#openstack-lbaas log

16:01:01 <johnsom> #startmeeting Octavia
16:01:02 <openstack> Meeting started Wed Jul 24 16:01:01 2019 UTC and is due to finish in 60 minutes.  The chair is johnsom. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:01:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:01:05 <openstack> The meeting name has been set to 'octavia'
16:01:21 <johnsom> Hi folks. I think I might be on tap to run the meeting today
16:01:31 * johnsom assumes someone will make it today
16:02:25 <ajay33> Hi
16:02:30 <ataraday_> hi
16:02:33 <johnsom> #topic Announcements
16:02:48 <johnsom> AUC codes for the Shanghai summit and PTG are being sent out today. Code is good until online sales close. Cheaper to register earlier.
16:03:04 <johnsom> These are the discount codes you get for contributing to OpenStack.
16:04:07 <johnsom> I don't think I have any more announcements today. Anyone else?
16:04:49 <johnsom> #topic Brief progress reports / bugs needing review
16:05:07 <johnsom> I have wrapped up development on the single-process haproxy patch
16:05:13 <johnsom> #link https://review.opendev.org/#/c/668068/
16:05:18 <johnsom> It is up for review now
16:05:50 <johnsom> My plan is to pivot back to finishing up the octavia-lib get work (functional tests), then I plan to spend some time on the failover flows.
16:07:21 <johnsom> Any other updates today?
16:07:25 <ataraday_> Started to collect everything together with https://review.opendev.org/#/c/647406/ - still, but will check if something in flows is missing
16:07:35 <ataraday_> and please review
16:07:36 <johnsom> ataraday_ is there a patch I should prioritize reviewing for you?
16:07:54 <ataraday_> johnsom, yes
16:08:01 <ataraday_> #link https://review.opendev.org/#/c/662791/
16:08:15 <johnsom> Ok
16:08:20 <johnsom> Thanks
16:08:32 <ataraday_> also this one really small
16:08:38 <ataraday_> #link https://review.opendev.org/#/c/659538
16:09:19 <johnsom> Ok, I will try to look at those after the meeting.
16:10:00 <ataraday_> johnsom, Thanks! I may need to get your listeners change rebased https://review.opendev.org/#/c/660236/
16:10:20 <johnsom> Yeah, I know that is a bit out of date now.  I will look at doing that today as well.
16:10:35 <johnsom> Though the single-process patch will also conflict. Sigh
16:11:10 <johnsom> #topic Gerrit ACLs and included groups (neutron-release)
16:11:28 <johnsom> I added this topic to the agenda, but I don't think we have core quorum to discuss it today.
16:11:57 <johnsom> Basically we have a legacy ACL on the Octavia gerrit config that it might be time to remove.
16:12:21 <johnsom> #topic Priority bug review list
16:12:32 <johnsom> #link https://etherpad.openstack.org/p/octavia-priority-reviews
16:12:48 <johnsom> I had an action item from a few weeks back to start the priority reviews list again.
16:13:04 <johnsom> I have made a first attempt at this with the link above.
16:13:32 <johnsom> I tried to order it with how old the patch is, is there a dependency chain, is it a user impacting bug, etc.
16:14:07 <johnsom> Feel free to discuss the ordering, etc. It is really to help us know how many reviews we are behind, etc.
16:15:21 <johnsom> I will also update the IRC channel topic to point to this etherpad after the meeting.
16:15:40 <johnsom> #topic Open Discussion
16:15:47 <johnsom> Any other topics today?
16:16:28 <ataraday_> not from my side
16:17:46 <ajay33> https://www.irccloud.com/pastebin/VAg0Dyf5/
16:18:05 <johnsom> Hi Ajay!  Welcome
16:18:38 <johnsom> ajay33 Is there an area you are interested in? Is there something I can do to help get you started?
16:18:49 <ajay33> Currently, I will like to deploy the octavia manually on my Openstack environment
16:19:15 <johnsom> Ok, cool. Is it a devstack or a full OpenStack deployment?
16:19:27 <ajay33> Can you guide/refer me any good link to deploy this
16:20:07 <johnsom> This sadly is an area we have more documentation needed, but here are some pointers:
16:20:09 <johnsom> https://docs.openstack.org/octavia/latest/contributor/guides/dev-quick-start.html
16:20:12 <johnsom> #link https://docs.openstack.org/octavia/latest/contributor/guides/dev-quick-start.html
16:20:23 <johnsom> That is an overview of the process, but not very detailed.
16:20:30 <ajay33> it is fully openstack deployent (I had deployed Keystone, nova, cinder, neutron , horizon on my setup)
16:20:45 <johnsom> #link https://github.com/openstack/octavia/blob/master/devstack/plugin.sh
16:21:10 <johnsom> Our devstack plugin does an install of Octavia for devstack deployments. This script can be used as a reference.
16:21:47 <ajay33> ok johnsom
16:21:47 <ajay33> Thanks for your help !!
16:22:14 <jrosser> i have a question about locally built amphora images
16:22:35 <johnsom> You can also look at our scenario test job output to see a reference octavia.conf file: http://logs.openstack.org/08/661308/3/check/octavia-v2-dsvm-scenario/5078a8e/controller/logs/etc/octavia/octavia_conf.txt.gz
16:22:40 <johnsom> #link http://logs.openstack.org/08/661308/3/check/octavia-v2-dsvm-scenario/5078a8e/controller/logs/etc/octavia/octavia_conf.txt.gz
16:23:01 <johnsom> We are also around in this channel so you can ask questions at any time.
16:23:17 <johnsom> jrosser Hi, what is your question?
16:23:29 <ajay33> ok johnsom, I will put my queries here :)
16:23:30 <jrosser> we have a jenkins pipeline running which is producing new amphora, and i'd like some advice about the correct credential to be using to authenticate with keystone to upload / replace the existing image
16:23:57 <jrosser> it feels almost like there could be an octavia role in keystone specifically for this?
16:24:27 <johnsom> jrosser The credentials you are using in your [service_auth] section of the octavia.conf.
16:25:32 <johnsom> Those are the credentials we will use when talking to nova, so the image should be visible to that user/project in glance.
16:26:10 <jrosser> right - i was a bit uneasy about extracting a quite powerful credential and embedding it in an external CI, whose job is to just bake and upload images
16:28:02 <johnsom> Are you using "admin" for your [service_auth]? I could see that being a bit scary yes. If you are using an "octavia" account, then it's less concerning, but still could impact the load balancers.
16:29:00 <johnsom> You could also setup custom RBAC on glance to allow a non-privileged account to upload and set the project_id on it. (At least I would assume you can. I have not looked at the glance RBAC)
16:29:33 <jrosser> [service_auth] has an octivia user in this case
16:29:53 <jrosser> and yes i was wondering really if there was any existing best practice for using RBAC for this
16:31:07 <johnsom> Looks like the glance policy documentation is a bit light
16:31:10 <johnsom> #link https://docs.openstack.org/glance/stein/admin/policies.html
16:31:29 <johnsom> Maybe ask about it in the  glance IRC or on openstack-discuss
16:32:02 <jrosser> ok, i think why i was nervous is that th octavia user is an admin in the service project
16:32:17 <jrosser> i will check the RBAC docs some more, thanks for the tips
16:32:24 <johnsom> Sure, NP
16:33:52 <johnsom> jrosser The "sharing" capability might also help.
16:33:54 <johnsom> #link https://docs.openstack.org/api-ref/image/v2/index.html#sharing
16:33:59 <johnsom> Not sure though, I haven't used it.
16:34:56 <jrosser> oh interesting yes - that could work too
16:35:26 <johnsom> Then in Octavia set octavia_amp_image_owner_id such that it considers the other owner ID as valid
16:36:59 <johnsom> Ok, other topics for today?
16:38:32 <johnsom> Ok, thank you for joining today!
16:38:35 <johnsom> #endmeeting