Friday, 2017-01-06

openstackgerritMerged openstack/neutron-lbaas: Fix a typo  https://review.openstack.org/39931100:35
rm_workjohnsom: ugh later than i thought01:14
rm_workjohnsom: if you need to run i don't blame you, otherwise i'm here01:14
johnsomYeah, getting close to date night time.  Tomorrow?01:20
rm_workkk01:20
johnsomUgh, net split...  I can see irccloud queuing my posts01:20
openstackgerritMichael Johnson proposed openstack/octavia: Add quota support to Octavia  https://review.openstack.org/36079401:30
johnsomDarn it, didn't get all the tests done I had hoped.  Really good coverage on the quota checks now.  I will have to pick it up in the morning.01:32
openstackgerritJingLiu proposed openstack/neutron-lbaas: Set access_policy for messaging's dispatcher  https://review.openstack.org/41580502:08
openstackgerritJoe Mills proposed openstack/neutron-lbaas: scenario test: Open up port for second listener  https://review.openstack.org/41727704:02
xgermano/14:39
johnsomo/16:10
ankur-gupta-f1johnsom: morning16:11
diltramankur-gupta-f1: back again in the castle?17:02
ankur-gupta-f1diltram: not back till Monday. Don't worry. We will have a 2 hr pow wow to figure everything out and start crushing this API stuff17:03
diltramI'm just thinking ankur-gupta-f1 about rebasing all these patches on top of my pagination/sorting patch17:04
diltrambased on this we can start reviewing all patches and they will work after merging this pagination17:04
johnsomSounds like a decent plan17:04
ankur-gupta-f1We can deal with it next week, don't want to add additional dependencies. currently they are still all dependent on the yet to be merged base classes17:04
ankur-gupta-f1specifically they are all dependent (or should be) on the Test Base class for V2 API patch.17:05
diltramI know but even they should all depend on previous because right now we will lose all reviews because there will be huge merge conflict17:05
diltrambut if I will make this test base class dependent on pagination17:06
diltramI will have the whole beautiful chain of patches17:06
diltramwhich will be mergeable17:06
ankur-gupta-f1okay that makes sense.17:08
ankur-gupta-f1johnsom: could use your eyes on https://review.openstack.org/#/c/405599/ and https://review.openstack.org/#/c/405621/17:09
johnsomok17:10
ankur-gupta-f1thanks17:10
openstackgerritLubosz Kosnik (diltram) proposed openstack/octavia: Implement sorting and pagination for octavia  https://review.openstack.org/38214717:15
diltramOctavia will be the first project with working py3x dsvm test :P17:32
diltramdims implemented that stuff in keystone but in a non-working way :p17:32
johnsomHa17:36
johnsomAssuming we can get the gates merged...17:38
openstackgerritMichael Johnson proposed openstack/octavia: Updated from global requirements  https://review.openstack.org/41722917:44
openstackgerritMichael Johnson proposed openstack/octavia: Remove an erroneous MarkHealthMonitorActiveInDB task  https://review.openstack.org/40940317:44
diltramit's gonna work :)17:58
diltramjlvillal - who is an OSIC member - works on enabling it everywhere17:58
diltramwe just need to align names :)17:59
diltramhe by mistake in commit msg specified a different name than the one used in code17:59
diltramok reboot, my display is not working L/18:00
diltram:/18:00
openstackgerritMichael Johnson proposed openstack/octavia: Add quota support to Octavia  https://review.openstack.org/36079418:56
rm_workjohnsom: can you check my logic on https://review.openstack.org/#/c/416519/3/octavia/network/drivers/neutron/allowed_address_pairs.py@95 ?21:28
johnsomSure, looking21:28
openstackgerritMerged openstack/octavia: Updated from global requirements  https://review.openstack.org/41722921:30
openstackgerritMerged openstack/octavia: Introduce API Decorators  https://review.openstack.org/40562121:30
johnsomrm_work You are correct, there is no real point to that iteration over the subnets.  We should just put the subnet_id in the "fixed_ips" field (which is a strange overload IMHO) and call it a day.21:32
rm_workkk21:32
rm_workI'm never sure with the ports stuff because I'm not sure i fully understand what happens under the hood there21:33
rm_workoh, as for what we were discussing earlier (your concerns about using FLIPs), the way they're implemented here the swing time is in milliseconds21:34
rm_workso it shouldn't be a problem to use FLIPs instead of the AAP ports21:35
johnsomInteresting21:35
rm_workit's not GARP based, it's static routes21:35
johnsomUpstream it's like 30+ seconds21:35
rm_workyeah21:35
rm_worknot here :)21:36
johnsomHmm21:36
rm_workalso looking at options for configuration of amps besides rest_api21:36
rm_workthere's some stuff that would be kinda "out of band" that could work21:36
rm_workgetting more details still21:37
rm_workthat'd simplify the image a ton, no need for a mgmt interface, no need for netns, no need for agent21:37
rm_workmy main concerns are security, consistency of updates, and speed of updates21:38
johnsomYou are creeping me out with "no agent, no netns"21:39
rm_workheh21:39
rm_workwell, i'm not yet convinced myself, but the concept of getting rid of that stuff is alluring21:39
johnsomHa21:39
johnsomAdded my comment and -1'd that patch21:40
rm_workpeople here want to poll a config management system like Consul.io so I'm in the research phase21:40
johnsomAh, yeah, we considered that at a "place" I used to work21:40
johnsomThat exact package too21:41
xgermanbut then the designate people counseled against it21:41
rm_worklol21:41
rm_workhmm21:41
rm_workthen maybe I can get a jumpstart21:41
johnsomWell, it brought up other issues21:41
rm_workI'm concerned about the security model primarily21:42
rm_worksupposedly the amps could register as nodes in it as well for health monitoring?21:42
xgermanthat sounds more like etcd21:42
rm_workwhich is interesting? but makes me concerned about scale21:42
johnsomBingo21:43
rm_workheh yeah was looking at that too21:43
xgermanto be fair those things are fairly scalable and k8 is using etcd for its work21:43
xgermanso I would assume it works21:43
rm_workso you've already basically gone down both of these routes and decided they weren't feasible21:43
xgermanwe have been counseled against consul from the DNS people21:44
xgermanI think etcd was never considered21:44
xgermanbut those things behave beastly in netsplits and failures21:44
xgermansecurity might be ok - I think they have RBAC21:45
johnsomYeah, it was a few years ago.  I looked at etcd too.  SOP issues, netsplits, preference to decentralized solutions, secure communication paths, trusted to untrusted, etc.  All thoughts that went into it21:45
rm_workthe other thing I had always kinda considered was using a configuration "drive"21:45
rm_workhttps://blueprints.launchpad.net/cinder/+spec/multi-attach-volume21:45
rm_worksupposedly this has been implemented for a while?21:45
xgermanwe have a config drive in Octavia to distribute certs and configuration21:46
rm_workso you could have the controller attach and write configs to tiny cinder volumes21:46
rm_workwhich are mounted read-only on the amps21:46
rm_work(on multiple amps!)21:46
johnsomYeah, we do already have config drive there, but it is limited in its scope of use.21:46
rm_worksorry i didn't mean real config-drive21:46
rm_workthat's why i tried to put it in quotes and such21:46
johnsomCurrently it is one drive to one amp21:46
xgermanmmh, so you like to change config while the amp is running but not use the REST interface because you like them all to discover it themselves21:47
rm_workI mean, if it's running with a shared volume21:47
rm_workit can literally be running with the haproxy configs on that volume21:47
rm_workand soft-restart on i-notify changes21:47
johnsomWhat locking fun you will have.....   Going to run OCFS2?  hahahahaha21:47
rm_workcompletely out-of-band config21:47
rm_workwell, if it's read-only on amps21:47
rm_workit shouldn't have serious issues21:48
xgermanwell, I like the etcd type things better for that - then you can have some sort of feedback who actually applied there change21:48
johnsomAnyhow, ummm, if you feel the need....21:48
xgermanyeah, mostly I can see people putting things on it so they can update without rolling amps21:49
rm_workhmm21:49
xgermanwell, I guess you like that as a replacement for our REST/Healthmonitoring setup21:49
rm_workwell, i'm interested in any of the negatives you found about Consul, so i can argue those points and see if there's any good solution21:49
rm_workreally it's a networking thing21:49
rm_worki'd like to not have to plug two interfaces21:50
rm_workit would simplify things insanely lots21:50
xgermanconsul would be running on mgmt net or would you run it on the Interwebs?21:50
rm_workand if we didn't need an agent, that'd simplify things quite a lot again21:50
rm_worksimple is good21:50
rm_workerg21:50
rm_worksoooooo21:50
rm_workthere isn't really ... a difference here21:50
xgermanwe had ssh maybe you want to return to that :-)21:50
rm_workwhich is why i'm kinda disliking it right now21:51
johnsomI really don't see how you won't have an agent with native haproxy21:51
xgermanyep, you will need something to push health21:51
rm_workerr, well21:51
rm_worki guess it'll need just the health part21:52
rm_workbut not the rest-api part21:52
rm_workno binding on a port21:52
rm_workand the health part is tiny21:52
johnsomWe did push model to make security a priority, but you could always do a pull agent21:52
xgermanwell, in the case of etcd they usually use TCP so health would be more heavy21:52
rm_workyeah, it's essentially still an agent, just pulling from Consul21:52
rm_workI guess what I mean is, it's not a huge block of agent code in our codebase21:53
johnsomYou might also talk with arimth, he is facing a bunch of issues with an "agentless" trove21:53
rm_workand it doesn't bind to a port21:53
xgermanwell, I have seen Kubernetes using etcd so i think it might work21:53
rm_workdo you remember any of the specific negatives of Consul?21:53
johnsomI gave you a list a few lines back.  What I remember off my head21:54
rm_workI mean, security-model-wise, to be truly secure it'd still need all of the same multi-net/netns stuff21:54
xgermanbesides doing unspeakable things to DNS… I assume it comes with the (un)reliability of DNS and its updates21:54
rm_workah "SOP issues, netsplits, preference to decentralized solutions, secure communication paths, trusted to untrusted, etc"21:55
rm_workgot it21:55
rm_workyeah, i'm more interested in true out-of-band21:55
xgermanyeah, netsplits and failures are a bitch with those systems. etcd goes in read-only BTW21:55
johnsomWell, we have a security model where actions always flow from a more trusted environment to the less trusted.21:55
rm_worklike what I mentioned with using multi-attach volumes21:55
johnsomarimth is fighting with one trove vm sending fake messages up on behalf of another trove vm.  He's getting into a bunch of strange signing things.21:56
xgermantrove? they are still a thing?21:57
johnsomOur model is so much cleaner21:57
xgermanyeah, we are pretty fail safe21:58
xgermanas long as you can keep the mysql chugging everything can fail and you come back21:58
rm_workstill not sure i see issues with a config volume approach :P21:59
johnsomYeah, that is "better", but you still have locking stuff to deal with.22:00
rm_workwhy?22:00
rm_worki mean22:00
johnsomWell, and does your cinder scale to that22:01
xgermansay you have two controllers22:01
rm_workright but only one controller can act on a LB config at once22:01
rm_workright?22:01
rm_workwe ALREADY lock there22:01
johnsomplus you have controllers writing and amps reading/writing22:01
rm_workwait, amps write?22:01
xgermanhealth messages?22:01
rm_workoh22:01
johnsom+122:01
rm_worki'm still imagining that being via UDP22:02
rm_worki guess that means for security we still need two interfaces... hmm22:02
xgermanok, so instead of the rest calls you would push a haproxy config to the drive and some “software” will see the change and do something meaningful22:02
rm_workthough in my case it doesn't matter22:02
rm_workyeah, i mean, can set up the image to auto-soft-restart haproxy on i-notify events22:03
rm_workassuming those work on cinder volumes22:03
johnsomI come back to, is this necessary.  In clouds virtual networks are basically free and readily available.22:03
xgermanaha, so you would stop having one haproxy process for listener22:03
rm_worklulz22:03
rm_workjohnsom: unfortunately there are no custom networks here22:04
rm_workso i'm in an interesting position :P22:04
rm_workthere is exactly one subnet you can bind to22:04
rm_workperiod22:04
rm_workend of cloudstory :P22:04
johnsomSo create your own tunnel22:04
rm_worklol22:04
* xgerman is glad they hired rm_work instead of me22:04
johnsomHahaha, you can IPSec your mgmt lan22:04
rm_workthat's just... lol22:05
rm_worki mean22:05
xgermanssh tunnel?22:05
rm_workactually that'd save me from having to plug two interfaces22:05
johnsomSolves your problem22:05
rm_workit's ... funny, but i'm not immediately seeing how it's a bad idea22:05
rm_worklol22:05
johnsomIt doesn't use up ports22:05
rm_workhmmmmmmmmmmmmmmmmmm22:06
johnsomIf you guys do it, I get my DNS fees waived.....22:06
johnsomGrin22:06
rm_worklol22:06
rm_workcan't use netns with that though right? because if you moved the original interface into a netns and tried to leave the tun interface outside it ... WOULD that work? or would it break22:07
xgermanyou can map whatever you want to netns22:07
xgermanbut tun would be  mgmt so outside ns?22:07
johnsomYou can make it work, there are ways to "share"22:08
johnsomIt gets a bit mind twisty, but can be done22:08
xgermanI have seen people running their vpn agent in a container so…22:09
johnsomYeah, exactly22:09
rm_workhmm22:10
rm_worki think that might actually be ... the way to go22:10
rm_workthough billing for bandwidth gets a bit tricky :P22:10
rm_worki guess you can estimate standard traffic caused by HM noise and just map-remove it from everything22:11
rm_workbut it's imprecise22:11
xgermancan’t you use iptables in the ns?22:11
johnsomYou could measure it with iptables rules22:11
xgerman+122:11
rm_workunless you're billing from haproxy stats i guess :P22:11
johnsomYeah, what he said22:11
rm_workmagic22:12
diltramrm_work: I didn't see your vote for this code https://review.openstack.org/#/c/399117/23:03
diltramso I'm pinging you :)23:03
rm_workah23:03
diltramit's not complete work, requires additional patches but they will be added later23:04
diltramafter merging API :)23:04
rm_workI am weak on policy stuff23:04
diltrambut it's not really policy23:04
diltramit's just some code which enables policy23:04
diltramthere are just maybe 3 or 4 rules23:05
diltrambecause it's a ground for moving policy rules from nlbaas into octavia23:05
rm_workBTW What are the copyright rules now? I can never keep track... are you supposed to put some company copyright at the top or is it all implied now? >_<23:06
rm_workalso BTW, was this copy/pasted from somewhere?23:06
johnsomSame, yeah, if you create a file it should have a copyright23:06
diltramyes, this code is moved from nova23:07
rm_workkeep the original copyright from that code then, since you're just doing mods?23:08
rm_worklike, names?23:08
rm_workif i can see this is exactly what nova used, it's prolly an easy +223:08
johnsomYeah, it should keep the original.  You can add a line for yourself if you modify23:08
openstackgerritMichael Johnson proposed openstack/octavia: Add quota support to Octavia  https://review.openstack.org/36079423:09
diltramit's taken as is from nova23:15
rm_workalright23:15
rm_workthen I'm sold :P23:15
diltramif there is no copyrights there was no copyrights23:15
diltram:P23:15
diltrammy code is just octavia/common/context and some changes in octavia/common/policy - because nova is using global var I'm using a class23:16
rm_workok so23:21
rm_workwe already have the PKI in place for IPSEC via cert...23:22
rm_workwe re-use the existing ca / client certs that are already on the amps23:22
rm_workthe boot interface *is* the vip, we create the IPSEC tunnel and move the vip into the netns23:23
rm_workbam23:23
diltramrm_work: what you're trying to build?23:23
diltram:P23:23
rm_workit really doesn't seem like a horrible idea at first glance, i'm still trying to figure out why it's not23:23
rm_worktrying to figure out a security model for management net without the ability to create neutron networks23:24
johnsomYeah, I don't think it is a bad solution actually.23:25
johnsomIt doesn't solve your act/stndby issue but is a start23:25
rm_worki'm playing around with strongswan23:25
rm_worki've never actually done ipsec before but it doesn't look TOO bad, just really horrible docs/guides23:25
johnsomI can help you with it.  I ran ~6,000 ipsec tunnels to retail stores all over the world.23:27
rm_worklol23:27
johnsomThough, now, with ikev2 your job is a lot easier23:27
rm_workyeah it seems that way23:27
rm_workthe old way seems ... ugh23:27
johnsomAlso, compare strongswan and openswan.  One is kind of dying, but I always get them confused.23:27
rm_workbut yeah, if we wanted this to be an option, i'm willing to put in some effort on it23:27
rm_worksupposedly strongswan is the living one i think?23:28
rm_workbut will doublecheck23:28
rm_worki wonder if we run into issues with having strongswan as a binary dep? though maybe it doesn't matter if it's not the default/reference23:29
johnsomYeah, it looks like strongswan is what ubuntu bundles, so probably the best bet23:29
johnsomIt's in our image, so just add an element if there isn't one already.   vpnaas (now dead) uses one of them, so there might be an element already23:30
rm_workheh23:30
johnsompretty easy to add an element either way23:31
rm_workyep23:33
rm_workjust trying to figure out how to configure the client side in a way that's less server-server network bridge, and more client-server23:35
rm_workall the guides seem to assume you want to bridge the networks of two routers <_<23:35
openstackgerritMichael Johnson proposed openstack/octavia: Add support for policy.json  https://review.openstack.org/39911723:37
rm_workdid that need a rebase?23:40
johnsomYeah, I couldn't check the test coverage23:40
rm_workah23:42
openstackgerritMerged openstack/octavia: Introduct Test Base classes for V2 API  https://review.openstack.org/40559923:58
