[01:33] hml: woot :)
[01:34] very happy!
[03:20] wallyworld thumper: I've been through the sizings again. question mark on update-status, needs some spec to figure out what a decent approach is. other than that, I think wallyworld's numbers are fine, but I bumped a few up
[03:21] axw: thanks
[03:21] +1
[03:29] axw: fwiw, we had put some details in our sizing with jam... did u see these?
[03:29] anastasiamac: yes, thanks
[03:29] \o/
[04:00] wallyworld: ping?
[04:05] hey
[04:06] babbageclunk: pong
[04:13] doh, didn't get a notification for some reason
[04:13] that happens to me too
[04:13] wallyworld: sorry ^. I'm having to hack no-neutron support into the test doubles in goose.
[04:13] wallyworld: is this worthwhile?
[04:14] hmmm. there's no easier way?
[04:14] wallyworld: thought I'd check before I got too far down the rabbit hole.
[04:15] we can't use a monkey patch to simulate lack of neutron?
[04:15] Hmm. Maybe by registering a control point for authorisation to chop it out?
[04:15] I'll try that
[04:16] hang on
[04:16] yeah that
[04:17] or return an error that triggers the switch to nova in juju
[04:17] via the control point mechanism
[04:41] jam: hey, i'd like to land that network-get PR. are you able to +1?
[04:46] wallyworld: so the *big* point is that I don't think creating a "public" space is really going to do what you think it will in 2.3
[04:47] now, whether it's still the best compromise that we can think of. I was hoping wpk would give it a look, but it seems he was overloaded with other things yesterday.
[04:47] I'll check in again with him in about 10 min
[04:47] I'll give the code a look as well.
[04:48] ok. i'm not sure why you think creating a space containing subnets from which a public address may be selected won't work. bear in mind though that is optional - just don't bind to anything if you want juju to choose a public address if one is available
[04:48] you bind the endpoint to a space if you *don't* want a public address to be used
[04:49] so the user has control of how their offer is consumed
[04:49] wallyworld: if you don't bind at all, then you can't select a subnet
[04:49] You might have carved several subnets that don't have public access because you want them to be for your database
[04:50] so you need other subnets that *do* have public access, and thus you want to *select* them so you don't accidentally provision in the ones that don't have public
[04:53] that doesn't mean your patch can't land, but it is a discrepancy between what we want to have and what we currently have
[05:39] wallyworld: FYI, I'm looking at https://bugs.launchpad.net/juju/+bug/1724673
[05:39] Bug #1724673: unable to destroy-model with offer in it
[05:40] jam: if you don't bind, juju will try and select the machine public address to set as the ingress address. if you want to control what address juju uses, bind to a space
[05:40] ie you need to decide as an offerer if you want your offer to be public or not
[05:43] axw: awesome, thanks for picking up that bug
[05:45] wallyworld: my point is, if I have created 2 subnets on AWS, one that has public internet and one that doesn't. if I don't bind *at all* then Juju randomly selects which subnet it will use
[05:45] and *might* pick the one that has a public address, so that I can create a public offer
[05:45] or might not
[05:46] jam: no it won't, it will use the public address
[05:46] wallyworld: if you deploy to subnet-b *it has no public address*
[05:46] it calls machine.PublicAddress()
[05:46] wallyworld: AWS Subnets can have a "create public address" flag
[05:46] right but using spaces and hence subnets is your choice
[05:46] wallyworld: so if you can't bind, then you can't say "Make sure to use these subnets that have public addresses"
[05:47] i'm missing something it seems - i thought in aws, gce etc - all machines got a public address
[05:47] and m.PublicAddress() would return that
[05:47] and that's what we use in the absence of a binding
[05:48] wallyworld: see above. There is a flag on a subnet that says "should machines in this subnet get a public address"
[05:48] you can set that to false
[05:48] which is what you *want* for your Database
[05:48] because PCI says that database machines can't have public ingress
[05:48] not if you are offering it for public consumption
[05:48] wallyworld: and yes, I don't want to make my db public
[05:48] but I want my website public
[05:48] and I can't have it use the database subnet
[05:49] so I want to select the subnet that has public addresses associated with it
[05:49] so you can do that just fine
[05:49] wallyworld: how do I tell it not to use the database subnet without binding?
[05:49] bind the website endpoint to a space with public addresses and the website db endpoint to a different space
[05:50] or just bind the db endpoint
[05:50] wallyworld: you just said that if I bind it to the space that includes the subnet that has public addresses it will get the locally bound subnet address
[05:50] I have the interview in 10, so I have to go prep, but I'll chat with you about this after
[05:50] ok, sounds good, i think we are at cross purposes
[05:50] wpk was oversleeping, so I'll try to get his attention later as well
[05:50] ok
=== frankban|afk is now known as frankban
[07:21] axw: i think ChangeIngressRules() in sshInstanceConfigurator is wrong? the param should be -A and not -I ?
[07:21] when i try with -I it fails, but -A works fine
[07:32] you mean iptables -I fails?
[07:38] wallyworld: sorry gotta take charlotte to ballet, I can take a look when I get back. that thing is an abomination
[07:47] wpk: yeah, but -A works, eg sudo iptables -d 192.168.1.1 -A INPUT -p icmp --icmp-type 8 -j ACCEPT
[07:47] that works but -I doesn't
[07:48] whaaa?
[07:48] works for me
[07:48] hmmm
[07:48] how does it fail?
[07:48] i sshed into an aws instance and confirmed there also
[07:49] wpk: wtf, i just tried it again and it worked
[07:50] last time i got an error message about chained rules or something
[07:50] nfi
[07:51] wallyworld: It got scared that I'll start to debug it. It's called respect.
[07:51] lol
[09:50] wpk: if you had time for a smallish review at some stage, https://github.com/juju/juju/pull/7969
[09:54] I'd call it icmp-ping
[09:55] the sec group calls it just icmp
[09:55] a single word is better IMO
[09:55] it's also icmp in iptables
[09:55] easier to type udp or tcp or icmp
[09:56] it's icmp type 8
[09:56] (in iptables)
[09:57] ACCEPT icmp -- 0.0.0.0/0 10.0.0.1 icmptype 8
[09:57] the prot column is icmp
[09:57] but there's icmptype 8
[09:58] but that's not in the prot column
[09:58] you're not accepting any icmp, just type 8 (echo)
[09:58] the type is not specified in the sec group is it?
[09:59] that example was just for iptables, when you open an ip rule in a sec group you just say icmp
[10:00] the iptables list has these headers: target prot opt source destination
[10:00] the prot values are "icmp" or "tcp" or "udp"
[10:01] and that's what we specify for IpPerm in aws for example also
[10:01] we don't specify the sub type
[10:02] But just like you're opening a port in tcp/udp here you're saying you're opening "icmp" and only opening one type of it (echo). I'm being pesky, I know....
[10:02] but LGTM
[10:03] (just there might be someone who'll say that he wanted to open ICMP and only got pings :)
[10:05] wpk: but we don't specify that we're just opening one type for clouds. the only place we do that is that stupid configurator. i guess i could remove the type from there
[10:05] I wonder how it works on AWS. Anyway, as above - LGTM as is.
[10:06] ok, ty
[10:12] jam: could you take another look at https://github.com/juju/juju/pull/7962 plz?
[10:24] wallyworld: my PR has a bug in it, but highlighted an issue with the relation counting in applicationOffers.Remove. it's possible for a relation to a non-remote application to be removed, and replaced with one to a remote application, and the offer would still be removed
[10:24] would/could
[10:25] oh oops
[10:25] wallyworld: I've just pushed, see state/applicationoffers.go for my TODO(axw)
[10:26] I'll take a look at fixing that tomorrow
[10:27] ty, luckily we shouldn't have people hitting this yet
[10:28] jam: not sure if you saw my last comment on the pr. if we can accept the current behaviour, i'd like to land it tonight so it makes beta2
[10:28] without the pr, things are sub optimal in a different way - i believe the pr makes things better for more cases we care about
[10:29] you either want your db publicly available as an offer or you don't - we support that scenario fine
[10:30] damn, I hate fixing tests in state/..
[10:31] don't we all :-)
[12:51] so who wants to be a review buddy for mgopurge: https://github.com/juju/mgopurge/pull/22/files
[12:51] that one is fairly straightforward, at least
[12:52] jam: lgtm
[12:53] jam: did you get to ask for a 2nd opinion on the network-get PR?
[12:54] running out of time to land for beta2
[12:54] I did, though it seems he hasn't gotten to that, ran into other bugs.
[12:54] wallyworld: LGTM for now
[12:54] ty, we can iterate
[12:54] i do believe it's a step forward
[12:55] not perfect yet
[12:55] i did get the nagios stuff all working today though
[12:57] wallyworld: is it possible to check if there is a public address corresponding to a given space, rather than just whether there is a binding, or we just don't have that information
[12:57] we probably don't track a link anyway
[12:57] anywhere
[12:58] jam: yeah, we don't model that IIANM
[13:00] I, Ian, Man ? :)
[13:01] jam: Someone recently used 'OIC', I had to look it up in Acronym Finder. The first answer does not seem to be correct...
[13:04] O I C, yeah
[13:05] If I Am Not Mistaken
[13:05] :-)
[13:05] wallyworld: yeah, I figured it out, I just figured I'd play with it.
[13:05] it's not one I use regularly
[13:05] IIRC is usually what I use there
[13:09] wpk: so you ok for me to merge?
[13:13] looking over it now, myself
[13:16] ok, ta
[13:16] wallyworld: I had one comment on it, where you took out a fallback to unit.PrivateAddress() if len(NetworkInfo) == 0
[13:19] wallyworld: aside from the fallback issue, I think lgtm
[13:20] jam: ty, i'm rereading the code, but it was intentional as it wasn't needed in that place anymore
[13:24] k
[13:24] jam: we now rely on the behaviour in GetNetworkInfoForSpaces() to "Do The Right Thing" with regard to populating the bind addresses.
[13:25] the ingress address still falls back to using private address for the default space if it's cross model
[13:25] and if not, we select the first bind address
[13:32] babbageclunk: reviewed
=== frankban is now known as frankban|afk
[22:31] externalreality_: i have 10 mins now if you want to chat