Thursday, 2018-07-26

*** rcernin has joined #openstack-lbaas00:03
rm_workI ... can't believe we're going to have UDP load balancing00:14
rm_workwhere's dougwig and sbalukoff_, we all need to go out for drinks00:14
openstackgerritMerged openstack/python-octaviaclient master: LB support UDP - Client part
bzhao__johnsom: Thanks, Micheal. Let me fight for UDP LB then till 8.100:26
johnsombzhao__ We are going to fight to get it in00:29
bzhao__johnsom:  Thanks, :).  I might need to do the features in parallel for port_forwarding in neutron side. But don't worry, I had prepared the enough tea. :)00:31
*** yamamoto has quit IRC00:39
*** longkb has joined #openstack-lbaas00:40
*** JudeC_ has quit IRC00:42
*** JudeC__ has joined #openstack-lbaas00:42
*** JudeC__ has quit IRC01:02
*** yamamoto has joined #openstack-lbaas01:03
*** annp has quit IRC01:13
*** annp has joined #openstack-lbaas01:14
*** hongbin has joined #openstack-lbaas01:16
*** yamamoto has quit IRC01:22
*** yamamoto has joined #openstack-lbaas01:50
openstackgerritZhaoBo proposed openstack/octavia master: UDP jinja template
openstackgerritMerged openstack/octavia master: Add baseline object in the drivers update callbacks
*** yamamoto has quit IRC02:26
*** sapd has joined #openstack-lbaas02:28
bzhao__johnsom:  Hi, maybe I will change the task of the UDP story for fit the post patch, may I do that? :)  I'm afraid that our team and you won't like change the task personally.02:33
johnsombzhao__ I'm sorry, I do not understand the question02:34
openstackgerritMerged openstack/octavia-tempest-plugin master: Re-enable KVM
bzhao__johnsom:  That is, the udp storyboard,!/story/1657091    . I add some taskes for match the real patch do. Is that OK?02:36
johnsomYes, it is ok to add more tasks.  We don't need to have all of the tasks complete to merge either. Just the main feature part.  For example, we still have a few weeks to do the API reference task and we can add UDP session persistence to the client later.02:38
*** yamamoto has joined #openstack-lbaas02:39
bzhao__johnsom:  OK, thanks, Michael. It's clear.  ;-)02:39
*** openstack has joined #openstack-lbaas02:51
*** ChanServ sets mode: +o openstack02:51
*** hongbin has quit IRC02:56
*** yamamoto has quit IRC03:07
*** yamamoto has joined #openstack-lbaas03:13
*** ramishra has joined #openstack-lbaas03:15
*** phuoc has quit IRC03:41
*** sanfern has joined #openstack-lbaas03:58
openstackgerritMichael Johnson proposed openstack/octavia master: Automatically set Barbican ACLs
*** eanderson_ has joined #openstack-lbaas04:03
johnsom^^^ Fixed two issues there and now it runs fine for me.04:05
*** phuoc has joined #openstack-lbaas04:12
*** yamamoto has quit IRC04:13
*** eanderson_ has quit IRC04:16
*** yamamoto has joined #openstack-lbaas04:38
*** JudeC_ has joined #openstack-lbaas04:47
openstackgerritMichael Johnson proposed openstack/octavia master: Correct naming for quota resources
*** nmanos has joined #openstack-lbaas04:58
*** yamamoto has quit IRC05:13
*** yamamoto has joined #openstack-lbaas05:15
*** nmanos has quit IRC05:24
*** sanfern has quit IRC05:24
*** nmanos has joined #openstack-lbaas05:24
openstackgerritMichael Johnson proposed openstack/neutron-lbaas master: Fix neutron-lbaas tempest for filter validation
johnsom^^^ gate fix05:30
*** yamamoto has quit IRC05:31
*** yamamoto has joined #openstack-lbaas05:36
*** AlexStaf has joined #openstack-lbaas05:37
*** JudeC_ has quit IRC05:42
*** links has joined #openstack-lbaas05:48
*** yamamoto has quit IRC06:01
*** yamamoto has joined #openstack-lbaas06:03
openstackgerritAdit Sarfaty proposed openstack/octavia master: Add listener_id to the pool provider object
*** yamamoto has quit IRC06:19
*** sanfern has joined #openstack-lbaas06:45
*** velizarx has joined #openstack-lbaas06:58
openstackgerritZhaoBo proposed openstack/octavia master: UDP for [2]
openstackgerritZhaoBo proposed openstack/octavia master: UDP for [3][5][6]
*** ispp has joined #openstack-lbaas07:06
*** yboaron has joined #openstack-lbaas07:13
openstackgerritMerged openstack/neutron-lbaas master: Neutron-LBaaS to Octavia migration tool
*** pcaruana has joined #openstack-lbaas07:25
*** kobis has joined #openstack-lbaas07:30
*** AlexeyAbashkin has joined #openstack-lbaas07:33
*** kberger has joined #openstack-lbaas07:35
*** KeithMnemonic has quit IRC07:38
*** ispp has quit IRC07:40
*** velizarx has quit IRC08:03
*** ispp has joined #openstack-lbaas08:05
openstackgerritMerged openstack/octavia master: Correct naming for quota resources
*** velizarx has joined #openstack-lbaas08:11
*** JudeC_ has joined #openstack-lbaas08:11
*** yamamoto has joined #openstack-lbaas08:15
*** yamamoto has quit IRC08:18
*** devfaz has quit IRC08:34
*** devfaz has joined #openstack-lbaas08:34
*** tesseract has joined #openstack-lbaas08:42
KrastHi, i got this SSL Error : 'PEM routines', 'PEM_read_bio', 'no start line' when octavia create LB on flow called : "octavia-create-loadbalancer-flow"08:48
KrastWith openssl verify command my certificate look good08:48
*** JudeC_ has quit IRC08:50
*** ispp has quit IRC09:10
*** salmankhan has joined #openstack-lbaas09:12
*** yboaron has quit IRC09:13
KrastIf someone knows a way to help me :)09:35
openstackgerritMerged openstack/octavia master: Add listener_id to the pool provider object
*** kobis has quit IRC10:09
*** kobis has joined #openstack-lbaas10:18
*** ispp has joined #openstack-lbaas10:24
*** sanfern has quit IRC10:25
*** yamamoto has joined #openstack-lbaas10:32
*** yamamoto has quit IRC10:45
*** rcernin has quit IRC11:04
*** longkb has quit IRC11:26
*** phuoc_ has joined #openstack-lbaas11:27
*** phuoc has quit IRC11:30
*** yboaron has joined #openstack-lbaas11:34
*** ispp has quit IRC11:48
*** ispp has joined #openstack-lbaas11:48
*** amuller has joined #openstack-lbaas11:56
*** sanfern has joined #openstack-lbaas12:31
*** yamamoto has joined #openstack-lbaas12:34
*** openstackgerrit has quit IRC12:36
*** yamamoto has quit IRC12:38
*** yamamoto has joined #openstack-lbaas12:39
*** links has quit IRC12:46
*** velizarx has quit IRC13:02
*** velizarx has joined #openstack-lbaas13:04
*** AlexStaf has quit IRC13:20
*** ispp has quit IRC13:21
*** yamamoto has quit IRC13:22
johnsomKrast: make sure the certificate you are loading is in PEM format and has the normal certificate start lime ‘—-13:23
*** ispp has joined #openstack-lbaas13:35
*** sanfern has quit IRC13:37
*** yamamoto has joined #openstack-lbaas13:45
*** velizarx has quit IRC13:47
*** velizarx has joined #openstack-lbaas13:49
*** hongbin has joined #openstack-lbaas13:52
*** fnaval has joined #openstack-lbaas13:53
*** AlexStaf has joined #openstack-lbaas13:56
*** ispp has quit IRC13:58
*** ispp has joined #openstack-lbaas13:58
Krast@johnsom : Thanks for your answer, my certificate are generated by "" (it's a dev environment).13:58
cgoncalvesjohnsom, thank you much for testing and fixing the barbican acl patch!13:59
johnsomKrast If you look in the file it should say "-----BEGIN CERTIFICATE-----" Maybe the configuration file is pointing to the wrong place?14:00
johnsomKrast We use that script for you test gates daily, so I know it is working14:00
johnsomcgoncalves No problem, now we just need to get it merged14:01
KrastYes my certificate start with this "-----BEGIN CERTIFICATE-----"14:01
KrastI will review my configuration :)14:02
cgoncalvesjohnsom, want another pair of core review eyes? otherwise you could approve it ;)14:04
*** kobis1 has joined #openstack-lbaas14:04
*** kobis1 has quit IRC14:06
*** kobis has quit IRC14:07
johnsomI fixed my typo.  Hopefully we can get some core reviews this morning and get this stuff in.14:09
nmagneziLooking at it now14:20
*** yamamoto has quit IRC14:43
*** yamamoto has joined #openstack-lbaas14:45
johnsomThanks Nir14:46
nmagneziWith pleasure14:46
*** hongbin has quit IRC14:46
*** yamamoto has quit IRC14:49
cgoncalvesjohnsom, you mentioned issues with DVR-enabled clouds the other day. could you please refresh my mind?14:50
johnsomYeah, DVR has had a number of bugs that "do bad things'14:50
johnsomThey use a static ARP table that gets them in trouble14:50
sapdjohnsom: I'm still using L2 network instead of L3 :D14:51
johnsomBefore pike, you could not use neutron Allowed-Address-Pairs ports and floating IPs. It would just not bind the FLIP and traffic would not flow.14:51
cgoncalveswe're seeing same/similar issue with ODL14:52
johnsomI heard that recently there is a new bug in DVR that leads to issues with flows in and out14:52
cgoncalvesjohnsom, the issue we're facing with ODL and DVR is when trying to reach LB via FIP14:52
johnsomSwami mentioned it to me at the Vancouver summit14:52
johnsomYeah, probably this new bug in DVR14:52
johnsomLet me see if I can dig through all the dvr bugs and pull out a bug ID.14:53
johnsomHmm, too many candidates14:54
johnsomCould be this one:
openstackLaunchpad bug 1774459 in neutron "Update permanent ARP entries for allowed_address_pair IPs in DVR Routers" [High,Confirmed]14:55
johnsomCould be
openstackLaunchpad bug 1717302 in neutron "Tempest floatingip scenario tests failing on DVR Multinode setup with HA" [High,Confirmed] - Assigned to Miguel Lavalle (minsel)14:56
johnsomcgoncalves Yeah, probably about 12 of these DVR bugs could be impacting us14:57
cgoncalvesbummer :/15:04
cgoncalveshmmm I believe I've seen recently some internal CI FIP+DVR tests failing too15:05
yboaronHi folks, Does Octavia support L7policy/l7rule  for the HTTPS case, by HTTPS I mean for example to L7 load balancing based on TLS-SNI ?15:17
yboaron as far as I understand the answer is No.15:17
johnsomWe do support L7 with the TLS-TERMINATED listener type.  L7 based on SNI, not sure, give me a minute to refresh my memory.15:18
yboaronjohnsom, 10x!15:21
johnsomyboaron I think we only look at the "host" feild in the quest, not the matched certificate or CN in the SNI list.15:21
yboaronjohnsom, for the TLS-terminated, the L7policy/l7rules should be defined as in the plain HTTP case, right? the difference should be in the listener definition15:22
johnsomSo it is this use case: behind an TLS-TERMINATED listener.15:22
johnsomyboaron Correct, we define the TLS termination information on the listener, this includes SNI certificates. The listener will handle the decryption and then apply the L7 policies/rules.15:23
yboaronjohnsom, cool!, do you plan to support L7 LB for the passthrough (TLS SNI) case?15:25
johnsomWell, if we are not decrypting the flow there is every limited information we could use for L7 rules.15:27
johnsomWhat would you like to use for a rule in that case?15:27
yboaronjohnsom, actually this is the use case:
*** velizarx has quit IRC15:29
johnsomyboaron Oh, just straight pass through. We support that, set listener type to "HTTPS".15:31
yboaronjohnsom, it isn't just pass through, we should take L7 LB decision based on the host name in TLS hello packet15:33
johnsomyboaron Just a second let me test it. My memory is too fuzzy on the TLS handshake to say whether we support that today or not.  One minute15:34
yboaronjohnsom, I'm not familiar with ha-proxy at all, but this the code used in Openshift-router (based on ha-proxy) to for this requirement,
yboaronjohnsom, take your time ..15:35
*** ispp has quit IRC15:36
johnsomyboaron Yeah, I know it is *possible* with our engine, I'm just not sure if we have implemented it yet.15:37
*** pcaruana has quit IRC15:38
johnsomyboaron Ok, yeah, we don't have support for that level of L7 for TLS passthrough today. You are welcome to open a story for us to add it though: https://storyboard.openstack.org15:38
yboaronI"ll open, thanks a lot johnsom!15:40
johnsomSure, no problem15:40
johnsomyboaron Patches are always welcome too!15:40
yboaronjohnsom, :-)15:41
*** JudeC_ has joined #openstack-lbaas15:42
*** hongbin has joined #openstack-lbaas15:49
*** yamamoto has joined #openstack-lbaas15:55
*** AlexStaf has quit IRC15:58
*** yamamoto has quit IRC16:01
*** AlexeyAbashkin has quit IRC16:10
johnsomCores: still looking for reviews on the two provider driver patches: and
*** openstackgerrit has joined #openstack-lbaas16:16
openstackgerritMichael Johnson proposed openstack/octavia master: Separate the thread pool for health and stats update.
*** tesseract has quit IRC16:39
*** JudeC_ has quit IRC16:44
*** yboaron has quit IRC16:54
*** salmankhan has quit IRC17:15
rm_workanyone else getting bot spammed today in PMs? >_<17:17
*** JudeC_ has joined #openstack-lbaas17:25
*** JudeC__ has joined #openstack-lbaas17:26
*** JudeC_ has quit IRC17:26
johnsomI know some other channels got hit yesterday with "freenode" spam, but I haven't got an PMs17:29
rm_workit's like, constant17:45
rm_worki get a PM about once every 5 minutes17:45
xgerman_no PMs for me but only cazy stuff in channels17:53
xgerman_rm_work: wonder if you have seen the failover hanging because the vrrp port doesn’t deallocate17:54
*** phuoc_ has quit IRC18:02
rm_workdoubt it :P18:04
openstackgerritMerged openstack/octavia master: Automatically set Barbican ACLs
johnsomJust two more patches needing merged for the MS3 release: and
johnsomCores please take a glance18:38
*** atoth has quit IRC18:57
*** ianychoi_ has joined #openstack-lbaas19:15
*** pcaruana has joined #openstack-lbaas19:17
*** ianychoi has quit IRC19:18
openstackgerritZhaoBo proposed openstack/octavia master: UDP for [2]
*** pcaruana has quit IRC19:45
*** amuller has quit IRC19:54
*** yamamoto has joined #openstack-lbaas19:59
*** yamamoto has quit IRC20:03
johnsomStill looking for MS3 reviews20:58
openstackgerritGerman Eichberger proposed openstack/octavia master: [WIP] Allows failover if port is not deallocated by nova
*** AlexStaf has joined #openstack-lbaas21:25
*** rcernin has joined #openstack-lbaas22:19
*** bcafarel has quit IRC22:22
*** fnaval has quit IRC22:27
*** bcafarel has joined #openstack-lbaas22:50
*** hongbin has quit IRC23:00
rm_workwhich ones?23:15
openstackgerritMerged openstack/octavia master: Updates the amphora driver for new commit model
openstackgerritMerged openstack/octavia master: Implement provider drivers - Driver Library

Generated by 2.15.3 by Marius Gedminas - find it at!