Wednesday, 2025-01-15

« Tuesday, 2025-01-14 Index Thursday, 2025-01-16 »
opendevreviewMichael Johnson proposed openstack/octavia master: Add support for SR-IOV member ports  https://review.opendev.org/c/openstack/octavia/+/92015604:06
opendevreviewMerged openstack/octavia stable/2024.2: Fix verification of certificates signed by a private CA  https://review.opendev.org/c/openstack/octavia/+/93889405:55
opendevreviewTakashi Kajinami proposed openstack/octavia master: Refactor tox environments  https://review.opendev.org/c/openstack/octavia/+/93904107:16
opendevreviewGregory Thiemonge proposed openstack/octavia master: Make keystone default roles the default RBAC  https://review.opendev.org/c/openstack/octavia/+/92958008:22
opendevreviewPierre Riteau proposed openstack/octavia stable/2024.1: Fix verification of certificates signed by a private CA  https://review.opendev.org/c/openstack/octavia/+/93932308:23
skraynev@gthiemonge hello. I am reading the cookbook: https://docs.openstack.org/octavia/latest/user/guides/l7-cookbook.html Is it possible to configure redirect group of domains http://test1.test.com, http://test2.test.com on corresponding https domains ? Rule could match like "endswith test.com", however redirect_to_url and redirect_prefix does not allow to specify something like https://*.test.com 10:24
skraynevi.e. I could not redirect http://test1.test.com -> https://test1.test.com, http://test2.test.com -> https://test2.test.com with one policy. right ?10:25
gthiemongeskraynev: well, I don't think you can do it, but let's wait for johnsom, he may know more about this than i do10:45
gthiemongehmm weird, the first example in the cookbook describes REDIRECT_TO_URL but the CLI uses REDIRECT_PREFIX10:46
skraynev@gthiemonge : thank you. I also found the doc: https://bugs.launchpad.net/octavia/+bug/2060539 . and here we also have comment from @johnsom .10:46
skraynevmoreover REDIRECT_PREFIX parameter expect valid URL. So it's not possible to set only "https://"10:47
gthiemonge#startmeeting Octavia16:00
opendevmeetMeeting started Wed Jan 15 16:00:40 2025 UTC and is due to finish in 60 minutes.  The chair is gthiemonge. Information about MeetBot at http://wiki.debian.org/MeetBot.16:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.16:00
opendevmeetThe meeting name has been set to 'octavia'16:00
gthiemongehey16:00
tweiningo/16:00
johnsomo/16:01
gthiemonge#topic Announcements16:02
gthiemonge* 2025.1 Epoxy Release Schedule16:02
gthiemongewe passed Epoxy-2 milestone last week16:02
gthiemongethe next important milestones are16:02
gthiemonge- Final release for non-client libraries (octavia-lib) - Feb 2016:03
gthiemonge- Feature freeze/final release for client libraries - Feb 2716:03
gthiemongeso, basically in one month16:03
gthiemongeand I would like to take the opportunity to request reviews on the "Custom Security Groups on VIP ports" feature16:03
johnsomYeah, feature freeze is coming up quick16:03
gthiemongehttps://review.opendev.org/q/topic:%22custom_sg%22+is:open16:03
gthiemongenote: I'm working on a python-octaviaclient patch, to make it easier for the reviewers to test the feature16:04
gthiemongeyeah16:04
tweiningFYI, I will be on PTO for one week mid-Feb16:04
gthiemongeack16:04
gthiemonge* 2025.2 F Release16:06
gthiemongeanother important update: It's official, 2025.2 will be named Flamingo!16:06
tweiningnot a bad name IMO16:06
gthiemongeany other updates/announcements folks?16:07
johnsomPTL elections is coming up too16:08
johnsomPTL Election from 2025-02-26T23:45 to 2025-03-19T23:4516:09
gthiemongewow16:09
johnsomThey announced the dates on the mailing list. It's a bit of a longer window I understand16:09
gthiemongeyeah16:09
johnsomNominations start 2/516:10
gthiemongeack16:12
gthiemongethanks johnsom 16:12
gthiemonge#topic CI Status16:12
gthiemongewe've made a lot of progress there16:12
gthiemongewe have fixed a great number of issues (pep8 x2, doc, tls/httpx)16:13
gthiemongewe migrated the jobs of the master branch to ubuntu noble16:13
gthiemongewe updated the jobs for 2025.116:13
gthiemongeetc...16:13
tweiningvery good16:13
gthiemonge(and all the disabled jobs have been re-enabled)16:14
gthiemongeso yeah.. thanks for your help guys16:14
gthiemonge#topic Brief progress reports / bugs needing review16:15
gthiemongeI already talked about my patches in the announcement..16:16
tweiningthe only update I have is that rate limiting is no longer realistic for Epoxy. it's too much work to do still16:17
johnsomI am finally back to being able to work on the SRIOV for members / tech debt patch16:17
gthiemongecool16:19
gthiemongejust a quick note: we have ~20 backports in review in gerrit: https://review.opendev.org/q/(project:openstack/octavia+OR+project:openstack/octavia-dashboard)+status:open+branch:%5Estable/.*16:20
gthiemonge#topic Open Discussion16:22
gthiemongeany other topics for this meeting?16:23
danfaihi, we had recently lost an amphora due to a kernel panic. I was wondering if there was consideration of having a watchdog on the amphora or most people just leverage the failover and let the old VM die?16:23
gthiemongedanfai: AFAIK no, we never had a plan for it16:24
tweiningwatchdog meaning to reboot the vm when it panics I guess16:24
gthiemongedanfai: I think active-standby + failover can be the solution16:24
johnsomYeah, there already is a watchdog that catches kernel panics (though I have not seen this issue). It is the health manager process. If the Amphora doesn't respond in 60 seconds (default config) the health manager will automatically fail over the Amphora16:24
danfaitweining: correct, with the libvirt process involved to detect it as well16:25
danfaigthiemonge: yes, this is what I thought, in our use case we disabled the automatic failover for a few reasons and thought about different solutions16:25
johnsomAutomatic reboots are not enough, a reboot will loose the cryptography keys16:25
johnsomWhy would you disable the automatic failovers????? Not a good idea really16:26
johnsomIt's kind of the last layer of defense against nova/neutron failures in our overall HA strategy16:27
danfaijohnsom: political and historical reasons with not trusting automated systems that introduced more downtime before my time, I would say. Plus a few others, that I cannot easily discuss online16:27
danfaiif there is an interest in such an dib-element, I can propose it upstream, but also happy to keep this a downstream patch for now. (only change is to the image anyway)16:28
johnsomWell, that is the exact watchdog you are looking for.16:29
johnsomWhat is this db-element?16:29
gthiemongejohnsom: I guess that after a reboot, losing the crypto keys will trigger a failover because the listeners don't start, right?16:29
johnsomgthiemonge correct16:29
danfaiwell the watchdog I mean here is contained in a hypervisor and would work even if the whole octavia/nova control plane is down. It is libvirt triggering the reboot16:30
johnsomBut, since they have turned that off, it will just be a broken LB16:30
danfaior you need to have keys stored persistently on disk16:30
danfaiwhich might not be the best idea either16:30
johnsomdanfai The tenant keys are stored in encrypted RAM disk16:31
johnsomThey are never stored on disk16:31
danfaijohnsom: dib-element = disk image builder, the one for building the amphora image, then used to spawn amphoras. An element would be one of the jobs run there16:31
johnsomYeah, I know disk image builder, I wrote all of the code for Octavia image building16:32
danfaijohnsom: If you use the default image from octavia, yes they would be stored in tmpfs16:32
johnsomI was asking what is your proposed change there16:32
danfaiit would be to have automated restarts, but I see that in the default behavior this would not work, if the keys could not be loaded anymore or there needs to be another layer to send them again, which then defeats the purpose16:33
gthiemongeyeah, i don't think we need such an element, it would not match most use cases16:33
danfai+1, ok, thanks16:34
johnsomInside the amp we already have systemd auto restarts and keepalived failovers for Active/Standby topologies.16:34
johnsomBut a kernel panic would mean nothing *inside* the amphora can be done beyond having the kernel reboot on panic automatically16:35
danfaiyeah, I see if the keys are not there before the panic, you don't have a chance.16:38
danfai*not there = not persisted16:38
gthiemongeso if you want to propose the feature, I guess it would be an optional feature in the disk image create script, so I don't know if it's worth it16:39
danfaiyes, and it could only work if certs-ramfs is not enabled, which would not be best practice16:41
danfaianyway thanks for the feedback. I think this is covered now. also thanks for the comments on the active/active spec16:42
gthiemongenp, thank you danfai!16:43
gthiemongeanything else folks?16:43
tweiningnope16:43
johnsomNothing here16:44
danfainot from me16:44
gthiemongeok, good discussions!16:45
gthiemongethank you folks!16:45
gthiemonge#endmeeting16:45
opendevmeetMeeting ended Wed Jan 15 16:45:12 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:45
opendevmeetMinutes:        https://meetings.opendev.org/meetings/octavia/2025/octavia.2025-01-15-16.00.html16:45
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/octavia/2025/octavia.2025-01-15-16.00.txt16:45
opendevmeetLog:            https://meetings.opendev.org/meetings/octavia/2025/octavia.2025-01-15-16.00.log.html16:45
-opendevstatus- NOTICE: The paste service at paste.opendev.org will have a short (15-20) minute outage momentarily to replace the underlying server.17:08
« Tuesday, 2025-01-14 Index Thursday, 2025-01-16 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!