#openstack-lbaas log

16:00:27 <johnsom> #startmeeting Octavia
16:00:27 <openstack> Meeting started Wed Nov 13 16:00:27 2019 UTC and is due to finish in 60 minutes.  The chair is johnsom. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:30 <openstack> The meeting name has been set to 'octavia'
16:01:02 <rm_work> ohai
16:01:12 <rm_work> was reading logs and missed the time :D
16:01:14 <rm_work> but go ahead
16:01:31 <ataraday_> hi
16:01:39 <johnsom> rm_work Nice, you made it. I put an agenda together:
16:01:44 <johnsom> #link https://wiki.openstack.org/wiki/Octavia/Weekly_Meeting_Agenda#Meeting_2019-11-13
16:02:17 <johnsom> #topic Announcements
16:02:41 <johnsom> In case you missed it, our fearless PTL put together a PTG summary e-mail
16:02:48 <johnsom> #link http://lists.openstack.org/pipermail/openstack-discuss/2019-November/010682.html
16:03:19 <johnsom> BTW, I know a few people are travelling today, so attendance might be light today.
16:04:01 <johnsom> That is about all I have for announcements today.
16:04:20 <johnsom> I don't know when the video recordings will be available, so no update on that.
16:04:56 <johnsom> Any other announcements today?
16:05:32 <johnsom> #topic Brief progress reports / bugs needing review
16:06:28 <johnsom> I have been on a bug fix spree recently.  A lot of updates around barbican secrets and TLS offload.
16:06:42 <ataraday_> Small octaviaclient change become not so small https://review.opendev.org/#/c/693144/ :)
16:07:02 <redrobot> 👀
16:07:05 <johnsom> One set are important fixes for LBs with multi-listeners that are using TLS offload.
16:07:23 <openstackgerrit> Adam Harwell proposed openstack/octavia master: Availability Zone admin API  https://review.opendev.org/693765
16:07:24 <rm_work> We're making quick progress on the AZ work -- please to be reviewing :D ^^
16:07:52 <johnsom> redrobot Hi.  Just mentioning some of the patches I posted to handle pkcs12 secrets disappearing (since they don't support registration at the moment).
16:07:54 <ataraday_> I researched ciphers and ciphersuits a bit - maybe can discuss this in open discussion section
16:08:50 <johnsom> Ok, sounds good
16:09:26 <johnsom> I am now shifting focus back to the failover flow re-factor.
16:10:40 <johnsom> As part of the TLS work, I have proposed tempest tests for all of the listener/frontend TLS paths. TLS, SNI, client auth.
16:10:47 <johnsom> Super happy to have good coverage on those.
16:11:24 <johnsom> The backend is going to be a bit more work as we need to enhance our testing web server to have TLS support enough to cover the test cases.
16:11:58 <johnsom> Any other updates today?
16:13:21 <johnsom> #topic Helping Kolla-Ansible eitherpad
16:13:29 <johnsom> #link https://etherpad.openstack.org/p/kolla-ansible-octavia
16:13:57 <johnsom> We have recently had a number of folks come into the channel struggling to use Octavia with the kolla-ansible deployment project.
16:14:46 <johnsom> I don't think any of the core team regularly contribute to kolla-ansible, but we have offered to help resolve some of the issues.
16:15:00 <johnsom> In support of that I setup the above etherpad to answer questions, etc.
16:15:10 <johnsom> Please feel free to contribute, etc.
16:15:51 <johnsom> I think we are close to over ten ways to deploy Octavia, so it is to be expected that the Octavia team may not be directly involved in all of them.
16:16:46 <johnsom> Any other questions/comments on helping kolla-ansible?
16:17:20 <rm_work> I am probably the most experienced of core members, but have been stretched very thin recently, so not sure how much I can help directly
16:17:28 <rm_work> but I will see if I can answer some questions at least
16:17:53 <johnsom> Yep, all I can commit to at this point is helping to answer questions.
16:18:33 <johnsom> #topic Open Discussion
16:18:40 <johnsom> Ok, any other topics today?
16:19:18 <rm_work> Ah, I have one
16:19:45 <johnsom> Ok. I think Ann has one too
16:20:09 <rm_work> I've recently been testing to see if traffic that goes to members via the vip-net is marked as originating from the vrrp_ip (unknown to users), or the ha_ip (VIP) -- and it looks like it's coming from the vrrp_ip
16:20:24 <rm_work> Has anyone else noticed this?
16:21:00 <rm_work> I thought it was set up to route "from" the VIP... We use CentOS amps, it might be working properly in Ubuntu but not in CentOS, or maybe it's not working anywhere...
16:21:18 <rm_work> Anyway, if anyone has a moment to test that or happens to have noticed it is an issue, let me know
16:21:29 <johnsom> Ah, now that I think about this more, yes, I think that is the case. It is the same as for members going out member subnets. It's an arbitrary source IP
16:21:53 <johnsom> I should have a stack in about half an hour I can try it on
16:22:02 <rm_work> can't we have it originate from the VIP? since haproxy IS bound to that address?
16:22:45 <johnsom> Well, it cuts into your capacity if I remember correctly
16:23:30 <johnsom> We might have to make some jinja changes for that too.
16:23:42 <rm_work> yeah, I was looking in the port templates
16:23:59 <rm_work> but I can't read that stuff very well (the port config, not the jinja -- i speak jinja :D)
16:24:08 <johnsom> There is also a RFE to add multiple source IPs, which would conflict with forcing it all to the VIP
16:24:18 <rm_work> hmmm k
16:24:27 <rm_work> well i mean... yeah... multivip :D
16:24:33 <rm_work> also
16:24:54 <johnsom> I am guessing you just want this for "easy security group rules"?
16:25:04 <rm_work> well, not "easy" but "any at all"
16:25:19 <rm_work> it's otherwise impossible for a user to open members to the LB
16:25:24 <rm_work> without opening it to the whole world
16:25:33 <rm_work> since they can't predict the vrrp_ip
16:25:34 <johnsom> One-armed load balancers are less efficient anyway. I would hope that is a rare usecase
16:25:47 <rm_work> it's the only use-case
16:25:49 <rm_work> we have no SDN
16:25:56 <rm_work> there is only one network
16:26:02 <johnsom> Right, or the member subnet source IP, both of which change on failovers.
16:26:04 <ataraday_> sorry, I got disconncted, bad hotel wifi
16:26:24 <rm_work> we need a solution to this
16:26:26 <johnsom> Right now you have two options: Put the members on private networks with no router.
16:26:36 <johnsom> Use TLS client auth for the members
16:27:02 <rm_work> yeah neither of those are possible/viable with our setup
16:27:23 <rm_work> per PCI compliance we just can't open firewall ports that widely apparently
16:27:24 <johnsom> Do you use FWaaS?
16:27:58 <johnsom> Wait, what? Neither of those options provided require opening ports
16:28:08 <rm_work> no, there are physical (and somewhat manually managed for compliance) firewalls for our PCI environments
16:28:32 <rm_work> using TLS client auth for members "secures them" but still requires opening up the SGs to the world
16:28:43 <rm_work> ie exposing the serving port
16:28:47 <rm_work> is what i meant
16:28:58 <rm_work> which is non-viable
16:29:07 <johnsom> Not the world, just the range you are using for you VIP addresses
16:29:22 <johnsom> (the base ports are on the same range as the VIP)
16:29:26 <rm_work> yeah, but that means "any LB" and was rejected
16:29:39 <rm_work> so, no-go
16:29:45 <johnsom> Right. Did you answer my question, do you have FWaaS?
16:29:49 <rm_work> no we do not
16:30:04 <rm_work> we also do not have the ability to let users create private networks T_T
16:30:42 <rm_work> and humorously I'm 2 for 2, this is exactly the same issues we had at GD lol
16:30:45 <johnsom> Yeah, then at this point, there is no solution for that setup.
16:31:01 <rm_work> so either it's not that rare, or I manage to pick exactly the two companies with deployments like this
16:31:16 <johnsom> Ha, that later
16:31:27 <rm_work> i don't believe in those odds :D
16:32:27 <johnsom> Yeah, so you would need an RFE for any of the other changes I can think of. All of which really suck.
16:32:36 <rm_work> this issue was actually a decently relevant factor for the death of octavia in the GD deployment, and it worries me a lot here
16:32:48 <rm_work> and I really doubt it is just us
16:32:59 <rm_work> as funny as that would be :D
16:33:22 <johnsom> The one-armed solution would require a config option, then change the haproxy jinja to force the source to be VIP. This will have a negative impact on the performance and capacity of the LB.
16:33:48 <rm_work> one solution is to allow the user to pass us a SG just to attach it to the port -- then they can use that to allow traffic in
16:33:53 <rm_work> though it's a little janky
16:34:35 <rm_work> or i wonder if it is possible for a user to "allow" traffic via SG that they don't own -- if we exposed one for them
16:35:27 <rm_work> you can say "allow traffic from any port with security_group <ID>", right?
16:35:39 <rm_work> as a SG rule
16:35:48 <johnsom> The other would be (possibly, haven't tried it) to pass an SG ID to each member API create, then have the source ports added to that SG. In theory the neutron transitive-trust would magically make traffic flow. The downside is it would also open those arbitrary ports on our amphora source IPs.
16:36:35 <johnsom> Your second idea is what we can do with FWaaS if I remember, but I'm not sure neutron proper can do it.
16:39:00 <johnsom> I wish SGs had better support for "AND" than it does. Really that would solve a bunch of our problems.
16:39:01 <rm_work> hmm, i thought that was just part of the core SG stuff
16:39:17 <rm_work> that definitely worked at GD and I didn't think we deployed FWaaS
16:39:32 <rm_work> I'll check with Miguel and we can discuss it another time
16:39:39 <johnsom> Ok
16:39:50 <rm_work> You answered me question about drawbacks of the one-armed solution
16:40:08 <johnsom> ataraday_ You had a question about ciphers/suites?
16:40:14 <rm_work> though ... in reality, there's really only one physical NIC in use across all of these virtual NICs anyway, so I don't know how much it really affects throughput
16:40:43 <rm_work> (besides I guess the number of concurrent connections? though i don't think the member side will ever be the limiting factor there)
16:41:13 <johnsom> Well, that is a deployment flaw, but It's not just the nic. Don't forget you have TCP ports in use, queues in the kernel, etc. that have nothing to do with your NIC topology (though you should have more than one)
16:41:53 <ataraday_> johnsom, yes, I put comment on https://review.opendev.org/#/c/685337/ -  I look closer and we can use ssl-default-server-ciphersuites and ssl-default-server-ciphers in one config file. But ciphersuites available only since haproxy 1.8.20
16:42:14 <ataraday_> and for now we have 1.8.8
16:43:09 <rm_work> right, but given that there is one VIP, and it splits those connections to many members, I think it is impossible for that to be an issue on the backend side
16:43:37 <johnsom> Ah, interesting. We should probably request Ubuntu to update the available package. That said, we have code that can detect the version of HAProxy and make changes. This seems like a good candidate for that.
16:43:44 <rm_work> eugh, another thing going to 2.0 would resolve :D
16:44:36 <johnsom> ataraday_ https://github.com/openstack/octavia/blob/master/octavia/amphorae/backends/agent/api_server/haproxy_compatibility.py
16:45:14 <ataraday_> johnsom, thanks for pointing this!
16:45:21 <johnsom> We could expand that to remove the ciphersuite configuration line based on the available version. If it's not greater than 1.8.20 it probably doesn't support TLS 1.3 anyway.
16:46:05 <ataraday_> yeah, seems the way to do that
16:46:56 <johnsom> It looks like my code there only does major minor, so it may need to be expanded to look at the patch number too
16:48:28 <johnsom> Kind of lame they added that in a patch release reallly
16:49:13 <rm_work> yeah
16:49:21 <rm_work> alternatively, we had some plans to pre-cache this info
16:49:35 <rm_work> as a possible way to deal upfront with option validation for providers
16:50:00 <rm_work> we discussed this a bit at the summit, I believe it was in my summary, and there are more notes on the etherpad
16:50:01 <johnsom> Yeah, there is code for round tripping for the version too, but this seems straight forward for this case
16:51:29 <johnsom> #link https://github.com/openstack/octavia/blob/master/octavia/amphorae/drivers/haproxy/rest_api_driver.py#L78
16:51:35 <johnsom> #link https://github.com/openstack/octavia/blob/master/octavia/amphorae/backends/agent/api_server/haproxy_compatibility.py
16:51:42 <johnsom> Forgot we were in a meeting. lol
16:52:20 <johnsom> That L78 is the controller side query for version, but again, it might be more straight forward for this issue to just add it to the agent side adjustments.
16:53:40 <johnsom> Any other topics today?
16:56:11 <rm_work> reviews! reviews reviews! all reviews are useful!
16:56:46 <rm_work> only cores can +2, but the real power is in -1 and that's the same for everyone! reviews!
16:56:47 <johnsom> Yes please. I did a review-day recently, but we still have a bunch of patches that can use some reviews. +1's matter!
16:57:07 <rm_work> I guess I'm just thinking more negatively today :D
16:57:12 <johnsom> True, -1 matters more. lol
16:58:10 <johnsom> Ok, thanks for a great meeting!
16:58:15 <rm_work> I expect most code I write is going to have a bug or two that I didn't catch, and I'm counting on you guys to find them! it's a treasure hunt for bugs! the reward is internet brownie points! <3
16:58:30 <johnsom> #endmeeting