Friday, 2019-05-31

*** ianychoi has joined #openstack-lbaas		00:00
*** mithilarun has quit IRC		00:55
*** mithilarun has joined #openstack-lbaas		00:56
*** mithilarun has quit IRC		01:00
v1k0d3n	hey folks. can someone tell me what may be causing this error in the octavia logs `Exception during message handling: Error: [('PEM routines', 'get_name', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]`	01:13
v1k0d3n	obviously i'm assuming it's something with my pem file, but i tried following the instructions on how to set this up. that kinda got me to this point, and now i'm scratching my head a bit.	01:13
*** yamamoto has joined #openstack-lbaas		01:16
openstackgerrit	sunkai proposed openstack/neutron-lbaas master: touch a test.sh for myself https://review.opendev.org/662372	02:17
*** ricolin has joined #openstack-lbaas		02:54
johnsom	v1k0d3n: view your private key files, they should have a text header. Double check you followed the instructions accurately, they have been widely used/tested. If they are binary files, you generated DER format instead of PEM as the instructions list.	03:11
v1k0d3n	that was the first thing i checked actually	03:13
v1k0d3n	johnsom: it's definitely text. the guide is how i created them.	03:13
johnsom	Maybe the controller process doesn’t have permission to read it?	03:14
v1k0d3n	hmmm...now that could be.	03:15
v1k0d3n	let me check.	03:15
v1k0d3n	octavia owns is	03:17
v1k0d3n	i would imagine it needs to be 600 still, right?	03:18
johnsom	Yes	03:18
*** sapd1_x has joined #openstack-lbaas		03:59
*** sapd1_x has quit IRC		04:07
*** pcaruana has joined #openstack-lbaas		05:03
*** ricolin has quit IRC		05:05
*** rcernin has quit IRC		05:07
*** ramishra_ has quit IRC		05:26
*** ramishra has joined #openstack-lbaas		05:42
*** yamamoto has quit IRC		06:01
*** rcernin has joined #openstack-lbaas		06:10
*** sapd1_x has joined #openstack-lbaas		06:11
*** mkuf_ has joined #openstack-lbaas		06:11
*** mkuf has quit IRC		06:12
*** mkuf has joined #openstack-lbaas		06:17
*** mkuf_ has quit IRC		06:21
*** luksky has joined #openstack-lbaas		06:30
*** yamamoto has joined #openstack-lbaas		06:36
*** yamamoto has quit IRC		06:41
*** yamamoto has joined #openstack-lbaas		06:41
*** ramishra has quit IRC		06:47
*** ramishra has joined #openstack-lbaas		06:49
*** yamamoto has quit IRC		06:51
openstackgerrit	Gregory Thiemonge proposed openstack/octavia-tempest-plugin master: Add UDP test scenario https://review.opendev.org/656515	06:59
*** yamamoto has joined #openstack-lbaas		06:59
*** ccamposr has quit IRC		07:01
*** ivve has quit IRC		07:01
*** ccamposr has joined #openstack-lbaas		07:08
*** tesseract has joined #openstack-lbaas		07:12
*** yamamoto has quit IRC		07:18
*** yamamoto has joined #openstack-lbaas		07:24
*** luksky has quit IRC		07:45
*** rcernin has quit IRC		07:52
*** sapd1_x has quit IRC		07:58
*** happyhemant has joined #openstack-lbaas		08:05
*** luksky has joined #openstack-lbaas		08:29
*** ramishra has quit IRC		08:46
*** ramishra has joined #openstack-lbaas		08:46
*** sapd1_x has joined #openstack-lbaas		09:19
*** yboaron_ has quit IRC		09:36
*** yboaron_ has joined #openstack-lbaas		09:37
openstackgerrit	Gregory Thiemonge proposed openstack/octavia-tempest-plugin master: Add UDP test scenario https://review.opendev.org/656515	09:42
*** gthiemon1e is now known as gthiemonge		09:46
*** yamamoto has quit IRC		09:58
*** yboaron_ has quit IRC		10:07
openstackgerrit	Gregory Thiemonge proposed openstack/octavia stable/queens: DNM Testing CI https://review.opendev.org/662428	10:27
*** yamamoto has joined #openstack-lbaas		10:32
*** yboaron_ has joined #openstack-lbaas		10:38
*** yamamoto has quit IRC		10:40
*** yboaron_ has quit IRC		10:40
*** yboaron_ has joined #openstack-lbaas		10:41
*** yboaron_ has quit IRC		10:46
*** yboaron_ has joined #openstack-lbaas		10:51
*** yboaron_ has quit IRC		10:53
*** yboaron_ has joined #openstack-lbaas		10:54
*** yboaron_ has quit IRC		10:56
*** yboaron_ has joined #openstack-lbaas		10:56
*** yboaron_ has quit IRC		10:58
*** yboaron_ has joined #openstack-lbaas		10:59
*** yboaron_ has quit IRC		11:04
*** yboaron_ has joined #openstack-lbaas		11:07
*** yboaron_ has quit IRC		11:09
*** yboaron_ has joined #openstack-lbaas		11:10
*** yboaron_ has quit IRC		11:12
*** yboaron_ has joined #openstack-lbaas		11:15
*** yboaron_ has quit IRC		11:16
*** yboaron_ has joined #openstack-lbaas		11:17
*** sapd1_x has quit IRC		11:18
*** yboaron_ has quit IRC		11:22
*** yboaron_ has joined #openstack-lbaas		11:38
*** yboaron_ has quit IRC		11:42
*** yboaron_ has joined #openstack-lbaas		11:44
*** yboaron_ has quit IRC		11:47
*** logan- has quit IRC		12:07
*** logan- has joined #openstack-lbaas		12:07
*** boden has joined #openstack-lbaas		12:11
*** openstack has joined #openstack-lbaas		12:30
*** ChanServ sets mode: +o openstack		12:30
*** yamamoto has joined #openstack-lbaas		12:32
*** yamamoto has quit IRC		12:36
*** ramishra has quit IRC		12:59
*** ramishra has joined #openstack-lbaas		12:59
*** yamamoto has joined #openstack-lbaas		13:07
*** goldyfruit has joined #openstack-lbaas		13:23
boden	Hi, I have a question regarding oslo.config and how to handle duplicate opts... Currently both Octavia and Neutron register the 'host' opt (https://opendev.org/openstack/octavia/src/branch/master/octavia/common/config.py#L39) so there's a collision when trying to use neutron + octavia	13:29
boden	ERROR octavia DuplicateOptError: duplicate option: host	13:29
boden	What's the best way to handle this scenario?	13:29
*** yamamoto has quit IRC		13:50
*** yamamoto has joined #openstack-lbaas		13:51
*** yamamoto has quit IRC		13:51
boden	I created a bug https://storyboard.openstack.org/#!/story/2005808	13:51
*** yamamoto has joined #openstack-lbaas		13:51
*** yamamoto has quit IRC		13:56
*** yamamoto has joined #openstack-lbaas		14:01
*** yamamoto has quit IRC		14:05
johnsom	boden: They are separate processes, how are you getting them mixed?	14:12
boden	johnsom I think by (non-neutron) code that uses both neutron and octavia	14:13
boden	isn't it realistic to think some consumer could use the APIs from both neutron and octavia? if so, this issue becomes apparent	14:13
johnsom	boden: nothing should ever import octavia code.	14:14
boden	johnsom I think the reality is some people are still transisitoning to octavia-lib http://codesearch.openstack.org/?q=from%20octavia%5C.&i=nope&files=&repos=	14:15
boden	I will check and see if its possible to remove the octavia imports, but I'm not sure we're there yet	14:16
johnsom	boden: We have always documented that you should never import Octavia. It has never been in G-R.	14:16
boden	johnsom sure that's fine, you can reject the bug as you see fit	14:17
johnsom	boden We never had a transition from importing Octavia to using octavia-lib. That doesn’t mean people didn’t do it, but doing so would be bugs against those projects.	14:19
boden	johnsom ack	14:19
*** luksky has quit IRC		14:24
*** openstackstatus has joined #openstack-lbaas		14:34
*** ChanServ sets mode: +v openstackstatus		14:34
*** goldyfruit_ has joined #openstack-lbaas		14:40
*** goldyfruit has quit IRC		14:42
*** Vorrtex has joined #openstack-lbaas		14:47
*** spatel has joined #openstack-lbaas		14:59
spatel	Hello folks!!!	15:00
-openstackstatus- NOTICE: Gerrit is now entering its maintenance window. Expect Gerrit outages in the near future. We will notify when it is back up and running.		15:07
*** ChanServ changes topic to "Gerrit is now entering its maintenance window. Expect Gerrit outages in the near future. We will notify when it is back up and running."		15:07
johnsom	spatel o/ Welcome to the Octavia club	15:12
johnsom	grin	15:12
spatel	:)	15:18
*** luksky has joined #openstack-lbaas		15:18
v1k0d3n	hey johnsom, super sorry to bother, but that pem error i mentioned yesterday...it doesn't exactly look like there's anything wrong with the certs/keys that are being used in octavia. but could it potentially be an issue with barbican?	15:27
v1k0d3n	i'm not 100% sure the barbican installation is completed from a conf standpoint yet.	15:27
v1k0d3n	but i think that _might_ be down the line a bit. i get those errors (above) after a few of these...	15:28
johnsom	v1k0d3n Could be, which log is it in? What is the context around the error?	15:28
v1k0d3n	https://www.irccloud.com/pastebin/CMcMtZNP/	15:28
v1k0d3n	which i would imagine is around the ssh key?	15:29
johnsom	v1k0d3n Those are normal, it means nova hasn't finished booting the instance yet.	15:29
v1k0d3n	it does succeed after that. ok....that makes sense.	15:29
johnsom	It will loop with that warning, waiting for the instance to respond	15:29
v1k0d3n	so then i see the outputs (text) of the pem files.	15:29
v1k0d3n	which i think is expected in the logs.	15:29
v1k0d3n	those all say success as well.	15:29
johnsom	v1k0d3n They should be encrypted	15:30
johnsom	Maybe you are running an old version?	15:30
v1k0d3n	they look encrypted actually i believe.	15:30
v1k0d3n	one sec, and let me validate that though.	15:30
v1k0d3n	yeah definitely appear to be encrypted.	15:31
v1k0d3n	then in goes through a tree of logs (all seem ok)	15:31
v1k0d3n	https://www.irccloud.com/pastebin/YN2kSFyM/	15:32
johnsom	Ok, that is an error	15:32
johnsom	The error is going to be right before that tree	15:32
v1k0d3n	ok, good to know.	15:32
v1k0d3n	here's the full flow w/end error....	15:32
v1k0d3n	https://www.irccloud.com/pastebin/6FWYlYz2/	15:32
* redrobot pokes head in after hearing "barbican"		15:33
v1k0d3n	and that's that last line that i can't seem to search very well on. the googles doesn't really like searching messages like that.	15:33
johnsom	Yeah, that tree doesn't give us a lot to go on, we need the ERROR line before that tree starts	15:33
v1k0d3n	hmmm	15:33
johnsom	redrobot o/	15:33
v1k0d3n	i guess another service log perhaps?	15:34
redrobot	johnsom, 👋	15:34
v1k0d3n	o/ :)	15:34
johnsom	redrobot This looks like an Octavia config issue, so I think you are safe.	15:34
v1k0d3n	most likely....the config is...whoa.	15:34
v1k0d3n	i know you helped me with some config stuff before johnsom. i think _most_ things are worked through.	15:35
johnsom	Yeah, this looks like the TLS between the controller and the amphora instance has an issue. One of the private keys is not setup correctly.	15:35
v1k0d3n	but trying to find bread crumbs to the next thing is tough. the logs that describe network, key, etc. those are very nice...and helped a lot.	15:35
v1k0d3n	ok. i saw a couple of guides on setting this up.	15:36
johnsom	If you grep for "ERROR" you should get the exception line.	15:36
v1k0d3n	i'm running stein, and if i'm not mistaken, that's where i got the docs from on how to create the keys.	15:36
v1k0d3n	ok let me check real quick.	15:36
johnsom	This is the guide: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html	15:36
v1k0d3n	is this the one you're referring to?	15:37
v1k0d3n	`2019-05-31 15:15:38.755 19 ERROR oslo_messaging.rpc.server [-] Exception during message handling: Error: [('PEM routines', 'get_name', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]`	15:37
johnsom	Yes, that is probably it.	15:37
v1k0d3n	ok, that's the guide i followed.	15:37
johnsom	Ok, let's debug this if you have time.	15:38
v1k0d3n	i ended up validating the password/key when i _first_ saw this error.	15:38
v1k0d3n	just to make sure that amphora could also read/use it.	15:38
v1k0d3n	i definitely have time.	15:38
v1k0d3n	i appreciate the help!	15:38
johnsom	Ok, from the guide, the first file I want to look at is: /etc/octavia/certs/client.cert-and-key.pem	15:39
johnsom	You don't need to paste these	15:39
johnsom	I will explain what to look for	15:39
v1k0d3n	ok one sec, it's in a kolla container...so let me check both the source and destination in the container.	15:40
johnsom	If you view that file, you should see two sections, one after the other.	15:40
johnsom	One section should have a header "-----BEGIN CERTIFICATE-----" and the other section should have a header of "-----BEGIN PRIVATE KEY-----". These same files need to be loaded on all of your controller instances if you are running more than one controller instance.	15:42
v1k0d3n	hmmmm	15:43
v1k0d3n	that may be the problem. octavia wants cert and key in the same file for that client cert?	15:43
johnsom	Yes, step 1 in this section creates that file: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html#configuring-octavia	15:44
johnsom	It's actually a limitation of a python library we are using.	15:44
v1k0d3n	ok, that makes a lot of sense as to the why; for sure.	15:44
v1k0d3n	let me try to concat this, and see what happens.	15:46
v1k0d3n	now i realize what you were saying last night.	15:46
johnsom	We try to do strong security with Octavia, so the setup is a bit complicated. This is why I wrote that detailed guide with all of the required steps.	15:46
v1k0d3n	another breadcrumb...this helps. should know something soon.	15:46
v1k0d3n	i thought i saw a script that sort of does everything in an automated way for testing too, right?	15:48
johnsom	Not really, there is a script that creates some files, but it's not complete for a deployment	15:48
v1k0d3n	this is for testing only right now. and then i was going to produce better certs after testing through it and after understanding it better.	15:48
johnsom	It is for our testing. You could be successful using it, but the guide is setup to not use that script. The setup the script creates is not secure. It uses the same CA for both sides of the channel, etc.	15:49
johnsom	Really, at some point, we should get rid of that script.	15:50
v1k0d3n	limiting docs to only something that works might reduce confusion, and how much you guys get pinged by noobs like me :)	15:51
johnsom	Is there a doc pointing to that script?	15:51
*** goldyfruit__ has joined #openstack-lbaas		15:52
johnsom	Ah, the quick start does.... Ok, I will fix that right now.	15:52
v1k0d3n	when i googled octavia installation, the net was super wide...ranging from useful (this guide) to old (just because how OS docs work) to that script.	15:52
v1k0d3n	yes, that...exactly.	15:52
v1k0d3n	docs are hard to keep up with; i get it.	15:52
v1k0d3n	i did a lot of work in the openstack-helm docs a long time ago...and they're still rough (and we redid them probably 6 different times/ways).	15:53
v1k0d3n	just the nature of the beast.	15:53
johnsom	Yes, we evolve pretty quickly, so sometimes things get lost. We try to keep https://docs.openstack.org/octavia/latest/ up to date	15:53
v1k0d3n	and of course, everyone has an opinion on docs :P	15:53
v1k0d3n	good to know. well, that's one reason why i'm using stein...hoping that i'm not that far off from latest. because i've been down that train with other services...	15:54
v1k0d3n	when things change quickly; it's just so hard to go back and update docs.	15:54
v1k0d3n	still to this day why OSH doesn't really have a true release yet.	15:54
johnsom	Yeah, you are in good shape with Stein	15:55
*** goldyfruit_ has quit IRC		15:55
v1k0d3n	a coworker of mine is trying with Rocky...any issues there that you're aware of?	15:55
johnsom	No, we try to maintain back to Queens, but newer is obviously going to be "better". grin	15:56
johnsom	Another thing to note, so far we have been able to make it so you can run newer Octavia on older clouds.	15:57
johnsom	We don't gate test this, but it should work. We use stable interfaces when talking to the other OpenStack services.	15:57
*** ChanServ changes topic to "Discussions for OpenStack Octavia \| Train PTG etherpad: https://etherpad.openstack.org/p/octavia-train-ptg"		15:59
*** mithilarun has joined #openstack-lbaas		16:01
*** boden has quit IRC		16:09
openstackgerrit	Michael Johnson proposed openstack/octavia master: Clarify that the certificate guide should be used https://review.opendev.org/662512	16:13
johnsom	Ok, that should help folks find the certificate configuration guide.	16:13
johnsom	At some point someone can create a new script, but I can't take that time right now.	16:14
*** goldyfruit__ is now known as goldyfruit		16:22
*** boden has joined #openstack-lbaas		16:23
*** mithilarun has quit IRC		16:26
*** ramishra has quit IRC		16:29
openstackgerrit	Michael Johnson proposed openstack/python-octaviaclient master: Adds "unset" action to the l7policy command https://review.opendev.org/662518	16:43
-openstackstatus- NOTICE: Gerrit is back up and running again. Thank you for your patience and sorry for the delay in this notification (we thought the statusbot was still busy updating channel topics).		16:47
v1k0d3n	so johnsom...success!	16:51
v1k0d3n	i actually just used the wrong client side pem. it was that one little miss at the end :)	16:51
*** mithilarun has joined #openstack-lbaas		16:51
johnsom	Yay! Glad we got you up and running.	16:52
v1k0d3n	can't thank you enough. i might run into other things, but so far, it looks like it's working. now it's just putting it all to work.	16:53
v1k0d3n	thank you for being there for us users. i think sometimes it's hard for us to remember that the users are the ones who promote the product. :)	16:54
v1k0d3n	you guys have obviously not forgotten this.	16:54
johnsom	We feel strongly about building a community.	16:54
v1k0d3n	i totally agree.	16:55
v1k0d3n	a lot say that, but don't really do as well. you guys are backing that up totally.	16:55
v1k0d3n	`2019-05-31 16:49:16.322 19 DEBUG octavia.controller.worker.controller_worker [-] Flow 'octavia-create-loadbalancer-flow' (956982b6-212e-4275-9759-a0ded9e7045b) transitioned into state 'SUCCESS' from state 'RUNNING' _flow_receiver /var/lib/kolla/venv/local/lib/python2.7/site-packages/taskflow/listeners/logging.py:145`	16:55
v1k0d3n	seems like good so far.	16:55
johnsom	Yep! That is the line you want to see	16:56
johnsom	Add an HTTP listener, curl the VIP, you should get a 503 back since there are no members defined yet.	16:56
johnsom	That is the smoke test. If that works, you have the basics all working	16:57
openstackgerrit	Michael Johnson proposed openstack/python-octaviaclient master: Adds "unset" action to the l7policy command https://review.opendev.org/662518	17:05
v1k0d3n	good info johnsom; i'll try that now.	17:06
*** goldyfruit has quit IRC		17:06
johnsom	The next thing to check is ten seconds or so later, do a stats show and make sure the traffic shows up. That proves that the amphora can communicate back to the controller.	17:07
*** goldyfruit has joined #openstack-lbaas		17:42
*** sapd1_x has joined #openstack-lbaas		17:46
*** sapd1_x has quit IRC		17:51
v1k0d3n	johnsom...an assumption here, but octavia will work with both tenant _and_ flat networks; is that right?	17:53
v1k0d3n	i am going to have a setup that's using only flat networks leveraging calico as the sdn controller.	17:53
johnsom	Yes, if neutron supports it, we do	17:53
*** goldyfruit has quit IRC		17:56
v1k0d3n	👍🏼	17:57
*** rouk has joined #openstack-lbaas		18:02
rouk	anyone know if i can get active connections to a pool member in octavia, when preparing for swapping out a member?	18:03
johnsom	rouk We do not currently have member level statistics, but you can set a member weight to 0 which will "drain" the connections from the member.	18:04
*** tesseract has quit IRC		18:04
johnsom	I.e. no new connections will get scheduled to that member, but current connections can finish.	18:04
rouk	is the member statistics a thing on a roadmap somewhere?	18:12
rouk	trying to do a 100 node rolling upgrade in heat is kinda scary if you have to wait [some random number] minutes for members to drain	18:13
johnsom	I don't think so, but certainly could be. You can open an RFE story here: https://storyboard.openstack.org/#!/dashboard/stories	18:13
rouk	unless im going about the rolling upgrade the wrong way and i dont need member stats?	18:13
johnsom	Yeah, you can't get the connection info from the member servers themselves?	18:13
rouk	thats implementation specific, a10/f5 let you see the ongoing connections to members, so thats what everything was automated against	18:14
johnsom	Yeah, I get the use case. We should add it to the API.	18:15
johnsom	rouk Let me know if you need help creating the RFE story for us	18:16
rouk	just a story with a couple tasks?	18:17
johnsom	A story with even just one task that captures the use case and desired API information.	18:18
johnsom	Simple is fine as long as it captures your need	18:18
rouk	johnsom: 33552	18:23
johnsom	rouk Looks good, thank you.	18:24
v1k0d3n	johnsom: so i tried curling the vip and got a connection refused...so i may have some addition issues to chase down.	18:35
johnsom	Hmm, yeah. I am assuming the VIP network is reachable from where you curled.	18:35
openstackgerrit	Michael Johnson proposed openstack/python-octaviaclient master: Adds "unset" action to the l7rule command https://review.opendev.org/662540	18:38
*** yamamoto has joined #openstack-lbaas		18:41
openstackgerrit	Michael Johnson proposed openstack/python-octaviaclient master: Adds "unset" action to the l7rule command https://review.opendev.org/662540	18:44
*** yamamoto has quit IRC		18:46
*** openstackgerrit has quit IRC		19:01
*** ccamposr__ has joined #openstack-lbaas		19:02
*** ccamposr has quit IRC		19:06
*** happyhemant has quit IRC		19:27
*** mithilarun has quit IRC		19:28
v1k0d3n	yeah it is johnsom	19:37
v1k0d3n	i can provide some details in a minute (calls).	19:37
*** openstackgerrit has joined #openstack-lbaas		20:03
openstackgerrit	Michael Johnson proposed openstack/python-octaviaclient master: Adds "unset" action to the l7rule command https://review.opendev.org/662540	20:03
openstackgerrit	Michael Johnson proposed openstack/octavia master: Fix l7rule API handling of None updates https://review.opendev.org/662569	20:11
*** mithilarun has joined #openstack-lbaas		20:25
*** Vorrtex has quit IRC		20:28
*** goldyfruit has joined #openstack-lbaas		21:00
*** boden has quit IRC		21:19
*** mithilarun has quit IRC		21:28
*** mithilarun has joined #openstack-lbaas		21:29
*** spatel has quit IRC		21:33
*** mithilarun has quit IRC		21:33
*** mithilarun has joined #openstack-lbaas		21:45
*** pcaruana has quit IRC		21:54
*** spatel has joined #openstack-lbaas		22:17
*** spatel has quit IRC		22:21
*** yamamoto has joined #openstack-lbaas		22:44
*** yamamoto has quit IRC		22:48
*** mithilarun has quit IRC		22:51
openstackgerrit	Michael Johnson proposed openstack/python-octaviaclient master: Adds "unset" action to the quota command https://review.opendev.org/662588	22:52
johnsom	Wahoo, that should wrap up the unset patches! (Aside from tags which still need some work).	22:53
openstackgerrit	Michael Johnson proposed openstack/octavia master: Fix flavor profile API handling of None updates https://review.opendev.org/662344	22:55
*** goldyfruit has quit IRC		22:59
*** ccamposr__ has quit IRC		23:01
*** mithilarun has joined #openstack-lbaas		23:07
openstackgerrit	Adam Harwell proposed openstack/octavia master: WIP: Allow multiple VIPs per LB https://review.opendev.org/660239	23:09
*** goldyfruit has joined #openstack-lbaas		23:09
*** goldyfruit has quit IRC		23:35
*** goldyfruit has joined #openstack-lbaas		23:38
openstackgerrit	Adam Harwell proposed openstack/octavia master: WIP: Allow multiple VIPs per LB https://review.opendev.org/660239	23:53
*** mithilarun has quit IRC		23:54
*** mithilarun has joined #openstack-lbaas		23:55

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!