spatel | johnsom morning | 14:05 |
---|---|---|
spatel | Do you know about SSLv3 ? | 14:05 |
johnsom | Are you spying on me and know I'm in early morning training again today? | 14:05 |
spatel | In my HAProxy I am seeing lots of SSL handshake issues, and after doing a tcpdump I found all the SSLv3 ones having issues | 14:06 |
spatel | :) | 14:06 |
johnsom | I do know a lot about TLS/SSL. | 14:06 |
johnsom | Can you provide the errors (paste.openstack.org if the content is larger) or the pcap file? | 14:08 |
spatel | johnsom - http://paste.openstack.org/show/806730/ | 14:33 |
spatel | We have so many clients running Windows 7, and it looks like they are trying to use SSLv3 to talk to my haproxy | 14:33 |
spatel | I believe haproxy by default does not allow SSLv3 because of the POODLE attack | 14:33 |
spatel | johnsom I know SSLv3 is not secure, but I am trying to enable it to debug this issue, to find out whether the clients are able to access or not | 14:45 |
johnsom | Ok, yeah, one second | 14:48 |
johnsom | spatel which version of haproxy are you running? | 14:49 |
spatel | 2.4 latest | 14:49 |
spatel | I want to enable SSLv3 for a few minutes to prove to my client it's an SSLv3 issue :) | 14:50 |
spatel | but haproxy is not letting me enable haproxy | 14:50 |
spatel | http://paste.openstack.org/show/806731/ | 14:51 |
spatel | it does have library support for SSLv3 | 14:51 |
johnsom | Yeah, so you will need to set "ssl-min-ver SSLv3" in global ssl-default-bind-options | 14:51 |
spatel | doing it | 14:53 |
spatel | that works! :) | 14:54 |
spatel | let me test | 14:54 |
spatel | johnsom thank you so much :) | 15:04 |
spatel | My customer is able to access the application now; that means they are all using SSLv3 | 15:04 |
spatel | This is China | 15:04 |
spatel | so lots of people are using Windows 7 | 15:04 |
johnsom | Yeah, it may be some regional limitations. | 15:04 |
johnsom | BTW, HAproxy has a slack channel and an IRC channel on libera.chat if you need direct HAProxy support. | 15:05 |
spatel | I will surely join that | 15:34 |
nicolasbock | Hi! Can I query Octavia to find out why a loadbalancer is PENDING_UPDATE? I have only incomplete logs and see messages such as `2021-06-16 06:31:48.599 14368 WARNING octavia.controller.healthmanager.health_manager [-] Load balancer 10e65047-56ec-4afb-b047-411411b6d313 is in immutable state PENDING_UPDATE. Skipping failover.` | 19:06 |
johnsom | Hi neighbor. We don't go into status details via the API, just like designate and neutron don't. The details are in the worker or health manager logs. | 19:08 |
nicolasbock | Hi :) | 19:09 |
johnsom | I would check that one of the controllers isn't actively working on that load balancer (PENDING status means a controller has ownership), as it is likely retrying some action against another service that is failing (nova, neutron, etc.) | 19:09 |
nicolasbock | Ok | 19:09 |
nicolasbock | Thanks! | 19:10 |
johnsom | All code paths lead back to either ACTIVE or ERROR once the retry timeouts expire. | 19:10 |
nicolasbock | Ok, good to know | 19:10 |
nicolasbock | Ah. So I would need the logs to say | 19:10 |
johnsom | Yeah, so first step is to check the controller logs to see which controller is retrying the action on that LB. | 19:11 |
opendevreview | Merged openstack/octavia stable/ussuri: Explicitely set nodeset to Bionic-based https://review.opendev.org/c/openstack/octavia/+/795356 | 19:13 |
opendevreview | Merged openstack/octavia stable/ussuri: Make /healthcheck cache results https://review.opendev.org/c/openstack/octavia/+/791644 | 19:13 |
opendevreview | Merged openstack/octavia stable/ussuri: Fix using subnets with host_routes in amphorav2 driver https://review.opendev.org/c/openstack/octavia/+/791647 | 19:13 |
johnsom | nicolasbock Ping us back if you don't find one of the controllers scrolling retry logs. | 19:16 |
opendevreview | Merged openstack/octavia stable/ussuri: Validate user access to vip_subnet_id when creating a LB https://review.opendev.org/c/openstack/octavia/+/791649 | 22:16 |
opendevreview | Merged openstack/octavia stable/ussuri: Fix devstack cleanup when using amphorav2 https://review.opendev.org/c/openstack/octavia/+/791653 | 22:23 |
opendevreview | Merged openstack/octavia stable/ussuri: Fix rsyslog configuration when disabling logs https://review.opendev.org/c/openstack/octavia/+/791659 | 22:28 |
opendevreview | Merged openstack/octavia stable/ussuri: Fix task_flow.max_workers with persistence in amphorav2 https://review.opendev.org/c/openstack/octavia/+/791663 | 22:40 |
opendevreview | Merged openstack/octavia stable/ussuri: Optimize CountPoolChildrenForQuota task in amphorav2 https://review.opendev.org/c/openstack/octavia/+/791669 | 22:40 |
opendevreview | Merged openstack/octavia stable/ussuri: Fix comment for the ca_certificates_file opt https://review.opendev.org/c/openstack/octavia/+/791672 | 22:40 |
opendevreview | Merged openstack/octavia stable/ussuri: Fix empty Batch Member Update to unlock objects https://review.opendev.org/c/openstack/octavia/+/787190 | 22:40 |
rm_work | wow | 22:40 |
johnsom | What? The backport backlog finally merging? | 22:42 |
rm_work | yeah :D | 22:47 |
rm_work | such merges | 22:47 |