*** threestrands has joined #openstack-lbaas | 00:32 | |
*** threestrands has quit IRC | 00:32 | |
*** threestrands has joined #openstack-lbaas | 00:32 | |
*** spartakos has quit IRC | 00:45 | |
*** hongbin_ has joined #openstack-lbaas | 00:55 | |
*** Emine has quit IRC | 01:11 | |
*** Emine has joined #openstack-lbaas | 01:11 | |
openstackgerrit | Merged openstack/octavia master: Validate member address for lb graph creation https://review.openstack.org/599467 | 02:14 |
---|---|---|
*** ramishra has joined #openstack-lbaas | 02:22 | |
openstackgerrit | chenge proposed openstack/octavia master: Spelling Mistakes https://review.openstack.org/600623 | 02:51 |
openstackgerrit | Merged openstack/octavia master: Use openstack-tox-cover template https://review.openstack.org/600503 | 03:25 |
*** annp has joined #openstack-lbaas | 03:32 | |
*** andy_ has quit IRC | 03:49 | |
*** andy_ has joined #openstack-lbaas | 03:54 | |
*** hongbin__ has joined #openstack-lbaas | 04:22 | |
*** hongbin_ has quit IRC | 04:25 | |
*** spartakos has joined #openstack-lbaas | 04:28 | |
*** celebdor has joined #openstack-lbaas | 04:54 | |
*** rcernin has quit IRC | 04:57 | |
*** spartakos has quit IRC | 04:57 | |
*** KeithMnemonic1 has joined #openstack-lbaas | 05:04 | |
*** KeithMnemonic has quit IRC | 05:07 | |
*** reedip has joined #openstack-lbaas | 05:09 | |
*** spartakos has joined #openstack-lbaas | 05:12 | |
*** hongbin__ has quit IRC | 05:23 | |
*** rcernin has joined #openstack-lbaas | 05:30 | |
*** lxkong has quit IRC | 05:57 | |
*** kobis1 has joined #openstack-lbaas | 06:04 | |
*** kobis1 has quit IRC | 06:05 | |
*** pcaruana has joined #openstack-lbaas | 06:13 | |
*** Guest64 has joined #openstack-lbaas | 06:27 | |
*** Guest64 has quit IRC | 06:28 | |
*** vimal1 has joined #openstack-lbaas | 06:32 | |
vimal1 | Hi all, I installed Octavia on Pike RDO, but then "neutron" load balancer commands fail. Only "openstack load balancer .." is able to create the Octavia amphoras. As a result, LB functions in Horizon dashboard are failing too. has anyone encountered this? Any suggestions? Thanks.. | 06:57 |
sapd1 | vimal1: Maybe you are using lbaas-dashboard instead of octavia-dashboard. Please use one: https://github.com/openstack/octavia-dashboard | 07:06 |
vimal1 | I tried octavia dashboard earlier but apache did not start again after installing it. | 07:07 |
vimal1 | CommandError: An error occurred during rendering /usr/share/openstack-dashboard/openstack_dashboard/templates/horizon/_scripts.html: | 07:07 |
vimal1 | Got this error in the compress step | 07:07 |
sapd1 | vimal1: what branch did you install? | 07:08 |
vimal1 | pip install octavia-dashboard | 07:09 |
vimal1 | It installed octavia-dashboard-2.0.0 | 07:09 |
vimal1 | Later on I found that there is no octavia-dashboard branch for Pike | 07:10 |
vimal1 | sapd1: my main concern is, all guides on octavia use "neutron" cli to create LBs, but that same command never works for me. I have to use 'openstack load balancer create" to create and manage the octavia LBs. | 07:12 |
sapd1 | If you are using Pike, You have to configure neutron-lbaas plugin to use use so you can use neutron lbaas command line . | 07:13 |
vimal1 | sapd1: r u referring to "configuring Neutron LBaaS" section in https://docs.openstack.org/octavia/pike/contributor/guides/dev-quick-start.html | 07:14 |
sapd1 | yes. have you configured service_provider yet? | 07:15 |
vimal1 | yes | 07:15 |
vimal1 | exactly as that same line | 07:15 |
vimal1 | actually, everything in octavia is working as expected.. amphora get created fine, load balancing is happening fine and all.. | 07:16 |
sapd1 | Please check your neutron-lbaas-agent log. I recommend you use octavia alone. | 07:16 |
vimal1 | How can I use octavia alone? | 07:16 |
vimal1 | I have created service and endpoints for octavia | 07:17 |
sapd1 | so the problem is about horizon. | 07:17 |
vimal1 | but then what to do after that | 07:17 |
vimal1 | sapd1, r u saying when i have octavia running alone, creating LBs using "neutron" command will fail (as it is happening in my case)? | 07:18 |
sapd1 | you can use horizon (queens) and octavia-dashboard (queens) It's compatible with pike. | 07:18 |
vimal1 | and that I should only use "openstack load balancer" command for creating LBs? | 07:18 |
sapd1 | yes | 07:19 |
sapd1 | neutron-lbaas is deprecated from queens release | 07:19 |
vimal1 | so i have to try installing horizon (queens) and octavia-dashboard (queens) ? | 07:20 |
sapd1 | yep | 07:21 |
sapd1 | install octavia-dashboard is simple than configure neutron-lbaas. | 07:22 |
vimal1 | sapd1: as I am on Pike RDO, does that mean I have to remove current horizon package, and then install horizon and octavia-dashboard of queens from github? right? | 07:22 |
vimal1 | "openstack-dashboard" to be removed | 07:22 |
sapd1 | please use another environment for test. maybe a VM. | 07:23 |
vimal1 | yes, i will try on another machine.. | 07:23 |
vimal1 | thank u for being so helpful, sapd1.. i almost gone crazy with this.. | 07:23 |
sapd1 | NP | 07:24 |
*** vimal1 has quit IRC | 07:27 | |
*** tesseract has joined #openstack-lbaas | 07:27 | |
*** vimal1 has joined #openstack-lbaas | 07:28 | |
*** AlexeyAbashkin has joined #openstack-lbaas | 07:30 | |
*** AlexeyAbashkin has quit IRC | 07:30 | |
*** AlexeyAbashkin has joined #openstack-lbaas | 07:40 | |
*** AlexeyAbashkin has quit IRC | 07:40 | |
*** ipsecguy_ has joined #openstack-lbaas | 07:47 | |
*** velizarx has joined #openstack-lbaas | 07:48 | |
openstackgerrit | Carlos Goncalves proposed openstack/octavia master: Gate on octavia-dsvm-base based jobs and housekeeping https://review.openstack.org/587442 | 07:49 |
*** ramishra has quit IRC | 07:58 | |
*** reedipb_ has joined #openstack-lbaas | 08:04 | |
*** reedip has quit IRC | 08:08 | |
*** AlexeyAbashkin has joined #openstack-lbaas | 08:08 | |
*** ramishra has joined #openstack-lbaas | 08:14 | |
*** lxkong has joined #openstack-lbaas | 08:15 | |
*** luksky has joined #openstack-lbaas | 08:16 | |
*** spartakos has quit IRC | 08:18 | |
*** velizarx has quit IRC | 08:23 | |
*** threestrands has quit IRC | 08:33 | |
*** velizarx has joined #openstack-lbaas | 08:38 | |
vimal1 | Hi sapd1, I installed queens packages of dashboard and octavia-ui and it worked perfectly!! Thank you.. Cheers :-) | 08:45 |
*** vimal1 has quit IRC | 09:04 | |
*** phuoc_ has joined #openstack-lbaas | 09:09 | |
*** phuoc has quit IRC | 09:12 | |
*** rcernin has quit IRC | 09:16 | |
*** phuoc has joined #openstack-lbaas | 09:33 | |
*** phuoc_ has quit IRC | 09:35 | |
*** vimal1 has joined #openstack-lbaas | 09:37 | |
*** vimal1 has left #openstack-lbaas | 09:38 | |
openstackgerrit | Merged openstack/octavia master: Raise minimum coverage to 90% https://review.openstack.org/600583 | 09:39 |
*** phuoc_ has joined #openstack-lbaas | 09:47 | |
*** phuoc has quit IRC | 09:51 | |
*** ramishra_ has joined #openstack-lbaas | 10:51 | |
*** ramishra has quit IRC | 10:53 | |
*** annp has quit IRC | 11:13 | |
*** takamatsu has joined #openstack-lbaas | 11:28 | |
*** velizarx has quit IRC | 12:29 | |
*** reedipb_ has quit IRC | 12:44 | |
*** amuller has joined #openstack-lbaas | 12:51 | |
*** yamamoto has joined #openstack-lbaas | 13:08 | |
*** velizarx has joined #openstack-lbaas | 13:11 | |
*** fnaval has joined #openstack-lbaas | 14:23 | |
*** pcaruana has quit IRC | 14:33 | |
*** hvhaugwitz has quit IRC | 14:41 | |
*** spartakos has joined #openstack-lbaas | 14:52 | |
*** velizarx has quit IRC | 15:21 | |
*** ramishra_ has quit IRC | 15:30 | |
*** luksky has quit IRC | 15:38 | |
*** yamamoto has quit IRC | 15:53 | |
*** yamamoto has joined #openstack-lbaas | 15:54 | |
*** yamamoto has quit IRC | 15:59 | |
*** lxkong has quit IRC | 16:14 | |
*** spartakos has quit IRC | 16:27 | |
*** yamamoto has joined #openstack-lbaas | 16:35 | |
*** AlexeyAbashkin has quit IRC | 16:36 | |
johnsom | Hmm, digging into this scenario failure on the HM patch.... Joy. | 16:52 |
johnsom | A couple of updates. The Ubuntu Rocky release is out, including Octavia packages (python3 only, which is fine with me). | 16:53 |
johnsom | Also Doug reached out about the python3 first goal and might join us on Wednesday afternoon to let us know what we have left to do for the goal. | 16:54 |
*** Swami has joined #openstack-lbaas | 17:01 | |
openstackgerrit | Michael Johnson proposed openstack/octavia master: Fix a few devstack plugin settings that are deprecated https://review.openstack.org/600819 | 17:03 |
*** tesseract has quit IRC | 17:20 | |
*** spartakos has joined #openstack-lbaas | 17:39 | |
tobias-urdin | johnsom: does octavia-dashboard support standalone octavia v2 api without neutron lbaas v2? | 17:44 |
johnsom | tobias-urdin Yes, it ONLY supports the Octavia v2 API, it will not interact with neutron-lbaas at all. | 17:44 |
tobias-urdin | hm ok, it just logouts my user when i click the load balancer page, nothing in api logs or horizon.log only this in the horizon access log | 17:45 |
tobias-urdin | GET /api/lbaas/loadbalancers/?full=true HTTP/1.1" 403 | 17:45 |
johnsom | Hmm, that is an odd path, but that might be local settings for the endpoint URL. | 17:47 |
johnsom | tobias-urdin Per the API docs, https://developer.openstack.org/api-ref/load-balancer/v2/index.html#response-codes, 403 means the user does not have the RBAC rights to access the API. | 17:47 |
johnsom | The logout thing is a long standing horizon bug that when something goes wrong, it logs folks out. | 17:48 |
johnsom | Does the same user credentials work via CLI? | 17:48 |
tobias-urdin | found something | 17:48 |
tobias-urdin | "GET /v2.0/lbaas/loadbalancers?project_id=3fad4eac76ae4f3fb8df25ce4e911a3c HTTP/1.1" 403 | 17:48 |
tobias-urdin | perhaps something simple, does a normal user require any of the roles by default? | 17:48 |
johnsom | tobias-urdin By default Octavia is using the advanced RBAC that requires users to be a member of a role before they can access the API. Are you aware of that? | 17:49 |
johnsom | tobias-urdin https://docs.openstack.org/octavia/latest/configuration/policy.html | 17:49 |
tobias-urdin | so add load-balancer_member | 17:49 |
johnsom | You can disable advanced RBAC by installing the admin_or_owner-policy.json from octavia/etc/policy in your /etc/octavia/policy.json file on your API servers. | 17:50 |
*** sapd1_ has joined #openstack-lbaas | 17:50 | |
johnsom | Yes, that would enable access to the user, or group of users | 17:50 |
tobias-urdin | johnsom: yay :) lucky me it was that simple | 17:55 |
tobias-urdin | thanks | 17:55 |
johnsom | NP | 17:55 |
cgoncalves | yeah, users are not used to that behavior as default. barbican also has advanced RBAC enabled | 17:58 |
johnsom | nova just added it as well, slightly different than ours, but similar | 18:00 |
tobias-urdin | yeah i was not even thinking about it until i after starring at 403 for a while | 18:01 |
tobias-urdin | i think i'm missing some keystone related option | 18:01 |
tobias-urdin | http://paste.openstack.org/show/3IWdvR05dxQYbhO6GAs4/ | 18:01 |
tobias-urdin | auth_plugin or auth_type or smth | 18:01 |
johnsom | tobias-urdin Check this section of the config file: https://github.com/openstack/octavia/blob/master/etc/octavia.conf#L333 | 18:02 |
johnsom | Though I haven't seen that error specifically, it could be a missing python module. | 18:03 |
tobias-urdin | so that's the service user that is used against keystone? | 18:04 |
tobias-urdin | what's different from the keystone_authtoken section? | 18:05 |
tobias-urdin | because i haven't specified anything in that service_auth section | 18:05 |
johnsom | keystone_authtoken is used to validate user tokens with keystone. service_auth is the keystone info used when Octavia makes calls to other services, such as neutron in this case. | 18:05 |
tobias-urdin | ah ok, i'll test | 18:06 |
tobias-urdin | hm, no luck same after specifying all options in that section | 18:11 |
tobias-urdin | ah! it was used by api and not all other service | 18:11 |
tobias-urdin | worked after restart | 18:11 |
tobias-urdin | aw soooooo close just had wrong security group so got SecurityGroupNotFound :( | 18:17 |
tobias-urdin | hm the sec group id was correct, i created it with openstack security group create amphora --project octavia | 18:20 |
tobias-urdin | but nova couldn't find it | 18:20 |
tobias-urdin | maybe wrong project owner and not project permission | 18:20 |
johnsom | Did you setup a project "octavia" or is it project service and user octavia? | 18:20 |
johnsom | openstack project list | 18:21 |
tobias-urdin | that an octavia project | 18:21 |
tobias-urdin | thats* | 18:21 |
tobias-urdin | which config option determines which project to place instances in | 18:26 |
johnsom | The service_auth section | 18:26 |
tobias-urdin | ah, then the project_name is wrong there, thanks :) | 18:27 |
*** sapd1_ has quit IRC | 18:44 | |
tobias-urdin | johnsom: when i change [service_auth]/project_name from "services" to "octavia" which is the proper tenant | 18:46 |
tobias-urdin | i just get 400 bad request from the octavia api | 18:47 |
tobias-urdin | "POST /v2.0/lbaas/loadbalancers HTTP/1.1" 400 | 18:47 |
tobias-urdin | the octavia user in the service_auth section has "admin" for octavia project, also tried with "member" role | 18:47 |
tobias-urdin | if I change back to "services" it's successful but fails since the security group is not on the services project | 18:47 |
tobias-urdin | openstack role add --user octavia --project octavia <admin or member> | 18:48 |
johnsom | Hmmm, check the logs to see why you got 400. That is usually a user input error, but could be some other item, like flavor or image that aren't in the octavia project | 18:48 |
tobias-urdin | johnsom: so close right now, have network access to the amphora | 19:01 |
tobias-urdin | Could not connect to instance. Retrying.: SSLError: ("bad handshake: Error([('rsa routines', 'RSA_padding_check_PKCS1_type_1', 'block type is not 01'), ('rsa routines', 'RSA_EAY_PUBLIC_DECRYPT', 'padding check failed'), ('SSL routines', 'ssl3_get_key_exchange', 'bad signature')],)",) | 19:01 |
tobias-urdin | but some cert issues, should the test-only-ubuntu-xenial amphora image work for testing purposes? | 19:01 |
johnsom | Yeah, the certs are loaded at boot time and are not stored in the image | 19:02 |
tobias-urdin | hm wonder what's wrong with my certs | 19:04 |
tobias-urdin | johnsom: would you mind verifying? :) http://paste.openstack.org/show/729709/ | 19:13 |
*** hvhaugwitz has joined #openstack-lbaas | 19:14 | |
johnsom | tobias-urdin I think there is an issue with the CA. The part to note here is the controllers are the "TLS Client" and the amphora-agents are the "servers" | 19:26 |
johnsom | So the cert with the CA endorsement is the one needed in the ca_certificate field to allow the controller to generate and issue certs to the amphora | 19:27 |
*** spartakos has quit IRC | 19:49 | |
*** amuller has quit IRC | 20:08 | |
openstackgerrit | Dirk Mueller proposed openstack/neutron-lbaas master: neutron-lbaas haproxy agent prevent vif unplug when failover occurs https://review.openstack.org/578966 | 20:39 |
*** luksky has joined #openstack-lbaas | 20:54 | |
*** spartakos has joined #openstack-lbaas | 21:01 | |
*** spartakos has quit IRC | 21:02 | |
tobias-urdin | johnsom: i dont quite understand, i must have misunderstood something that caused me too confuse what to use where, could you elaborate? | 21:27 |
*** KeithMnemonic1 has quit IRC | 21:32 | |
openstackgerrit | Michael Johnson proposed openstack/octavia master: Fix health manager performance regression https://review.openstack.org/600332 | 21:33 |
johnsom | tobias-urdin The [certificates] section of the configuration is about how we issue the amphora unique certificates. the controllers use a CA to issue "server" certificates that are unique to each amphora. Thus, the cert used for that must have the CA endorsement. | 21:37 |
tobias-urdin | ok, so I think I understand where it went wrong now. I should have signed the client.crt certificate with the server_ca.crt CA and not the client_ca.crt CA | 21:46 |
johnsom | Well, no, not if you are using a dual CA deployment. | 21:47 |
johnsom | If you are just doing testing, just follow the steps we do for devstack and the gates: https://github.com/openstack/octavia/blob/master/devstack/plugin.sh#L298-L305 | 21:48 |
johnsom | The client CA and client certs are issued to the control plane processes to present to the amphora-agent. The amphora-agent validates those using the client-ca.crt in [certificates] client_ca | 21:49 |
tobias-urdin | Super confused, I've been comparing my commands to https://github.com/openstack/openstack-ansible-os_octavia/blob/master/tasks/octavia_certs.yml to understand where it went wrong | 21:55 |
johnsom | Ah, ok. That is using the dual CA method where there is one CA for the "client" side, or the controller certs, and one CA for the "server" side, which is the CA for issuing certs to the amphora | 21:56 |
*** spartakos has joined #openstack-lbaas | 21:56 | |
tobias-urdin | yeah, then I broke it down to this http://paste.openstack.org/show/729709/ but I must have missed or swapped something the wrong way. | 21:57 |
*** sapd1 has quit IRC | 21:59 | |
*** luksky has quit IRC | 22:01 | |
*** fnaval has quit IRC | 22:02 | |
openstackgerrit | Michael Johnson proposed openstack/neutron-lbaas master: Exclude limestone from running with kvm https://review.openstack.org/600543 | 22:04 |
*** yamamoto has quit IRC | 22:05 | |
openstackgerrit | Michael Johnson proposed openstack/octavia master: Disable KVM at limestone (again) https://review.openstack.org/600542 | 22:05 |
openstackgerrit | Michael Johnson proposed openstack/octavia-tempest-plugin master: Disable KVM at limestone (again) https://review.openstack.org/600536 | 22:05 |
*** fnaval has joined #openstack-lbaas | 22:07 | |
openstackgerrit | Adam Harwell proposed openstack/octavia master: DNM: three dumb downstream things to fix, IGNORE https://review.openstack.org/593986 | 22:07 |
*** spartakos has quit IRC | 22:14 | |
*** spartakos has joined #openstack-lbaas | 22:15 | |
*** spartakos has quit IRC | 22:23 | |
openstackgerrit | Carlos Goncalves proposed openstack/octavia master: Make health checks resilient to DB outages https://review.openstack.org/600876 | 22:27 |
*** spartakos has joined #openstack-lbaas | 22:27 | |
cgoncalves | ^ seems to work for me. played a bit with stopping/restarting DB | 22:28 |
johnsom | Looking (though don't think it will stay in pending create forever...) | 22:28 |
johnsom | Ah, nevermind, right, it can't update the status in the DB because there is not DB in this scenario | 22:29 |
*** spartakos has quit IRC | 23:17 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!