Thursday, 2020-03-05

*** yamamoto has joined #openstack-lbaas		00:02
*** abaindur has quit IRC		00:13
*** abaindur has joined #openstack-lbaas		00:13
openstackgerrit	Tatsuma Matsuki proposed openstack/octavia master: WIP: Failover stop threshold https://review.opendev.org/656811	00:32
*** happyhemant has quit IRC		00:55
*** sapd1 has joined #openstack-lbaas		01:16
*** tkajinam has quit IRC		01:49
*** tkajinam has joined #openstack-lbaas		01:50
openstackgerrit	Dawson Coleman proposed openstack/octavia master: Add option for default ciphers in octavia.conf https://review.opendev.org/711376	02:15
*** psachin has joined #openstack-lbaas		02:50
*** spatel has joined #openstack-lbaas		03:04
*** nicolasbock has joined #openstack-lbaas		03:12
*** abaindur has quit IRC		03:51
*** spatel has quit IRC		04:05
*** spatel has joined #openstack-lbaas		04:06
*** gcheresh_ has joined #openstack-lbaas		04:07
openstackgerrit	Tatsuma Matsuki proposed openstack/octavia master: WIP: Failover stop threshold https://review.opendev.org/656811	04:16
*** nicolasbock has quit IRC		04:30
*** gcheresh_ has quit IRC		04:55
*** sapd1 has quit IRC		05:12
*** abaindur has joined #openstack-lbaas		05:22
*** spatel has quit IRC		06:07
*** sapd1 has joined #openstack-lbaas		06:09
*** threestrands has quit IRC		06:48
*** abaindur has quit IRC		06:55
*** abaindur has joined #openstack-lbaas		06:55
*** ccamposr has joined #openstack-lbaas		07:02
*** gcheresh has joined #openstack-lbaas		07:30
*** haleyb\|away has quit IRC		07:39
*** gcheresh has quit IRC		07:45
*** gcheresh has joined #openstack-lbaas		07:46
*** happyhemant has joined #openstack-lbaas		07:50
*** tesseract has joined #openstack-lbaas		07:52
*** maciejjozefczyk has joined #openstack-lbaas		07:59
*** tkajinam has quit IRC		08:16
*** abaindur has quit IRC		08:21
*** abaindur has joined #openstack-lbaas		08:22
*** abaindur has quit IRC		08:23
*** abaindur has joined #openstack-lbaas		08:23
*** rpittau\|afk is now known as rpittau		08:46
*** yamamoto has quit IRC		08:47
*** elenalindq has joined #openstack-lbaas		08:50
*** elenalindq has quit IRC		08:55
*** elenalindq has joined #openstack-lbaas		08:56
*** yamamoto has joined #openstack-lbaas		09:03
*** yamamoto has quit IRC		09:04
*** yamamoto has joined #openstack-lbaas		09:04
*** dayou has quit IRC		09:07
*** andy_ has quit IRC		09:08
*** dayou has joined #openstack-lbaas		09:43
*** andy_ has joined #openstack-lbaas		09:43
*** openstackstatus has quit IRC		09:45
*** abaindur has quit IRC		09:59
*** psachin has quit IRC		10:23
*** spatel has joined #openstack-lbaas		10:28
*** spatel has quit IRC		10:33
openstackgerrit	Ann Taraday proposed openstack/octavia master: Add option to set default ssl ciphers in haproxy https://review.opendev.org/685337	10:56
*** maciejjozefczyk is now known as mjozefcz\|lunch		11:15
*** elenalindq has quit IRC		11:26
*** rpittau is now known as rpittau\|bbl		11:27
*** elenalindq has joined #openstack-lbaas		11:27
*** elenalindq has left #openstack-lbaas		11:33
*** tesseract-RH has joined #openstack-lbaas		11:40
*** tesseract has quit IRC		11:43
*** nicolasbock has joined #openstack-lbaas		11:47
*** mjozefcz\|lunch is now known as maciejjozefczyk		12:10
openstackgerrit	Carlos Goncalves proposed openstack/octavia-tempest-plugin master: WIP: fix test_amphora.py https://review.opendev.org/711316	12:19
cgoncalves	rm_work, hey. this ^ change conflicts with https://review.opendev.org/#/c/607382. I'd like to check with you what you think of ^ as it, hopefully, works on busier environments than what is considered in your patch	12:22
cgoncalves	one think my patch doesn't do is limiting the results to 15 as you proposed in yours	12:23
cgoncalves	FWIW, context for the proposed code: https://bugzilla.redhat.com/show_bug.cgi?id=1803779	12:24
openstack	bugzilla.redhat.com bug 1803779 in python-octavia-tests-tempest "Random failures in test_amphora_list_and_show" [Low,Assigned] - Assigned to cgoncalves	12:24
openstackgerrit	Maciej Józefczyk proposed openstack/octavia-tempest-plugin master: Fix scenario tests for OVN LB https://review.opendev.org/711255	12:37
rm_work	cgoncalves: sure prolly fine, I'm not married to the other one :D	12:52
rm_work	ALSO I don't run tempest locally anymore so I never run into this	12:53
rm_work	T_T	12:53
*** yamamoto has quit IRC		13:03
*** gthiemonge has quit IRC		13:13
*** sapd1 has quit IRC		13:17
*** takamatsu has joined #openstack-lbaas		13:22
*** yamamoto has joined #openstack-lbaas		13:40
*** cgoncalves has quit IRC		13:41
*** sapd1 has joined #openstack-lbaas		13:44
*** cgoncalves has joined #openstack-lbaas		13:45
*** rpittau\|bbl is now known as rpittau		13:45
*** yamamoto has quit IRC		13:55
*** yamamoto has joined #openstack-lbaas		13:57
*** yamamoto has quit IRC		14:05
*** yamamoto has joined #openstack-lbaas		14:05
*** yamamoto has quit IRC		14:05
*** spatel has joined #openstack-lbaas		14:21
*** spatel has quit IRC		14:26
*** TrevorV has joined #openstack-lbaas		14:32
*** haleyb has joined #openstack-lbaas		14:35
*** cgoncalves has quit IRC		14:39
*** cgoncalves has joined #openstack-lbaas		14:40
*** haleyb is now known as haleyb\|away		14:50
*** spatel has joined #openstack-lbaas		14:54
*** gcheresh has quit IRC		15:15
*** ramishra has quit IRC		15:21
rm_work	johnsom: LOL, i hadn't even considered that people could be using the octavia client to talk with n-lbaas O_o	15:22
rm_work	I guess that compatibility works both ways XD	15:22
rm_work	we accidentally replaced the old neutron client	15:22
rm_work	hilarious	15:23
*** ramishra has joined #openstack-lbaas		15:23
johnsom	Well.... It's "octavia client" so.....	15:23
rm_work	yeah i mean, I don't know that we should be making changes to help it work better with n-lbaas (since it's dead), but	15:24
rm_work	i find it humorous that it works :D	15:24
johnsom	Where did you see that? In that stats bug?	15:24
rm_work	not something I'd ever thought about trying	15:24
rm_work	his response	15:24
rm_work	https://review.opendev.org/#/c/711270/3	15:24
rm_work	i guess we did too good a job with backwards compat XD	15:25
rm_work	though your comment about those statistics ALSO not existing in n-lbaas still has me a little confused	15:26
johnsom	Yeah, well, that was kind of our intent. The client however..... I was just reading the deprecation guide:	15:26
johnsom	https://wiki.openstack.org/wiki/Neutron/LBaaS/Deprecation#What_is_the_Command_Line_Interface_.28CLI.29_for_Octavia.3F	15:26
rm_work	maybe 3rd-party in n-lb returned more stats somehow?	15:26
johnsom	We didn't explicitly call that out.	15:26
johnsom	It would be a hack as nlbaas also used the DB stats.	15:27
rm_work	hmm	15:27
rm_work	just funny that it works	15:27
rm_work	and makes sense i guess that at least a limited subset of stuff will just function properly	15:27
rm_work	i'm sure it's possible to construct commands that don't work because of newer features, but...	15:28
johnsom	Right	15:28
rm_work	technically if you're careful, you can totally make it work	15:28
johnsom	Our un-official (evidently) was to continue using python-neutronclient for nlbaas	15:28
johnsom	That there will be no OSC for nlbaas	15:28
johnsom	I know I stated that at some summits	15:29
rm_work	yes that was our position	15:29
rm_work	since it was deprecated there was no reason to spend more work on a new thing, let them deprecate together	15:29
rm_work	it's cool that this is an option though	15:30
johnsom	Right, that was the plan. Both deprecated together, though python-neutronclient is supposed to live longer than nlbaas	15:30
rm_work	yes	15:30
rm_work	but our new client is much nicer as it's part of OSC :D	15:30
rm_work	so I can see wanting to switch	15:30
johnsom	I just don't want to say "yes, use it" as I bet there are other bugs there that I don't want to fix just for nlbaas	15:31
johnsom	It isn't tested at all	15:31
rm_work	right same	15:31
*** sapd1 has quit IRC		15:31
*** ramishra has quit IRC		15:48
*** sapd1 has joined #openstack-lbaas		15:48
rm_work	this is weird: https://storyboard.openstack.org/#!/story/2007370	15:52
*** spatel has quit IRC		15:52
rm_work	per my comment, that's a stumper, unless the DB is non-atomic	15:52
*** spatel has joined #openstack-lbaas		15:54
rm_work	johnsom: but also, i remembered why we didn't backport, I think -- it had a depends-on for a change in octavia-lib	15:55
rm_work	and i don't know that we're allowed to backport there	15:55
*** spatel has quit IRC		15:59
*** Trevor_V has joined #openstack-lbaas		16:01
*** TrevorV has quit IRC		16:05
*** KeithMnemonic1 has joined #openstack-lbaas		16:19
*** KeithMnemonic has quit IRC		16:23
*** ramishra has joined #openstack-lbaas		16:33
*** Trevor_V has quit IRC		16:47
*** TrevorV has joined #openstack-lbaas		16:50
*** rcernin has quit IRC		16:55
*** ccamposr has quit IRC		16:57
*** tesseract-RH has quit IRC		17:01
*** rpittau is now known as rpittau\|afk		17:25
nicolasbock	Hi. I just realized that I can ping an amphora from a VM on the VIP network using the amphora's IP on the lb-mgmt-net.	17:37
nicolasbock	This was surprising to me. But I think I kind of see now why it's possible.	17:38
nicolasbock	Is that not a security issue?	17:38
rm_work	that ... shouldn't be possible, but would have to be due to your cloud's specific network config	17:56
rm_work	normally this shouldn't be allowed	17:56
rm_work	for multiple reasons	17:56
rm_work	(vlans at the switch level; security groups at the neutron level)	17:56
rm_work	but even with connectivity to the management IP, I would not be worried, the only thing listening there is our agent HTTP server, and it does secure two-way cert auth	17:57
rm_work	some people deploy with what we call "management-on-vip-net" and that is fine	17:57
nicolasbock	The traffic exiting the VM hits the VM's subnet bridge	17:58
nicolasbock	And the amphora is connected to that bridge as well	17:58
nicolasbock	The forwarding iptables rules allow ingress to the amphora using the 172.30... IP	17:59
rm_work	I would think the switch would not allow that traffic to cross subnets, to me that still sounds like a vlan isolation issue	17:59
nicolasbock	I might be misunderstanding the flow though :)	17:59
nicolasbock	I agree, I wouldn't have expected this to be possible	18:00
rm_work	johnsom is the one who actually knows how networks work tho, so will wait for him to respond, i say words and sometimes they mean things and sometimes they are random collections of network-jargon :D	18:00
nicolasbock	:) Sounds like me then ;)	18:00
johnsom	Sorry, '	18:01
johnsom	I have been in video calls all morning	18:01
johnsom	reading scroll back	18:02
nicolasbock	Thanks johnsom !	18:02
*** gyee has joined #openstack-lbaas		18:02
johnsom	So you can ping from the lb-mgmt-net to the amphora VIP? Is that the scenario?	18:03
nicolasbock	I have a tenant network, a VM on that network, and a loadbalancer with VIP on tenant network	18:04
nicolasbock	I can ping VM -> amphora using the amphora's lb-mgmt-net IP	18:04
johnsom	So you are spoofing the source IP for the ping?	18:05
nicolasbock	No	18:05
nicolasbock	ping 172.30.1.18	18:05
johnsom	Ok, so tenant network to lb-mgmt-net IP	18:05
nicolasbock	Where my IP is 192.168.1.18	18:06
nicolasbock	Yes	18:06
nicolasbock	But the amphora's interface is connected to the tenant network's bridge on the compute host	18:06
johnsom	Yeah, so dictated by how the cloud was deployed. Typically the lb-mgmt-net is a private network with no gateway address, so not routable.	18:07
nicolasbock	To make sure I understand, the network's "shared" attribute should be False	18:08
nicolasbock	And the gateway of the subnet should not be set	18:08
johnsom	The default security group for the amphora interface on the lb-mgmt-net does allow ICMP ping, SSH, and port 9443. All of which are "fine" to be public, but typical cloud deployments don't have routes to the lb-mgmt-net from other networks.	18:08
nicolasbock	Did I understand that correctly?	18:08
johnsom	Those settings are up to you and your cloud.	18:09
nicolasbock	:)	18:09
johnsom	Typically, it would not be shared and would not have a gateway/route	18:09
nicolasbock	I meant in reference to your statement regarding how one typically deploys such a network	18:09
johnsom	But you can..... lol	18:09
nicolasbock	Ok thanks	18:09
nicolasbock	:)	18:09
nicolasbock	I have set a gateway IP on the management network	18:10
johnsom	There have been some large clouds that have "public" shared networks that they also use for the lb-mgmt-net. It is fine.	18:10
nicolasbock	Ok	18:10
nicolasbock	Thanks for the infor!	18:10
johnsom	As rm_work mentioned. The Amphora API is two-way TLS authenticated, so it is a "secure" port.	18:10
nicolasbock	Right. Maybe I am overly paranoid, but to me this looked like security issue	18:11
rm_work	yeah, there's no NEED for it to be routed, so you could lock that down	18:11
nicolasbock	But then again, I shouldn't have set the gateway on the management network :)	18:11
johnsom	If you disable that gateway, note that you will have to be in a neutron namespace or on the network to ssh into the amphora, but typically you don't need to. Many disable ssh access to the amphora	18:11
nicolasbock	How would I allow the service processes access then though?	18:12
nicolasbock	Start them in the netns?	18:12
rm_work	the service hosts should be attached to the management network	18:12
johnsom	Well, that again comes down to how the cloud is deployed. Many have the control plane processes on the lb-mgmt-net directly. If you are using the routed option, then yes, you need to have a gateway	18:13
rm_work	or that, yes (in the case of like, devstack)	18:13
nicolasbock	We currently have the lb-mgmt-net implemented as a provider network on top of physnet1	18:13
nicolasbock	Sitting on a separate VLAN ID	18:13
johnsom	You can also add security groups to the router port, or use FWaaS to put rules on who can access the lb-mgmt-net.	18:14
johnsom	Many options really	18:14
nicolasbock	True, it's like shopping the cereal aisle ;)	18:14
nicolasbock	So you are not concerned in terms of security that the amphorae are accessible in that way?	18:15
johnsom	I am not, no.	18:16
nicolasbock	No	18:16
nicolasbock	Ok	18:16
nicolasbock	Ok I meant	18:16
johnsom	Typically, end users won't even know they are there as the amphora details have RBAC rules limiting the visibility to admins only	18:16
nicolasbock	Ok	18:16
nicolasbock	Like I say, this is potentially an overly paranoid position	18:17
nicolasbock	But you could run a port scan from the VM :)	18:17
johnsom	If you don't have a controller certificate and key, you can't do anything with the amphora API other than get the version information.	18:17
johnsom	Yes, you could	18:17
nicolasbock	Ok, I'll check with my team to see how paranoid we should be	18:18
nicolasbock	Thanks again for the info!	18:18
johnsom	"Only the paranoid survive" as the late Andy Grove said.... Feel free to put additional controls in place.	18:18
nicolasbock	Thanks!	18:18
rm_work	it's not paranoia if they're really out to get you	18:18
rm_work	so I'm not really sure if it's possible to truly be paranoid when you work in tech, just realistic	18:19
nicolasbock	:)	18:22
nicolasbock	Paranoia and realism is a sliding scale. It all depends :)	18:23
johnsom	rm_work you have been tagged in an e-mail chain from Monty	19:41
johnsom	Funny really	19:42
rm_work	lol	19:42
johnsom	https://review.opendev.org/#/q/owner:self+project:openstack/openstacksdk	19:42
johnsom	https://review.opendev.org/#/q/owner:flux+project:openstack/openstacksdk	19:42
rm_work	thanks for the heads up, i never read email	19:42
johnsom	Guess I'm on mordred bad side, lol	19:43
rm_work	lol	19:43
rm_work	I can tell him I'm delegating :D	19:43
johnsom	Nope, I think you are it	19:44
rm_work	I think it's just cause we were literally just talking like yesterday about this and i rebased some patches for them, lol	19:44
rm_work	so fresh in mind	19:44
rm_work	obviously you're the better candidate for SDK work :D	19:44
rm_work	the PTL thread is fun too :D	19:50
*** maciejjozefczyk has quit IRC		19:53
johnsom	Yeah, PTL, OSC, throw it all away for k8s. All fun things recently in the world of OpenStack	19:57
*** gcheresh has joined #openstack-lbaas		19:58
johnsom	rm_work This is back too: https://storyboard.openstack.org/#!/story/2007370	20:04
johnsom	Oh, you saw it already and my e-mail page had not updated. nevermind	20:05
johnsom	As for the backport on that. It's implemented as a breaking change, but if it was always broken it probably should be backported.	20:08
*** vishalmanchanda has quit IRC		20:31
*** abaindur has joined #openstack-lbaas		20:32
*** trident has quit IRC		20:37
*** TrevorV has quit IRC		20:44
*** trident has joined #openstack-lbaas		20:47
*** rcernin has joined #openstack-lbaas		20:53
*** cgoncalves has quit IRC		20:53
*** gcheresh has quit IRC		20:55
*** cgoncalves has joined #openstack-lbaas		20:56
*** nicolasbock has quit IRC		21:05
*** cgoncalves has quit IRC		21:10
*** cgoncalves has joined #openstack-lbaas		21:11
*** rcernin has quit IRC		21:18
*** gcheresh has joined #openstack-lbaas		21:38
*** gcheresh has quit IRC		22:09
*** abaindur has quit IRC		22:14
*** abaindur has joined #openstack-lbaas		22:15
*** tkajinam has joined #openstack-lbaas		22:45
*** spatel has joined #openstack-lbaas		23:30
*** vishalmanchanda has joined #openstack-lbaas		23:34
*** spatel has quit IRC		23:35

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!