Wednesday, 2017-01-04

« Tuesday, 2017-01-03 Index Thursday, 2017-01-05 »
diltramnmagnezi: good to know00:00
diltramrm_work: for me even after merging into octavia it didn't worked :P00:01
rm_workhmm00:01
rm_workdiltram: wait, so that patch *isn't* working?00:02
diltramit should work00:02
diltramI don't know why it's not working00:02
rm_workI am wondering if maybe those patches need to actually merge first00:03
rm_workI think i ran into this before00:03
rm_workwhen I was redoing the barbican gate00:03
rm_workdepending on them might not actually work, because zuul doesn't allow changes to project-config to actually RUN in the gate00:03
rm_workor something like that00:03
nmagnezijohnsom, hey, would love to know what you think about https://review.openstack.org/#/c/415681/ (a sub-patch for the amphora agent work)00:04
johnsomOk, I will take a look00:04
nmagnezijohnsom, thanks :-)00:05
nmagnezinight all00:05
*** nmagnezi has quit IRC00:05
diltramrm_work: but how often zuul refreshes configs00:06
diltrambecause in octavia we have this config merged and it's not working00:06
rm_workah....00:08
rm_workit should be immediate00:08
rm_workor ... hmm maybe not00:08
rm_workI think it might be ~1h now that I think back00:08
diltramhahaha :P00:08
rm_workman, i forgot basically everything being out for three months >_<00:08
rm_workjohnsom / diltram: newly generated config by devstack, has the same duplicate entries00:13
rm_workper http://paste.openstack.org/show/593820/00:13
rm_workdiltram: do you know which ones it actually NEEDS/uses?00:14
diltramrm_work: it's not duplicated00:14
rm_workdoes it use both?!00:14
diltramyep00:14
rm_workuhh00:14
rm_workbut they have a different setting for signing_dir (or are they both essentially default)?00:14
rm_workand is "auth_uri" actually used?00:15
diltramthis config is generated using devstack method00:15
diltramto generate it00:15
rm_workwell00:15
rm_workit's from plugin.sh right?00:15
diltramthey have different signing_dirs because they use different accounts00:15
diltramyep00:15
johnsomIsn't one for authenticating API users and the other for our client uses?00:15
diltramyes00:16
rm_workaugh ok00:16
rm_workso one is supposed to be ...00:16
rm_workadmin, and the other isn't?00:16
diltramservice_auth is used to authenticate octavia as admin in OpenStack to perform operations like create vm00:16
diltramand keystone_auth is used to verify user tokens - service account00:17
*** yamamoto has joined #openstack-lbaas00:17
diltramwe can probably remove some options from service_auth section but devstack doesn't provide any way to configure properly this00:17
rm_workhmm00:18
diltramI was thinking about writing it based on this keystone_authtoken but didn't had time for that00:18
rm_workyeah so I guess I am not sure why they ever need to be different, in reality00:19
diltramrm_work: by mistake I rechecked your patchset00:20
rm_workone account who is nova and neutron admin, and one account who is keystone admin00:20
rm_work?00:20
*** fnaval has joined #openstack-lbaas00:20
rm_workah00:20
rm_workdoesn't matter prolly00:20
diltramso in OpenStack you have a service account00:20
diltramaccounts like nova, neutron, octavia00:20
diltramthey are allowed to verify that token send with request is valid, extract data about this account etc00:21
diltramand there are normal accounts like demo, admin, rm_work :P00:21
rm_workhmm00:21
diltramthis accounts has some projects assigned, some roles like admin, user00:21
diltramand they can obtain token which they will use to communicate with project like octavia which will use it's service account to verify that token00:22
rm_workerr, both need to have admin, don't they?00:22
diltramyep00:22
rm_workso what is the point of them being different accounts00:22
diltramI spend a month on understanding how everything is working, how it's interacting with each other and how to configure that stuff :P00:22
diltramhahaha00:22
rm_workone is just doing keystone token validation, and the other is doing all the requests00:22
diltramI just wrote all how it's working :P00:23
rm_worklol00:23
diltramyep00:23
rm_worki don't understand why i'd bother to use two accounts00:23
rm_workin my sample deployment both config sections are just exactly the same... and works great :)00:23
rm_workand seems simpler00:24
rm_workmaybe it is a security concern?00:24
diltrambecause you're not using keystone in octavia :P00:24
diltramenable keystone without configuring this00:24
rm_workah, i thought your keystone patch merged00:24
diltramyes, it's merged because of this there are two sections00:24
diltram:P00:24
rm_workright, and auth_strategy is keystone00:25
diltrambut remember that by default octavia is not using keystone00:25
diltramnope00:25
diltramauth_strategy is None00:25
rm_workhmm00:25
diltrambecause it breaks neutron-lbaas00:25
diltrambecause neutron-lbaas is not forwarding tokens to octavia00:26
diltramso if you're using nlbaas you need to disable octavia00:26
diltramafter dropping nlbaas you can enable auth_strategy :P00:26
rm_workoh, yeah i don't have n-lbaas00:27
rm_workand i set auth_strategy=keystone in my config00:27
diltramand how your octavia.conf looks like?00:28
rm_workboth sections for keystone look identical00:28
rm_workother than one has an extra auth_uri00:29
rm_workI can censor the password and pastebin I guess00:29
diltramwould be great :)00:29
diltramehhh, this project-config is still not refreshed00:30
*** eezhova has quit IRC00:31
johnsomIt merged?00:31
johnsomYeah, ok.  It does sometimes take an hour00:33
rm_workdiltram: http://paste.openstack.org/show/593824/00:35
rm_workI think I don't need insecure=True there....00:36
rm_workit seems to do keystone auth correctly00:37
*** fnaval has quit IRC00:38
*** fnaval has joined #openstack-lbaas00:39
rm_workto be clear, this all *works great*00:39
rm_workmy point is that I don't understand why you'd need those to be different accounts00:39
rm_workis it a security issue?00:39
rm_workdiltram: ah I guess it's about going-home-time for you00:42
johnsomI think it is a good idea.  For example, the API processes should only need the "authenticate this" level account, where the backend processes (cw, hm, maybe hk) would need the account with credentials to crate things, etc.00:42
rm_workok, so yeah, security00:42
johnsomSo, if you isolate your API processes, it's config would only need the "authenticate this" account and not the config for the "make me this"00:42
johnsomAssuming that is how we have it setup...  ha.   Vacation brain00:43
rm_workI think it is00:43
rm_workI mean, I believe that will happen00:43
rm_workjust means I have to track twice as many accounts >_<00:43
diltramso yest it is security but also you not suppose to be able to create load balancer using service account00:44
rm_work?00:44
diltramor maybe you have some magic in keystone00:44
diltramservice account - like octavia - is not admin account00:44
rm_workI'd POST to /loadbalancers as a user like rm_work00:44
rm_workit's admin on SOMETHING00:45
rm_workwe use it to do admin operations like network plugging, no?00:45
diltramyes but there should be used octavia (service user) to verify "rm_work" user credentials00:45
rm_worki mean, one account needs keystone admin to do token validation00:45
rm_workthe other account needs nova/neutron admin to do plugging and such00:45
diltramno, service account is used to keystone token validation00:45
rm_workthey both aren't *normal* user accounts00:45
rm_workerr00:46
diltramand only service account should be able to do this00:46
rm_workso in the devstack config, "admin" is an admin account, no?00:46
rm_workand "octavia" is a service account which has admin00:46
diltramyes but admin account which has admin role is a normal account00:46
diltramnot service00:46
rm_workerr00:46
rm_workbut we use it for [service_auth]00:46
rm_worki wouldn't put `rm_work` as the service_auth account in octavia config <_<00:47
diltramin service_auth we're using account which admin role in some project00:47
diltramso in devstack it's admin user00:47
diltrambecause admin has admin role in project admin00:47
rm_workit's supposed to be a service account00:47
rm_workyeah but doesn't it also need admin role in neutron and nova?00:47
diltramthis is why we're using admin00:48
rm_work...00:48
rm_workok so in a production deployment00:48
diltrambecause admin is admin in nova, neutron and all projects00:48
rm_workwe'd have to create `octavia1` and `octavia2`00:48
rm_workoctavia1 would have admin in keystone00:48
rm_workand octavia2 would have admin in nova/neutron?00:49
rm_work[service_auth] would use octavia200:49
diltramthere is keystone admin00:49
diltramthere is no*00:49
rm_work[keystone_authtoken] would use octavia100:49
rm_workerr00:49
rm_workdoesn't token auth need to be done via the keystone admin endpoint?00:50
rm_worki thought that wasn't a user-level operation00:50
diltramno00:51
rm_workso wait, using my regular user account `rm_work`, I can validate someone's token?00:51
rm_workusing the normal keystone endpoint?00:51
*** fnaval has quit IRC00:51
* rm_work looks up the API again00:51
diltramno00:52
rm_workAPI says the auth token you pass has to be an admin token00:52
*** fnaval has joined #openstack-lbaas00:52
rm_workto do token validation on a subject token00:52
rm_workhttp://developer.openstack.org/api-ref/identity/v3/index.html?expanded=validate-and-show-information-for-token-detail00:53
diltramthis is why you need to have keystone_authtoken which is configured to use service account00:53
diltramlike octavia00:53
rm_work.... the octavia service account, which has keystone admin?00:53
diltramthis service accounts are used just to verify tokens00:53
diltramif you say so00:54
diltramit's just service account00:54
rm_workDoesn't the API doc say so?00:54
rm_workX-Auth-TokenheaderstringA valid authentication token for an administrative user.00:54
diltramthis acc type tells that it may be used to authenticate tokens00:54
rm_workerr00:55
rm_workwhat00:56
diltramhttps://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py00:56
rm_workSo you're saying that with my account, I can validate someone else's token, as long as I'm admin on my OWN account?!00:57
rm_workthat seems like a kind of nonsensical restriction00:57
rm_workbut maybe it's because I'm used to how RAX sets things up00:58
rm_workliterally every user has admin on their own account00:58
*** eezhova has joined #openstack-lbaas00:59
rm_workso backing up00:59
rm_work[keystone_authtoken] user needs to have at least the role "keystone:admin"01:00
rm_workright?01:00
rm_workerr01:00
rm_workis it "identity:admin"?01:00
diltrambased on my knowledge no01:00
diltramit must be service account01:00
diltramso one of01:01
diltramnova, neutron, octavia, etc01:01
rm_workwhat defines something as a "service account"?01:01
*** eezhova has quit IRC01:01
rm_workthere's no "service_account = True" flag that I know of01:01
diltramhttps://github.com/openstack/octavia/blob/master/devstack/plugin.sh#L4801:01
rm_workok but what does that do >_>01:01
rm_worklooking....01:02
rm_workhttps://github.com/openstack-dev/devstack/blob/master/lib/keystone#L451-L45801:03
rm_workhttps://github.com/openstack-dev/devstack/blob/master/functions-common#L860-L88401:04
rm_workit's just adding specific roles01:04
*** yamamoto has quit IRC01:04
rm_workso it adds the role "service"01:05
rm_workfor the project01:05
rm_workto a regular user01:05
diltramit's not a regular user01:06
diltrambut this is how openstack divides "services" from normal projects and users01:06
rm_workuntil it added the service role to it, the user was the same as any other regular user01:07
diltramthis service project is magical in keystone01:07
*** fnaval has quit IRC01:07
rm_workhmm ok01:07
diltramyes, they use same capabilities01:07
diltrambut it's magical internal openstack account01:07
rm_workI think this diverges a lot from how RAX does their auth stuff01:07
rm_workwhich is what I'm used to01:08
diltrambecause belongs to service project and has service role01:08
rm_workgoing to have to try to forget all of that01:08
diltramyep01:08
diltramRAX is really breaking a lot of stuff in OpenStack01:08
rm_work:301:09
diltramthey even don't understand how to use keystone endpoints :P01:09
diltramand because of them we need to implement workarounds in Octavia :P01:09
johnsomAll I can say is they are not alone is some of these issues....01:10
diltramI know :P01:10
rm_workok so01:11
rm_work[keystone_authtoken] user needs to be any user with service role added, no admin roles01:11
rm_work[service_auth] needs to have nova:admin and neutron:admin01:12
rm_workis that right?01:12
johnsomSounds right to me01:13
diltramyep01:13
rm_workok01:13
diltramand based on this you can create "loadbalancers" user01:14
diltramwhich will be nova:admin, neutron:admin01:14
diltramand noone will know the password to this account01:14
diltramand it will be used to make Octavia working01:14
rm_workk01:14
diltramand normal admin account will be available for admins01:14
xgermanSo the two users were not remnants of using a different account for barbican?01:14
diltramand they will not mess anything in octavia01:14
rm_worki might name them like ... octavia_tokens and octavia_service01:15
diltramyep01:15
diltrambut standard is to use project name as service account01:15
diltramso nova uses nova01:15
rm_worki don't think we do that here01:15
diltramneutron uses neutron user01:15
diltrametc01:15
diltramyes we do01:16
xgermanOctavia01:16
diltramwe're using octavia as service account user01:16
rm_workin fact I think I get a randomly generated string of characters+numbers as the account names I get anyway <_<01:16
rm_workhere == godaddy01:16
diltramyou need to take a look into how they generate that accounts01:16
xgermanBlame jharlow01:16
diltrammaybe to obfuscate them a little they randomly generate names01:16
rm_worklol yeah01:17
rm_workprobably01:17
diltramcheck in nova.conf what is specified01:17
rm_worki assume it's the same01:17
rm_workyeah, random01:18
rm_workwoo >_>01:18
rm_workso I just have to remember two accounts01:18
rm_workremember / paste into config management db01:18
diltramyep01:19
rm_workhokay01:19
diltramok, I'm out01:27
diltramCU people01:27
*** mixos has joined #openstack-lbaas01:41
openstackgerritJingLiu proposed openstack/octavia: Set access_policy for messaging's dispatcher  https://review.openstack.org/41639401:48
*** yamamoto has joined #openstack-lbaas02:02
*** gongysh has joined #openstack-lbaas02:03
*** kevo has quit IRC02:06
*** bana_k has quit IRC02:12
*** ducttape_ has quit IRC03:04
*** ducttape_ has joined #openstack-lbaas03:05
*** ducttape_ has quit IRC03:09
*** ankur-gupta-f1 has left #openstack-lbaas03:55
*** links has joined #openstack-lbaas03:56
*** ducttape_ has joined #openstack-lbaas04:02
*** ducttape_ has quit IRC04:25
*** ducttape_ has joined #openstack-lbaas04:26
*** ducttape_ has quit IRC04:26
*** ducttape_ has joined #openstack-lbaas04:26
*** mixos has quit IRC04:36
*** mixos has joined #openstack-lbaas05:03
*** reedip has joined #openstack-lbaas05:05
*** csomerville has quit IRC05:43
*** cody-somerville has joined #openstack-lbaas05:43
*** cody-somerville has quit IRC05:43
*** cody-somerville has joined #openstack-lbaas05:43
*** amotoki has joined #openstack-lbaas06:22
*** gcheresh_ has joined #openstack-lbaas06:22
*** kobis has joined #openstack-lbaas06:38
BlackDexHello there, is there someone who can please help me with fixing lbaas ?06:45
BlackDexi get the following messages06:45
BlackDex2017-01-03 19:21:16.310 16456 INFO neutron.common.config [-] Logging enabled!06:45
BlackDex2017-01-03 19:21:16.380 16456 INFO neutron.common.config [-] /usr/bin/neutron-lbaasv2-agent version 9.0.006:45
BlackDex2017-01-03 19:21:16.380 16456 DEBUG neutron.common.config [-] command line: /usr/bin/neutron-lbaasv2-agent --config-file=/etc/neutron/neutron.conf --config-file=/etc/neutron/lbaas_agent.ini --log-file=/var/log/neutron/neutron-lbaasv2-agent.log06:45
BlackDexsetup_logging /usr/lib/python2.7/dist-packages/neutron/common/config.py:10706:45
BlackDex2017-01-03 19:21:16.381 16456 WARNING stevedore.named [req-78b2a76b-c913-4cb4-9475-ca1c5858676f - - - - -] Could not load06:45
BlackDexneutron_lbaas.drivers.haproxy.namespace_driver.HaproxyNSDriver06:45
BlackDex2017-01-03 19:21:16.961 16456 WARNING stevedore.named [req-78b2a76b-c913-4cb4-9475-ca1c5858676f - - - - -] Could not load06:45
BlackDexneutron.agent.linux.interface.OVSInterfaceDriver06:46
*** bana_k has joined #openstack-lbaas06:46
*** pcaruana has joined #openstack-lbaas06:51
*** rcernin has joined #openstack-lbaas07:15
*** tesseract has joined #openstack-lbaas07:18
*** gongysh_ has joined #openstack-lbaas07:59
*** gongysh has quit IRC08:00
*** gongysh_ has quit IRC08:37
*** anilvenkata has joined #openstack-lbaas08:45
openstackgerritJeremy Liu proposed openstack/octavia: Remove MANIFEST.in from repo  https://review.openstack.org/41647808:48
openstackgerritJingLiu proposed openstack/octavia: Set access_policy for messaging's dispatcher  https://review.openstack.org/41639408:49
*** kevo has joined #openstack-lbaas08:51
*** gongysh has joined #openstack-lbaas08:51
*** bana_k has quit IRC09:10
*** kevo has quit IRC09:22
openstackgerritKevin Benton proposed openstack/neutron-lbaas: Fixing the scenario tests on master branch  https://review.openstack.org/41125709:23
openstackgerritValleriya Perelman proposed openstack/octavia: ACTIVE-ACTIVE Topology - Distributor image creation  https://review.openstack.org/40359409:24
*** anilvenkata has quit IRC10:17
*** Alex_Stef has joined #openstack-lbaas10:27
Alex_Stefblogan_, ping10:28
*** anilvenkata has joined #openstack-lbaas10:29
*** eezhova has joined #openstack-lbaas10:33
*** armax has joined #openstack-lbaas10:36
*** mixos has quit IRC10:36
*** eezhova has quit IRC10:39
*** yamamoto has quit IRC10:47
*** mixos has joined #openstack-lbaas10:48
*** links has quit IRC10:57
openstackgerritZhaoBo proposed openstack/octavia: Add check when plug vrrp port in LB creation  https://review.openstack.org/41651911:09
*** links has joined #openstack-lbaas11:21
*** gongysh has quit IRC11:21
*** ducttape_ has quit IRC11:25
*** anilvenkata has quit IRC11:32
*** ducttape_ has joined #openstack-lbaas11:36
*** yamamoto has joined #openstack-lbaas11:40
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology: Initial Distributor Noop Driver  https://review.openstack.org/31300611:44
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology: OVS-based Distributor Driver  https://review.openstack.org/31762911:44
*** yamamoto has quit IRC11:46
*** anilvenkata has joined #openstack-lbaas11:46
*** yamamoto has joined #openstack-lbaas11:47
*** yamamoto has quit IRC11:51
*** nmagnezi has joined #openstack-lbaas11:53
*** ducttape_ has quit IRC11:54
*** nmagnezi has quit IRC12:02
*** catintheroof has joined #openstack-lbaas12:14
*** yamamoto has joined #openstack-lbaas12:17
*** openstackgerrit has quit IRC12:33
*** mixos has quit IRC12:34
*** openstackgerrit has joined #openstack-lbaas12:39
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology OVS-based Distributor Backend  https://review.openstack.org/32042212:39
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE - controller network tasks  https://review.openstack.org/32348112:39
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE - network driver related changes  https://review.openstack.org/32249412:39
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology OVS-based Distributor Driver  https://review.openstack.org/31762912:39
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology - Distributor image creation  https://review.openstack.org/40359412:41
*** yamamoto has quit IRC12:42
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology - Initial Cluster Manager  https://review.openstack.org/40523812:44
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology - Distributor related tasks  https://review.openstack.org/40695112:46
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE - distributor certificate tasks  https://review.openstack.org/40695212:46
openstackgerritAdit Sarfaty proposed openstack/neutron-lbaas: [WIP] VMWare driver support for l7 rules & policies  https://review.openstack.org/41621112:47
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology - distributor creation flow  https://review.openstack.org/40695312:50
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology - Distributor related tasks  https://review.openstack.org/40695112:58
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE - distributor certificate tasks  https://review.openstack.org/40695212:58
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology - distributor creation flow  https://review.openstack.org/40695312:58
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology - create distributor network flow  https://review.openstack.org/40976313:03
openstackgerritAbed Abu dbai proposed openstack/octavia: Active-Active Topology - register/uregister amphorae tasks  https://review.openstack.org/40976513:03
openstackgerritAbed Abu dbai proposed openstack/octavia: Active-Active Topology - Cluster DB Tasks  https://review.openstack.org/40976413:03
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology - create shared distributor  https://review.openstack.org/40695413:03
*** yamamoto has joined #openstack-lbaas13:16
*** yamamoto has quit IRC13:28
*** reedip_ has joined #openstack-lbaas13:47
*** Deep_Thought has joined #openstack-lbaas13:55
Deep_ThoughtHello, when creating & configuring a pool for a load balancer on Horizon, where the corresponding configuration for haproxy is created?13:57
*** reedip_outofmemo has joined #openstack-lbaas14:06
xgermano/14:07
*** ducttape_ has joined #openstack-lbaas14:20
*** fnaval has joined #openstack-lbaas14:59
*** links has quit IRC14:59
xgermanDeep_Thought you mean in code or on disk? And are you using Octavia or Namespace driver?15:01
openstackgerritAbed Abu dbai proposed openstack/octavia: ACTIVE-ACTIVE Topology - create distributor network flow  https://review.openstack.org/40976315:09
openstackgerritAbed Abu dbai proposed openstack/octavia: Active-Active Topology - register/uregister amphorae tasks  https://review.openstack.org/40976515:09
openstackgerritAbed Abu dbai proposed openstack/octavia: Active-Active Topology - Cluster DB Tasks  https://review.openstack.org/40976415:09
*** armax_ has joined #openstack-lbaas15:12
*** armax has quit IRC15:13
*** armax_ is now known as armax15:13
*** gcheresh_ has quit IRC15:28
Deep_Thoughtxgerman: Namespace15:34
xgermanok15:34
Deep_Thoughtxgerman: I mean on the disk15:34
xgermanso it goes by a config option: loadbalancer_state_path15:39
xgermanhttps://github.com/openstack/neutron-lbaas/blob/36f0f578a689be3964c8bb56f07982bb22852148/neutron_lbaas/drivers/haproxy/namespace_driver.py#L48-L5315:39
xgermanusually I just do find -f on a box but…15:40
Deep_Thoughtxgerman: thanks15:42
*** reedip_ has quit IRC15:45
*** matt-borland has joined #openstack-lbaas15:54
*** Deep_Thought has left #openstack-lbaas15:55
*** _ducttape_ has joined #openstack-lbaas15:59
*** ducttape_ has quit IRC16:03
*** rcernin has quit IRC16:09
openstackgerritmelissaml proposed openstack/octavia: Fix a typo  https://review.openstack.org/41660416:18
*** kobis has quit IRC16:24
diltrammorning16:32
*** _ducttape_ has quit IRC16:33
*** ducttape_ has joined #openstack-lbaas16:33
xgermano/16:33
openstackgerritMerged openstack/octavia: Add context to unit tests  https://review.openstack.org/41595317:01
*** tesseract has quit IRC17:21
*** kobis has joined #openstack-lbaas17:27
openstackgerritLubosz Kosnik (diltram) proposed openstack/octavia: Fix tenant_id reference  https://review.openstack.org/41667817:29
*** bana_k has joined #openstack-lbaas17:31
*** reedip_outofmemo has quit IRC17:33
*** kobis has quit IRC17:39
*** kevo has joined #openstack-lbaas17:40
*** bana_k has quit IRC17:49
diltramrm_work: pinggg17:59
rm_workHey17:59
diltramany progress with this tempest?17:59
rm_workjust abandoned mine because kevinbenton uploaded my same changes onto the original patch :P17:59
rm_workwhich should be fine17:59
*** aleph1 is now known as agarner17:59
rm_workactually JUST commented as you pinged me17:59
rm_workit should work once the barbican issue is resolved ...18:00
diltramok :P18:00
diltrambarbican is merged18:00
rm_workhmm then i'll recheck18:00
rm_workthis permission denied thing is still super odd to me18:12
rm_workhttp://logs.openstack.org/57/411257/4/check/gate-neutron-lbaas-dsvm-functional-ubuntu-xenial-nv/8ad96a8/console.html#_2017-01-04_18_06_49_50389518:12
diltramrm_work: it's sudo issue18:16
diltramshould be sudo -H pip xxx18:17
johnsomo/18:17
diltramhey18:17
rm_workyeah it mentions that but18:17
rm_worki thought it was an intermittent fail18:17
johnsomThe day of my dentist appointment had to be a snow day....18:17
rm_worko/18:17
diltramit not even suppose to fail because of this18:17
diltramjohnsom: problems with getting there? :P18:18
diltramrm_work: may you give me the url to kevinbenton patch?18:18
*** eezhova has joined #openstack-lbaas18:18
johnsomGetting there and getting back.  Saw 6-7 accidents...18:18
rm_workit's the same one18:18
rm_workhttps://review.openstack.org/#/c/411257/18:18
johnsomIn good local fashion, they haven't even started sanding the roads yet.18:19
diltramhahaha18:19
diltramnice :P18:19
johnsomWe don't get much snow....18:19
diltramrm_work: it's still not refreshed18:21
rm_work:/18:21
xgermano/18:22
xgermanno snow in my neck of the woods but they are quick to salt18:22
rm_workwe don't salt on the west coast, we sand or dirt :P18:23
xgermani am pretty sure if they could use ground up coal they would18:23
rm_worklol18:23
diltramrm_work: it's working18:30
rm_workk18:31
rm_workyeah just saw too18:31
diltrambut it's not gonna work with this project_id18:31
rm_workerm18:31
diltramhttp://logs.openstack.org/78/416678/1/check/gate-octavia-v1-dsvm-scenario-ubuntu-xenial-nv/7f05c62/console.html18:32
diltramI done the same in octavia18:32
rm_workwut18:32
rm_workno project_id on listener18:32
*** bana_k has joined #openstack-lbaas18:32
rm_workwait18:33
rm_workthat's the same self18:33
rm_workso does it not have tenant_id *or* project_id?18:33
diltramyep18:33
rm_work<_<18:34
diltramtempest like always make our life miserable :/18:35
xgermandiltram I was long advocating to switch to rally AFAIK18:36
johnsomPublic service announcement: Don't forget .copy() is a shallow copy in python....  That one hung me up on the darn quota patch.18:36
diltramjohnsom: rotfl :P18:36
diltramxgerman: I'm advocating for using both of them, but from day to day I have a fillings that we not suppose to use rally18:37
diltrambecause it's performance benchmarker18:37
johnsomOh, please, let's not bring back the rally war for a while....18:37
diltramand this test what would verify18:37
diltramnova boot performance?18:37
johnsomYeah, adding it in addition I'm more open to than replacing.  At least at this point.18:38
johnsomBut, after the merge is done?????18:38
diltramjohnsom: but again, rally is to measuring performance18:39
diltramand performace of what we suppose to measure?18:39
diltramnova18:39
diltramneutron port bindingg?18:39
johnsomThose are two interesting metrics.   The previous war was about a complete replacement of tempest with rally18:40
diltrambut there are specific rally tests to test nova and neutron port binding feature :P18:40
rm_work.copy() is shallow by inference because .deepcopy() exists :P18:40
diltramyep I know, we discussed this on mid-cycle18:40
diltram:P18:40
johnsomYeah, there probably are now18:40
johnsomrm_work Yeah, I was being an idiot and hate myself for how long it took to track that down.  I was getting errors about pools not existing the DB, which I thought might be a DB session issue as that is what I have been monkeying with.18:42
rm_workit happens18:42
johnsomIt turns out it was missing, because the lb.copy was missing the pool definition on the second test call.18:42
johnsomAnyway, just trying to share my failures so others learn...  Grin.18:43
rm_workright now i'm trying to figure out why the routing gets hosed when the agent plugs a VIP that's on the same subnet as the Management interface18:43
johnsomHmm, yeah, it shouldn't with the namespace...18:44
rm_worki'll let you know if i have any interesting data18:44
johnsomSure, happy to provide a second set of eyes too as I touched a lot of that in the last year18:45
diltramrm_work: I need to tell you that this patch looks the best for me to fix this issues18:51
diltramhttps://review.openstack.org/#/c/406033/4/neutron_lbaas/tests/tempest/v2/scenario/base.py18:51
diltramand it's working18:52
rm_workfine by me18:52
*** pcaruana has quit IRC18:52
rm_workdiltram: last ran tests on jan 118:53
rm_workdo you mind if we recheck?18:53
diltramsure18:53
rm_workI'm glad I only spent like 15 minutes looking at this yesterday18:54
diltrambut this guy was the first, it removes this self.tenant_id18:55
*** Alex_Stef has quit IRC18:57
*** anilvenkata has quit IRC18:59
openstackgerritLubosz Kosnik (diltram) proposed openstack/octavia: Fix tenant_id reference  https://review.openstack.org/41667819:05
*** gcheresh_ has joined #openstack-lbaas19:14
rm_workhey johnsom, one question here: https://github.com/openstack/octavia/blob/master/octavia/network/drivers/neutron/allowed_address_pairs.py#L30419:15
johnsomOk19:17
rm_workjohnsom: that plugs the vip subnet ... but that function creates a new port only knowing a subnet_id, and then the next line uses vip.ip_address ... how could the correct ip_address be in the vip object if we JUST created the port19:17
rm_workerr sorry, it plugs based on just network_id19:17
rm_worknot even subnet19:18
johnsomYeah, you would pick one part I didn't touch...  So, it doesn't get the default subnet from the network when we ask neutron to create that port?  Isn't this the same thing neutron-lbaas is doing?19:23
*** pck has quit IRC19:36
*** kevinbenton has quit IRC19:36
*** raginbajin has quit IRC19:36
*** jschwarz has quit IRC19:36
*** adam_g has quit IRC19:36
*** pck has joined #openstack-lbaas19:36
*** jschwarz has joined #openstack-lbaas19:36
*** adam_g has joined #openstack-lbaas19:36
*** adam_g has quit IRC19:36
*** adam_g has joined #openstack-lbaas19:36
*** kevinbenton has joined #openstack-lbaas19:37
*** raginbajin has joined #openstack-lbaas19:38
*** eezhova has quit IRC19:41
*** TrevorV has joined #openstack-lbaas19:55
TrevorVrm_work, pssss19:55
TrevorVpsssst****19:55
johnsomHey neighor19:55
TrevorVHey hey johnsom!19:56
TrevorVHow goes it?19:56
johnsomNot too bad, how about you?19:56
TrevorVDay 2 new job, so far so good I'd say19:56
rm_workpsssst19:56
johnsom+100 excellent!  Congrats19:57
TrevorVThanks!19:57
TrevorVThese guys are a riot.  Memes/Gifs in all the channels and whatnot.19:57
TrevorVGood times19:57
xgermanTrevorV congrats!!19:58
TrevorVxgerman, thanks!  Heard you ended up at the Rax, how's that goin for ya?19:59
xgermanyep, I am at the RAX… so far so good… made top table in RookieO whatever that means19:59
TrevorVWell, that just means most of us that contribute to LBaaS and work(ed) at rax got #1 table20:00
xgermanCool!! So I continued that tradition ;-)20:01
johnsomOctavia meeting starting soon on #openstack-meeting-alt20:01
*** m-greene has joined #openstack-lbaas20:03
diltramrm_work: https://review.openstack.org/#/c/406033/4 - tested20:06
*** m-greene has quit IRC20:29
openstackgerritLubosz Kosnik (diltram) proposed openstack/octavia: Fix tenant_id reference  https://review.openstack.org/41667820:33
openstackgerritLubosz Kosnik (diltram) proposed openstack/octavia: Fix tenant_id reference  https://review.openstack.org/41667820:41
diltramok this one should work :P20:41
rm_workjohnsom: my question wasn't about how it gets the subnet -- more like ... it's not going to assign an ip_address until that point, so how is the vip object populated?20:51
rm_workit does: interface = self._plug_amphora_vip(amphora, subnet.network_id)20:51
rm_workthen: self._add_vip_address_pair(interface.port_id, vip.ip_address)20:51
rm_workbut vip.ip_address can't possibly be populated, can it?20:51
rm_workoh whoops i missed the meeting while i grabbed lunch >_<20:53
johnsomDoesn't this get done first to setup the VIP that is passed into this?  https://github.com/openstack/octavia/blob/master/octavia/network/drivers/neutron/allowed_address_pairs.py#L32420:53
rm_workhmmm20:56
rm_workomg taskflow20:58
rm_workkill me now20:58
johnsomSeriously?  It's so easy20:59
rm_workit was just annoying to trace through the amp flow21:00
rm_workfound what i needed21:00
johnsomhttp://docs.openstack.org/developer/octavia/_images/LoadBalancerFlows-get_create_load_balancer_flow.svg21:00
rm_workin get_new_LB_networking_subflow()21:00
rm_workyou are correct, it does AllocateVIP then PlugVIP21:00
rm_workbut21:01
rm_workI still don't quite understand21:01
rm_workbecause it has allocated the vip, but21:01
rm_workeven allocated, it will still run: interface = self._plug_amphora_vip(amphora, subnet.network_id)21:01
rm_workright?21:01
rm_workwhich does new_port = self.neutron_client.create_port(port)21:02
rm_workcreating that port will allocate a totally different IP won't it?21:02
johnsomI will be the first to say this code could use a refactor21:03
*** kobis has joined #openstack-lbaas21:06
johnsomOk, figured this stuff out again.  So, allocate vip gets the vrrp IP, which is added to the port created by _plug_amphora_vip21:06
xgermanI just +1’d somethign which makes sure that we actually end up in the correct subnet21:07
rm_workuhh21:07
johnsom_plug_amphora_vip is just creating that base port on the subnet, it's the allocate and allowed address pairs port that adds the vrrp IP that moves back and forth.21:07
xgermanhttps://review.openstack.org/#/c/416519/21:07
rm_workah i see21:08
rm_workyeah ok21:08
kobisis there any doc describing creation of amphora image, excluding devstack's?21:15
kobise.g if i install from packages or such?21:15
johnsomkobis There is an extensive readme in the diskimage-create directory21:16
johnsomhttps://github.com/openstack/octavia/tree/master/diskimage-create21:16
kobisjohnsom but diskimage-create is not included in the pypi package21:17
johnsomOh, interesting.  That kind of makes sense though.  Hmmm, probably should put a bug in to fix that21:17
kobiscool, will do21:18
kobisbtw ive started to look at writing a native octavia driver for nsx lb21:22
johnsomAh, cool!21:22
kobisso where do i start with this? is there any base class which i should implement?21:23
*** _ducttape_ has joined #openstack-lbaas21:23
kobisi basically need a starting point…21:23
johnsomkobis So I am guessing you are planning to implement a driver like you have in neutron-lbaas right?21:24
johnsomOr is this something you want behind the octavia controller worker?21:24
kobisi need this to be as thin as possible so i'd probably write something which will rpc to our neutron plugin21:26
kobisour LB is integrated into the networking platform…21:26
johnsomkobis Got you.  Take a look at this: https://review.openstack.org/#/c/409398/21:26
*** ducttape_ has quit IRC21:26
kobisso I should build my driver on top of this patch - yeah that makes sense21:27
*** _ducttape_ has quit IRC21:27
rm_workthere was a native a10 driver in testing wasn't there?21:27
johnsomI think we may not have everything in place yet.21:27
rm_workthis is still the nlbaas-shim, that was true-native which is different, i think21:27
johnsomkobis I can't say that patch is "done" or remotely complete.  For one thing it still points to v121:28
johnsomkobis Also, check this out: https://github.com/openstack/octavia/blob/master/octavia/api/v1/handlers/abstract_handler.py21:28
kobisrm_work is there a patch for a10's?21:28
johnsomkobis I think you can implement that handler API and run with it.21:29
johnsomThis is the current Octavia controller worker handler: https://github.com/openstack/octavia/blob/master/octavia/api/v1/handlers/queue/producer.py21:29
kobisyeah this is doable too :)21:29
johnsomkobis A handler would probably be the best "native" solution21:30
kobisI think that a handler wouldn't be a big effort comparing to a nlbaas shim21:31
rm_workI'm trying to find where that was21:31
rm_workI swear dougwig had done something21:31
kobisso i guess that it's the better option21:32
rm_workor maybe they were just testing his with the shim :/21:32
johnsomkobis +1 We don't have the code to switch those handlers on the fly, but you can config it via octavia.conf for now21:33
xgermanhe always told me he was trying to make an A10 amphora…21:33
kobisjohnsom once we have support for multiple providers: will this support multiple handlers?21:34
kobisor multiple shim drivers?21:34
johnsomRight, we will eventually have a way that maps providers/flavors to handlers/shims21:34
johnsomOr you can add that too....  Grin21:34
johnsomRight now we are just loading the handler in the config: https://github.com/openstack/octavia/blob/master/octavia/api/v1/controllers/base.py#L3221:35
kobislets take these one at a time :)21:35
johnsomAs Octavia API doesn't have the concept of providers yet21:35
johnsomYeah, the config setting should get you far enough for your driver implementation21:36
kobisand that's fine - for now. but once we do - will we support multiple handlers? or multiple drivers? or both?21:36
kobisi guess that we will need both...21:37
johnsomThe driver shim is a "handler", so...  It's just there to try to minimize the work of driver porting.21:37
johnsomSafe to say, handlers are not going away and is the path forward21:38
kobisyeah - but if i wanna load a10 via the nlbaas shim, and use radware too via the shim...21:39
kobisso a) i should be able to load it twice21:39
johnsomRight, that would have to work21:39
kobiscool…21:39
kobiswell i'm calling it a day… have a good one21:40
johnsomProbably some ugly legacy mapping logic that we will strive to remove as soon as we can kind of thing.21:40
johnsomLater21:40
rm_workthis is lulzy... so basically, I am changing things so the VIP isn't provided by the user, it's pulled from whatever network the amp happened to boot on <_<21:44
*** gcheresh_ has quit IRC21:51
openstackgerritMerged openstack/neutron-lbaas: Fix for error "no attribute tenant_id"  https://review.openstack.org/40603321:57
*** matt-borland has quit IRC22:02
*** ducttape_ has joined #openstack-lbaas22:06
rm_workjohnsom: so when it runs "self.neutron_client.create_port(port)"22:12
rm_workthe created port is *supposed* to have fixed_ips on it right?22:12
*** kobis has quit IRC22:12
rm_workI wonder if that's up to the neutron configuration?22:13
rm_worki create ports and they don't have fixed_ips :/22:13
redrobotohai octavia friends!22:14
redrobotI saw someone was pinging me during your weekly meeting?22:14
rm_workheya redrobot22:15
redrobotin regards to BBQ?22:15
xgermanof course22:15
* redrobot waves at rm_work 22:15
rm_workyeah I guess we've still got issues with ACLs maybe? diltram has details22:15
xgermandiltram had questions22:15
rm_workredrobot: oh BTW i'm back working on octavia :P22:15
redrobotrm_work woot!!!22:15
redrobotrm_work gainful employment is always a good thing. :D22:15
xgerman+122:15
redrobotrm_work in JP or back in the US?22:15
rm_workthough here we don't have barbican nor do we have short term plans for using SSL-term lol22:15
rm_workback in US :/22:16
redrobotrm_work womp womp ... grats anyway22:16
rm_workyeah22:17
rm_workthanks :P22:17
rm_workit's been pretty dead in the barbican channel, how are things going over there? :/22:17
johnsomrm_work No, the can be allocated ips, they don't have to be fixed.  I think our default is to pass in the subnet_id and let neutron give us an IP22:18
redrobotrm_work I was out almost two weeks for holidays and such.  pretty slow right now though.  hopefully that'll be ramping up here pretty soon.22:19
rm_workhmmm22:20
rm_workjohnsom: so right after `new_port = self.neutron_client.create_port(port)` it does `return self._port_to_vip(new_port, load_balancer)`22:20
rm_workin _port_to_vip it assumes there's fixed_ips22:21
rm_workreturn data_models.Vip(ip_address=fixed_ip.ip_address,22:21
johnsomYeah, those are assigned by neutron if we didn't pass in an IP22:21
rm_workok that's what I mean22:21
rm_work"fixed_ips" should be filled though, not None22:21
johnsomUm, yeah I think so.  Maybe it is that bug German mentioned earlier?22:22
rm_workI don't think so -- i think that just means it gets one on the wrong subnet22:22
rm_workI wonder if behavior has changed since liberty22:25
rm_worki don't think so?22:25
xgermanrm_work youbtried the patch I referenced22:25
xgerman?22:25
rm_workno, this is unrelated22:26
rm_workthough i did LOOK at it22:26
xgermanmaybe we need that fix in more places…22:26
xgermangiven the amunt of ports we create ;-)22:26
rm_workah yeah22:28
rm_workso apparently I need to set admin_state_up=True for it to get any fixed_ips assigned22:28
rm_workjohnsom: any idea what the ramifications of creating it "UP" might be?22:29
xgermanI think we only use it to hold the IP?22:31
xgermanso active would make things being routed to it22:31
rm_workhmm22:37
rm_workso maybe i have to bring it up22:37
rm_workand then take it down22:37
rm_workand maybe it'll keep the IP it gets assigned22:37
rm_workoh22:38
rm_workhuh weird nm22:38
rm_workit's not admin_state22:38
rm_worki see22:39
*** m-greene has joined #openstack-lbaas22:40
*** openstack has joined #openstack-lbaas22:56
*** amotoki has quit IRC23:00
*** amotoki has joined #openstack-lbaas23:02
*** armax has quit IRC23:04
*** armax has joined #openstack-lbaas23:05
*** armax has quit IRC23:06
rm_workwhat does the amphora lb_network_ip come from?23:16
*** ducttape_ has quit IRC23:16
*** ducttape_ has joined #openstack-lbaas23:17
johnsomlb_network is the management network23:18
johnsomA lot has changed since liberty, so...23:18
rm_workyeah it was just a translation issue, i figured it out23:18
rm_workit wasn't admin_state related, that was a false positive23:18
rm_workit LOOKED like fixed_ips was None, because the to_dict() method doesn't do anything with lists... i guess23:19
johnsomAh23:19
rm_workor something. anyway, there was a list with a valid fixed_ip but doing to_dict() just returns None for fixed_ips23:19
rm_workport.to_dict()23:20
rm_workanywho, new problem23:20
*** ducttape_ has quit IRC23:21
*** ducttape_ has joined #openstack-lbaas23:24
*** amotoki has quit IRC23:26
*** gongysh has joined #openstack-lbaas23:28
rm_workcrap, it doesn't wait long enough...23:29
rm_workin the nova driver, when it does `inf_list = nova_response.interface_list()` the interface_list comes back empty23:29
rm_workbut if i pdb and run it again, it has an entry :(23:29
rm_workit just takes a second :/23:29
rm_workthat seems ... odd23:29
*** amotoki has joined #openstack-lbaas23:31
rm_workoh, it runs twice?23:32
rm_workderp k23:33
*** ducttape_ has quit IRC23:35
*** ducttape_ has joined #openstack-lbaas23:35
*** ducttape_ has quit IRC23:40
*** ducttape_ has joined #openstack-lbaas23:40
rm_workinteresting ...23:52
rm_workplugging the VIP port (just the actual neutron plug, nothing yet with the agent) causes the routing *in* to the amp to break :(23:54
johnsomHmm, it could be changing the default route to the new interface.  or the SSH rebind script isn't working.  Can you still SSH?23:57
johnsomIt kind of looks like someone fixed the resolv.conf element for RedHat but didn't fix the ssh rebind element....23:58
johnsomFixed:https://github.com/openstack/octavia/blob/master/elements/no-resolvconf/finalise.d/99-disable-resolv-conf23:59
johnsomNo fixed: https://github.com/openstack/octavia/blob/master/elements/rebind-sshd/finalise.d/98-rebind-sshd-after-dhcp23:59
johnsomMaybe that is is23:59
johnsomis it23:59
« Tuesday, 2017-01-03 Index Thursday, 2017-01-05 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!