Wednesday, 2018-08-15

abaindur	johnsom: is there a list of the support protocols for load balancing?	00:18
johnsom	abaindur Yes, in the API reference document	00:19
johnsom	https://developer.openstack.org/api-ref/load-balancer/v2/index.html#create-listener	00:19
johnsom	Look for "protocol"	00:19
abaindur	ah ok, i was just looking at the cookbook	00:19
*** longkb has joined #openstack-lbaas		00:42
*** hongbin has joined #openstack-lbaas		00:44
*** sapd1 has joined #openstack-lbaas		01:15
openstackgerrit	Michael Johnson proposed openstack/octavia master: Fix Octavia for host host routes https://review.openstack.org/591876	01:25
openstackgerrit	Michael Johnson proposed openstack/octavia master: Fix neutron "tenat_id" compatibility https://review.openstack.org/591883	01:52
*** abaindur has quit IRC		02:01
*** openstack has joined #openstack-lbaas		02:36
*** ChanServ sets mode: +o openstack		02:36
*** ramishra has joined #openstack-lbaas		02:37
*** hongbin has quit IRC		03:23
*** hongbin has joined #openstack-lbaas		03:28
*** hongbin_ has joined #openstack-lbaas		03:48
*** hongbin has quit IRC		03:50
*** hongbin_ has quit IRC		04:14
*** oanson has quit IRC		04:33
openstackgerrit	Michael Johnson proposed openstack/octavia master: Allow blocking IPs from member addresses https://review.openstack.org/591893	04:54
*** yboaron_ has joined #openstack-lbaas		04:56
*** oanson has joined #openstack-lbaas		05:00
*** pcaruana has joined #openstack-lbaas		05:12
johnsom	Cores, if you could please review https://review.openstack.org/#/c/591261/ to un-block the neutron-lbaas-dashboard gates	05:21
openstackgerrit	Merged openstack/octavia-dashboard master: Add Apple OS X ".DS_Store" to ".gitignore" file https://review.openstack.org/581653	05:28
*** abaindur has joined #openstack-lbaas		06:49
*** yboaron_ has quit IRC		07:50
*** yboaron_ has joined #openstack-lbaas		08:07
*** yboaron_ has quit IRC		08:12
*** velizarx has joined #openstack-lbaas		08:19
*** abaindur has quit IRC		08:26
*** velizarx has quit IRC		08:35
*** velizarx has joined #openstack-lbaas		08:37
*** bzhao__ has quit IRC		09:18
*** xgerman_ has quit IRC		09:18
*** salmankhan has joined #openstack-lbaas		09:22
*** yboaron_ has joined #openstack-lbaas		09:23
*** rtjure has joined #openstack-lbaas		09:35
sapd1	johnsom: Can I create amphora on both VIP Network and LB_Manage Network instead of a task which plugVIP on VIP Network?	10:05
*** longkb has quit IRC		10:45
*** sapd1 has quit IRC		10:59
openstackgerrit	Kobi Samoray proposed openstack/neutron-lbaas master: nlbaas2octavia: Escape 'key' field calls https://review.openstack.org/592006	11:25
openstackgerrit	Kobi Samoray proposed openstack/neutron-lbaas master: nlbaas2octavia: Script fails when no members found https://review.openstack.org/592008	11:30
*** sapd1 has joined #openstack-lbaas		14:49
johnsom	sapd1 You can tell the VIP to be on the lb-mgmt-net if you need.	14:56
sapd1	I'm trying to launch amphora instance using SR-IOV network.	15:00
sapd1	johnsom: because the flow in octavia is attach vrrp port after instance is created, so the SR-IOV port can't attach to amphora instance	15:02
sapd1	https://bugs.launchpad.net/nova/+bug/1708433	15:02
openstack	Launchpad bug 1708433 in OpenStack Compute (nova) "Attaching sriov nic VM fail with keyError pci_slot" [Medium,In progress] - Assigned to Matt Riedemann (mriedem)	15:02
johnsom	Ah, yeah, nova needs to fix that	15:02
*** ramishra has quit IRC		15:03
sapd1	No. nova has a associate spec with this bug. But It is not implemented. and abandoned	15:04
*** yboaron_ has quit IRC		15:11
*** kobis1 has joined #openstack-lbaas		15:33
kobis1	hey how's familiar with the nlbaas2octavia tool?	15:37
johnsom	kobis1 I wrote it	15:42
*** velizarx has quit IRC		15:45
kobis1	Hi johnsom, testing this now - running into a few issues	15:47
johnsom	I saw you posted a few fixes last night	15:48
kobis1	Today… time difference ;)	15:48
kobis1	Still testing these though	15:48
*** shoffmann has joined #openstack-lbaas		15:49
kobis1	Curious about changing the project on the security group - AFAIK the owner should remain same - the user's project. When I create an Octavia LB the VIP port's owner is the user project	15:49
shoffmann	Hi,	15:49
shoffmann	I'm testing with octavia loadbalancer and have an problem:	15:49
shoffmann	The creation of the loadbalancer finished without any error and it is shown as ACTIVE. The octavia-worker.log only shows	15:49
shoffmann	'INFO octavia.network.drivers.neutron.allowed_address_pairs [-] Port d0d1cb55-c6c8-4772-ab86-9dbc69d8e8b9 already exists. Nothing to be done.'	15:49
shoffmann	The problem is, that this port is not activ and not connected to the amphora Instance.	15:49
shoffmann	Can anyone tell me, how I can find out why?	15:50
shoffmann	Thanks.	15:50
kobis1	And then - when I create a NLBaaS LB, assign the SG to some SG in the user's domain, the migration "steals" my SG and then it's owned by Octavia	15:50
johnsom	We are greedy like that... lol	15:50
kobis1	In the most stupid case - I assign my VIP to the default SG… And boom it's gone...	15:51
johnsom	Yeah, it's probably a bug. I know we create a security group, thus the need for an ownership change, but It should probably check if it was owned by nlbaas before changing it.	15:52
kobis1	Is that SG for the internal Octavia net?	15:53
kobis1	OK cool, I'll just do some more testing - will try to push another fix for this as well	15:53
johnsom	shoffmann The message about the port is fine. It just means the port was created earlier in the process. Octavia has two ports, one is always "down" as it is a "fake" port created by neutron for the VIP. The other is up and has a "allowed-address-pair" pointing to the second port.	15:53
johnsom	kobis1 Ok, thanks! We do have a gate job for the tool as well if you want to update any tests.	15:54
kobis1	Cool for a starter I'll complete one cycle of manual testing… And then start updating tests and such. In the meantime my patches are WF -1 and there just to keep things in order on my side	15:55
johnsom	Ok	15:56
*** FracKen has joined #openstack-lbaas		15:56
johnsom	Cores, once this stable/queens merges I will cut a stable/queens release: https://review.openstack.org/#/c/592095/	16:04
*** fnaval has joined #openstack-lbaas		16:14
*** fnaval has quit IRC		16:16
*** fnaval has joined #openstack-lbaas		16:16
shoffmann	johnsom But I have to connect the FloatinIP to the "fake" port? I want to use a private subnet.	16:22
johnsom	shoffmann You use the port ID listed on the load balancer for the floating IP	16:23
shoffmann	johnsom Thanks. This is the "fake" port.	16:25
*** colby_ has joined #openstack-lbaas		16:31
colby_	johnsom: Thanks for spotting that. I just thought that was a product of the connection failing. Ill check into the cert config. Im able to use the certs with curl. Ill put my cert config and my curl command into a pastebin	16:31
*** kobis1 has quit IRC		16:41
*** openstackstatus has joined #openstack-lbaas		16:57
*** ChanServ sets mode: +v openstackstatus		16:57
*** shoffmann has left #openstack-lbaas		17:00
*** salmankhan has quit IRC		17:13
*** kobis1 has joined #openstack-lbaas		17:34
*** kobis1 has quit IRC		17:35
*** sapd1 has quit IRC		17:39
colby_	johnsom Here is my octavia config and curl command I used: https://pastebin.com/7erkcvM5	17:41
*** Krast has quit IRC		17:43
johnsom	colby_ I would check the ca_private_key file, make sure it has a ---- header and double check the passphrase unlocks it. Check the spacing around the passphrase, etc.	17:47
colby_	I used openssl to test the passphrase and it worked fine	17:53
colby_	ok Im at a loss. Ive checked the private key file. Everything looks fine. I used openssl (as the octavia user) to make sure I could view the key file and verify the password opened it correctly.	18:31
johnsom	Hmm, ok. Can you point me at that log file entry again from the worker process?	18:32
colby_	I use copied and pasted the values from the octavia config to make sure I had them the same	18:32
colby_	I can paste another one	18:32
johnsom	Thanks, I will refresh my memory of where that is occurring in the code and see if we can get more information out of the python library we are using.	18:34
colby_	https://pastebin.com/5WDU65zf	18:38
colby_	Thanks for your help	18:39
*** salmankhan has joined #openstack-lbaas		18:41
johnsom	colby_ What version of Octavia are you running?	18:42
colby_	1.0.2-1	18:43
johnsom	Ok, so back on Pike	18:46
colby_	yes we are running pike	18:46
*** salmankhan has quit IRC		18:46
colby_	we will probably be upgrading to queens in the next couple months	18:47
johnsom	Well, I can confirm it's not the ca_private_key_passphrase as I get a different error if that is wrong	18:57
johnsom	colby_ How hack-y are you willing to go on this host?	19:00
johnsom	Find the python OpenSSL module that the worker process is using (not sure if you are using venv or not).	19:02
johnsom	in the SSL.py file, find "use_privatekey_file" method, add some debug logging/print around the keyfile path it is using.	19:02
colby_	Im ok with that. Ill update my hosts where the workers are.	19:15
*** openstackgerrit has quit IRC		19:19
colby_	keyfile used: /etc/pki/tls/certs/octavia_client_cert.pem	19:54
colby_	that is not a keyfile	19:54
colby_	thats what is set as client cert: client_cert = /etc/pki/tls/certs/octavia_client_cert.pem	19:56
colby_	its not set anywhere else in the config	19:57
johnsom	#startmeeting Octavia	20:00
openstack	Meeting started Wed Aug 15 20:00:02 2018 UTC and is due to finish in 60 minutes. The chair is johnsom. Information about MeetBot at http://wiki.debian.org/MeetBot.	20:00
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	20:00
*** openstack changes topic to " (Meeting topic: Octavia)"		20:00
openstack	The meeting name has been set to 'octavia'	20:00
nmagnezi	o/	20:00
johnsom	Hi folks	20:00
cgoncalves	hellowoeeee!	20:00
johnsom	#topic Announcements	20:01
*** openstack changes topic to "Announcements (Meeting topic: Octavia)"		20:01
johnsom	We are still running the Rocky priority bug list:	20:01
johnsom	#link https://etherpad.openstack.org/p/octavia-priority-reviews	20:01
johnsom	Thank you to the folks that have been doing reviews there	20:01
johnsom	We will talk about RC2 later in the agenda	20:02
nmagnezi	We're planning to have another rc to include those?	20:02
nmagnezi	Ha, ok :)	20:02
johnsom	grin, that is what we will talk about	20:02
johnsom	The PTG etherpad is up:	20:02
nmagnezi	kk	20:02
johnsom	#link https://etherpad.openstack.org/p/octavia-stein-ptg	20:02
johnsom	Please add any topic ideas you may have. I think we are are less than a month out, so in the next week or two I will start putting a rough agenda together	20:03
johnsom	Any other announcements today?	20:03
johnsom	#topic Brief progress reports / bugs needing review	20:04
*** openstack changes topic to "Brief progress reports / bugs needing review (Meeting topic: Octavia)"		20:04
johnsom	I was on vacation with some relatives over the last week, so didn't get a lot done.	20:05
johnsom	I addressed three bug reports that we recently got. Those are up for review.	20:05
johnsom	I did tag the octavia-tempest-plugin for Rocky. We aren't cutting stable branches there, but we are tagging the releases now.	20:06
johnsom	That is the big summary for me. Anyone else?	20:06
johnsom	ok, moving on	20:07
nmagnezi	I mainly focus on my deep dive into active standby. Some of the issues I have reported	20:07
nmagnezi	Others will be reported next week	20:07
nmagnezi	With fixes	20:08
johnsom	Ok, let me know if you have questions or something I should look at (it's been busy, so I might have forgot something)	20:08
cgoncalves	not much from my side. UDP testing and more work on TripleO-Octavia integration for better CI coverage	20:08
nmagnezi	np, thank you :)	20:08
johnsom	#topic Do we want to cut an RC2?	20:08
*** openstack changes topic to "Do we want to cut an RC2? (Meeting topic: Octavia)"		20:08
nmagnezi	johnsom, right after that I plan to shift my focus to the migration tool that you wrote	20:08
johnsom	Ok, so we have six open patches on the priority review list. Do any of these look like things we need to merge and do an RC2?	20:09
* nmagnezi looks again		20:10
cgoncalves	if we have the opportunity for an RC2, why not?!	20:10
johnsom	True, I just need to have cores willing to review/vote/merge	20:11
johnsom	The first three I can vote on. If you all think they are a priority I will make some time this afternoon to review.	20:11
cgoncalves	it is my believe that most (if not all) top priority reviews look good and are small	20:12
nmagnezi	This looks important https://review.openstack.org/#/c/591876/	20:12
nmagnezi	#link https://review.openstack.org/#/c/591876/	20:12
johnsom	I would like to have these merged and backported to stable/rocky by about this time on friday.	20:12
cgoncalves	and stable/queens?! :D	20:12
johnsom	Yeah, that was reported by a user	20:13
johnsom	I was planning to cut queens after #6 on that list is merged	20:13
johnsom	But #5 is a good one too	20:13
johnsom	for queens that is	20:13
cgoncalves	+1	20:13
cgoncalves	"release early, release often"	20:14
johnsom	German is out on vacation, so it's really down to the rest of us	20:14
johnsom	Ok, so I am hearing, yes, we want an RC2. I will cut one about this time in two days. We need to get these in and backported by then or they don't make it.	20:15
johnsom	Then we backport them and do a followup release later.	20:15
cgoncalves	perfect, thanks!	20:15
johnsom	2 and 3 might be a bit on the risky side to merge, I need to look at those patches and judge the risk.	20:16
johnsom	Actually, 1,2, and 3 might be in that group	20:16
johnsom	I will take a look.	20:17
johnsom	Ok, any other RC2 discussion? Any other patches landing soon?	20:17
johnsom	#topic Open Discussion	20:18
*** openstack changes topic to "Open Discussion (Meeting topic: Octavia)"		20:18
johnsom	Ok, how about any other topics	20:18
cgoncalves	perhaps https://review.openstack.org/#/c/591893/	20:18
johnsom	Ah, yes, missed that one for the list	20:19
johnsom	So the summary here, is you can make a member pointed at the nova metadata IP and get the metadata for the amphora.	20:20
johnsom	So, this adds a way to blacklist IPs from being members, defaulting to the metadata IP.	20:20
nmagnezi	johnsom, not sure we can actually back port https://review.openstack.org/#/c/591893/ since it adds a config option	20:21
nmagnezi	it looks like a very important patch, so maybe we can make an exception for security reasons?	20:21
johnsom	Yeah, I think adding an option is better than changing an option. It has a valid default, so won't break people if they don't configure it.	20:22
johnsom	Ah, I need to add the sample octavia.conf entry and a release note too. (finished that patch late last night)	20:22
nmagnezi	I will review it tomorrow morning my time either way	20:22
nmagnezi	When did you plan to cut RC2 (if at all :) )	20:23
johnsom	I think it falls into the "compatible config change" category, so can be backported.	20:23
johnsom	It is a bit of a feature, but it does address a minor security concern	20:23
nmagnezi	johnsom, +1. I agree. Just wanted to point this out so we can double check ourselves here	20:24
cgoncalves	+1 for backporting	20:24
johnsom	Yep.	20:24
johnsom	It's a bummer, we don't even use the metadata service for the amps, so wish we could just turn it off, but we can't.	20:24
nmagnezi	Yeah, IIRC we use config-drive for SSH keys right?	20:25
johnsom	Right	20:25
johnsom	Plus the only ssh key in that metadata is the public key	20:25
johnsom	I'm not sure what all else is exposed there, but it's good to block it anyway	20:26
johnsom	Any other topics today?	20:27
cgoncalves	just a minor update that the networking-ovn team has been working actively on an octavia driver	20:27
cgoncalves	#link https://review.openstack.org/#/c/577395/	20:27
cgoncalves	I would like to have a non-voting CI job in octavia sometime in the near future	20:28
johnsom	Ok, I am open to that	20:28
nmagnezi	Sounds right to me	20:28
johnsom	I can't wait to drop the neutron-lbaas jobs. We have a lot of jobs at the moment	20:29
cgoncalves	+1	20:30
nmagnezi	+100	20:30
johnsom	I also need to look at nlbaas-dashboard. it looks like the docs job is grumpy there and I'm not sure why	20:31
johnsom	Oh, right, we need to get this merged:	20:32
johnsom	#link https://review.openstack.org/#/c/591261/	20:32
nmagnezi	noted.	20:33
johnsom	left overs from when horizon had integration tests	20:33
johnsom	Ok, well, if we don't have any other topics, I will go grab lunch.	20:34
nmagnezi	This patch looks good at a first glance	20:34
cgoncalves	all right, thanks folks!	20:34
johnsom	Yeah, we did something similar in octavia-dashboard a while ago	20:35
johnsom	Ok, thanks folks!	20:35
johnsom	#endmeeting	20:35
*** openstack changes topic to "Discussion of OpenStack Load Balancing (Octavia) \| https://etherpad.openstack.org/p/octavia-priority-reviews"		20:35
openstack	Meeting ended Wed Aug 15 20:35:13 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	20:35
openstack	Minutes: http://eavesdrop.openstack.org/meetings/octavia/2018/octavia.2018-08-15-20.00.html	20:35
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/octavia/2018/octavia.2018-08-15-20.00.txt	20:35
nmagnezi	O/	20:35
openstack	Log: http://eavesdrop.openstack.org/meetings/octavia/2018/octavia.2018-08-15-20.00.log.html	20:35
colby_	johnsom If you are free now Im wondering about the config for pike version. I looked here: https://docs.openstack.org/octavia/pike/configuration/configref.html#certificates and it seems to be missing all sorts of certificate config options I though were used	20:37
colby_	maybe that is my problem	20:37
*** openstackgerrit has joined #openstack-lbaas		20:41
openstackgerrit	Michael Johnson proposed openstack/octavia master: Allow blocking IPs from member addresses https://review.openstack.org/591893	20:41
*** abaindur has joined #openstack-lbaas		21:24
*** abaindur has quit IRC		21:26
*** abaindur has joined #openstack-lbaas		21:26
*** rcernin has joined #openstack-lbaas		21:29
colin-	anyone have suggestions for how to work past this error on a loadbalancer delete command?	21:36
colin-	clean_up DeleteLoadBalancer: Conflict (HTTP 409) (Request-ID: req-f9342b11-90f7-42d7-b6f9-a3d91121075a)	21:36
johnsom	colin- Looks like it is already in a PENDING_* state. Wait until the controller is finished retrying the action, then it will either be in ACTIVE or ERROR and you can delete it.	21:38
colin-	understood	21:40
colin-	any way to force that state as the operator?	21:41
colin-	if i'm unconcerned with the resource and any data on it	21:41
johnsom	Not really. It's a bad idea as the controller is actively working on the object. But, if you want to "do bad things"(tm) you can go into the database and change the provisioning status to ERROR by hand. The controller will get grumpy and attempt to revert things.	21:43
johnsom	colin- I would recommend adjusting the retry counts from the defaults so things fail faster. The defaults are super high to address gate host issues.	21:43
*** KeithMnemonic has quit IRC		21:44
colin-	yeah that makes sense. thanks for the additional info	21:53
*** abaindur has quit IRC		21:56
*** FracKen has left #openstack-lbaas		22:21
johnsom	Argh, looks like we have a bug with IPv6 in active/standby mode.	22:36
rm_work	johnsom: swept through and reviewed and was able to +2 a few of those priority ones people linked in the meeting	22:43
johnsom	rm_work Thanks	22:43
rm_work	not sure on the blocking IPs thing yet, that one is a little longer	22:43
rm_work	err, rather, a little more complex	22:44
rm_work	actually, nm it isn't that long it just looked like it was going to be	22:45
rm_work	i think I'm +2 there also	22:45
*** fnaval has quit IRC		22:45
rm_work	seems fine	22:45
rm_work	and yeah, i think the backport for that should be fine too, but i do tend to be pretty lenient on backports	22:46
rm_work	we should get someone else to cherry-pick these so we can both +2 :)	22:46
johnsom	Yeah, I thought about that	22:47
johnsom	Speaking of backports: https://review.openstack.org/#/c/592095	22:48
colby_	So since it appears pikes certificate config is very different than queens it might not work for me. Can I run the queens version of octavia with the rest of openstack being pike?	22:50
johnsom	colby_ Yes you can	22:50
rm_work	johnsom: or rocky :)	22:50
rm_work	err	22:50
rm_work	colby_: or rocky :P	22:50
johnsom	I didn't remember we changed that stuff much.	22:51
rm_work	yeah it shouldn't be that really	22:51
rm_work	i'm not aware of config changes to the cert stuff since basically ever	22:51
rm_work	colby_: i read most of the backlog, and i think you may be running into an issue that is similar to something I did	22:52
rm_work	you did determine that the wrong file was being provisioned as the "key" right?	22:52
colby_	yes	22:52
rm_work	the contents of what file ended up in the key	22:52
rm_work	?	22:52
colby_	but when the worker starts it does not even list some of the configs as being ready	22:52
colby_	so its loading what I have in client_cert config	22:53
colby_	as the key	22:53
rm_work	can you pastebin the whole config section for haproxy_amphora?	22:54
colby_	sure	22:54
rm_work	and controller_worker too	22:54
rm_work	while you're at it	22:54
openstackgerrit	Merged openstack/neutron-lbaas-dashboard master: Replace noop tests with registration test https://review.openstack.org/591261	22:54
rm_work	and [certificates]	22:54
colby_	here is my whole config: https://pastebin.com/7erkcvM5	22:54
rm_work	colby_: so, [certificates] + [haproxy_amphora] + [controller_worker]	22:55
rm_work	ah k that works	22:55
rm_work	;)	22:55
colby_	so according to the pike config reference: ca_certificate, ca_private_key, ca_private_key_passphrase dont exist	22:56
rm_work	hmmmmm	22:56
colby_	instead it has ca_certificates_file	22:56
colby_	they are not listed as loaded configs on worker start either	22:56
rm_work	hmmm in [certificates] yeah	22:57
rm_work	interesting	22:57
rm_work	ummm	23:00
rm_work	lol so	23:00
rm_work	it looks like [certificates] never had and still does not have anything but ca_certificates_file lol	23:00
rm_work	i noticed I have different ones in my [certificates] section too	23:01
rm_work	but they also aren't being read	23:01
rm_work	i think that section is bogus in our examples maybe?	23:01
rm_work	OH wait	23:01
colby_	ok so how would I make my certs work then?	23:02
openstackgerrit	Merged openstack/neutron-lbaas-dashboard master: Removes testr and switches cover to karma-coverage https://review.openstack.org/570442	23:02
rm_work	https://github.com/openstack/octavia/blob/master/octavia/certificates/common/local.py	23:03
rm_work	they come from that	23:03
rm_work	which is ... confusing	23:03
rm_work	but people didn't want them in the main config because they were specific to one "driver" for certificate generation	23:03
rm_work	so they are probably being read fine	23:03
rm_work	and they are only used during the generation process, so are unrelated to what happens after	23:04
rm_work	i don't think those are your problem	23:04
colby_	ok so then why is the worker trying to read my client_cert as my key?	23:04
rm_work	can you triple check the files that are present on your worker host	23:04
rm_work	and make sure they are actually the correct data in those filenames	23:04
rm_work	can you paste the contents of the agent's config too?	23:05
*** abaindur has joined #openstack-lbaas		23:06
colby_	the agent on the running instance right?	23:06
rm_work	yes	23:06
rm_work	and, the contents of the cert files are correct on the agent? it just literally tries to use the wrong filename when loading the key?	23:06
johnsom	rm_work It's the controller worker that is saying it has a bogus key file	23:07
colby_	yes I believe so. I added a log output that just echoed the contents of keyfile in the "use_privatekey_file method of SSL.py	23:07
rm_work	err is it?	23:07
rm_work	i thought he was saying it was on the amp, let me read scrollback again	23:07
johnsom	https://pastebin.com/5WDU65zf	23:07
colby_	those are controller_worker logs	23:08
rm_work	ok	23:08
rm_work	so yeah nm, one sec	23:08
*** abaindur has quit IRC		23:09
colby_	Thanks for helping me track this down guys	23:09
*** abaindur has joined #openstack-lbaas		23:10
johnsom	colby_ Thanks for pointing out that this is an area we need to clean up. It is clearly not right at the moment, confusing at the least.	23:12
rm_work	yes it is very freaking confusing	23:14
rm_work	umm	23:14
rm_work	ok so i think one of these cert files needs to be like a COMBO cert/key	23:14
rm_work	checking for sure	23:14
rm_work	because i actually do not see where we define a privatekey file anywhere	23:14
rm_work	besides the [certificates] section, which as i said, is not used for this	23:15
johnsom	Yeah, I am thinking there is some settings missing here.	23:15
johnsom	is/are	23:15
rm_work	i am actually gonna go look on my CW	23:15
rm_work	his config looks the same as mine tho	23:15
rm_work	ok client.pem is the combined one	23:16
colby_	ok so it should be the client cert and key then?	23:16
rm_work	yes both together	23:17
rm_work	mine is cert, then key concatenated on	23:17
rm_work	what is in yours	23:17
rm_work	guessing just the cert	23:18
rm_work	;)	23:18
rm_work	IIRC there was a reason for this	23:18
rm_work	just don't remember what ATM	23:18
rm_work	let me see if i can figure out the answer	23:18
*** rcernin has quit IRC		23:18
*** rcernin has joined #openstack-lbaas		23:19
rm_work	ah i think it's how the ssl adapter works	23:19
rm_work	https://github.com/openstack/octavia/blob/stable/pike/octavia/amphorae/drivers/haproxy/rest_api_driver.py#L237	23:19
rm_work	err, sorry, the requests session	23:19
johnsom	We need to write this stuff down somewhere	23:20
rm_work	http://docs.python-requests.org/en/master/user/advanced/#client-side-certificates	23:20
rm_work	yep it is due to Requests	23:20
rm_work	ah it looks like it supports a tuple now	23:21
rm_work	i think it didn't before	23:21
rm_work	but we can't encrypt it <_<	23:21
rm_work	so	23:21
colby_	ah ok that fixed that error. Now I get: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],	23:23
colby_	so Ill work on that tomorrow :)	23:23
colby_	thanks guys	23:23
rm_work	np	23:24
openstackgerrit	Merged openstack/octavia master: Imported Translations from Zanata https://review.openstack.org/590128	23:45

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!