Wednesday, 2022-03-23

*** ysandeep|out is now known as ysandeep04:56
*** ysandeep is now known as ysandeep|afk07:19
*** ysandeep|afk is now known as ysandeep08:04
opendevreviewTom Weininger proposed openstack/octavia master: Documentation updates
*** ysandeep is now known as ysandeep|lunch09:35
*** ysandeep|lunch is now known as ysandeep10:51
*** nilushko is now known as Niko_iL11:33
gthiemonge#startmeeting Octavia16:00
opendevmeetMeeting started Wed Mar 23 16:00:25 2022 UTC and is due to finish in 60 minutes.  The chair is gthiemonge. Information about MeetBot at
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.16:00
opendevmeetThe meeting name has been set to 'octavia'16:00
gthiemongeHi Folks16:00
gthiemonge#topic Announcements16:02
gthiemonge* Yoga release schedule - Final RC16:02
gthiemongeFYI This week is the Final RCs (we don't have any additional RCs after RC1), next week is the Yoga Release!16:03
gthiemongeDo you have any other announcements?16:05
gthiemongeJust a reminder: Zed PTG - Octavia16:05
gthiemongeI need to work on the proposed topics/schedule16:05
gthiemonge#topic Brief progress reports / bugs needing review16:07
gthiemongeI have updated the huge "Fix plugging member subnets"/"Multi-VIP" patchchain16:07
gthiemongeI still need to sort out the dependencies between octavia and octavia-tempest-plugin16:07
gthiemonge(I still don't know if the octavia patch should depend on the tempest tests, any thoughts?)16:08
johnsomHa, the old chicken and egg issue. I think tests should depend on the code that implements. IMO16:09
gthiemongeanyway, I have removed the WIP from the Multi-VIP patch because I've completed the last concerns I had with it (improved coverage in the unit tests)16:09
*** ysandeep is now known as ysandeep|out16:09
gthiemongeI think I've mixed both approaches in the patch chain :D16:09
johnsomIt happens16:10
gthiemongeoh no I need to update the 2 main patches to reverse the depends-on16:10
spharmon`(Hopefully I'm not out of turn) I was hoping to discuss "Add rpc notification for load balancers" 16:11
gthiemongespharmon`: hi! and welcome!16:12
spharmon`Hi! Thanks! Nice to meet you :)16:13
spharmon`Yall keep going, but lmk when it's my turn to go. I have a specific question related to one comment.16:13
gthiemongespharmon`: please, go ahead16:14
spharmon`Awesome. The comment is this one:16:14
spharmon`This one:
spharmon`Essentially, I'm wondering whether anyone has concerns with raising here rather than rerunning init(). Other projects raise in a similar fashion which is why I've done that here (My main concern is opening additional rpc connections and running out of file descriptors). 16:16
gthiemonge"they specifically asked"... johnsom, was it you?16:16
johnsomNo, it looks like Erik16:17
johnsomI have not reviewed this patch16:17
spharmon`It was Erik who raised the concern because of some historical knowledge, but he also clarified that he thinks it's appropriate to raise here. I think I'd like to resolve if no one has concerns with raising. In another channel, we discussed possibly changing these to assertions.16:18
tweiningIMO adding an assert seems more pythonic than raising an equivalent AssertionError directly16:19
spharmon`I think the advantage of raising the assertion is to use the translation library, right?16:20
johnsomI guess my concern would be do we assume that get_client will init the transport no matter what. Ugh, I don' t know this code very well.16:21
gthiemongeI'm not sure that translating "'TRANSPORT' must not be None" would help the user ;-)16:21
tweiningassert TRANSPORT is None, _("'TRANSPORT' must not be None")   should be equivalent16:21
gthiemongeI don't know it either16:22
spharmon`I don't need an answer now. My assumption is no: TRANSPORT should be set elsewhere and never be None in get_client, but I'd conceed if that's not right.16:22
spharmon`Ah yeah ok. I can refactor for the assersion. I agree it's more pythonic.16:22
spharmon`As far as running init(), I think there's a risk if you don't cleanup the prior connections, right? Then, if you do run cleanup, like Erik mentions, there's a risk of race conditions with calls to the prior TRANSPORT, NOTIFIER, et c..16:24
johnsomI think their intent was to create a singleton for those16:25
johnsomWith lazy init16:25
spharmon`Ok, I see. I'll look more into create_transport to see if there's a safe way I can figure to do that.16:27
spharmon`Anyway, that's all. Thanks for the insight. If yall get some cycles to drop a comment, I'd appreciate it. I'll be hanging around in here as well, so reach out any time. 16:27
gthiemongespharmon`: BTW Have you seen the other proposed commit for notification support in Octavia?
spharmon`Yes, I have. I started off testing that one and landed here, in an effort to fix especially the non-singleton problem of reinitializing the rpc stuff here. There were also issues with placing the logic in with the database_tasks.16:30
gthiemongespharmon`: how is your patch now (WIP? almost ready?)? can I test it in my env?16:32
spharmon`I also like having separate tasks for notifications. In my case, I'm testing with a third-party driver. This way, I can import these tasks in the flows in the third party driver.16:33
spharmon`I'd say almost ready. We're running this in our dev environment. It's been in the lab for some time as well.16:33
gthiemongecool, I would like to test it ;-)16:33
spharmon`Awesome! I'd love any feedback! :)16:34
tweiningI started continuing the work on the failover stop threshold patch here:
gthiemongetweining: cool, I replied to your comment in the patch16:37
tweiningI added a new provisioning state FAILOVER_STOPPED for the amp, but get "foreign key constraint fails" errors. not sure why yet.16:37
johnsomThere are relational protections in the database for those states. Modifying the state machine is a big deal really.16:37
johnsomIs there a description of why we need a new state?16:38
johnsomI.e. the commit message or spec?16:38
gthiemongejohnsom: ^16:38
tweiningI don't think we must have a new state. I just thought it would help.16:39
johnsomIt's certainly possible to do, but some work. I will have to read through these comments and code to understand.16:39
gthiemongetweining: when you said you "added a new provisioning state FAILOVER_STOPPED", do you mean in the code? because the states are also defined in the DB16:40
johnsomOh, if this is amp state, that is less risky to change. I was talking about provisioning status which has wide implications.16:41
tweiningI added a new constant for that. I thought no DB schema change would be needed as it is an existing string field.16:42
tweiningso a constant in octavia-lib which gets used in octavia.common.constants.16:43
gthiemongethere's a provisioning_status table:
johnsomThe states have a database relational constraint to make sure they are consistent.16:43
johnsomI also have a topic for open discussion when we get there.16:45
tweiningok, I will try to make it work with that new state then if there are no objections or we can talk later about it.16:46
gthiemongeno objections from me ;-)16:46
gthiemongetweining: I can explain offline how to update an existing table in Octavia (add a migration script)16:47
gthiemonge#topic Open Discussion16:48
gthiemongejohnsom: o/16:48
johnsomI wanted to raise that we have a new bug:16:48
gthiemongeyeah I've just received the notification email16:48
johnsomCentOS 9 Stream recently updated OpenSSL and removed a number of features. SHA1 for sure, but it also looks like TLSv1.16:49
johnsomWe have tests that cover the various TLS versions (because we have code that allows you to allow/deny them).16:49
gthiemongejohnsom: so the bug is in the test?16:50
johnsomSo, we need to think about how to handle tests that will no longer pass on certain platforms.16:50
gthiemongejohnsom: can we set the minimum_tls_version for this job and check what the API returns?16:51
johnsomIn this case, yes it's a test issue.16:51
johnsomYeah, I'm not sure how the controller/amp side is going to work on CentOS 9 Stream if the user selects TLSv1. Obviously the operator can block TLSv1 if they know it's broken in CentOS 9 STream, but...  Maybe we need to come up with a strategy for dealing with this16:52
johnsomIt's not like an API version will tell you, etc. It's purely trying the OS and see if it works I guess.16:53
gthiemongecould the work query the capabalities of an amphora?16:53
johnsomWe could also just change the defaults to remove TLSv1 from the default available list and make the assumptions it's dead16:53
johnsomHmm, yeah, via a DIB image build time something... I guess16:54
gthiemongeI'm adding a topic to the agenda of the PTG ;-)16:54
johnsomJust wanted to raise awareness on this. It's a tricky one16:55
gthiemonge2 topics: TLS default settings, and amphora capabilities16:55
johnsomIn theory they are going to want a fix back to wallaby too.  sigh16:55
johnsomOk, that was all I had today16:56
gthiemongethanks for raising it16:56
gthiemongeany other topics folks?16:57
spharmon`Nothing from me16:58
gthiemongethank you Folks!16:58
opendevmeetMeeting ended Wed Mar 23 16:58:41 2022 UTC.  Information about MeetBot at . (v 0.1.4)16:58
opendevmeetMinutes (text):
spharmon`Thanks everyone!16:58
spateljohnsom just to follow up with you.. after setting up health TCP it works and allow to spin up everything cleanly 19:05
johnsomHmm, well, I'm glad you are working now.19:06
spatelSorry i was busy so not able to get back to you19:06
johnsomYou just did! grin19:06
spatelI have one more question related k8s with octavia 19:07
johnsomOk, I may or may not have an answer19:08
spatelI have working Magnum and i have created k8s cluster for testing. Now i want to use Octavia for Ingress controller for my containers 19:08
spatelI found this doc but little complicated to understand
spatelwhat is step 2.1 in that doc for? what is the use for Certificate here?19:10
johnsomThat document is about all I know about it. I have not done a deployment like that.19:10
johnsomI don't know. Maybe the K8S API is protected with mutual TLS authentication and requires a cert?19:12
johnsomSorry, not an area I have worked with.19:12
spatelno worry! i will keep poking :)19:13
opendevreviewMerged openstack/octavia-tempest-plugin master: Fix incorrect subnet_id for ipv6 member servers

Generated by 2.17.3 by Marius Gedminas - find it at!