Tuesday, 2018-09-18

02:18 *** ramishra has joined #openstack-lbaas
02:31 <openstackgerrit> Michael Johnson proposed openstack/octavia master: Fix the API list performance regression  https://review.openstack.org/603242
02:32 <johnsom> Alright, more work to do on that tomorrow, but on a decent path. two minutes down to a few seconds. Yes, I know the functional tests have a few issues.
02:37 *** hongbin has joined #openstack-lbaas
03:25 *** hongbin has quit IRC
03:50 *** abaindur has joined #openstack-lbaas
03:55 *** abaindur_ has joined #openstack-lbaas
03:59 *** abaindur has quit IRC
04:03 *** abaindur has joined #openstack-lbaas
04:06 *** yamamoto has joined #openstack-lbaas
04:06 *** abaindur_ has quit IRC
04:11 *** reedipb has quit IRC
04:24 *** abaindur has quit IRC
04:37 <cgoncalves> johnsom, excellent!
04:39 <cgoncalves> xgerman_, doesn't that look better now and is backport material?! ;-)
05:28 *** dayou has quit IRC
05:58 *** dayou has joined #openstack-lbaas
06:11 <sapd1> johnsom: So It's a bug in base repository code :D
06:26 <rm_work> the repo work just helps
06:26 <rm_work> i don't know if it's necessary
06:26 <rm_work> but it seemed like the easiest way to fix stuff probably
06:28 <sapd1> rm_work:  I just delete joinedload('*') in get_all function .
06:43 *** ccamposr has joined #openstack-lbaas
07:01 <rm_work> yeah, that .... helps somewhat
07:03 *** rcernin has quit IRC
07:09 <sapd1> rm_work:  have you reviewed my patch for redirect prefix yet?
07:09 <rm_work> i think i looked at it
07:09 <rm_work> i will look again in the morning
07:10 <rm_work> it's just after midnight, hopped on to check on some test runs. :P
07:10 <rm_work> I just got back and caught up from travel today
07:10 <rm_work> but, i believe i looked during the PTG and thought it was basically correct
07:10 *** celebdor has joined #openstack-lbaas
07:10 <rm_work> need to test, really
07:10 <sapd1> rm_work: yes. In Vietnam, It's afternoon. We are working :D
07:11 <sapd1> rm_work:  I think we have some cases such as set status code when redirect.
07:28 <openstackgerrit> OpenStack Proposal Bot proposed openstack/octavia-dashboard master: Imported Translations from Zanata  https://review.openstack.org/603304
08:19 *** luksky has joined #openstack-lbaas
08:19 <openstackgerrit> OpenStack Proposal Bot proposed openstack/neutron-lbaas-dashboard master: Imported Translations from Zanata  https://review.openstack.org/603317
08:55 *** hvhaugwitz has quit IRC
08:55 *** hvhaugwitz has joined #openstack-lbaas
09:49 <openstackgerrit> Reedip proposed openstack/octavia-tempest-plugin master: Add configuration support for skipping tests  https://review.openstack.org/599393
09:58 *** Emine has joined #openstack-lbaas
10:05 *** reedipb has joined #openstack-lbaas
10:08 *** dayou has quit IRC
10:19 <ArchiFleKs> cgoncalves: LB update was stuck because LB had no agent associated, I don't know why but lbassloadbalanceragentbinding table was empty after the update so I updated the DB with existing agent and existing LBaaS and they got recreated
10:31 *** yamamoto has quit IRC
10:35 *** dayou has joined #openstack-lbaas
10:44 *** yamamoto has joined #openstack-lbaas
11:37 *** yamamoto has quit IRC
12:01 *** yamamoto has joined #openstack-lbaas
13:10 *** salmankhan has joined #openstack-lbaas
13:52 *** reedipb has quit IRC
14:06 *** Emine has quit IRC
14:14 *** KeithMnemonic has quit IRC
14:14 *** KeithMnemonic has joined #openstack-lbaas
14:19 *** Emine has joined #openstack-lbaas
14:19 *** yamamoto has quit IRC
14:24 *** yamamoto has joined #openstack-lbaas
14:24 *** yamamoto has quit IRC
14:24 *** yamamoto has joined #openstack-lbaas
14:29 *** yamamoto has quit IRC
14:57 *** celebdor has quit IRC
14:58 <ltomasbo> ping johnsom
14:59 *** luksky has quit IRC
15:01 <johnsom> ltomasbo Hello
15:02 <ltomasbo> johnsom, I would like to know your opinion on this patch (as a temporal solution) https://review.openstack.org/#/c/602564/
15:03 <johnsom> ltomasbo Generally I am against it. We are already seeing problems with the current change allowing users to see the VIP port. People are running bulk delete tools that are deleting their VIP ports.
15:04 <johnsom> ltomasbo Can't you just delete the security group that is there and add your own?
15:04 <ltomasbo> johnsom, I tried that but it is not working
15:04 <ltomasbo> johnsom, the security group being applied is the one on the amphora port
15:04 <ltomasbo> not the one on the VIP
15:04 <johnsom> ltomasbo Since we are a stable API project, temporary changes to the API are really rough
15:05 <ltomasbo> johnsom, but this is not changing the API, right?
15:06 <ltomasbo> johnsom, it will just change the ownership of the listeners being created after the change, so that users can just restrict the access to their loadbalancer in a more fine grain
15:06 <johnsom> One approach would be, the other would change the behavior of the VIP ports.
15:06 <johnsom> ltomasbo Can you do what you need by using FWaaS?
15:06 <ltomasbo> johnsom, that will only work on the SDN that implements that feature
15:07 <ltomasbo> johnsom, and it feels kind of wrong that you would allow access to a VM based on the ports attached through allow_address_pairs
15:07 <ltomasbo> johnsom, that said, I even already asked about that, and it seems that was not the purpose of allow_address_pair, and enabling such thing will be a completely different feature than allow_address_pairs
15:07 <johnsom> I think at the PTG we requested a few folks to go research options on this. One was proposed in stacking SGs, one was using shared FWaaS groups. I think there are others too. If I remember the RFE on this was going to add ACLs to our API.
15:07 *** ramishra has quit IRC
15:08 <johnsom> ltomasbo Well, AAP is to allow a secondary address on the neutron port.
15:08 <ltomasbo> johnsom, this is the storyboard I opened about it:
15:09 <ltomasbo> johnsom, yep, but it is thought for HA issues, not to enable SG on it. Actually, security group attached to the VIP is kind of useless as it is not being used...
15:09 <ltomasbo> johnsom, I know the solution is not the right one, but it is a simple fix until a proper one (extending the listeners API with more flexibility) will be in place
15:10 <ltomasbo> johnsom, and removing it once that is there will be trivial too
15:11 <johnsom> ltomasbo Well, make sure your user story is in the storyboard story and how you envision it rolling back. I will be sure to bring it up during the weekly meeting so we don't forget about the research spike on this.
15:12 <ltomasbo> johnsom, German Eichberger (who I don't know the nick) mentioned that could be a good temporal solution due to the other development being stuck at the moment
15:12 <johnsom> ltomasbo German is xgerman_
15:12 <ltomasbo> ooh, thanks! good to know!
15:12 * xgerman_ reading...
15:12 <ltomasbo> xgerman_, is about this (temporal) fix: https://review.openstack.org/#/c/602564/
15:15 <ltomasbo> johnsom, well, use case is simple. You may want to have a loadbalancer that is only accessible from a given subnet or specific remote group (similarly to VMs), and currently is all or nothing
15:16 <xgerman_> Yeah, we talked at the PTG and discussed several options. It’s a valid use case but SGs already complicate load balancer delete operations so this will need some more exploration and testing
15:18 <ltomasbo> xgerman_, you mean the security group could not be deleted if created in a different tenant?
15:18 <ltomasbo> xgerman_, should be exactly the same as the VIP port, right?
15:18 <ltomasbo> let me see if I get leftovers...
15:19 <xgerman_> yep, and we have trouble with that since we gave it to the tenant since they keep deleting it out of band
15:19 <ltomasbo> ahh, you mean if the tenant deletes the SG?
15:19 <xgerman_> or if the tenant adds ports and we can’t delete SG
15:20 <ltomasbo> true, though as you have the right sg in the database
15:20 <ltomasbo> if you get a NotFound exception you should just skip it, right?
15:20 <ltomasbo> and, if the security group is in use, the tenant cannot remove it, right?
15:20 <ltomasbo> and the SG is on the amphora port, so even if it belongs to the tenant, it cannot be removed
15:21 <xgerman_> Probably - but what if the tenant added a port - we have logic to delete all ports on the SG if we can’t delete
15:21 <ltomasbo> ahh, the other case is true...
15:22 <ltomasbo> though I guess in that case is not a left over and you can just leave it undeleted
15:22 <ltomasbo> from that point, the user is the one that needs to consider it
15:22 <xgerman_> yeah, and then we leave stuff behind which irks other people...
15:24 <ltomasbo> xgerman_, but if the tenant is using the security group, is not left behind...
15:24 <ltomasbo> of course it is nicer to not allow the user to use that SG in other VMs
15:24 <ltomasbo> so that you will remove it for sure
15:24 <xgerman_> well, users always blame Octavia...
15:24 *** amuller has joined #openstack-lbaas
15:25 <ltomasbo> in that case, they are the one to blame... xD
15:25 <ltomasbo> but yep, I agree the best solution is to offer it through the octavia API, so that the user cannot do that
15:25 <xgerman_> but I am in favor of turning it over to the client. I will see if we can switch internally from SG to FWG (if the network supports that) and then have the user just do what they want...
15:26 <ltomasbo> xgerman_, FWG?
15:26 <xgerman_> Firewall Group
15:26 <ltomasbo> ahh, ok
15:26 <xgerman_> Also the API idea or ACL’s are high on our list
15:27 <ltomasbo> nice to hear!
15:28 <ltomasbo> problem is that current status is a security concern as the LBaaS need to be wide open, and that is why I wanted to have it temporary fix until the API/ACL solution is in
15:29 <xgerman_> K, understood - but as johnsom said if we do something temporary we need to support it for 2+ cycles...
15:30 <cgoncalves> +1 for ACL option: we solve the issue without adding a requirement on FWaaS (for now). neither ACL or FWaaS options would be backportable as would require API version bump
15:31 <xgerman_> What? Everyone needs FWaaS ;-)
15:31 *** Emine has quit IRC
15:31 <ltomasbo> xgerman_, yep I agree 2+ cycles is not desired, but there is not much to support regarding the change anyway
15:32 <ltomasbo> xgerman_, it would have been better to put it there 2 cycles ago xD
15:32 <cgoncalves> ltomasbo, where were you 2 cycles ago? :P
15:32 * ltomasbo thinking...
15:32 <xgerman_> well, to be fair, gophercloud queries the SG and references it on the VMs somehow ;-)
15:33 <xgerman_> Which infuriates us, too
15:33 <ltomasbo> xgerman_, you are using gophercloud too?? nice
15:33 <xgerman_> Yeah, I know it has some SG hacking in it
15:45 *** luksky has joined #openstack-lbaas
15:49 <ltomasbo> xgerman_, cgoncalves, johnsom: btw, just one more thing. If the patch make the SG ownership configurable, and by default belongs to the admin, would it be ok-ish (or better)
15:49 <ltomasbo> that way only on those env that needs to have this restrictions will be switched to the tenant creating the LBaaS
15:56 <xgerman_> mmh, that would definitely be better
15:56 <cgoncalves> ltomasbo, by means of adding a new config opt?
15:56 <xgerman_> yeah, that’s my interpretation
16:00 <KeithMnemonic> johnsom: Hello Michael how are you doing? Do you know if/when what release does not use the neutron db for the loadbalancers?
16:00 <KeithMnemonic> and only octavia
16:02 <johnsom> KeithMnemonic Hi Keith, doing well. Missed you at the PTG.  Umm, tricky question to answer. Octavia has always had its own DB, but to totally eliminate the neutron DB need, you want the Octavia V2 API which was released in the Octavia 1.0 release (Pike)
16:02 <cgoncalves> ltomasbo, hacky approach. I don't like it still but would be better, sure
16:03 <KeithMnemonic> thanks! is octavia v1 deprecated yet. or could it be a customer does not have to eliminate the neutron db yet?
16:04 <KeithMnemonic> working on my troubleshooting talk for berlin and wanted to cover DBs a small bit
16:04 <johnsom> octavia v1 will deprecate with the neutron-lbaas deprecation
16:04 <johnsom> So, yes
16:04 <cgoncalves> johnsom, speaking of that, have you started the deprecation clock?
16:05 <KeithMnemonic> ok so i will focus on octavia but maybe make a small reference to neutron
16:05 <johnsom> cgoncalves Sigh, no, focused on the API perf issue yesterday
16:05 <johnsom> KeithMnemonic This might help you: https://wiki.openstack.org/wiki/Neutron/LBaaS/Deprecation
16:06 <johnsom> cgoncalves Yeah, seemed like a hot issue impacting a few folks
16:49 *** ccamposr has quit IRC
17:10 *** salmankhan has quit IRC
17:18 *** celebdor has joined #openstack-lbaas
17:24 *** amuller has quit IRC
17:47 *** sapd1_ has joined #openstack-lbaas
17:59 <openstackgerrit> Carlos Goncalves proposed openstack/neutron-lbaas master: Fix memory leak in the haproxy provider driver  https://review.openstack.org/603460
18:13 <openstackgerrit> German Eichberger proposed openstack/octavia master: Updates the operator docs with the new lb failover command  https://review.openstack.org/603463
18:16 <openstackgerrit> German Eichberger proposed openstack/octavia master: Updates the operator docs with the new lb failover command  https://review.openstack.org/603463
18:18 <openstackgerrit> Merged openstack/octavia-dashboard master: Imported Translations from Zanata  https://review.openstack.org/603304
18:35 *** abaindur has joined #openstack-lbaas
18:35 *** abaindur has quit IRC
18:36 *** abaindur has joined #openstack-lbaas
18:42 *** luksky11 has joined #openstack-lbaas
18:46 *** luksky has quit IRC
18:56 *** celebdor has quit IRC
18:59 <openstackgerrit> Carlos Goncalves proposed openstack/neutron-lbaas master: Fix memory leak in the haproxy provider driver  https://review.openstack.org/603460
19:00 <rm_work> ah found the issue with the lvsquery tests
19:03 *** sapd1_ has quit IRC
19:04 <rm_work> bzhao__: are you around?
19:28 <openstackgerrit> Carlos Goncalves proposed openstack/neutron-lbaas master: Fix memory leak in the haproxy provider driver  https://review.openstack.org/603460
19:42 *** fnaval has joined #openstack-lbaas
20:01 *** dmellado has quit IRC
20:13 *** cgoncalves is now known as cgoncalves|pto
20:16 *** KeithMnemonic has quit IRC
20:39 <openstackgerrit> Adam Harwell proposed openstack/octavia master: Simplify keepalived lvsquery parsing for UDP  https://review.openstack.org/603490
20:41 <rm_work> johnsom: ^^
21:17 *** abaindur has quit IRC
21:19 *** abaindur has joined #openstack-lbaas
21:20 *** dmellado has joined #openstack-lbaas
21:28 *** Emine has joined #openstack-lbaas
21:34 <openstackgerrit> Michael Johnson proposed openstack/octavia master: Fix the API list performance regression  https://review.openstack.org/603242
21:40 *** Emine has quit IRC
21:48 <rm_work> johnsom: ^^ done?
21:48 <johnsom> I wish, not just fixed. LB and Listener are done in that
22:16 *** luksky11 has quit IRC
22:24 *** abaindur has quit IRC
22:30 *** abaindur has joined #openstack-lbaas
22:35 <johnsom> rm_work Any idea where "self.l7policies" is defined here: https://github.com/openstack/octavia/blob/master/octavia/db/models.py#L309
22:36 <xgerman_> pycharm failing you?
22:36 <johnsom> I expected that response
22:37 <johnsom> Oh, nevermind, found it
22:38 <johnsom> It's already been a bit of a day staring at data models...
22:39 <xgerman_> Yeah,  i started to turn my head into a bezel looking at the AAP driver
22:40 <johnsom> Lots-o-refactor on the model so they actually have forward and back references, instead of just backrefs
22:40 <johnsom> Should make our lives easier going forward, just a mental exercise to do the work.
22:43 *** fnaval has quit IRC
22:47 *** rcernin has joined #openstack-lbaas
23:40 <rm_work> lol just got back from the post office
23:40 <johnsom> Figured that out, but have another oddity, but I can work around it. Wish I had an sqlalchemy expert hanging around
23:44 <rm_work> i can pretend to be that
23:44 <rm_work> or ping zzzeek
23:45 <rm_work> what's the oddity?
23:46 <johnsom> Just a sec, running tests, I will push and show you
23:47 <johnsom> Well, I can paste the part.
23:47 <johnsom> So this is pools, I want to joinedload l7policies with l7rules as I know I need both here.
23:48 <johnsom> The only way I can get it to work is lazy load the l7policies, which causes a bunch of round trips to the DB for the l7rules.
23:49 <johnsom> What I can't figure out is how to get that to join load. If I just put joinedload(models.Pool.l7policies) the rules don't come in at all
23:50 <openstackgerrit> Michael Johnson proposed openstack/octavia master: Fix the API list performance regression  https://review.openstack.org/603242
23:52 <johnsom> For me, even with the extra round trips it is still 4 seconds to list pools with 1000 pools, but... Wish I could stop the excessive DB connections/queries
23:53 <rm_work> can you do
23:53 <rm_work> joinedload(models.Pool.l7policies).joinedload(models.L7Policy.l7rules) ?
23:53 <rm_work> like... that should work?
23:54 <rm_work> or subqueryload
23:54 <rm_work> whatever you're using
23:54 <rm_work> just add the subqueryload for the rules
23:54 * rm_work shrugs
23:55 <johnsom> ArgumentError: Can't find property 'l7rules' on any entity specified in this Query.  Note the full path from root (Mapper|Pool|pool) to target entity must be specified.
23:55 <rm_work> ah so
23:55 <rm_work> maybe it's models.Pool.l7policies.l7rules
23:56 <johnsom> AttributeError: Neither 'InstrumentedAttribute' object nor 'Comparator' object associated with Pool.l7policies has an attribute 'l7rules'
23:56 <johnsom> Yeah, been down these paths....
23:56 <rm_work> is it called l7rules
23:56 <rm_work> i'm not where you are exactly
23:56 <rm_work> is it a simple test i can run if i pull down your patch?
23:57 <johnsom> Yeah, create an LB with l7 redirect pool, that policy needs a rule
23:57 <johnsom> openstack loadbalancer pool list
23:57 <johnsom> I add
23:57 <rm_work> ah i was hoping there was a functional test i could just run
23:58 <rm_work> maybe something in test_pool
23:58 <johnsom> into the repo Pool class, listeners properties section to make sure I get the rule back
23:58 <johnsom> Not sure, I only ran the tests with my "working" version
23:59 <johnsom> I would expect something to puke
23:59 <johnsom> as the list of listeners included with the pool list should be short L7 attached pools if it's broken
