Friday, 2019-03-22

*** irclogbot_3 has joined #openstack-kuryr 00:17
*** celebdor has quit IRC 00:36
*** hongbin has joined #openstack-kuryr 02:22
*** hongbin has quit IRC 04:12
*** spsurya has quit IRC 04:31
*** lxkong has quit IRC 04:32
*** spsurya has joined #openstack-kuryr 04:34
*** lxkong has joined #openstack-kuryr 04:34
*** janki has joined #openstack-kuryr 05:04
*** dims has quit IRC 06:39
*** dims has joined #openstack-kuryr 06:41
*** pcaruana has joined #openstack-kuryr 07:27
<openstackgerrit> Danil Golov proposed openstack/kuryr-kubernetes master: Annotate nodes with pci info for direct ports  https://review.openstack.org/642703 07:41
<openstackgerrit> Danil Golov proposed openstack/kuryr-kubernetes master: Update sriov neutron ports with pci info  https://review.openstack.org/642704 07:41
<openstackgerrit> Danil Golov proposed openstack/kuryr-kubernetes master: Annotate nodes with pci info for direct ports  https://review.openstack.org/642703 07:55
<openstackgerrit> Danil Golov proposed openstack/kuryr-kubernetes master: Update sriov neutron ports with pci info  https://review.openstack.org/642704 07:55
*** celebdor has joined #openstack-kuryr 08:08
*** maysams has joined #openstack-kuryr 08:14
<dulek> maysams: Hey, so do you have an idea why the LB member pod isn't added the ingress rule? 08:23
<dulek> maysams: Is that an overlook from our side? Misunderstanding of NP spec? Some bug? 08:23
<maysams> dulek, I'm reproducing that test locally 08:23
<maysams> dulek, to analyze it better 08:24
<dulek> maysams: Cool, do you want the pod definitions? 08:24
<maysams> dulek, Yup 08:25
<dulek> maysams: http://pastebin.test.redhat.com/742258 08:27
<dulek> maysams: This is result of `get all -o yaml`, note that there's a Service definition on the bottom. 08:27
<maysams> dulek: Right, thanks 08:28
<dulek> maysams: Ah, you either need coredns to be running or just change the command in line 55 to call service IP instead of svc-server.network-policy-965. 08:28
<maysams> dulek: okay 08:29
<dulek> maysams: Ah, also note that I changed client-a definition to retry 10000000 times instead of 5. :D 08:30
<maysams> dulek: XDD okay 08:35
<maysams> dulek, could you also get the namespace definition? 08:41
<dulek> maysams: Sure: http://pastebin.test.redhat.com/742264 08:44
<dulek> maysams: finalizers? What's that? 08:44
<maysams> dulek, finalizers? First time I see it 08:45
*** alisanhaji has joined #openstack-kuryr 08:45
<dulek> maysams: Okay, that's nothing too important really, just says that before ns can be deleted k8s needs to purge all of it's resources. 08:46
<dulek> s/it's/its 08:46
<maysams> dulek: yup yup, just googled it 08:47
<maysams> dulek: do you have some secret defined? 09:14
<dulek> maysams: http://paste.openstack.org/raw/748229/ 09:16
<dulek> maysams: But it should get created along with namespace automatically, I think. 09:17
<maysams> dulek, interesting.. It was not created, when I created the new namespace. I only have the default one 09:19
<dulek> maysams: https://github.com/kubernetes/kubernetes/blob/master/test/e2e/framework/framework.go#L216-L231 09:21
<dulek> This is how it creates the Namespace. Nothing out of ordinary there, IMO. 09:22
*** celebdor has quit IRC 09:48
<maysams> dulek: did your server pod ever get not ready? 09:51
<maysams> dulek: because it could not access port 80 and 81 09:52
<dulek> maysams: Uh, I think I lost your first message due to some disconnect. 09:54
<maysams> right 09:54
<maysams> dulek: I asked if your server pod ever got not ready due to not being able to access port 80 and 81 09:54
<dulek> maysams: No, it worked fine. 09:55
<dulek> That would be weird, really… Can you share the log? 09:55
<maysams> well it's running but not ready 09:56
<maysams> so I just described the pod 09:56
<maysams> and got 09:56
<maysams> aah, I just saw the log Error from server (BadRequest): a container name must be specified for pod server, choose one of: [server-container-80 server-container-81] 09:56
<maysams> dulek: sry.. I will try to fix that 09:57
<dulek> maysams: `kubectl -n <namespace> logs <pod-name> -c server-container-80` 09:58
<dulek> :) 09:58
<dulek> maysams: It's just complaining that it doesn't know logs of which container from the pod you want. 09:59
*** maysams has quit IRC 10:06
*** celebdor has joined #openstack-kuryr 10:06
*** maysams has joined #openstack-kuryr 10:57
*** spsurya has quit IRC 10:59
*** spsurya has joined #openstack-kuryr 11:00
<maysams> dulek: sorry I needed to be afk for a few min 11:05
<kmadac3> @dulek: Hi yesterday I added support for revisions into macvlan driver and it helped. Are you ok, that I create change to Gerrit? 11:37
<dulek> kmadac3: Definitely! I'm happy to review it. Please just run `tox -epep8,py27` before submitting to make sure tests are passing. 11:38
<dmellado> kmadac3: please do so! 11:43
<dmellado> yep, and soon enough, py3* as well, please 11:44
<dmellado> kmadac3: if you haven't done before, please take a look at https://docs.openstack.org/infra/manual/developers.html 11:44
<dmellado> thanks! 11:44
<kmadac3> @dulek: ok I will do it asap 11:49
*** pcaruana has quit IRC 11:53
*** rh-jelabarre has joined #openstack-kuryr 12:12
<openstackgerrit> Daniel Mellado proposed openstack/kuryr-kubernetes master: Add ipBlock support to NP  https://review.openstack.org/645139 12:41
<openstackgerrit> Daniel Mellado proposed openstack/kuryr-kubernetes master: Add ipBlock support to NP  https://review.openstack.org/645139 12:43
*** pcaruana has joined #openstack-kuryr 12:54
*** altlogbot_3 has quit IRC 13:01
*** irclogbot_3 has quit IRC 13:01
*** irclogbot_3 has joined #openstack-kuryr 13:02
*** altlogbot_1 has joined #openstack-kuryr 13:02
<openstackgerrit> Daniel Mellado proposed openstack/kuryr-kubernetes master: Add ipBlock support to NP  https://review.openstack.org/645139 13:38
*** ccamposr has joined #openstack-kuryr 14:06
*** alisanhaji has quit IRC 14:27
<openstackgerrit> Michał Dulko proposed openstack/kuryr-kubernetes master: Fix cri-o gate  https://review.openstack.org/644867 14:50
*** altlogbot_1 has quit IRC 15:21
*** altlogbot_2 has joined #openstack-kuryr 15:25
*** irclogbot_3 has quit IRC 15:30
*** irclogbot_0 has joined #openstack-kuryr 15:32
*** irclogbot_0 has quit IRC 15:36
*** irclogbot_1 has joined #openstack-kuryr 15:37
*** ccamposr has quit IRC 15:43
<dulek> maysams: Good news! 16:08
<maysams> dulek: tell me 16:08
<dulek> maysams: It does work with Amphora. 16:08
<dulek> So at least it's only ovn provider quirks. 16:08
<maysams> dulek: but I think it's still wrong 16:09
<dulek> And as it isn't a feature yet, we don't need to worry about it today IMO. 16:09
<dulek> maysams: Oh well. :P 16:09
<maysams> could you share the client sg? 16:09
<maysams> dulek: ^ 16:10
<dulek> maysams: Oh crap, I might still have the rule that I created to fix this on my env. Okay, let me try again. 16:10
<maysams> okay 16:10
<dulek> maysams: Okay, it worked even after I deleted that rule. 16:12
<maysams> dulek: I think it's working because of the default egress rle 16:13
<maysams> rule 16:13
<dulek> maysams: http://paste.openstack.org/raw/748252/ 16:14
<dulek> maysams: This is on client-a port. 16:14
<dulek> maysams: First rule seems to open it for the server, which is good, isn't it? 16:14
<maysams> dulek: yes.. but we are trying to access the svc 16:15
<maysams> in the client pod 16:15
<dulek> maysams: Yes, which is fine, client has egress rule allowing it to call the svc, right? 16:15
<maysams> so.. that rule should be with the remote_ip referring to the svc, not to the server 16:16
<dulek> maysams: Ah, I see. 16:16
<maysams> dulek: does that make sense? 16:16
<maysams> dulek, I'm trying to figure it out if this is wrong or not :P 16:17
<dulek> maysams: It called the svc IP - "svc-server.network-policy-4081 (10.1.0.150:80) open" 16:17
<dulek> maysams: It does make sense to me. But somehow it works… 16:17
<dulek> maysams: Ah, there are rules allowing egress everywhere? 16:17
*** gaoyan has joined #openstack-kuryr 16:17
<maysams> yup 16:17
<dulek> maysams: Want me to check what happens if I delete them? 16:17
<maysams> yess :) 16:18
<dulek> maysams: Okay, let's see. Where are those rules coming from? 16:19
<dulek> maysams: I mean those two egress ones that I just deleted? 16:19
<dulek> maysams: Because it's not the default SG, it's definitely an SG created by kuryr-controller. 16:19
<dulek> maysams: Yep, it lost ability to connect. 16:20
<maysams> dulek: good.. so now we know the problem 16:20
<dulek> maysams: Shall I add a rule allowing it to call the LB IP? 16:21
<maysams> yupp, please 16:21
*** gaoyan has quit IRC 16:21
<dulek> openstack security group rule create --egress --protocol tcp --remote-ip 10.1.0.150 60edc57f-29b1-4f18-ace3-07713df196bf 16:22
*** janki has quit IRC 16:22
<maysams> that's right 16:23
<dulek> maysams: "svc-server.network-policy-4081 (10.1.0.150:80) open" 16:23
<dulek> Let me delete it and try again. 16:23
<dulek> maysams: Yep, it stops working again. So I guess we see the issue now? 16:25
<maysams> dulek: definitely 16:26
<maysams> dulek: That network policy is restricting egress access to all namespaces in a specific port 16:27
<maysams> dulek: and the approach I'm using in the patch is adding a new SG rule with the remote_ip of the pod that has a container matching the named port 16:27
<maysams> dulek: That's why we have that IP and not a rule allowing from everywhere 16:28
<dulek> maysams: Wait, I think I'm still testing with your patch. 16:29
<maysams> dulek: you mean that specific test or the other tests? 16:30
<dulek> maysams: At the moment I only run that specific test. 16:32
<maysams> dulek, Okay. Btw, thanks a lot for checking these things ;) 16:33
<dulek> maysams: Oh crap, I don't know what I am running anymore. :P Let me check again… 16:33
<maysams> XDD 16:33
<dulek> maysams: I do have your patch applied and I think I had it all the time. 16:36
<dulek> maysams: (I've checked the code inside the container) 16:37
<maysams> dulek, which is kinda good, right? Because we found the error 16:38
<maysams> dulek, the reason why the test was not passing 16:39
<dulek> maysams: I guess? :) Any idea why those default allow-all-egress are added in Octavia case but not the OVN case? 16:39
<maysams> dulek: In OVN they are added as well 16:39
<dulek> maysams: Ooooh, waaaait… 16:39
<dulek> maysams: "sg_mode = create" - I have this on. 16:40
<maysams> I have the update one 16:40
<dulek> maysams: Okay, I'm not sure about this one, but whatever it's about VIP rules, not client. 16:41
<maysams> dulek: yup.. btw with OVN the default egress rules were also present in the client pod http://paste.openstack.org/raw/748190/ 16:41
<dulek> maysams: Hm… 16:42
<dulek> maysams: I think what we observed is that client-a is failing to connect with OVN provider and working fine with Amphora? 16:42
<maysams> dulek: you shared this with me yesterday ^ 16:42
<dulek> Yes, yes, I remember. :) 16:42
<maysams> dulek: yes.. and in both cases the default egress rule is created 16:43
<dulek> maysams: So what's the difference…? 16:43
<dulek> maysams: Okay, I think this is enough mysteries for Friday evening. I have the env, I can switch it back to OVN and we can analyze it again on Monday. 16:44
<maysams> ahahah 16:44
<maysams> dulek, sure thing 16:44
<maysams> dulek: Thanks a lot :) 16:44
<dulek> maysams: Thanks for taking this seriously. ;) Have a great weekend! 16:45
<maysams> dulek, you too! 16:45
*** maysams has quit IRC 16:50
*** celebdor has quit IRC 16:58
*** gmann is now known as gmann_afk 17:52
*** gmann_afk is now known as gmann 18:11
*** celebdor has joined #openstack-kuryr 18:40
*** pcaruana has quit IRC 18:45
*** celebdor has quit IRC 18:50
*** aperevalov has quit IRC 19:00