Monday, 2018-09-10

openstackgerrit: sapd proposed openstack/octavia master: Support REDIRECT_PREFIX action for L7Policy  https://review.openstack.org/601086 [02:07]
openstackgerrit: Merged openstack/octavia-dashboard master: Imported Translations from Zanata  https://review.openstack.org/601050 [02:50]
*** yamamoto has joined #openstack-lbaas [04:13]
*** reedipb has joined #openstack-lbaas [05:00]
*** reedipb has quit IRC [05:01]
*** reedipb has joined #openstack-lbaas [05:01]
*** threestrands has joined #openstack-lbaas [05:45]
*** threestrands has quit IRC [05:45]
*** threestrands has joined #openstack-lbaas [05:45]
*** annp has joined #openstack-lbaas [06:07]
*** fnaval has quit IRC [06:37]
*** rcernin has quit IRC [07:02]
*** ccamposr has joined #openstack-lbaas [07:02]
*** fnaval has joined #openstack-lbaas [07:06]
*** fnaval has quit IRC [07:11]
*** tesseract-RH has joined #openstack-lbaas [07:17]
*** threestrands has quit IRC [07:25]
*** pcaruana has joined #openstack-lbaas [07:31]
*** velizarx has joined #openstack-lbaas [07:34]
*** AlexeyAbashkin has joined #openstack-lbaas [07:44]
*** velizarx has quit IRC [07:50]
*** velizarx has joined #openstack-lbaas [07:55]
*** dims has quit IRC [07:57]
*** dims has joined #openstack-lbaas [07:57]
*** celebdor has joined #openstack-lbaas [08:01]
*** velizarx has quit IRC [08:08]
*** velizarx has joined #openstack-lbaas [08:17]
*** reedipb has quit IRC [08:30]
*** annp has quit IRC [08:40]
*** yamamoto has quit IRC [09:29]
*** yamamoto has joined #openstack-lbaas [09:32]
*** yamamoto has quit IRC [09:37]
*** dolly has joined #openstack-lbaas [09:44]
*** yamamoto has joined #openstack-lbaas [10:28]
*** yamamoto has quit IRC [11:45]
*** yamamoto has joined #openstack-lbaas [11:48]
*** yamamoto has quit IRC [11:53]
*** reedipb has joined #openstack-lbaas [12:01]
*** amuller has joined #openstack-lbaas [12:09]
*** velizarx has quit IRC [12:11]
*** velizarx has joined #openstack-lbaas [12:22]
*** yamamoto has joined #openstack-lbaas [12:23]
*** fnaval has joined #openstack-lbaas [14:09]
*** velizarx has quit IRC [14:15]
*** velizarx has joined #openstack-lbaas [14:26]
*** hongbin has joined #openstack-lbaas [14:47]
*** velizarx has quit IRC [14:50]
*** velizarx has joined #openstack-lbaas [14:55]
*** sapd1_ has joined #openstack-lbaas [14:55]
*** velizarx has quit IRC [15:01]
rm_work: sapd1_: looks like your functional tests are still failing :( [15:03]
*** velizarx has joined #openstack-lbaas [15:03]
sapd1_: rm_work: yes. I'm trying to fix. Because I changed data model. So everything which associate with l7 policy will fail [15:04]
sapd1_: Could you help me? [15:04]
rm_work: probably [15:04]
sapd1_: rm_work: Do you attend PTG? [15:05]
rm_work: i was going to fix my barbican patch really quick as i'm in the barbican PTG meetup room right now [15:05]
rm_work: ^^ so that's your answer :P [15:05]
sapd1_: rm_work: That's great. :D [15:06]
rm_work: are you? [15:06]
sapd1_: no. I'm not a developer :D [15:06]
rm_work: i see [15:07]
rm_work: so you're just pretending to be a developer to make this L7 patch? :P [15:07]
sapd1_: just system engineer in Vietnam. [15:07]
rm_work: anyone is a developer if they develop ^_^ [15:08]
sapd1_: Sometimes I work as a developer, Sometimes I don't :D [15:08]
sapd1_: two months ago, I tried with feature boot from volume. :D But I can't write unit test :D [15:09]
reedipb: rm_work: ping [15:14]
rm_work: pong [15:14]
reedipb: rm_work: Hi, long time, no chat :) [15:15]
rm_work: indeed [15:15]
reedipb: rm_work: since you are in the PTG, can you, johnsom and xgerman_ / xgerman get a chance to discuss https://review.openstack.org/#/c/599393/ ? [15:15]
rm_work: you make it to the PTG? [15:15]
rm_work: ah i guess not [15:15]
reedipb: Nope, sitting at home :) [15:15]
rm_work: Octavia is Wed-Fri [15:15]
xgerman_: Yep [15:16]
rm_work: right now we're doing Barbican and Infra stuff mostly I think [15:16]
reedipb: xgerman_ your comment is there on the patch, do discuss and let me know how you (i.e. you rm_work, johnsom and others) wish to proceed :) [15:17]
reedipb: And if there is any timeslot, please let me know so that I can also join the discussion [15:17]
rm_work: yeah, Octavia will be Wed-Fri [15:32]
rm_work: there's an etherpad for the PTG somewhere, so if i can find that we can add it to the agenda [15:32]
rm_work: johnsom: can you put that link in the topic maybe? [15:33]
dayou: https://etherpad.openstack.org/p/octavia-stein-ptg [15:55]
*** hongbin_ has joined #openstack-lbaas [15:55]
*** hongbin has quit IRC [15:56]
openstackgerrit: sapd proposed openstack/octavia master: Support REDIRECT_PREFIX action for L7Policy  https://review.openstack.org/601086 [15:58]
*** AlexeyAbashkin has quit IRC [16:11]
*** yamamoto has quit IRC [16:14]
*** ccamposr has quit IRC [16:14]
*** yamamoto has joined #openstack-lbaas [16:14]
*** yamamoto has quit IRC [16:19]
*** sapd1_ has quit IRC [16:27]
*** velizarx has quit IRC [16:33]
*** yamamoto has joined #openstack-lbaas [16:43]
*** tesseract-RH has quit IRC [16:46]
openstackgerrit: Michael Johnson proposed openstack/octavia-tempest-plugin master: DNM: Testing bionic nodes  https://review.openstack.org/600539 [16:46]
openstackgerrit: Michael Johnson proposed openstack/octavia-tempest-plugin master: DNM: Testing bionic nodes  https://review.openstack.org/600539 [16:49]
*** ChanServ changes topic to "OpenStack PTG etherpad: https://etherpad.openstack.org/p/octavia-stein-ptg" [16:51]
johnsom: Done [16:51]
tobias-urdin: johnsom: i'm getting crazy over here, i used the generate script from the bin folder, in two different folders `client` and `server` [16:59]
tobias-urdin: then configured like this http://paste.openstack.org/show/729796/ [16:59]
tobias-urdin: i went through your link in slow-motion still, something is not right "bad handshake" [16:59]
tobias-urdin: i also set [certificates]/ca_private_key_passphrase to the proper passphrase for the /etc/octavia/certs/server/private/cakey.pem file. [17:00]
*** Swami has joined #openstack-lbaas [17:04]
xgerman_: tobias-urdin: you are at the PTG? [17:21]
tobias-urdin: no :( [17:23]
*** velizarx has joined #openstack-lbaas [17:26]
xgerman_: What you posted looks right… I have written the ansible part: https://github.com/openstack/openstack-ansible-os_octavia/blob/master/tasks/octavia_certs.yml — maybe that will help shed light on it [17:28]
xgerman_: without having openssl outputs which certificates are which it’s hard for me to see what’s wrong [17:29]
tobias-urdin: ok, yeah i've checked the os_octavia ansible module many many times, and the irclog that johnsom sent but no success [17:30]
tobias-urdin: testing to use one CA now, just to see if it works [17:30]
xgerman_: yeah, two CAs is tricky [17:31]
xgerman_: I often have to debug the generated certs with openssl since (for instance the sensible cert module) was generating garbage [17:31]
tobias-urdin: seems like that didn't work either [17:32]
*** sanfern has joined #openstack-lbaas [17:32]
xgerman_: Yeah, this link helps me to find the right openssl https://www.sslshopper.com/article-most-common-openssl-commands.html [17:33]
xgerman_: commands [17:33]
openstackgerrit: Michael Johnson proposed openstack/octavia master: Update for DIB using bionic  https://review.openstack.org/601329 [17:38]
openstackgerrit: Michael Johnson proposed openstack/octavia-tempest-plugin master: DNM: Testing bionic nodes  https://review.openstack.org/600539 [17:38]
*** yamamoto has quit IRC [17:43]
tobias-urdin: something is clearly wrong, used a simple generated using the script in the bin folder [17:44]
tobias-urdin: 2018-09-10 19:43:15.312 15032 WARNING octavia.amphorae.drivers.haproxy.rest_api_driver [-] Could not connect to instance. Retrying.: SSLError: ("bad handshake: Error([('rsa routines', 'RSA_padding_check_PKCS1_type_1', 'block type is not 01'), ('rsa routines', 'RSA_EAY_PUBLIC_DECRYPT', 'padding check failed'), ('SSL routines', 'ssl3_get_key_exchange', 'bad signature')],)",) [17:44]
tobias-urdin: http://paste.openstack.org/show/729798/ [17:44]
tobias-urdin: maybe it's my openssl version 1.0.2k or that i'm using the test-only image [17:45]
tobias-urdin: also generated from my local workstation though that has openssl 1.0.2g [17:46]
*** velizarx has quit IRC [17:47]
openstackgerrit: Michael Johnson proposed openstack/octavia-tempest-plugin master: Use the infra mirrors for DIB  https://review.openstack.org/601332 [17:47]
xgerman_: yeah, once you have reviewed the certs — you can look at the connection with curl [17:48]
xgerman_: https://docs.google.com/presentation/d/1p8ekZ99E30XR6w1hkPufTQJKCwkX9tRctnCIWVlx4Zw/edit?usp=sharing [17:50]
xgerman_: this describes how to access the amp and which certs it would be using [17:50]
xgerman_: use -v so it show you the certs sends over [17:50]
tobias-urdin: Peer's certificate issuer has been marked as not trusted by the user. [17:52]
tobias-urdin: then with "-k" Peer's certificate has an invalid signature. [17:52]
xgerman_: yeah, somehow those certs are shot [17:53]
tobias-urdin: after a quick google "The problem was that my CA DN was the same as the certificate DN." [17:56]
tobias-urdin: checking the create_certificates.sh script that seems the case, worth a try i guess [17:56]
tobias-urdin: xgerman_: thanks for the help, at least one step closer now, it could connect to the amphora now, but still failed on something else [18:08]
tobias-urdin: but progress i guess [18:08]
tobias-urdin: http://paste.openstack.org/show/729801/ [18:08]
*** hongbin_ has quit IRC [18:10]
*** yamamoto has joined #openstack-lbaas [18:20]
*** abaindur has joined #openstack-lbaas [18:23]
*** sanfern has quit IRC [18:25]
*** yamamoto has quit IRC [18:30]
*** fnaval has quit IRC [18:30]
*** yamamoto has joined #openstack-lbaas [18:30]
*** fnaval has joined #openstack-lbaas [18:55]
*** yamamoto has quit IRC [19:56]
*** pcaruana has quit IRC [20:08]
*** yamamoto has joined #openstack-lbaas [20:27]
*** celebdor has quit IRC [20:53]
*** luksky has joined #openstack-lbaas [20:57]
*** luksky has quit IRC [21:17]
*** hongbin has joined #openstack-lbaas [21:53]
*** fnaval has quit IRC [21:58]
*** fnaval has joined #openstack-lbaas [22:10]
lxkong: hey, could anybody please help review https://review.openstack.org/#/c/600912/? [22:12]
*** takamatsu has quit IRC [22:23]
*** hongbin has quit IRC [22:25]
abaindur: johnsom: some clarification about certs expiring [22:35]
abaindur: 1. We only need to failover the amphora if the client CA itself expires or changes, correct? [22:36]
abaindur: 2. If the self-generated amphora server certs expire, octavia takes care of this automatically, injecting it into the amphora using the internal API and req. no intervention on our part, also correct? [22:36]
abaindur: 3. if the octavia controller's client cert expires, no failover or anything else needs to be also also, right? Besides obviously updating the cert in file on host and restarting services [22:38]
abaindur: 4. And finally regarding the server CA expiring - I can't seem to figure out what needs to be done in this case. If this changes it seems like we'd need to gen and refresh certs for all existing amphora (similar to all amphora expiring at same time). But i can't find in the code where this is done [22:40]
*** rcernin has joined #openstack-lbaas [22:46]
*** bcafarel has quit IRC [23:37]
*** abaindur has quit IRC [23:37]
*** abaindur has joined #openstack-lbaas [23:38]
