Friday, 2023-08-04

spatel: johnsom hey! 16:34
spatel: around? 16:34
johnsom: spatel Hi 16:34
johnsom: Did you see I found the patch you needed? 16:34
spatel: No 16:34
spatel: send me again 16:34
johnsom: spatel https://bugs.launchpad.net/octavia/+bug/2024188 16:35
johnsom: https://review.opendev.org/c/openstack/octavia-dashboard/+/889300 16:35
johnsom: It's related to a change in the Chrome browsers 16:35
spatel: reading.. 16:35
spatel: oh boy! got it so it's browser issue 16:36
spatel: I have one more issue for you and not sure how to troubleshoot related Octavia 16:37
spatel: I have created k8s cluster and spun up hello-world app. Which I expose to octavia 16:38
johnsom: Ok 16:38
spatel: But now my loadbalancer member going in Error state 16:39
spatel: https://paste.opendev.org/show/bP16FrMlTvuT1eT5fYz1/ 16:39
spatel: That means octavia not able to reach hello-world app 16:39
johnsom: The health check is failing 16:39
johnsom: So, here are a few things to check: 16:40
spatel: For testing I have created foo1 vm on same network and did curl to member with port 30594 and that works.. 16:40
spatel: Feels like my octavia LB has some security-group issue which not able to reach to member 16:40
johnsom: 1. When you created the member, did you specify a subnet that can reach the hello-world instances? If you didn't specify a subnet, can the VIP network reach those instances? 16:41
johnsom: Nope, it's not a security group issue 16:41
johnsom: 2. Is your hello-world app on port 80 and responding with HTTP and a status code of 200? Check your health monitor configuration, what is it checking for? 16:42
johnsom: It could be a security group issue on your hello-world instances, but it's not in Octavia 16:42
johnsom: Can you paste bin your health monitor config? "openstack loadbalancer healthmonitor show " 16:44
spatel: K8s deployment created LB so it did all right based on what I am looking here 16:45
johnsom: Also one of the member config 16:46
spatel: But I have created foo1 VM using same network and from that VM I did curl to members and it works that means there is not security-group on hello-world app 16:46
johnsom: My guess is you forgot to specify a subnet when creating the members in Octavia 16:47
spatel: how do I check health monitor config? 16:47
spatel: Let me post all the LB command output hold on 16:48
johnsom: openstack loadbalancer healthmonitor show <health monitor uuid> 16:48
johnsom: openstack loadbalancer member show <pool ID> <member ID> 16:48
spatel: https://paste.opendev.org/show/blUbaV2NfzktlLbzR7E8/ 16:49
johnsom: Hmm, ok, so that is a TCP health check, it will just do a SYN handshake on the port and not check HTTP health. That is ok. 16:50
spatel: https://paste.opendev.org/show/bb9VeSzg0lMyUZ0Db4Gq/ 16:50
spatel: I did ssh into amphora and try to curl from amphora to members.. 16:51
johnsom: From inside the network namespace? 16:51
johnsom: Ok, so this member will connect from subnet dd0b518a-114d-4b34-b465-1c35a5ad8017 to 10.0.0.45 on port 30594 16:52
johnsom: Can that subnet reach that address/port is the question. 16:52
spatel: I can't ping member IPs from amphora VM - root@amphora-ee4400fe-3c90-45d0-8b1b-8dbfb574d1ce:~# ip netns exec amphora-haproxy ping 10.0.0.95 16:53
johnsom: From inside the amp, to test with curl, you have to run "sudo ip netns exec amphora-haproxy curl http://10.0.0.45:30594" 16:53
spatel: Ping and curl both not working :( 16:54
johnsom: Yeah, that is a sign that the members aren't reachable from that subnet. Either by routing, security group, or subnet scope 16:54
johnsom: So, Octavia is correct, they are not healthy 16:54
spatel: but security-group is mostly for INGRESS not for EGRESS correct? 16:54
spatel: If I create LB without k8s and just deploy apache web server then everything works 16:55
johnsom: The security groups in Octavia are fine, there is no issue there. It would be on the hello-world instances 16:55
spatel: But from other VM I can access hello-world app so why do you think it's issue on hello-world app? 16:56
spatel: I can curl curl http://10.0.0.45:30594 from my foo1 test vm sitting on same subnet/network of k8s. 16:56
johnsom: Because I know the SGs in Octavia are correct. 16:56
johnsom: From the dd0b518a-114d-4b34-b465-1c35a5ad8017 subnet? 16:57
spatel: Yes from subnet - dd0b518a-114d-4b34-b465-1c35a5ad8017 16:57
spatel: I created test VM on subnet dd0b518a-114d-4b34-b465-1c35a5ad8017 and ping members 10.0.0.45 and 10.0.0.95 and both pingable and I can curl both of them 16:58
johnsom: Then I would start tracking down what is broken in the k8s networking as something is odd 16:58
spatel: felt like something is wrong with octavia networking or tenant network.. 16:58
johnsom: Probably would start with tcpdump on the hello-world side 16:58
spatel: Feels like something is wrong either my networking or VxLAN tunnel 16:58
spatel: Thanks for checking. Let me dig deeper and see 16:59
johnsom: Ok, good luck 16:59
spatel: I found one bug similar to sec group - https://bugs.launchpad.net/cdk-addons/+bug/1884995 16:59
spatel: I am on Xena release 17:00
johnsom: We haven't had a bug in Octavia security groups in like four-five years. It hasn't changed at all. 17:01
spatel: okie!! 17:02
johnsom: Ah, so that bug says the SG on the k8s nodeport was wrong 17:02
johnsom: You could also try this, on your test VM, setup apache and add it as a member, I bet it is online since it's a VM and not in K8s 17:04
spatel: johnsom sometimes my nova giving me error for amphora image - exception.ImageUnacceptable: Image 5a06e450-7aed-418b-a7c5-59372cd080e1 is unacceptable: Image has no associated data 17:47
spatel: very odd that it's happening on only few compute nodes 17:49
spatel: Looks like my glance has some issue.. let me check 17:51
johnsom: Yeah, seems like a glance issue 18:03
opendevreview: Brian Haley proposed openstack/octavia master: Don't fail if a provider driver cannot be loaded in Octavia API https://review.opendev.org/c/openstack/octavia/+/780215 18:32
