*** bcafarel has quit IRC | 00:09 | |
*** abaindur has joined #openstack-lbaas | 01:05 | |
*** abaindur_ has quit IRC | 01:08 | |
*** abaindur_ has joined #openstack-lbaas | 01:09 | |
*** abaindur has quit IRC | 01:11 | |
*** abaindur has joined #openstack-lbaas | 01:11 | |
*** abaindur_ has quit IRC | 01:13 | |
*** abaindu__ has joined #openstack-lbaas | 01:14 | |
*** abaindu__ is now known as abaindur_ | 01:14 | |
*** abaindur has quit IRC | 01:16 | |
*** abaindur has joined #openstack-lbaas | 01:16 | |
*** abaindur_ has quit IRC | 01:18 | |
*** abaindur_ has joined #openstack-lbaas | 01:26 | |
lxkong | thanks johnsom, I was so busy today that I didn't reply to you in time | 01:27 |
*** abaindur has quit IRC | 01:28 | |
*** abaindur has joined #openstack-lbaas | 01:30 | |
*** abaindur_ has quit IRC | 01:32 | |
lxkong | johnsom: btw, can we make the tasks configurable for octavia-house-keeper? e.g. we don't want the deleted records to be cleaned up automatically. | 01:33 |
*** abaindur has quit IRC | 01:50 | |
*** jmccrory has joined #openstack-lbaas | 02:02 | |
*** hongbin has joined #openstack-lbaas | 02:03 | |
*** jarodwl has quit IRC | 02:29 | |
*** yamamoto has quit IRC | 02:38 | |
*** yamamoto has joined #openstack-lbaas | 02:38 | |
*** bcafarel has joined #openstack-lbaas | 02:44 | |
*** hongbin has quit IRC | 03:46 | |
lxkong | johnsom: ignore the request. We could adjust the `amphora_expiry_age` option | 03:58 |
*** abaindur has joined #openstack-lbaas | 06:10 | |
*** pcaruana has joined #openstack-lbaas | 06:14 | |
*** abaindur has quit IRC | 06:20 | |
*** abaindur has joined #openstack-lbaas | 06:21 | |
*** celebdor has joined #openstack-lbaas | 07:07 | |
*** pcaruana has quit IRC | 07:09 | |
*** rcernin has quit IRC | 07:17 | |
*** pcaruana has joined #openstack-lbaas | 07:28 | |
*** pcaruana is now known as pcaruana|elisa| | 07:30 | |
*** abaindur has quit IRC | 07:34 | |
ltomasbo | ping cgoncalves, johnsom, xgerman_ : a review on this will be much appreciated :) https://review.openstack.org/#/c/602564 | 08:00 |
*** salmankhan has joined #openstack-lbaas | 08:51 | |
openstackgerrit | Carlos Goncalves proposed openstack/octavia-tempest-plugin master: Adds a mixed IPv4/IPv6 members traffic test https://review.openstack.org/611405 | 09:07 |
cgoncalves | ltomasbo, hi. I'd like to know your thoughts on upgradability support for listeners with custom SGs once the Listener API supports ACLs or FWaaS | 09:10 |
*** zigo has joined #openstack-lbaas | 09:14 | |
ltomasbo | cgoncalves, well, the admin/octavia project will be able to change that SG anyway, right? | 09:28 |
ltomasbo | and once that is enabled (and the other option disabled) all new listeners will be on the octavia project id again | 09:29 |
cgoncalves | ltomasbo, for new listeners it is okay. I am referring to existing listeners with custom SGs | 09:30 |
ltomasbo | cgoncalves, they will work in the same way, right? you will use the ACLs for the new created ones | 09:31 |
cgoncalves | because for those once we retire the feature you're proposing, someone has to migrate custom SGs to the new way (API+ACL or FWaaS) | 09:31 |
ltomasbo | cgoncalves, not sure about how that will be implemented, but I assume it will replace the SG rules | 09:31 |
ltomasbo | cgoncalves, and, do they need to be migrated? | 09:31 |
cgoncalves | right, my question is exactly who is expected to handle that: the user or octavia | 09:32 |
cgoncalves | ltomasbo, if we remove those two new options, they would need | 09:32 |
ltomasbo | cgoncalves, as I see it (and I'm most probably missing something as I'm not that familiar with Octavia), FWaaS is orthogonal to the problem, as it gets applied in a different point | 09:33 |
cgoncalves | ok, let's forget FWaaS and focus on Listener API with ACL capabilities | 09:33 |
ltomasbo | cgoncalves, and regarding ACLs, not sure if you need to move the old SG to the new ones | 09:33 |
ltomasbo | as, if the user adds a new rule through the new ACL API, it will get added to the SG anyway | 09:34 |
cgoncalves | but the SG would continue to be owned by the user project | 09:34 |
ltomasbo | but yep, it may not work as expected if the user already changed the other SG, and for instance has an ALLOW_ALL or something like that | 09:34 |
cgoncalves | I think it should no longer be with ACL caps | 09:35 |
ltomasbo | cgoncalves, so, you propose to have an upgrade script or something, that basically replicates the tenant SG, and applies to the LBaaS? | 09:35 |
ltomasbo | cgoncalves, and then detach the tenant one? | 09:35 |
cgoncalves | my question is one step before: should octavia handle that or the user? | 09:36 |
cgoncalves | because what you're proposing is a workaround and only whitelisted projects can have custom SGs | 09:36 |
ltomasbo | cgoncalves, yep, I'm not sure, my thought was that existing listener will remain with the SG belonging to the tenant | 09:42 |
ltomasbo | cgoncalves, but new listeners (on the same LBaas) will already be on the octavia project | 09:42 |
cgoncalves | ltomasbo, what would happen once we remove the 2 config opts and a user updates an existing listener with custom SG? | 09:44 |
cgoncalves | hmm ok, probably nothing special there to handle | 09:46 |
ltomasbo | cgoncalves, I think then a new rule will be added to the SG, right? regardless of the ownership | 09:50 |
ltomasbo | cgoncalves, my only concern with that is how the ACL is implemented, it should first read the existing listeners to know about the current rules? | 09:51 |
cgoncalves | ltomasbo, we haven't put any/much thought into that yet. why do you ask that? so that we avoid adding duplicated rules? | 09:54 |
ltomasbo | cgoncalves, without even considering the tenancy of the SG | 09:54 |
ltomasbo | cgoncalves, if you enable the ACL feature, that one should know about existing rules? | 09:55 |
ltomasbo | cgoncalves, or it will simply try to add/delete rules based on the new information? and if it is duplicated, then it does not matter, just skip... | 09:56 |
ltomasbo | cgoncalves, you cannot duplicate rules, neutron will reject it | 09:56 |
cgoncalves | ltomasbo, hmm I think octavia doesn't need to keep DB records of ACL/rules. it could probably just map to/from SG rules | 09:58 |
ltomasbo | cgoncalves, then it should be safe, right? | 09:58 |
cgoncalves | ok, good (neutron rejecting duplicated rules) | 09:59 |
ltomasbo | cgoncalves, yep, that I know for sure, because I hit it once! | 09:59 |
cgoncalves | ltomasbo, yes. I am just of the opinion that if we have ACL feature we no longer need to have SGs owned by users hence moving ownership to octavia project or creating SG from scratch copying rules from user-owned SG | 10:00 |
cgoncalves | to consolidate everything back again | 10:01 |
ltomasbo | cgoncalves, sure, I fully agree | 10:01 |
ltomasbo | cgoncalves, it will be as simple as: before adding the ACL rule, check if the SG belongs to the tenant or the octavia project | 10:01 |
cgoncalves | ltomasbo, right, so that was my initial question: should octavia do it once ACL is supported and cloud upgraded or the user? | 10:02 |
ltomasbo | then, if it belongs to it, create a new SG, copy the rules, switch the SG on the VRRP/VIP ports | 10:02 |
ltomasbo | cgoncalves, asking the users to re-do their listeners will work too | 10:03 |
cgoncalves | so you want octavia to have that responsibility | 10:03 |
cgoncalves | ok, great | 10:03 |
ltomasbo | cgoncalves, but then you don't have control on when that would happen | 10:03 |
cgoncalves | in that case, if we agree the users should re-do, it needs to be well stated in docs | 10:04 |
cgoncalves | ltomasbo, well, if something breaks for the user it is his fault | 10:04 |
cgoncalves | one more reason to have the whitelist -- it has to be an explicit allowance to use custom SGs | 10:05 |
ltomasbo | cgoncalves, yep, I got that and thought it was a good approach | 10:05 |
ltomasbo | cgoncalves, especially for something we know from the very beginning is temporary | 10:05 |
cgoncalves | +1 | 10:06 |
cgoncalves | so let's wait for others to share their opinions. if we say it's up to the user to re-do your patch needs to be updated to add docs | 10:06 |
cgoncalves | stating in the release note only is not enough | 10:07 |
ltomasbo | cgoncalves, ok, I don't have strong opinion on that, both options are valid | 10:07 |
ltomasbo | cgoncalves, I'll wait to update the patch set then. Can you leave a comment on that on the patch set too? | 10:08 |
ltomasbo | so that johnsom, nmagnezi, xgerman_, ... give their opinions on that | 10:09 |
*** yamamoto has quit IRC | 10:13 | |
*** yamamoto has joined #openstack-lbaas | 10:14 | |
cgoncalves | I left that comment before "By confining to hand-picked projects, we can upfront state Octavia will not compulsorily be responsible for re-configuring ACLs once either the API is extended, via FWaaS or whichever will be the implemented approach." | 10:15 |
cgoncalves | maybe I was not clear enough on that, sorry | 10:15 |
ltomasbo | cgoncalves, thanks! | 10:18 |
*** yamamoto has quit IRC | 10:19 | |
*** yamamoto has joined #openstack-lbaas | 10:57 | |
*** lingxian has joined #openstack-lbaas | 11:27 | |
*** yamamoto has quit IRC | 11:39 | |
*** lxkong has quit IRC | 11:39 | |
*** lingxian is now known as lxkong | 11:40 | |
*** yamamoto has joined #openstack-lbaas | 11:40 | |
*** yamamoto has quit IRC | 11:44 | |
*** yamamoto has joined #openstack-lbaas | 12:01 | |
*** yamamoto has quit IRC | 12:07 | |
*** yamamoto has joined #openstack-lbaas | 12:08 | |
*** yamamoto has quit IRC | 12:08 | |
tobias-urdin | decided to give it another go, anybody have any suggestions? Could not connect to instance. Retrying.: SSLError: [SSL: BAD_SIGNATURE] bad signature (_ssl.c:579) | 12:09 |
tobias-urdin | ported the openstack-ansible code to generate the certs this time, http://paste.openstack.org/show/732483/ | 12:09 |
tobias-urdin | tried changing signing_digest to sha512, creating my own amphora image, generate the certificate on my local ubuntu workstation, generating the certs on the centos controller node | 12:09 |
tobias-urdin | testing with openssl s_client http://paste.openstack.org/show/732486/ | 12:10 |
tobias-urdin | now I'm stuck again :( | 12:11 |
tobias-urdin | octavia.conf for cert stuff and their mapping based on the generated files from the ansible playbook http://paste.openstack.org/show/732487/ | 12:13 |
tobias-urdin | 140038729774992:error:1408D07B:SSL routines:ssl3_get_key_exchange:bad signature:s3_clnt.c:2032: | 12:13 |
*** yamamoto has joined #openstack-lbaas | 12:14 | |
*** yamamoto has quit IRC | 12:20 | |
*** yamamoto has joined #openstack-lbaas | 12:21 | |
*** yamamoto has quit IRC | 12:30 | |
tobias-urdin | openssl-1.0.2k is the openssl version, perhaps something with certificate generation causing it to be invalid | 12:38 |
tobias-urdin | https://github.com/openssl/openssl/blob/OpenSSL_1_0_2k/ssl/s3_clnt.c#L2032 | 12:40 |
*** yamamoto has joined #openstack-lbaas | 12:41 | |
*** yamamoto has quit IRC | 12:46 | |
*** yamamoto has joined #openstack-lbaas | 12:56 | |
*** phuoc has joined #openstack-lbaas | 13:19 | |
*** phuoc_ has quit IRC | 13:19 | |
*** strigazi has quit IRC | 13:44 | |
*** strigazi has joined #openstack-lbaas | 13:44 | |
tobias-urdin | tried deploying octavia on ubuntu with python3 and openssl 1.1.0g, generating the certs on that machine | 13:44 |
tobias-urdin | no improvement [SSL: BAD_SIGNATURE] bad signature (_ssl.c:841) | 13:45 |
*** rpittau has quit IRC | 13:56 | |
openstackgerrit | Vadim Ponomarev proposed openstack/octavia master: Add notifications about changed status to worker https://review.openstack.org/611882 | 14:16 |
*** velizarx has quit IRC | 14:42 | |
*** yamamoto has quit IRC | 14:56 | |
*** pcaruana|elisa| has quit IRC | 14:56 | |
*** yamamoto has joined #openstack-lbaas | 14:56 | |
*** pcaruana|elisa| has joined #openstack-lbaas | 14:57 | |
*** pcaruana|elisa| has quit IRC | 15:08 | |
*** pcaruana has joined #openstack-lbaas | 15:08 | |
*** pcaruana has quit IRC | 15:31 | |
*** nmagnezi has quit IRC | 15:37 | |
*** openstackgerrit has quit IRC | 16:24 | |
*** yamamoto has quit IRC | 17:20 | |
*** yamamoto has joined #openstack-lbaas | 17:21 | |
*** yamamoto has quit IRC | 17:27 | |
*** yamamoto has joined #openstack-lbaas | 17:32 | |
*** yamamoto has quit IRC | 17:37 | |
*** salmankhan has quit IRC | 18:13 | |
*** yamamoto has joined #openstack-lbaas | 18:17 | |
*** openstackgerrit has joined #openstack-lbaas | 18:50 | |
openstackgerrit | Merged openstack/neutron-lbaas-dashboard master: sni_container_refs needed if we want to use sni https://review.openstack.org/601923 | 18:50 |
openstackgerrit | Merged openstack/octavia-dashboard master: Show the 'Insert Headers' when listener protocol is 'HTTP' or 'TERMINATED_HTTPS' https://review.openstack.org/564963 | 19:14 |
*** lxkong has quit IRC | 19:39 | |
openstackgerrit | Merged openstack/neutron-lbaas stable/queens: Improve speed of listing from DB https://review.openstack.org/580874 | 20:22 |
*** abaindur has joined #openstack-lbaas | 20:58 | |
openstackgerrit | Merged openstack/octavia master: Remove deprecated API settings https://review.openstack.org/600819 | 20:59 |
openstackgerrit | Merged openstack/octavia master: Remove deprecated parameters https://review.openstack.org/609570 | 20:59 |
*** abaindur has quit IRC | 20:59 | |
*** abaindur has joined #openstack-lbaas | 20:59 | |
*** abaindur has quit IRC | 21:05 | |
*** abaindur has joined #openstack-lbaas | 21:05 | |
*** celebdor has quit IRC | 21:20 | |
*** salmankhan has joined #openstack-lbaas | 21:20 | |
openstackgerrit | Michael Johnson proposed openstack/octavia master: Bring up secondary IPs on member networks https://review.openstack.org/611460 | 21:35 |
*** yamamoto has quit IRC | 21:40 | |
*** yamamoto has joined #openstack-lbaas | 22:10 | |
*** lingxian has joined #openstack-lbaas | 22:14 | |
openstackgerrit | Michael Johnson proposed openstack/octavia-tempest-plugin master: Add traffic tests using an IPv6 VIP https://review.openstack.org/611980 | 22:45 |
openstackgerrit | Michael Johnson proposed openstack/octavia master: Update docs conf.py for openstackdocstheme change https://review.openstack.org/611987 | 23:18 |
*** abaindur has quit IRC | 23:35 | |
*** yamamoto has quit IRC | 23:42 |