axw | hml: woot :) | 01:33 |
---|---|---|
hml | very happy! | 01:34 |
axw | wallyworld thumper: I've been through the sizings again. question mark on update-status, needs some spec to figure out what a decent approach is. other than that, I think wallyworld's numbers are fine, but I bumped a few up | 03:20 |
thumper | axw: thanks | 03:21 |
wallyworld | +1 | 03:21 |
anastasiamac | axw: fwiw, we had put some details in our sizing with jam... did u see these? | 03:29 |
axw | anastasiamac: yes, thanks | 03:29 |
anastasiamac | \o/ | 03:29 |
babbageclunk | wallyworld: ping? | 04:00 |
wallyworld | hey | 04:05 |
wallyworld | babbageclunk: pong | 04:06 |
babbageclunk | doh, didn't get a notification for some reason | 04:13 |
wallyworld | that happens to me too | 04:13 |
babbageclunk | wallyworld: sorry ^. I'm having to hack no-neutron support into the test doubles in goose. | 04:13 |
babbageclunk | wallyworld: is this worthwhile? | 04:13 |
wallyworld | hmmm. there's no easier way? | 04:14 |
babbageclunk | wallyworld: thought I'd check before I got too far down the rabbit hole. | 04:14 |
wallyworld | we can't use a monkey patch to simulate lack of neutron? | 04:15 |
babbageclunk | Hmm. Maybe by registering a control point for authorisation to chop it out? | 04:15 |
babbageclunk | I'll try that | 04:15 |
babbageclunk | hang on | 04:16 |
wallyworld | yeah that | 04:16 |
wallyworld | or return an error that triggers the switch to nova in juju | 04:17 |
wallyworld | via the control point mechanism | 04:17 |
wallyworld | jam: hey, i'd like to land that network-get PR. are you able to +1? | 04:41 |
jam | wallyworld: so the *big* point is that I don't think creating a "public" space is really going to do what you think it will in 2.3 | 04:46 |
jam | now, whether its still the best compromise that we can think of. I was hoping wpk would give it a look, but it seems he was overloaded with other things yesterday. | 04:47 |
jam | I'll check in again with him in about 10 min | 04:47 |
jam | I'll give the code a look as well. | 04:47 |
wallyworld | ok. i'm not sure why you think creating a space containing subnets from which a public address may be selected won't work. bear in mind though that is optional - just don't bind to anything if you want juju to choose a public address if one is available | 04:48 |
wallyworld | you bind the endpoint to a space if you *don't* want a public address to be used | 04:48 |
wallyworld | so the user has control of how their offer is consumed | 04:49 |
jam | wallyworld: if you don't bind at all, then you can't select a subnet | 04:49 |
jam | You might have carved several subnets that don't have public access because you want them to be for your database | 04:49 |
jam | so you need other subnets that *do* have public access, and thus you want to *select* them so you don't accidentally provision in the ones that don't have public | 04:50 |
jam | that doesn't mean your patch can't land, but it is a discrepancy between what we want to have and what we currently have | 04:53 |
axw | wallyworld: FYI, I'm looking at https://bugs.launchpad.net/juju/+bug/1724673 | 05:39 |
mup | Bug #1724673: unable to destroy-model with offer in it <cross-model> <juju:In Progress by axwalk> <https://launchpad.net/bugs/1724673> | 05:39 |
wallyworld | jam: if you don't bind, juju will try and select the machine public address to set as the ingress address. if you want to control what address juju uses, bind to a space | 05:40 |
wallyworld | i.e. you need to decide as an offerer if you want your offer to be public or not | 05:40 |
wallyworld | axw: awesome, thanks for picking up that bug | 05:43 |
jam | wallyworld: my point is, if I have created 2 subnets on AWS, one that has public internet and one that doesn't. if I don't bind *at all* then Juju randomly selects which subnet it will use | 05:45 |
jam | and *might* pick the one that has a public address, so that I can create a public offer | 05:45 |
jam | or might not | 05:45 |
wallyworld | jam: no it won't it will use the public address | 05:46 |
jam | wallyworld: if you deploy to subnet-b *it has no public address* | 05:46 |
wallyworld | it calls machine.PublicAddress() | 05:46 |
jam | wallyworld: AWS Subnets can have a "create public address" flag | 05:46 |
wallyworld | right but using spaces and hence subnets is your choice | 05:46 |
jam | wallyworld: so if you can't bind, then you can't say "Make sure to use these subnets that have public addresses" | 05:46 |
wallyworld | i'm missing something it seems - i thought in aws, gce etc - all machines got a public address | 05:47 |
wallyworld | and m.PublicAddress() would return that | 05:47 |
wallyworld | and that's what we use in the absence of a binding | 05:47 |
jam | wallyworld: see above. There is a flag on a subnet that says "should machines in this subnet get a public address" | 05:48 |
jam | you can set that to false | 05:48 |
jam | which is what you *want* for your Database | 05:48 |
jam | because PCI says that database machines can't have public ingress | 05:48 |
wallyworld | not if you are offering it for public consumption | 05:48 |
jam | wallyworld: and yes, I don't want to make my db public | 05:48 |
jam | but I want my website public | 05:48 |
jam | and I can't have it use the database subnet | 05:48 |
jam | so I want to select the subnet that has public addresses associated with it | 05:49 |
wallyworld | so you can do that just fine | 05:49 |
jam | wallyworld: how do I tell it not to use the database subnet without binding? | 05:49 |
wallyworld | bind the website endpoint to a space with public addresses and the website db endpoint to a different space | 05:49 |
wallyworld | or just bind the db endpoint | 05:50 |
jam | wallyworld: you just said that if I bind it to the space that includes the subnet that has public addresses it will get the locally bound subnet address | 05:50 |
jam | I have the interview in 10, so I have to go prep, but I'll chat with you about this after | 05:50 |
wallyworld | ok, sounds good, i think we are at cross purposes | 05:50 |
jam | wpk was oversleeping, so I'll try to get his attention later as well | 05:50 |
wallyworld | ok | 05:50 |
=== frankban|afk is now known as frankban | ||
wallyworld | axw: i think ChangeIngressRules() in sshInstanceConfigurator is wrong? the param should be -A and not -I ? | 07:21 |
wallyworld | when i try with -I it fails, but -A works fine | 07:21 |
wpk | you mean iptables -I fails? | 07:32 |
axw | wallyworld: sorry gotta take charlotte to ballet, I can take a look when I get back. that thing is an abomination | 07:38 |
wallyworld | wpk: yeah, but -A works, eg sudo iptables -d 192.168.1.1 -A INPUT -p icmp --icmp-type 8 -j ACCEPT | 07:47 |
wallyworld | that works but -I doesn't | 07:47 |
wpk | whaaa? | 07:48 |
wpk | works for me | 07:48 |
wallyworld | hmmm | 07:48 |
wpk | how it fails? | 07:48 |
wallyworld | i sshed into an aws instance and confirmed there also | 07:48 |
wallyworld | wpk: wtf, i just tried it again and it worked | 07:49 |
wallyworld | last time i got an error message about chained rules or something | 07:50 |
wallyworld | nfi | 07:50 |
wpk | wallyworld: It got scared that I'll start to debug it. It's called respect. | 07:51 |
wallyworld | lol | 07:51 |
wallyworld | wpk: if you had time for a smallish review at some stage, https://github.com/juju/juju/pull/7969 | 09:50 |
wpk | I'd call it icmp-ping | 09:54 |
wallyworld | the sec group calls it just icmp | 09:55 |
wallyworld | a single word is better IMO | 09:55 |
wallyworld | it's also icmp in iptables | 09:55 |
wallyworld | easier to type udp or tcp or icmp | 09:55 |
wpk | it's icmp type 8 | 09:56 |
wpk | (in iptables) | 09:56 |
wallyworld | ACCEPT icmp -- 0.0.0.0/0 10.0.0.1 icmptype 8 | 09:57 |
wallyworld | the prot column is icmp | 09:57 |
wpk | but there's icmptype 8 | 09:57 |
wallyworld | but that's not in the prot column | 09:58 |
wpk | you're not accepting any icmp, just type 8 (echo) | 09:58 |
wallyworld | the type is not specified in the sec group is it? | 09:58 |
wallyworld | that example was just for iptables, when you open an ip rule in a sec group you just say icmp | 09:59 |
wallyworld | the iptables list has these headers: target prot opt source destination | 10:00 |
wallyworld | the prot values are "icmp" or "tcp" or "udp" | 10:00 |
wallyworld | and that's what we specify for IpPerm in aws for example also | 10:01 |
wallyworld | we don't specify the sub type | 10:01 |
wpk | But just like you're opening a port in tcp/udp here you're saying you're opening "icmp" and only opening one type of it (echo). I'm being pesky, I know.... | 10:02 |
wpk | but LGTM | 10:02 |
wpk | (just there might be someone who'll say that he wanted to open ICMP and only got pings :) | 10:03 |
wallyworld | wpk: but we don't specify that we're just opening one type for clouds. the only place we do that is that stupid configurator. i guess i could remove the type from there | 10:05 |
wpk | I wonder how it works on AWS. Anyway, as above - LGTM as is. | 10:05 |
wallyworld | ok, ty | 10:06 |
babbageclunk | jam: could you take another look at https://github.com/juju/juju/pull/7962 plz? | 10:12 |
axw | wallyworld: my PR has a bug in it, but highlighted an issue with the relation counting in applicationOffers.Remove. it's possible for a relation to a non-remote application to be removed, and replaced with one to a remote application, and the offer would still be removed | 10:24 |
axw | would/could | 10:24 |
wallyworld | oh oops | 10:25 |
axw | wallyworld: I've just pushed, see state/applicationoffers.go for my TODO(axw) | 10:25 |
axw | I'll take a look at fixing that tomorrow | 10:26 |
wallyworld | ty, luckily we shouldn't have people hitting this yet | 10:27 |
wallyworld | jam: not sure if you saw my last comment on the pr. if we can accept the current behaviour, i'd like to land it tonight so it makes beta2 | 10:28 |
wallyworld | without the pr, things are sub optimal in a different way - i believe the pr makes things better for more cases we care about | 10:28 |
wallyworld | you either want your db publicly available as an offer or you don't - we support that scenario fine | 10:29 |
wpk | damn, I hate fixing tests in state/.. | 10:30 |
wallyworld | don't we all :-) | 10:31 |
jam | so who wants to be a review buddy for mgopurge: https://github.com/juju/mgopurge/pull/22/files | 12:51 |
jam | that one is fairly straightforward, at least | 12:51 |
wallyworld | jam: lgtm | 12:52 |
wallyworld | jam: did you get to ask for a 2nd opinion on the network-get PR? | 12:53 |
wallyworld | running out of time to land for beta2 | 12:54 |
jam | I did, though it seems he hasn't gotten to that, ran into other bugs. | 12:54 |
wpk | wallyworld: LGTM for now | 12:54 |
wallyworld | ty, we can iterate | 12:54 |
wallyworld | i do believe it's a step forward | 12:54 |
wallyworld | not perfect yet | 12:55 |
wallyworld | i did get the nagios stuff all working today though | 12:55 |
jam | wallyworld: is it possible to check if there is a public address corresponding to a given space, rather than just whether there is a binding, or we just don't have that information | 12:57 |
jam | we probably don't track a link anyway | 12:57 |
jam | anywhere | 12:57 |
wallyworld | jam: yeah, we don't model that IIANM | 12:58 |
jam | I, Ian, Man ? :) | 13:00 |
wpk | jam: Someone recently used 'OIC', I had to look it up in Acronym Finder. The first answer does not seem to be correct... | 13:01 |
jam | O I C, yeah | 13:04 |
wallyworld | If I Am Not Mistaken | 13:05 |
wallyworld | :-) | 13:05 |
jam | wallyworld: yeah, I figured it out, I just figured I'd play with it. | 13:05 |
jam | its not one I use regularly | 13:05 |
jam | IIRC is usually what I use there | 13:05 |
wallyworld | wpk: so you ok for me to merge? | 13:09 |
jam | looking over it now, myself | 13:13 |
wallyworld | ok, ta | 13:16 |
jam | wallyworld: I had one comment on it, where you took out a fallback to unit.PrivateAddress() if len(NetworkInfo) == 0 | 13:16 |
jam | wallyworld: aside from the fallback issue, I think lgtm | 13:19 |
wallyworld | jam: ty, i'm rereading the code, but it was intentional as it wasn't needed in that place anymore | 13:20 |
jam | k | 13:24 |
wallyworld | jam: we now rely on the behaviour in GetNetworkInfoForSpaces() to "Do The Right Thing" with regard to populating the bind addresses. | 13:24 |
wallyworld | the ingress address still falls back to using private address for the default space if it's cross model | 13:25 |
wallyworld | and if not, we select the first bind address | 13:25 |
jam | babbageclunk: reviewed | 13:32 |
=== frankban is now known as frankban|afk | ||
wallyworld | externalreality_: i have 10 mins now if you want to chat | 22:31 |