Tuesday, 2016-04-05

00:08 <openstackgerrit> Tin Lam proposed openstack/neutron-lbaas-dashboard: Update requirement for horizon in stable/mitaka  https://review.openstack.org/301406
07:06 <kong> ping rm_work, today i spent some time on the tls termination implementation (especially for cert management part) in neutron-lbaas and octavia
07:06 <rm_work> so what approach are you taking?
07:06 <kong> when using local_cert_manager, I wonder how to get the cert info from the user's perspective
07:07 <kong> local_cert_manager, i mean in neutron-lbaas side
07:07 <rm_work> so, that is what I meant -- it needs to have an addition to the API
07:07 <kong> rm_work: i am not doing any approach, just try to understand it
07:08 <rm_work> to allow the API to accept EITHER a container_id for the cert (for things like Barbican) or to take in raw cert/key data (to store in LocalCertManager)
07:08 <rm_work> or, even better would probably be DatabaseCertManager honestly
07:08 <rm_work> and it would want to do something like a simple salted hash
07:08 <rm_work> but, this is not something we chose to move forward with
07:09 <kong> but adding another mechanism to do cert management seems to be far away from neutron and octavia...
07:10 <rm_work> I mean, if you made a DatabaseCertManager, that would be within the system too, but would still need an API addition
07:11 <kong> yes, need api to let user create/retrieve their cert info
07:12 <kong> rm_work: I'm trying to find a best approach for us, deploy octavia without barbican. but find there is no better solution than using barbican, if we want to provide TLS termination
07:12 <kong> and that's the feature our customers want, i have confirmed that
07:13 <rm_work> yeah, deploying barbican is probably less effort than fixing LBaaS/Octavia
07:13 <kong> btw, I suspect the local_cert_manager driver in neutron-lbaas, doesn't make sense for real deployment
07:14 <rm_work> actually i need to remove that too
07:14 <rm_work> it has the same problem as Octavia
07:14 <rm_work> I just didn't get to doing it yet
07:15 <kong> but I didn't find local_cert part in octavia
07:15 <kong> in certificate/manager, there is only barbican driver
07:15 <rm_work> yes, it was removed
07:15 <rm_work> because it is not possible to use it
07:16 <kong> so, for now, only barbican is available, and there will not be another option in the near future, right?
07:17 <rm_work> not unless someone volunteers to write it
07:17 <kong> is there another choice that deserves a driver for that?
07:19 <rm_work> not any external services I'm aware of :/
07:20 <rm_work> the issue is that SOMEHOW the *user* needs to store the cert/key, which means something has to run an API
07:20 <rm_work> which means either another service (like Barbican) or a change to the Neutron-LBaaS + Octavia APIs to allow taking in Certs/Keys as raw data, and then adding another driver that stores locally like a DBCertManager or LocalCertManager
07:21 <rm_work> LocalCertManager is actually just a proof of concept, you would NEVER want to use that in production, it was just for "development"
07:21 <rm_work> I could see an acceptable DatabaseCertManager driver for use in production
07:21 <rm_work> if it was written properly
07:22 <rm_work> the reason Barbican is good is because in theory it is written properly, and people who do not understand security fully don't have to write code for it (and mess up!)
09:55 *** kobis has joined #openstack-lbaas
10:09 *** prabampm1 has joined #openstack-lbaas
10:10 <bharathm> kong: Barbican can do two tasks: Certificate generation and Certificate container.. In the latter case, all it does is securely store the certificates.. So in Octavia's case, we use Barbican as a default cert manager (aka just to store and retrieve certs)..
10:11 *** prabampm has quit IRC
10:12 <kong> bharathm: so, as a result, octavia will work with barbican together tightly, if we want to provide TLS termination feature
10:12 <bharathm> So the user, running a web application load balanced through octavia, should buy a certificate from verisign (or some other CA) and store it in a barbican container and create an LbaaS listener with the barbican container id..
10:13 <kong> our end user needs to create or upload a certificate to barbican first, then he can use octavia
10:14 <bharathm> Yes. At least for now, barbican is our cert manager.. This can be extended to support a different cert manager service in the future if needed
10:14 <kong> ok, seems deploying barbican is unavoidable :-(
10:15 <kong> and our customers should be told there will be 2 new services when we provide lbaas
10:15 <kong> and our operators should deploy 2 new services, too
10:16 <kong> ooh my god, kill me
10:17 <bharathm> Well it's a matter of security consideration.. As rmwork pointed out, Barbican has been built considering these security factors so it's better to use that rather than reinventing the wheel (more like a crippled one).. :-)
10:19 <kong> bharathm: yeah, correct
10:19 <bharathm> Until two days ago I was under the impression that we could use local_generator but rmwork enlightened me it wasn't part of the api
10:20 <bharathm> ok.. I am going to bed then..
10:20 <kong> bharathm: yes, me too
10:20 <kong> bharathm: what's your timezone?
10:20 <kong> bharathm: 22:20 for me
10:21 <banszmar> mestery: Hello Kyle. I'd like to ask you a question on the LBAAS driver in networking-odl. It seems to me that it is not fully implemented. Is it working? I've raised a bug report (https://bugs.launchpad.net/networking-odl/+bug/1559939), but so far there was no response.
10:21 <openstack> Launchpad bug 1559939 in networking-odl "can't get networking-odl LBaaS driver to work" [Undecided,New]
10:21 <bharathm> Pacific time.. it's 3:21am here
10:21 <kong> bharathm: ooh, really early
10:22 <banszmar> mestery: I was thinking about fixing it but wanted to check with you first.
12:31 *** yamamoto has joined #openstack-lbaas
12:36 *** yamamoto has quit IRC
12:57 *** prabampm1 has quit IRC
12:58 *** yamamoto has joined #openstack-lbaas
13:42 <mestery> banszmar: have at it, I don't work on ODL any longer.
15:10 <nmagnezi> dougwig, ping re: haproxy
15:10 <dougwig> nmagnezi: ack
15:42 <openstackgerrit> Nir Magnezi proposed openstack/neutron-lbaas: (WIP) Adds option to auto reschedule loadbalancers from dead lbaas agents  https://review.openstack.org/299998
15:50 <nmagnezi> dougwig, also, wanted to ask for your opinion about https://bugs.launchpad.net/neutron/+bug/1565801
15:50 <openstack> Launchpad bug 1565801 in neutron "[RFE] Add process monitor for haproxy" [Undecided,New]
15:50 <nmagnezi> dougwig, should we go with an RFE path for the latter?
15:59 <nmagnezi> dougwig, going offline. catch you later
15:59 <dougwig> nmagnezi: one sec
15:59 <nmagnezi> dougwig, aye
16:00 <dougwig> nmagnezi: check with kevinbenton about how we're handling that with other agents. i don't want to invent some new scheme if we already have one.
16:01 <nmagnezi> dougwig, there is something very similar to this in l3 agent
16:02 <nmagnezi> dougwig, we have a server side loop spawned if allow_automatic_l3agent_failover=True to reschedule routers from dead l3 agents.
16:02 <johnsom> nmagnezi You might look at my upstart script in Octavia.  It auto-restarts haproxy
16:03 <nmagnezi> johnsom, could you elaborate?
16:05 <johnsom> nmagnezi Upstart will respawn haproxy in the Octavia Amphora.  If you want to take it to the next level, you can use active/standby in Octavia.
16:07 <johnsom> It could be adapted easily I think.
16:08 <nmagnezi> johnsom, aye, but as ajo said it's distro specific
16:08 <ajo> hi johnsom nmagnezi  :)
16:08 <ajo> I need to leave now :)
16:08 <nmagnezi> actually me too
16:08 <ajo> johnsom, in other agents with spawned processes we use the neutron process monitor, it's rather simple
16:08 <nmagnezi> dougwig, i will speak with kevinbenton but please see what I also wrote here and in the commit msg :)
16:09 <ajo> johnsom, for the amphora (if looking only to ubuntu) I guess upstart does a good job,
16:09 <ajo> probably when looking at other amphora distros we may need systemd I guess... :) and nothing if we had containers :)
16:09 <johnsom> Sure.  I just wanted to highlight an option.  Systemd has something similar
16:11 <ajo> johnsom, you mean the respawn ?
16:11 <ajo> we looked at something like this, but when we wrote ProcessMonitor I think systemd was not widely available,
16:12 <johnsom> Yep, agreed
16:12 <ajo> maybe it's something we can revisit, I'll think about it
16:12 <ajo> thanks for the feedback :)
16:12 <ajo> but anyway, I believe we should just use the ProcessMonitor interface, and maybe write another driver to use systemd for example
16:12 <ajo> or upstart
16:12 <ajo> or whatever the distro has
16:12 <ajo> that'd be cool :)
16:13 *** nmagnezi has quit IRC
16:53 <openstackgerrit> Lucas Palm proposed openstack/neutron-lbaas-dashboard: Show the member status properties  https://review.openstack.org/299629
17:22 <bana_k> hi, Is there any option in lbaas v1 to restrict the traffic from some particular subnet?
18:46 *** yamamoto has joined #openstack-lbaas
22:31 *** yamamoto_ has joined #openstack-lbaas
23:50 <openstackgerrit> Trevor Vardeman proposed openstack/neutron-lbaas: WIP - Get Me A LB  https://review.openstack.org/257201