Friday, 2018-12-14

« Thursday, 2018-12-13 Index Saturday, 2018-12-15 »
*** fnaval has quit IRC00:10
*** PagliaccisCloud has quit IRC00:21
rm_workcgoncalves: what happens when you then REMOVE that listener? does it remove the existing rule for that port and break the peering? :P00:46
rm_workwas traveling today so I've been out, but what's happening00:48
rm_workxgerman: did you make it to kubecon?00:49
*** Swami has quit IRC00:49
johnsomAlso, I can reproduce this barbican ACL issue (queens). so fun times tracking that down00:50
rm_workhmmmmmmmm00:54
johnsomYeah, I grant octavia the ACL right, but octavia gets RBAC error. Only if the user creating the secret is in a different project/00:56
rm_workhmmmmmmm00:56
rm_worklet me spin up a queens env, do you have the steps written out somewhere? (story?)00:57
johnsomNo, but that could happen super quick00:57
johnsomHmm, nevermind, I think I screwed up reproducing it01:02
rm_workk01:03
*** yamamoto has quit IRC01:03
johnsomI need to switch the octavia account and try this too.01:03
rm_workok well, devstack is spinning01:07
lxkongjohnsom, rm_work, could you please take a look at this https://storyboard.openstack.org/#!/story/2004602? If it's bug or not?01:09
rm_workhmmm01:09
rm_worki mean, that SOUNDS like a thing that could be a bug01:10
rm_workI guess qos-policy needs to be a capability check?01:10
rm_worksimilar to some of the other stuff we check for in the network driver01:10
rm_workand then we can set a flag for whether to try or not01:10
rm_workthe question would be, what to do in the case it's unsupported -- do we let users set them and just ignore it? or do we do something like what happens if an operator disables TLS-Term in config?01:11
rm_workright now it's technically doing what I'd expect -- trying to do the requested provisioning, failing, and rolling back -> ERROR01:12
rm_workso that's "correct" kinda01:12
johnsomYeah, create should roll back the API request when the VIP port create fails.01:14
johnsomProbably doesn't give the best error though.01:14
johnsomUpdate probably needs a check01:14
rm_workthe user doesn't really have ANY insight into what happened01:15
rm_workwhich ... didn't we discuss fixing that, at the PTG?01:15
rm_workit came up again yesterday internally01:15
rm_work"how does the user get any visibility to what broke" -> "they don't"01:16
johnsomSure they do, the API will return a 400 and a fault string01:16
rm_worknot on an update01:16
rm_worki mean when something like THAT breaks01:16
johnsomRight, update should probably check the neutron capability01:16
rm_workand create won't either right now01:16
rm_workbecause it's on the async side01:16
rm_workisn't it?01:16
johnsomNo it is not01:17
rm_workoh, maybe it's on the API side if it's the VIP port01:17
johnsomYeah, we had to create that up front to give them the IP back in the respone01:17
rm_worki always forget we moved that to be sync01:17
rm_workwe're so nice to our users, lol01:17
lxkongjohnsom: but use just specify a None for that param, even neutron doesn't support, shoudn't that be ignored?01:17
rm_worknova don't care01:17
lxkongs/use/user01:17
rm_work"you'll get an IP when you get one"01:17
rm_worklol01:17
rm_workhmmm yeah, i kinda skimmed over the None part01:18
rm_workthat is prolly because of how the WSME stuff loads? None should technically be "no change" so it shouldn't even go through any logic for it01:18
rm_workbut ...01:18
johnsomI'm confused on the None thing?01:19
rm_workeither the WSME stuff is handling None wrong, or we're doing something we shouldn't on updates (which I don't think is true, because I ran on Liberty Neutron and updates were fine)01:19
johnsomYeah, in the API None/blank is "UnSetType" or something similar in the WSME objects  the API gets01:19
lxkongrm_work: 'None' means remove any policy on the port, right?01:19
rm_workonly if there WAS one01:20
johnsomOh, missed the story link01:20
johnsomlooking01:20
rm_worki mean, yes, it is different from Unset01:20
rm_workbut we SHOULD throw it away01:20
rm_workif it's a noop01:20
rm_work... oh, unless we're being lazy/dumb, which is highly probably01:20
rm_worklet me glance at that path01:20
lxkongwhat if neutron supports, we should not treat it as unsettype01:20
johnsomWe will pass "null" in as None through WSME. Is the client converting that "None" to null?01:21
johnsomYeah, the unset type gets dropped in our model handling. Unsets don't go into the update list01:21
lxkong`Set QoS policy ID for VIP port. Unset with 'None'.`01:21
lxkongNone is meaningful value01:22
johnsomThis is in the client?01:22
lxkongyeah01:22
rm_workwe do the validate for it only if there's a change.... looking at what we do after that01:22
johnsomThat is a fail01:22
lxkongfrom CLI helper01:22
johnsomthe CLI has an "unset" command for that01:22
johnsomProbably didn't get implemented though01:22
rm_workyeah but it MUST be passing through something01:23
rm_workbecause it's UUIDType in WSME01:23
johnsomProbably null01:23
rm_workwhich means for it to accept the request and get to provisioning, it has to either be a UUID or a null01:23
johnsomlxkong For your original question, yes, that is very much a bug01:23
rm_workright, so a null *would be correct* for "unsetting"01:23
rm_workright?01:23
johnsomYeah01:23
rm_workso i think the issue is past this01:24
rm_worki think because it's not "wsme-unset"01:24
rm_workwe DO pass it through in the model that goes to the handler01:24
rm_workat which point it'd try to do an update without actually checking to see if that'd be a noop01:24
rm_workwhich would call neutron with a json-body that's invalid for that version01:25
johnsomRight, null would get through and become None in the code, post validation01:25
rm_workso even though there wasn't a vip-qos01:25
rm_workit'll try to remove it in neutron01:25
rm_workwhich will fail01:25
rm_work(because that version of neutron doesn't support it)01:26
rm_workyep01:27
rm_workjust confirmed that for myself01:28
lxkongjohnsom, rm_work, could you please help to fix so I can help backport to  Queens and Rocky, we also need to do a quick release.01:28
rm_workhttps://github.com/openstack/octavia/blob/master/octavia/controller/worker/tasks/network_tasks.py#L542-L54801:28
rm_workso it'll try because it IS in the update-dict01:28
rm_workwell the quick thing to do here would be to just short-circuit01:28
rm_workif it's a real noop01:29
rm_workwhich I believe we can check here01:29
rm_workbut the real solution I think is to actually detect this feature availability, and avoid the operation in general if it is unavailable01:29
rm_workoh, maybe not tho? because NOW we store the data to the DB in the API layer, which means by the time we're here we can't tell if it's a noop or not01:31
rm_workumm, could short-circuit it in the API layer01:31
rm_workbut that's kinda hacky01:31
rm_worklxkong: how urgent is this really? can you communicate to users just not to try to set that?01:31
rm_workwhy would they even try, if they were not able to create a LB with a qos-policy to begin with?01:32
rm_workI feel like this isn't super critical, so we should be able to take the time to fix it correctly01:32
lxkongrm_work: that's not so urgent, because i can just restored the error status back to active, and it's not harmful for the users.01:32
rm_workyeah, ummm, find out what users are doing that, and tell them to *stop it*01:33
rm_workand ask why they thought that made any sense to begin with <_<01:33
lxkongthat happened because some users are trying the our LBaaS and specify some params that they thought safe to do01:33
lxkongi've already told them, and we do need a solution01:34
lxkongrm_work: thanks for all your analysis01:34
johnsomYeah, we should never 500 out01:34
rm_workI posted my comments on the story01:36
rm_workjohnsom: that wouldn't be a 50001:36
rm_workit'd be a 20201:36
rm_workerr, 20001:36
rm_workand then it'd fail async01:36
rm_workwell, yeah on a create it might 500? not sure exactly01:36
johnsomYeah, I realized that after I typed it01:36
rm_workbut this story is specifically about update01:36
johnsomToo many things going on01:36
rm_workyeah lol01:37
rm_worktook me a while to even get my brain to focus on what the issue was, but yeah, got it01:37
johnsomI'm adding a task for the "unset" issue in the client.01:38
johnsomWe need to fix a bunch of those01:38
johnsomI don't think any of our update commands have "unset"01:39
rm_workyeah, well, that's true01:39
rm_workbut not REALLY the issue01:39
rm_workI suppose we should do it anyway tho01:39
johnsomRight, but ...01:39
rm_workis there a way to mark a bug-story as "triaged" or "confirmed" or something in launchpad? :/01:39
johnsomIn launchpad yes, in our friend storyboard, no01:40
rm_workerrr01:40
rm_workoops lol yeah01:40
johnsomOther that adding tags to stories, but that is pointless because you can't search for *not* having a tag in SB either01:40
rm_worklol01:40
rm_workstoryboard != bug tracker, I guess01:41
johnsomOk, off to dinner. I have the release patch ready, just waiting for the last patch to finish merging. Will push that later tonight01:41
rm_worko/01:41
rm_workping me for a +2 if you need one01:42
johnsomEvidently we are "using it wrong"01:42
johnsomsigh01:42
rm_worklol01:42
johnsomNo, our stuff is all +2/+w, this will be a release team +2. So, no worries01:42
rm_workkk01:42
*** phuoc_ has joined #openstack-lbaas01:50
*** phuoc has quit IRC01:53
openstackgerritMerged openstack/octavia stable/pike: Stop Logging Amphora Cert  https://review.openstack.org/62506602:15
*** sapd1_ has joined #openstack-lbaas02:27
*** sapd1 has quit IRC02:29
*** yamamoto has joined #openstack-lbaas03:02
openstackgerritMerged openstack/octavia stable/queens: Bring up secondary IPs on member networks  https://review.openstack.org/62480403:05
*** hongbin has joined #openstack-lbaas03:14
*** hongbin has quit IRC03:15
*** hongbin has joined #openstack-lbaas03:16
johnsomstable branch release patch: https://review.openstack.org/62514403:28
*** yamamoto has quit IRC03:39
rm_workcool03:47
rm_workwait we're still cutting pike releases? lol03:47
rm_workwe haven't been backporting anything past queens tho03:47
rm_workoh, just that one03:47
*** ramishra has joined #openstack-lbaas03:49
*** hongbin has quit IRC04:34
*** PagliaccisCloud has joined #openstack-lbaas04:44
*** yamamoto has joined #openstack-lbaas04:55
*** yamamoto has quit IRC05:40
*** yamamoto has joined #openstack-lbaas06:20
*** JudeCross has joined #openstack-lbaas06:25
*** ccamposr has joined #openstack-lbaas06:34
*** JudeCross has quit IRC06:49
*** rcernin has quit IRC07:03
*** PagliaccisCloud has quit IRC07:12
*** pcaruana has joined #openstack-lbaas07:12
*** JudeCross has joined #openstack-lbaas07:15
*** yamamoto has quit IRC07:48
*** yamamoto has joined #openstack-lbaas07:48
*** yamamoto has quit IRC07:57
*** rpittau has joined #openstack-lbaas08:06
*** reedipb has joined #openstack-lbaas08:33
reedipbjohnsom : there?08:33
*** yamamoto has joined #openstack-lbaas08:35
*** velizarx has joined #openstack-lbaas08:35
openstackgerritOpenStack Proposal Bot proposed openstack/octavia-dashboard master: Imported Translations from Zanata  https://review.openstack.org/62518308:55
*** JudeCross has quit IRC09:01
*** Emine has joined #openstack-lbaas09:05
*** reedipb has quit IRC09:15
rm_workwhat channel is the storyboard team in again? >_>09:28
rm_workneed to ask them about bug flags09:28
rm_workfor priority we could use tags and add like "high" or "low" or whatever09:29
rm_workbut ...09:29
rm_workah, maybe if you could search for "lack of a flag" that'd do it09:29
*** yamamoto has quit IRC09:37
cgoncalvesrm_work, fields like such (priority) have been requested to the Storyboard team awhile ago IIRC. the workaround is indeed using tags, which I dislike09:47
*** salmankhan has joined #openstack-lbaas10:34
*** PagliaccisCloud has joined #openstack-lbaas10:59
*** rpittau is now known as rpittau|lunch11:10
*** yamamoto has joined #openstack-lbaas11:15
*** salmankhan has quit IRC12:06
*** salmankhan has joined #openstack-lbaas12:09
*** rpittau|lunch is now known as rpittau12:13
*** pcaruana has quit IRC12:21
*** pcaruana has joined #openstack-lbaas12:22
*** pcaruana is now known as pcaruana|intw|12:25
*** yamamoto has quit IRC12:28
*** yamamoto has joined #openstack-lbaas12:30
*** yamamoto has quit IRC12:30
*** yamamoto has joined #openstack-lbaas13:05
*** yamamoto has quit IRC13:18
*** yamamoto has joined #openstack-lbaas13:18
*** velizarx has quit IRC13:20
*** velizarx has joined #openstack-lbaas14:00
*** pcaruana|intw| has quit IRC14:05
*** Emine has quit IRC14:16
*** pcaruana has joined #openstack-lbaas14:31
*** ccamposr has quit IRC14:49
*** ivve has joined #openstack-lbaas15:05
*** yangjianfeng has joined #openstack-lbaas15:10
*** yangjianfeng has quit IRC15:26
*** ivve has quit IRC15:34
*** velizarx has quit IRC15:47
*** ccamposr has joined #openstack-lbaas15:50
*** PagliaccisCloud has quit IRC16:15
*** pcaruana has quit IRC16:20
*** ivve has joined #openstack-lbaas16:24
johnsomFYI, I have also posted patches to bump OSA to get the taskflow logging patch16:53
*** salmankhan has quit IRC16:56
*** salmankhan has joined #openstack-lbaas16:57
*** ccamposr has quit IRC17:15
*** PagliaccisCloud has joined #openstack-lbaas17:15
johnsomreedipb Looking for me?17:17
*** rpittau has quit IRC17:22
*** Emine has joined #openstack-lbaas17:36
*** PagliaccisCloud has quit IRC17:43
*** Swami has joined #openstack-lbaas18:26
cgoncalvesI clarified Reedip's questions off channel. ovn devstack plugin is doing weird things for enabling its provider driver in octavia, they have been advised how on to best do it18:54
johnsomOk, cool. Thanks!18:54
cgoncalvesand second, he was looking for if it is possible and how to enable multiple provider drivers18:54
johnsomYes, we support that18:55
cgoncalvesright18:55
cgoncalveshe was setting enabled_provider_drivers option in python dict format :)18:55
cgoncalvesshould be "enabled_providers_drivers: amphora:'some description', ovn:'another description'"18:56
cgoncalves"Documentation for Octavia's OVN Driver" -- https://review.openstack.org/#/c/624937/18:57
*** salmankhan has quit IRC18:57
*** abaindur has joined #openstack-lbaas19:06
*** Emine has quit IRC19:26
*** abaindur has quit IRC19:54
*** abaindur has joined #openstack-lbaas20:14
*** abaindur has quit IRC20:15
*** abaindur has joined #openstack-lbaas20:15
openstackgerritGerman Eichberger proposed openstack/octavia master: Amphora logging  https://review.openstack.org/62483520:54
xgerman(hopefully goo to go)20:54
xgermannext week haproxy log format to include project-id20:55
openstackgerritMichael Johnson proposed openstack/octavia master: Updates Octavia to support octavia-lib  https://review.openstack.org/61370921:34
*** badloop has joined #openstack-lbaas21:50
badloopwe are having issues with ha-proxy working intermittently for our loadbalancers (communication just stops and starts randomly with no clear reason why).  where would be the best place to look for troubleshooting that21:51
badloopit is pretty much a vanilla install of ocata21:51
*** colby_ has joined #openstack-lbaas22:09
colby_Hey Guys,22:09
colby_I just upgraded to queens and we had octavia working under pike. Suddenly the worker and health monitor are unable to connect. We get the following:SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert unknown ca')],)",)22:10
rm_workbadloop: my INITIAL guess, with no real evidence or view into your particular situation, would be that healthchecks are periodically failing for some reason and taking nodes offline22:10
colby_did the configs change for the certs that Im not aware of?22:11
rm_workand by healthchecks, i mean the haproxy ones, not amphora health22:11
rm_workcolby_: i don't think so? are you sure the files didn't get swapped out or something by the upgrade process by accident?22:11
colby_no our SSL certs are stored outside the octavia config directory22:12
johnsomHow did up upgrade? Did the process recreate the certificates on the controllers?22:13
colby_no I created all the certs manually for pike. Just pointing to them in the config22:14
johnsomI don’t think anything changed with the amp cert system.22:18
rm_workjohnsom: err, is redhat really supposed to write the vip-interface-file twice? https://github.com/openstack/octavia/blob/master/octavia/amphorae/backends/agent/api_server/osutils.py#L393-L40922:19
johnsomAre you using selinux or apparmour that is denying access to to the certs?22:20
rm_work(in the case of keepalived)22:20
rm_workand why does keepalived on Ubuntu not handle the vip in the same was is it does in redhat?22:20
rm_workthe ubuntu version of that function is missing all of the stuff past the first write (where it says "Keepalived will handle this"22:21
rm_work)22:21
colby_johnsom: no both are not enabled.22:21
johnsomNir would be best to answer that, but I know RH requires more files than Ubuntu22:22
rm_workoh, or is it that keepalived handles the same things on both, but Ubuntu's networking handles the VIP better in the non-keepalived case (and redhat does not)22:22
rm_workyeah ok... nmagnezi maybe if you're around22:22
rm_workah it's a different path too, ok, yeah, an extra alias file22:22
johnsomUbuntu we write an int file in single mode, and not in act/stdby22:23
*** ivve has quit IRC22:29
johnsomcolby_: that is in the worker log right?22:31
colby_both the worker and health manager22:31
johnsomYeah, somehow the certs are not aligned. I would double check the config via the startup debug logs and then compare the certs to what you get from openssl on the amp agent port.22:34
rm_workfor ipv6, the "netmask" *is* the prefixlength?23:14
rm_work(of the network)23:14
rm_workyeah ok read some docs, i get it23:18
rm_workbut does ipv6 have a concept of host_routes?23:18
rm_workjohnsom: ^^23:18
rm_worki ... feel like it wouldn't need them?23:19
johnsomYes, but the term “host route” is a neutron isem23:19
johnsomThe whole netmask vs prefix thing had a problem. Someone posted a patch for that. We were not using it consistently.23:20
rm_workright i am fixing that patch now23:22
johnsomAwesome23:22
rm_workalmost done23:22
rm_workpatiently waiting on local tests... >_>23:23
*** PagliaccisCloud has joined #openstack-lbaas23:29
*** yamamoto has quit IRC23:39
*** abaindur has quit IRC23:53
« Thursday, 2018-12-13 Index Saturday, 2018-12-15 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!