Sunday, 2019-02-24

« Saturday, 2019-02-23 Index Monday, 2019-02-25 »
*** yamamoto has joined #openstack-lbaas00:49
*** yamamoto has quit IRC00:54
openstackgerritMichael Johnson proposed openstack/octavia master: Add client_ca_tls_container_ref to listener API  https://review.openstack.org/61226701:51
openstackgerritMichael Johnson proposed openstack/octavia master: Add an option to the Octavia V2 listener API for client cert  https://review.openstack.org/61226801:52
openstackgerritMichael Johnson proposed openstack/octavia master: Add crl-file option for certification  https://review.openstack.org/61226901:52
openstackgerritMichael Johnson proposed openstack/octavia master: Add new ssl header into Listener for client certificate  https://review.openstack.org/61227001:53
openstackgerritMichael Johnson proposed openstack/octavia master: L7rule support client certificate cases  https://review.openstack.org/61227101:53
*** yamamoto has joined #openstack-lbaas03:08
*** yamamoto has quit IRC03:13
*** yamamoto has joined #openstack-lbaas04:29
*** yamamoto has quit IRC04:34
*** yamamoto has joined #openstack-lbaas04:45
*** yamamoto has quit IRC05:49
*** gcheresh has joined #openstack-lbaas07:18
*** yamamoto has joined #openstack-lbaas07:50
*** yamamoto has quit IRC07:55
*** celebdor has joined #openstack-lbaas08:21
*** celebdor has quit IRC08:27
*** yamamoto has joined #openstack-lbaas09:10
*** yamamoto has quit IRC09:14
*** yamamoto has joined #openstack-lbaas09:49
*** yamamoto has quit IRC09:54
*** yamamoto has joined #openstack-lbaas11:02
*** yamamoto has quit IRC11:06
*** yamamoto has joined #openstack-lbaas11:41
*** yamamoto has quit IRC11:45
*** yamamoto has joined #openstack-lbaas11:53
*** yamamoto has quit IRC12:04
*** yamamoto has joined #openstack-lbaas12:07
*** yamamoto has quit IRC12:17
*** yamamoto has joined #openstack-lbaas12:49
*** yamamoto has quit IRC12:53
*** yamamoto has joined #openstack-lbaas13:00
openstackgerritNir Magnezi proposed openstack/octavia master: Encrypt certs and keys  https://review.openstack.org/62706413:41
openstackgerritCarlos Goncalves proposed openstack/python-octaviaclient master: Adds loadbalancer amphora configure to OSC  https://review.openstack.org/63362615:25
*** gcheresh has quit IRC15:48
openstackgerritMerged openstack/python-octaviaclient master: Adds loadbalancer amphora configure to OSC  https://review.openstack.org/63362615:51
openstackgerritCarlos Goncalves proposed openstack/octavia-tempest-plugin master: Add active/standby scenario test  https://review.openstack.org/63707316:18
cgoncalvesjohnsom, pretty sure https://review.openstack.org/#/c/613685/ broke act-stby when [taskflow]/engine=parallel16:20
cgoncalvesengine=serial works fine. tested locally16:20
cgoncalvesuhm, maybe it wasn't 613685 as rocky and queens jobs also failed16:21
cgoncalvesargh! I meant to say https://review.openstack.org/#/c/604479/16:22
johnsomI would be surprised if the parallel engine was the issue.16:23
johnsomThe VIP patch is more likely16:25
cgoncalvesI could only reproduce the issue at the gate with engine=parallel. serial runs fine16:27
johnsomcgoncalves: are you working on that, or should I have a look?16:27
johnsomWhich job?  Can you give me a link?16:27
cgoncalvesI'm not familiar with the flows there. I can try but if you have some time that would be great16:28
johnsomMaybe we are running out of resources with that setting in the gate16:28
cgoncalveshttps://review.openstack.org/#/c/584681/16:28
cgoncalveshttps://review.openstack.org/#/c/637073/16:28
cgoncalvesyours ran successfully until some point in time16:28
johnsomIt may need to only be enabled in the multinode jobs. If I can ever figure out what is wrong with neutron there16:30
cgoncalvesI don't follow. how come parallel consume more resources?16:30
*** yamamoto has quit IRC16:30
cgoncalvesalso, how come your act-stby used to pass and now it does not?16:31
*** yamamoto has joined #openstack-lbaas16:32
*** yamamoto has quit IRC16:32
cgoncalvesthis is not urgent or anything, so don't spend your Sunday morning with this :)16:32
*** yamamoto has joined #openstack-lbaas16:33
johnsomYeah, today is going to be about backend re-encryption patches.16:35
johnsomWith parallel enabled it boots the amps at the same time, so more cpu, more transient ram, more disk io16:35
johnsomI will take a quick look once I get some coffee and get going.16:36
*** yamamoto has quit IRC16:37
johnsomActive standby is important since everyone but OSP uses it. Grin16:37
johnsomI was able to finish the tls client auth stuff yesterday, so starting on the backend reencrypt today.16:39
cgoncalvesla-la-la!16:40
cgoncalvesI get exact same failure locally as CI. 8GB RAM and nested virtualization enabled16:41
cgoncalvesthis to say I'm not convinced it is resources16:42
cgoncalvesreverted code to refactor vip~1. runs fine with parallel enabled16:48
cgoncalvesah, right, I had forgotten. rocky and queens jobs failed (Permission denied: '/etc/octavia/.ssh/octavia_ssh_key') but due to different reasons than master16:49
cgoncalvesso, yeah, 99% sure it was the refactor vip16:49
johnsomAnd you questioned the half awake PTL....16:57
johnsomAs you should have... lol16:58
nmagnezijohnsom, good morning :D17:14
johnsomIt's a morning....17:14
nmagneziWell I hope it will improve... :)17:15
johnsomMe too.  Hope your day is going well.17:16
nmagneziSo far so good17:19
*** yamamoto has joined #openstack-lbaas17:20
*** yamamoto has quit IRC17:25
johnsomcgoncalves Ok, so this is the problem with the VIP patch: https://github.com/openstack/octavia/blob/master/octavia/network/drivers/neutron/allowed_address_pairs.py#L59817:26
*** pcaruana has quit IRC17:26
johnsomIt's another one of these where the method works across both amps when it should only act on one.17:26
johnsomSo either that task is at the wrong point in the flow, or needs to be changed to only act on one amphora.17:27
cgoncalvesjohnsom, I don't think it is there. the error is that vip port was not found (L596), so before the for loop17:27
johnsomcgoncalves It is there: http://logs.openstack.org/81/584681/18/check/octavia-v2-act-stdby-dsvm-scenario/73b18a5/controller/logs/screen-o-cw.txt.gz?#_Feb_16_11_53_56_65769717:29
cgoncalvesyou're right17:30
johnsomLooking at the flow, I think that method probably just needs to have the ability to work on one amp. I would need to do a grep to confirm all of it uses, but that would be my approach to fixing this.17:32
johnsomThe only step after is an amp specific call, then it merges back with the other build and reloads the LB details.17:32
*** celebdor has joined #openstack-lbaas17:37
johnsomEh, ok, so this is going to be tricky, as the output of that is used in other tasks and flows. Namely AmphoraVRRPUpdate17:38
johnsomYeah, ok. I would probably do a single amp get details in the parallel flow, then after the merge do a combined call for the later items in the flow to use.17:42
johnsomcgoncalves You or me?17:43
cgoncalvesjohnsom, you17:43
johnsomOk, could you put a story in?17:44
cgoncalvesand a big thank you!17:44
cgoncalvessure17:44
cgoncalveshttps://storyboard.openstack.org/#!/story/200508017:48
cgoncalvesstoryboard is freaking slow17:48
johnsomThanks17:48
johnsomYes it is17:48
*** celebdor has quit IRC17:52
openstackgerritMichael Johnson proposed openstack/octavia master: Fix parallel plug vip  https://review.openstack.org/63899218:24
johnsomcgoncalves ^^^^ That should fix this, however I have not tested it or updated the unit/functionals yet.18:25
openstackgerritMichael Johnson proposed openstack/octavia-tempest-plugin master: Add an active/standby scenario test  https://review.openstack.org/58468118:26
johnsomThat should kick the tires and let me know if it is worth finishing. (or someone else if they have time)18:26
openstackgerritMichael Johnson proposed openstack/octavia master: Fix parallel plug vip  https://review.openstack.org/63899218:28
openstackgerritMichael Johnson proposed openstack/octavia master: Fix the loss of access to barbican secrets  https://review.openstack.org/63764618:57
*** yamamoto has joined #openstack-lbaas19:08
*** yamamoto has quit IRC19:13
cgoncalvesjohnsom, thank you! I'll test it today19:24
johnsomIt's broken19:24
johnsomLooking at it now19:24
cgoncalveslol19:24
openstackgerritMichael Johnson proposed openstack/octavia master: Fix parallel plug vip  https://review.openstack.org/63899219:52
cgoncalvesjohnsom, http://paste.openstack.org/show/745950/20:50
johnsomYeah, same in the gate20:50
johnsomSigh. I will have to load this up in a devstack and poke at it.20:50
johnsomNot sure I'm going to take that on today thoguh20:51
cgoncalveswell, it is Sunday. you prolly shouldn't be near a keyboard anyway :)20:51
johnsomTrue, but need to get these features straightened out.20:52
johnsomI see zuul isn't exactly happy today either. DNS errors, post job permission denied....20:53
cgoncalvestrue20:53
*** yamamoto has joined #openstack-lbaas20:56
*** yamamoto has quit IRC21:01
johnsomcgoncalves I moved the priority of the RHEL 8 down. Let me know if we should pull it from the Stein list21:35
johnsomi.e. if that dependent patch isn't going to land21:36
cgoncalvesjohnsom, ok. yeah, it will depend on that patch being merged21:36
cgoncalveshmm, tempest runs under a different user in CI and thus does not have permissions to read the private key in /etc/octavia/.ssh. is there a hook option in Zuul one can use to run arbitrary commands post-stack/before tempest?21:41
cgoncalvespre-run is pre-stack. run is stack + tempest run, no?21:42
johnsompre-run is a zuul2 legacy job thing right?21:42
cgoncalvesis it? I had imagined not21:42
johnsomOh, ok, yeah, never mind.21:43
johnsomUmmm, yes, that should work21:44
cgoncalvesa play in pre-run?21:46
johnsomyes21:46
cgoncalvesso pre-run is after stack?21:47
johnsombefore21:47
cgoncalvesright. so doesn't help21:47
johnsomAh, I see your problem.  So, hmm, devstack plugin creates that. Tempest isn't running under stack, which makes some sense.21:48
cgoncalvesright21:48
johnsomYou could have your tempest base load a new SSH key into nova that your test knows21:49
cgoncalveswell, one option could be create /etc/octavia/.ssh and set 075521:49
cgoncalves... in pre-run I mean21:49
johnsomSince tempest has an "admin" context it could just overwrite the one devstack loads.21:49
cgoncalvestrue21:50
johnsomThat is what I would do21:50
cgoncalvesuhm, actually no. it would work for the purpose of running tempest, yes, but it would mess up the environment21:52
cgoncalveslike if you run tempest not in a CI environment21:52
johnsomThis is true21:53
cgoncalvesonly idea I have left it the one I had mentioned: create and 0755 /etc/octavia/.ssh in pre-run21:54
johnsomThat isn't awesome either...21:54
cgoncalvesit would be a less pleasant workaround applicable only in upstream CI21:55
cgoncalvesif anyone has other ideas, please share :)21:55
*** rcernin has joined #openstack-lbaas22:00
openstackgerritCarlos Goncalves proposed openstack/octavia-tempest-plugin master: Add iptables-based active/standby scenario test  https://review.openstack.org/63707322:00
johnsomThat path probably doesn't exist yet22:01
johnsomI think you need directory and the a second set file permissions. Since, ansible...22:03
openstackgerritCarlos Goncalves proposed openstack/octavia-tempest-plugin master: Add iptables-based active/standby scenario test  https://review.openstack.org/63707322:03
cgoncalvesgood point22:04
openstackgerritCarlos Goncalves proposed openstack/octavia-tempest-plugin master: Add iptables-based active/standby scenario test  https://review.openstack.org/63707322:04
cgoncalves^ fixed22:05
johnsomAre you sure that is going to set the perms. I thought it didn't22:06
cgoncalveswhy do you think it will not?22:08
cgoncalveshttps://docs.ansible.com/ansible/latest/modules/file_module.html22:08
johnsomIf directory, all intermediate subdirectories will be created if they do not exist. Since Ansible 1.7 they will be created with the supplied permissions.22:08
johnsomOh, right, they will be.... not will not be22:09
johnsomUgh, context switches22:09
openstackgerritCarlos Goncalves proposed openstack/octavia-tempest-plugin master: Add iptables-based active/standby scenario test  https://review.openstack.org/63707322:40
*** yamamoto has joined #openstack-lbaas22:45
*** yamamoto has quit IRC22:49
cgoncalveshmm, devstack plugin sets the private key file with 0600. I missed that23:13
cgoncalvesnext: OCTAVIA_USE_PREGENERATED_SSH_KEY23:13
cgoncalvesbut of course! ansible openssh_keypair module would be handy (new in 2.8). CI has Ansible 2.523:16
*** yamamoto has joined #openstack-lbaas23:17
*** yamamoto has quit IRC23:22
openstackgerritCarlos Goncalves proposed openstack/octavia-tempest-plugin master: Add iptables-based active/standby scenario test  https://review.openstack.org/63707323:27
openstackgerritCarlos Goncalves proposed openstack/octavia-tempest-plugin master: Add iptables-based active/standby scenario test  https://review.openstack.org/63707323:29
openstackgerritMichael Johnson proposed openstack/octavia master: Add crl-file option for certification  https://review.openstack.org/61226923:30
openstackgerritMichael Johnson proposed openstack/octavia master: Add new ssl header into Listener for client certificate  https://review.openstack.org/61227023:30
openstackgerritMichael Johnson proposed openstack/octavia master: L7rule support client certificate cases  https://review.openstack.org/61227123:31
« Saturday, 2019-02-23 Index Monday, 2019-02-25 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!