| *** rlandy|bbl is now known as rlandy | 00:03 | |
| *** rlandy is now known as rlandy|out | 01:19 | |
| *** rlandy is now known as rlandy|out | 01:24 | |
| *** rlandy|out is now known as rlandy | 10:18 | |
| *** rlandy_ is now known as rlandy__ | 10:24 | |
| *** rlandy__ is now known as rlandy | 14:16 | |
| *** jmcdade is now known as FlexibleToast | 14:39 | |
| *** rlandy is now known as rlandy|mtg | 18:13 | |
| *** rlandy|mtg is now known as rlandy | 19:12 | |
| guesswhat | Has anyone deployed Octavia in Ubuntu with Openvswitch? How can worker and healthmanager reach amphoras? | 19:56 |
|---|---|---|
| johnsom | guesswhat Yes, works great. | 19:57 |
| johnsom | In fact I think most of the Octavia test jobs still run with that setup | 19:57 |
| guesswhat | johnsom: I am can make it work... Are You using hm-0 interface ? | 19:58 |
| guesswhat | *I can not, ehm, its late.. | 19:58 |
| johnsom | Yeah, you can call it whatever you want, but the test jobs call it hm-0 | 19:58 |
| guesswhat | But thats working only for linuxbridge, not for openvswitch | 19:59 |
| guesswhat | See https://stackoverflow.com/questions/65885301/how-configure-octavia-in-openstack-kolla#comment120355367_65892547 | 19:59 |
| johnsom | Nope, works for linuxbridge, OVS, OVN | 19:59 |
| guesswhat | And is it secure? According to the https://docs.openstack.org/kolla-ansible/latest/reference/networking/octavia.html docs, its not for "production" use | 20:00 |
| johnsom | We run with all three in the test gates | 20:00 |
| johnsom | That says reliable and must be a kolla issue. | 20:01 |
| johnsom | It's very secure, the traffic on that network is all signed or two-way TLS authenticated and encrypted. | 20:01 |
| johnsom | The lb-mgmt-net is very simple. It's just a neutron network of your choosing (provider, vxlan, etc.). The only tricky part is getting the controllers, o-cw, o-hm, o-hk to have access to that network. | 20:02 |
| guesswhat | Hm, I did not get any info from kolla community ... | 20:03 |
| johnsom | You can do that by popping a port of OVS/OVN (as we do in the gate jobs), using provider networks, or setting up a router path to it | 20:03 |
| guesswhat | I tried external L2 network, but I have problem without routing from host, where is controller running ( healthchecks, worker ) | 20:03 |
| johnsom | Yeah, I'm part of the Octavia team. We can't participate in all of the deployment tool teams, there are just too many of them. | 20:03 |
| johnsom | Here is how our gate jobs do it: https://github.com/openstack/neutron/blob/master/devstack/lib/octavia | 20:04 |
| johnsom | Which is very simple. | 20:04 |
| johnsom | If you are doing production, you may want to setup a more robust way of getting the port from OVS/OVN, etc. | 20:05 |
| guesswhat | Seem they are doing the same thing https://github.com/openstack/kolla-ansible/blob/master/roles/veth/tasks/main.yml, but according to kayobe https://github.com/openstack/kayobe/blob/master/ansible/roles/veth/tasks/Debian.yml , it's not persistent for debian based distro | 20:07 |
| guesswhat | Every restart will break it.. | 20:08 |
| johnsom | Yeah, you would need to setup ovs to create the port in a systemd unit or something like that. | 20:08 |
| guesswhat | Kolla covers this https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/octavia/templates/octavia-interface.service.j2 | 20:09 |
| guesswhat | Still dont know why its not reliable... | 20:10 |
| johnsom | That service doesn't create the port in OVS/OVN. it looks like that is maybe just for linuxbridge? | 20:11 |
| guesswhat | I have virtual env, not production, just one controller and node and router ( pfsense ), I am basically using two networks ( wan as neturon external and plan as management network ), now I probably need to do this with with veth pair + bridge plugged to the openvswitch, or know sure what else... | 20:11 |
| guesswhat | Still learning stuff, so it really hard to understand to this "problem" with Octavia | 20:12 |
| johnsom | Yeah, I see that service is related to docker, so... don't know how they have it wired up there. | 20:12 |
| johnsom | I think if you just keep in mind that lb-mgmt-net is just a neutron network, and the tricky part is getting the controllers access to it, you should be able to narrow down what is wrong in kolla or your deployment. | 20:13 |
| guesswhat | Seems its one time only action https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/octavia/tasks/hm-interface.yml#L40 | 20:13 |
| guesswhat | What if lb-mgmt-net would be an external vlan provider network, should I use gateway and router for it ? Or how would be routing done from controllers? | 20:17 |
| johnsom | Yeah, vlan provider networks work fine. You can then either create a port for the controllers directly on the VLAN, or setup routing such that the controllers have a route to reach the amphora on the VLAN and the amphora can route back to the controllers. | 20:19 |
| guesswhat | Here https://drive.google.com/file/d/1XsHKzWni52Xyogy8N0xspuqwE0Ekubuf/view?usp=sharing .. | 20:23 |
| guesswhat | Should I add another network ( vlan trunk ), add L2 external network with vlan range and create lb-mgmt-net on this network with specific segment id ? | 20:25 |
| johnsom | I requested access | 20:26 |
| johnsom | Yeah, then connect that VLAN to the node, for neutron to manage ports, then connect controller container directly to the VLAN and create an interface on that VLAN. | 20:28 |
| johnsom | That would be the easiest way | 20:28 |
| johnsom | It does not need external access for anything. | 20:29 |
| guesswhat | I tried this https://pastebin.com/raw/wvSnNf27, and octavia management network range was 172.18.0.0/16, but i couldn't get it working, routing didn't work from host | 20:33 |
| guesswhat | Maybe I need to create router lb-mgmt-net network and set static routing on trunk.octavia interface to route via this neutron router | 20:35 |
| johnsom | In general that should work fine. With a port directly on the VLAN there is no routing needed, it would be local | 20:35 |
| guesswhat | Maybe I need to read some docs, cuz I am not sure what exactly is a port | 20:38 |
| johnsom | Ok, yeah, maybe read some about setting up neutron provider networks and adding a port on a VLAN in the container. | 20:39 |
| johnsom | Good luck. BTW, the octavia team IRC channel is #openstack-lbaas if you have Octavia questions | 20:40 |
| guesswhat | Does it enable routing from the host if I add port ? | 20:41 |
| johnsom | No, you don't need to enable forwarding on the host. But the host or container would have access onto the network depending on how you setup it up. | 20:43 |
| guesswhat | oh, okay, thanks :) | 20:45 |
| johnsom | No problem, good luck! | 20:45 |
| guesswhat | Everything is running correctly in my install ( zun, magnum, cinder, etc ), but last thing I wanted to enable is octavia and i have a hard times... | 20:46 |
| *** timburke_ is now known as timburke | 20:59 | |
| *** rlandy is now known as rlandy|out | 22:44 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!