Friday, 2018-09-07

*** threestrands has joined #openstack-lbaas00:32
*** threestrands has quit IRC00:32
*** threestrands has joined #openstack-lbaas00:32
*** spartakos has quit IRC00:45
*** hongbin_ has joined #openstack-lbaas00:55
*** Emine has quit IRC01:11
*** Emine has joined #openstack-lbaas01:11
openstackgerritMerged openstack/octavia master: Validate member address for lb graph creation
*** ramishra has joined #openstack-lbaas02:22
openstackgerritchenge proposed openstack/octavia master: Spelling Mistakes
openstackgerritMerged openstack/octavia master: Use openstack-tox-cover template
*** annp has joined #openstack-lbaas03:32
*** andy_ has quit IRC03:49
*** andy_ has joined #openstack-lbaas03:54
*** hongbin__ has joined #openstack-lbaas04:22
*** hongbin_ has quit IRC04:25
*** spartakos has joined #openstack-lbaas04:28
*** celebdor has joined #openstack-lbaas04:54
*** rcernin has quit IRC04:57
*** spartakos has quit IRC04:57
*** KeithMnemonic1 has joined #openstack-lbaas05:04
*** KeithMnemonic has quit IRC05:07
*** reedip has joined #openstack-lbaas05:09
*** spartakos has joined #openstack-lbaas05:12
*** hongbin__ has quit IRC05:23
*** rcernin has joined #openstack-lbaas05:30
*** lxkong has quit IRC05:57
*** kobis1 has joined #openstack-lbaas06:04
*** kobis1 has quit IRC06:05
*** pcaruana has joined #openstack-lbaas06:13
*** Guest64 has joined #openstack-lbaas06:27
*** Guest64 has quit IRC06:28
*** vimal1 has joined #openstack-lbaas06:32
vimal1Hi all, I installed Octavia on Pike RDO, but then "neutron" load balancer commands fail. Only "openstack load balancer .." is able to create the Octavia amphoras. As a result, LB functions in Horizon dashboard are failing too. has anyone encountered this? Any suggestions? Thanks..06:57
sapd1vimal1: Maybe you are using lbaas-dashboard instead of octavia-dashboard. Please use one:
vimal1I tried octavia dashboard earlier but apache did not start again after installing it.07:07
vimal1CommandError: An error occurred during rendering /usr/share/openstack-dashboard/openstack_dashboard/templates/horizon/_scripts.html:07:07
vimal1Got this error in the compress step07:07
sapd1vimal1: what branch did you install?07:08
vimal1pip install octavia-dashboard07:09
vimal1It installed octavia-dashboard-2.0.007:09
vimal1Later on I found that there is no octavia-dashboard branch for Pike07:10
vimal1sapd1: my main concern is, all guides on octavia use "neutron" cli to create LBs, but that same command never works for me. I have to use 'openstack load balancer create" to create and manage the octavia LBs.07:12
sapd1If you are using Pike, You have to configure neutron-lbaas plugin to use use so you can use neutron lbaas command line .07:13
vimal1sapd1: r u referring to "configuring Neutron LBaaS" section in
sapd1yes. have you configured service_provider yet?07:15
vimal1exactly as that same line07:15
vimal1actually, everything in octavia is working as expected.. amphora get created fine, load balancing is happening fine and all..07:16
sapd1Please check your neutron-lbaas-agent log. I recommend you use octavia alone.07:16
vimal1How can I use octavia alone?07:16
vimal1I have created service and endpoints for octavia07:17
sapd1so the problem is about horizon.07:17
vimal1but then what to do after that07:17
vimal1sapd1, r u saying when i have octavia running alone, creating LBs using "neutron" command will fail (as it is happening in my case)?07:18
sapd1you can use horizon (queens) and octavia-dashboard (queens) It's compatible with pike.07:18
vimal1and that I should only use "openstack load balancer" command for creating LBs?07:18
sapd1neutron-lbaas is deprecated from queens release07:19
vimal1so i have to try installing horizon (queens) and octavia-dashboard (queens) ?07:20
sapd1install octavia-dashboard is simple than configure neutron-lbaas.07:22
vimal1sapd1: as I am on Pike RDO, does that mean I have to remove current horizon package, and then install horizon and octavia-dashboard of queens from github? right?07:22
vimal1"openstack-dashboard" to be removed07:22
sapd1please use another environment for test. maybe a VM.07:23
vimal1yes, i will try on another machine..07:23
vimal1thank u for being so helpful, sapd1.. i almost gone crazy with this..07:23
*** vimal1 has quit IRC07:27
*** tesseract has joined #openstack-lbaas07:27
*** vimal1 has joined #openstack-lbaas07:28
*** AlexeyAbashkin has joined #openstack-lbaas07:30
*** AlexeyAbashkin has quit IRC07:30
*** AlexeyAbashkin has joined #openstack-lbaas07:40
*** AlexeyAbashkin has quit IRC07:40
*** ipsecguy_ has joined #openstack-lbaas07:47
*** velizarx has joined #openstack-lbaas07:48
openstackgerritCarlos Goncalves proposed openstack/octavia master: Gate on octavia-dsvm-base based jobs and housekeeping
*** ramishra has quit IRC07:58
*** reedipb_ has joined #openstack-lbaas08:04
*** reedip has quit IRC08:08
*** AlexeyAbashkin has joined #openstack-lbaas08:08
*** ramishra has joined #openstack-lbaas08:14
*** lxkong has joined #openstack-lbaas08:15
*** luksky has joined #openstack-lbaas08:16
*** spartakos has quit IRC08:18
*** velizarx has quit IRC08:23
*** threestrands has quit IRC08:33
*** velizarx has joined #openstack-lbaas08:38
vimal1Hi sapd1, I installed queens packages of dashboard and octavia-ui and it worked perfectly!! Thank you.. Cheers :-)08:45
*** vimal1 has quit IRC09:04
*** phuoc_ has joined #openstack-lbaas09:09
*** phuoc has quit IRC09:12
*** rcernin has quit IRC09:16
*** phuoc has joined #openstack-lbaas09:33
*** phuoc_ has quit IRC09:35
*** vimal1 has joined #openstack-lbaas09:37
*** vimal1 has left #openstack-lbaas09:38
openstackgerritMerged openstack/octavia master: Raise minimum coverage to 90%
*** phuoc_ has joined #openstack-lbaas09:47
*** phuoc has quit IRC09:51
*** ramishra_ has joined #openstack-lbaas10:51
*** ramishra has quit IRC10:53
*** annp has quit IRC11:13
*** takamatsu has joined #openstack-lbaas11:28
*** velizarx has quit IRC12:29
*** reedipb_ has quit IRC12:44
*** amuller has joined #openstack-lbaas12:51
*** yamamoto has joined #openstack-lbaas13:08
*** velizarx has joined #openstack-lbaas13:11
*** fnaval has joined #openstack-lbaas14:23
*** pcaruana has quit IRC14:33
*** hvhaugwitz has quit IRC14:41
*** spartakos has joined #openstack-lbaas14:52
*** velizarx has quit IRC15:21
*** ramishra_ has quit IRC15:30
*** luksky has quit IRC15:38
*** yamamoto has quit IRC15:53
*** yamamoto has joined #openstack-lbaas15:54
*** yamamoto has quit IRC15:59
*** lxkong has quit IRC16:14
*** spartakos has quit IRC16:27
*** yamamoto has joined #openstack-lbaas16:35
*** AlexeyAbashkin has quit IRC16:36
johnsomHmm, digging into this scenario failure on the HM patch.... Joy.16:52
johnsomA couple of updates. The Ubuntu Rocky release is out, including Octavia packages (python3 only, which is fine with me).16:53
johnsomAlso Doug reached out about the python3 first goal and might join us on Wednesday afternoon to let us know what we have left to do for the goal.16:54
*** Swami has joined #openstack-lbaas17:01
openstackgerritMichael Johnson proposed openstack/octavia master: Fix a few devstack plugin settings that are deprecated
*** tesseract has quit IRC17:20
*** spartakos has joined #openstack-lbaas17:39
tobias-urdinjohnsom: does octavia-dashboard support standalone octavia v2 api without neutron lbaas v2?17:44
johnsomtobias-urdin Yes, it ONLY supports the Octavia v2 API, it will not interact with neutron-lbaas at all.17:44
tobias-urdinhm ok, it just logouts my user when i click the load balancer page, nothing in api logs or horizon.log only this in the horizon access log17:45
tobias-urdinGET /api/lbaas/loadbalancers/?full=true HTTP/1.1" 40317:45
johnsomHmm, that is an odd path, but that might be local settings for the endpoint URL.17:47
johnsomtobias-urdin Per the API docs,, 403 means the user does not have the RBAC rights to access the API.17:47
johnsomThe logout thing is a long standing horizon bug that when something goes wrong, it logs folks out.17:48
johnsomDoes the same user credentials work via CLI?17:48
tobias-urdinfound something17:48
tobias-urdin"GET /v2.0/lbaas/loadbalancers?project_id=3fad4eac76ae4f3fb8df25ce4e911a3c HTTP/1.1" 40317:48
tobias-urdinperhaps something simple, does a normal user require any of the roles by default?17:48
johnsomtobias-urdin By default Octavia is using the advanced RBAC that requires users to be a member of a role before they can access the API. Are you aware of that?17:49
tobias-urdinso add load-balancer_member17:49
johnsomYou can disable advanced RBAC by installing the admin_or_owner-policy.json  from octavia/etc/policy in your /etc/octavia/policy.json file on your API servers.17:50
*** sapd1_ has joined #openstack-lbaas17:50
johnsomYes, that would enable access to the user, or group of users17:50
tobias-urdinjohnsom: yay :) lucky me it was that simple17:55
cgoncalvesyeah, users are not used to that behavior as default. barbican also has advanced RBAC enabled17:58
johnsomnova just added it as well, slightly different than ours, but similar18:00
tobias-urdinyeah i was not even thinking about it until i after starring at 403 for a while18:01
tobias-urdini think i'm missing some keystone related option18:01
tobias-urdinauth_plugin or auth_type or smth18:01
johnsomtobias-urdin Check this section of the config file:
johnsomThough I haven't seen that error specifically, it could be a missing python module.18:03
tobias-urdinso that's the service user that is used against keystone?18:04
tobias-urdinwhat's different from the keystone_authtoken section?18:05
tobias-urdinbecause i haven't specified anything in that service_auth section18:05
johnsomkeystone_authtoken is used to validate user tokens with keystone. service_auth is the keystone info used when Octavia makes calls to other services, such as neutron in this case.18:05
tobias-urdinah ok, i'll test18:06
tobias-urdinhm, no luck same after specifying all options in that section18:11
tobias-urdinah! it was used by api and not all other service18:11
tobias-urdinworked after restart18:11
tobias-urdinaw soooooo close just had wrong security group so got SecurityGroupNotFound :(18:17
tobias-urdinhm the sec group id was correct, i created it with openstack security group create amphora --project octavia18:20
tobias-urdinbut nova couldn't find it18:20
tobias-urdinmaybe wrong project owner and not project permission18:20
johnsomDid you setup a project "octavia" or is it project service and user octavia?18:20
johnsomopenstack project list18:21
tobias-urdinthat an octavia project18:21
tobias-urdinwhich config option determines which project to place instances in18:26
johnsomThe service_auth section18:26
tobias-urdinah, then the project_name is wrong there, thanks :)18:27
*** sapd1_ has quit IRC18:44
tobias-urdinjohnsom: when i change [service_auth]/project_name from "services" to "octavia" which is the proper tenant18:46
tobias-urdini just get 400 bad request from the octavia api18:47
tobias-urdin"POST /v2.0/lbaas/loadbalancers HTTP/1.1" 40018:47
tobias-urdinthe octavia user in the service_auth section has "admin" for octavia project, also tried with "member" role18:47
tobias-urdinif I change back to "services" it's successful but fails since the security group is not on the services project18:47
tobias-urdinopenstack role add --user octavia --project octavia <admin or member>18:48
johnsomHmmm, check the logs to see why you got 400. That is usually a user input error, but could be some other item, like flavor or image that aren't in the octavia project18:48
tobias-urdinjohnsom: so close right now, have network access to the amphora19:01
tobias-urdin Could not connect to instance. Retrying.: SSLError: ("bad handshake: Error([('rsa routines', 'RSA_padding_check_PKCS1_type_1', 'block type is not 01'), ('rsa routines', 'RSA_EAY_PUBLIC_DECRYPT', 'padding check failed'), ('SSL routines', 'ssl3_get_key_exchange', 'bad signature')],)",)19:01
tobias-urdinbut some cert issues, should the test-only-ubuntu-xenial amphora image work for testing purposes?19:01
johnsomYeah, the certs are loaded at boot time and are not stored in the image19:02
tobias-urdinhm wonder what's wrong with my certs19:04
tobias-urdinjohnsom: would you mind verifying? :)
*** hvhaugwitz has joined #openstack-lbaas19:14
johnsomtobias-urdin I think there is an issue with the CA.  The part to note here is the controllers are the "TLS Client" and the amphora-agents are the "servers"19:26
johnsomSo the cert with the CA endorsement is the one needed in the ca_certificate field to allow the controller to generate and issue certs to the amphora19:27
*** spartakos has quit IRC19:49
*** amuller has quit IRC20:08
openstackgerritDirk Mueller proposed openstack/neutron-lbaas master: neutron-lbaas haproxy agent prevent vif unplug when failover occurs
*** luksky has joined #openstack-lbaas20:54
*** spartakos has joined #openstack-lbaas21:01
*** spartakos has quit IRC21:02
tobias-urdinjohnsom: i dont quite understand, i must have misunderstood something that caused me too confuse what to use where, could you elaborate?21:27
*** KeithMnemonic1 has quit IRC21:32
openstackgerritMichael Johnson proposed openstack/octavia master: Fix health manager performance regression
johnsomtobias-urdin The [certificates] section of the configuration is about how we issue the amphora unique certificates.  the controllers use a CA to issue "server" certificates that are unique to each amphora. Thus, the cert used for that must have the CA endorsement.21:37
tobias-urdinok, so I think I understand where it went wrong now. I should have signed the client.crt certificate with the server_ca.crt CA and not the client_ca.crt CA21:46
johnsomWell, no, not if you are using a dual CA deployment.21:47
johnsomIf you are just doing testing, just follow the steps we do for devstack and the gates:
johnsomThe client CA and client certs are issued to the control plane processes to present to the amphora-agent. The amphora-agent validates those using the client-ca.crt in [certificates] client_ca21:49
tobias-urdinSuper confused, I've been comparing my commands to to understand where it went wrong21:55
johnsomAh, ok. That is using the dual CA method where there is one CA for the "client" side, or the controller certs, and one CA for the "server" side, which is the CA for issuing certs to the amphora21:56
*** spartakos has joined #openstack-lbaas21:56
tobias-urdinyeah, then I broke it down to this but I must have missed or swapped something the wrong way.21:57
*** sapd1 has quit IRC21:59
*** luksky has quit IRC22:01
*** fnaval has quit IRC22:02
openstackgerritMichael Johnson proposed openstack/neutron-lbaas master: Exclude limestone from running with kvm
*** yamamoto has quit IRC22:05
openstackgerritMichael Johnson proposed openstack/octavia master: Disable KVM at limestone (again)
openstackgerritMichael Johnson proposed openstack/octavia-tempest-plugin master: Disable KVM at limestone (again)
*** fnaval has joined #openstack-lbaas22:07
openstackgerritAdam Harwell proposed openstack/octavia master: DNM: three dumb downstream things to fix, IGNORE
*** spartakos has quit IRC22:14
*** spartakos has joined #openstack-lbaas22:15
*** spartakos has quit IRC22:23
openstackgerritCarlos Goncalves proposed openstack/octavia master: Make health checks resilient to DB outages
*** spartakos has joined #openstack-lbaas22:27
cgoncalves^ seems to work for me. played a bit with stopping/restarting DB22:28
johnsomLooking (though don't think it will stay in pending create forever...)22:28
johnsomAh, nevermind, right, it can't update the status in the DB because there is not DB in this scenario22:29
*** spartakos has quit IRC23:17

Generated by 2.15.3 by Marius Gedminas - find it at!