Monday, 2018-04-09

« Sunday, 2018-04-08 Index Tuesday, 2018-04-10 »
*** maysamacedos has quit IRC00:00
*** maysamacedos has joined #openstack-kuryr00:42
*** salv-orlando has quit IRC01:16
*** salv-orlando has joined #openstack-kuryr01:16
*** caowei has joined #openstack-kuryr01:27
*** hongbin has joined #openstack-kuryr01:27
*** janonymous has joined #openstack-kuryr03:22
*** janki has joined #openstack-kuryr03:53
*** hongbin has quit IRC04:05
*** jchhatbar has joined #openstack-kuryr04:30
*** janki has quit IRC04:33
*** maysamacedos has quit IRC05:04
*** yboaron has quit IRC05:38
*** natanbro has joined #openstack-kuryr05:58
*** snapiri- has quit IRC06:16
*** snapiri has joined #openstack-kuryr06:16
*** gcheresh has joined #openstack-kuryr06:32
*** pcaruana has joined #openstack-kuryr06:35
openstackgerritDaniel Mellado proposed openstack/kuryr-kubernetes master: Fix the experimental multinode jobs  https://review.openstack.org/55876206:41
*** leyal has quit IRC06:42
*** lihi has quit IRC06:42
*** irenab has quit IRC06:42
*** oanson has quit IRC06:42
*** irenab has joined #openstack-kuryr06:43
*** oanson has joined #openstack-kuryr06:44
*** lihi has joined #openstack-kuryr06:45
*** lihi has quit IRC06:54
*** lihi has joined #openstack-kuryr06:55
*** lihi has quit IRC07:04
*** lihi has joined #openstack-kuryr07:05
*** natanbro has quit IRC07:05
*** yboaron has joined #openstack-kuryr07:14
*** yboaron has quit IRC07:15
*** lihi has quit IRC07:16
*** lihi has joined #openstack-kuryr07:17
*** lihi has quit IRC07:27
*** lihi has joined #openstack-kuryr07:28
*** jistr is now known as jistr|dentist07:34
openstackgerritLuis Tomas Bolivar proposed openstack/kuryr-kubernetes master: Add documentation about supported kubernetes versions  https://review.openstack.org/55934207:35
*** lihi has quit IRC07:40
*** lihi has joined #openstack-kuryr07:41
*** juriarte has quit IRC08:31
*** juriarte has joined #openstack-kuryr08:31
openstackgerritMerged openstack/kuryr-kubernetes master: [Trivial] Remove redundant check service is enabled  https://review.openstack.org/55717008:33
openstackgerritDaniel Mellado proposed openstack/kuryr-kubernetes master: Fix the experimental multinode jobs  https://review.openstack.org/55876208:44
*** garyloug has joined #openstack-kuryr08:45
dulekcelebdor: ping08:45
*** jistr|dentist is now known as jistr09:02
*** juriarte has quit IRC09:06
*** juriarte has joined #openstack-kuryr09:07
*** juriarte has quit IRC09:08
*** juriarte has joined #openstack-kuryr09:08
dmelladodulek: ping any news from the investigation?09:19
dulekdmellado: Well, I'm running out of my networking debugging skills. :P09:20
dmelladodulek: lol, so, overall?09:21
dmelladodidn't you get to find anything unusual?09:21
dulekdmellado: I know the traffic gets only to Neutron router and isn't passed to K8s API.09:22
dmelladodulek: can you get to connect to the K8s API from cli in the gate?09:23
dulekdmellado: Sure. It's only the K8s API Service IP that's not working.09:23
dmelladohmmm09:29
irenabdmellado, dulek what are you investigating?09:40
dulekirenab: Gate failures on https://review.openstack.org/#/c/555040/09:41
irenabmultinode?09:42
dulekirenab: Containerized. For some reason there's no connectivity to K8s API from the pod.09:45
celebdordulek: pong09:46
dulekcelebdor: Can you help me with debugging this connectivity issue?09:47
dulekcelebdor: I can add your key to the VM so you can login there.09:47
celebdordulek: how may I help you09:47
celebdorok09:47
celebdordulek: I'm in09:49
*** natanbro has joined #openstack-kuryr09:50
dulekcelebdor: It's https://10.1.0.129 that's not answering.09:50
celebdoryes, I saw it09:50
celebdordulek: found it :D09:52
dulekcelebdor: Well, it's good. So what's wrong?09:53
celebdorah, no09:53
celebdorsorry, I forgot a param xD09:53
*** jchhatbar has quit IRC09:55
irenabdulek, in the kubelet log, there is : network: failed to find plugin "kuryr-cni" in path [/opt/kuryr-cni/bin /opt/stack/cni/bin]09:58
dulekMhm, that's because cni_ds_init is failing. And it's failing because of connectivity issue with K8s API through LBaaS.10:00
celebdorirenab: that's because the cni container fails to find the API10:00
celebdordulek: what I can see is that kubectl through the API LB works10:00
celebdordulek: check .kube/config10:00
celebdorI changed it10:00
celebdordamn10:01
celebdorI thought I did10:01
celebdorlet me do it again10:01
dulek:P10:01
celebdorthe https one requires auth10:02
celebdor:P10:02
celebdorone sec10:02
celebdorit does reply though10:03
dulekHm>10:04
dulek?10:04
*** livelace-link has quit IRC10:07
celebdordulek: I'm now trying to connect to it with certs10:09
dulekcelebdor: The curl command had the certs supplied, so I think that's not the issue.10:10
celebdorI thought it only had the ca10:10
celebdorbut I see that I get unable to connect to server EOF10:10
dulekcelebdor: Yup, that's what I observed.10:12
celebdorok, I at least got kubectl to work with the 6443 (without the lb)10:14
celebdornow I can concentrate on the LB issue10:14
celebdordulek: I have a meeting now. I'll continue after that10:27
dulekcelebdor: Okay, I'm going lunching in a moment.10:31
celebdorok10:31
dmelladowe should just remove tls-proxy and that's it xD10:41
*** livelace-link has joined #openstack-kuryr10:45
*** livelace-link has quit IRC10:46
*** livelace-link has joined #openstack-kuryr10:48
*** livelace-link has quit IRC10:49
celebdordmellado: tls-proxy?11:14
dmelladoyeah, dealing with some issues on the certs on multinode too11:15
*** atoth has joined #openstack-kuryr11:44
*** gcheresh_ has joined #openstack-kuryr11:48
*** gcheresh has quit IRC11:48
*** gcheresh has joined #openstack-kuryr11:52
*** gcheresh_ has quit IRC11:53
*** maysamacedos has joined #openstack-kuryr11:53
dulekdmellado: I tried that. Doesn't help with that issue.12:03
openstackgerritGenadi Chereshnya proposed openstack/kuryr-tempest-plugin master: Testing curl succeeds from pod to the service  https://review.openstack.org/55848212:41
*** pcaruana has quit IRC12:46
*** pcaruana has joined #openstack-kuryr13:11
*** janki has joined #openstack-kuryr13:22
*** jchhatbar has joined #openstack-kuryr13:50
*** janki has quit IRC13:52
dulekIRC meeting? I've already started it on #openstack-meeting-4.14:03
celebdordulek: coming14:03
*** celebdor1 has joined #openstack-kuryr14:09
*** celebdor1 is now known as apuimedo14:09
*** janonymous has quit IRC14:32
*** gcheresh has quit IRC14:40
apuimedodulek: I think I found it for real this time :P14:52
dulekapuimedo: Oh my, Christmas is early this year!14:52
dulekapuimedo: So what it is?14:53
apuimedodulek: 2 minutes for verification of my hypothesis, hold on14:53
apuimedohere's the thing15:04
apuimedofirst. We are putting the lbaas member IP wrong15:05
apuimedowe are putting the host IP and not the kubelet IP15:05
apuimedosecond, since we generate the kubernetes api certs before we have the kubelet interface, the certificate does not include the kubelet ip address15:06
dulekapuimedo: Hm. Okay. So why does it work fine on my env?15:15
apuimedodulek: is it nested?15:16
dulekapuimedo: Nope.15:17
apuimedos/nested/pod-in-vm/15:17
dulekapuimedo: It's just a VM with DevStack, pretty much like in the gate.15:17
dulekapuimedo: And why do we need kubelet IP as LBaaS member?15:18
apuimedodulek: because the host IP is not part of the cloud15:20
apuimedoso the lbaas may not be able to reach it15:20
apuimedocuriously, now I can ping it from the LB15:21
dulekapuimedo: Are you changing it now? Because I see 10.1.0.68 as member IP.15:21
apuimedodulek: yes, I'm testing my hypothesis15:21
apuimedobut for some reason if I go inside the LB and try to curl, it tells me no route to host15:22
dulekapuimedo: We needed to add a route to make 10.1… IPs reachable. Not sure if that's related.15:23
apuimedodulek:  let me show you15:24
apuimedodulek: http://paste.openstack.org/show/718750/15:24
apuimedothis is from inside the lb namespace, as you can see15:24
dulekapuimedo: That's odd. Ping routes okay, but not kubectl?15:25
apuimedodulek: yeah15:25
apuimedoit totally looks like SG thing15:25
apuimedobut I added the missing sg15:26
apuimedothe kubelet did not have the SG of the (service_pod_access)15:26
apuimedoI'll check if it is SG15:27
apuimedonope, modifying the default one didn't seem to work either15:28
apuimedoI'll try it from the router15:29
apuimedodulek: :O15:30
apuimedoCan't get there either from the router15:30
apuimedowtf15:30
dulekapuimedo: I've noticed that router port has no SG set, but I thought it's expected.15:31
apuimedodulek: that's expected, yes15:31
dulekapuimedo: Any ideas what to do next?15:37
apuimedodulek: of course15:38
apuimedo:-)15:38
apuimedodulek: it's working now15:38
apuimedo:-)15:39
apuimedotry15:39
apuimedokubectl --kubeconfig=/opt/stack/.kube/lbconfignoverify get nodes15:39
dulekapuimedo: Yep, it does.15:39
apuimedodulek: also, if you have your env available15:39
apuimedopaste me the output of "sudo iptables -n -L -v"15:39
dulekapuimedo: I've unstacked, so it might not include DevStack's stuff.15:40
apuimedodulek: it prolly doesn't15:40
apuimedobut let's check anyways15:40
dulekapuimedo: http://pastebin.test.redhat.com/57352115:42
apuimedoit's definitely different15:43
dulekapuimedo: Okay, so how do we fix that?15:44
apuimedodulek: now I'm checking the possibilities15:45
apuimedoI still believe we should do the fixes I put above15:45
dulekapuimedo: #1 - SG for loadbalancer port.15:46
dulek#2 - 10.1.0.68 as member of the LB.15:46
dulek#3 - certificate.15:46
apuimedoyup15:47
apuimedoand now we need to see why the rule I put on openstack-INPUT is necessary15:48
apuimedocause it feels weird to have to put it15:48
dulekapuimedo: tcp dpt:6443 - this one?15:49
apuimedosudo iptables -I openstack-INPUT 1 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -dport 6443 -j ACCEPT15:49
apuimedothis one15:49
dulekDon't you just manually adjusting an SG with that?15:50
apuimedosorry, sudo iptables -I openstack-INPUT 1 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 6443 -j ACCEPT15:50
apuimedodulek: I don't think it is equivalent to an SG15:52
apuimedodulek: if you remember this is using hybrid firewall15:52
apuimedoso our kubelet interface does not get any SG applied to it15:53
apuimedoI may be wrong, but I think the problem is that the communication does not go through   16M 4383M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/015:54
apuimedowell, of course it doesn't match that15:56
apuimedothe point is15:56
apuimedocommunication from 10.1.0.129 reaches the host networking namespace15:56
apuimedo(from the LB vip, from its namespace)15:56
apuimedoand the host networking iptables rules are applied15:56
apuimedosince we have no rule for the k8s api server15:57
apuimedoit goes to hell15:57
*** gianpietro has joined #openstack-kuryr15:57
dulekapuimedo: Sounds like adding the rule is acceptable then?15:58
apuimedodulek: I'm debating myself on that point :P15:58
apuimedodid you try with ovs firewall or with hybrid?15:59
apuimedoin your env15:59
dulekapuimedo: The default, so OVS IIRC.15:59
apuimedodulek: I thought the default is hybrid16:00
dulekapuimedo: Ah, right, it is.16:01
dulekapuimedo: You want me to switch to OVS and recheck?16:01
apuimedodulek: you probably guessed, but the question is whether this iptables rule is necessary with the native driver or if it is not16:02
apuimedodulek: your env is centos?16:02
dulekapuimedo: Yup.16:03
apuimedodulek: I don't know if it changed after you unstacked16:04
apuimedobut if you looked at your iptables, INPUT chains don't end up with reject16:04
apuimedoso that's the difference16:04
*** gianpietro has quit IRC16:05
dulekapuimedo: Right. Plus I don't have issues with the rest of stuff you've listed - IP or certificate.16:05
dulekapuimedo: Gotta go now, I'll produce the patch fixing SG, member IP and certificate later in the evening. I don't have an opinion on what to do with iptables rule though.16:08
dulekapuimedo: BTW - gate is configured with hybrid as well: `firewall_driver = iptables_hybrid`16:10
*** jchhatbar has quit IRC16:10
apuimedodulek: IMHO, these gate iptables rules are probably part of the image they use in infra to prevent hacks16:12
apuimedodulek: IMHO, you should add the iptable rule for now as I put it above16:12
apuimedoinstall it just after creating the kubelet device16:12
apuimedowe can discuss it in the patch review16:13
dulekapuimedo: Yup, I've found that place in the code.16:13
apuimedodulek: thanks dulek16:13
dulekapuimedo: Okay, I'll add you to the review once finished.16:13
apuimedoI meant16:13
apuimedodulek: Thanks Michał16:13
dulekapuimedo: It's me who owe you! I wouldn't be able to debug it myself. :)16:13
apuimedodulek: I love these things16:14
apuimedothey are the most fun I have at work16:14
apuimedo:-)16:14
*** shadower has quit IRC16:15
*** hongbin has joined #openstack-kuryr16:32
*** yamamoto has joined #openstack-kuryr16:37
*** yamamoto has quit IRC16:38
*** shadower has joined #openstack-kuryr16:44
*** garyloug has quit IRC16:49
*** yamamoto has joined #openstack-kuryr17:16
*** maysamacedos has quit IRC17:22
*** maysamacedos has joined #openstack-kuryr17:25
*** natanbro has quit IRC17:28
*** yamamoto has quit IRC17:57
*** gcheresh has joined #openstack-kuryr17:58
*** CrayZee has quit IRC18:12
*** atoth has quit IRC19:02
*** atoth has joined #openstack-kuryr19:04
*** atoth has quit IRC19:07
*** yamamoto has joined #openstack-kuryr19:18
*** gcheresh has quit IRC19:27
*** yamamoto has quit IRC19:33
*** yamamoto has joined #openstack-kuryr20:09
*** yamamoto has quit IRC20:18
*** yamamoto has joined #openstack-kuryr20:19
*** yamamoto has quit IRC20:22
*** salv-orlando has quit IRC20:36
*** pcaruana has quit IRC20:36
*** salv-orlando has joined #openstack-kuryr20:36
*** maysamacedos has quit IRC20:48
*** yamamoto has joined #openstack-kuryr20:54
*** yamamoto has quit IRC20:58
*** hongbin has quit IRC22:45
*** yamamoto has joined #openstack-kuryr23:22
*** yamamoto has quit IRC23:26
*** yamamoto has joined #openstack-kuryr23:59
« Sunday, 2018-04-08 Index Tuesday, 2018-04-10 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!