Friday, 2020-12-04

openstackgerrit: Merged openstack/octavia stable/train: Ignore DELETED amphorae when performing certificate rotation  https://review.opendev.org/c/openstack/octavia/+/754057 [00:04]
openstackgerrit: Merged openstack/octavia-tempest-plugin master: Fix Go lint errors  https://review.opendev.org/c/openstack/octavia-tempest-plugin/+/758616 [00:04]
lxkong: hi, i have an issue with UDP listener. I successfully created a load balancer with UDP listener, pool, and a member that provides UDP service. I can access the UDP server inside the amphora by `ip netns exec amphora-haproxy nc -vuz $member_ip $udp_port`, but can't access via the VIP, any chance you know why? [08:13]
lxkong: if creating health monitor, it can also get the right response. Just access VIP failed. [08:14]
lxkong: The keepalivedlvs service looks fine, https://dpaste.com/8AJSPBWKT [08:15]
gthiemonge: lxkong: can you check the network traffic (with tcpdump) on the member port in the amphora? I had similar issues in the past because masquerading was not correctly enabled, packets were forwarded by the amphora but the UDP service was not able to reply because the source ip address was not correct [09:39]
lxkong: gthiemonge: thanks for reply, but what do you mean by 'source ip address was not correct'? [09:50]
gthiemonge: lxkong: masquerading is enabled in the amphora for UDP LBs, so it means that the amphora rewrites the source ip of the packets that are sent to the servers [10:05]
gthiemonge: lxkong: when it wasn't working for me: tcpdump showed that the source ip was the client source ip (the client that sent a packet to the LB) [10:05]
spatel: johnsom: Hi [18:44]
spatel: I have created an LB and this is what amphora looks like - http://paste.openstack.org/show/800750/ [18:45]
spatel: 10.68.x.x is front end VIP [18:45]
spatel: 10.66.x.x is where my www server is located [18:46]
johnsom: Yes, that looks correct [18:46]
spatel: why do i have two VIP ip for front end? [18:46]
spatel: looks like i am going to waste lots of public IP in that case [18:46]
johnsom: One is the VIP itself that floats, one is the base port that is actually active on that instance [18:47]
spatel: Even in SINGLE amphora deployment? [18:47]
spatel: I am not looking for Active-Standby [18:47]
johnsom: Yeah, that is how it is implemented including single. We need to have a VIP port that reserves the IP in neutron permanently. Unfortunately we can't rely on unplugging it and moving it in the case of a failure as nova will not let go of the port should the host go down. [18:48]
johnsom: So, if you are concerned about using up public IPs with two per amp, the best option we have is to put the VIP on a private subnet and use floating IPs. [18:49]
spatel: My cloud doesn't support floating IP, we are using VLAN based provider [18:50]
spatel: anyway just wanted to confirm what is going on. [18:51]
johnsom: Yeah, we have considered writing an alternate single IP network driver, but it comes with the caveat that if the host goes down, we can't move the port and IP, nova won't let it or storage go until the host comes back up. [18:51]
spatel: One more issue, my LB is up but i can't ping VIP, does it use security group or something? [18:51]
johnsom: Yes, the SGs Octavia uses only open the ports needed. no ICMP [18:52]
spatel: I can't telnet on port also.. very strange. [18:53]
spatel: from amphora VM i can ping my gateway IP [18:53]
spatel: from Amphora i can ping outside world but no traffic coming in. [18:54]
spatel: let me debug it.. [18:54]
johnsom: Ok [18:54]
spatel: can i modify security group and allow ICMP? [18:55]
spatel: i can see octavia_sec_grp [18:56]
spatel: let me try [18:56]
johnsom: Not currently. They are unique security groups per LB and they are generated in the code. [18:56]
spatel: :( [18:56]
johnsom: We probably should add a configuration option to turn on ping. Feel free to open an RFE story for that. [18:56]
johnsom: https://storyboard.openstack.org/#!/dashboard/stories [18:56]
spatel: ping is very important :)  without that hard to troubleshoot [18:57]
spatel: I think operator should have control to modify rules [18:57]
johnsom: Well, security people feel otherwise most of the time. As you said, telnet to a TCP port should work. [18:57]
spatel: no telnet also not working on port 80 [18:58]
spatel: It seems something is wrong with security-group. [18:58]
johnsom: Yeah, so then something is likely wrong outside the LB like a missing route, or HTTP proxy in the way, or other security group issue [18:58]
spatel: Let me debug and find out with tcpdump etc.. [18:59]
spatel: oh wait... [19:02]
spatel: in amphora-haproxy route table has no default route [19:03]
-spatel- Destination Gateway Genmask Flags Metric Ref Use Iface [19:03]
-spatel- 10.66.0.0 0.0.0.0 255.255.248.0 U 0 0 0 eth2 [19:03]
-spatel- 10.68.0.0 0.0.0.0 255.255.248.0 U 0 0 0 eth1 [19:03]
johnsom: Ah, so the subnet in neutron is not setup correctly. [19:03]
spatel: let me verify hold on [19:03]
spatel: They look good and both have default route.. [19:04]
spatel: even i spin up VM with that subnet and it works [19:04]
johnsom: Can you paste the openstack subnet show for the 68 subnet? [19:05]
spatel: both 10.66 and 10.68 has default route in neutron and lets say DHCP handover default route then how does amphora handle that? [19:05]
johnsom: Neutron gives us all of the route information directly via the subnet configuration. [19:06]
spatel: if both subnet trying to set default route then it will create issue [19:06]
spatel: Let me ask question differently. [19:07]
johnsom: Right, there are policy based routing tables in use inside the amphora [19:07]
spatel: hmm [19:08]
johnsom: It's a complicated, but very tested/stable system. [19:08]
johnsom: Can you paste the subnet show? [19:08]
spatel: yes let me give you every single info hold on [19:08]
johnsom: I'm on vacation, so do not have a reference amphora to give you the example output for the routing tables. [19:09]
spatel: johnsom: here you go http://paste.openstack.org/show/800751/ [19:13]
spatel: johnsom: no worry, you should enjoy your vacation (you shouldn't be here.. haha) [19:14]
johnsom: spatel So, on the VIP subnet, 68, it shows "gateway_ip           | None " and there are no host routes, so there is no gateway defined for that subnet [19:14]
spatel: oh wait.. you are right.. [19:15]
johnsom: You should set the default gateway for that subnet in neutron "gateway_ip" [19:15]
spatel: good catch.. maybe i am always pinging those VM from directly connected host and not other subnet.. (damn it) [19:15]
spatel: let me try to do that and verify [19:16]
johnsom: You will need to do a failover of the LB after changing neutron for it to pick it up or wait until the DHCP interval is up [19:16]
spatel: i can destroy and re-create this is all in my lab [19:17]
spatel: johnsom: added gateway now re-building new lb [19:22]
spatel: johnsom: you are awesome!! it's working now [19:25]
spatel: thanks [19:25]
spatel: Last question: How does it remove default route of my web server side subnet? [19:26]
johnsom: Well, they go into separate policy based routing tables. [19:27]
johnsom: Play around with it in your lab and enter the netns and look at the various routing tables. [19:28]
johnsom: I think there is still some open issue with member subnets that has not yet been resolved. There is an open story on it. But in general it will work. [19:29]
johnsom: If the members don't have gateways defined, it will route out the VIP subnet default gateway, like a one-armed load balancer. [19:29]
spatel: johnsom: sure i will look into and poke around. [19:30]
spatel: Thank you! [19:30]
johnsom: No problem. [19:30]
spatel: I doubt you are on vacation.. lol [19:30]
johnsom: Ha, well, in theory I am [19:30]
spatel: :) [19:33]
spatel: Let me destroy amphora and see if octavia create one more me. [19:33]
spatel: hmm i destroyed amphora and it did start creating new vm but that vm got stuck in paused state  (12   instance-0000004b   paused) [19:35]
spatel: This is the error i am getting - http://paste.openstack.org/show/800752/ [19:52]
johnsom: Something is wrong with nova, check the nova logs [20:01]
spatel: default default] [instance: 53472774-1008-4b04-8780-3770e2f58171] Failed to allocate network(s): nova.exception.VirtualInterfaceCreateExcept [20:07]
spatel: very odd.. [20:07]
spatel: let me see.. [20:08]
openstackgerrit: Merged openstack/octavia stable/train: Fix backend certificate file paths  https://review.opendev.org/c/openstack/octavia/+/754342 [21:01]
spatel: johnsom: on horizon GUI why my flavor drop down menu showing no flavor? [21:18]
johnsom: What does “openstack loadbalancer flavor show” give for the flavor you setup? [21:21]
spatel: No matching flavor [21:45]
spatel: johnsom: https://ibb.co/LpjrQnX [21:46]
spatel: i did create flavor using octavia account so it should see them [21:47]
johnsom: Did you create the flavor using my guide? https://docs.openstack.org/octavia/latest/admin/flavors.html [21:48]
spatel: no, i did create normal way. let me read this.. [21:49]
spatel: johnsom: can i add huge page, because all my compute using hugepage [21:49]
johnsom: You can add that to the compute flavor and then either use it as the default or add an octavia flavor that points to the hugepage compute flavor [21:51]
spatel: johnsom: i have deployed cloud using openstack-ansible and it created default octavia flavor that one also not visible.  so that is interesting [21:55]
spatel: maybe that flavor has option  os-flavor-access:is_public | False [21:56]
johnsom: Hmm, I didn’t think ansible creates an octavia flavor by default [21:56]
johnsom: Octavia flavors don’t have that [21:57]
spatel: it did, because i just deploy using osa and now i can see m1.amphora flavor in list [21:57]
johnsom: No, that is a compute flavor for nova [21:57]
johnsom: It is not an Octavia flavor [21:57]
johnsom: Read the guide link I sent [21:58]
johnsom: Most of the OpenStack services have flavors, they just mean different things [21:58]
spatel: johnsom: you are right.. now i know what you are trying to say.. [21:59]
spatel: openstack loadbalancer flavor list  <-- this is empty list [21:59]
spatel: I thought openstack flavor list will be visible in that GUI [21:59]
johnsom: Nope, different flavors [22:00]
spatel: That is very clear now :) i got confused when it's saying flavor [22:01]
spatel: let's say i reboot my compute node and while it's rebooting amphora think VM is dead and start rebuilding one on other compute node in that case how it will handle [22:13]
spatel: Trying to think about disaster scenarios [22:13]
johnsom: Yeah, so if the host reboots and nova brings up the amphora inside the health check timeout (60 seconds by default), nothing happens (assuming standalone mode here). [22:14]
johnsom: It picks up where it left off and keeps going. The caveat is TLS offload, which the encrypted ram disk will have been cleared. [22:15]
johnsom: If it doesn’t make the time or it does have TLS, a failover will start and the old instance is marked for deletion and its ports are disabled [22:16]
spatel: that was my answer [22:17]
spatel: it will delete old instance and keep new one [22:17]
spatel: johnsom: sounds good. [22:17]
johnsom: Yeah, and if nova fails to delete it, we have a zombie killer as well [22:18]
spatel: nice [22:18]
johnsom: It just keeps deleting it until nova stops failing [22:18]
spatel: Let me try to reproduce more disaster scenario to understand how does it handle :) [22:19]
johnsom: Ok [22:19]
johnsom: I am about to go rack leaves, so I will be offline for a while [22:20]
spatel: johnsom: thank you for answering all my questions :) [22:20]
spatel: Have a great weekend and stay safe! [22:20]
johnsom: Rake, helps if I can type [22:20]
johnsom: You too [22:21]
spatel: :) [22:21]