Wednesday, 2018-08-08

johnsomOk, I have fixed a bunch of stuff. It was my mistake that it wasn't passing traffic, I made a bad suggestion on the OPS change.  I'm very sorry for that. I have fixed the functionality, but we can come back later and re-add the OPS session persistence option.  It's a rare setting anyway now that I re-read its purpose00:18
johnsomFailover of a pure UDP LB seems to be working for me. I will test a multiple-listener and a mixed one next.00:19
johnsomThen I will build a centos image and see if it was just my issue that was causing it to not work00:19
bzhao__cgoncalves:  Hi, have you tested with the new session persistence options?00:22
johnsombzhao__ Hi00:23
johnsombzhao__ I made a mistake and I am sorry.  The OPS change I requested was incorrect. I have fixed it to be functioning in my patch, but we should later put the options back for session persistence setting.00:24
bzhao__johnsom:  Hi, Michael. Sorry for not being online yesterday, just as the irc identify, my other account limited by china network. Can not login. ;-(00:24
bzhao__johnsom:  Never mind. ;-)00:24
johnsombzhao__ Bummer you had IRC problems00:24
bzhao__johnsom:  I will add them later. ;-)00:25
johnsombzhao__ I have a few more things to test, then I will post my patch and review the last needed patches.00:25
johnsombzhao__ I think we are in good shape to get it into Rocky00:25
johnsomIt is close, but it is working for me, just some cleanup stuff00:26
bzhao__johnsom:  OK, but I have a question, hmm, I didn't hit the error when failover error, when I reboot the vm/ delete it..Could you please show some details? ;-)00:26
bzhao__johnsom:  You help so much for me. Many thanks.00:27
johnsombzhao__ See this: https://review.openstack.org/#/c/587690/17/octavia/amphorae/backends/agent/api_server/templates/keepalived.systemd.j200:27
johnsombzhao__ If we didn't have an haproxy listener there was no systemd "need" to start the netns service00:28
bzhao__johnsom:  Yeah, I saw it,  I tested it with the latest code yesterday. There is no error again. As I add pdb during the flow update the amphora listeners tasks. ;-).  The flow works fine, but after the failover flow finished, there is no RS configured successfully in the amp ns, even though the config file is correct, I think it lacks a restart step. I mean the test above are in the previous order..00:33
bzhao__johnsom:  Thanks for explain. ;-)00:34
johnsombzhao__ Yeah, I looked at the flow order thing. It's because listener update is restarting keepalived and it has a requirement on the netns being present, but we really start those processes later in the flow.  It needs a refactor, but I think the proposed flow order is ok at the moment.00:35
bzhao__johnsom:  I will focus on centos thing, after finish let OPS back.00:35
johnsomHmmm, getting this with a mixed (2 UDP, 1 HAProxy) LB failover:  ERROR octavia.controller.worker.tasks.amphora_driver_tasks [None req-073b09b4-7989-4fdf-a151-be7a8e81d44e None None] Failed to update listeners on amphora 7d414c67-2923-47f1-af48-1676fb47c6d5. Skipping this amphora as it is failing to update due to: _action() takes at least 5 arguments (5 given)00:35
bzhao__johnsom:  Yeah, it seems OK for now.00:35
johnsombzhao__ Yeah, I am going to try centos tonight too.00:36
johnsomNeed to figure out this error first00:36
bzhao__johnsom:  Ha, fight all day. ;-). Fight Rocky. I will test it you mentioned, as there is already a test env. Also  the traceback look odd.."_action() takes at least 5 arguments (5 given) " ;-)00:39
johnsomYeah, I think the add of protocol to that _action method is not complete00:39
*** longkb has joined #openstack-lbaas00:42
bzhao__Oh, my bad.. The update_amphora_listeners may lack the protocol parameter during reload haproxy listener, I think.00:44
johnsomYeah, I think I would have implemented this differently so we aren't sending the protocol00:45
johnsomWe could have just searched for the configuration file in the amp to determine what type it was since we know the paths and know the filename formats.00:47
johnsomIf the file exists in the haproxy path, it is TCP, if it exists in UDP path it is UDP, if none, 40400:48
bzhao__johnsom:   loop the listeners on agent side with the same API url, check it is a UDP/haproxy listener on agent side? ;-)00:48
bzhao__johnsom:  Yeah, that's it.00:48
johnsomIt's really just two os.path_exists calls, one for TCP, one for UDP path00:49
johnsomThat way the API stays the same for those actions00:50
johnsombzhao__ Yeah, ok, I have it. I will update in my patch00:51
bzhao__Agree, but I think we need to leave only 1 client API for udp. "upload_udp_config", as the haproxy one url ends with "haproxy". ;-)00:51
bzhao__johnsom:  May I add the OPS option in the followup patch? ;-)00:52
johnsombzhao__ Yes, go ahead and work on OPS.  I think I am only going to do the actions, I will leave get/put UDP config, that is fine for now.  The actions changes make me nervous as they are slightly complex.00:53
*** hongbin has joined #openstack-lbaas00:53
bzhao__johnsom:  Thanks. A refactor is coming. ;-)00:55
*** hongbin has quit IRC01:13
*** hongbin has joined #openstack-lbaas01:13
*** bbbbzhao_ has joined #openstack-lbaas01:38
*** openstackgerrit has joined #openstack-lbaas02:08
openstackgerritTatsuma Matsuki proposed openstack/octavia master: Separate the thread pool for health and stats update  https://review.openstack.org/58158502:08
*** ramishra has joined #openstack-lbaas02:36
openstackgerritMichael Johnson proposed openstack/octavia master: Followup patch for UDP support  https://review.openstack.org/58769003:10
openstackgerritMichael Johnson proposed openstack/octavia master: [UDP] Fix failed member always in DRAIN status  https://review.openstack.org/58851103:11
bzhao__johnsom:  Thanks, Michael. I think there must be very late. After I finish the OPS back and testing in local. I will check the centos stuff and wait for your back tomorrow. Take a good rest.03:18
johnsombzhao__ Only 8pm, so ok.  I am testing my patch for failover and then will test CentOS as well.  Then call it a night.03:19
bzhao__johnsom:  Ok, ha.03:20
*** hongbin has quit IRC03:51
openstackgerritMichael Johnson proposed openstack/octavia master: Followup patch for UDP support  https://review.openstack.org/58769003:55
johnsomOk, fixed the release note.  That patch does fix the failover error I saw03:55
johnsomYeah, looks like I fixed centos as well.  I can get UDP through a centos 7 vm04:15
johnsomlol anaconda log.  Man I spent some time with that in my redhat years04:17
johnsomYeah, reboot comes up fine with UDP only.  I rebooted it, then deleted the pair amp, still have UDP connections04:21
johnsomYeah, HM failover works too.  Ship it!04:23
johnsomgrin04:23
openstackgerritMichael Johnson proposed openstack/octavia master: [UDP] Fix failed member always in DRAIN status  https://review.openstack.org/58851104:24
bbbbzhao_johnsom: Woo,nice. The OPS is nearly back. But not test in local. I'm leaving for lunch04:25
johnsomOk. Yeah, I think we are good. Just need to get cores to review and merge04:25
bbbbzhao_johnsom: Thank you :)04:26
*** yamamoto has joined #openstack-lbaas04:29
xgerman_Ok. Will look in a bit and review04:34
johnsomMorning04:35
johnsomWell, it looks like Jacky was already on the first two04:36
johnsomCores, can you please review https://review.openstack.org/#/c/587690 and https://review.openstack.org/#/c/588511/ and merge if you are comfortable with them.04:37
*** yamamoto has quit IRC04:46
*** yamamoto has joined #openstack-lbaas04:50
bbbbzhao_So quick...I have not finished my lunch..04:51
bbbbzhao_:). Thanks very much04:52
*** kobis1 has joined #openstack-lbaas05:06
*** kobis1 has quit IRC05:20
xgerman_looking…05:29
*** yamamoto has quit IRC05:49
bzhao__Maybe I should not post a new for followup?..move it to the end of patch list05:52
openstackgerritMerged openstack/octavia master: UDP for [2]  https://review.openstack.org/52965105:57
johnsombzhao__: yeah, add to the end please so we can merge some patches05:58
openstackgerritMerged openstack/octavia master: UDP for [3][5][6]  https://review.openstack.org/53939105:58
bzhao__johnsom:  Yeah. Thanks. I think I need to add after the  [UDP] Fix failed member always in DRAIN status .06:00
johnsomYes, that would be fine06:01
*** kobis1 has joined #openstack-lbaas06:18
*** pcaruana has joined #openstack-lbaas06:27
*** luksky has joined #openstack-lbaas06:59
cgoncalvesbzhao__, hi. I have not yet because I still couldn't make to have the UDP socket open07:24
*** nmagnezi_ has joined #openstack-lbaas07:25
bzhao__cgoncalves:  Thanks for feedback,;-). I think I can get some time for centos tonight. Also johnsom  had fixed the Upper UDP for centos. According to his test, it may work on centos.07:27
cgoncalvesbzhao__, yes, the upper-case UDP and mapping netcat package to red hat family. I will stack again with latest patch sets now07:27
bzhao__cgoncalves: Thanks . But I think the other tests still need to be done on centos. Ha, let's play it on centos first. ;-)07:29
*** celebdor has joined #openstack-lbaas07:30
bzhao__cgoncalves:  I will join after the refactor..07:30
cgoncalvescool, thanks!07:32
*** rcernin has quit IRC07:35
*** velizarx has joined #openstack-lbaas07:38
*** abaindur has quit IRC07:47
openstackgerrithuangshan proposed openstack/octavia master: Add a periodic task for checking pending_* lbs in housekeeping  https://review.openstack.org/58974707:55
*** velizarx has quit IRC07:56
*** velizarx has joined #openstack-lbaas08:01
openstackgerritZhaoBo proposed openstack/octavia master: [UDP] Bring back new session_persistence type "OPS"  https://review.openstack.org/58974808:01
*** nmagnezi_ has quit IRC08:05
*** nmagnezi_ has joined #openstack-lbaas08:07
*** ktibi has joined #openstack-lbaas08:24
*** nmagnezi_ has quit IRC08:37
openstackgerritzhouchangxun proposed openstack/octavia master: Change the driver to a singleton  https://review.openstack.org/58910008:53
openstackgerritZhaoBo proposed openstack/octavia master: [UDP] Update amphora agent api ref  https://review.openstack.org/58889308:58
openstackgerritZhaoBo proposed openstack/octavia master: [UDP] Support HTTP GET and TCP check in udp healthmonitor  https://review.openstack.org/58918008:58
*** salmankhan has joined #openstack-lbaas09:17
bzhao__My test env is nearly dead as 2 centos amp launched..;-)09:21
*** ktibi has quit IRC09:23
*** ktibi has joined #openstack-lbaas09:27
*** ktibi has quit IRC09:30
*** ktibi has joined #openstack-lbaas09:31
*** nmagnezi_ has joined #openstack-lbaas09:34
cgoncalvesit works!!09:35
bzhao__yeah. Same . ;-)09:35
cgoncalveshttp://paste.openstack.org/show/727615/09:35
bbbbzhao_https://www.irccloud.com/pastebin/6vRF618g/09:37
bbbbzhao_LOL09:37
cgoncalvesgreat, also works for you09:39
bzhao__ha. yeah.09:41
bzhao__It is necessary to test more. I'm testing failover now.09:42
*** luksky has quit IRC09:44
bzhao__Connection is OK if I delete the master amp. Great.09:45
cgoncalvestesting failover too (standalone amp topology)09:47
*** kobis1 has quit IRC09:48
bzhao__;-) . Test in ACTIVE STANDBY topology.09:48
cgoncalvesand just like that, from one day to the other, everything seems to work :)09:49
cgoncalvesfailover worked fine for me09:49
bzhao__Ha, johnsom 's magic. ;-)09:49
cgoncalvesyours too!!09:49
bzhao__Cool, my test env is slow. still waiting for connection the rebuild amp.09:50
bzhao__Oh yeah. Works!!! haha09:56
openstackgerrithuangshan proposed openstack/octavia master: Add a periodic task for checking pending_* lbs in housekeeping  https://review.openstack.org/58974710:01
cgoncalvesawesome!10:03
cgoncalvespity that we are past feature freeze, otherwise we could have also made to support udp in heat10:04
cgoncalvesI have a draft patch, only missing unit tests10:04
*** luksky has joined #openstack-lbaas10:16
bzhao__Thanks for your great work. Apologize for the late work, that's my bad for the so big patch and not good for review.  Then may make this feature delay. ;-(10:17
openstackgerrithuangshan proposed openstack/octavia master: Add a periodic task for checking pending_* lbs in housekeeping  https://review.openstack.org/58974710:20
bzhao__https://review.openstack.org/#/c/587690/19/elements/amphora-agent/pkg-map   johnsom  Woo10:23
*** kobis1 has joined #openstack-lbaas10:28
openstackgerritNir Magnezi proposed openstack/octavia master: Remove user_group option  https://review.openstack.org/58940810:32
openstackgerritZhaoBo proposed openstack/octavia master: [UDP] Support HTTP GET and TCP check in udp healthmonitor  https://review.openstack.org/58918010:40
openstackgerritNir Magnezi proposed openstack/octavia master: DNM: Leave VIP NIC plugging for keepalived  https://review.openstack.org/58929210:44
openstackgerritMerged openstack/octavia master: Followup patch for UDP support  https://review.openstack.org/58769011:21
openstackgerritMerged openstack/octavia master: [UDP] Fix failed member always in DRAIN status  https://review.openstack.org/58851111:21
bzhao__UDP-CONNECT Healthmonitor  works also, ;-)11:37
bzhao__Mixed case passed in failover on centos.11:50
*** nmagnezi_ has quit IRC11:59
cgoncalves\o/12:17
*** longkb has quit IRC12:20
*** amuller has joined #openstack-lbaas12:24
cgoncalvesconfirmed, manual LB failover on act-standby topology with UDP listener works12:30
*** nmagnezi_ has joined #openstack-lbaas12:33
bbbbzhao_yeah, excited. ;)  Leaving for home12:43
*** velizarx has quit IRC12:52
*** velizarx has joined #openstack-lbaas12:56
*** celebdor1 has joined #openstack-lbaas14:05
*** celebdor has quit IRC14:07
*** hongbin has joined #openstack-lbaas14:18
*** HW-Peter has joined #openstack-lbaas14:21
*** fnaval has joined #openstack-lbaas14:27
*** kobis1 has quit IRC14:56
*** nmagnezi_ has quit IRC15:12
xgerman_johnsom: this is weird http://logs.openstack.org/59/589259/4/check/openstack-ansible-functional-ubuntu-xenial/8f0c972/job-output.txt.gz15:16
xgerman_http://logs.openstack.org/59/589259/4/check/openstack-ansible-functional-ubuntu-xenial/8f0c972/logs/openstack/octavia1/octavia/octavia-worker.log.txt.gz#_2018-08-08_14_24_42_74515:17
xgerman_there must be some incompatibility between worker and latest diskimage15:18
johnsomOr you caught it mid-merge of the UDP chain.....15:18
johnsomThat was one thing I fixed in the followup was reverting some incompatible changes to the amp api15:19
*** velizarx has quit IRC15:20
johnsomYeah, looks like you had a patch 2 amp with a followup patch octavia where I reverted that change15:21
xgerman_makes sense… so wait until tomorrow when we have a new amp :-)15:21
xgerman_or can we trigger the amp job manually?15:22
johnsomGood question, it would be nice if we could15:22
*** luksky has quit IRC15:24
openstackgerritZhaoBo proposed openstack/octavia master: [UDP] Support HTTP GET and TCP check in udp healthmonitor  https://review.openstack.org/58918015:25
*** celebdor1 has quit IRC15:25
*** celebdor1 has joined #openstack-lbaas15:31
*** pcaruana has quit IRC15:34
*** aojea has joined #openstack-lbaas15:51
*** jlaffaye_ is now known as jlaffaye16:23
*** celebdor1 has quit IRC16:25
*** ktibi has quit IRC16:27
*** nmagnezi_ has joined #openstack-lbaas16:39
*** ramishra has quit IRC17:27
*** salmankhan has quit IRC18:13
*** abaindur has joined #openstack-lbaas18:25
*** amuller has quit IRC18:36
*** sapd has quit IRC18:49
johnsom#startmeeting Octavia20:00
openstackMeeting started Wed Aug  8 20:00:04 2018 UTC and is due to finish in 60 minutes.  The chair is johnsom. Information about MeetBot at http://wiki.debian.org/MeetBot.20:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.20:00
openstackThe meeting name has been set to 'octavia'20:00
johnsomHi folks!20:00
xgerman_o/20:00
nmagnezi_o/20:00
cgoncalveshey-hey!20:00
johnsomHappy Rocky RC1 day20:00
colin-o/20:00
johnsomFirst up, just a note, I am going to be on vacation Thursday through Monday and will have limited computer access20:01
johnsomWe have relatives visiting and are heading to the coast.20:01
johnsomAs I mentioned, today is RC1 day where we cut the stable/rocky branch.20:01
johnsomI think we are in good shape.20:02
cgoncalveswell deserved, have fun!20:02
johnsomThank you to everyone that worked some long hours to get UDP in shape20:02
nmagnezi_Indeed20:02
nmagnezi_Have fun!20:02
johnsomThe core UDP patches have merged, so it made it into Rocky20:02
johnsomUnless there is a problem with it, I would like to see this one make it too:20:03
johnsom#link https://review.openstack.org/58725520:03
johnsomSo cores, if you haven't already reviewed, it would be appreciated.20:03
nmagnezi_Yup, I'll review it right after the meeting20:03
johnsomThen after that I will cut RC120:03
cgoncalvescan we also tag stable/queens? :D20:04
johnsomFrom here on if there is a bug fix you think we need in Rocky, please contact me with the link and add it to the priority list:20:04
xgerman_https://review.openstack.org/#/c/587505/20:04
johnsom#link https://etherpad.openstack.org/p/octavia-priority-reviews20:04
xgerman_https://review.openstack.org/#/c/585864/20:04
xgerman_those two20:04
johnsomThis will determine if we do an RC2 next week20:04
johnsomAlso, the Denver Stein PTG etherpad is up:20:05
johnsom#link https://etherpad.openstack.org/p/octavia-stein-ptg20:05
johnsomPlease add any topics you think we need to discuss to the topics list and if you are able to join us.20:06
johnsomAny other announcements today?20:06
johnsom#topic Brief progress reports / bugs needing review20:07
xgerman_I will be gone Monday for two weeks20:07
cgoncalvesyes. you get 6 more months of PTLing :)20:07
johnsomNice, enjoy the time off20:07
cgoncalvescongrats20:07
xgerman_4 more years!20:07
johnsomHa, well, yes. I announced that last week.20:08
johnsomThanks?20:08
johnsomgrin20:08
nmagnezi_ha20:08
nmagnezi_Mm I filed this20:08
nmagnezi_#link https://storyboard.openstack.org/#!/story/200330920:08
nmagnezi_Will be happy to get some feedback20:08
nmagnezi_Tried to fix it, but wasn't able to make systemd to respawn the amphora-agent20:09
johnsomOver the last week I have been busy helping out with the UDP protocol support and tracking down a barbican client bug that impacts us.  Summary there is if the cloud is using admin or internal endpoints barbican client will fail to get the secret.20:09
johnsomnmagnezi Ok thanks.  I will take a look.  I had a question about your keepalived systemd story/patch as well. It's setup different than all of the other service definitions I have found, so wanted to understand more there20:10
johnsomThis is the barbican client bug if you are interested:20:11
johnsom#link https://storyboard.openstack.org/#!/story/200319720:11
johnsomAny other progress updates?20:12
johnsomOk20:13
johnsom#topic Some progress on the Storyboard issues20:13
*** luksky has joined #openstack-lbaas20:13
johnsom#link https://etherpad.openstack.org/p/storyboard-issues20:13
cgoncalveschanges to CI jobs and housekeeping. thanks to johnsom for helping me with centos-based controller20:13
johnsomnmagnezi_ cgoncalves The storyboard team has fixed a few things.  They had an intern that worked on some stuff20:14
johnsomThought I would mention that there has been progress there.20:14
nmagnezi_Thanks a lot for the followup!20:15
johnsomOne nice thing is the link to our project is no longer a number (though that still works)20:15
johnsomAt some point we should update our links, but since the number still works it's not a priority20:15
cgoncalves#link https://storyboard.openstack.org/#!/project/openstack/octavia20:15
johnsomYep20:16
nmagnezi_Nice20:16
johnsomOh, darn, I forgot to remove the "UDP doesn't work on CentOS" release note.  It worked for me, are you guys good with it?  If so I will post a patch real quick to fix that .20:17
cgoncalvesstill no priority/severity fields :/20:17
cgoncalvesor which project version is affected20:17
cgoncalvesjohnsom, you added a release note? I didn't see that! :D20:18
nmagnezi_johnsom, would be nice to have that fix if that's not too much trouble20:18
cgoncalvesI tested today with latest patch chain. I reported my findings here on the channel this morning (CET). TL;DR: it works!20:18
johnsomSure, no problem.  nmagnezi_ if you can review the fix right after the meeting it would be great.20:18
nmagnezi_Sure can20:18
johnsomYeah, ok I will ping you guys when I have a patch up. I saw a typo in the api-ref too I can fix20:19
cgoncalvesalso tested failover on standalone and act/stby UDP-listener LB -- works!20:19
johnsom#topic Open Discussion20:19
johnsomOther topics for today?20:19
johnsomcolin- Welcome BTW!  Not sure if you have joined a meeting before.20:19
johnsomNo other topics today?20:21
colin-thanks, first time :)20:22
johnsomThis is the open discussion part of the meeting, so if you have any questions/comments for the team it's a good time to get attention.  grin20:22
xgerman_or tell us which bug you like to work on :-)20:22
colin-thanks for the support thus far, hope to return the favor that's all20:23
johnsomNice, appreciated.20:23
johnsomOk, well, if we don't have any more topics we can wrap up early this week.20:23
nmagnezi_we have stuff to review20:24
nmagnezi_:)20:24
johnsomThanks again for all of your work on Rocky.  We closed out 66 "priority" patches!20:24
johnsom#endmeeting20:24
openstackMeeting ended Wed Aug  8 20:24:44 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)20:24
openstackMinutes:        http://eavesdrop.openstack.org/meetings/octavia/2018/octavia.2018-08-08-20.00.html20:24
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/octavia/2018/octavia.2018-08-08-20.00.txt20:24
openstackLog:            http://eavesdrop.openstack.org/meetings/octavia/2018/octavia.2018-08-08-20.00.log.html20:24
*** SumitNaiksatam has joined #openstack-lbaas20:25
openstackgerritMichael Johnson proposed openstack/octavia master: Fix UDP release note for CentOS  https://review.openstack.org/59003120:25
johnsomnmagnezi_ xgerman_ ^^^ release notes fix20:25
nmagnezi_johnsom, reviewed. Looking at the delete amps patch now20:26
johnsomThank you!20:26
johnsomFunny, that integer type for the protocol must have been there a long time.... I just noticed it today while looking at the api-ref for the UDP updates20:29
nmagnezi_johnsom, should we be backwards compatible here? :P20:30
nmagnezi_johnsom, your time to grin :)20:30
johnsomlol20:31
johnsomWell, given actually using an integer would not get you far.... grin20:31
johnsomYou just want to open the "Octavia number registry" don't you20:32
nmagnezi_johnsom, just wanted to bump the minor API version so we'll be at 2.2 :D20:33
johnsomnmagnezi_ We are at 2.2 now20:33
nmagnezi_Well I should be kicked out of here for this20:33
nmagnezi_(Or I can just say it's way too late for me)20:33
johnsomUDP was 2.120:34
johnsomoops, 2.220:34
xgerman_+120:34
xgerman_yep, I was wondering if we should make our tests/infrastructure better so we just need to run some const array and add versions20:34
johnsomI kind of did that to make it easier to add versions, but maybe there is more improvement that could be added20:35
johnsomcgoncalves BTW, I want to get dual down amphora failover into stable/queens and then will cut.20:36
johnsomThe backport has a problem I need to figure out20:36
xgerman_yeah, need to mull a bit more and put that in20:36
johnsomWe should set a goal of next week for a stable/queens release20:37
nmagnezi_johnsom, +2 W+1 https://review.openstack.org/#/c/58725520:38
johnsomThank you!20:39
cgoncalvesjohnsom, ok. I just feel that we've been constantly delaying the cut ;)20:40
johnsomYeah, trying to get important fixes in it20:40
xgerman_+120:40
cgoncalveswe can release as often as we want, no?20:40
johnsomYes, but it kind of sucks to do a stable release when you know there is a nasty bug in the review stage20:41
johnsomPeople packaging probably don't want to make octavia packages every week...20:42
cgoncalveson our side, we have automation tools ;)20:42
cgoncalvesRDO master \o/20:42
johnsomSome days I wish I could automate reviews....20:43
xgerman_just get some bots20:43
xgerman_core-bot1 and 220:43
johnsomHa, yeah20:43
johnsomThough in honesty, I appreciate the second set of eyes on stuff20:43
xgerman_hence core-bot-220:44
cgoncalvesthat's what core-bot2 would be for -- second set of "eyes"20:44
cgoncalvesxgerman_, *hi5*20:44
openstackgerritNir Magnezi proposed openstack/octavia master: Remove user_group option  https://review.openstack.org/58940820:45
abaindurhi johnsom: in what version of openstack client does the lbaas cli exist?20:53
johnsomabaindur For Octavia you install the python-octaviaclient plugin.  If you are using neutron-lbaas you have to use the "neutron" command, it is not supported via OpenStack client (because it is deprecated).20:54
abaindurwe have installed the python-openstackclient from the upperconstraints version for queens, but it cant find loadbalancer clis20:54
abainduroh, octaviaclient20:54
abaindurNo... we are not using neutron lbaas20:54
johnsomYeah, most of the services have OpenStack client plugins now20:54
abaindurthis is Octavia directly20:54
johnsomYep, perfect, install python-octaviaclient along with OpenStack client and the "openstack loadbalancer" commands will become available20:55
johnsomlog out/back in to get command completion20:55
xgerman_nmagnezi_: johnsom we probably need to merge the lbaas proxy-gate stuff as well21:03
xgerman_https://review.openstack.org/#/c/539350/21:04
johnsomLinks?21:04
xgerman_see above21:04
xgerman_still hoping we can merge it before lbaasv2 gets removed ;-)21:06
*** pcaruana has joined #openstack-lbaas21:07
*** salmankhan has joined #openstack-lbaas21:08
*** colby_home has joined #openstack-lbaas21:09
colby_homeHey Guys. I have a question about the certificate setup for the amphora. I looked at the script to generate the certs (not ideal for production). So I created a server_ca,server_key,server_cert,client_ca,client_key,client_cert. Which ones get assigned to which config option. Reading through docs doesn't give a lot of info21:11
*** salmankhan has quit IRC21:13
johnsomcolby_home Agreed, we still need a detailed install guide.  This is how it is configured for the test gates: https://github.com/openstack/octavia/blob/master/devstack/plugin.sh#L295-L30521:13
johnsombased on that script, which, yes, not good for production use21:13
johnsomDoes that answer your question?21:14
colby_homeI did a separate server CA and Client CA (recommended for production). How do those get configured?21:14
johnsomWell, I don't think they should be different CA's.21:18
johnsomLet me walk through the configuration items and explain them to see if that helps.21:19
colby_homeThis was in that script to generate:21:19
colby_homeecho "Note: For production use the ca issuing the client certificate and the ca issuing the server"21:19
colby_homeecho "certificate need to be different so a hacker can't just use the server certificate from a"21:19
colby_homeecho "compromised amphora to control all the others."21:19
colby_homeecho "\nTo use the certificates copy them to the directory specified in the octavia.conf"21:19
johnsomAh, hang on, yeah, I think I follow. I'm a bit rusty on this config section21:20
xgerman_yeah, we use the same CA —21:22
johnsomThe "server CA" cert should be certificates ca_certificate and ca_private_key21:22
johnsomThis is the CA that issues certificates to the amphora and the CA that verifies the certificate presented by the amphora agent.21:22
xgerman_if you need two CAs look at this sequence of commands: https://github.com/rcbops/rpc-octavia/blob/master/playbooks/rpc-octavia-generate-certs.yml21:22
johnsomThe "client CA" cert would be haproxy_amphora server_ca21:22
johnsomhaproxy_amphora client_cert is the certificate the controllers present to the amphora-agent21:23
johnsomso would be the client cert21:23
johnsomxgerman_ Are you using a split CA in OSA, I don't think so, I think you are using a single CA like the gates.21:24
xgerman_nope, split CA21:24
johnsomThe comment in the file is accurate and valid about splitting them21:24
johnsomOk21:25
johnsomcolby_home Did I confuse you worse, or help?21:26
colby_homeI think that helps :)21:27
colby_homeso haproxy_amphora client_cert should be the cert signed by the client CA?21:28
johnsomyes21:29
colby_homegotcha ok I think I got it21:30
johnsomAh, I see one part we are missing to the picture.21:32
johnsomThe client CA cert is controller-worker client_ca21:33
abaindur[certificates]21:38
abaindurca_certificate = ${OCTAVIA_CERTS_DIR}/ca_01.pem21:38
abaindurca_private_key = ${OCTAVIA_CERTS_DIR}/private/cakey.pem21:38
abaindurca_private_key_passphrase = <enter_your_password_here>21:38
abaindur[haproxy_amphora]21:38
abaindurclient_cert = ${OCTAVIA_CERTS_DIR}/client.pem21:38
abaindurserver_ca = ${OCTAVIA_CERTS_DIR}/ca_01.pem21:38
abaindurI just did that ^^21:38
abaindurwhere OCTAVIA_CERTS_DIR was the directory the built in create_certificates.sh put the files in21:39
johnsomcolby_home You also need to set the client ca in [controller-worker]21:39
johnsomOtherwise, yes, that looks right21:39
colby_homeah ok that makes more sense21:39
johnsomYeah, I was puzzled too21:39
abaindurwhat does client_ca need to be set to?21:40
johnsomYour ca_01.pem from the client CA that generated client.pem21:40
johnsomor 02 or whatever it is called21:41
abaindurSo the same as ca_certificate from [certificates] section?21:41
abaindurand server_ca in [haproxy_amphora]21:41
johnsomno, it should be a client CA where [certificates] is the server CA21:41
abaindurI dont see the devstack plugin setting the client_ca option in [controller_worker] section21:43
johnsomhttps://github.com/openstack/octavia/blob/master/etc/octavia.conf#L23721:45
johnsomor here https://docs.openstack.org/octavia/latest/configuration/configref.html#controller_worker.client_ca21:45
abaindurright im using the same CA21:47
abaindurso its the same .pem file as ive set in those other 2 places21:47
abainduri guess colby_home is using separate CAs21:47
johnsomRight, ah, confusing, ha.  Yeah, if you have two CAs those are going to be different21:47
colby_homeIm deploying in a production env (we dont really have a dev one for openstack) so I wanted to do the certs in the best way possible21:48
johnsomsplit CA is the best option21:48
abainduri'm not even worrying about all that and production yet. just trying to get it working in a basic setup :)21:49
abaindurwhat is the amphora_agent section for? deprecated?21:49
abaindur[amphora_agent]21:49
abaindur# agent_server_ca = /etc/octavia/certs/client_ca.pem21:49
abaindur# agent_server_cert = /etc/octavia/certs/server.pem21:49
johnsomThey are not deprecated, but they are used inside the amphora agent config file.  They are ghost records here. I originally didn't add them to this file, but people kept adding them back...21:51
johnsomSo, ignore those, the controller will set them on amphora deployment21:51
colby_homeJust to be clear, the api server does not need the certs right? Only the worker/healthmonitor/housekeeper21:52
*** SumitNaiksatam has left #openstack-lbaas21:52
johnsomCorrect21:53
colby_homethanks21:53
johnsomAPI does not talk directly to the amphora21:53
*** aojea has quit IRC21:55
*** pcaruana has quit IRC22:02
*** aojea has joined #openstack-lbaas22:08
*** aojea has quit IRC22:09
*** aojea has joined #openstack-lbaas22:11
cgoncalveshttps://githubengineering.com/glb-director-open-source-load-balancer/22:19
*** rcernin has joined #openstack-lbaas22:19
johnsomYay, yet another load balancer package...22:19
johnsomAh, L4 this time22:20
johnsomlol, oh, really ECMP... Got it. Same tech in the L3 act/act distributor22:21
*** aojea has quit IRC22:30
openstackgerritMerged openstack/octavia master: Delete amphora regardless of status  https://review.openstack.org/58725522:35
openstackgerritNir Magnezi proposed openstack/octavia master: systemd should recover Keepalived  https://review.openstack.org/58899322:50
*** hongbin has quit IRC22:54
*** zioproto_ has joined #openstack-lbaas22:55
openstackgerritMerged openstack/octavia master: Fix UDP release note for CentOS  https://review.openstack.org/59003122:55
*** fnaval has quit IRC22:57
*** amotoki_ has joined #openstack-lbaas23:01
*** irenab has quit IRC23:02
*** oanson has quit IRC23:02
*** dulek has quit IRC23:02
*** amotoki has quit IRC23:02
*** dosaboy has quit IRC23:02
*** zioproto has quit IRC23:02
*** zioproto_ is now known as zioproto23:02
openstackgerritNir Magnezi proposed openstack/octavia master: Leave VIP NIC plugging for keepalived  https://review.openstack.org/58929223:05
*** abaindur has quit IRC23:09
*** nmagnezi_ has quit IRC23:10
rm_worko/ sorry missed the meeting23:23
*** luksky has quit IRC23:26
johnsomAll good.  RC1 release is up for review23:30
rm_workcool23:54
