Tuesday, 2018-12-18

*** Emine has quit IRC		00:04
*** PagliaccisCloud has quit IRC		00:09
*** PagliaccisCloud has joined #openstack-lbaas		00:15
rm_work	ok well, found one bug	00:20
johnsom	In the doc?	00:20
rm_work	yes	00:20
rm_work	one sec, finishing up my review	00:21
rm_work	err, maybe another	00:21
openstackgerrit	Michael Johnson proposed openstack/octavia master: Updates Octavia to support octavia-lib https://review.openstack.org/613709	00:22
rm_work	oh nm, fallout from the first one	00:22
openstackgerrit	Michael Johnson proposed openstack/octavia master: Migrate constants to use octavia-lib - Part 1 https://review.openstack.org/617015	00:29
openstackgerrit	Michael Johnson proposed openstack/octavia master: Migrate constants to use octavia-lib - Part 2 https://review.openstack.org/617058	00:29
*** Emine has joined #openstack-lbaas		00:34
rm_work	ok yeah this needs some help	00:34
rm_work	but it's close :)	00:35
johnsom	hmmm, I ran through that step by step	00:35
openstackgerrit	Michael Johnson proposed openstack/octavia-tempest-plugin master: Adds get_amphora_stats to the service client https://review.openstack.org/585060	00:37
openstackgerrit	Michael Johnson proposed openstack/octavia-tempest-plugin master: Add an active/standby scenario test https://review.openstack.org/584681	00:37
johnsom	Oh crumb	00:37
johnsom	Oh, nevermind, that is fine.	00:38
rm_work	posted comments	00:41
rm_work	i ran into two issues	00:41
rm_work	i was trying to be pretty dumb, so that accounts for one of them, but the other is a legit issue	00:41
johnsom	Ok, looking. Hey, BTW, when you have a chance, can you look at this? https://review.openstack.org/606918	00:41
openstackgerrit	Michael Johnson proposed openstack/octavia master: Adds a simple golang udp server https://review.openstack.org/621281	00:49
rm_work	err johnsom, if the VIP is ipv6, can the user point an ipv4 FLIP at it? does that work?	00:51
rm_work	does it depend on the FLIP implementation?	00:51
johnsom	No, neutron doesn't support it	00:51
johnsom	Technically there is no reason it could not work, but neutron doesn't support it	00:52
rm_work	k	00:52
*** dmellado has joined #openstack-lbaas		00:53
openstackgerrit	Merged openstack/neutron-lbaas master: Fix the scenario test gates https://review.openstack.org/625658	01:01
rm_work	johnsom: not sure how your run-through of that guide worked, with that naming consistency issue >_>	01:03
johnsom	rm_work look at the patchset 2 comments. Tobias asked me to change that and I must have fumbled it.	01:05
rm_work	ah	01:05
rm_work	yep :P	01:06
rm_work	that reminds me of the 1000 times i've done a "quick fix" and not re-run pep8 and then cried	01:07
johnsom	Yep	01:07
rm_work	such tears	01:07
johnsom	I have missed the shame nun while you were gone....	01:07
rm_work	lol	01:07
johnsom	rm_work You think a default CN is a good idea??? I guess I can throw in example.org	01:18
bzhao__	Ehh, I have no idea to make jinja to output '\n', could anybody know and give some help? Thanks..;-)	01:19
rm_work	i mean	01:27
rm_work	i don't know	01:27
rm_work	that or a comment	01:27
rm_work	in the doc	01:28
openstackgerrit	Michael Johnson proposed openstack/octavia master: Adds a certificates configuration guide https://review.openstack.org/613454	01:30
johnsom	bzhao__ Can you give me more context on what you are trying to do?	01:30
bzhao__	johnsom: Thanks, I',m trying to implement the http health check based on domain name feature yesterday. And I make the jinja template like:	01:33
bzhao__	https://usercontent.irccloud-cdn.com/file/UpWu0qk0/image.png	01:34
bzhao__	This is the output, but I only want the '\r\n' string, seem jinja treat "\n" as a newline. https://usercontent.irccloud-cdn.com/file/w7FWmxMX/image.png	01:34
bzhao__	I'm doing it based on http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#option%20httpchk .	01:36
bzhao__	https://www.irccloud.com/pastebin/MpNy3vjp/	01:37
bzhao__	what a naughty "\n". ;-)	01:39
*** hongbin has joined #openstack-lbaas		01:42
*** bbbbzhao_ has joined #openstack-lbaas		01:44
*** phuoc has joined #openstack-lbaas		01:50
johnsom	bzhao__ This works for me:	01:51
johnsom	{% set test = "%s foo\\nbar"\|format("test") %}	01:51
johnsom	{{ test }}	01:51
johnsom	test foo\nbar	01:51
johnsom	That last line is the result. I think that accomplishes what you are trying to do.	01:52
bzhao__	This is my test. ;-), running the current template and print.. https://usercontent.irccloud-cdn.com/file/ev4FJUpR/image.png	01:56
bzhao__	I change the macro to : https://usercontent.irccloud-cdn.com/file/ridqGeky/image.png	01:57
bzhao__	But the output is..., is that some other issue I didnt realized. https://usercontent.irccloud-cdn.com/file/xYhmWYwB/image.png	01:58
johnsom	The difference is probably this: https://github.com/openstack/octavia/blob/master/octavia/common/jinja/haproxy/jinja_cfg.py#L111	01:59
johnsom	I wasn't running with those settings	01:59
*** Emine has quit IRC		02:00
bzhao__	seem this also doesn't work. ;-) https://usercontent.irccloud-cdn.com/file/CkYQb0a5/image.png	02:02
johnsom	Yeah, it would have to be around the {% set } block I think	02:02
bzhao__	OH, Thanks, let me try again.	02:03
johnsom	I think that is a bad idea though given the string takes user input. I think we need to come up with another option, or substitute in the \n separate from the user variable setting.	02:04
johnsom	It is an important setting so that user input cannot have \n in them and allow a user to inject new haproxy settings.	02:06
johnsom	example, if pool.health_monitor.domain_name = 'example.org\noption insecure-haproxy\n'	02:07
johnsom	<not a true command, but you get the idea	02:07
bzhao__	Sorry, michael. I'm not follow you, Oh..I know. You mean that user input the domain name "example.org\n" and requests. Please hold I test with this case as I bring a new paratype for validate domain name.	02:10
bzhao__	Please wait some seconds.	02:11
johnsom	We don't want the user to be able to insert a "\n" string via user input and have it become a newline in the config file.	02:11
johnsom	There is also the "safe" filter that tells jinja a string should not be escaped, but again we have to use it very carefully.	02:13
johnsom	https://overiq.com/flask-101/basics-of-jinja-template-language/#escaping	02:13
bzhao__	Oh, the validator pass this case. https://usercontent.irccloud-cdn.com/file/2PZnT4YE/image.png	02:14
johnsom	bzhao__ I need to go make dinner. Please message me a link to what you come up with and I will validate it is ok and safe in the morning.	02:15
johnsom	I think I have given you the pointers you need to move forward.	02:15
bzhao__	Agree, we need to process internally if user input / not input the para like "example.org\n"	02:16
johnsom	Well, or just break the jinja template down in a way that all user input is still checked by autoescape and your strings are preserved. I think that is the best case	02:17
bzhao__	johnsom: Thanks very much for help. And I think if it can be done, I can continue the last work of tls_client_cert staff.. ;-)	02:17
johnsom	+1	02:17
bzhao__	johnsom: Have a great dinner! ;-) Thank you.	02:18
johnsom	something like: httpchk {{ http_method }} HTTP/{{ http_version }} {{ "\r\n"\|safe }}'Host':\ {{domain_name}}	02:19
johnsom	or even httpchk {{ http_method }} HTTP/{{ http_version }}\r\n Host:\ {{domain_name}}	02:20
bzhao__	Yeah, I will refactor this part. And make the validator to check the user input not '\n' inject.. I will test them both. ;-) . Thanks micheal. You help me so much.	02:23
*** hongbin_ has joined #openstack-lbaas		02:28
*** hongbin has quit IRC		02:29
*** reedipb has quit IRC		02:37
openstackgerrit	Merged openstack/octavia master: Add missing ws separator between words https://review.openstack.org/619137	02:37
*** psachin has joined #openstack-lbaas		02:40
*** hongbin has joined #openstack-lbaas		03:20
*** hongbin_ has quit IRC		03:21
*** rcernin has quit IRC		03:25
*** rcernin has joined #openstack-lbaas		03:27
*** rcernin has quit IRC		03:28
*** rcernin has joined #openstack-lbaas		03:28
*** ramishra has joined #openstack-lbaas		03:32
*** hongbin has quit IRC		03:43
*** PagliaccisCloud has quit IRC		04:31
*** PagliaccisCloud has joined #openstack-lbaas		04:36
openstackgerrit	Merged openstack/octavia master: Tags support for lb resources https://review.openstack.org/606006	04:41
*** PagliaccisCloud has quit IRC		05:01
*** sapd1_x has joined #openstack-lbaas		05:53
sapd1_x	johnsom: Do we need create VIP port on user tenant/	05:55
sapd1_x	*?	05:55
sapd1_x	https://github.com/openstack/octavia/blob/master/octavia/network/drivers/neutron/allowed_address_pairs.py#L410	05:55
sapd1_x	because user can see this port and delete this port.	05:55
sapd1_x	It makes load balancer will be failed	05:55
*** gcheresh_ has joined #openstack-lbaas		06:01
*** PagliaccisCloud has joined #openstack-lbaas		06:06
*** gcheresh has joined #openstack-lbaas		06:13
*** gcheresh_ has quit IRC		06:13
*** yboaron has joined #openstack-lbaas		06:17
*** PagliaccisCloud has quit IRC		06:27
johnsom	sapd1_x I agree, this is a problem. We put it in place to allow floating IPs be assigned, but it is bad. I think we need to work towards refactoring this so users cannot access the port. We see many tenants "deleting all" and breaking things they don't expect.	06:35
sapd1_x	johnsom: I will fire a story and fix this problem.	06:36
johnsom	We may need to add the ability to allocate a FIP via the ocatvia API so we don't expose the port	06:36
sapd1_x	johnsom: I think we should allocate this port to tenant service.	06:37
*** ccamposr has joined #openstack-lbaas		06:48
*** sapd1_x has quit IRC		07:10
*** rpittau has joined #openstack-lbaas		07:59
*** celebdor has joined #openstack-lbaas		08:10
*** celebdor has quit IRC		08:10
*** celebdor has joined #openstack-lbaas		08:10
*** velizarx has joined #openstack-lbaas		08:11
*** yboaron has quit IRC		08:23
openstackgerrit	Nir Magnezi proposed openstack/octavia master: Change openstack-dev to openstack-discuss https://review.openstack.org/622005	08:54
openstackgerrit	Carlos Goncalves proposed openstack/octavia-tempest-plugin master: Fix dependency on requests library version https://review.openstack.org/625836	08:56
cgoncalves	nmagnezi, ^ there	08:56
nmagnezi	cgoncalves, I had a feeling that would be it :)	08:57
nmagnezi	cgoncalves, thanks for this	08:57
*** yboaron has joined #openstack-lbaas		09:06
*** rcernin has quit IRC		09:18
openstackgerrit	Carlos Goncalves proposed openstack/octavia master: Install HAProxy 1.8 from Software Collections https://review.openstack.org/625672	09:45
openstackgerrit	Carlos Goncalves proposed openstack/octavia-tempest-plugin master: Fix dependency on requests library version https://review.openstack.org/625836	10:00
*** abaindur has quit IRC		10:00
*** salmankhan has joined #openstack-lbaas		10:16
*** sapd1_x has joined #openstack-lbaas		10:47
*** salmankhan has quit IRC		10:52
openstackgerrit	Yang JianFeng proposed openstack/octavia master: Add compute_flavor field for amphora api https://review.openstack.org/582914	10:53
openstackgerrit	Yang JianFeng proposed openstack/octavia master: Add compute_flavor field for amphora api https://review.openstack.org/582914	10:58
*** yamamoto has quit IRC		11:01
*** sapd1_x has quit IRC		11:15
*** sapd1 has joined #openstack-lbaas		11:18
*** sapd1 has quit IRC		11:21
*** sapd1 has joined #openstack-lbaas		11:22
*** brtknr has quit IRC		11:22
*** yangjianfeng has joined #openstack-lbaas		11:28
*** yamamoto has joined #openstack-lbaas		11:38
*** sapd1 has quit IRC		11:44
*** sapd1 has joined #openstack-lbaas		11:45
*** sapd1 has quit IRC		11:47
*** sapd1 has joined #openstack-lbaas		11:48
openstackgerrit	Yang JianFeng proposed openstack/octavia master: Add compute_flavor field for amphora api https://review.openstack.org/582914	11:49
*** yamamoto has quit IRC		11:54
*** yamamoto has joined #openstack-lbaas		11:54
*** salmankhan has joined #openstack-lbaas		11:54
*** yangjianfeng has quit IRC		12:01
*** rpittau has quit IRC		12:02
*** rpittau has joined #openstack-lbaas		12:03
*** PagliaccisCloud has joined #openstack-lbaas		12:07
*** rpittau is now known as rpittau\|lunch		12:08
*** sapd1 has quit IRC		12:17
*** salmankhan has quit IRC		12:27
*** ramishra has quit IRC		12:27
*** salmankhan has joined #openstack-lbaas		12:28
*** ramishra has joined #openstack-lbaas		12:37
*** brtknr has joined #openstack-lbaas		12:46
*** brtknr has quit IRC		13:00
*** rpittau\|lunch is now known as rpittau		13:12
*** brtknr has joined #openstack-lbaas		13:13
*** sapd1 has joined #openstack-lbaas		13:18
*** ramishra has quit IRC		13:22
*** ramishra has joined #openstack-lbaas		13:22
*** brtknr has quit IRC		13:25
*** brtknr has joined #openstack-lbaas		13:25
*** brtknr has quit IRC		13:29
*** brtknr has joined #openstack-lbaas		13:29
*** velizarx has quit IRC		13:30
*** yamamoto has quit IRC		13:37
*** yamamoto has joined #openstack-lbaas		13:38
*** velizarx has joined #openstack-lbaas		13:39
*** yamamoto has quit IRC		13:43
*** serhatd has joined #openstack-lbaas		13:56
*** velizarx has quit IRC		14:12
*** psachin has quit IRC		14:12
serhatd	do we need provider provider network for managing amphore instances? how can octavia-worker reach amhpora instances? I guess tenant networks are not suitable for this purpose, right?	14:12
*** velizarx has joined #openstack-lbaas		14:13
*** PagliaccisCloud has quit IRC		14:20
*** yamamoto has joined #openstack-lbaas		14:22
*** brtknr has quit IRC		14:27
*** brtknr has joined #openstack-lbaas		14:27
*** velizarx has quit IRC		14:28
sapd1	serhatd: yes. You can use tenant network with type: gre or vxlan for amphora management network.	14:29
*** amuller has joined #openstack-lbaas		14:32
serhatd	sapd: you say octavia-worker(which is in management network) will be able to reach amphora instances in tenant network?	14:37
serhatd	sapd: btw we are using vlan tenant networks	14:38
*** ramishra_ has joined #openstack-lbaas		14:54
*** ramishra has quit IRC		14:56
*** ramishra_ has quit IRC		15:27
*** gcheresh has quit IRC		15:28
*** fnaval has joined #openstack-lbaas		15:53
sapd1	serhatd: Yes. You can using a vlan for this network. Just create network	15:58
sapd1	serhatd: allow vlan for octavia-worker node. and add sub port.	15:59
serhatd	sapd1: do know any configuration guide that explains that steps? I am little confused:) not sure how can i add port to octavia-worker containers :)	16:14
serhatd	sapd1: I guess need to add subport health-managers too	16:15
sapd1	yes.	16:15
sapd1	serhatd: you are running worker and healthmanager inside container	16:15
serhatd	yep	16:16
sapd1	with healthmanager , bind container port to host port	16:16
sapd1	octavia-agent is not need reach octavia-worker	16:16
sapd1	octavia-worker will call octavia-agent.	16:16
*** spa-87 has joined #openstack-lbaas		16:26
*** ccamposr has quit IRC		16:44
*** dayou has quit IRC		17:01
*** rpittau has quit IRC		17:06
*** yboaron has quit IRC		17:08
*** dayou has joined #openstack-lbaas		17:17
*** spa-87 has quit IRC		17:20
*** serhatd has quit IRC		17:33
openstackgerrit	German Eichberger proposed openstack/octavia stable/queens: Fix health manager performance regression https://review.openstack.org/617385	17:36
*** salmankhan has quit IRC		17:37
*** gcheresh has joined #openstack-lbaas		18:03
*** sapd1 has quit IRC		18:08
*** fnaval has quit IRC		18:16
*** PagliaccisCloud has joined #openstack-lbaas		18:20
*** gcheresh has quit IRC		18:49
*** celebdor has quit IRC		19:14
*** celebdor has joined #openstack-lbaas		19:16
*** salmankhan has joined #openstack-lbaas		19:34
*** salmankhan has quit IRC		19:39
colby_	Hey is it possible to trigger the build of a backup node on a load balancer that was created before we switched to always create a backup?	19:50
*** abaindur has joined #openstack-lbaas		20:19
rm_work	colby_: you mean switch a LB from SINGLE to ACTIVE_STANDBY topology?	20:21
rm_work	johnsom / cgoncalves / xgerman could I beg a review for https://review.openstack.org/#/c/610284/ ? :)	20:45
rm_work	xgerman: an ipv6 gate?	20:47
rm_work	that is what johnsom is working on i suppose -- but i did add unit tests to cover this	20:48
rm_work	actually i added unit tests that cover more than even what was changed :P	20:48
xgerman	yeah, without a gate I am not sure if it works… code looks reasonable though but didn’t want to be the first to +2 without proper testing	20:48
rm_work	yeah	20:48
rm_work	if you pull it down you can run the new unit test `test_write_vip_interface_file` with and without the change to the osutils.py	20:49
rm_work	and you can see what the issue is and how this resolves it	20:49
rm_work	it took me a minute to grasp exactly what the problem was, without having a test to illustrate it]	20:49
*** PagliaccisCloud has quit IRC		21:04
rm_work	hmm, gonna make a slight tweak anyway	21:06
openstackgerrit	Adam Harwell proposed openstack/octavia master: Fix prefix for vip_ipv6 https://review.openstack.org/610284	21:07
johnsom	There are IPv6 gates: https://review.openstack.org/611980 and https://review.openstack.org/611405 just stuck waiting for reviews....	21:08
openstackgerrit	Michael Johnson proposed openstack/octavia master: Updates Octavia to support octavia-lib https://review.openstack.org/613709	21:17
johnsom	There, coverage even for the silly cmd file....	21:17
*** amuller has quit IRC		21:17
*** gcheresh has joined #openstack-lbaas		21:20
*** rcernin has joined #openstack-lbaas		21:22
rm_work	well, it would be good if those gates were passing, johnsom :P	21:26
johnsom	What? they aren't now? Argh. I saw the active/standby gate also bit-rot'd	21:26
rm_work	it's the stables, it seems	21:26
rm_work	stable-scenario	21:27
johnsom	Oh, yeah, the IPv6 patches have to be backported	21:27
rm_work	is that... maybe because it's actually broken there? lol	21:27
rm_work	they were	21:27
rm_work	maybe the recheck will take care of it	21:27
rm_work	might not have been done by the time it ran last	21:27
johnsom	Yeah, it hasn't run the tests since the 6th when I know they were not backported yet	21:27
rm_work	then maybe can merge that today :)	21:27
colby_	rm_work: yes. I was trying to avoid having to recreate	21:28
rm_work	the one after it was failing all kinds of things but ... maybe it'll be ok too? dunno, more dubious on that one	21:28
rm_work	colby_: yes, I have done it, theoretically possible if you are willing to muck around in the DB and do things no sane person should attempt :)	21:28
johnsom	Sweet, they were all backported, so yes, this should be good to go	21:29
rm_work	colby_: i was trying to do a PoC migration script but got stalled by it being crazy	21:29
rm_work	i felt a little like a magician attempting a trick with the warning "don't do this at home"	21:29
colby_	rm_work: sure I have no problem messing with db. Worst case scenario we have to recreate the lb anyways	21:29
rm_work	yeah	21:29
rm_work	so, what you can do	21:30
rm_work	duplicate the single amphora entry for the LB (giving it a new `id` field, obviously) and set the compute_id and vrrp_port_id to random new uuids as well	21:31
rm_work	set it as BACKUP and the original as MASTER	21:31
rm_work	change the LB's topology to ACTIVE_STANDBY	21:31
rm_work	update the priority field to also match what MASTER/BACKUP amps should have	21:31
rm_work	like, 90 and 100	21:31
colby_	out of curiosity too. It would be cool if you could decide on having active/standby per load balancer instead of them all having it. Is that something that is being looked at?	21:32
rm_work	and then trigger a failover on the new fake BACKUP amp	21:32
rm_work	colby_: that will be possible with Flavors	21:32
rm_work	you can choose a SINGLE topo flavor, or an ACTIVE_STANDBY topo flavor	21:32
colby_	oh nice. What version will that be enabled?	21:32
rm_work	i think johnsom is hoping to have it done for stein?	21:33
rm_work	the initial patches for it are up for review	21:33
colby_	not all our users need HA, and Id rather not waste compute resources if not needed	21:33
rm_work	yeah, soon	21:34
colby_	thanks for the info on the standby migration. Maybe its just easier to recreate :-) might actually be fewer steps	21:34
johnsom	Yeah, this is a committed Stein feature	21:34
johnsom	flavors that is	21:34
rm_work	colby_: most definitely yes	21:34
rm_work	lol	21:34
colby_	thanks!	21:35
rm_work	doing LB surgery like that in the DB is not for the faint of heart	21:35
rm_work	sometimes when I do things like that, I feel shame	21:35
colby_	haha	21:36
rm_work	but also like a mad scientist	21:36
*** rcernin has quit IRC		21:37
*** gcheresh has quit IRC		21:38
johnsom	Ok, sent out the e-mails cancelling the IRC meeting on the 26th and reminding folks that the neutron-lbaas/Octavia v1 API retirement is coming up in September 2019.	22:00
*** rcernin has joined #openstack-lbaas		22:04
*** yboaron has joined #openstack-lbaas		22:16
cgoncalves	\o/	22:17
cgoncalves	FYI, I will probably not be able to attend tomorrow's meeting either, sorry	22:18
johnsom	Ok, NP. I expect it to be semi-short. I have put an agenda up.	22:18
*** celebdor has quit IRC		22:32
*** rcernin has quit IRC		22:37
*** rcernin has joined #openstack-lbaas		22:41
*** rcernin has quit IRC		22:43
*** rcernin has joined #openstack-lbaas		22:45
openstackgerrit	Merged openstack/octavia master: Add compute_flavor field for amphora api https://review.openstack.org/582914	22:46
openstackgerrit	German Eichberger proposed openstack/octavia master: Amphora logging https://review.openstack.org/624835	22:46
*** yboaron has quit IRC		22:56
*** ccamposr has joined #openstack-lbaas		23:08
openstackgerrit	Michael Johnson proposed openstack/octavia-tempest-plugin master: Add traffic tests using an IPv6 VIP https://review.openstack.org/611980	23:42
johnsom	rm_work Passed: https://review.openstack.org/#/c/611405/	23:50
rm_work	noice	23:50
rm_work	+2	23:51
johnsom	The second one had a bug, so I'm looking at it	23:51
rm_work	kk	23:51
johnsom	Missed a noop test	23:51
rm_work	was just gonna ask, since you posted another patchset	23:51
johnsom	Yeah, it was trying to lookup a subnet even though it was running noop...	23:51
rm_work	xgerman: want to merge that one ^^ so you can have the gate you asked for on my other patch? :P	23:51
rm_work	ah i guess we'll need both before that's technically true	23:52
johnsom	Yeah, that first one is half the test suite	23:52

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!