Friday, 2018-08-17

« Thursday, 2018-08-16 Index Saturday, 2018-08-18 »
*** SumitNaiksatam has quit IRC00:01
*** SumitNaiksatam has joined #openstack-lbaas00:02
*** SumitNaiksatam has quit IRC00:07
abaindurjohnsom: Is there a way to test https TLS load balancer with the local_cert_manager?00:20
abaindurWe just want to validate https it works and try some l7 policies00:20
abaindurDon't have Barbican setup00:20
*** longkb has joined #openstack-lbaas00:36
*** hongbin has joined #openstack-lbaas01:04
*** SumitNaiksatam has joined #openstack-lbaas01:20
*** abaindur has quit IRC01:21
*** ianychoi has joined #openstack-lbaas01:47
*** HW_Peter has quit IRC02:36
*** gans has joined #openstack-lbaas03:06
*** sapd1 has quit IRC03:09
johnsomabaindur I think you just drop your certs in whatever directory is defined by CONF.certificates.storage_path and name the file whatever you use for the reference ID.03:13
johnsomhttps://github.com/openstack/octavia/blob/master/octavia/certificates/manager/local.py#L97-L10203:13
johnsomBy certs, I mean the one cert that driver can handle03:13
johnsomfor testing03:13
*** gans has quit IRC03:14
johnsomCores, this needs one more vote to fix the gates/bandit check: https://review.openstack.org/#/c/592756/03:19
*** abaindur has joined #openstack-lbaas03:33
*** abaindur has quit IRC03:33
*** abaindur has joined #openstack-lbaas03:33
*** abaindur has quit IRC03:33
*** abaindur has joined #openstack-lbaas03:34
*** abaindur has quit IRC03:34
*** abaindur has joined #openstack-lbaas03:35
*** SumitNaiksatam has quit IRC03:50
*** SumitNaiksatam has joined #openstack-lbaas03:51
*** hongbin has quit IRC03:57
*** blake has joined #openstack-lbaas03:59
*** blake has quit IRC04:10
rm_worknmagnezi: need a +A on https://review.openstack.org/#/c/592756/1 after it passes the recheck04:24
rm_workif you're around04:24
*** ramishra has joined #openstack-lbaas04:32
*** SumitNaiksatam has quit IRC04:48
*** SumitNaiksatam has joined #openstack-lbaas04:54
openstackgerritJames Page proposed openstack/octavia master: Fix compat with Python >= 3.6  https://review.openstack.org/59282905:33
*** sapd1 has joined #openstack-lbaas05:44
*** velizarx has joined #openstack-lbaas06:53
*** pcaruana has joined #openstack-lbaas06:54
*** rcernin has quit IRC06:55
*** abaindur has quit IRC06:58
*** abaindur has joined #openstack-lbaas06:59
*** longkb has quit IRC07:03
*** longkb has joined #openstack-lbaas07:03
*** velizarx has quit IRC07:24
*** velizarx has joined #openstack-lbaas07:43
devfazHi, is anybody using amphora with xenial? Currently trying to run octavia-tempest-tests against latest-amphora (xenial) and it looks like there is a problem with new net-device-naming schema. Amphora is returning an 500, because dad is running into an timeout. Took a look and dad is trying to up eth1, but there is just an ensX-device?!07:51
*** longkb has quit IRC08:02
*** longkb has joined #openstack-lbaas08:02
*** ktibi has joined #openstack-lbaas08:04
*** luksky has joined #openstack-lbaas08:23
*** abaindur has quit IRC08:53
*** abaindur has joined #openstack-lbaas08:55
*** salmankhan has joined #openstack-lbaas09:37
cgoncalvesCPU load average: 794.80, 467.48, 491.3409:55
cgoncalvesyay health manager! https://storyboard.openstack.org/#!/story/200347909:55
*** dayou has joined #openstack-lbaas09:56
*** sapd1 has quit IRC10:09
devfazjust created a story, because adding netdev/biosdevname option to kernel fixed my issue: https://storyboard.openstack.org/#!/story/200348110:20
cgoncalvesdevfaz, CI jobs build and test xenial amphorae. do you know how come you're seeing that issue whereas CI is not?10:27
devfazsorry, no idea. Just a stupid shell-script running the diskimage-create.sh after cloning the other repos. Do you have some info/link to the ci job - maybe I can look for the difference.10:29
devfazcgoncalves: found it - will take a look10:40
cgoncalvesdevfaz, https://github.com/openstack/octavia/blob/master/diskimage-create/diskimage-create.sh#L18610:42
devfazcgoncalves, right - im also just running this script. Im currently trying to find out if the created amphora is also using ensX-devices or if our cloud/kvm settings may trigger this.10:43
*** ramishra has quit IRC11:04
cgoncalvesdevfaz, ok. let us know what you find :)11:07
*** longkb has quit IRC11:07
devfazcgoncalves, currently I verified: yes, the job is using the created image :)11:07
devfazcgoncalves, is there a way to download the image to test the binary-version directly?11:08
*** ramishra has joined #openstack-lbaas11:23
cgoncalvesdevfaz, what do you mean by binary-version?11:27
devfazcgoncalves, the qcow2-file11:27
devfazfyi: just running devstack in the hope it creates an amphora-image automatically :)11:28
devfazjust found the CI-Jobs are running on bionic and im using xenial on the host, too. But I would assume the tests exist longer than bionic and also were executed on xenial in the past, too?11:29
devfaz1. im trying to get the image out of devstack11:30
cgoncalvesby default all CI jobs use xenial. there's an extra job that uses bionic11:30
devfaz2. im trying to update qemu/libvirt to bionic11:30
devfazarg..11:30
devfazok, so 2. is obsolete :)11:30
cgoncalvesso, let's recap :)11:31
cgoncalvesyou can either invoke diskimage-create.sh script from octavia repo directly and specificy which distro/version you want and get the qcow11:31
cgoncalvesor run devstack with defaults and that will build a ubuntu-minimal xenial amphora11:31
cgoncalvesyou can get the qcow. it will be in /opt/stack/octavia/diskimage-create if I'm not mistaken11:32
cgoncalvesyou can also change the default distro/version devstack builds with some flags in local.conf11:32
cgoncalvesfor example11:33
cgoncalvesOCTAVIA_AMP_BASE_OS=centos11:33
cgoncalvesOCTAVIA_AMP_DISTRIBUTION_RELEASE_ID=711:33
cgoncalvesOCTAVIA_AMP_IMAGE_SIZE=311:33
cgoncalveswould create a centos 7 amphora with a disk size of 3GB11:33
cgoncalvesdevfaz, probably you would like to get the periodically built xenial image :)11:34
cgoncalveshttps://tarballs.openstack.org/octavia/test-images/11:34
devfazcgoncalves, great! I will give it a try11:35
devfazcgoncalves, just booted the image and got an ens3 device. I will start the tempest-test, but I would suggest they will fail again11:48
cgoncalvesdevfaz, very likely to fail, yes11:48
devfazcgoncalves, is there a way to get the console-out of an amphora used during the ci-jobs?11:57
cgoncalvesdevfaz, openstack console log show <amphora vm id>11:57
devfazcgoncalves, I know - but I dont have the credentials for the public openstack-ci-cloud ;)11:58
cgoncalvesah, sorry, ci jobs, missed that part11:58
cgoncalveswell, no11:58
devfazcgoncalves, nevertheless.. if octavia needs ethX-naming-scheme, this should be actively requested, isnt it?12:01
cgoncalvesdevfaz, hmmm I would say yes if we can reproduce your issue12:02
cgoncalvesI think it is a valid one, anyway, regardless if we can reproduce or not12:02
devfazok, I assume you dont have an ubuntu-hv near you ;)12:02
cgoncalvescentos only :)12:02
devfaz;)12:03
cgoncalveshttps://docs.openstack.org/diskimage-builder/latest/elements/stable-interface-names/12:03
cgoncalveshmmmm12:03
devfazwell, but way is ci not affected?12:06
cgoncalvesdevfaz, try appending "stable-interface-names" to AMP_element_sequence in octavia/diskimage-create/diskimage-create.sh and build new image12:08
devfazcgoncalves, I think "stable-interface-names" is trying to enable the "stable" (aka. Predictable Network Interface Names) but I will give it a try12:09
devfazhttps://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/12:10
cgoncalvesoh12:12
devfazcgoncalves, ok - looks like biosdevnames is something similar to systemds way to reach the same goal12:13
devfazhttp://linux.dell.com/files/whitepapers/consistent_network_device_naming_in_linux.pdf12:13
devfazstatus update: amphora is building; "old" test-image-amphora is - as assumed - failing in tempest12:18
cgoncalvesjohnsom may know this interface naming better as he uses ubuntu amps :)12:19
*** velizarx has quit IRC12:31
*** velizarx has joined #openstack-lbaas12:41
devfazcgoncalves: just fyi - enabling stable-interface-names changed nothing.13:11
devfazstill ens313:11
*** ramishra has quit IRC13:33
johnsomdevfaz: yeah, we use xenial. I just opened a bug about this, it is a bug when using IPv6 vip on active/standby lbs. It is not related to interface naming (the amp agent handles that for us by using mac addresses).13:41
devfazjohnsom, great thx!13:42
johnsomcgoncalves: do you need that neutron sync junk enabled?13:46
cgoncalvesjohnsom, what? where?13:57
*** ramishra has joined #openstack-lbaas14:00
johnsomcgoncalves: you HM /Rabbit issue14:24
cgoncalvesoh, sh*t! it is enabled indeed...14:28
cgoncalveshttp://git.openstack.org/cgit/openstack/tripleo-heat-templates/tree/puppet/services/octavia-health-manager.yaml#n7414:29
cgoncalvesbah!14:29
*** velizarx has quit IRC14:47
*** SumitNaiksatam has quit IRC14:51
*** rpittau has quit IRC14:54
johnsomYeah, double check the provisioning sync isn't on either14:55
cgoncalvesit's good there14:56
cgoncalves./octavia.conf:# sync_provisioning_status = False14:56
johnsomok14:56
devfazjohnsom: I will keep my workaround (old nic-naming-schema) active, because it will fix my tempest-tests. Do you see any furhter/other troubles I may introduce with it?14:56
johnsomdevfaz The issue with the v6 tests on active/standby shouldn't be a interface naming issue, at least not how I saw it yesterday when I opened the bug.  It's an issue in how we are plugging the ports and bringing up the interfaces.  Do you have more information?14:58
devfazjohnsom, well with the old-interface-naming the tests pass and the "err"-msg changed into something like "oh, eth1 is already configured..."14:59
johnsomHmm, what was your fix again?15:00
devfazI think I have to do some further testing. Is there a way to introduce some active/passive-gate-testing to avoid such issues in future?15:00
devfazexport DIB_BOOTLOADER_DEFAULT_CMDLINE="net.ifnames=0 biosdevname=0 nofb nomodeset vga=normal"15:01
devfazjohnsom,15:01
johnsomYes, the hold up has been the gate hosts can't handle that many VMs in the test runs. They don't have enough memory. But now the multi-node stuff for zuulv3 is fixed, we should be able to get some gates in.15:01
johnsomHmmm, if I remember the code right, when the amphora agent moves the interfaces into the network namespace, it finds the right interface by MAC address and renames them to eth1, eth2, etc.15:03
*** fnaval has joined #openstack-lbaas15:22
*** strigazi has quit IRC16:05
*** strigazi has joined #openstack-lbaas16:06
*** strigazi has quit IRC16:06
*** luksky has quit IRC16:06
*** strigazi has joined #openstack-lbaas16:07
*** ktibi has quit IRC16:07
*** salmankhan has quit IRC16:12
*** salmankhan has joined #openstack-lbaas16:13
*** strigazi has quit IRC16:13
*** strigazi has joined #openstack-lbaas16:14
*** ramishra has quit IRC16:19
openstackgerritMerged openstack/octavia master: "Resolve" bandit issue with sha1 hashes  https://review.openstack.org/59275616:26
*** salmankhan has quit IRC16:32
*** salmankhan has joined #openstack-lbaas16:34
openstackgerritMerged openstack/octavia master: Allow blocking IPs from member addresses  https://review.openstack.org/59189316:39
*** SumitNaiksatam has joined #openstack-lbaas16:47
*** hvhaugwitz has quit IRC16:49
*** hvhaugwitz has joined #openstack-lbaas16:50
*** salmankhan1 has joined #openstack-lbaas16:55
*** salmankhan has quit IRC16:55
*** salmankhan1 is now known as salmankhan16:55
*** salmankhan has quit IRC17:22
*** luksky has joined #openstack-lbaas17:26
*** amuller has joined #openstack-lbaas17:27
*** amuller has quit IRC17:29
openstackgerritAkihiro Motoki proposed openstack/octavia-dashboard master: Drop nose dependencies  https://review.openstack.org/59314519:10
openstackgerritAkihiro Motoki proposed openstack/neutron-lbaas-dashboard master: Drop nose dependencies  https://review.openstack.org/59314719:21
abaindurjohnsom: to clarify, when we create a pool member, we do not need to specify the subnet correct? If we want the amphora VM to have direct L2 connectivity to that subnet/backend pool members, we can specify the subnet20:32
abaindurbut if we do not, we can give any arbitrary IP (assuming it is routable), such as the floating IP of the backend pool members20:32
abaindurinstead of its fixed IP and directly attaching the subnet to amphora20:32
johnsomabaindur, If you do not specify the subnet for members, it will go out the VIP subnet.20:32
abaindurinteresting. So theoretically we can have a loadbalancer for VMs that are not even part of our Openstack cloud20:33
johnsomSimilar, as long as a member has a route out the subnet you specify, it doesn't actually have to live on the subnet you specify20:33
abaindursince our VIP subnet must be reachable by the worker processing running on the host, this implies its a provider network and already has external access20:34
johnsomCorrect, you could put www.openstack.org in and we will load balance it as long as the member network has a route there20:34
johnsomYou are using the same subnet for lb-mgmt-net and the VIPs?20:34
abainduryea, our VIP subnet is a provider network routed by physical router w/ external access and to other data centers20:34
abainduryes, same subnet ID we specify when creating the loadbalancer20:35
johnsomOctavia worker does not need access to the VIP network, normally.20:35
johnsomOk20:35
abainduroh so we can specify a 3rd subnet for the VIP too?20:36
abaindurok, i was assuming it was on the lb mgmt net20:36
johnsomNo, VIP does not live on lb-mgmt-net unless you tell it to.  There are the following:20:36
johnsom1. lb-mgmt-net: Just for controller processes and amphora-agent.  Network namespace isolated from the VIP and member networks. Typically a private neutron network. Does not need external/internet access.20:37
johnsom2. VIP network: User specifies this at load balancer creation time. Used for tenant traffic and IP the user connects to the LB on. If the users does not specify a subnet for a member, it is also the member network (This is a one-armed load balancer).20:38
johnsom3. Member network(s): One or more networks the user specifies at member creation time. If none specified, the VIP network is used, otherwise if the network is not already attached to the amphora, we hot plug that network into the isolated network namespace for the tenant traffic.20:39
abaindurbut lb-mgmt-net needs external access right? How else will our octavia-worker process, which runs directly on the host - not a VM - communicate with it? Here the worker is talking out the host's networking, not via OVS or any neutron network20:40
johnsomlb-mgmt-net does not need external access.20:40
johnsomJust the controller processes and the amphora-agents talk on that network. You can make it external if you want, but that is up to how you deploy your Octavia.20:41
abaindurso if our lg-mbmt-net is an isolated tenant network, 192.168.1.0/24, How does the controller process on host talk to it?20:42
abaindurthe controller's traffic would leave directly from the host - no OVS20:42
abaindurhence we had to tag that subnet 192.168.1.0/24 and its vlan in our physical router20:43
johnsomWell, you can add a port on the host that connects to OVS like we do in devstack, you can add the host to a neutron vxlan, you can use private provider nets, etc.  Many different ways to do it.20:44
*** KeithMnemonic has quit IRC21:11
*** fnaval has quit IRC22:40
*** SumitNaiksatam has quit IRC22:46
*** SumitNaiksatam has joined #openstack-lbaas22:47
*** SumitNaiksatam has quit IRC23:21
*** SumitNaiksatam has joined #openstack-lbaas23:22
*** luksky has quit IRC23:25
*** SumitNaiksatam has quit IRC23:30
« Thursday, 2018-08-16 Index Saturday, 2018-08-18 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!