Thursday, 2019-05-09

« Wednesday, 2019-05-08 Index Friday, 2019-05-10 »
*** yamamoto has quit IRC00:18
*** hyang has left #openstack-lbaas00:45
*** hyang has joined #openstack-lbaas00:51
*** gthiemonge has quit IRC01:25
*** gthiemonge has joined #openstack-lbaas01:25
*** yamamoto has joined #openstack-lbaas01:41
*** yamamoto has quit IRC02:03
*** yamamoto has joined #openstack-lbaas02:39
*** ricolin has joined #openstack-lbaas02:42
*** yamamoto has quit IRC02:51
*** yamamoto has joined #openstack-lbaas02:54
*** psachin has joined #openstack-lbaas03:34
*** ramishra has joined #openstack-lbaas03:55
*** HVT has joined #openstack-lbaas03:55
*** ramishra has quit IRC04:03
*** gcheresh has joined #openstack-lbaas04:12
*** ramishra has joined #openstack-lbaas04:18
*** gcheresh has quit IRC04:34
*** ramishra has quit IRC04:34
*** gcheresh has joined #openstack-lbaas04:44
*** ivve has quit IRC04:45
*** gcheresh has quit IRC04:54
*** gcheresh has joined #openstack-lbaas05:15
*** gcheresh has quit IRC05:25
*** ramishra has joined #openstack-lbaas05:41
*** yamamoto has quit IRC05:42
*** yamamoto has joined #openstack-lbaas05:46
*** ivve has joined #openstack-lbaas05:49
*** yamamoto has quit IRC05:51
*** vishalmanchanda has joined #openstack-lbaas05:58
openstackgerritVishal Manchanda proposed openstack/neutron-lbaas-dashboard master: Update hacking version  https://review.opendev.org/62847806:07
*** ccamposr has joined #openstack-lbaas06:09
*** yamamoto has joined #openstack-lbaas06:28
*** yamamoto has quit IRC06:29
*** yamamoto has joined #openstack-lbaas06:30
openstackgerritGregory Thiemonge proposed openstack/octavia-tempest-plugin master: Add UDP test scenario  https://review.opendev.org/65651506:59
openstackgerritAdam Harwell proposed openstack/octavia master: Performance improvement for non-udp health checks  https://review.opendev.org/65775607:02
*** tesseract has joined #openstack-lbaas07:09
*** gcheresh has joined #openstack-lbaas07:16
*** rpittau|afk is now known as rpittau07:35
*** gcheresh has quit IRC07:47
*** mkuf has quit IRC08:30
*** mkuf has joined #openstack-lbaas08:32
*** mkuf_ has joined #openstack-lbaas08:34
*** mkuf has quit IRC08:38
*** yamamoto has quit IRC09:45
*** ramishra has quit IRC10:04
*** yamamoto has joined #openstack-lbaas10:06
*** ramishra has joined #openstack-lbaas10:13
*** mugsie has quit IRC10:25
*** yamamoto has quit IRC10:27
*** yamamoto has joined #openstack-lbaas10:27
*** yamamoto has quit IRC10:28
*** yamamoto has joined #openstack-lbaas10:32
*** yamamoto has quit IRC10:32
*** yamamoto_ has joined #openstack-lbaas10:32
*** yamamoto_ has quit IRC10:33
*** mugsie has joined #openstack-lbaas10:35
*** mugsie has quit IRC10:35
*** mugsie has joined #openstack-lbaas10:36
*** HVT has left #openstack-lbaas10:36
*** mugsie has quit IRC10:38
*** mugsie has joined #openstack-lbaas10:39
*** tesseract has quit IRC10:40
*** tesseract has joined #openstack-lbaas10:41
*** tesseract has quit IRC10:45
*** tesseract has joined #openstack-lbaas10:45
*** yamamoto has joined #openstack-lbaas11:08
*** yamamoto has quit IRC11:13
openstackgerritMerged openstack/neutron-lbaas-dashboard master: Imported Translations from Zanata  https://review.opendev.org/65732811:26
*** yamamoto has joined #openstack-lbaas11:34
*** zigo has quit IRC11:59
*** yamamoto has quit IRC12:02
*** yamamoto has joined #openstack-lbaas12:07
*** zigo has joined #openstack-lbaas12:23
*** yamamoto has quit IRC12:40
*** ramishra has quit IRC12:56
*** ramishra has joined #openstack-lbaas12:56
*** yamamoto has joined #openstack-lbaas13:06
*** ramishra has quit IRC13:09
*** boden has joined #openstack-lbaas13:09
*** boden has quit IRC13:13
*** ramishra has joined #openstack-lbaas13:20
*** tesseract has quit IRC13:35
*** tesseract has joined #openstack-lbaas13:35
*** gcheresh has joined #openstack-lbaas13:42
*** altlogbot_0 has quit IRC13:43
*** altlogbot_2 has joined #openstack-lbaas13:45
*** boden has joined #openstack-lbaas13:49
*** psachin has quit IRC13:51
*** vishalmanchanda has quit IRC13:57
*** rpittau is now known as rpittau|afk14:08
*** Vorrtex has joined #openstack-lbaas14:20
*** tesseract has quit IRC14:24
*** happyhemant has joined #openstack-lbaas14:28
*** fnaval has joined #openstack-lbaas14:29
*** yamamoto has quit IRC14:35
*** tesseract has joined #openstack-lbaas14:50
*** tesseract has quit IRC14:51
*** tesseract has joined #openstack-lbaas14:51
*** tesseract has quit IRC15:01
*** tesseract has joined #openstack-lbaas15:03
*** tesseract has quit IRC15:11
*** yamamoto has joined #openstack-lbaas15:12
*** tesseract has joined #openstack-lbaas15:16
*** yamamoto has quit IRC15:17
*** tesseract has quit IRC15:18
*** tesseract has joined #openstack-lbaas15:20
*** gcheresh has quit IRC15:24
*** trident has quit IRC15:33
*** trident has joined #openstack-lbaas15:35
*** ivve has quit IRC15:40
openstackgerritMichael Johnson proposed openstack/octavia master: Add provider feature support matrix  https://review.opendev.org/65197415:44
*** tesseract has quit IRC16:01
*** henriqueof has joined #openstack-lbaas16:07
cgoncalvesrm_work, ping16:14
cgoncalvesAllison and Jimmy replied to my email sent yesterday about adding two questions to the survey. they ask if we want to add options + free form area or just the latter16:17
johnsomPersonally, I lean towards leaving it open and see what we get16:18
cgoncalvesI'm slightly more for giving options + free form16:18
cgoncalveshttps://etherpad.openstack.org/p/cItdtzi32r16:18
cgoncalvesnames of vendors are ones that have drivers in neutron-lbaas or in octavia16:19
cgoncalvesthis is just a proposal. open to the discussed within the team :)16:21
cgoncalvesI'm going offline soon for a couple of hours. if you and others could please come to an agrement meanwhile, that would be great!16:23
*** ricolin has quit IRC16:45
*** irclogbot_2 has quit IRC16:46
*** irclogbot_0 has joined #openstack-lbaas16:47
rm_workYeah I like the idea of including the most common vendors we've seen and having a freeform "other", but don't want to be seen as biased if we forget one16:47
rm_workAnd I like having a list of some features too, we could pull the stuff in our roadmap and get some idea of priority16:49
*** ramishra has quit IRC16:50
cgoncalvesrm_work, so what do you suggest to tell to Allison and Jimmy?17:01
*** ccamposr has quit IRC17:02
*** yamamoto has joined #openstack-lbaas17:22
eanderssonrm_work, johnsom you guys mentioned some potential race conditions in neutron-lbaas17:30
johnsomYeah, there are a bunch17:31
johnsomAny high rate of change via the API can lead to problems.17:31
eanderssonWhat was the general cause of that?17:32
johnsomThis is one reason for Octavia, the whole API in neutron-lbaas needed a re-write17:33
*** ivve has joined #openstack-lbaas17:42
*** livelace has joined #openstack-lbaas17:47
rm_workSorry I'm out running an errand, be back in a few cgoncalves17:56
*** yamamoto has quit IRC18:11
openstackgerritAdam Harwell proposed openstack/octavia master: Performance improvement for non-udp health checks  https://review.opendev.org/65775618:15
rm_workfixed, and yeah i'll propose it directly to stable/rocky johnsom18:17
rm_workthough ... uhh18:17
rm_workshouldn't it technically also be in master, even though it doesn't REALLY matter much?18:17
rm_workwhat about for amps that are on old versions18:17
rm_workwith an updated control-plane18:18
rm_worki feel like we should just do a standard backport18:18
rm_worknot to mention avoiding making further backports PITA because of different code18:18
rm_workposted a comment to that effect18:27
rm_workcgoncalves: commented on https://review.opendev.org/#/c/657901/18:28
rm_workcgoncalves: up to you on the email thing, i agree with you on providing options+other for both, so either draft up a list of what you think the options should be and we can give feedback, or else just allow it to be freeform (which might be more PC anyway)18:29
rm_workI am fine with either18:29
*** hyang has left #openstack-lbaas18:30
johnsomrm_work Commented. I really don't want to make the "common" path slower in stein/master...18:47
rm_workdo you think this does so?18:47
johnsomAlso it looks like a bandit released and is not happy with our code18:47
rm_workit's one additional field18:48
johnsomYes18:48
rm_workit should be negligable18:48
johnsomYou also loop over EVERY listener for every call18:48
rm_worki could move that inside the `if not ver`18:48
rm_workeasy18:48
rm_workprolly should have anyway18:48
rm_workwill do that now18:49
rm_workdone18:49
openstackgerritAdam Harwell proposed openstack/octavia master: Performance improvement for non-udp health checks  https://review.opendev.org/65775618:49
rm_workthat was just an oversight, i was looking for the cleanest place to put it18:50
*** yamamoto has joined #openstack-lbaas18:51
*** happyhemant has quit IRC18:58
*** yamamoto has quit IRC19:02
colin-hope that gitweb overall diff link will come back to opendev at some point19:44
colin-really liked that19:44
johnsomYeah, I don't know. You would have to ask in #openstack-infra19:53
openstackgerritMichael Johnson proposed openstack/octavia master: Add provider feature support matrix  https://review.opendev.org/65197420:15
*** boden_ has joined #openstack-lbaas20:15
*** boden has quit IRC20:19
*** Vorrtex has quit IRC20:25
*** livelace has quit IRC20:31
*** logan- has quit IRC21:00
*** logan- has joined #openstack-lbaas21:03
openstackgerritAdam Harwell proposed openstack/octavia master: Performance improvement for non-udp health checks  https://review.opendev.org/65775621:41
openstackgerritAdam Harwell proposed openstack/octavia master: Performance improvement for non-udp health checks  https://review.opendev.org/65775621:45
*** dasp has quit IRC21:52
*** boden_ has quit IRC21:55
*** emccormick has joined #openstack-lbaas22:10
emccormickHey all, getting an error building Rocky's amphora image. "There were unauthenticated packages and -y was used without --allow-unauthenticated"22:12
emccormickseems to just bomb out after that22:12
emccormickit's really just base system packages it's complaining about22:13
*** trident has quit IRC22:19
*** trident has joined #openstack-lbaas22:22
emccormickupgraded my builder box to bionic and it's at least getting farther.22:30
rm_workxgerman: so the issue with config is that it's difficult to be consistent22:32
rm_workthere's two places that need to base their protocol selection off the config value -- in the rest_api_driver where we call out to the amp, and in the agent.py server on the amp which is gunicorn based22:32
xgermanyep22:33
rm_workin the rest_api_driver I can do a whitelist style thing and allow the user to set "allowed_tls_protocols"22:33
rm_workand that is fine22:33
rm_workbecause I can construct a very specific ssl-context22:33
rm_workbut on the gunicorn side on the agent, I can only specify a single protocol thing22:33
xgermanThat is sad...22:34
rm_workI can't use the fine-grained selection stuff22:34
rm_workyeah, there's bugs open22:34
rm_worksee: https://github.com/benoitc/gunicorn/issues/168022:34
xgermanok, the other thing we need to consider on the cleint side if you don’t conenct to an old server22:34
xgermanso maybe making the client configurable so it can do old/new and the operator can change that — not that we run a mass replacement22:35
rm_workwell, an old server SHOULD still *support* higher versions of TLS22:35
rm_workso it's just how to limit the negotiation22:35
*** icey has quit IRC22:35
rm_workan old amp with no protocol-version specified in guniucorn will allow any of SSLv23 and TLS1.0+22:35
rm_workspecifying it on the driver side will just force negotiation to start at a higher protocol level, which is what we want22:36
rm_workand then for the amps, the same is true22:36
*** icey has joined #openstack-lbaas22:36
rm_workso no matter which way you upgrade first, it should all be backwards-compatible22:36
rm_workAND either one will cause a bump up to the higher version22:36
colin-weird behavior on the agent side, that stinks22:36
*** fnaval has quit IRC22:36
rm_workso, personally I do agree it'd be better to do it with the whitelist/blacklist context flags, but until we can do that on the amp side, i don't know what to say22:37
rm_workmaybe instead of having it be a list, I can just say "specify which version you want"22:37
colin-there's no chance it works as a minimum version right?22:37
rm_workit ... does kinda22:37
xgermanI think it has value if you cna get rid of things with the config just in case there is a CVE for some version a nd you need to roll quickly22:38
rm_workso SSLv23 will allow TLSv1_2 connections22:38
rm_workyeah, i agree, but not sure how to do it effectively22:38
rm_workso if we just say "min_tls_protocol_version"22:38
rm_workI think that could work22:39
rm_workwe can take one value and I can blacklist anything below that22:39
rm_workand that will still work for passing to gunicorn for now22:39
xgermanwell, we can always commit yoru change and out soemthign in storyboard for when gunicorn evolved (if we only woudl have stayed with flask:-)22:39
rm_worklol well, exposing raw flask/werkzeug is not great practice, heh22:39
rm_workmaybe uwsgi does it better? >_>22:39
rm_workno idea22:39
xgermanlol22:40
rm_workI'll just do "tls_protocol_version" in config and have that set the minimum (I am reasonably sure that's how it works with the deprecated system)22:40
colin-o/t but it was so infuriating i have to share it: the old ACE from cisco used to offer a... maximum... tls version. much to my dismay22:41
rm_workugh so the blacklisting fine-grained stuff may not be in py27 at all >_>22:43
*** fnaval has joined #openstack-lbaas22:43
rm_workand we're moving AWAY from that but technically still have to support it for now...22:43
rm_workthe NEW new way appears to be `SSLContext.minimum_version` but that isn't available until py3722:43
colin-yea that seems ideal22:44
rm_workah nm the OP_NO_SSLv3 stuff is in 2.7.922:44
rm_workbut SSLContext.minimum_version isn't until 3.7 for real22:44
rm_workso can't use that yet22:44
rm_workso anyway, I THINK if I set "PROTOCOL_TLSv1_2" then it will work with 1.2+22:46
rm_workso ima try this way22:46
rm_work(this is what I had worked up for the blacklisting... but not using it now i guess: http://paste.openstack.org/show/751187/)22:47
openstackgerritAdam Harwell proposed openstack/octavia master: Force amp-agent communication to TLSv1.2  https://review.opendev.org/65790123:03
rm_workOK, I think this is ... better?23:03
rm_workI was going to add a quick test too but getting the requests lib (and urllib3) to actually expose the details of the tls session is really hacky23:04
rm_worksee: https://stackoverflow.com/a/5546202223:05
*** fnaval has quit IRC23:51
*** fnaval has joined #openstack-lbaas23:51
« Wednesday, 2019-05-08 Index Friday, 2019-05-10 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!