallenour: try the remove-machine --force on the container id
[21:51] <fallenour> @rick_h HAZAAH!
[21:51] <fallenour> @rick_h SUCCESS!!
[21:56] <rick_h> fallenour: woot
[22:07] <el_tigro1> According to the help page, you can use 'juju register <url>' (instead of 'juju register <blob from add-user>'). I'm guessing this is to register an existing user/controller with a new client?
[22:08] <el_tigro1> When I try it out I get this error: "ERROR unable to connect to API: x509: certificate signed by unknown authority"
[22:10] <el_tigro1> Shouldn't juju be expecting an unknown certificate since the ca-cert unique to the controller?
[22:10] <el_tigro1> *is unique
[22:10] <thumper> I'm not sure about the register url sorry
[22:15] <el_tigro1> essentially I just want to register a controller with another client without having to use 'add-user'. So that I can have different clients authenticating as the same user. Does that make sense or is it a bad idea? I guess I could always do it manually by editing the config files
[22:18] <thumper> no it isn't a bad idea, and it is a deficiency in the current system
[22:18] <el_tigro1> thumper: thanks for the clear and direct answer
[22:19] <fallenour> @el_tigro1 have you tried using certutil to add it to approved CAs list?
[22:19] <el_tigro1> fallenour: I haven't
[22:19] <thumper> el_tigro1: we are actually looking at this behaviour at the moment with the plan to clean it up in the 2.4 cycle
[22:19] <fallenour> @el_tigro1 do that. once you add it to the system as an approved CA, it should fix the issue. Ive experienced similar issues before with FreeIPA
[22:20] <el_tigro1> fallenour: thanks, I'll look into it
[22:29] <fallenour> has anyone been able to get owncloud to install successfully?
[22:44] <bdx> fallenour: I gotchu, check it
[23:14] <bdx> fallenour: at a basic level, this is all it takes to create an owncloud charm https://github.com/jamesbeedy/layer-owncloud
[23:16] <bdx> fallenour: here is a working owncloud charm -> `juju deploy cs:~jamesbeedy/owncloud-1`, https://jujucharms.com/u/jamesbeedy/owncloud/1
[23:21] <bdx> `juju deploy cs:~jamesbeedy/owncloud-2`
[23:39] <bdx> fallenour: with a tidbit of polish https://jujucharms.com/u/jamesbeedy/owncloud/4