JuanJo Ciarlante jjo

# with default_log_levels=qpid=DEBUG,oslo.messaging=DEBUG,suds=DEBUG,requests.packages.urllib3.connectionpool
# at /etc/nova/nova.conf:
2015-11-17 14:05:40.980 704816 DEBUG oslo_concurrency.lockutils [-] Acquired semaphore "singleton_lock" lock /usr/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:198
2015-11-17 14:05:40.980 704816 DEBUG oslo_concurrency.lockutils [-] Releasing semaphore "singleton_lock" lock /usr/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:211
2015-11-17 14:05:40.981 704816 DEBUG oslo_concurrency.lockutils [req-a869c724-1d04-4e81-a55a-98e7148941d2 - - - - -] Acquired semaphore "singleton_lock" lock /usr/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:198
2015-11-17 14:05:40.981 704816 DEBUG oslo_concurrency.lockutils [req-a869c724-1d04-4e81-a55a-98e7148941d2 - - - - -] Releasing semaphore "singleton_lock" lock /usr/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:211
2015-11-17 14:05:40.981 704816 INFO oslo_service.service [req-a869c724-1d04-4e81-
jjo / lxc-default-with-netns
Last active March 31, 2016 14:56
apparmor profile to allow netns handling inside LXCs
# /etc/apparmor.d/lxc/lxc-default-with-netns
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-with-netns flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/lxc/container-base>
#include <abstractions/lxc/start-container>
# - onetime mount, if /run/netns was not mounted yet:
#!/usr/bin/env python
from __future__ import print_function
import sys
from cliff import app
from cliff import command
from cliff import commandmanager
from keystoneauth1.identity import v3
from keystoneauth1 import session
# https://gist.github.com/jjo/3777dda2e9933a3017094d3be1a84f6b
Deploy kubeless controller with system:serviceaccount:kubeless:kubeless-ctl
instead of system:serviceaccount:kubeless:default, to narrow the RBAC subject
for needed clusterrole perms
diff --git a/kubeless-0.0.16.yaml b/kubeless-0.0.16.yaml
index d9ce99f..c0af307 100644
--- a/kubeless-0.0.16.yaml
+++ b/kubeless-0.0.16.yaml
# https://gist.github.com/jjo/ceb4a66c4f6f3e270a667418f74d34a2
#
# kubeless-clusterrole-min.yaml
# Narrow RBAC perms to minimum needed (to avoid cluster-admin's equivalent),
#
# NOTE: to narrow the subject, kubeless controller is deployed with
# system:serviceaccount:kubeless:kubeless-ctl
# instead of
# system:serviceaccount:kubeless:default
#
$ /home/jjo/work/src/github.com/ksonnet/kubecfg/kubecfg diff --diff-strategy subset kubeless-rbac.jsonnet
---
- live ThirdPartyResource/function.k8s.io
+ config ThirdPartyResource/function.k8s.ioThirdPartyResource/function.k8s.io unchanged
---
- live ClusterRole/kubeless-controller-deployer
+ config ClusterRole/kubeless-controller-deployerClusterRole/kubeless-controller-deployer unchanged
---
- live ClusterRoleBinding/kubeless-controller-deployer
+ config ClusterRoleBinding/kubeless-controller-deployer {
$ /home/jjo/work/src/github.com/ksonnet/kubecfg/kubecfg diff --diff-strategy subset kubeless-rbac.jsonnet
---
- live ThirdPartyResource/function.k8s.io
+ config ThirdPartyResource/function.k8s.ioThirdPartyResource/function.k8s.io unchanged
---
- live ClusterRole/kubeless-controller-deployer
+ config ClusterRole/kubeless-controller-deployerClusterRole/kubeless-controller-deployer unchanged
---
- live ClusterRoleBinding/kubeless-controller-deployer
+ config ClusterRoleBinding/kubeless-controller-deployerClusterRoleBinding/kubeless-controller-deployer unchanged
~# docker ps|sed 1d|xargs -I@ sh -c 'set @;echo = $2 =; nsenter -n -t $(docker inspect -f "{{.State.Pid}}" $1) netstat -anp'
= mirantis/kubeadm-dind-cluster:v1.7 =
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.11:34377 0.0.0.0:* LISTEN 3307/dockerd
udp 0 0 10.192.0.4:53 0.0.0.0:* 25869/socat
udp 0 0 127.0.0.11:55597 0.0.0.0:* 3307/dockerd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 359006 25346/dind_init /var/run/docker.sock
jjo / docker-netstat.out
Created August 1, 2017 19:17
docker containers sockets usage, example run inside minikube -- https://twitter.com/xjjo/status/892464000235130881
# docker ps|sed '1d;s,>,_,'|xargs -I@ sh -c 'set @;echo == $2;nsenter -n -t $(docker inspect -f "{{.State.Pid}}" $1) netstat -an'
== gcr.io/google_containers/k8s-dns-kube-dns-amd64@sha256:40790881bbe9ef4ae4ff7fe8b892498eecb7fe6dcc22661402f271e03f7de344
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 172.17.0.6:52640 10.0.0.1:443 ESTABLISHED
tcp 0 0 :::10053 :::* LISTEN
tcp 0 0 :::10054 :::* LISTEN
tcp 0 0 :::10055 :::* LISTEN
tcp 0 0 :::8081 :::* LISTEN
$ kubectl get pod -oname|xargs -I@ -P0 sh -c 'kubectl logs -f @|sed "s|^|@: |"'
pods/nginx-1423793266-msmhm: 10.220.1.1 - - [11/Aug/2017:00:22:50 +0000] "GET / HTTP/1.1" 200 612 "-" "Wget" "-"
pods/nginx-1423793266-msmhm: 10.220.1.1 - - [11/Aug/2017:00:27:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.35.0" "-"
pods/nginx-1423793266-msmhm: 10.220.1.1 - - [11/Aug/2017:00:27:03 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.35.0" "-"
pods/nginx-1423793266-msmhm: 10.220.1.1 - - [11/Aug/2017:00:27:04 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.35.0" "-"
pods/nginx-1423793266-msmhm: 10.220.1.1 - - [11/Aug/2017:02:04:21 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.35.0" "-"
pods/nginx-1423793266-msmhm: 10.220.1.1 - - [11/Aug/2017:11:35:29 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.35.0" "-"
pods/nginx-1423793266-msmhm: 10.220.1.1 - - [11/Aug/2017:11:35:58 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.35.0" "-"
pods/nginx-1423793266-msmhm: 10.220.1.1 - - [11/Aug/2017:11:36:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.3