Saturday, 2018-08-04

rm_workjohnsom: yeah, doing your test00:01
rm_workit works fine00:01
rm_workopenstack secret get --os-interface public00:01
rm_work^^ works fine00:01
rm_workopenstack secret get --debug --os-interface internal00:01
rm_work^^ breaks with a 40400:02
rm_workbecause i changed the internal endpoint to be invalid00:02
johnsomRight, and changed your code to default to False right?00:02
rm_workso I'm back to "they didn't install it right" or something00:02
rm_workare you sure you had them patch our code to pass federated=False?00:02
johnsomIn those two places right?00:03
rm_workreally in just one place00:03
johnsomYeah, I watched them do it00:03
rm_workbut yes00:03
johnsomOh, we changed it in two places00:03
rm_worklet me finish the test by actually using octavia00:03
rm_workyeah two is fine00:03
rm_workone is really all that's needed tho00:03
johnsomOk, yeah, we only did octavia with the endpoint_type=internal in the [certificates] section00:03
rm_worksince it really picks up the default in the get() function and passes a value to the next one00:03
rm_workand you updated the barbican patch to default to False?00:04
rm_workor you edited the octavia code to pass False explicitly?00:04
johnsomNo, hacked the bbq client to False, two lines, then added endpoint_type=internal, restarted octavia-*00:04
rm_workyeah k00:05
rm_workthat should be good00:05
johnsomCreated a listener, API log still bombed with the public endpoint URL00:05
rm_workdid they install python-barbicanclient with -e ?00:05
rm_workand in the right env?00:05
johnsom-e no, isolated though and in the octavia venv00:06
johnsompip uninstall bbq-client, pip install --isolated .00:06
rm_worki don't know what --isolated does00:06
johnsomisolated to turn off the funky repo stuff they are doing there00:06
johnsompip list gave the -dev version00:07
johnsomno package outside the venv00:07
johnsomI tried to check some of this stuff00:07
rm_workok well... it works00:07
rm_workso something is wonky00:07
johnsomSo you expected 404 but got 200?00:08
rm_workno, i expected 404 and got it00:08
rm_worksince with internal-url set to "broken", it should break00:08
rm_workand it does00:08
johnsomWhat the heck....00:09
johnsomAnd you stored using public?00:09
rm_workand passed the public URL00:09
johnsomWe didn't re-store a secret, we tried to use one that was in there.00:10
johnsomis that where we went wrong?00:10
rm_worki also didn't re-store00:10
rm_workand it won't matter00:10
rm_workthe way this works, it literally just scrapes the UUID and uses whatever endpoint type is specified via keystone session00:11
rm_work`Secret ref calculated to be: secrets/381d8b3f-e9e0-4f6c-ae82-f26053c8ab16`00:11
rm_workthat is the log line i added00:11
rm_workjust prints "secret_ref" after the if/else00:11
rm_workwhich indicates that it did reset it to a relative URL00:11
rm_workwhich means whatever else happens, is up to keystone00:12
rm_workyou can see the endpoints there00:12
rm_workand that it uses the expected one00:12
johnsomHmm looking at the log, this is interesting. it is saying "barbican_legacy"00:13
johnsomThis is an old log, before the patch.00:13
johnsomShould it be using barbican and not barbican_legacy?00:14
rm_work.... which one?00:14
rm_workah yeah00:14
rm_worklegacy means Container based00:14
rm_worknot PKCS1200:14
johnsomDo we have the wrong commands then? I know he create the pksc1200:14
rm_workthat is totally not pkcs1200:15
rm_workwait, give me a sec00:15
johnsomThat is all he had for a file, so I'm wondering if we have some bad instructions or something00:15
rm_workoh no, i see what it is00:16
rm_workthe way we do the cert stuff....00:16
rm_workwe try to load the ref as a container first00:16
rm_workif that is not found, then we go to the other method00:16
rm_workbut it is getting an SSL error00:17
rm_workwhich is not what we catch00:17
rm_workso yeah i need to fix the Container pieces00:17
johnsomAh, the final part drops into place00:17
rm_workone sec00:17
johnsomYeah, the public URL blows up due to the TLS differences...00:18
johnsomHmm, our code looks ok, but I wonder if the endpoint_type isn't going in on the pkcs12 path00:20
rm_workit will00:21
rm_worki need to update my patch00:21
rm_workit goes through the container route *first*00:21
rm_workthen does a fallback to secrets00:21
rm_workso i need to do the non-fed thing for containers too00:21
rm_workbut my Pycharm is not responding, give e  sec00:22
rm_work*me a sec00:22
rm_workmy whole mac is going wonky lol00:22
johnsomBut how did he store the pkcs12 in a container?  How did it go the wrong way?00:22
rm_workhe didn'00:22
rm_workit's in a secret00:22
rm_workbut the octavia cert code tries the legacy path first00:22
rm_workwe just do this:00:23
rm_work1) Try to get the cert ref as a container00:23
rm_work2) Did it work? Cool, DONE00:23
johnsomHmm, ok, this confuses me then:
rm_work3) It didn't work! It must be PKCS12, try as a secret00:23
rm_work4) Did it work? Cool, DONE00:23
rm_workyeah that's the non-legacy00:24
rm_workit goes as a secret00:24
rm_workthe legacy is first in the chain tho00:24
rm_workoh wait, it isn't?00:25
rm_workhold on00:25
rm_workyou're right, it isn't00:25
rm_worklegacy is the second in chain00:25
rm_workso the log you sent me is too late00:26
rm_worki need the logs BEFORE that00:26
johnsombbbbzhao_ Hi02:03
johnsomI didn't get to test/work on the flow order change. Still need to do that02:04
johnsomThough I worked on fixing the missing systemd script for udp only listener.02:04
johnsomI also started work cleaning up the tests.02:04
johnsomWhen we run the api test framework, those are functional tests.  I moved those for the keepalivedlvs tests.02:05
johnsomI am in the middle of finishing up the unit tests, but need to stop for the night.02:05
johnsomI will post my patch update soon02:05
openstackgerritMichael Johnson proposed openstack/octavia master: Followup patch for UDP support
*** yamamoto has joined #openstack-lbaas03:16
*** yamamoto has quit IRC03:37
bbbbzhao_johnsom:  Thanks, Michael. That's true the use cases in my mind are limited. I thought most of the scenes are covered and the works had been done, but it didn't seem not. I will look at the test which not be cleaned up after the several storyboard work done. Thank you again.06:54
openstackgerritCarlos Goncalves proposed openstack/octavia master: Revert "Fix the bionic gate to actually run Ubuntu bionic"
openstackgerritCarlos Goncalves proposed openstack/octavia-tempest-plugin master: Gate on CentOS 7 and check on Ubuntu Bionic
openstackgerritCarlos Goncalves proposed openstack/octavia master: Gate on octavia-dsvm-base based jobs and housekeeping
openstackgerritCarlos Goncalves proposed openstack/octavia master: Gate on octavia-dsvm-base based jobs and housekeeping
openstackgerritZhaoBo proposed openstack/octavia master: [UDP] Fix failed member always in DRAIN status
openstackgerritZhaoBo proposed openstack/octavia master: [UDP] Update amphora agent api ref
bbbbzhao_johnsom:  OH,!/story/2003211  we already support it , as --session-persistence option accepts key-value12:23
*** PagliaccisCloud has quit IRC17:38
*** ipsecguy has quit IRC17:39
*** PagliaccisCloud has joined #openstack-lbaas17:40
*** yamamoto has joined #openstack-lbaas20:24
*** yamamoto has quit IRC20:26
*** yamamoto has joined #openstack-lbaas20:38
*** yamamoto has quit IRC20:55
*** yamamoto has joined #openstack-lbaas21:00
*** yamamoto has quit IRC21:09
*** yamamoto has joined #openstack-lbaas21:29
*** yamamoto has quit IRC21:29
*** yamamoto has joined #openstack-lbaas21:57
*** yamamoto has quit IRC21:58

Generated by 2.15.3 by Marius Gedminas - find it at!