On Fri, 06 Mar 2015 16:02:39 +0100
Miroslav Suchý <msuchy(a)redhat.com> wrote:
All services are using SSL but novncproxy, which does not work for
me and according to some random notes on the internet does not work over SSL
due to some bugs. But novncproxy does not work for me even over plain
http. And I do not know why. If somebody else can check it, it would
be great. Strange thing is that
telnet fed-cloud09.cloud.fedoraproject.org 6080
from my workstation is rejected, while on fed-cloud09 it passes. And
iptables allows port 6080. Strange.
I got this all fixed up and updated ansible.
Basically three issues:
1. novncproxy was listening only on the internal ip, so it wasn't
answering for external people using the web browser.
2. It was not able to talk to vnc on the compute nodes due to firewall.
3. It was not using https links in nova config and in novncproxy
sysconfig.
All that's set and I can see console in the web dash again just fine for
any of the instances I tried, and they are all https using only.
I tried to automatize adding of SSH keys using this:
I wonder if we shouldn't have something to update/upload everyone's ssh
keys. Might be handy but of course it's not a blocker/that important.
We could even look at just tying into our existing fedmsg listener
(when someone with a cloud account changes ssh key, update the cloud).
Anyway, I am able (again) to start VM and log to those VM.
Me too. I uploaded the F22 Alpha cloud image and it worked fine.
(aside cloud-init taking about 35 seconds to run. It seemed to be
timing out on some metadata ?)
We should look at hooking our cloud image upload service into this soon
so we can get images as soon as they are done.
My plan for next week is to migrate dev instance to new OpenStack
(before it will be re-provisioned) and see what needs to be changed.
Sounds good!
I think:
* We will of course need to change the variables it uses to point to
the new cloud (credentials, ips, etc).
* We will need to adapt to not giving every instance a floating ip. For
copr, I think this would be fine, as you don't care that they have
external ips they only need to talk to the backend right?
* Might be a good time to look at moving copr to f21? and builders also
to be f21? (they should come up faster and in general be better than
the el6 ones currently used, IMHO)
* Can we adjust the default tenant quotas in the playbooks? They seem a
bit low to me given the amount of resources we have.
* Right now ansible on lockbox01 is using euca2ools to manage cloud
instances, perhaps we could/should just move to nova now? Or this
could perhaps wait for us to move lockbox01 to rhel7.
Anyhow, I think we are making real progress now, let's keep it going!
kevin