| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2024.1: Replace usage of mirrorlist with an official Rocky mirror https://review.opendev.org/c/openstack/openstack-ansible/+/963417 | 07:34 |
|---|---|---|
| noonedeadpunk | we likely need to squash bunch of commits together for 2024.1 | 07:35 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2024.1: Set 2023.1 upgrade jobs to NV https://review.opendev.org/c/openstack/openstack-ansible/+/963486 | 07:38 |
| *** Guest28514 is now known as starkis | 09:12 | |
| starkis | Hello folks. I have a network related question. I have noticed that LXC container traffic headed to public IPs on the br-ex interface on the same node does not get routed. | 09:13 |
| starkis | haproxy listens on all IPs on br-ex '0.0.0.0%br-ex'. And traffic from lxcbr0 gets masqueraded via iptables. | 09:13 |
| starkis | So an LXC container on controller001 can reach the public IP on controller002 br-ex. But it cannot reach the public IP on the same controller, so controller001 br-ex. This also means that containers cannot reach the public keepalived vip if it's on the same controller node. | 09:13 |
| starkis | If I configure haproxy to bind to all interfaces it starts to work. So I'm thinking there is some problem around the masquerading rule between lxcbr0 <-> br-ex. Has someone else hit this problem? | 09:13 |
| noonedeadpunk | hey | 09:20 |
| noonedeadpunk | starkis: so how haproxy actually listens is configurable. I think most widespread default is to listen just on a VIP address | 09:22 |
| noonedeadpunk | but I think it might also depend on whether haproxy is running inside LXC or not | 09:22 |
| noonedeadpunk | but also containers should not have a need to talk to a public VIP - all services are configured by default to talk via internal VIP | 09:23 |
| starkis | noonedeadpunk: right now I have `haproxy_bind_external_lb_vip_address: "*"` and `haproxy_bind_external_lb_vip_interface: br-ex` set. So the vip can move around. haproxy and keepalived are running directly on the controller nodes, no container | 09:26 |
| starkis | But i noticed the issue because octavia (running in lxc) tries to connect to the vip on the public endpoint. Maybe that's the real issue | 09:27 |
| starkis | ah I see now in the octavia log 'no such option valid_interfaces'. So maybe I messed something up with the octavia config when going from caracal to epoxy :p | 09:30 |
| noonedeadpunk | starkis: you can also set `haproxy_bind_external_lb_vip_address` to your VIP address and it will also be moving around | 09:35 |
| noonedeadpunk | because haproxy can bind on non-local IP addresses | 09:35 |
| noonedeadpunk | pretty much * is useful if haproxy is in a container, or in case you're having DNS RR or something like that (like in a multi_AZ scenario) | 09:36 |
| noonedeadpunk | when you're having multiple VIPs and don't want to set them explicitly | 09:36 |
| noonedeadpunk | but this octavia issue rings a bell | 09:36 |
| noonedeadpunk | starkis: also it's interesting, as `valid_interfaces` was introduced not that long ago. So I would check if Octavia was actually upgraded | 09:38 |
| noonedeadpunk | https://review.opendev.org/q/I541b52fdf87703fcf434742b6d259c57cc9e281a | 09:39 |
| noonedeadpunk | so there could be a bug in octavia configs and we did backport some changes for it | 09:40 |
| starkis | noonedeadpunk: aha I did not know that haproxy can bind on non-local, that's very good to know | 09:43 |
| starkis | yeah I'm starting to think that octavia was still on caracal and could not read `valid_interfaces` so maybe it defaulted to the public interface. | 09:44 |
| starkis | Re-running the octavia playbook now to see if that fixes it :) | 09:44 |
| noonedeadpunk | yeah, in general if something requires using public, unless that's maybe horizon or some oidc-related configuration for keystone, that is likely a bug | 09:45 |
| noonedeadpunk | as we aim for all communication between services to be performed through mgmt network | 09:45 |
| starkis | I think that fixed it, octavia looks happy on all controllers at least. Thanks :) | 09:50 |
| starkis | yeah the only other time I've seen this issue before is when trying to run tempest in the utility container. So if the vip is on controller001 and tempest runs in utility on controller001. But I will look a bit more into my haproxy config | 09:51 |
| opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_nova master: Add hashi_vault pki backend support https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/949426 | 10:19 |
| opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_octavia master: Add hashi_vault pki backend support https://review.opendev.org/c/openstack/openstack-ansible-os_octavia/+/949419 | 10:20 |
| opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible-os_nova master: Add hashi_vault pki backend support https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/949426 | 12:54 |
| opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Add support for hashi_vault PKI backend https://review.opendev.org/c/openstack/openstack-ansible/+/948888 | 13:02 |
| opendevreview | Damian Dąbrowski proposed openstack/openstack-ansible master: Enable openbao jobs https://review.opendev.org/c/openstack/openstack-ansible/+/948889 | 13:54 |
| opendevreview | Damian Dąbrowski proposed openstack/ansible-role-pki master: Add hashi_vault backend https://review.opendev.org/c/openstack/ansible-role-pki/+/948881 | 14:01 |
| opendevreview | Merged openstack/openstack-ansible-plugins master: Trivial fix for task name with OpenStack naming https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/961645 | 14:47 |
| noonedeadpunk | would be really nice to get some reviews for SHA bumps: https://review.opendev.org/q/topic:%22bump_osa%22+status:open | 15:07 |
| opendevreview | Merged openstack/openstack-ansible-os_tempest master: Tenant replaced to Project in tasks name https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/962540 | 17:06 |
| opendevreview | Merged openstack/openstack-ansible-os_keystone master: Remove checking version for Rocky Linux 9 https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/962488 | 17:06 |
| opendevreview | Merged openstack/openstack-ansible stable/2024.2: Bump SHAs for 2024.2 https://review.opendev.org/c/openstack/openstack-ansible/+/962492 | 17:26 |
| opendevreview | Merged openstack/openstack-ansible master: docs: updated information in the troubleshooting guide https://review.opendev.org/c/openstack/openstack-ansible/+/959965 | 17:26 |
| opendevreview | Merged openstack/openstack-ansible master: Imported Translations from Zanata https://review.opendev.org/c/openstack/openstack-ansible/+/963236 | 17:26 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible master: docs: remove outdated information "failed security hardening after host kernel upgrade from version 3.13" https://review.opendev.org/c/openstack/openstack-ansible/+/959966 | 18:10 |
| opendevreview | Dmitriy Chubinidze proposed openstack/openstack-ansible master: [doc] Document venv rebuild for python_venv_build role https://review.opendev.org/c/openstack/openstack-ansible/+/953493 | 18:11 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_keystone master: wip https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/963474 | 18:17 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_keystone master: Update links for shibboleth mirror for Rocky 10 https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/963474 | 22:41 |
| opendevreview | Ivan Anfimov proposed openstack/openstack-ansible-os_keystone master: Update links for shibboleth mirror for Rocky 10 https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/963474 | 22:41 |
Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!