Thursday, 2018-08-23

00:37 <openstackgerrit> Adam Harwell proposed openstack/octavia master: DNM: three dumb downstream things to fix, IGNORE  https://review.openstack.org/593986
01:06 *** harlowja has quit IRC
01:28 *** abaindur has joined #openstack-lbaas
01:30 *** abaindur has quit IRC
01:31 *** abaindur has joined #openstack-lbaas
01:38 <openstackgerrit> Adam Harwell proposed openstack/octavia master: DNM: three dumb downstream things to fix, IGNORE  https://review.openstack.org/593986
01:48 *** abaindur has quit IRC
01:57 *** hongbin has joined #openstack-lbaas
02:05 <openstackgerrit> Michael Johnson proposed openstack/octavia master: Fix the amphora noop driver  https://review.openstack.org/595390
02:18 <openstackgerrit> Michael Johnson proposed openstack/octavia-tempest-plugin master: Fix tests to honor Octavia API versioning  https://review.openstack.org/594786
02:29 *** jiteka has quit IRC
02:29 *** ctracey has quit IRC
03:21 *** hongbin_ has joined #openstack-lbaas
03:24 *** hongbin has quit IRC
03:49 *** abaindur has joined #openstack-lbaas
03:53 *** abaindur has quit IRC
04:27 *** KeithMnemonic has quit IRC
04:43 *** yboaron_ has joined #openstack-lbaas
04:44 *** ramishra has joined #openstack-lbaas
04:51 *** abaindur has joined #openstack-lbaas
04:56 *** abaindur has quit IRC
05:19 *** hongbin_ has quit IRC
05:27 *** dmellado has joined #openstack-lbaas
06:14 *** dolly has quit IRC
06:33 *** abaindur has joined #openstack-lbaas
06:33 *** pcaruana has joined #openstack-lbaas
06:49 *** ramishra has quit IRC
06:59 *** rcernin has quit IRC
07:07 *** ramishra has joined #openstack-lbaas
07:12 <openstackgerrit> Carlos Goncalves proposed openstack/octavia-tempest-plugin master: Gate on CentOS 7 and check on Ubuntu Bionic  https://review.openstack.org/587414
07:15 *** numans_ has joined #openstack-lbaas
07:17 *** abaindur has quit IRC
07:21 *** abaindur has joined #openstack-lbaas
07:22 *** yboaron_ has quit IRC
07:38 *** celebdor has joined #openstack-lbaas
07:40 *** abaindur has quit IRC
07:41 *** abaindur has joined #openstack-lbaas
07:45 *** abaindur_ has joined #openstack-lbaas
07:46 *** abaindur has quit IRC
08:02 *** velizarx has joined #openstack-lbaas
08:04 *** ktibi has joined #openstack-lbaas
08:06 *** abaindur_ has quit IRC
08:18 *** velizarx has quit IRC
08:30 *** yboaron_ has joined #openstack-lbaas
08:35 *** velizarx has joined #openstack-lbaas
08:49 *** pck has quit IRC
08:50 *** pck has joined #openstack-lbaas
09:15 <openstackgerrit> ZhaoBo proposed openstack/octavia master: [UDP] Update amphora agent api ref  https://review.openstack.org/588893
10:18 <sapd1> Hi johnsom, I would like to add expected status as format (2|3|4)[0-9][0-9]. How to do that?
10:41 <openstackgerrit> Carlos Goncalves proposed openstack/octavia master: WIP: Ensure required options are set on startup  https://review.openstack.org/595578
11:14 *** jiteka has joined #openstack-lbaas
11:38 <openstackgerrit> Yang JianFeng proposed openstack/octavia master: Add quota support to octavia's l7policy and l7rule  https://review.openstack.org/590620
11:40 <openstackgerrit> Yang JianFeng proposed openstack/octavia master: Add quota support to octavia's l7policy and l7rule  https://review.openstack.org/590620
11:50 *** yboaron_ has quit IRC
11:51 *** yboaron_ has joined #openstack-lbaas
12:02 *** yboaron_ has quit IRC
12:16 *** pcaruana has quit IRC
12:16 *** pcaruana has joined #openstack-lbaas
12:27 *** yboaron_ has joined #openstack-lbaas
12:35 *** velizarx has quit IRC
12:37 *** dims_ is now known as dims
12:38 *** yboaron_ has quit IRC
12:46 *** KeithMnemonic has joined #openstack-lbaas
12:47 *** velizarx has joined #openstack-lbaas
13:13 <openstackgerrit> Nguyen Hai proposed openstack/neutron-lbaas master: import zuul job settings from project-config  https://review.openstack.org/595749
13:13 <openstackgerrit> Nguyen Hai proposed openstack/neutron-lbaas master: switch documentation job to new PTI  https://review.openstack.org/595750
13:13 <openstackgerrit> Nguyen Hai proposed openstack/neutron-lbaas-dashboard master: import zuul job settings from project-config  https://review.openstack.org/595751
13:13 <openstackgerrit> Nguyen Hai proposed openstack/neutron-lbaas-dashboard master: switch documentation job to new PTI  https://review.openstack.org/595752
13:13 <openstackgerrit> Nguyen Hai proposed openstack/octavia master: import zuul job settings from project-config  https://review.openstack.org/595753
13:13 <openstackgerrit> Nguyen Hai proposed openstack/octavia master: switch documentation job to new PTI  https://review.openstack.org/595754
13:13 <openstackgerrit> Nguyen Hai proposed openstack/octavia master: add python 3.6 unit test job  https://review.openstack.org/595755
13:13 <openstackgerrit> Nguyen Hai proposed openstack/octavia-dashboard master: import zuul job settings from project-config  https://review.openstack.org/595756
13:13 <openstackgerrit> Nguyen Hai proposed openstack/octavia-dashboard master: switch documentation job to new PTI  https://review.openstack.org/595757
13:14 <openstackgerrit> Nguyen Hai proposed openstack/octavia-tempest-plugin master: import zuul job settings from project-config  https://review.openstack.org/595758
13:14 <openstackgerrit> Nguyen Hai proposed openstack/octavia-tempest-plugin master: switch documentation job to new PTI  https://review.openstack.org/595759
13:14 <openstackgerrit> Nguyen Hai proposed openstack/python-octaviaclient master: import zuul job settings from project-config  https://review.openstack.org/595760
13:14 <openstackgerrit> Nguyen Hai proposed openstack/python-octaviaclient master: switch documentation job to new PTI  https://review.openstack.org/595761
13:14 <openstackgerrit> Nguyen Hai proposed openstack/python-octaviaclient master: add python 3.6 unit test job  https://review.openstack.org/595762
13:35 *** velizarx has quit IRC
13:35 *** ktibi has quit IRC
13:35 *** ktibi_ has joined #openstack-lbaas
13:41 *** fnaval has joined #openstack-lbaas
13:44 *** yboaron has joined #openstack-lbaas
13:50 *** velizarx has joined #openstack-lbaas
13:51 *** celebdor has quit IRC
13:57 <cgoncalves> speaking of py3 community goal ^
13:59 *** ianychoi has quit IRC
14:00 *** ianychoi has joined #openstack-lbaas
14:01 *** celebdor has joined #openstack-lbaas
14:06 <nmagnezi> cgoncalves, looks like *all* projects are going to meet the goal :D https://review.openstack.org/#/q/owner:%22Nguyen+Hai%22+status:open
14:46 <cgoncalves> fine by me
14:49 *** sapd1 has quit IRC
14:50 *** Swami has joined #openstack-lbaas
14:50 *** sapd1 has joined #openstack-lbaas
14:55 <cgoncalves> [health_manager]/controller_ip_port_list doesn't seem to be the right place. It misleads admins into thinking the opt is consumed by the health manager service
14:55 <cgoncalves> [controller_worker]/controller_ip_port_list would be better, no?
14:57 *** rpittau has quit IRC
14:59 <johnsom> HM is the only process listening on the ip:ports in that list...
15:23 *** ktibi_ has quit IRC
15:23 *** ktibi_ has joined #openstack-lbaas
15:36 *** velizarx has quit IRC
15:36 *** pcaruana has quit IRC
16:07 *** ktibi_ has quit IRC
16:09 <cgoncalves> johnsom, sorry, didn't understand
16:16 <openstackgerrit> Carlos Goncalves proposed openstack/octavia-tempest-plugin master: WIP: Add octavia-v2-dsvm-scenario-ipv6  https://review.openstack.org/594078
16:17 *** harlowja has joined #openstack-lbaas
16:40 *** harlowja has quit IRC
16:49 *** Swami has quit IRC
16:52 *** ramishra has quit IRC
16:56 *** yboaron has quit IRC
18:14 *** bbbbzhao_ has quit IRC
18:52 *** pcaruana has joined #openstack-lbaas
18:53 *** abaindur has joined #openstack-lbaas
19:09 *** pcaruana has quit IRC
19:48 *** vakuznet has joined #openstack-lbaas
19:50 <vakuznet> hi, can octavia work with barbican? If so, how to set it up?
19:51 <rm_work> yes
19:51 <rm_work> our devstack plugin is a good place to look for sample config -- it will use barbican
19:54 <vakuznet> i'm getting octaviaclient.api.v2.octavia.OctaviaClientException: Could not retrieve certificate:
19:56 <jiteka> sapd1 johnsom : so about these API calls that were never failing for any GET (that stay with the API) but sometimes fail silently on POST actions that are forwarded to octavia-worker: got a simple explanation that won't require a story
19:57 <jiteka> sapd1 johnsom : I just forgot to kill a test server that was running all octavia services with an older version and wrong configuration, and octavia-worker was fetching msgs from RabbitMQ and failing on every attempt to contact the amphora REST API (cert problem)
19:59 <rm_work> haha yeah that has happened to me
19:59 <rm_work> "wtf why do some of my requests just disappear"
19:59 <jiteka> rm_work: I was absolutely looking everywhere
19:59 <rm_work> "oh right i forgot about that old defunct control-plane test from a month ago"
19:59 <rm_work> still pulling from RMQ :P
20:00 <jiteka> rm_work: was like, ok it's haproxy in front; no, because I have the GET. So it's probably between uwsgi/nginx or between the octavia-api binary and uwsgi
20:01 <rm_work> vakuznet: what version of octavia are you using?
20:01 <jiteka> rm_work: the worst part was that the failure was random, so insisting on the same command would always work (if another octavia-worker took it)
20:02 <rm_work> yes
20:02 <rm_work> lol
20:06 <vakuznet> rm_work: 2.0.2.dev30
20:06 <rm_work> err
20:06 <rm_work> is that master?
20:07 <rm_work> or rocky basically?
20:07 <rm_work> or was 2.0 queens?
20:08 <vakuznet> queens
20:09 <rm_work> cgoncalves: did we merge the barbican auto-acl stuff?
20:09 <rm_work> i've been a little out of the loop
20:14 <johnsom> rm_work Yeah, it merged, but for Rocky
20:14 <rm_work> and not backported, k
20:15 <rm_work> vakuznet: so probably octavia's service account does not have access to that secret in barbican
20:15 <rm_work> you'll either need to create an ACL on the secret to allow it, or else grant the octavia account global access to barbican secrets via policy (this is gross but lots of people do it if they don't care so much about security)
20:46 <cgoncalves> rm_work, yes
20:46 <cgoncalves> oh, johnsom had already replied, sorry :)
20:52 <vakuznet> like that?  openstack acl user add --user octavia $URI
20:54 <rm_work> ah, no
20:58 <rm_work> oh, wait, maybe it is
20:58 <rm_work> i thought they put acl under the secret resource but i guess not
20:58 <rm_work> so yeah, looks like your command is correct
21:05 *** abaindur has quit IRC
21:06 *** abaindur has joined #openstack-lbaas
21:10 *** abaindur_ has joined #openstack-lbaas
21:12 *** abaindur has quit IRC
21:16 *** abaindur has joined #openstack-lbaas
21:16 *** abaindur_ has quit IRC
21:16 <vakuznet> rm_work, still got 400 Could not retrieve certificate
21:17 <rm_work> do the octavia api logs show any more info? a traceback or something?
21:21 *** abaindur_ has joined #openstack-lbaas
21:23 *** abaindur has quit IRC
21:27 *** abaindur has joined #openstack-lbaas
21:28 *** abaindur_ has quit IRC
21:29 *** vakuznet has quit IRC
21:33 *** abaindur_ has joined #openstack-lbaas
21:33 *** vakuznet has joined #openstack-lbaas
21:35 *** abaindur has quit IRC
21:37 *** vakuznet has quit IRC
21:42 *** abaindur has joined #openstack-lbaas
21:43 *** abaindur_ has quit IRC
21:46 *** rcernin has joined #openstack-lbaas
22:33 <abaindur> johnsom: have some other cert related questions
22:33 <johnsom> Uh-Oh... grin
22:33 <abaindur> the docs say that octavia acts as a certificate authority itself
22:33 <abaindur> when you spin up a new amphora, does it create a new cert for each amphora?
22:34 <abaindur> or do they use the same cert specified in client_cert in [haproxy_amphora]?
22:34 <johnsom> It does, yes, correct. Each amphora gets its own cert. The housekeeping process will rotate them automatically
22:34 <abaindur> what is the client_cert in haproxy_amphora then?
22:36 <johnsom> We do two-way authentication with the amphora when connecting. The amp presents its certificate, the controller presents the "client" certificate. Both sides validate them against the CAs they have
22:36 <johnsom> https://en.wikipedia.org/wiki/Mutual_authentication
22:36 <abaindur> How do the certs get into the amphora?
22:37 <johnsom> They are loaded at amphora boot time via config drive or via the amphora agent API.
22:38 <johnsom> Each amp cert has its amphora ID as the subject, making them unique
22:43 <abaindur> ah ok, and johnsom: what then is the diff between server_ca and client_ca?
22:43 <abaindur> i remember reading previously here we aren't supposed to use the same?
22:44 <johnsom> Server CA is what the controllers use to validate the amphora certs. Client CA is what the amphora uses to validate the controller "client" certs
22:45 <johnsom> Right, you don't want an amp to use its own cert to pretend to be a controller, thus both roles have their own CA
22:49 <abaindur> ok, still trying to wrap my head around it, it's a little confusing :)
22:49 <abaindur> i got it to work by blindly running the create certs script, and emulating what devstack does
22:49 <abaindur> But want to understand what needs to be done in production
22:49 <johnsom> Yeah we still need that detailed installation guide...
22:51 <abaindur> ca_certificate refers to which CA?
22:51 <abaindur> the client or server?
22:51 <abaindur> and server here refers to the octavia controller worker, and client, the amphora?
22:52 <johnsom> Should be the other way around. The amphora is the "server", the controllers are the clients.
22:53 *** threestrands has joined #openstack-lbaas
22:55 *** celebdor has quit IRC
23:00 <abaindur> johnsom: i guess i am confused between the ca_certificate and the client_ca then
23:00 <abaindur> we have them set to the same .pem key
23:01 *** fnaval has quit IRC
23:01 <abaindur> noticed the ca_certificate and ca_private_key are missing from the config docs too
23:02 <rm_work> <johnsom> Should be the other way around. The amphora is the "server", the controllers are the clients.
23:02 <rm_work> ^^ THAT is the part that is the real confusing bit for most people
23:02 <johnsom> Yeah, I need to look if I can fix that or not. It's because those config definitions are in the certificate driver code
23:03 <rm_work> it even took me a bit to really internalize that
23:03 <rm_work> and i still get confused periodically
23:03 <rm_work> because yeah, the "server" is the amp-agent
23:03 <johnsom> We could have named the stuff better in the config file too
23:04 <johnsom> So, in production, you don't want those two to be the same.
23:04 <johnsom> The ca_certificate configs are for the controllers to generate the "server" certs issued to the amphora and to validate them.
23:05 <johnsom> client_ca is loaded onto the amphora to validate the "client" certificate the controllers are going to present to the amphora on connection
23:10 <abaindur> So it seems like server_ca == ca_certificate?
23:10 <abaindur> that is what I am now confused on
23:11 <abaindur> "Server CA is what the controllers use to validate the amphora certs."
23:12 <abaindur> "ca_certificate configs are for the controllers to generate the "server" certs issued to the amphora and to validate them."
23:30 <abaindur> johnsom: ?
23:30 <johnsom> Sorry, got distracted here
23:31 <johnsom> So here are a few things you might be confused on.
23:32 <johnsom> 1. In production you want to create two CAs. One is "server", one is "client"
23:32 <johnsom> 2. Each CA has the following files: ca_cert, a cert.pem file, a cert.key file.
23:33 <abaindur> right that makes sense... client CA in amphora validates the client cert presented by octavia, and server_ca is used to generate the cert used by the amphora
23:33 <johnsom> 3. ca_cert is used to validate the cert.pem
23:35 <johnsom> 4. No "CA" is located in the amphora, only the ca_cert file for the client CA, its "server.pem" and "server.key".
23:36 <johnsom> 5. When the controller makes an HTTPS connection to the amphora a few things happen:
23:37 <johnsom> a. The amphora presents its "server.pem" to the controller.
23:37 <johnsom> b. The controller validates it using the "server" ca_cert file.
23:38 <johnsom> c. The controller then presents its "client.pem" to the amphora.
23:38 <johnsom> d. The amphora validates the "client.pem" against the "client" ca_cert file.
23:39 <johnsom> 6. The controllers use the "server" CA files to generate new "server.pem" files for new or renewing amphora.
23:44 *** abaindur_ has joined #openstack-lbaas
23:47 *** abaindur has quit IRC
23:47 *** abaindur has joined #openstack-lbaas
23:50 *** abaindur_ has quit IRC
23:51 <abaindur> johnsom: that all makes sense, but I am confused by the actual names of the config
23:51 <abaindur> "The controllers use the "server" CA files to generate new "server.pem" files for new or renewing amphora."
23:52 <abaindur> is this server_ca under [haproxy_amphora], or ca_certificate under [certificates]?
23:52 <abaindur> from what you've said it seems to me like the config entries ca_certificate and server_ca are the same. They are the ca_cert used to generate the amphora's server.pem, and to validate it
23:53 <abaindur> I understand that client_ca in the [controller_worker] section is the CA cert used to validate the client.pem presented by the controller (the value of client_cert in the [certificates] section)
23:54 <johnsom> [certificates] gets the following:
23:54 <johnsom> cert_generator = local_cert_generator
23:55 <johnsom> ca_certificate = server CA's "server.pem" file
23:55 <johnsom> ca_private_key = server CA's "server.key" file
23:55 <johnsom> ca_private_key_passphrase = pass phrase for ca_private_key
23:56 <johnsom> [controller_worker]
23:56 <johnsom> client_ca = Client CA's ca_cert file
23:57 <johnsom> [haproxy_amphora]
23:57 <johnsom> client_cert = Client CA's client.pem file (I think with its key concatenated is what rm_work said the other day)
23:58 <johnsom> server_cert = Server CA's ca_cert file
23:59 <johnsom> That should be it.

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!