Friday, 2018-03-09

*** sapd_ has quit IRC		00:12
*** beagles\|biab is now known as beagles		00:18
openstackgerrit	Carlos Goncalves proposed openstack/octavia master: Rename q- to neutron- services https://review.openstack.org/544281	00:18
rm_work	errr	00:30
rm_work	lol	00:30
rm_work	so we're not catching something correctly there	00:30
imacdonn	yeah	00:31
rm_work	and i don't think that's an error with your cert	00:31
imacdonn	I don't see anything obviously wrong with it	00:31
rm_work	if self.cryptography is an X509 object...	00:31
rm_work	i think to_cryptography should work	00:31
rm_work	i wonder what version of stuff you have	00:31
imacdonn	was just pondering that too	00:32
rm_work	it might be too old in RDO / cent / RHEL / whatever	00:32
imacdonn	right	00:32
imacdonn	python2-pyOpenSSL-16.2.0-3.el7.noarch ?	00:33
imacdonn	TL;DR https://github.com/requests/requests/issues/3701	00:35
rm_work	err	00:35
rm_work	should be part of cryptography	00:35
rm_work	not pyopenssl	00:35
rm_work	i think	00:36
imacdonn	ignore that link .. bad Google!	00:36
imacdonn	https://pyopenssl.org/en/stable/api/crypto.html	00:37
rm_work	oh but do this	00:37
rm_work	python -c 'import OpenSSL; print(OpenSSL.__version__)'	00:37
rm_work	that's not the same thing	00:37
imacdonn	16.2.0	00:38
imacdonn	as above ;)	00:38
rm_work	yeah ok	00:38
rm_work	sometimes it does weird mismatches	00:38
rm_work	of course i'm on 17.5.0	00:38
imacdonn	fancy :P	00:39
openstackgerrit	Carlos Goncalves proposed openstack/octavia master: Prevent awk matching itself when stopping Octavia https://review.openstack.org/551021	00:39
rm_work	and cryptography?	00:40
imacdonn	python2-cryptography-1.7.2-1.el7_4.1.x86_64	00:40
rm_work	errr	00:40
rm_work	THAT may be too old	00:40
rm_work	can you uninstall that package and install cryptography with pip?	00:40
* cgoncalves senses package bump request coming toward his direction		00:41
imacdonn	heh	00:41
imacdonn	I'll try the fedora rawhide RPM ... it's 2.1.4	00:42
rm_work	that actually DOESN'T meet our requirements.txt	00:42
rm_work	(1.7.2)	00:42
cgoncalves	in our defense (downstream speaking) we follow what's in requirements.txt; upstream should take the responsability of bumping it in global-requirements	00:42
rm_work	cryptography!=2.0,>=1.9 # BSD/Apache-2.0	00:42
cgoncalves	:S	00:43
rm_work	1.7.2 is not >= 1.9	00:43
cgoncalves	https://github.com/rdo-packages/octavia-distgit/blob/rpm-master/openstack-octavia.spec#L114	00:45
cgoncalves	sh*t	00:45
rm_work	hmm	00:45
rm_work	maybe it was that old in that release? though i doubt it	00:46
cgoncalves	"FIXME: system version is stuck to 1.7.2 for cryptography"	00:46
rm_work	:/	00:46
rm_work	this is why we run things in virtualenvs or containers :P	00:47
cgoncalves	so whoever updated from 1.6 knew octavia requires 1.9	00:47
cgoncalves	FWIW tripleo overcloud is containerized now in queens. undercloud containerized coming in rocky	00:47
rm_work	imacdonn: interested in results when you update :P	00:48
rm_work	but brb getting food	00:48
imacdonn	ok... multitasking a bit	00:48
imacdonn	looks like it needs openssl 1.1 ... which is probably why they didn't want to update it	00:53
rm_work	T_T	00:57
rm_work	yes, update openssl and pyopenssl and cryptography >_>	00:58
rm_work	system openssl upgrade may be a pain tho	00:58
rm_work	i wonder if there's guides to set it up side-by-side	00:58
rm_work	not replace the whole system, just compile against a newer one	00:58
openstackgerrit	Min Sun proposed openstack/neutron-lbaas-dashboard master: Cannot update ssl certificate when update listener https://review.openstack.org/549947	01:02
*** annp has joined #openstack-lbaas		01:09
cgoncalves	imacdonn: I'm opening a bug report. could you please provide more info of your env and how you got the exception?	01:12
imacdonn	cgoncalves: here? or on the bug ?	01:12
rm_work	can we validate that the problem is resolved on an upgrade?	01:13
cgoncalves	imacdonn: here since I need that info to open the bug, unless you want to open it yourself :)	01:13
imacdonn	cgoncalves: Env is rdo-queens RPMs installed on Oracle Linux 7 ... trigger for the issue was attempting to create a listener, specifying a "container" that's actually a secret containing a PKCS#12 blob, like:	01:14
imacdonn	openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener2 --default-tls-container=http://slc10jtj.dcilab.oraclecorp.com:9311/v1/secrets/50a1b6e0-b53c-4b33-a06d-0544eaaf02f0 lb2	01:14
imacdonn	which produces: http://paste.openstack.org/show/695879/	01:15
cgoncalves	imacdonn: barbican?	01:15
imacdonn	yes	01:16
rm_work	yes	01:16
cgoncalves	hmm I think we don't support barbican yet	01:16
imacdonn	well ..... it's there (RPMs) .. and it seems to work	01:16
cgoncalves	right. octavia has been there since liberty or so and is only getting supported now :)	01:17
cgoncalves	anyway it's definitely worth reporting and fixing	01:18
imacdonn	https://www.rdoproject.org/rdo/matrix/ says it's there too .. but I don't know what you mean by "supported"	01:18
cgoncalves	imacdonn: supported in OSP	01:18
imacdonn	oh, that :P	01:19
cgoncalves	i'm not saying it's not supported. i just don't know	01:19
imacdonn	https://access.redhat.com/solutions/2544661 there may be an answer there, but I can't read it :) :P	01:20
imacdonn	if it's not supported, you can't support Octavia with TLS	01:21
imacdonn	(AFAIK)	01:22
cgoncalves	imacdonn: what's the octavia NVR installed?	01:22
cgoncalves	rpm -qa octavia	01:23
*** Swami has quit IRC		01:23
cgoncalves	imacdonn: "Barbican is expected to be shipped with Red Hat OpenStack Platform 13 . Barbican (Please note: only command-line client is included as Tech preview) is available as a Tech preview feature in RHOS10."	01:24
cgoncalves	updated september 7, 2017	01:24
imacdonn	openstack-octavia-api-2.0.0-1.el7.noarch	01:25
imacdonn	openstack-octavia-common-2.0.0-1.el7.noarch	01:25
imacdonn	openstack-octavia-health-manager-2.0.0-1.el7.noarch	01:25
imacdonn	openstack-octavia-housekeeping-2.0.0-1.el7.noarch	01:25
imacdonn	openstack-octavia-worker-2.0.0-1.el7.noarch	01:25
imacdonn	python2-octaviaclient-1.4.0-1.el7.noarch	01:25
imacdonn	python-octavia-2.0.0-1.el7.noarch	01:25
cgoncalves	thanks	01:26
rm_work	part of me is really enjoying seeing someone from Oracle struggle with Redhat content paywalls	01:29
cgoncalves	imacdonn: https://bugzilla.redhat.com/show_bug.cgi?id=1553520	01:29
openstack	bugzilla.redhat.com bug 1553520 in openstack-octavia "Cannot create listener with TLS termination" [Urgent,New] - Assigned to amuller	01:29
imacdonn	thanks	01:30
rm_work	though I do appreciate having someone here from oracle who's trying to actually participate in the community :)	01:30
openstackgerrit	Carlos Goncalves proposed openstack/octavia master: [WIP] Add grenade support https://review.openstack.org/549654	01:57
*** imacdonn has quit IRC		02:03
*** imacdonn has joined #openstack-lbaas		02:03
*** sapd has joined #openstack-lbaas		02:14
*** harlowja has quit IRC		02:21
*** fnaval has joined #openstack-lbaas		03:41
*** fnaval has quit IRC		03:41
*** mburrows has joined #openstack-lbaas		03:45
*** sapd has quit IRC		04:18
*** sapd has joined #openstack-lbaas		04:33
*** yamamoto_ has joined #openstack-lbaas		04:52
*** ivve has joined #openstack-lbaas		04:55
*** yamamoto has quit IRC		04:56
*** mburrows has quit IRC		05:20
*** harlowja has joined #openstack-lbaas		05:25
*** kobis has joined #openstack-lbaas		05:45
*** kobis has quit IRC		05:49
*** harlowja has quit IRC		06:00
*** gcheresh_ has joined #openstack-lbaas		06:02
openstackgerrit	OpenStack Proposal Bot proposed openstack/neutron-lbaas master: Imported Translations from Zanata https://review.openstack.org/548770	06:14
*** kobis has joined #openstack-lbaas		06:14
*** harlowja has joined #openstack-lbaas		06:19
*** gcheresh_ has quit IRC		06:22
*** kobis has quit IRC		06:22
*** mburrows has joined #openstack-lbaas		06:23
*** kobis has joined #openstack-lbaas		07:23
*** pcaruana has joined #openstack-lbaas		07:27
*** bonky has quit IRC		07:45
*** rcernin has quit IRC		08:00
*** b_bezak has joined #openstack-lbaas		08:01
*** harlowja has quit IRC		08:08
rm_work	ROFL that's a new one: http://logs.openstack.org/51/549551/2/check/neutron-lbaasv2-dsvm-py3x-api/ea70837/job-output.txt.gz#_2018-03-08_20_53_58_033873	08:25
rm_work	deadlock on quotas	08:25
rm_work	i wonder if it's basically the same thing i found and helped fix in octavia (though I think johnsom was the one that really fixed it)	08:26
rm_work	and all of these "sys:1: ResourceWarning: unclosed file <_io.FileIO name=1 mode='wb' closefd=True>" are interesting too	08:28
rm_work	i wonder where that's coming from	08:28
rm_work	wish it showed where the fd was created	08:28
*** tesseract has joined #openstack-lbaas		08:38
*** threestrands_ has quit IRC		08:48
*** yamamoto_ has quit IRC		08:51
*** yamamoto has joined #openstack-lbaas		08:53
dayou	rm_work, wanna me to fix the merge conflict for: https://review.openstack.org/#/c/520590/? :P	08:54
rm_work	i'm doing it right now	08:54
rm_work	lol	08:54
dayou	:P	08:54
dayou	Great work	08:54
rm_work	and done	08:55
openstackgerrit	Adam Harwell proposed openstack/octavia master: Add element and flag to disable DHCP on amp images https://review.openstack.org/520590	08:55
dayou	Cool, how to do a thum up in irc?	08:55
rm_work	eh, no way I'm aware, but I read :thumsup: like it was parsed to emoji in my head :P	08:55
dayou	haha	08:56
rm_work	i'm just going through my patches and bumping the ones I think need some attention	08:56
rm_work	i've lost track of a few almost	08:56
rm_work	too many pending patches...	08:56
dayou	Let's wait for johnsom's back	08:57
dayou	I'll push more in the pipe also	08:57
rm_work	yeah	08:58
rm_work	we will have a lot for him to look at when he's back ^_^	08:58
dayou	haha	08:59
dayou	shock shock shock	08:59
rm_work	I want to knock out one of the API patches to add backup or timeouts	09:00
rm_work	or error-redirect	09:00
rm_work	maybe on the plane if i have wifi	09:01
dayou	safe trip, man	09:01
dayou	I heard we just opened wifi acess for airplanes, but I haven't tried that	09:02
dayou	I mean in my country	09:02
rm_work	ah	09:02
rm_work	sometimes it is good but often it is disabled on the routes i take	09:02
rm_work	it's hard to run tox, if it needs to rebuild :P	09:02
rm_work	gotta rebuild all my envs now	09:02
dayou	I got them rebuilt last week, now I am stucked in Queens, due the neutron bug on master that would cause a lot of noise on my fan	09:04
rm_work	T_T	09:07
*** numans has quit IRC		10:00
*** numans has joined #openstack-lbaas		10:02
*** salmankhan has joined #openstack-lbaas		10:09
*** salmankhan has quit IRC		10:12
*** salmankhan has joined #openstack-lbaas		10:13
*** salmankhan has quit IRC		10:19
*** kobis has quit IRC		10:20
*** kobis has joined #openstack-lbaas		10:20
*** kobis has quit IRC		10:21
*** kobis has joined #openstack-lbaas		10:21
*** kobis has quit IRC		10:22
*** kobis has joined #openstack-lbaas		10:22
*** kobis has quit IRC		10:22
*** kobis has joined #openstack-lbaas		10:23
*** kobis has quit IRC		10:23
*** kobis has joined #openstack-lbaas		10:23
*** kobis has quit IRC		10:24
openstackgerrit	Merged openstack/octavia master: Updated from global requirements https://review.openstack.org/549551	10:30
*** annp has quit IRC		10:30
openstackgerrit	Carlos Goncalves proposed openstack/octavia master: [WIP] Add grenade support https://review.openstack.org/549654	10:39
*** mburrows has quit IRC		11:04
*** ispp has quit IRC		11:05
*** salmankhan has joined #openstack-lbaas		11:06
*** yamamoto has quit IRC		11:17
openstackgerrit	Carlos Goncalves proposed openstack/octavia master: [WIP] Add grenade support https://review.openstack.org/549654	11:43
*** yamamoto has joined #openstack-lbaas		12:18
*** yamamoto has quit IRC		12:25
*** gcheresh_ has joined #openstack-lbaas		12:46
*** yamamoto has joined #openstack-lbaas		13:02
*** yamamoto has quit IRC		13:07
*** salmankhan has quit IRC		13:37
*** yamamoto has joined #openstack-lbaas		13:48
*** yamamoto has quit IRC		13:53
*** AlexeyAbashkin has joined #openstack-lbaas		13:56
*** AlexeyAbashkin has quit IRC		14:01
*** AlexeyAbashkin has joined #openstack-lbaas		14:03
*** AlexeyAbashkin has quit IRC		14:07
*** gcheresh_ has quit IRC		14:09
*** salmankhan has joined #openstack-lbaas		14:15
*** salmankhan has quit IRC		14:27
*** salmankhan has joined #openstack-lbaas		14:32
*** yamamoto has joined #openstack-lbaas		14:33
*** yamamoto has quit IRC		14:37
*** AlexeyAbashkin has joined #openstack-lbaas		14:43
*** AlexeyAbashkin has quit IRC		14:47
*** AlexeyAbashkin has joined #openstack-lbaas		14:51
xgerman_	rm_work: safe flights	14:53
openstackgerrit	Hengqing Hu proposed openstack/octavia-dashboard master: List children pools on LB details page https://review.openstack.org/551305	14:55
*** yamamoto has joined #openstack-lbaas		14:58
*** yamamoto has quit IRC		14:58
*** fnaval has joined #openstack-lbaas		15:10
*** bonky has joined #openstack-lbaas		15:21
bonky	Hi guys, quick question. Is it possible to create a clustered loadbalancer through neutron/octavia ?	15:22
bonky	I'm just curious if its supported or not :)	15:23
bonky	No worries guys, found parameter in config.	15:29
bonky	Thanks anyway :p	15:29
johnsom	Yes!	15:29
bonky	Another question though, since I've struggled with my deployment of octavia for a couple of days now, I have like 200 loadbalancers in state "error" / "pending_delete".. It seems like they cant be deleted since they were never created.	15:31
bonky	Can I force a removal of all these loadbalancers somehow ?	15:32
bonky	Its an annoyingly long list at the moment =)	15:32
*** AlexeyAbashkin has quit IRC		15:45
*** fnaval has quit IRC		15:45
*** fnaval has joined #openstack-lbaas		15:46
*** yamamoto has joined #openstack-lbaas		15:58
*** pcaruana has quit IRC		16:02
*** yamamoto has quit IRC		16:08
xgerman_	mmh, octavia should let you delete them… if not there is always the DB	16:16
cgoncalves	bonky: can you try deleting one of those zombie LBs and check what logs output?	16:20
openstackgerrit	Merged openstack/octavia master: Fix kvm-centos.7 gate https://review.openstack.org/550487	16:28
bonky	cgoncalves: 2018-03-09 16:28:02.858 1 INFO octavia.api.v1.controllers.load_balancer [req-0b01f598-94e7-4079-8af5-453a6ca6a1a9 5fc177cdfe7340399332ece2c09cd11c aff54c4fc2024c2c938def4effbba20e - default default] Load Balancer debc5396-7f4a-4175-bfdc-4c618cafa494 is immutable. 2018-03-09 16:28:02.873 1 DEBUG wsme.api [req-0b01f598-94e7-4079-8af5-453a6ca6a1a9 5fc177cdfe7340399332ece2c09cd11c aff54c4fc2024c2c938def4effbba20e - d	16:28
bonky	cgoncalves: 2018-03-09 16:28:29.949 1 DEBUG wsme.api [req-68be6258-0a30-4baa-81d9-dee05d9fcf3c 5fc177cdfe7340399332ece2c09cd11c aff54c4fc2024c2c938def4effbba20e - default default] Client-side error: Load Balancer ebf4c628-f480-4140-8028-dec204d7ced4 not found. format_exception /usr/lib/python2.7/site-packages/wsme/api.py:222	16:28
bonky	thats from the api-log	16:28
bonky	Client-side error: Load Balancer f90495a1-245f-4008-bf7d-5ba81cb74af1 not found. format_exception /usr/lib/python2.7/site-packages/wsme/api.py:222 <- this seems to be happening when I actually try to delete the loadbalancer	16:30
cgoncalves	octavia reports LB exists and same time it does not, funny	16:31
cgoncalves	should be fixed somehow, definitely. in the mean time, and since you're in a stage env I hope, just delete from DB as xgerman_ suggested	16:32
bonky	Can I ask how to do that :D ?	16:33
bonky	Never done anything in the db before	16:33
xgerman_	mmh, then it’s better to leave the DB alone ;-)	16:33
bonky	xgerman_: Well if you provide an example, I'm sure I can take it from there ;)	16:34
cgoncalves	something like: $ mysql octavia -e 'delete from loadbalancer where status="error" and status="pending_delete"'	16:35
xgerman_	and then follow to constrain violations to the other tables	16:35
cgoncalves	oops, provisioning_status="error" and operating_status="pending_delete"	16:35
bonky	ERROR 1451 (23000): Cannot delete or update a parent row: a foreign key constraint fails (`octavia`.`vip`, CONSTRAINT `fk_vip_load_balancer_id` FOREIGN KEY (`load_balancer_id`) REFERENCES `load_balancer` (`id`))	16:39
bonky	ok, so how do I follow that	16:40
xgerman_	now you delete the row for that LB in octavia.vip	16:45
bonky	hm ok, I'll figure it out, thanks!	16:47
bonky	:)	16:47
*** bonky has quit IRC		16:53
openstackgerrit	Carlos Goncalves proposed openstack/octavia master: [DNM] Add experimental ovsfw-scenario job https://review.openstack.org/550431	17:00
*** harlowja has joined #openstack-lbaas		17:00
*** ivve has quit IRC		17:14
openstackgerrit	Carlos Goncalves proposed openstack/octavia master: [DNM] Add experimental ovsfw-scenario job https://review.openstack.org/550431	17:16
openstackgerrit	Carlos Goncalves proposed openstack/octavia master: Add experimental ovsfw-scenario job https://review.openstack.org/550431	17:23
*** harlowja has quit IRC		17:54
*** harlowja has joined #openstack-lbaas		17:56
*** harlowja has quit IRC		18:00
*** dmellado has quit IRC		18:16
xgerman_	cgoncalves: Is Ovtavia Tech preview or fully supported in OSP?	18:17
*** dmellado has joined #openstack-lbaas		18:42
*** AJaeger has joined #openstack-lbaas		18:44
AJaeger	neutron-lbaas cores, please review https://review.openstack.org/543929 and https://review.openstack.org/542022	18:45
AJaeger	johnsom: ^	18:46
xgerman_	omw	18:53
*** harlowja has joined #openstack-lbaas		19:00
AJaeger	thanks, xgerman_	19:02
*** tesseract has quit IRC		19:05
*** salmankhan has quit IRC		19:06
*** bonky has joined #openstack-lbaas		19:21
bonky	Is there any difference between (in neutron.conf, under DEFAULT-section), 'lbaasv2' and 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2' ? I have 'lbaasv2' currently	19:24
*** blake has joined #openstack-lbaas		19:27
xgerman_	no	19:28
xgerman_	lbaasv2 is the alias	19:28
bonky	ok	19:28
imacdonn	neutron_lbaas-12.0.0-py2.7.egg-info/entry_points.txt:lbaasv2 = neutron_lbaas.services.loadbalancer.plugin:LoadBalancerPluginv2	19:28
imacdonn	if you don't actually need neutron-lbaas, you might consider skipping it and just doing straight octavia	19:29
bonky	Oh, I see, so this is where I get a bit confused. My thought process as of now is to do only octavia. neutron-lbaas is the agent based on right ?	19:31
imacdonn	neutron-lbaas can drive the old agent-based haproxy-in-a-network-namespace model, or it can (I guess) be a front-end to octavia	19:32
bonky	https://docs.openstack.org/neutron/pike/admin/config-lbaas.html <- on this page, under the topic 'Configuring LBaaS v2 with Octavia', it says that I should have 'neutron_lbaas.services.loadbalancer.plugin:LoadBalancerPluginv2' present in my neutron.conf.	19:32
bonky	imacdonn: yes I see	19:32
imacdonn	or you can just avoid all of that and have octavia-api be the entry-point	19:33
imacdonn	(at least with the recent releases)	19:33
imacdonn	(as I understand it)	19:33
blake	Only if you want to use the Octavia driver. If you need the HAProxy driver, or a third party driver, you must use neutron-lbaas for the time being	19:33
bonky	Hm, I'm on Pike (OSP 12, rhel)	19:34
*** AJaeger has left #openstack-lbaas		19:34
imacdonn	blake: right.. good clarification	19:34
bonky	From a laymens perspective it makes sense right now to only make use of Octavia. I'm not sure why we would need anything else.	19:35
imacdonn	I guess Octavia may not be "supported" on OSP 12 ... it's not really clear (to me, yet) if it's supported in OSP 13, but it might be	19:35
bonky	Still very confused about the whole ecosystem and the terms.	19:35
bonky	imacdonn: Well I have octavia working in OSP 12. And it should be supported in OSP13 as I understand it.	19:36
imacdonn	that sounds about right	19:36
imacdonn	be aware that there's an issue with openssl, if you want to be able to create TLS LBs, though	19:37
imacdonn	not sure where OSP 13 is, release-wise .. I'm using RDO	19:37
bonky	ok ok	19:37
bonky	Is there a collection of "pros" vs "cons" using the 'agent-based haproxy-in-a-network-namespace'-model vs the 'octavia create vm's with a haproxy instance'-model ?	19:45
xgerman_	agent-based only has cons ;-)	19:45
xgerman_	Octavia is operator grade with HA, tenant separation, scalability, etc.	19:46
bonky	tenant separation and scalability I understand. What do you mean by 'operator grade with HA' ?	19:47
xgerman_	HA means we have sub-second failover	19:47
bonky	But dont you have failover with the 'agent-based one' ?	19:48
bonky	you have multiple controllers running the ha-proxy no ?	19:48
xgerman_	it’s not sub second… they will failover if they detect an agent as down	19:49
bonky	hehe forgive me for my lack of knowledge, but what is "sub second" ?	19:50
xgerman_	but they don;t share haproxy state there so you will have to renegotiate SSL sessions and such	19:50
xgerman_	Octavia run haproxy in cluster mode so they share all that	19:50
imacdonn	"sub second" -> "happens in less than one second"	19:50
xgerman_	yes	19:50
bonky	AH!	19:50
bonky	Thanks for your patience :)	19:51
bonky	But aren't talking about running ha-proxy in ACTIVE/ACTIVE mode now ? Which is not possible yet ? Or do I miss something ?	19:52
bonky	clustering via keepalived ?	19:53
xgerman_	there are two thing: we use keepalived to do the sub second failover for Active-Passive	19:53
bonky	Oh ok, so they share state even though they are active/passive you mean =	19:53
bonky	?	19:53
xgerman_	but we also run haproxy in a way that the ACTIVE and PASSIVE one share “stick tables”	19:53
xgerman_	yes	19:53
bonky	oh ok, cool	19:54
bonky	then I think I got it	19:54
xgerman_	if you need to save resources you can overcommit the Octavia VM flavor	19:54
xgerman_	I had an operator consider having some overcommitted tier to offer for free and some more real one to ask for money	19:55
bonky	Ok, I see	19:56
*** b_bezak has quit IRC		19:58
cgoncalves	xgerman_: full support in OSP13 (Queens release), at least that's what we're aiming at :)	20:21
xgerman_	Nice!!	20:21
*** threestrands has joined #openstack-lbaas		20:22
*** threestrands has quit IRC		20:22
*** threestrands has joined #openstack-lbaas		20:22
cgoncalves	imacdonn: Octavia is not supported on OSP12 (packages are available though); plan is to have it supported from OSP13. neutron-lbaas is still going to be supported but is in deprecation phase (both upstream and downstream)	20:25
cgoncalves	imacdonn, bonky: please let me know if you have any further queries about OSP and OSP+Octavia :)	20:25
bonky	cgoncalves: cool! After struggling a bit I got octavia working in OSP 12 ;)	20:26
cgoncalves	bonky: glad to know it's working well for you! :)	20:33
imacdonn	he didn't actually say "well" .. lol	20:41
*** gcheresh_ has joined #openstack-lbaas		20:42
bonky	haha, well, havent tried that much yet. trying to understand how it works and tidying up the configs a bit.	20:43
* imacdonn realises that he just assumed bonky is a "he" .. so much for Internalation Womens' Day :)		20:43
imacdonn	er International*	20:44
bonky	One thing I seem to have some trouble is the octavia user. The octavia user is located in the "defualt" domain. But all our projects and networks are only in our "company" domain. I'm not sure how that is suppose to work	20:44
bonky	But it may be a non issue	20:44
xgerman_	well, Octavia needs some resources — so with default quotas I ran against a wall with 10 LBs. Not sure if OSP is the same	20:45
bonky	yea, same here	20:45
bonky	since we are still testing i just bumped the default quotas	20:46
bonky	hehe	20:46
imacdonn	10 LBs, or 10 instances (amphorae) ?	20:46
openstackgerrit	German Eichberger proposed openstack/octavia master: [WIP] Switch amphora agent to use privsep https://review.openstack.org/549295	20:46
xgerman_	10 LBs aka 20 VMs (and FIPs and…)	20:47
bonky	Ehm, I actually hit a limit on the security groups. I'm not sure why though ?	20:47
xgerman_	we use those, too	20:48
xgerman_	each LB gets it’s own SG	20:48
bonky	And the quotas given in 'neutron_lbaas.conf' seems to be the "one" that counts (as far as lbaas-related), same parameters in octavia.conf I cant get to work.. Does that make sense?	20:49
bonky	ok, well then I understand why I hit that limit.	20:49
imacdonn	[imacdonn@home ~]$ os limits show --absolute --project service \| grep -i instances	20:49
imacdonn	\| maxTotalInstances \| 10 \|	20:49
imacdonn	\| totalInstancesUsed \| 2 \|	20:49
imacdonn	I guess mine defaults to 10 nova instances :P	20:49
xgerman_	My current quotas:	20:50
xgerman_	https://github.com/rcbops/rpc-octavia/blob/master/playbooks/vars/main.yml#L40-L49	20:50
xgerman_	I think that’s public…	20:51
imacdonn	I think 10 is the default quota for a new project	20:51
*** gcheresh_ has quit IRC		20:52
imacdonn	hmm, I installed cryptography 2.1.4 with pip, but still get this...	21:00
imacdonn	2018-03-09 20:59:42.707 21557 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/site-packages/octavia/certificates/common/pkcs12.py", line 35, in get_certificate	21:00
imacdonn	2018-03-09 20:59:42.707 21557 ERROR oslo_messaging.rpc.server return self.certificate.to_cryptography().public_bytes(	21:00
imacdonn	2018-03-09 20:59:42.707 21557 ERROR oslo_messaging.rpc.server AttributeError: 'X509' object has no attribute 'to_cryptography'	21:00
imacdonn	I think it's pyOpenSSL, but rm_work seemed adamant otherwise	21:01
cgoncalves	imacdonn: try pip install newer version of pyOpenSSL? :)	21:02
imacdonn	yeah	21:02
imacdonn	of course my LB is immutable now .. sigh	21:03
imacdonn	pyOpenSSL didn't fix it either ... assuming I'm getting the pip stuff right	21:11
imacdonn	will have to look at it more later	21:12
imacdonn	[root@slc10jtj ~]# pip show cryptography \| grep ^Version:	21:14
imacdonn	Version: 2.1.4	21:14
imacdonn	[root@slc10jtj ~]# pip show pyOpenSSL \| grep ^Version:	21:14
imacdonn	Version: 17.5.0	21:14
cgoncalves	imacdonn: can you pip show requests?	21:16
imacdonn	Version: 2.14.2	21:16
imacdonn	not sure how requests comes into play here ?	21:17
imacdonn	https://pyopenssl.org/en/stable/api/crypto.html#x509-objects	21:17
imacdonn	to_cryptography()	21:17
imacdonn	Export as a cryptography certificate.	21:17
imacdonn	Return type:cryptography.x509.Certificate	21:17
imacdonn	New in version 17.1.0.	21:17
cgoncalves	reading similar reports here https://github.com/requests/requests/issues/3701	21:18
imacdonn	yeah, I found that link yesterday	21:18
*** sshank has joined #openstack-lbaas		21:19
imacdonn	wait a sec.. I think I haz the dumb	21:19
imacdonn	I may not have restarted octavia services after updating pyOpenSSL	21:20
*** threestrands has quit IRC		21:22
cgoncalves	imacdonn: you could also try: python -c "import requests; requests.get('https://google.com')"	21:24
xgerman_	harlowja: msgpack (0.5.3) has the same error	21:24
harlowja	hmmmm	21:24
harlowja	sad	21:24
harlowja	can u go farther back to <0.5	21:24
harlowja	i'm assuming it once worked :-P	21:25
xgerman_	yes, I added a sed to massage OpenStack’s upper-constraints — but I cant be the only one using privsep?!	21:25
harlowja	lol	21:25
imacdonn	cgoncalves: I'd have to figure out how to make that go through a proxy ... really don't think it has anything to do with requests ... will get back to it later ... meeting coming up in 5 min	21:25
cgoncalves	imacdonn: ok	21:26
harlowja	xgerman_ one would hope...	21:26
xgerman_	that is interesting: https://github.com/msgpack/msgpack-python/releases	21:27
harlowja	ya, thus why < 0.5	21:27
harlowja	0.5 started on jan 6	21:27
harlowja	so i'd hope 0.4.x may have worked at one point, lol	21:27
harlowja	(likely what gus used?)	21:27
xgerman_	wonder what msgpack-python is?	21:29
xgerman_	so they renamed with 0.5.0 msgpack-python to msgpack…	21:38
harlowja	ya, i think the github repo is the same	21:38
xgerman_	which means going back is not so easy	21:38
harlowja	not sure why they did it, lol	21:38
xgerman_	so to force pre 0.5.0 on the system I would need to change privsep’s requirements (back?) toe the old name	21:39
harlowja	hmmmmm	21:40
harlowja	seems that's a yes	21:40
xgerman_	guess oslo went to sh*t after you stepped down from PTL	21:40
harlowja	hard to tell	21:41
harlowja	just a lot of softwae	21:41
harlowja	with dependencies	21:41
harlowja	lol	21:41
harlowja	https://github.com/openstack/requirements/blob/stable/ocata/global-requirements.txt#L424	21:41
harlowja	424 is a lot	21:41
harlowja	lol	21:41
harlowja	~424	21:41
xgerman_	and that ocata — meanwhile in Pike	21:41
xgerman_	or Queens	21:41
harlowja	ya, wrong branch	21:41
harlowja	~460 now	21:41
xgerman_	:-)	21:41
harlowja	all the libraries	21:41
harlowja	we are using all of pypi	21:42
harlowja	lol	21:42
xgerman_	ok, I will submit a patch to privsep to roll back the name change since it’s released under the old name anyway for now	21:43
xgerman_	(+ the new one)	21:43
imacdonn	cgoncalves: (multitasking while on meeting) seems that the new pyOpenSSL did fix it	21:44
imacdonn	previously had python2-pyOpenSSL-16.2.0-3.el7.noarch .. per paste above, we need >= 17.1.0	21:45
imacdonn	octavia requirements.txt has >=16.2.0, queens upper-constraints has ==17.5.0	21:48
*** mburrows has joined #openstack-lbaas		21:52
*** sshank has quit IRC		21:57
cgoncalves	imacdonn: sh*t, again mismatching of octavia requirements.txt and u-c...	22:02
imacdonn	cgoncalves: yup	22:02
cgoncalves	imacdonn: could you please reinstall python-cryptography rpm and retry? so that we can narrow it down to only pyOpenSSL needing update	22:03
imacdonn	ok	22:03
imacdonn	cgoncalves: seems to be failing in a different way now....2018-03-09 22:12:07.885 22700 WARNING octavia.amphorae.drivers.haproxy.rest_api_driver [req-0d11cd1f-0a1b-445c-8677-01843a6a959c - ab1732cdc2dc45c98506436f2ef29b07 - - -] Could not connect to instance. Retrying.: SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)	22:12
cgoncalves	"it's just a warning" (tm)	22:13
imacdonn	yeah, but it retried ~13 times, then moved to:	22:15
imacdonn	2018-03-09 22:13:23.035 22700 WARNING octavia.amphorae.drivers.haproxy.rest_api_driver [req-0d11cd1f-0a1b-445c-8677-01843a6a959c - ab1732cdc2dc45c98506436f2ef29b07 - - -] Could not connect to instance. Retrying.: ConnectTimeout: HTTPSConnectionPool(host='10.250.34.201', port=9443): Max retries exceeded with url: /0.5/listeners/0e22ee94-d17c-4e30-819d-8a535e42002d/certificates/imtestapp.dcilab.oraclecorp.com.pem (Caused by ConnectTime	22:15
imacdonn	outError(<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7efd4b7b8450>, 'Connection to 10.250.34.201 timed out. (connect timeout=10.0)'))	22:15
cgoncalves	imacdonn: ok, so we need pyOpenSSL>=17.1.0 and python-cryptography>=1.9?	22:15
imacdonn	I tested with cryptography 2.1.4	22:16
imacdonn	i.e. that plus pyOpenSSL 17.5.0 is is only combination that's worked so-far	22:16
cgoncalves	imacdonn: abusing of your goodwill, could you pip install both with minimum versions set in u-c queens?	22:31
imacdonn	cgoncalves: will try .. it's a pain to have to untangle everything when it fails :/	22:33
cgoncalves	pyopenssl 17.1.0 is clear to me checking changelog https://pyopenssl.org/en/stable/changelog.html#id26	22:33
imacdonn	it's also spelled out at https://pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.X509.to_cryptography	22:34
cgoncalves	https://github.com/pyca/pyopenssl/blob/17.1.0/setup.py#L99	22:35
imacdonn	so the U-C for Queens says cryptography 2.1.4, and pyOpenSSL 17.5.0	22:35
imacdonn	https://github.com/openstack/requirements/blob/stable/queens/upper-constraints.txt	22:36
cgoncalves	yes. I was just narrowing it down to what octavia queens really needs minimum	22:36
cgoncalves	I'll need to open yet another set of rhbz, this time for pyopenssl...	22:37
*** jdavis has joined #openstack-lbaas		22:38
imacdonn	cgoncalves: so is there some other combo you wanted to test?	22:41
cgoncalves	imacdonn: no, I think that's it. I just wanted to assert that the minimum requirements work	22:47
cgoncalves	imacdonn: thank you!	22:47
imacdonn	cgoncalves: I guess I would say that I've verified that the recommended versions work ... they're currently different from the minimum versions :/	22:47
*** bonky has quit IRC		22:48
cgoncalves	imacdonn: indeed! I owe you a few beers :)	22:50
imacdonn	cgoncalves: heh .. no problem	22:50
*** jdavis has quit IRC		23:12
*** fnaval has quit IRC		23:49
*** blake has quit IRC		23:52
*** yamamoto has joined #openstack-lbaas		23:54

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!