Monday, 2020-09-21

00:35 *** hongbin has quit IRC
00:49 *** spatel has joined #openstack-lbaas
00:57 *** hongbin has joined #openstack-lbaas
01:08 *** redrobot has quit IRC
01:10 *** spatel has quit IRC
02:23 *** hongbin has quit IRC
02:31 *** hongbin has joined #openstack-lbaas
02:50 <openstackgerrit> Zihao Wang proposed openstack/octavia master: Bump hacking min version to 3.0.1  https://review.opendev.org/752845
02:56 <openstackgerrit> XiaoYu Zhu proposed openstack/octavia master: Alternative Distributor for L3 Active-Active, N+1 Amphora Setup  https://review.opendev.org/746688
02:59 *** ramishra has joined #openstack-lbaas
03:20 *** sapd1 has joined #openstack-lbaas
03:41 *** psachin has joined #openstack-lbaas
03:59 *** ramishra has quit IRC
04:15 *** zzzeek has quit IRC
04:17 *** zzzeek has joined #openstack-lbaas
04:20 *** hongbin has quit IRC
04:21 *** ramishra has joined #openstack-lbaas
04:24 *** hongbin has joined #openstack-lbaas
04:29 *** hongbin has quit IRC
04:31 *** rcernin has quit IRC
04:38 *** hongbin has joined #openstack-lbaas
04:40 *** rcernin has joined #openstack-lbaas
05:15 *** vishalmanchanda has joined #openstack-lbaas
05:29 *** hongbin has quit IRC
05:31 *** hongbin has joined #openstack-lbaas
05:36 *** hongbin has joined #openstack-lbaas
05:39 *** rcernin has quit IRC
05:40 *** hongbin has quit IRC
05:46 *** sapd1 has quit IRC
06:00 *** gthiemon1e is now known as gthiemonge
06:01 *** rcernin has joined #openstack-lbaas
06:02 *** gcheresh has joined #openstack-lbaas
06:03 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/ussuri: Set Grub timeout to 0 for fast boot times  https://review.opendev.org/752853
06:04 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/train: Set Grub timeout to 0 for fast boot times  https://review.opendev.org/752854
06:05 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/stein: Set Grub timeout to 0 for fast boot times  https://review.opendev.org/752855
06:07 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/ussuri: Update devstack plugin  https://review.opendev.org/752856
06:07 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/train: Update devstack plugin  https://review.opendev.org/752858
06:08 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/stein: Update devstack plugin  https://review.opendev.org/752859
06:09 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/ussuri: Add missing log line for finishing amp operations  https://review.opendev.org/752860
06:11 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/train: Add missing log line for finishing amp operations  https://review.opendev.org/752861
06:12 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/stein: Add missing log line for finishing amp operations  https://review.opendev.org/752862
06:13 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/ussuri: Fix user permission for WSGI configuration Task: 35692 Story: 2006172  https://review.opendev.org/752863
06:14 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/train: Fix user permission for WSGI configuration Task: 35692 Story: 2006172  https://review.opendev.org/752864
06:15 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/ussuri: Add some details on enable_anti_affinity option  https://review.opendev.org/752865
06:16 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/train: Add some details on enable_anti_affinity option  https://review.opendev.org/752866
06:16 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/stein: Add some details on enable_anti_affinity option  https://review.opendev.org/752867
06:20 *** rcernin has quit IRC
06:23 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/ussuri: Fix operational status for disabled UDP listeners  https://review.opendev.org/752869
06:23 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/ussuri: Fix invalid DOWN status when updating a UDP pool  https://review.opendev.org/752870
06:28 *** mchlumsky has quit IRC
06:29 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/train: Fix operational status for disabled UDP listeners  https://review.opendev.org/752871
06:29 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/train: Fix invalid DOWN status when updating a UDP pool  https://review.opendev.org/752872
06:35 *** mchlumsky has joined #openstack-lbaas
06:46 <openstackgerrit> Carlos Goncalves proposed openstack/octavia stable/stein: Fix operational status for disabled UDP listeners  https://review.opendev.org/752875
06:47 *** ccamposr has joined #openstack-lbaas
07:15 *** ccamposr__ has joined #openstack-lbaas
07:17 *** ccamposr has quit IRC
07:22 *** sapd1 has joined #openstack-lbaas
07:34 *** BlackFX has joined #openstack-lbaas
07:35 <BlackFX> Hi guys. I seem to have an issue with Octavia, all my pool members are operating status = offline, but I have captured the traffic between the LB and the member and I can see the member returning 200
07:39 *** rcernin has joined #openstack-lbaas
07:45 *** wuchunyang has joined #openstack-lbaas
07:52 *** rcernin has quit IRC
08:08 <BlackFX> Interestingly I can't see the traffic or an interface in the amphora instance.
08:11 *** gcheresh has quit IRC
08:19 <BlackFX> [    4.060126] virtio_net virtio1 eth1: renamed from ens4
08:19 <BlackFX> I get that in dmesg, but there is no ens4/eth1
08:44 *** gcheresh has joined #openstack-lbaas
09:00 *** gcheresh has quit IRC
09:08 <openstackgerrit> Carlos Goncalves proposed openstack/octavia-tempest-plugin master: Add not-voting aarch64 scenario job  https://review.opendev.org/747629
09:10 *** gcheresh has joined #openstack-lbaas
09:11 *** psachin has quit IRC
09:19 *** ataraday_ has joined #openstack-lbaas
09:35 *** lemko has quit IRC
09:35 *** lemko has joined #openstack-lbaas
10:05 *** ramishra has quit IRC
10:06 *** wuchunyang has quit IRC
10:45 *** ramishra has joined #openstack-lbaas
11:10 *** ramishra_ has joined #openstack-lbaas
11:12 *** ramishra has quit IRC
11:17 *** sapd1 has quit IRC
11:49 *** terdei has joined #openstack-lbaas
12:00 *** servagem has joined #openstack-lbaas
12:11 *** vishalmanchanda has quit IRC
12:26 *** njohnston has joined #openstack-lbaas
12:54 <openstackgerrit> Carlos Goncalves proposed openstack/octavia-tempest-plugin master: Fix copy output in two-node jobs  https://review.opendev.org/752936
12:57 <ataraday_> cgoncalves, Hi! Could you take a look at https://review.opendev.org/#/c/738609/ ?
13:01 <cgoncalves> ataraday_, LGTM
13:10 <ataraday_> cgoncalves, Thanks!
13:27 *** numans_ has joined #openstack-lbaas
13:28 *** numans_ is now known as numans
13:28 *** ataraday_ has quit IRC
13:30 <openstackgerrit> Carlos Goncalves proposed openstack/octavia master: Add HTTP/2 example to the load balancing cookbook  https://review.opendev.org/752952
13:40 *** TrevorV has joined #openstack-lbaas
13:44 *** ramishra has joined #openstack-lbaas
13:48 *** ramishra_ has quit IRC
13:51 *** gcheresh has quit IRC
14:28 *** gcheresh has joined #openstack-lbaas
14:31 *** hongbin has joined #openstack-lbaas
14:42 <openstackgerrit> Carlos Goncalves proposed openstack/octavia master: Add ALPN support for TLS-enabled pools  https://review.opendev.org/752095
15:10 *** armax has joined #openstack-lbaas
15:24 *** redrobot has joined #openstack-lbaas
15:32 <openstackgerrit> Carlos Goncalves proposed openstack/octavia-tempest-plugin master: Add non-voting aarch64 scenario job  https://review.opendev.org/747629
15:38 *** hongbin has quit IRC
15:40 <johnsom> Thanks for all of the backport updates!
15:40 <johnsom> I think I have one I need to do as well.
15:44 *** hongbin has joined #openstack-lbaas
15:44 <cgoncalves> it may be the one (UDP-related) I purposely skipped. was not caffeinated that early in the morning to resolve the merge conflict :P
15:45 <johnsom> I think it is the VRRP port missing patch
15:46 <cgoncalves> ah, also skipped that one purposely. "grin"
16:10 *** vishalmanchanda has joined #openstack-lbaas
16:10 *** sapd1 has joined #openstack-lbaas
16:28 *** weiguo has joined #openstack-lbaas
16:31 <johnsom> BlackFX The tenant traffic is inside a network namespace, use "sudo ip netns exec amphora-haproxy ip a" to see the other interfaces.
16:35 <weiguo> Hi all. Our tenant reported that they were able to get a full list of octavia loadbalancer list (from all tenants) with an unscoped token. We were able to reproduce it with both rocky and train releases we deployed. This raises a serious security concern and we wonder if this is expected and we might have missed some configuration?
16:37 <weiguo> And the call we used is like this:   curl -X GET https:${URL}:9876/v2.0/loadbalancers/ -H "Accept: application/json" -H "User-Agent: openstacksdk/0.31.1 keystoneauth1/3.14.0 python-requests/2.18.4 CPython/2.7.12" -H "X-Auth-Token: ${my_unscoped_token}"
16:37 <johnsom> That would only happen if they have one of the admin roles, such as the global "Admin" for the cloud, the load-balancer_admin role, or the load-balancer_global_observer role
16:38 <weiguo> not in our test cases, where we only grant normal user / _member_ role.
16:43 <johnsom> This is the code that checks that: https://github.com/openstack/octavia/blob/master/octavia/api/v2/controllers/base.py#L224
16:46 <weiguo> Thanks, Michael. Let me put some debug flag in that file and verify if this is a bug or not.
16:47 <johnsom> Yeah, I am going to try to reproduce this locally. The general case doesn't reproduce it, but I need to get an unscoped token
16:56 *** ccamposr__ has quit IRC
16:57 <weiguo> You can get an unscoped token this way; source my_open.rc; export OS_PROJECT_ID=; export OS_PROJECT_NAME=;  my_unscoped_token=$(openstack token issue -f value -c id)
16:58 <johnsom> I did it this way: openstack --os-username=<username> --os-user-domain-name=<domain> --os-password=<password> token issue
16:58 *** ccamposr has joined #openstack-lbaas
16:59 <weiguo> Yup, that would do as well
16:59 <johnsom> with a clean environment. I get a 403 Forbidden back.
17:00 <weiguo> ok, let me do a bit of testing on our end and report back
17:05 <johnsom> Yeah, even doing it the other way, where there is more context in the environment, I get the user's load balancer list and not all of them.
18:05 *** hongbin has quit IRC
18:11 *** hongbin has joined #openstack-lbaas
18:40 *** AlexStaf has quit IRC
19:05 *** hongbin has quit IRC
19:11 *** vishalmanchanda has quit IRC
19:21 <openstackgerrit> Merged openstack/octavia stable/ussuri: Update amphora v2 for the failover refactor  https://review.opendev.org/750632
19:53 <johnsom> Well, that will make my backport work easier....
20:16 *** hongbin has joined #openstack-lbaas
20:36 <weiguo> Hi Michael, a small question about your clean environment, did you use legacy policy vs the new one? We are using the legacy policy model. Wonder if that might have made a difference.
20:36 <johnsom> I am not using a policy override file
20:43 <johnsom> Yeah, even with the owner-admin policy file I only get my own list back
20:44 <weiguo> do you mind sharing your owner-admin policy file?
20:45 <johnsom> https://opendev.org/openstack/octavia/src/branch/master/etc/policy
20:45 <weiguo> thx
20:47 <johnsom> Note, that version is in yaml, since you are on train you might want to grab the older json version
20:52 <weiguo> We did and verified that we are using a similar one.
20:58 <johnsom> weiguo Also make sure you don't have auth_strategy = noauth in your octavia.conf. That will elevate everyone.
21:02 <weiguo> Mike, we have that set to keystone. BTW, does your test user have a default project set up? According to keystone doc, to get an unscoped token "Your identity must not have a “default project” associated with it that you also have role assignments, and thus authorization, upon."
21:04 <weiguo> In theory, if you get an unscoped token, a cURL call to the API endpoint without any project ID info in the URL should not be able to tell what project you belong to. You mentioned that you got a small list back for your own project, which makes me suspect that the token you got is not actually a 'clean' unscoped token
21:05 *** sapd1 has quit IRC
21:08 <johnsom> Hmm, that is interesting. I followed your steps to get this last token. I wonder how I would see if that user has a default or not.
21:08 <weiguo> openstack user show xxxx should be able to tell
21:09 <johnsom> I am using this user:
21:09 <johnsom> https://www.irccloud.com/pastebin/yyooDX5m/
21:13 <johnsom> weiguo Ok, there was a stray tenant ID in there. I can reproduce it with the override file, but cannot with the advanced RBAC enabled (default).
21:14 <weiguo> Cool, at least that matches what we found so far
21:16 <weiguo> we had hoped that we didn't have to create extra roles, which requires extra work for our upstream user integration system. Hence we have stuck to our 'legacy' override model.
21:17 <johnsom> Well, you can give everyone a role pretty easily. It's not like each user has to have them added
21:18 *** sapd1 has joined #openstack-lbaas
21:18 *** gcheresh has quit IRC
21:30 <johnsom> Yeah, so that sample is bogus I think.
21:34 <johnsom> No, ok
21:34 <weiguo> ok, we use basically that. Guess that is the problem? We just tried without the override file and the request was denied with 403.
21:35 <weiguo> So with that override file, an unscoped token will be allowed to list all for sure, yes?
21:36 <johnsom> That appears to be what is happening. I'm just trying to figure out why
21:37 <weiguo> Cool. We will keep trying our end and let you know if we see anything funny. Thanks very much for helping!
21:41 <johnsom> rm_work Are you around?
21:41 <rm_work> I am, sup?
21:41 <johnsom> https://github.com/openstack/octavia/blob/master/octavia/api/v2/controllers/base.py#L224
21:42 <johnsom> So, curious case. With an unscoped token, it has no project_id, and that is allowing it through with the policy override file admin-owner
21:55 *** TrevorV has quit IRC
22:05 <rm_work> eugh, amphora agent still splits a bunch of logging to syslog doesn't it
22:05 <rm_work> rather than its unit
22:05 <rm_work> johnsom: also, what am i looking at in that function you linked?
22:06 <johnsom> I was wondering if you remembered much about that. It's doing the wrong thing with unscoped tokens
22:06 <johnsom> I think I have figured it out however.
22:08 <rm_work> it's like a haze
22:08 <rm_work> i think I just refactored?
22:09 <rm_work> wtf, my UDP fix didn't work
22:09 <rm_work> i couldn't replicate the issue in my testing so thought it had
22:09 <rm_work> but just had another instance in prod with the new image where it has the bad check_script present
22:24 <openstackgerrit> Michael Johnson proposed openstack/octavia master: Fixes API list handling of unscoped tokens  https://review.opendev.org/753169
22:25 <johnsom> weiguo That patch will fix your issue
22:26 <weiguo> Awesome, we will verify and let you know.
22:33 <weiguo> johnsom works like a charm. We saw from the debug output earlier in that function and wondered if the "none" project_id had anything to do with the issue. Thanks for the super speedy fix!
22:34 <johnsom> Yeah, confluence of issues there with the policy definition and the unscoped token. I'm adding a test now.
22:41 <rm_work> johnsom: where should the LOG messages from the amphora agent end up in centos?
22:41 <rm_work> not seeing what I'm looking for in journalctl -u amphor-agent, or /var/log/messages, or /var/log/amphora-agent.log
22:41 <johnsom> should and are is two different answers
22:41 <rm_work> which all have different data lol
22:42 <johnsom> If I remember right, gunicorn goes into amphora-agent and the oslo.log goes into the syslog/messages.
22:42 <johnsom> I don't think I fixed that, but I might have.
22:44 <openstackgerrit> Merged openstack/octavia stable/ussuri: Remove haproxy_check_script for UDP-only LBs  https://review.opendev.org/751907
22:46 <rm_work> ^^ whelp that patch doesn't work
22:46 <rm_work> apparently the first few tests we ran were false positives
22:47 <rm_work> it looks like that `vrrp_check_script_update` function doesn't ever run after the initial create
22:47 <rm_work> it LOOKS like it should
22:47 <rm_work> but I think in reality it doesn't
22:47 <rm_work> just haven't figured out why yet
22:52 <rm_work> johnsom: http://paste.openstack.org/show/798179/
22:52 <rm_work> lvs_udp_check.sh is written 6 seconds after the haproxy one (so, on listener create, not LB create)
22:52 <rm_work> but, the other script is NOT removed?
22:53 <johnsom> Well, if there is a TCP listener, the script would still exist, it just wouldn't have exit 1 in it
22:53 <rm_work> that file is written during `upload_udp_listener_config`
22:54 <rm_work> (for the record, one listener EVER, only UDP)
22:54 <johnsom> Yeah, I'm just saying, you probably don't want to blind nuke it
22:55 <rm_work> it should be nuked given the logic we merged already, that patch that just backported
22:55 <rm_work> but that path apparently isn't ever called post-create
22:56 <rm_work> i think that function needs to be run again in the `upload_udp_listener_config` function
22:57 <rm_work> like....
23:02 *** rcernin has joined #openstack-lbaas
23:10 *** zzzeek has quit IRC
23:11 *** rcernin has quit IRC
23:11 *** rcernin has joined #openstack-lbaas
23:12 <openstackgerrit> Michael Johnson proposed openstack/octavia master: Fixes API list handling of unscoped tokens  https://review.opendev.org/753169
23:13 *** zzzeek has joined #openstack-lbaas
23:16 <openstackgerrit> Adam Harwell proposed openstack/octavia master: Followup Remove haproxy_check_script for UDP-only  https://review.opendev.org/753189
23:16 <rm_work> sorry, that took longer than expected because I had to fix a test... but, like that ^^ johnsom
23:17 <johnsom> Yeah, that was what I was doing. 4 line change, 310 lines of tests
23:17 *** zzzeek has quit IRC
23:20 *** zzzeek has joined #openstack-lbaas
23:21 <rm_work> johnsom: tested that and it actually runs now on a listener update
23:21 <rm_work> and fixes VRRP
23:21 <rm_work> the amp-side stuff is a bit of a maze
23:21 <rm_work> really thought that was supposed to run more often...
23:23 <johnsom> Yeah, there could really be some restructuring there.
23:24 <johnsom> The old init systems can come out too. I don't think upstart is going to come back
23:27 <johnsom> rm_work While you are here, how about a quick look at https://review.opendev.org/753169 and https://review.opendev.org/750518
23:30 <openstackgerrit> Michael Johnson proposed openstack/octavia stable/ussuri: Fix amphora failover when VRRP port is missing  https://review.opendev.org/753190
23:43 <rm_work> on the first one, no idea, but i trust that it works because the person you wrote it for confirmed it works :D
23:44 <johnsom> Well, there are tests too
23:44 <rm_work> yeah...
23:44 <rm_work> well, doesn't look like you put in any backdoors or disabled TLS, so +2
23:45 <rm_work> gonna let tempest sort out the rest
23:47 <johnsom> The other is a release note fix, so trivial
23:47 <rm_work> yep already +A
23:47 <johnsom> However it needs to get in the release
23:49 *** spatel has joined #openstack-lbaas
23:52 <openstackgerrit> Michael Johnson proposed openstack/octavia stable/train: Fix amphora failover when VRRP port is missing  https://review.opendev.org/753193

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!