Friday, 2018-06-29

*** fnaval has quit IRC		00:17
*** abaindur has quit IRC		00:25
openstackgerrit	Michael Johnson proposed openstack/neutron-lbaas master: Neutron-LBaaS to Octavia migration tool https://review.openstack.org/578942	00:33
*** longkb has joined #openstack-lbaas		00:36
*** abaindur has joined #openstack-lbaas		00:39
johnsom	rm_work Thoughts on how this could happen? http://logs.openstack.org/54/549054/11/check/octavia-v2-dsvm-noop-api/f0cd44a/job-output.txt.gz#_2018-06-28_22_07_03_513395	00:41
johnsom	Ah, I think we have a bug, we wait for the object to delete, but don't wait for the LB to go back ACTIVE	00:50
*** abaindur has quit IRC		00:57
*** abaindur has joined #openstack-lbaas		01:05
*** johnnytan2885 has quit IRC		01:19
*** abaindur has quit IRC		01:26
*** abaindur has joined #openstack-lbaas		01:26
*** abaindur has quit IRC		01:31
bzhao__	johnsom: hi, have you done the udp test? :). For current lvs-nat, we need to open the ip_forward in lvs director. Then we can access the VIP accross a neutron router. But I found the default amphora-haproxy didn't open it. Also another point about the allowed_address_pair of peer_port, as currently we support lvs-nat, the port need to pass the src IP which is the client IP to pass the port securtity(IP-mac). Whether	01:42
bzhao__	I have to plan to fix it, anyway It's a huge issue I faced, as we need to force to let user to create the lb with customized vip_port..	01:42
bzhao__	johnsom: sorry. Whether I have to plan to fix it? anyway It's a huge issue I faced, as we need to force to let user to create the lb with customized vip_port..	01:43
johnsom	bzhao__ I have been distracted working on a few other issues and have not got back to UDP yet. I was hoping to tomorrow.	01:44
johnsom	So the NAT is not working correctly?	01:44
bzhao__	johnsom: Thanks, never mind. I must to create another allowed address pair which the ip is the udp client IP, then it can work.	01:45
bzhao__	on that peer port	01:46
johnsom	Is it ip_forward in the kernel settings for the amphora?	01:46
johnsom	bzhao__ Hmmm, that does not make sense to me. We should not be creating another allowed address pairs port in neutron.	01:46
bzhao__	johnsom: yeah, I add it during each udp listener create, disable by the last udp listener delete.	01:47
johnsom	bzhao__ Have you posted a patch with the code to add the ip_forward? I want to look at the code to understand	01:48
bzhao__	johnsom: as the lvs-nat, when it pass the lvs director, the traffic should be like client ip:protocol port - real server ip: real server listened port, but the current allowed address pair is just a vip ip adress addition.	01:49
bzhao__	johnsom: https://review.openstack.org/#/c/529651/31/octavia/amphorae/backends/agent/api_server/keepalivedlvs.py @165	01:51
johnsom	bzhao__ Ok, can you give me a few minutes to look at a few things?	01:52
bzhao__	johnsom: OK. Thanks.	01:52
johnsom	bzhao__ Ok, sorry, I needed to refresh my memory on how I envisioned implementing this. (it is late here, so a bit tired)	02:28
johnsom	bzhao__ I think what we need to do is add a source NAT iptables rule in iptables for the UDP flow.	02:29
bzhao__	johnsom: Never mind, have a good sleep. Yeah, good suggest, just not sure whether we need to introduce some "terrible" things to amp instance to affect tcp cases. I will prefer to fix and test it today. Thanks, just have a good rest. :)	02:35
johnsom	bzhao__ I think we should be able to make the iptables packet selection for masquerade limited to the UDP	02:36
johnsom	bzhao__ The way the network namespace and HAProxy work is the source address is always the amphora subnet source address anyway.	02:36
bzhao__	johnsom: Yeah, I agree. I know the masquerade rule need to snat it src IP from client IP to the eth nic ip. Just not sure for tcp. :) . Thanks very much for explain and help.	02:38
bzhao__	johnsom: Thank you, michael.	02:39
johnsom	bzhao__ Something like "iptables -t nat -A POSTROUTING -o <member network interface> -p udp -j MASQUERADE"	02:41
johnsom	bzhao__ Don't forget we need to make those persistent across reboots	02:42
bzhao__	johnsom: Yeah. That's it.	02:42
bzhao__	johnsom: yeah. store it into a iptables file. I think I can reference some part from neutron side. :). Make it better as i can.	02:43
johnsom	bzhao__ Yes! You have it. Ok, leave me a message here if there is some work I can pick up in the morning here.	02:44
johnsom	bzhao__ I really want this to work for Rocky	02:44
bzhao__	johnsom: OK, thanks, I really want too. :). If any problems I hit, I will leave the comments for you. Wait for your back. :)	02:46
*** ivve has joined #openstack-lbaas		02:52
*** ramishra has joined #openstack-lbaas		03:25
*** hongbin has joined #openstack-lbaas		03:41
*** hongbin has quit IRC		03:42
*** kobis has joined #openstack-lbaas		04:23
*** abaindur has joined #openstack-lbaas		04:24
*** kobis has quit IRC		04:31
*** kobis has joined #openstack-lbaas		04:32
*** kobis has quit IRC		04:32
*** AlexeyAbashkin has joined #openstack-lbaas		04:48
*** abaindur has quit IRC		05:00
openstackgerrit	Swaminathan Vasudevan proposed openstack/neutron-lbaas master: neutron-lbaas haproxy agent prevent vif unplug when failover occurs https://review.openstack.org/578966	05:13
*** abaindur has joined #openstack-lbaas		05:15
*** abaindur has quit IRC		05:16
*** abaindur has joined #openstack-lbaas		05:17
*** pcaruana has joined #openstack-lbaas		05:20
*** AlexeyAbashkin has quit IRC		05:51
rm_work	johnsom: ah yeah i thought i found and fixed most of those instances >_< guess I missed one	05:54
*** AlexeyAbashkin has joined #openstack-lbaas		06:01
*** Alexey_Abashkin has joined #openstack-lbaas		06:13
*** AlexeyAbashkin has quit IRC		06:15
*** Alexey_Abashkin is now known as AlexeyAbashkin		06:15
*** AlexeyAbashkin has quit IRC		06:33
*** abaindur has quit IRC		06:36
*** sapd__ has joined #openstack-lbaas		06:42
*** sapd_ has quit IRC		06:42
*** sapd__ has quit IRC		06:44
*** sapd__ has joined #openstack-lbaas		06:45
*** annp has quit IRC		06:51
*** sapd_ has joined #openstack-lbaas		06:52
*** annp has joined #openstack-lbaas		06:52
*** sapd__ has quit IRC		06:54
*** annp has quit IRC		06:57
*** kobis has joined #openstack-lbaas		07:07
*** tesseract has joined #openstack-lbaas		07:10
*** annp has joined #openstack-lbaas		07:11
*** kobis has quit IRC		07:16
*** ispp has joined #openstack-lbaas		07:37
*** kobis has joined #openstack-lbaas		07:49
*** kobis has quit IRC		07:51
*** ispp has quit IRC		07:55
*** ispp has joined #openstack-lbaas		08:14
*** numans_ has joined #openstack-lbaas		09:02
*** numans_ has quit IRC		09:02
*** kobis has joined #openstack-lbaas		10:05
*** ispp has quit IRC		10:07
*** kobis has quit IRC		10:13
*** kobis has joined #openstack-lbaas		10:14
*** ispp has joined #openstack-lbaas		10:19
*** kobis has quit IRC		10:26
*** ispp has quit IRC		10:34
*** ispp has joined #openstack-lbaas		10:58
*** annp has quit IRC		11:39
*** ispp has quit IRC		11:43
*** ispp has joined #openstack-lbaas		11:45
bzhao__	johnsom: seems the lvs direct the traffic not based on iptables. 1	11:55
bzhao__	johnsom: I can just accept the packets in nat PREROUTING chain.	11:55
bzhao__	johnsom: I will continue to test it and find out a way to solve the issue which need to change allow address pair of neutron port.	11:57
bzhao__	https://usercontent.irccloud-cdn.com/file/sEEoUMFa/image.png	12:06
bzhao__	sorry, the above picture is wrong.	12:07
bzhao__	https://usercontent.irccloud-cdn.com/file/o5kSgEsH/image.png	12:07
bzhao__	johnsom: The above picture shows we can only get the traffic before into lvs. (22.22.22.2 is the client IP, 10.0.0.9 is the LB VIP).	12:08
bzhao__	johnsom: lvs do the dnat to realserver itself.. :(	12:09
*** kobis has joined #openstack-lbaas		12:10
*** kobis has quit IRC		12:14
*** rcernin has quit IRC		12:29
*** longkb has quit IRC		12:31
*** peereb has joined #openstack-lbaas		12:46
*** openstackgerrit has quit IRC		12:49
*** yamamoto has quit IRC		12:57
*** ktibi has joined #openstack-lbaas		13:06
*** amuller has joined #openstack-lbaas		13:21
*** yamamoto has joined #openstack-lbaas		13:26
*** LutzB has quit IRC		13:55
*** ispp has quit IRC		13:57
*** LutzB has joined #openstack-lbaas		14:21
*** ispp has joined #openstack-lbaas		14:29
*** ispp has quit IRC		14:40
xgerman_	bzhao__: yes lvs does things differently…	14:48
bzhao__	xgerman_: Thanks, german. But here, I have no idea to not change the peer port's allowed address pair, as the traffic won't change after pass through the lvs director. even the type is lvs-nat or lvs-dr..	14:53
bzhao__	The peer port must allow the client IP as src ip to outgoing.. :(. Currently, the peer port just allow itselves fixed ip and vip to pass the port security chain..	14:57
johnsom	bzhaoe__ I will work on this today. It's SNAT we need to add.	15:02
bzhao__	johnsom: Thanks, michael. :). Is there any nice idea? Seems tc on the peer interface?	15:09
johnsom	bzhao__ I think we just need a masquerade iptables run on the member network outbound ports.	15:15
*** openstack has quit IRC		15:22
*** openstack has joined #openstack-lbaas		15:26
*** ChanServ sets mode: +o openstack		15:26
*** openstackgerrit has joined #openstack-lbaas		15:34
openstackgerrit	Michael Johnson proposed openstack/neutron-lbaas master: Neutron-LBaaS to Octavia migration tool https://review.openstack.org/578942	15:34
*** amuller has quit IRC		15:38
*** tesseract has quit IRC		15:42
openstackgerrit	Michael Johnson proposed openstack/octavia-tempest-plugin master: Add "wait for active" after object delete https://review.openstack.org/579205	15:56
*** hvhaugwitz has quit IRC		16:09
*** mugsie has quit IRC		16:09
*** zigo has quit IRC		16:09
*** hvhaugwitz has joined #openstack-lbaas		16:14
*** mugsie has joined #openstack-lbaas		16:14
*** zigo has joined #openstack-lbaas		16:14
*** bcafarel has quit IRC		16:14
*** irenab has quit IRC		16:16
*** irenab has joined #openstack-lbaas		16:17
*** keithmnemonic[m] has quit IRC		16:17
openstackgerrit	Michael Johnson proposed openstack/python-octaviaclient master: Fix missing docs command mapping for status show https://review.openstack.org/579214	16:22
*** ramishra has quit IRC		16:30
openstackgerrit	Michael Johnson proposed openstack/octavia master: Re-enable KVM https://review.openstack.org/579215	16:33
openstackgerrit	Michael Johnson proposed openstack/octavia-tempest-plugin master: Re-enable KVM https://review.openstack.org/579216	16:34
openstackgerrit	Michael Johnson proposed openstack/neutron-lbaas master: Re-enable KVM https://review.openstack.org/579217	16:36
*** pcaruana has quit IRC		16:40
*** ktibi has quit IRC		16:45
*** keithmnemonic[m] has joined #openstack-lbaas		17:11
*** openstack has quit IRC		17:11
*** openstack has joined #openstack-lbaas		17:15
*** ChanServ sets mode: +o openstack		17:15
openstackgerrit	Michael Johnson proposed openstack/neutron-lbaas master: Neutron-LBaaS to Octavia migration tool https://review.openstack.org/578942	17:58
*** kbyrne has quit IRC		18:14
*** phuoc_ has quit IRC		18:58
*** peereb has quit IRC		19:07
openstackgerrit	Michael Johnson proposed openstack/neutron-lbaas master: Neutron-LBaaS to Octavia migration tool https://review.openstack.org/578942	19:37
openstackgerrit	Michael Johnson proposed openstack/octavia-tempest-plugin master: Add "wait for active" after object delete https://review.openstack.org/579205	20:17
*** yamamoto has quit IRC		20:17
rm_work	oh lol	20:19
rm_work	found another place where a fix merged that i had already done in my L3 driver <_<	20:19
openstackgerrit	Michael Johnson proposed openstack/neutron-lbaas master: Neutron-LBaaS to Octavia migration tool https://review.openstack.org/578942	20:24
openstackgerrit	Adam Harwell proposed openstack/octavia master: Experimental multi-az support https://review.openstack.org/558962	20:25
openstackgerrit	Adam Harwell proposed openstack/octavia master: WIP: AZ Evacuation resource https://review.openstack.org/559873	20:25
openstackgerrit	Adam Harwell proposed openstack/octavia master: WIP: Floating IP Network Driver (spans L3s) https://review.openstack.org/435612	20:25
openstackgerrit	Michael Johnson proposed openstack/octavia master: Fix failover when multiple amphora have failed https://review.openstack.org/577344	20:28
rm_work	i wonder if there's a huge discernible difference ... https://review.openstack.org/#/c/435612/141..142/octavia/controller/worker/controller_worker.py	20:42
rm_work	i'd been running with "!= ALLOCATED"	20:43
rm_work	which ... i guess it wouldn't be on an LB in BOOTING, so that one doesn't matter	20:43
rm_work	but mine would have left out ERROR	20:43
*** yamamoto has joined #openstack-lbaas		21:18
*** yamamoto has quit IRC		21:22
openstackgerrit	Michael Johnson proposed openstack/neutron-lbaas master: Neutron-LBaaS to Octavia migration tool https://review.openstack.org/578942	21:25
johnsom	rm_work BTW, you don't need your zuul page javascript hack anymore	21:25
rm_work	oh nice	21:26
rm_work	they added that?	21:26
johnsom	mnaser hooked you up	21:26
rm_work	sweet	21:26
mnaser	\o/	21:26
* rm_work cheers		21:26
mnaser	no more browser tabs destroyed	21:26
xgerman_	sweet	21:26
openstackgerrit	Michael Johnson proposed openstack/octavia master: Move from platform.linux_distribution to distro.id https://review.openstack.org/579288	21:33
openstackgerrit	Merged openstack/octavia master: Re-enable KVM https://review.openstack.org/579215	23:56

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!