[01:33] <axw> hml: woot :)
[01:34] <hml> very happy!
[03:20] <axw> wallyworld thumper: I've been through the sizings again. question mark on update-status, needs some spec to figure out what a decent approach is. other than that, I think wallyworld's numbers are fine, but I bumped a few up
[03:21] <thumper> axw: thanks
[03:21] <wallyworld> +1
[03:29] <anastasiamac> axw: fwiw, we had put some details in our sizing with jam... did u see these?
[03:29] <axw> anastasiamac: yes, thanks
[03:29] <anastasiamac> \o/
[04:00] <babbageclunk> wallyworld: ping?
[04:05] <wallyworld> hey
[04:06] <wallyworld> babbageclunk: pong
[04:13] <babbageclunk> doh, didn't get a notification for some reason
[04:13] <wallyworld> that happens to me too
[04:13] <babbageclunk> wallyworld: sorry ^. I'm having to hack no-neutron support into the test doubles in goose.
[04:13] <babbageclunk> wallyworld: is this worthwhile?
[04:14] <wallyworld> hmmm. there's no easier way?
[04:14] <babbageclunk> wallyworld: thought I'd check before I got too far down the rabbit hole.
[04:15] <wallyworld> we can't use a monkey patch to simulate lack of neutron?
[04:15] <babbageclunk> Hmm. Maybe by registering a control point for authorisation to chop it out?
[04:15] <babbageclunk> I'll try that
[04:16] <babbageclunk> hang on
[04:16] <wallyworld> yeah that
[04:17] <wallyworld> or return an error that triggers the switch to nova in juju
[04:17] <wallyworld> via the control point mechanism
[04:41] <wallyworld> jam: hey, i'd like to land that network-get PR. are you able to +1?
[04:46] <jam> wallyworld: so the *big* point is that I don't think creating a "public" space is really going to do what you think it will in 2.3
[04:47] <jam> now, whether it's still the best compromise that we can think of. I was hoping wpk would give it a look, but it seems he was overloaded with other things yesterday.
[04:47] <jam> I'll check in again with him in about 10 min
[04:47] <jam> I'll give the code a look as well.
[04:48] <wallyworld> ok. i'm not sure why you think creating a space containing subnets from which a public address may be selected won't work. bear in mind though that is optional - just don't bind to anything if you want juju to choose a public address if one is available
[04:48] <wallyworld> you bind the endpoint to a space if you *don't* want a public address to be used
[04:49] <wallyworld> so the user has control of how their offer is consumed
[04:49] <jam> wallyworld: if you don't bind at all, then you can't select a subnet
[04:49] <jam> You might have carved several subnets that don't have public access because you want them to be for your database
[04:50] <jam> so you need other subnets that *do* have public access, and thus you want to *select* them so you don't accidentally provision in the ones that don't have public
[04:53] <jam> that doesn't mean your patch can't land, but it is a discrepancy between what we want to have and what we currently have
[05:39] <axw> wallyworld: FYI, I'm looking at https://bugs.launchpad.net/juju/+bug/1724673
[05:39] <mup> Bug #1724673: unable to destroy-model with offer in it <cross-model> <juju:In Progress by axwalk> <https://launchpad.net/bugs/1724673>
[05:40] <wallyworld> jam: if you don't bind, juju will try and select the machine public address to set as the ingress address. if you want to control what address juju uses, bind to a space
[05:40] <wallyworld> ie you need to decide as an offerer if you want your offer to be public or not
[05:43] <wallyworld> axw: awesome, thanks for picking up that bug
[05:45] <jam> wallyworld: my point is, if I have created 2 subnets on AWS, one that has public internet and one that doesn't. if I don't bind *at all* then Juju randomly selects which subnet it will use
[05:45] <jam> and *might* pick the one that has a public address, so that I can create a public offer
[05:45] <jam> or might not
[05:46] <wallyworld> jam: no it won't it will use the public address
[05:46] <jam> wallyworld: if you deploy to subnet-b *it has no public address*
[05:46] <wallyworld> it calls machine.PublicAddress()
[05:46] <jam> wallyworld: AWS Subnets can have a "create public address" flag
[05:46] <wallyworld> right but using spaces and hence subnets is your choice
[05:46] <jam> wallyworld: so if you can't bind, then you can't say "Make sure to use these subnets that have public addresses"
[05:47] <wallyworld> i'm missing something it seems - i thought in aws, gce etc - all machines got a public address
[05:47] <wallyworld> and m.PublicAddress() would return that
[05:47] <wallyworld> and that's what we use in the absence of a binding
[05:48] <jam> wallyworld: see above. There is a flag on a subnet that says "should machines in this subnet get a public address"
[05:48] <jam> you can set that to false
[05:48] <jam> which is what you *want* for your Database
[05:48] <jam> because PCI says that database machines can't have public ingress
[05:48] <wallyworld> not if you are offering it for public consumption
[05:48] <jam> wallyworld: and yes, I don't want to make my db public
[05:48] <jam> but I want my website public
[05:48] <jam> and I can't have it use the database subnet
[05:49] <jam> so I want to select the subnet that has public addresses associated with it
[05:49] <wallyworld> so you can do that just fine
[05:49] <jam> wallyworld: how do I tell it not to use the database subnet without binding?
[05:49] <wallyworld> bind the website endpoint to a space with public addresses and the website db endpoint to a different space
[05:50] <wallyworld> or just bind the db endpoint
[05:50] <jam> wallyworld: you just said that if I bind it to the space that includes the subnet that has public addresses it will get the locally bound subnet address
[05:50] <jam> I have the interview in 10, so I have to go prep, but I'll chat with you about this after
[05:50] <wallyworld> ok, sounds good, i think we are at cross purposes
[05:50] <jam> wpk was oversleeping, so I'll try to get his attention later as well
[05:50] <wallyworld> ok
[07:21] <wallyworld> axw: i think ChangeIngressRules() in sshInstanceConfigurator is wrong? the param should be -A and not -I ?
[07:21] <wallyworld> when i try with -I it fails, but -A works fine
[07:32] <wpk> you mean iptables -I fails?
[07:38] <axw> wallyworld: sorry gotta take charlotte to ballet, I can take a look when I get back. that thing is an abomination
[07:47] <wallyworld> wpk: yeah, but -A works, eg sudo iptables -d 192.168.1.1 -A INPUT -p icmp --icmp-type 8 -j ACCEPT
[07:47] <wallyworld> that works but -I doesn't
[07:48] <wpk> whaaa?
[07:48] <wpk> works for me
[07:48] <wallyworld> hmmm
[07:48] <wpk> how it fails?
[07:48] <wallyworld> i sshed into an aws instance and confirmed there also
[07:49] <wallyworld> wpk: wtf, i just tried it again and it worked
[07:50] <wallyworld> last time i got an error message about chained rules or something
[07:50] <wallyworld> nfi
[07:51] <wpk> wallyworld: It got scared that I'll start to debug it. It's called respect.
[07:51] <wallyworld> lol
[09:50] <wallyworld> wpk: if you had time for a smallish review at some stage, https://github.com/juju/juju/pull/7969
[09:54] <wpk> I'd call it icmp-ping
[09:55] <wallyworld> the sec group calls it just icmp
[09:55] <wallyworld> a single word is better IMO
[09:55] <wallyworld> it's also icmp in iptables
[09:55] <wallyworld> easier to type udp or tcp or icmp
[09:56] <wpk> it's icmp type 8
[09:56] <wpk> (in iptables)
[09:57] <wallyworld> ACCEPT     icmp --  0.0.0.0/0            10.0.0.1     icmptype 8
[09:57] <wallyworld> the prot column is icmp
[09:57] <wpk> but there's icmptype 8
[09:58] <wallyworld> but that's not in the prot column
[09:58] <wpk> you're not accepting any icmp, just type 8 (echo)
[09:58] <wallyworld> the type is not specified in the sec group is it?
[09:59] <wallyworld> that example was just for iptables, when you open an ip rule in a sec group you just say icmp
[10:00] <wallyworld> the iptables list has these headers: target     prot opt source               destination
[10:00] <wallyworld> the prot values are "icmp" or "tcp" or "udp"
[10:01] <wallyworld> and that's what we specify for IpPerm in aws for example also
[10:01] <wallyworld> we don't specify the sub type
[10:02] <wpk> But just like you're opening a port in tcp/udp here you're saying you're opening "icmp" and only opening one type of it(echo). I'm being pesky, I know....
[10:02] <wpk> but LGTM
[10:03] <wpk> (just there might be someone who'll say that he wanted to open ICMP and only got pings :)
[10:05] <wallyworld> wpk: but we don't specify that we're just opening one type for clouds. the only place we do that is that stupid configurator. i guess i could remove the type from there
[10:05] <wpk> I wonder how it works on AWS. Anyway, as above - LGTM as is.
[10:06] <wallyworld> ok, ty
[10:12] <babbageclunk> jam: could you take another look at https://github.com/juju/juju/pull/7962 plz?
[10:24] <axw> wallyworld: my PR has a bug in it, but highlighted an issue with the relation counting in applicationOffers.Remove. it's possible for a relation to a non-remote application to be removed, and replaced with one to a remote application, and the offer would still be removed
[10:24] <axw> would/could
[10:25] <wallyworld> oh oops
[10:25] <axw> wallyworld: I've just pushed, see state/applicationoffers.go for my TODO(axw)
[10:26] <axw> I'll take a look at fixing that tomorrow
[10:27] <wallyworld> ty, luckily we shouldn't have people hitting this yet
[10:28] <wallyworld> jam: not sure if you saw my last comment on the pr. if we can accept the current behaviour, i'd like to land it tonight so it makes beta2
[10:28] <wallyworld> without the pr, things are sub optimal in a different way - i believe the pr makes things better for more cases we care about
[10:29] <wallyworld> you either want your db publicly available as an offer or you don't - we support that scenario fine
[10:30] <wpk> damn, I hate fixing tests in state/..
[10:31] <wallyworld> don't we all :-)
[12:51] <jam> so who wants to be a review buddy for mgopurge: https://github.com/juju/mgopurge/pull/22/files
[12:51] <jam> that one is fairly straightforward, at least
[12:52] <wallyworld> jam: lgtm
[12:53] <wallyworld> jam: did you get to ask for a 2nd opinion on the network-get PR?
[12:54] <wallyworld> running out of time to land for beta2
[12:54] <jam> I did, though it seems he hasn't gotten to that, ran into other bugs.
[12:54] <wpk> wallyworld: LGTM for now
[12:54] <wallyworld> ty, we can iterate
[12:54] <wallyworld> i do believe it's a step forward
[12:55] <wallyworld> not perfect yet
[12:55] <wallyworld> i did get the nagios stuff all working today though
[12:57] <jam> wallyworld: is it possible to check if there is a public address corresponding to a given space, rather than just whether there is a binding, or we just don't have that information
[12:57] <jam> we probably don't track a link anyway
[12:57] <jam> anywhere
[12:58] <wallyworld> jam: yeah, we don't model that IIANM
[13:00] <jam> I, Ian, Man ? :)
[13:01] <wpk> jam: Someone recently used 'OIC', I had to look it up in Acronym Finder. The first answer does not seem to be correct...
[13:04] <jam> O I C, yeah
[13:05] <wallyworld> If I Am Not Mistaken
[13:05] <wallyworld> :-)
[13:05] <jam> wallyworld: yeah, I figured it out, I just figured I'd play with it.
[13:05] <jam> it's not one I use regularly
[13:05] <jam> IIRC is usually what I use there
[13:09] <wallyworld> wpk: so you ok for me to merge?
[13:13] <jam> looking over it now, myself
[13:16] <wallyworld> ok, ta
[13:16] <jam> wallyworld: I had one comment on it, where you took out a fallback to unit.PrivateAddress() if len(NetworkInfo) == 0
[13:19] <jam> wallyworld: aside from the fallback issue, I think lgtm
[13:20] <wallyworld> jam: ty, i'm rereading the code, but it was intentional as it wasn't needed in that place anymore
[13:24] <jam> k
[13:24] <wallyworld> jam: we now rely on the behaviour in GetNetworkInfoForSpaces() to "Do The Right Thing" with regard to populating the bind addresses.
[13:25] <wallyworld> the ingress address still falls back to using private address for the default space if it's cross model
[13:25] <wallyworld> and if not, we select the first bind address
[13:32] <jam> babbageclunk: reviewed
[22:31] <wallyworld> externalreality_: i have 10 mins now if you want to chat