Wednesday, 2019-07-03

*** yamamoto has joined #openstack-lbaas00:04
*** mithilarun has quit IRC00:41
openstackgerritMichael Johnson proposed openstack/octavia master: Make amphora use a single HAProxy instance  https://review.opendev.org/66806800:51
*** ricolin_ has joined #openstack-lbaas00:51
*** ricolin_ is now known as ricolin00:52
*** ramishra has quit IRC00:56
*** yamamoto has quit IRC00:59
*** yamamoto has joined #openstack-lbaas00:59
*** yamamoto has quit IRC01:30
*** yamamoto has joined #openstack-lbaas01:40
*** yamamoto has quit IRC01:51
*** yamamoto has joined #openstack-lbaas02:15
*** yamamoto has quit IRC02:36
*** dasp has quit IRC02:46
*** dasp has joined #openstack-lbaas03:03
*** yamamoto has joined #openstack-lbaas03:15
*** yamamoto has quit IRC03:25
*** psachin has joined #openstack-lbaas03:35
*** ramishra has joined #openstack-lbaas03:42
*** numans has joined #openstack-lbaas03:52
*** ricolin_ has joined #openstack-lbaas03:54
*** ricolin has quit IRC03:57
*** ajay33 has joined #openstack-lbaas04:12
*** tkajinam has quit IRC05:01
*** gcheresh_ has joined #openstack-lbaas05:05
*** vishalmanchanda has joined #openstack-lbaas05:05
*** pcaruana has joined #openstack-lbaas05:06
*** ricolin_ is now known as ricolin05:37
openstackgerritMerged openstack/octavia master: only rollback DB when we have a connection to the DB  https://review.opendev.org/66803205:52
*** tkajinam has joined #openstack-lbaas06:00
*** ramishra has quit IRC06:08
*** ramishra has joined #openstack-lbaas06:16
*** luksky has joined #openstack-lbaas06:27
*** lemko has joined #openstack-lbaas06:35
*** luksky has quit IRC06:48
*** ricolin_ has joined #openstack-lbaas06:51
openstackgerritGregory Thiemonge proposed openstack/octavia master: Prevent UDP LBs to use different IP protocol versions in amphora driver  https://review.opendev.org/66861706:52
*** ricolin has quit IRC06:53
*** luksky has joined #openstack-lbaas07:06
*** rpittau|afk is now known as rpittau07:06
*** ccamposr has quit IRC07:18
*** tesseract has joined #openstack-lbaas07:21
openstackgerritGregory Thiemonge proposed openstack/octavia-tempest-plugin master: Add tests for mixed IP networks UDP members  https://review.opendev.org/66861907:27
openstackgerritGregory Thiemonge proposed openstack/octavia-tempest-plugin master: Add UDP test scenario  https://review.opendev.org/65651507:27
*** luksky11 has joined #openstack-lbaas07:43
*** luksky has quit IRC07:45
*** luksky11 has quit IRC07:55
*** trident has quit IRC08:08
*** luksky11 has joined #openstack-lbaas08:08
*** trident has joined #openstack-lbaas08:09
*** luksky11 has quit IRC08:11
*** luksky11 has joined #openstack-lbaas08:27
*** luksky11 has quit IRC08:33
*** ivve has joined #openstack-lbaas08:34
*** tkajinam has quit IRC08:39
*** ricolin__ has joined #openstack-lbaas08:44
*** ricolin_ has quit IRC08:47
*** ricolin__ is now known as ricolin08:55
*** tesseract-RH has joined #openstack-lbaas08:57
*** tesseract has quit IRC08:58
*** luksky11 has joined #openstack-lbaas09:12
openstackgerritAnn Taraday proposed openstack/octavia master: Transition l7policy flows to dicts  https://review.opendev.org/66597709:25
openstackgerritAnn Taraday proposed openstack/octavia master: Transition l7rule flows to dicts  https://review.opendev.org/66817309:25
*** tesseract-RH has quit IRC09:29
*** tesseract has joined #openstack-lbaas09:29
*** tesseract has quit IRC09:33
*** tesseract has joined #openstack-lbaas09:33
*** tesseract has quit IRC09:38
*** tesseract has joined #openstack-lbaas09:39
*** aojea has joined #openstack-lbaas10:03
*** aojea has quit IRC10:03
*** psachin has quit IRC11:06
*** sapd1_x has joined #openstack-lbaas11:14
*** sapd1_x has quit IRC11:30
*** boden has joined #openstack-lbaas12:04
*** gcheresh_ has quit IRC12:15
*** boden has quit IRC12:34
*** psachin has joined #openstack-lbaas12:44
*** happyhemant has joined #openstack-lbaas12:46
*** gcheresh_ has joined #openstack-lbaas12:54
openstackgerritAnn Taraday proposed openstack/octavia master: [WIP] Transition amphora flows to dicts  https://review.opendev.org/66889813:01
squarebrackethurray my patch was merged13:10
*** ajay33 has quit IRC13:14
*** boden has joined #openstack-lbaas13:17
openstackgerritElod Illes proposed openstack/octavia stable/ocata: Add bindep.txt and ignore sha1 warning  https://review.opendev.org/66890113:21
*** ccamposr has joined #openstack-lbaas13:24
*** ramishra has quit IRC13:26
*** ramishra has joined #openstack-lbaas13:28
*** vishalmanchanda has quit IRC13:32
*** psachin has quit IRC13:47
*** spatel has joined #openstack-lbaas13:56
*** gcheresh_ has quit IRC14:14
*** ivve has quit IRC14:14
*** ricolin has quit IRC14:16
*** mithilarun has joined #openstack-lbaas14:20
*** gcheresh_ has joined #openstack-lbaas14:58
*** vishalmanchanda has joined #openstack-lbaas14:58
*** gcheresh_ has quit IRC15:13
*** henriqueof has joined #openstack-lbaas15:24
*** Vorrtex has joined #openstack-lbaas15:38
openstackgerritAdam Harwell proposed openstack/octavia master: Make amphora use a single HAProxy instance  https://review.opendev.org/66806815:43
*** ataraday_ has joined #openstack-lbaas15:51
*** mithilarun has quit IRC15:51
*** ajay33 has joined #openstack-lbaas15:52
spateljohnsom: yt15:52
*** mithilarun has joined #openstack-lbaas15:52
johnsomspatel Yes. We are just about to the weekly IRC meeting time15:52
spatelgo ahead.. i will catch you after meeting15:53
johnsomspatel We have 7 minutes.15:53
johnsomgrin15:53
*** ataraday_ has quit IRC15:53
spatelhttps://github.com/rcbops/rpc-octavia/blob/master/INSTALLATION.md15:53
johnsomThe rackspace stuff?15:54
johnsomI don't think they even use that anymore15:54
spateli am successfully spun up amphora and it wire up with neutron but not getting ip from DHCP15:54
spatelif you see in that doc they used specially bridge v-br-lbaas and v-br-vlan15:55
johnsomspatel Why aren't you using the OpenStack Ansible role instead of this?15:55
spatelopenstack-ansible doesn't wire up neutron with lb-mgmt network15:56
johnsomyes it does15:56
xgerman+115:56
spatelYou are saying i don't need to do anything what that rackspace document saying?15:56
johnsomAh, the author of both the RPC-octavia and OpenStack Ansible role has arrived....15:57
*** mithilarun has quit IRC15:57
johnsomspatel yes15:57
spatelI think i am confused here..15:57
spatelhow neutron DHCP namespace going to talk to lb-mgmt network?15:58
-spatel- [root@ostack-infra-2-1 ~]# ip netns list15:58
-spatel- qdhcp-acf559ef-2a89-4956-80d3-ec7bfd03b225 (id: 2)15:58
-spatel- qdhcp-1f81a77d-02d2-4f64-b767-22222fc5368c (id: 1)15:58
spatelThis is my lb-mgmt network ip address on dhcp ns15:59
-spatel- [root@ostack-infra-2-1 ~]# ip netns exec qdhcp-1f81a77d-02d2-4f64-b767-22222fc5368c ip a | grep 172.27.12.215:59
-spatel- inet 172.27.12.2/21 brd 172.27.15.255 scope global ns-99b9b080-9115:59
spatelmy amphora not able to talk to this IP that is why they are not able to get IP from dhcp15:59
johnsomspatel This is the OSA task that sets up the lb-mgmt-net: https://github.com/openstack/openstack-ansible-os_octavia/blob/master/tasks/octavia_mgmt_network.yml16:00
spatelhttp://paste.openstack.org/show/753835/16:00
rm_work#startmeeting Octavia16:00
openstackMeeting started Wed Jul  3 16:00:55 2019 UTC and is due to finish in 60 minutes.  The chair is rm_work. Information about MeetBot at http://wiki.debian.org/MeetBot.16:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.16:00
*** openstack changes topic to " (Meeting topic: Octavia)"16:00
openstackThe meeting name has been set to 'octavia'16:00
rm_workHeyas :D16:01
johnsomo/16:01
nmagnezio/16:01
gthiemongeo/16:01
*** mithilarun has joined #openstack-lbaas16:01
cgoncalveso/16:01
rm_work#topic Announcements16:01
*** openstack changes topic to "Announcements (Meeting topic: Octavia)"16:01
xgermanO/16:02
rm_workCFP is ... closed? almost closed?16:02
rm_workWe aren't submitting anything that I'm aware of for Shanghai, other than the project update16:02
cgoncalvesclosed yesterday EOD (PST time?)16:02
rm_workand ... onboarding? might be part of the regularly scheduled stuff... I need to wait to hear from the organizer folks16:02
cgoncalvesI submitted one with dulek16:02
rm_workah ok16:02
johnsomThe on boarding is being handled differently this time. Not sure what it will look like.16:03
cgoncalvesah, sorry. CFP deadline was extended until July 8th16:03
cgoncalves"Accepting submissions until Jul 8th 8:59 am (Europe/Berlin)"16:03
dulekrm_work: Oh, so project updates emails were already sent to PTL's?16:03
* dulek excuses for interrupting but as cgoncalves pinged him…16:04
rm_workNot yet, waiting on that16:04
dulekrm_work: Okay, good, we're waiting for that too. :)16:04
johnsomKendall said it would still be a week or so16:04
rm_workI'm glad you know, johnsom :D16:04
rm_workas the conference liaison...16:05
dulekI'll just tag dmellado here then. ^ - project updates emails are going to be there in a week or so.16:05
* rm_work shoots a quick email to Kendall to clarify that johnsom is the conference liaison16:05
johnsomHa, sigh. Well, considering I am not planning to attend....16:05
rm_workthat's fine, you did it for Boston and only I went to that one :D16:05
rm_workah, and german too16:06
johnsomTrue16:06
xgermanyep, and we had people helping at the lab16:07
rm_workanywho, any other announcements?16:07
johnsomThe only other thing I can think of is the upper-constraints changes16:08
johnsomTony had an e-mail chain about changes to how upper-constraints should be used and are distributed.16:09
johnsomI blasted out patches for all of the repos and branches to update our repos as I was starting to see random/wrong patches come in.16:09
johnsom#link https://review.opendev.org/#/q/topic:constraints-updates16:09
cgoncalvesYAUCC (yet another u-c change)16:09
johnsomlol, yes16:09
johnsomSo please help by reviewing so we can get this nailed down.16:10
johnsomIn the process I did find some issues in our repos that I have corrected in these patches.16:10
rm_workyeah i've been really singularly focused so i haven't been doing reviews the past couple of days, need to do that16:10
johnsomThis should help us not end up with broken packaging16:10
johnsomThese are all fairly short patches, so should go quick16:11
*** ataraday_ has joined #openstack-lbaas16:11
johnsomI think that is all I have for announcements16:11
rm_work#topic Brief progress reports / bugs needing review16:13
*** openstack changes topic to "Brief progress reports / bugs needing review (Meeting topic: Octavia)"16:13
rm_workI've got ... a few patches that I wish people would look at -- but no matter how hard I rub my bedside lamp, Will Smith won't pop out of it, so I guess those will remain un-reviewed :D16:14
*** rpittau is now known as rpittau|afk16:14
ataraday_As always please review: https://review.opendev.org/#/c/659538/ and https://review.opendev.org/#/c/662791/16:15
ataraday_and I've got a bunch of transition reviews https://review.opendev.org/#/q/status:open+project:openstack/octavia+branch:master+topic:jobboard_dicts16:16
johnsomOther than the UC patches and some other bug fixes, I have been focused on the single-haproxy process work with rm_work. It's a critical bug/issue so my current top priority.16:16
rm_workyep, basically have put everything else aside for that recently16:17
rm_workwould be sweet if people took a look at multivip tho :)16:17
cgoncalvesI've been focused on figuring out what's wrong with the centos job. hard to say I've made any progress as it still doesn't work :/16:18
johnsomcgoncalves Bummer, I thought you had figured it out and made magic happen16:18
cgoncalvesthis is a priority for me as we could be merging stuff that fails on centos. I reckon the UDP work in Rocky that was not working on centos few days before release16:19
cgoncalvesevery day I find something fishy and work around it. I'm now on "why ubuntu CI job says it's on a nested virt env??"16:20
johnsomOk, that is easy, it's a kernel module that loaded. Not the nested virt you are thinking of16:20
cgoncalvesalso why systemd says "Detected virtualization other." on DIB-built + TCG while same but for ubuntu says "Detected virtualization qemu."16:20
cgoncalvesjust confirmed 5 minutes ago both OS amps have the kvm_amd kernel module loaded16:21
johnsomYeah, but that isn't used16:21
cgoncalvesanyway, I don't want to hijack the meeting with this16:21
rm_workthis is in the gate? because SOME hosts have nested virt  support and some don't... right?16:22
rm_workor did we disable it globally now16:22
rm_workanywho, yeah... review patches :D16:22
johnsomWe have had it disabled globally for some time now, probably over a year16:22
rm_work#link https://review.opendev.org/66748416:22
rm_work#link https://review.opendev.org/66023916:22
rm_workah you did finally review multivip, sweet16:22
rm_workjust need to find time to go back and look at it <_<16:23
openstackgerritMichael Johnson proposed openstack/octavia master: Fix cryptsetup --pbkdf-memory failures  https://review.opendev.org/66821516:24
openstackgerritMichael Johnson proposed openstack/octavia stable/stein: Fix cryptsetup --pbkdf-memory failures  https://review.opendev.org/66821616:25
rm_workok so16:26
rm_work#topic Open Discussion16:26
*** openstack changes topic to "Open Discussion (Meeting topic: Octavia)"16:26
rm_workAnything? noticed we have more than the normal amount of folks here?16:27
rm_workah, I do know that we're seeing some sort of issue with members in pools in senlin (internally at verizon media) but I can't speak to it and the guy who can I don't think is responding presently16:28
rm_workso all I can say is nebulously "we'll be looking at the senlin<->octavia integration stuff more closely soon"16:29
rm_workor possibly already are16:29
johnsomCool16:30
rm_workno one else? guess we can close this up?16:31
rm_workthanks for showing up everyone \o/16:31
rm_workback to work! or sleep! or whatever you were about to do!16:31
rm_work#endmeeting16:31
*** openstack changes topic to "Discussions for OpenStack Octavia | Train PTG etherpad: https://etherpad.openstack.org/p/octavia-train-ptg"16:31
openstackMeeting ended Wed Jul  3 16:31:49 2019 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:31
openstackMinutes:        http://eavesdrop.openstack.org/meetings/octavia/2019/octavia.2019-07-03-16.00.html16:31
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/octavia/2019/octavia.2019-07-03-16.00.txt16:31
openstackLog:            http://eavesdrop.openstack.org/meetings/octavia/2019/octavia.2019-07-03-16.00.log.html16:31
cgoncalvesslacking16:31
xgermanspatel: when neutron creates the subnet it should inject a dhcp server16:32
xgermanso surprised it did not… I haven’t looked at it in a while but octavia-ansible has tests for that code...16:33
spatelI can see neutron created lb-mgmt-net network and subnet range, also i can see dns service running16:34
spatelbut i don't know how neutron dhcp wire up that to my lb-mgmt-net VLAN ?16:34
spatelsince i have created RPC v-br-lbaas and v-br-vlan bridge, my br-lbaas stopped pinging :(16:36
spatellook like it totally blocked that interface for me..16:36
johnsomYeah, it's probably bad if you mixed OSA and the RPC-octavia stuff. They are two different deployment models.16:37
xgermanyep, especially since rpc-octavia is deprecated (was for a time when rpc-o was very distinct from OSA)16:38
spateljohnsom: right now trying to fix this blocking interface issue.. don't know how to fix it.. i did reboot also but my br-lbaas not pingable from other host16:38
johnsomThe DHCP stuff is all handled by neutron. The lb-mgmt-net subnet should be "dhcp enabled" in the neutron API.  if that is set like it should be, then the neutron agents should have dhcp on the subnet.16:39
xgermansounds like traffic is somewhere blackholing for him16:39
johnsomIt could be that one of the bridges is down causing the DHCP to not make it from the neutron agent to one of the computes16:39
xgermanmake sure that the interfaces on the bridges make sense16:39
johnsomAnd that they are all up, and that the addresses are either on the bridge interface or not as required.16:40
xgermanalso what johnsom said — and then there is always the issue if it’s RAX that network ports are not working16:40
spatelI did reboot also controller node and verify v-br-vlan and v-br-lbaas not loaded anywhere but still not able to ping :(16:41
johnsomHave you checked your neutron agents, are they all up and healthy?16:42
spatelYes neutron is up and running agent is up16:42
spateli can spin up other vms16:42
*** henriqueof has quit IRC16:43
spatelxgerman: & johnsom  look at this.. https://bugs.launchpad.net/openstack-ansible/+bug/183515716:43
openstackLaunchpad bug 1835157 in openstack-ansible "Octavia strange br-lbaas bridge network issue" [Undecided,Invalid]16:43
spateli have removed v-br* RPC stuff16:43
spatelmostly system reboot should fix any bridge issue..16:44
johnsomI don't think that is the case. If the bridges are not configured in a persistent way, they will disappear after a reboot16:48
xgermanBoth rpc-octavia and OSA configure them in a persistent way IMHO16:51
johnsomI am pretty sure OSA does.16:52
spatelI didn't configure them persistent way because i was testing..  all my bridge working fine.. br-host, br-mgmt, br-vxlan etc.. only br-lbaas isn't working16:53
spateli have removed every single RPC stuff also..16:53
spatelvery very odd issue..16:54
spateli am running 400 servers and never seen this kind of issue before..16:54
spatelnothing in logs also saying why its block, also no activity on tcpdump16:54
*** ccamposr has quit IRC16:54
johnsomSo the bridge is up and the STP isn't in blocking?16:57
spatelyes bridge is up and STP is disabled16:58
spateli can see in dmesg its saying16:59
-spatel- [ 1217.768381] br-lbaas: port 2(d9cb19fb_eth14) entered blocking state16:59
-spatel- [ 1217.768385] br-lbaas: port 2(d9cb19fb_eth14) entered forwarding state16:59
spatelwhen i restart network16:59
*** ccamposr has joined #openstack-lbaas16:59
*** Vorrtex has quit IRC17:00
*** Vorrtex has joined #openstack-lbaas17:01
spatellet me poke around..17:01
spatelmore fun.. i did system restart network17:02
spatelnow i can ping 1 compute node out of 3  This make no sense..17:03
-spatel- [root@ostack-infra-2-1 network-scripts]# brctl showmacs br-lbaas17:04
-spatel- port no  mac addr           is local?  ageing timer17:04
-spatel-   1      38:ea:a7:33:b9:a8  yes           0.0017:04
-spatel-   1      38:ea:a7:33:b9:a8  yes           0.0017:04
-spatel-   1      e4:11:5b:98:5d:65  no            5.8917:04
-spatel-   2      fe:c0:e3:1e:18:f1  yes           0.0017:04
-spatel-   2      fe:c0:e3:1e:18:f1  yes           0.0017:04
*** openstackgerrit has quit IRC17:04
spatel1 e4:11:5b:98:5d:65 this mac is pinging.. not other17:04
*** Vorrtex has quit IRC17:09
*** ccamposr has quit IRC17:32
*** ramishra has quit IRC17:37
*** luksky11 has quit IRC17:46
*** vishalmanchanda has quit IRC18:02
*** lucashxu has joined #openstack-lbaas18:17
*** gcheresh_ has joined #openstack-lbaas18:19
lucashxuhi there, I am trying to ssh into a load balancer and see the haproxy log. But the ssh connection can be established. I cannot ping the lb either. I have checked the lb_network_ip, and it is on lb-mgmt-net, having its own subnet.18:19
lucashxuAny idea on what I should do so that I can ssh into the lb created with using a private subnet? Thanks!18:20
johnsomDid you configure the nova keypair for Octavia to use?18:20
johnsomhttps://docs.openstack.org/octavia/latest/configuration/configref.html#controller_worker.amp_ssh_key_name18:21
lucashxujohnsom, i have changed the octavia.conf, so the keypair points to a public key that I am using locally18:21
johnsomAlso, for Train (master) you can setup log offloading: https://docs.openstack.org/octavia/latest/admin/log-offloading.html18:21
lucashxujohnsom: great, thanks for the links!18:22
xgerman_yeah, awesome write up...18:22
johnsomThanks!18:23
spatelxgerman: i think something is wrong in OSA based octavia networking...18:24
xgerman_Possible. I haven’t touched it in over a year18:24
spatelit feel OSA created and wire up br-vlan with lb-mgmt-net and that may be creating loop in br-lbaas which is totally block..18:25
johnsomThey run gate tests on that role, so I would be surprised if it is broken.18:25
spateli have created br-lbaas on other lab box and put them in same VLAN and they are pinging but only these 3 controller not are bricks :(18:25
spateljohnsom: i am 100% sure something is not right in ansible playbooks..18:26
johnsomHave you asked in the openstack-ansible channel about this?18:26
spateli haven't and i doubt people will help because hardly anyone deployed octavia18:26
spateli am going to ask anyway18:27
johnsomlucashxu If you can't connect and the keypair was in place before the load balancer was created, check that you are in a network namespace that can get to the lb-mgmt-net.18:27
johnsomspatel There are multiple people with Octavia deployed via OSA in the openstack-ansible channel. Including the PTL18:28
lucashxujohnsom: yeah, that's something I am trying to resolve. I cannot find a place that I can get to the lb-mgmt-net18:28
xgerman_+118:28
spatelI drop mesg in channel and lets see18:29
spatellucashxu: is this a bug so i stop wasting my time :(18:29
spatellast 5 days i am banging my head on my desk..18:29
xgerman_lucashxu: make also sure the security groups allow port 2218:31
xgerman_if keys are configured Octavia will add it automatically but always safe to double check18:32
lucashxuxgerman_: yeah, I have checked the secgroup, port 22 is opened18:32
lucashxuso the lb-mgmt-net should at least be accessible from the controller, correct? Thanks guys for helping :)18:33
spatellucashxu: are you using OSA ?18:38
lucashxuspatel: nope, i am using the tripleo18:39
spatellucky you :)18:39
spatelOSA is just painful to get it work :(  very few people available for help18:40
*** lemko has quit IRC18:40
lucashxuspatel: :) yeah, tripleO works for me pretty well so far.18:41
*** luksky11 has joined #openstack-lbaas18:42
spateltripleO is complicated but i found Redhat did very good job with documentation18:43
spatelmy 2 cloud running on OSA so i am trying to stick with it but i think i need to find other way soon18:44
*** tesseract has quit IRC18:44
lucashxugood luck :)18:45
johnsomlucashxu As a test, you could get on a neutron agent node, find the network namespace for the lb-mgmt-net network (sudo ip netns), it should be named qdhcp-42537612-5ae8-451e-b1e3-4a2d35c65160 where 42537612-5ae8-451e-b1e3-4a2d35c65160 is the lb-mgmt-net network ID in neutron (openstack subnet list).18:50
xgerman_johnsom: ’s people did a bunch of Octavia installs with OSA back in the day :-)18:50
*** KeithMnemonic has joined #openstack-lbaas18:51
johnsomlucashxu Then do sudo ip netns exec qdhcp-42537612-5ae8-451e-b1e3-4a2d35c65160 ssh ubuntu@<lb-mgmt-net IP on the nova instance>18:51
spatelxgerman_: i love OSA only problem is getting help out if something broken :(18:51
spatelat present i am all blocked :)18:52
johnsomHere we can help with Octavia, but when it comes to the deployment tools, we can't really track them all. There are at least five supporting Octavia now.18:52
lucashxujohnsom: great, i will give it a try. Really appreciate it18:52
*** ajay33 has quit IRC19:04
*** gcheresh_ has quit IRC19:10
*** mithilarun has quit IRC19:11
squarebracketi'm kind of confused by all the certificates octavia wants... i need to generate two CAs? and then all also some certs from one of the CAs? is that correct?19:26
squarebracketand for a barebones POC, can I get away with just providing a packstack-generated self-signed cert?19:26
squarebracketoh, is it just saying i need a CA on both controller + amphora, such that both controller + amphora can validate the SSL cert it's getting?19:28
johnsomsquarebracket There is a certificate guide here: https://docs.openstack.org/octavia/latest/admin/guides/certificates.html19:29
squarebracketjohnsom: that is exactly what i'm reading :)19:29
johnsomOctavia uses two-way TLS authentication, so there are two CAs typically. one issues certs for the amphora, one for the controllers19:29
squarebracketjohnsom: i had assumed that the controllers would spawn an amphora, then the amphora would send a CSR to the controller which would sign a request, and then send back the valid cert. but i guess here, amphora is generating its own certs?19:32
johnsomsquarebracket No, all of the csr/cert creation is done on the controllers. They get installed in the amphora on boot via config-drive19:33
johnsomThere is no CA inside the amps19:33
squarebracketok, that's what i had assumed. so then why the need for two CAs? doesn't only the controller need a CA cert (since it's the only one signing certs)?19:34
johnsomWell, as the document mentions, if you used the same CA, amps with their cert/private key could sign controller certs and pretend to be a controller19:35
johnsomThe controllers need the CA cert to verify the amp certs, the amps need the controller CA cert to verify the controller certificates.19:36
*** mithilarun has joined #openstack-lbaas19:36
johnsomIt is a bit complicated.  Technically, if security isn't your top priority, you can use just one CA19:37
squarebracketoh, hah, my eyes skipped over the NOTE section >_>19:37
squarebracketright, i got it now. the controller signs all certs, but two different kinds of certs -- one for the amps, and one for itself for the "other end" of the two-way tls, which is itself.19:38
johnsomYep19:39
squarebracketand just so i understand fully, the client CA isn't used to generate certs/keys for the controllers right? since the instructions also include CSR/cert generation. it's just needed since the amp needs the CA to verify the connection?19:51
*** lemko has joined #openstack-lbaas19:53
johnsomSo, this is another tricky thing. The "server" is the amp as that is what we connect to for establishing the TLS handshake. The "client" is the controller.  The Client CA public cert is installed in the amphora so they can validate the controller certificates.20:05
*** goldyfruit has quit IRC20:24
*** goldyfruit has joined #openstack-lbaas20:24
*** gcheresh_ has joined #openstack-lbaas20:26
*** lucashxu has quit IRC20:28
*** gcheresh_ has quit IRC20:38
spateljohnsom: no kidding..20:39
-spatel- 2019 Jun 28 10:34:30 swt-tor1-010101-1-3-hd %STP-2-LOOPGUARD_BLOCK: Loop guard blocking port port-channel13 on VLAN0027.20:39
-spatel- 2019 Jun 28 10:44:16 swt-tor1-010101-1-3-hd %STP-2-LOOPGUARD_BLOCK: Loop guard blocking port port-channel23 on VLAN0027.20:39
-spatel- 2019 Jun 28 10:48:13 swt-tor1-010101-1-3-hd %STP-2-LOOPGUARD_BLOCK: Loop guard blocking port port-channel33 on VLAN0027.20:39
-spatel- 2019 Jun 30 22:23:29 swt-tor1-010101-1-3-hd %STP-2-LOOPGUARD_BLOCK: Loop guard blocking port port-channel34 on VLAN0027.20:39
-spatel- 2019 Jul 2 22:25:34 swt-tor1-010101-1-3-hd %STP-2-LOOPGUARD_BLOCK: Loop guard blocking port port-channel24 on VLAN0027.20:39
-spatel- 2019 Jul 2 22:26:36 swt-tor1-010101-1-3-hd %STP-2-LOOPGUARD_BLOCK: Loop guard blocking port port-channel14 on VLAN0027.20:39
johnsomspatel Yep, looks like you have a loop. I wonder if you are bridging off multiple controllers for the lb-mgmt-net and don't have stp enabled on the bridges20:41
spatelThis is horrible, it may bring down my whole datacenter..20:41
johnsomI.e. popping the neutron lb-mgmt-net off onto a VLAN multiple places that are interconnected20:41
johnsomha, well, you have bigger problems if that is the case20:42
spatelgood i have all STP protection enabled on switches so good it blocked ports20:42
spatelI believe that RPC document created loop20:42
johnsomYeah, I would certainly expect that.20:43
*** trident has quit IRC20:43
spatelbecause it was linking br-lbaas ---> br-vlan--->lb-mgmt-net20:43
spatellet me start over with fresh config and see if i get some positive result20:44
*** trident has joined #openstack-lbaas20:45
*** goldyfruit has quit IRC20:47
*** goldyfruit has joined #openstack-lbaas21:02
xgerman_Yeah, that’s wrong. We use a vlan for the provider net. Then we use br-lbaas to get the tagged vlan untagged. Alternatively, you can connect a tagged port to the container as well (though that’s not automated)21:13
*** mithilarun has quit IRC21:14
colin-scary stuff!21:15
colin-nice that they switched to blocking fast though21:16
*** pcaruana has quit IRC21:16
spatelxgerman_: let me first get out of this mess.. don't know how to remove loop from those switch21:22
*** openstackgerrit has joined #openstack-lbaas21:31
openstackgerritMichael Johnson proposed openstack/octavia-tempest-plugin master: Fix IPv6 tests if ipv6-private-subnet is stateless  https://review.opendev.org/66899621:31
*** mithilarun has joined #openstack-lbaas21:33
*** boden has quit IRC21:34
spatelxgerman_: how do i tell octavia to stop re-creating amphora ?21:35
spatelI am seeing in logs it creating and destroying amphora vms21:35
xgerman_yeah, that’s an indication the management net is not working21:36
xgerman_you can try to delete the LB from the CLI and if that does not work delete it from the DB21:36
johnsomDon't delete it from the DB21:37
johnsomIf you want to stop it temporarily, shutdown your health manager and housekeeping processes. (gracefully as always)21:38
spateli did delete LB from GUI but i can see its re-creating vms21:38
johnsomDo you have the spares pool enabled?21:38
spatelwhat is that ?21:38
johnsomhttps://docs.openstack.org/octavia/latest/configuration/configref.html#house_keeping.spare_amphora_pool_size21:38
johnsomIf that is greater than zero, the controllers are trying to make sure there are spare amphora booted up.21:39
spateli should set that 0 right?21:40
spatellet me first shutdown housekeeping process21:41
johnsomYes, it should be zero, then restart the housekeeping process21:41
spateland later i will make my way out21:41
squarebracketif i get an UnknownConnectionError with 'No connection adapters were found for...' from octavia.compute.drivers.nova_driver does that mean the nova config isn't correct?21:42
spateldamn it 5:49PM gotta go i will rsync with you guys again21:50
spatelhave a great weekend and 4th july..21:50
openstackgerritMichael Johnson proposed openstack/octavia-tempest-plugin master: Fix IPv6 tests if ipv6-private-subnet is stateless  https://review.opendev.org/66899621:50
*** mithilarun has quit IRC21:52
*** mithilarun has joined #openstack-lbaas21:54
*** lemko has quit IRC22:00
squarebracketn/m, it was various endpoint misconfigs22:02
*** rcernin has quit IRC22:04
*** spatel has quit IRC22:05
*** ccamposr has joined #openstack-lbaas22:09
squarebrackethuh, now it thinks the security group doesn't exist, but it does....22:27
*** yamamoto has joined #openstack-lbaas22:45
*** mithilarun has quit IRC22:45
*** luksky11 has quit IRC22:48
*** tkajinam has joined #openstack-lbaas22:54
*** spatel has joined #openstack-lbaas23:06
*** rcernin has joined #openstack-lbaas23:09
openstackgerritNoboru Iwamatsu proposed openstack/octavia master: Add failover logging to show the amphora details.  https://review.opendev.org/66731623:29
*** yamamoto has quit IRC23:48