Tuesday, 2019-02-26

00:06 <openstackgerrit> Ghanshyam Mann proposed openstack/octavia-tempest-plugin master: Fix barbican service_available check  https://review.openstack.org/639083
00:15 *** fnaval has quit IRC
00:16 *** eandersson has quit IRC
00:17 *** eandersson_ has joined #openstack-lbaas
00:22 <cgoncalves> rm_work, depends. if I like what you have for me, sure. otherwise, I'll play the card of "have to check with management first" ;-)
00:22 <rm_work> lol
00:22 * johnsom is familiar with "check with management via /dev/null"
00:24 * cgoncalves throws in the "pass" card
00:28 <colin-> s/null/urandom/
00:45 *** sapd1 has joined #openstack-lbaas
01:02 *** fnaval has joined #openstack-lbaas
01:04 *** Swami has quit IRC
01:24 *** yamamoto has joined #openstack-lbaas
01:26 <sapd1> hi johnsom, currently Nova has supported creating an instance with a specified volume_type for bdmv2 ( https://github.com/openstack/nova/blob/master/nova/api/openstack/api_version_request.py#L165)
01:27 <sapd1> do we need a function to create the volume? In other words, do we need to split cinder into another module?
01:28 <johnsom> Yes, that was one of my comments. The other was that it fails when tested.
01:28 <johnsom> If I can clear the rest of these TLS patches, the volume based was next on my list of things to work on trying to get into Stein.
01:29 <johnsom> I have two and a half TLS patches left.
01:29 *** yamamoto has quit IRC
01:29 <johnsom> The test gate is here: https://review.openstack.org/#/c/638293/
01:30 <johnsom> If you are saying the new nova capability would allow us to remove "_create_cinder_volume()", then that might be an easy path forward.
01:31 <johnsom> My concern was we are calling out to cinder from inside the compute driver, which doesn't fit our model.
01:55 <sapd1> johnsom: Yes. I think we can use this new feature in nova_driver. But it will not work with old nova versions (before rocky).
01:55 <johnsom> sapd1 That is a bummer, we currently support a very old version of nova API.
01:55 *** hongbin has joined #openstack-lbaas
01:56 <johnsom> Maybe it's best to keep doing what we have, but just reorganize it
01:56 <sapd1> johnsom: I think so.
01:56 <sapd1> johnsom: I have just relocated to Korea, so it takes some days to get back to work.
01:57 <johnsom> Yeah, moves definitely slow things down.
01:57 <johnsom> sapd1 Like I mentioned earlier, if I have time, I will work on the patch. I need to prioritize the TLS work first though.
02:01 <sapd1> johnsom: yeah
02:06 *** abaindur has quit IRC
02:53 *** Dinesh_Bhor has joined #openstack-lbaas
02:56 *** psachin has joined #openstack-lbaas
02:57 *** sapd1 has quit IRC
03:00 *** yamamoto has joined #openstack-lbaas
03:04 *** sapd1 has joined #openstack-lbaas
03:14 *** sapd1 has quit IRC
03:33 *** hongbin has quit IRC
03:36 *** ramishra has joined #openstack-lbaas
03:57 *** yamamoto has quit IRC
03:58 *** yamamoto has joined #openstack-lbaas
04:00 *** yamamoto has quit IRC
04:25 *** yamamoto has joined #openstack-lbaas
04:26 *** yamamoto has quit IRC
04:30 *** yamamoto has joined #openstack-lbaas
04:56 <openstackgerrit> guang-yee proposed openstack/octavia master: Update osutil support for SUSE distro  https://review.openstack.org/541811
05:32 *** ramishra has quit IRC
05:38 *** ramishra has joined #openstack-lbaas
06:22 *** gcheresh has joined #openstack-lbaas
06:23 *** ivve has joined #openstack-lbaas
06:36 *** gcheresh has quit IRC
06:50 <openstackgerrit> Jacky Hu proposed openstack/octavia-dashboard master: WIP: Add load balancer flavor support  https://review.openstack.org/638365
07:27 *** ccamposr has joined #openstack-lbaas
07:31 *** ramishra has quit IRC
07:32 *** ramishra has joined #openstack-lbaas
07:35 *** logan- has quit IRC
07:37 *** logan- has joined #openstack-lbaas
07:45 *** gcheresh has joined #openstack-lbaas
07:56 *** rcernin has quit IRC
08:00 *** abaindur has joined #openstack-lbaas
08:29 *** abaindur has quit IRC
08:31 *** celebdor has joined #openstack-lbaas
08:35 *** pcaruana has joined #openstack-lbaas
09:43 *** fnaval has quit IRC
09:45 *** yboaron_ has joined #openstack-lbaas
09:49 *** sapd1 has joined #openstack-lbaas
09:53 *** yboaron_ has quit IRC
09:53 *** yboaron_ has joined #openstack-lbaas
09:53 *** yamamoto has quit IRC
10:10 *** yamamoto has joined #openstack-lbaas
10:21 *** yamamoto has quit IRC
10:26 *** yamamoto has joined #openstack-lbaas
10:26 *** salmankhan has joined #openstack-lbaas
10:32 *** Dinesh_Bhor has quit IRC
10:55 <openstackgerrit> Merged openstack/octavia master: Add client_ca_tls_container_ref to listener API  https://review.openstack.org/612267
11:04 <openstackgerrit> Merged openstack/octavia master: Add an option to the Octavia V2 listener API for client cert  https://review.openstack.org/612268
11:07 <openstackgerrit> Merged openstack/octavia master: Add crl-file option for certification  https://review.openstack.org/612269
11:07 <openstackgerrit> Merged openstack/octavia master: Add new ssl header into Listener for client certificate  https://review.openstack.org/612270
11:07 <openstackgerrit> Merged openstack/octavia master: L7rule support client certificate cases  https://review.openstack.org/612271
11:40 *** psachin has quit IRC
12:10 *** yamamoto has quit IRC
12:15 *** yamamoto has joined #openstack-lbaas
12:27 *** logan_ has joined #openstack-lbaas
12:28 *** logan_ is now known as Guest11647
12:28 *** dmellado_ has joined #openstack-lbaas
12:30 *** dayou has quit IRC
12:30 *** cgoncalves has quit IRC
12:30 *** yboaron_ has quit IRC
12:30 *** dosaboy has quit IRC
12:30 *** dmellado has quit IRC
12:30 *** logan- has quit IRC
12:30 *** ramishra has quit IRC
12:30 *** openstackgerrit has quit IRC
12:30 *** dmellado_ is now known as dmellado
12:30 *** yboaron_ has joined #openstack-lbaas
12:31 *** Guest11647 is now known as logan-
12:31 *** dayou has joined #openstack-lbaas
12:32 *** cgoncalves has joined #openstack-lbaas
12:38 *** ramishra_ has joined #openstack-lbaas
12:47 *** henriqueof has joined #openstack-lbaas
13:15 <rm_work> johnsom: ahhh i think... did i misunderstand client_ca_tls_container_ref when you asked the other day?
13:15 <rm_work> i thought you were asking about an old one?
13:15 <rm_work> i would definitely not have named it that for a totally new field <_<
13:15 <rm_work> maybe client_ca_tls_ref <_<
13:15 <rm_work> i thought you were talking about doing work to rename an old typwe
13:15 <rm_work> *typw
13:15 <rm_work> *type
13:16 <rm_work> because the old ones are technically a ref to a container whether it's a "barbican container" or a "secret containing a certbag container"
13:16 <rm_work> the new one... is not a container in any way/shape/form
13:16 <rm_work> but we still have time to fix that I guess
13:16 <rm_work> ?
13:24 *** trown|outtypewww is now known as trown
13:40 *** yamamoto has quit IRC
13:40 *** yamamoto has joined #openstack-lbaas
13:51 *** dosaboy has joined #openstack-lbaas
14:02 <zigo> Hi. When I create a load balancer, I get: "An auth plugin is required to fetch a token (HTTP 500)", what's missing?
14:23 <rm_work> Probably the service_auth section of the config for the API process
14:23 <rm_work> Or ... The other auth section. There's two. I always forget how they're different.
14:24 <rm_work> One is for dealing with nova/neutron/etc as a service, the other is for authentication with keystone for request tokens
14:24 <rm_work> Check to make sure you have both I guess
14:27 *** ivve has quit IRC
14:44 <henriqueof> I've got a problem with octavia as ingress controller for kubernetes, can I get help here?
14:49 <henriqueof> When it creates a load balancer it fails when updating the pool members.
15:14 <johnsom> rm_work: you did, that was exactly what I was asking about
15:15 <johnsom> henriqueof: you are in the right place, what is the issue you are seeing?
15:16 <sapd1> henriqueof: Could you check the octavia-worker log?
15:16 <zigo> rm_work: You are correct, that was it, now it looks like the API works.
15:17 <henriqueof> Logs: https://pastebin.com/N0DrxWYd
15:17 <zigo> rm_work: Now, I am having an issue with Octavia's PKI. I haven't done anything about this, so of course, octavia-worker just crashes, not being able to sign anything.
15:18 <zigo> rm_work: The bin/create_certificates.sh script just crashes on me... Is there a better tutorial or something I could rely on?
15:18 <sapd1> henriqueof: Seems like your octavia-worker can't connect to the amphora. Could you ping the amphora after they are created?
15:19 <sapd1> henriqueof: what network type is this subnet 192.168.0.0/x ? VLAN or Overlay (VXLAN/GRE)
15:19 <zigo> Hum... This maybe: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html :)
15:20 <sapd1> zigo: how does it crash?
15:20 <henriqueof> sapd1: 192.168.0.0/24 (lb-mgmt-net) is of type vxlan as per plugin.sh on the devstack deployment script.
15:22 <sapd1> henriqueof: Have you created a port on this network and bound it to the host which is running octavia-worker? After creating the port, you need to add-port it to the openvswitch br-int bridge (type internal) and get DHCP for that interface.
15:22 <sapd1> then you can check by pinging the dhcp port or gateway. now you can create a load balancer.
15:22 <henriqueof> sapd1: Yes, I did and it bound to the correct IP.
15:23 <sapd1> henriqueof: Sorry, I'm wrong.
15:24 <henriqueof> I have a question, I changed the bind_ip on the health_manager of the octavia configs to the IP on that interface instead of the controller node IP, is that correct?
15:24 <sapd1> henriqueof: yes. it's correct
15:25 <henriqueof> sapd1: The problem I am seeing is on the batch_update_members call, looks like some parameters are invalid.
15:26 <sapd1> henriqueof: yes. I saw it.
15:27 <henriqueof> I checked the pool's member list on Horizon, they're there...
15:28 <johnsom> zigo: that guide is what you want.
15:28 <sapd1> henriqueof: what version of octavia are you running?
15:29 <henriqueof> sapd1: It was deployed by kolla yesterday, used the stable/rocky tag.
15:32 <johnsom> henriqueof: It looks like your database is failing. Check the connection string and if you have multiple instances listed that both are syncing the octavia database.
15:33 <henriqueof> Another question, on Horizon the load balancer panel shows one IP on the public network and on the instances panel I see another floating IP, shouldn't they be the same? Also, I can't ping either of them.
15:34 *** mloza has joined #openstack-lbaas
15:35 *** sapd1 has quit IRC
15:35 *** fnaval has joined #openstack-lbaas
15:37 <johnsom> Ping is disabled in a security group, that is normal. Same with the instance and vip being different IPs.  It isn’t a float though. We don’t manage floating IPs.
15:37 *** yamamoto has quit IRC
15:38 *** yamamoto has joined #openstack-lbaas
15:38 *** yamamoto has quit IRC
15:39 *** yamamoto has joined #openstack-lbaas
15:39 *** yamamoto has quit IRC
15:42 <henriqueof> johnsom: Thanks!
15:43 *** fnaval has quit IRC
15:45 *** gcheresh has quit IRC
15:49 <henriqueof> sapd1: Can this be a database related problem like johnsom said?
15:52 *** roukoswarf has joined #openstack-lbaas
15:52 <mloza> hello, is it possible there way to tell octavia just create a new listener in existing loadbalancer but not create a new one?
15:52 <mloza> hello, is there a way to tell octavia to just create a new listener in an existing loadbalancer but not create a new one?*
15:56 *** fnaval has joined #openstack-lbaas
16:00 <johnsom> mloza Yes.
16:01 <johnsom> mloza You can have as many listeners on a load balancer as there are TCP/UDP ports.
16:02 <henriqueof> johnsom: How do you recommend me to check those database connection errors? I made some queries and tested the management vip and everything seems to be working...
16:03 <roukoswarf> johnsom:  but lets say if i have multiple components on multiple external ports in a project, but dont want to have a bloat of 12 extra amphora instead of just 2, could that be done?
16:03 <johnsom> henriqueof I would check the configuration of Octavia for each of the controller instances, i.e. do they have the same DB connection strings. Then check those DB endpoints that they are all syncing the octavia database.
16:04 <johnsom> roukoswarf Yes. As many ports on a single load balancer as you want.
16:04 <johnsom> Up to 65535 lol
16:07 <henriqueof> johnsom: I have only one controller node and I can connect a mysql client and make queries from there, also no other service seems to be facing problems with the database, can this be an outdated schema?
16:08 <roukoswarf> johnsom: the ui confused me, i didnt notice pools were per listener, that makes more sense. so i guess my real problem is how do i get kubernetes integration to create listeners instead of full new loadbalancers...
16:08 <johnsom> henriqueof Maybe. You can use octavia-db-manage to make sure you have the current schema
16:09 *** yboaron_ has quit IRC
16:09 <johnsom> roukoswarf Ok, cool.  Good luck!
16:12 <henriqueof> roukoswarf: I was using Octavia ingress controllers, it creates only one LB and the controller keeps track of where traffic goes, the bad news is that I am facing a problem right now to make it work.
16:12 <henriqueof> For reference: https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-octavia-ingress-controller.md
16:19 *** yamamoto has joined #openstack-lbaas
16:22 <zigo> Now I am getting: novaclient.exceptions.Conflict: Multiple possible networks found, use a Network ID to be more specific.
16:22 <zigo> How to fix that one?
16:22 <zigo> Where's that network id to fix?
16:23 <zigo> Is it amp_boot_network_list ?
16:23 <johnsom> Hmm, this is during LB create?
16:23 <zigo> johnsom: Yeah.
16:24 *** yamamoto has quit IRC
16:24 <johnsom> Yeah, check that setting "amp_boot_network_list" It typically is just one network ID
16:25 <zigo> johnsom: So, I should give the lb-mgmt-net ?
16:25 <johnsom> Yes
16:25 <zigo> ok, thanks.
16:25 <colin-> it will still expect a list type tho iirc
16:26 <zigo> johnsom: Oh, btw, one question... If I have my cloud set on 2 data centers, can I use different lb-mgmt-net depending on which compute it starts?
16:26 <zigo> Currently, it's in only one DC, but we expect to grow it to the 2nd one ...
16:26 <colin-> disregard my last
16:27 <johnsom> zigo We do not have that capability at this time.
16:27 <zigo> Ok.
16:27 <johnsom> zigo Please feel free to create a storyboard story for us that describes your need/expectations for that configuration.
16:28 <johnsom> https://storyboard.openstack.org/#!/dashboard/stories
16:28 <zigo> Thanks.
16:32 *** pcaruana has quit IRC
16:34 <henriqueof> johnsom: still no luck, it says 'Creating load balancer '5ecbb7ed-c3fa-4c2e-8d4d-d1da7efe7f4e'...' and right after 'Failed to fetch load_balancer 5ecbb7ed-c3fa-4c2e-8d4d-d1da7efe7f4e from DB', with 7ms difference, can this be a concurrency problem?
16:34 <henriqueof> Also, after I query for the id it returns correctly...
16:39 <johnsom> henriqueof I don't think so. We would have been hit with a bunch of people if there was a concurrency problem. Plus we do significant locking in our code to avoid that.  This really seems like a DB issue. I haven't heard anyone with this issue before.
16:39 <johnsom> What DB are you using?
16:43 <henriqueof> I am using kolla-ansible to deploy, it uses MariaDB 10.1, I haven't changed anything on the database configuration.
16:45 <johnsom> I haven't used kolla, but mariadb should be fine. It supports transactions.
16:46 <johnsom> [database]
16:46 <johnsom> connection = mysql+pymysql://<user>:<password>@127.0.0.1:3306/octavia
16:46 <johnsom> You have something like that in your octavia.conf for each of the controller processes right?
16:49 <henriqueof> Yup.
16:49 <henriqueof> I am rebooting my controller node, will let you know in a moment.
16:50 *** celebdor has quit IRC
16:50 <zigo> # openstack loadbalancer delete --cascade 305092e2-668e-4730-a556-d19f962bf4f2
16:50 <zigo> Invalid state PENDING_CREATE of loadbalancer resource 305092e2-668e-4730-a556-d19f962bf4f2 (HTTP 409) (Request-ID: req-2b8de7fe-05f1-4d8b-943f-c59517544eb6)
16:50 <zigo> :/
16:50 <zigo> What am I supposed to do then?
16:51 <zigo> I need to do that, because security group setup was wrong, and therefore, I guess that's why the SSL cert is wrong too...
16:52 <zigo> johnsom: ^
16:53 <johnsom> zigo You have to wait for the controller to finish its retries. Anything in a PENDING_* state means a controller has ownership of the resource and is actively working on it. After the timeout it will go to ERROR and will be delete-able.  The timeout is set in your config.
16:53 <zigo> johnsom: Oh ok, thanks.
16:54 <zigo> johnsom: So, I guess I can tweak the timeout, and restart Octavia components, no?
16:54 <johnsom> The default is 25 minutes (though there is a patch up to drop that down a bit). It's an item for tuning in production.
16:59 <zigo> #connection_max_retries = 300 and #connection_retry_interval = 5, I guess ... :P
17:04 <zigo> I changed the value, restarted the worker, now it's not trying to connect anymore ... :/
17:08 *** openstackgerrit has joined #openstack-lbaas
17:08 <openstackgerrit> Vlad Gusev proposed openstack/octavia stable/rocky: Fix grenade job to clone Octavia from base branch  https://review.openstack.org/639349
17:31 <openstackgerrit> Vlad Gusev proposed openstack/octavia stable/queens: Add error logging for amphora agent exceptions  https://review.openstack.org/639395
17:41 *** yamamoto has joined #openstack-lbaas
17:42 *** Adri2000 has joined #openstack-lbaas
17:42 <Adri2000> hello
17:42 <johnsom> Hi
17:42 <colin-> hello
17:43 <henriqueof> Nope, the problem persists. ;-;
17:43 <Adri2000> I'm using queens, and it looks like my octavia-dashboard is trying to connect to the neutron lbaas api instead of the octavia api endpoint... where should I look to fix this?
17:44 <johnsom> Adri2000 Did you install https://github.com/openstack/octavia-dashboard ?
17:44 <johnsom> Adri2000 Make sure you do not have https://github.com/openstack/neutron-lbaas-dashboard installed
17:46 *** yamamoto has quit IRC
17:48 <Adri2000> johnsom: yes, and I'm using the /project/load_balancer dashboard page
17:48 <johnsom> henriqueof Can you check the "drivers" you have loaded? Maybe you have noop drivers enabled for one of the controllers.
17:48 <Adri2000> johnsom: dashboard error is "Unable to retrieve load balancers.", and apache log says "Not Found: /api/lbaas/loadbalancers/"
17:49 <henriqueof> johnsom: Where can I check this info? I have only one controller node.
17:50 <johnsom> Adri2000 That sounds like keystone has a bad endpoint defined.
17:50 <johnsom> https://www.irccloud.com/pastebin/UfCBK4e4/
17:51 <Adri2000> johnsom: looks good, also `openstack loadbalancer list` works perfectly
17:51 <johnsom> henriqueof It's in /etc/octavia/octavia.conf  Search for driver and make sure none of them are set to "noop"
17:51 <henriqueof> johnsom: I tried enabling debug on octavia worker, no relevant info, the error occurs always in the same pattern, it creates a DB object and fails to retrieve it right after.
17:53 <henriqueof> johnsom: Just checked, none of the drivers in Octavia conf are set to noop.
17:53 <johnsom> Adri2000 Can you check that you ran the steps listed here: https://github.com/openstack/octavia-dashboard/blob/master/README.rst
17:54 <johnsom> Adri2000 Also check that you only have one enable file in ${HORIZON_DIR}/openstack_dashboard/local/enabled/
17:57 *** trown is now known as trown|lunch
18:01 <Adri2000> johnsom: the whole cloud is deployed using openstack-ansible, so haven't done all of this myself, openstack-ansible probably did :s
18:01 <Adri2000> I have a lot in this directory, including _1482_project_load_balancer_panel.py{,c}
18:01 <johnsom> 1842 is the right one, I just want to make sure there isn't another one for load_balancer.
18:02 <Adri2000> just removed _1481_project_ng_loadbalancersv2_panel.pyc (pyc only) that was still there, no effect for now
18:02 <johnsom> Ok, so that means neutron-lbaas is either installed or was installed.  That will cause a problem.
18:02 <Adri2000> all the rest is heat/magnum/sahara related it seems
18:02 <Adri2000> indeed
18:02 <Adri2000> it was installed, though maybe not properly "uninstalled"
18:03 <Adri2000> I'll try to redeploy horizon from scratch then
18:03 <johnsom> You need to uninstall neutron-lbaas-dashboard, remove the 1481 file, then re-run the $ ./manage.py collectstatic
18:03 <johnsom> $ ./manage.py compress commands.
18:04 <johnsom> You also might need to remove the static content directory under horizon, then re-run the two commands to rebuild it.
18:05 <Adri2000> johnsom: generally, you'd say it's a bad idea to have both neutron-lbaas and octavia (and their respective dashboards) deployed at the same time? (was thinking to allow a transition timeframe for users)
18:05 <johnsom> They do run together, but there is a known issue with both dashboards installed.
18:08 <Adri2000> johnsom: ok, thanks for that info, it really really helps. I'm a bit out of time for today so will try the horizon/neutron-lbaas cleanup/redeploy tomorrow... have a nice evening or whatever time of the day it is :)
18:09 <johnsom> No problem
18:13 *** yamamoto has joined #openstack-lbaas
18:16 *** amuller has joined #openstack-lbaas
18:18 *** yamamoto has quit IRC
18:34 *** salmankhan has quit IRC
18:40 <openstackgerrit> Vlad Gusev proposed openstack/octavia stable/rocky: Fix grenade job to clone Octavia from base branch  https://review.openstack.org/639349
18:40 <openstackgerrit> Vlad Gusev proposed openstack/octavia stable/rocky: Fix grenade job to clone Octavia from base branch  https://review.openstack.org/639349
18:50 *** Swami has joined #openstack-lbaas
19:04 *** henriqueof has quit IRC
19:06 *** ccamposr has quit IRC
19:09 *** ramishra_ has quit IRC
19:18 *** trown|lunch is now known as trown
19:20 *** dayou has quit IRC
19:21 *** dayou has joined #openstack-lbaas
19:33 *** yamamoto has joined #openstack-lbaas
19:37 *** abaindur has joined #openstack-lbaas
19:37 *** yamamoto has quit IRC
19:43 *** henriqueof has joined #openstack-lbaas
19:45 *** yamamoto has joined #openstack-lbaas
19:50 *** abaindur has quit IRC
19:50 *** yamamoto has quit IRC
19:51 *** abaindur has joined #openstack-lbaas
20:09 <rm_work> johnsom: yeah just went back and re-read those messages, ffff
20:09 *** salmankhan has joined #openstack-lbaas
20:09 <rm_work> I was definitely in the mindset of the existing fields, but you did say the client one
20:10 <rm_work> I was referencing pkcs12 and API changes
20:10 <rm_work> Neither of which apply to the new thing T_T
20:10 <colin-> https://docs.openstack.org/octavia/latest/configuration/configref.html#networking.reserved_ips does this accept cidr notations?
20:16 *** yamamoto has joined #openstack-lbaas
20:18 <johnsom> colin- No
20:18 <johnsom> https://github.com/openstack/octavia/blob/master/octavia/common/validate.py#L405
20:20 <colin-> rats
20:21 *** yamamoto has quit IRC
20:21 *** roukoswarf has quit IRC
20:28 <johnsom> colin- Curious on the use case.  We basically added that so members can't point to metadata service addresses (If you use them in your cloud).
20:44 <zigo> johnsom: I fixed most issues, though now, the octavia-worker logs "SSL: CERTIFICATE_VERIFY_FAILED" when trying to connect to port 9443 of the load balancer.
20:44 <zigo> What can I do here? Is there a --insecure thing somewhere?
20:44 <zigo> So I can at least validate that things are working ...
20:46 <zigo> Also, I do have barbican in place, can't I just direct Octavia to use it instead of doing all of this manual stuff?
20:47 <zigo> I see the insecure in [certificates], is that enough?
20:48 *** takamatsu_ has quit IRC
20:50 *** takamatsu_ has joined #openstack-lbaas
20:51 *** abaindur has quit IRC
20:54 *** abaindur has joined #openstack-lbaas
20:58 *** abaindur has quit IRC
21:10 *** celebdor has joined #openstack-lbaas
21:19 <johnsom> zigo You need to follow this guide, then build a new load balancer.  https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
21:19 *** amuller has quit IRC
21:19 <johnsom> Also, barbican only stores certs, it doesn't create them, so can't be used for this.
21:21 <zigo> johnsom: I did follow it bit by bit.
21:21 <zigo> johnsom: But still, I have this issue...
21:23 <johnsom> zigo Your [haproxy_amphora] server_ca is wrong
21:25 *** yamamoto has joined #openstack-lbaas
21:26 <zigo> johnsom: It doesn't look wrong ... :/
21:27 <zigo> johnsom: Oh, also, I noticed that the script to create the amphora doesn't work by default on Debian.
21:27 <zigo> We'll need to fix this.
21:27 <zigo> :P
21:27 <zigo> (if you didn't know, I've been packaging OpenStack in Debian since the Cactus release in 2011)
21:28 <johnsom> Well, I know a few people including myself have run through that cert guide with success.  Let me get you some debug steps.
21:28 <johnsom> zigo Yeah, nice.  Would be happy to have that fixed for folks
21:28 <zigo> I intend to make a Buster image instead of Xenial, using my own tool instead of dib. But let's talk about this later...
21:29 <zigo> Probably I can even make an official Debian amphora image at http://cdimage.debian.org/cdimage/openstack/
21:29 <johnsom> So, from the controller, do a "openssl s_client -connect 192.168.0.114:9443" to your amp. You will need to ctrl-c out of that
21:30 <johnsom> At the very top of the output, you will see the cert chain:
21:30 <johnsom> https://www.irccloud.com/pastebin/seWN3fFL/
21:30 *** yamamoto has quit IRC
21:31 <johnsom> Then do a "openssl x509 -in <path to your server_ca.cert.pem in your octavia.conf [haproxy_amphora] section> -noout -text"
21:31 <johnsom> Compare the chain.
21:31 <zigo> Doing that...
21:31 <johnsom> The 1 cert should match the subject of the cert on the controller
21:32 <johnsom> In my case: Subject: C = US, ST = Denial, L = Springfield, O = Dis, CN = www.example.com
21:33 <zigo> johnsom: http://paste.openstack.org/show/746308/
21:33 <zigo> So, issue even with openssl ...
21:34 <zigo> Maybe because Xenial is too old?
21:34 <zigo> Is there a way to have the amphora use something newer than Xenial?
21:34 <johnsom> Well, xenial isn't too old, but we also support bionic
21:35 <johnsom> Ok, does this "/C=CH/ST=Geneva/L=Carouge/O=OCI/OU=Production/CN=clint1-controller-1.infomaniak.ch" match the subject in the certificate on the controller?
21:36 <zigo> Oh, so the CN may be wrong ...
21:37 <zigo> CN should be the address of my VIP or what?
21:37 <zigo> (I mean, same address as endpoints?)
21:37 <johnsom> No, it doesn't have to be a proper CN hostname, we override that
21:38 <zigo> Though the rest needs to match?
21:38 <johnsom> the server_ca.cert.pem file must be the CA cert for that amp endpoint.  The full distinguished name must match.
21:39 <johnsom> What is the subject line from this command: openssl x509 -in <path to your server_ca.cert.pem in your octavia.conf [haproxy_amphora] section> -noout -text
21:40 *** eandersson_ is now known as eandersson
21:40 <zigo> http://paste.openstack.org/show/746310/
21:40 <zigo> So, not matching, it looks like.
21:41 <zigo> So, I probably should redo all the tutorial from scratch, and pay attention that it matches /C=CH/ST=Geneva/L=Carouge/O=OCI/OU=Production/CN=clint1-controller-1.infomaniak.ch ...
21:41 <zigo> Right?
21:52 <johnsom> Yep. That is the problem, the server_ca.cert.pem is not the right certificate
21:54 *** salmankhan has quit IRC
21:54 <zigo> johnsom: I re-did all, and I have the same problem... :/
21:54 <zigo> CERTIFICATE_VERIFY_FAILED
21:56 *** yamamoto has joined #openstack-lbaas
21:59 *** henriqueof has quit IRC
22:01 *** yamamoto has quit IRC
22:05 *** rcernin has joined #openstack-lbaas
22:16 <colin-> johnsom: just me being lazy and trying to enforce human policy constructs through your API config :)
22:16 <colin-> wanted to black list certain networks from eligibility in a concise way
22:16 <colin-> (as opposed to a white list on the valid_vip_networks
22:17 <colin-> )
22:17 <johnsom> colin- I think that could be added pretty easily if you find value. Create a story for us if you want it.  Probably won't make Stein, but could go in Train.
22:19 <colin-> nice, thanks, will open one if it looks like we want to use it
22:35 <openstackgerrit> Merged openstack/octavia stable/queens: Add error logging for amphora agent exceptions  https://review.openstack.org/639395
22:49 *** henriqueof has joined #openstack-lbaas
22:49 *** fnaval has quit IRC
22:51 *** abaindur has joined #openstack-lbaas
23:17 *** yamamoto has joined #openstack-lbaas
23:18 *** celebdor has quit IRC
23:21 *** yamamoto has quit IRC
23:28 *** henriqueof has quit IRC
23:33 *** sapd1 has joined #openstack-lbaas
23:34 <openstackgerrit> Merged openstack/python-octaviaclient master: Add 'client_ca_tls_container_ref' in Listener on client side  https://review.openstack.org/616158
23:34 *** fnaval has joined #openstack-lbaas
23:42 <openstackgerrit> Merged openstack/python-octaviaclient master: Add 'client_authentication' in Listener on client  https://review.openstack.org/616879
23:42 <openstackgerrit> Merged openstack/python-octaviaclient master: Add client_crl_container_ref for Listener API in CLI  https://review.openstack.org/617619
23:42 <openstackgerrit> Merged openstack/python-octaviaclient master: Add 4 l7rule types into Octavia CLI  https://review.openstack.org/618716
23:43 *** henriqueof has joined #openstack-lbaas
23:55 *** yamamoto has joined #openstack-lbaas

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!