abaindur | hey, want to confirm... a loadbalancer == an amphora? | 00:18 |
---|---|---|
abaindur | spinning up a new loadbalancer will create new amphora, right? | 00:19 |
abaindur | we've used AVI before where it will re-use an existing service engine VM (equivalent to an amphora), to loadbalance traffic for entirely different loadbalancers | 00:19 |
*** rm_mobile has quit IRC | 00:22 | |
*** Swami has quit IRC | 00:25 | |
lxkong | johnsom, rm_work, hi, could either of you review https://review.openstack.org/#/c/600912/ and https://review.openstack.org/#/c/600913/? We really need both of them for our new internal release | 00:34 |
*** abaindur has quit IRC | 01:04 | |
*** annp has joined #openstack-lbaas | 01:11 | |
*** sapd1 has joined #openstack-lbaas | 01:15 | |
*** yamamoto has quit IRC | 01:29 | |
*** hongbin has quit IRC | 02:00 | |
*** sapd1 has quit IRC | 02:34 | |
*** sapd1 has joined #openstack-lbaas | 02:36 | |
*** sapd1_ has joined #openstack-lbaas | 02:36 | |
*** ipsecguy has quit IRC | 03:13 | |
*** ipsecguy has joined #openstack-lbaas | 03:14 | |
*** yamamoto has joined #openstack-lbaas | 03:28 | |
*** reedipb has quit IRC | 03:50 | |
*** ivve has joined #openstack-lbaas | 04:10 | |
*** yboaron_ has joined #openstack-lbaas | 04:16 | |
*** sapd1 has quit IRC | 05:06 | |
*** sapd1 has joined #openstack-lbaas | 05:06 | |
*** yamamoto has quit IRC | 05:09 | |
*** yamamoto has joined #openstack-lbaas | 05:09 | |
*** fnaval has quit IRC | 05:19 | |
*** reedipb has joined #openstack-lbaas | 05:20 | |
*** luksky11 has joined #openstack-lbaas | 05:29 | |
*** fnaval has joined #openstack-lbaas | 05:31 | |
*** fnaval has quit IRC | 05:35 | |
*** sapd1_ has quit IRC | 05:45 | |
johnsom | abaindur Load balancer == one or more amphora. two in the case of active/standby | 06:00 |
*** abaindur has joined #openstack-lbaas | 06:59 | |
*** abaindur has quit IRC | 07:00 | |
*** abaindur has joined #openstack-lbaas | 07:00 | |
*** rcernin has quit IRC | 07:01 | |
*** tesseract has joined #openstack-lbaas | 07:01 | |
*** ivve has quit IRC | 07:16 | |
*** yamamoto has quit IRC | 07:19 | |
*** velizarx has joined #openstack-lbaas | 07:20 | |
*** celebdor has joined #openstack-lbaas | 07:26 | |
*** AlexeyAbashkin has joined #openstack-lbaas | 07:34 | |
*** velizarx has quit IRC | 07:42 | |
*** velizarx has joined #openstack-lbaas | 07:45 | |
*** yamamoto has joined #openstack-lbaas | 07:59 | |
*** ccamposr has joined #openstack-lbaas | 08:01 | |
*** irenab has quit IRC | 08:04 | |
*** oanson has quit IRC | 08:04 | |
*** abaindur has quit IRC | 08:07 | |
*** velizarx has quit IRC | 08:09 | |
*** velizarx has joined #openstack-lbaas | 08:11 | |
*** irenab has joined #openstack-lbaas | 08:13 | |
*** oanson has joined #openstack-lbaas | 08:19 | |
*** fnaval has joined #openstack-lbaas | 08:23 | |
*** fnaval has quit IRC | 08:27 | |
*** irenab has quit IRC | 08:28 | |
*** AlexeyAbashkin has quit IRC | 08:38 | |
*** irenab has joined #openstack-lbaas | 08:38 | |
*** AlexeyAbashkin has joined #openstack-lbaas | 08:38 | |
*** annp has quit IRC | 08:46 | |
*** gcheresh has joined #openstack-lbaas | 08:48 | |
*** annp has joined #openstack-lbaas | 09:44 | |
*** fnaval has joined #openstack-lbaas | 10:07 | |
*** fnaval has quit IRC | 10:11 | |
*** huseyin has joined #openstack-lbaas | 10:20 | |
huseyin | Hello everyone. After creating certs, keys, intermediates and payloads on barbican, when I want to use these from octavia I get the following error: | 10:21 |
huseyin | OctaviaClientException: Could not retrieve certificate: | 10:21 |
huseyin | ACL for admin, project user and octavia user is defined | 10:22 |
huseyin | Does anyone have an idea to resolve? | 10:22 |
*** yamamoto has quit IRC | 10:24 | |
huseyin | +----------------+----------------+-----------------------------------------------------------------------------------------------------------------+---------------------------+---------------------------+--------------------------------------------------------------------------+ | 10:24 |
huseyin | | Operation Type | Project Access | Users | Created | Updated | Secret ACL Ref | | 10:24 |
huseyin | +----------------+----------------+-----------------------------------------------------------------------------------------------------------------+---------------------------+---------------------------+--------------------------------------------------------------------------+ | 10:24 |
huseyin | | read | True | [u'1fa597e23ac64a00a324094f7f65e03a', u'a756d5ed747b49308494ae45b4bda301', u'fe520c3d73dd4fb49c351f2ca1c3c0ae'] | 2018-09-13T09:28:00+00:00 | 2018-09-13T10:07:41+00:00 | http://testcont:9311/v1/secrets/c85dd5d8-1877-4cc2-9c28-27d03fd7f5cb/acl | | 10:24 |
huseyin | +----------------+----------------+-----------------------------------------------------------------------------------------------------------------+---------------------------+---------------------------+--------------------------------------------------------------------------+ | 10:24 |
*** yamamoto has joined #openstack-lbaas | 10:24 | |
*** crazik has left #openstack-lbaas | 10:24 | |
huseyin | Project user has a creator role on barbican | 10:27 |
huseyin | I can list and get all the certs, keys, and payloads with the user | 10:27 |
huseyin | When I want to create a listener with tls-termination it fails with the HTTP 400 OctaviaClientException: Could not retrieve certificate error | 10:28 |
*** annp has quit IRC | 10:28 | |
*** velizarx has quit IRC | 10:47 | |
*** velizarx has joined #openstack-lbaas | 10:54 | |
*** fnaval has joined #openstack-lbaas | 11:30 | |
*** fnaval has quit IRC | 11:35 | |
*** amuller has joined #openstack-lbaas | 11:50 | |
*** ianychoi has quit IRC | 12:04 | |
*** fnaval has joined #openstack-lbaas | 12:07 | |
*** ianychoi has joined #openstack-lbaas | 12:11 | |
*** fnaval has quit IRC | 12:12 | |
*** velizarx has quit IRC | 12:15 | |
openstackgerrit | Merged openstack/octavia master: Fix batch update members https://review.openstack.org/600912 | 12:19 |
*** velizarx has joined #openstack-lbaas | 12:22 | |
*** yboaron_ has quit IRC | 12:34 | |
*** yboaron_ has joined #openstack-lbaas | 12:35 | |
jlaffaye_ | what are the requirements on neutron? in my deployment my network uses bgp and not l3 router, I have the VIP port which is down, I don't understand why | 12:42 |
huseyin | jlaffaye: i am also struggling with the similar problem. as far as i understand neutron also requires read access on the barbican side to access container when you create tls-terminated listener | 12:58 |
huseyin | jlaffaye_: adding observer role to the neutron user is enough I think | 12:58 |
*** reedipb has quit IRC | 13:11 | |
*** fnaval has joined #openstack-lbaas | 13:41 | |
*** huseyin has quit IRC | 13:44 | |
*** colby_ has quit IRC | 14:00 | |
*** colby_ has joined #openstack-lbaas | 14:03 | |
*** huseyin has joined #openstack-lbaas | 14:20 | |
*** colby_ has quit IRC | 14:26 | |
*** gcheresh has quit IRC | 14:28 | |
*** pcaruana has joined #openstack-lbaas | 14:28 | |
*** colby_ has joined #openstack-lbaas | 14:29 | |
*** reedipb has joined #openstack-lbaas | 14:39 | |
*** sapd1 has quit IRC | 14:40 | |
*** sapd1 has joined #openstack-lbaas | 14:42 | |
johnsom | jlaffaye_ Note, Octavia uses two neutron "ports" but one is really a "fake" port. One will always be down, one will be up. | 15:07 |
*** yboaron_ has quit IRC | 15:10 | |
*** yboaron_ has joined #openstack-lbaas | 15:10 | |
*** velizarx has quit IRC | 15:16 | |
dulek | https://docs.openstack.org/newton/networking-guide/config-rbac.html | 15:31 |
*** yamamoto has quit IRC | 15:38 | |
*** yamamoto has joined #openstack-lbaas | 15:39 | |
*** yamamoto has quit IRC | 15:39 | |
*** yamamoto has joined #openstack-lbaas | 15:40 | |
*** yamamoto has quit IRC | 15:44 | |
*** yboaron_ has quit IRC | 16:00 | |
*** ccamposr has quit IRC | 16:03 | |
*** yamamoto has joined #openstack-lbaas | 16:31 | |
*** celebdor has quit IRC | 16:45 | |
*** tesseract has quit IRC | 17:00 | |
*** yamamoto has quit IRC | 17:23 | |
*** yamamoto has joined #openstack-lbaas | 17:23 | |
*** yamamoto has quit IRC | 17:29 | |
*** huseyin has left #openstack-lbaas | 17:32 | |
*** AlexeyAbashkin has quit IRC | 17:32 | |
*** luksky11 has quit IRC | 17:41 | |
johnsom | nmagnezi Are you around by chance? | 17:46 |
*** luksky has joined #openstack-lbaas | 18:04 | |
*** abaindur has joined #openstack-lbaas | 18:49 | |
*** jiteka has quit IRC | 18:49 | |
*** jiteka has joined #openstack-lbaas | 18:51 | |
colin- | any suggestions for the best place to learn about consuming containers for amphora? i see the disk image builder guide talks about building them appropriately but in terms of compute driver support i only see nova_driver.py in stable/rocky and figured i must have misunderstood something | 18:59 |
*** rcernin has joined #openstack-lbaas | 19:00 | |
*** rtjure has joined #openstack-lbaas | 19:03 | |
rm_work | colin-: we don't yet support containers unfortunately | 19:18 |
rm_work | work is underway, and we've discussed it this week at the PTG meetup | 19:18 |
rm_work | so, hopefully this will happen sometime soon, but it is definitely not supported *yet* | 19:19 |
openstackgerrit | Merged openstack/octavia master: Make health checks resilient to DB outages https://review.openstack.org/600876 | 19:32 |
johnsom | colin- Yeah, we have made a few attempts at containerizing the amphora (this is why we call them amphora and not just service VMs), but so far we have run into bugs. At this point there is hope in Zun and maybe nova-lxd, if we have folks that can work on it. | 20:14 |
*** celebdor has joined #openstack-lbaas | 20:27 | |
*** abaindur has quit IRC | 20:34 | |
*** abaindur has joined #openstack-lbaas | 20:35 | |
*** pcaruana has quit IRC | 20:38 | |
johnsom | rm_work Would you be able to re-join us? | 20:46 |
rm_work | yeah i can prolly | 20:47 |
rm_work | soon | 20:47 |
rm_work | were you looking to discuss something now/soon? | 20:47 |
rm_work | johnsom: ^^ | 20:51 |
*** rcernin has quit IRC | 20:51 | |
colin- | thanks for the feedback folks i'll take these notes and consider our options | 21:00 |
*** celebdor has quit IRC | 21:21 | |
*** luksky has quit IRC | 21:25 | |
*** rcernin has joined #openstack-lbaas | 21:29 | |
*** rtjure has quit IRC | 22:25 | |
*** abaindur has quit IRC | 22:32 | |
*** abaindur has joined #openstack-lbaas | 22:34 | |
*** fnaval has quit IRC | 22:55 | |
*** fnaval has joined #openstack-lbaas | 23:06 | |
abaindur | How do we just disable TLS altogether for the haproxy rest api? | 23:22 |
abaindur | The CA cert expiry requiring failover of amphora is just too complicated, and not easy to automate since it requires staggering and can overload the system, and also leads to downtime for SINGLE topology | 23:22 |
abaindur | if the hosts themselves are secured well enough behind a firewall, is there any real risk? | 23:23 |
colin- | i was thinking about these operations earlier and wondered if anyone successfully leveraged barbican for these cert needs or if that's only for terminating vips | 23:44 |