Thursday, 2018-09-13

<abaindur> hey, want to confirm... a loadbalancer == an amphora? [00:18]
<abaindur> spinning up a new loadbalancer will create new amphora, right? [00:19]
<abaindur> we've used AVI before where it will re-use an existing service engine VM (equivalent to an amphora), to loadbalance traffic for entirely different loadbalancers [00:19]
*** rm_mobile has quit IRC [00:22]
*** Swami has quit IRC [00:25]
<lxkong> johnsom, rm_work, hi, could either of you review and We really need both of them for our new internal release [00:34]
*** abaindur has quit IRC [01:04]
*** annp has joined #openstack-lbaas [01:11]
*** sapd1 has joined #openstack-lbaas [01:15]
*** yamamoto has quit IRC [01:29]
*** hongbin has quit IRC [02:00]
*** sapd1 has quit IRC [02:34]
*** sapd1 has joined #openstack-lbaas [02:36]
*** sapd1_ has joined #openstack-lbaas [02:36]
*** ipsecguy has quit IRC [03:13]
*** ipsecguy has joined #openstack-lbaas [03:14]
*** yamamoto has joined #openstack-lbaas [03:28]
*** reedipb has quit IRC [03:50]
*** ivve has joined #openstack-lbaas [04:10]
*** yboaron_ has joined #openstack-lbaas [04:16]
*** sapd1 has quit IRC [05:06]
*** sapd1 has joined #openstack-lbaas [05:06]
*** yamamoto has quit IRC [05:09]
*** yamamoto has joined #openstack-lbaas [05:09]
*** fnaval has quit IRC [05:19]
*** reedipb has joined #openstack-lbaas [05:20]
*** luksky11 has joined #openstack-lbaas [05:29]
*** fnaval has joined #openstack-lbaas [05:31]
*** fnaval has quit IRC [05:35]
*** sapd1_ has quit IRC [05:45]
<johnsom> abaindur Load balancer == one or more amphora.  two in the case of active/standby [06:00]
*** abaindur has joined #openstack-lbaas [06:59]
*** abaindur has quit IRC [07:00]
*** abaindur has joined #openstack-lbaas [07:00]
*** rcernin has quit IRC [07:01]
*** tesseract has joined #openstack-lbaas [07:01]
*** ivve has quit IRC [07:16]
*** yamamoto has quit IRC [07:19]
*** velizarx has joined #openstack-lbaas [07:20]
*** celebdor has joined #openstack-lbaas [07:26]
*** AlexeyAbashkin has joined #openstack-lbaas [07:34]
*** velizarx has quit IRC [07:42]
*** velizarx has joined #openstack-lbaas [07:45]
*** yamamoto has joined #openstack-lbaas [07:59]
*** ccamposr has joined #openstack-lbaas [08:01]
*** irenab has quit IRC [08:04]
*** oanson has quit IRC [08:04]
*** abaindur has quit IRC [08:07]
*** velizarx has quit IRC [08:09]
*** velizarx has joined #openstack-lbaas [08:11]
*** irenab has joined #openstack-lbaas [08:13]
*** oanson has joined #openstack-lbaas [08:19]
*** fnaval has joined #openstack-lbaas [08:23]
*** fnaval has quit IRC [08:27]
*** irenab has quit IRC [08:28]
*** AlexeyAbashkin has quit IRC [08:38]
*** irenab has joined #openstack-lbaas [08:38]
*** AlexeyAbashkin has joined #openstack-lbaas [08:38]
*** annp has quit IRC [08:46]
*** gcheresh has joined #openstack-lbaas [08:48]
*** annp has joined #openstack-lbaas [09:44]
*** fnaval has joined #openstack-lbaas [10:07]
*** fnaval has quit IRC [10:11]
*** huseyin has joined #openstack-lbaas [10:20]
<huseyin> Hello everyone. After creating certs, keys, intermediates and payloads on barbican, when I want to use these from octavia I get the following error: [10:21]
<huseyin> OctaviaClientException: Could not retrieve certificate: [10:21]
<huseyin> ACL for admin, project user and octavia user is defined [10:22]
<huseyin> Does anyone have an idea to resolve? [10:22]
*** yamamoto has quit IRC [10:24]
<huseyin> | Operation Type | Project Access | Users                                                                                                           | Created                   | Updated                   | Secret ACL Ref                                                           | [10:24]
<huseyin> | read           | True           | [u'1fa597e23ac64a00a324094f7f65e03a', u'a756d5ed747b49308494ae45b4bda301', u'fe520c3d73dd4fb49c351f2ca1c3c0ae'] | 2018-09-13T09:28:00+00:00 | 2018-09-13T10:07:41+00:00 | http://testcont:9311/v1/secrets/c85dd5d8-1877-4cc2-9c28-27d03fd7f5cb/acl | [10:24]
*** yamamoto has joined #openstack-lbaas [10:24]
*** crazik has left #openstack-lbaas [10:24]
<huseyin> Project user has a creator role on barbican [10:27]
<huseyin> I can list and get all the certs, keys, and payloads with the user [10:27]
<huseyin> When I want to create a listener with tls-termination it fails with the HTTP 400 OctaviaClientException: Could not retrieve certificate error [10:28]
*** annp has quit IRC [10:28]
*** velizarx has quit IRC [10:47]
*** velizarx has joined #openstack-lbaas [10:54]
*** fnaval has joined #openstack-lbaas [11:30]
*** fnaval has quit IRC [11:35]
*** amuller has joined #openstack-lbaas [11:50]
*** ianychoi has quit IRC [12:04]
*** fnaval has joined #openstack-lbaas [12:07]
*** ianychoi has joined #openstack-lbaas [12:11]
*** fnaval has quit IRC [12:12]
*** velizarx has quit IRC [12:15]
<openstackgerrit> Merged openstack/octavia master: Fix batch update members
*** velizarx has joined #openstack-lbaas [12:22]
*** yboaron_ has quit IRC [12:34]
*** yboaron_ has joined #openstack-lbaas [12:35]
<jlaffaye_> what are the requirements on neutron ? in my deployment my network uses bgp and not l3 router, I have the VIP port which is down, I don't understand why [12:42]
<huseyin> jlaffaye: i am also struggling with the similar problem. as far as i understand neutron also requires read access on the barbican side to access container when you create tls-terminated listener [12:58]
<huseyin> jlaffaye_: adding observer role to the neutron user is enough I think [12:58]
*** reedipb has quit IRC [13:11]
*** fnaval has joined #openstack-lbaas [13:41]
*** huseyin has quit IRC [13:44]
*** colby_ has quit IRC [14:00]
*** colby_ has joined #openstack-lbaas [14:03]
*** huseyin has joined #openstack-lbaas [14:20]
*** colby_ has quit IRC [14:26]
*** gcheresh has quit IRC [14:28]
*** pcaruana has joined #openstack-lbaas [14:28]
*** colby_ has joined #openstack-lbaas [14:29]
*** reedipb has joined #openstack-lbaas [14:39]
*** sapd1 has quit IRC [14:40]
*** sapd1 has joined #openstack-lbaas [14:42]
<johnsom> jlaffaye_ Note, Octavia uses two neutron "ports" but one is really a "fake" port.  One will always be down, one will be up. [15:07]
*** yboaron_ has quit IRC [15:10]
*** yboaron_ has joined #openstack-lbaas [15:10]
*** velizarx has quit IRC [15:16]
*** yamamoto has quit IRC [15:38]
*** yamamoto has joined #openstack-lbaas [15:39]
*** yamamoto has quit IRC [15:39]
*** yamamoto has joined #openstack-lbaas [15:40]
*** yamamoto has quit IRC [15:44]
*** yboaron_ has quit IRC [16:00]
*** ccamposr has quit IRC [16:03]
*** yamamoto has joined #openstack-lbaas [16:31]
*** celebdor has quit IRC [16:45]
*** tesseract has quit IRC [17:00]
*** yamamoto has quit IRC [17:23]
*** yamamoto has joined #openstack-lbaas [17:23]
*** yamamoto has quit IRC [17:29]
*** huseyin has left #openstack-lbaas [17:32]
*** AlexeyAbashkin has quit IRC [17:32]
*** luksky11 has quit IRC [17:41]
<johnsom> nmagnezi Are you around by chance? [17:46]
*** luksky has joined #openstack-lbaas [18:04]
*** abaindur has joined #openstack-lbaas [18:49]
*** jiteka has quit IRC [18:49]
*** jiteka has joined #openstack-lbaas [18:51]
<colin-> any suggestions for the best place to learn about consuming containers for amphora? i see the disk image builder guide talks about building them appropriately but in terms of compute driver support i only see in stable/rocky and figured i must have misunderstood something [18:59]
*** rcernin has joined #openstack-lbaas [19:00]
*** rtjure has joined #openstack-lbaas [19:03]
<rm_work> colin-: we don't yet support containers unfortunately [19:18]
<rm_work> work is underway, and we've discussed it this week at the PTG meetup [19:18]
<rm_work> so, hopefully this will happen sometime soon, but it is definitely not supported *yet* [19:19]
<openstackgerrit> Merged openstack/octavia master: Make health checks resilient to DB outages
<johnsom> colin- Yeah, we have made a few attempts at containerizing the amphora (this is why we call them amphora and not just service VMs), but so far we have run into bugs.  At this point there is hope in Zun and maybe nova-lxd, if we have folks that can work on it. [20:14]
*** celebdor has joined #openstack-lbaas [20:27]
*** abaindur has quit IRC [20:34]
*** abaindur has joined #openstack-lbaas [20:35]
*** pcaruana has quit IRC [20:38]
<johnsom> rm_work Would you be able to re-join us? [20:46]
<rm_work> yeah i can prolly [20:47]
<rm_work> were you looking to discuss something now/soon? [20:47]
<rm_work> johnsom: ^^ [20:51]
*** rcernin has quit IRC [20:51]
<colin-> thanks for the feedback folks i'll take these notes and consider our options [21:00]
*** celebdor has quit IRC [21:21]
*** luksky has quit IRC [21:25]
*** rcernin has joined #openstack-lbaas [21:29]
*** rtjure has quit IRC [22:25]
*** abaindur has quit IRC [22:32]
*** abaindur has joined #openstack-lbaas [22:34]
*** fnaval has quit IRC [22:55]
*** fnaval has joined #openstack-lbaas [23:06]
<abaindur> How do we just disable TLS altogether for the haproxy rest api? [23:22]
<abaindur> The CA cert expiry requiring failover of amphora is just too complicated, and not easy to automate since it requires staggering and can overload the system, and also leads to downtime for SINGLE topology [23:22]
<abaindur> if the hosts themselves are secured well enough behind a firewall, is there any real risk? [23:23]
<colin-> i was thinking about these operations earlier and wondered if anyone successfully leveraged barbican for these cert needs or if that's only for terminating vips [23:44]
