#openstack-lbaas log

16:00:17 <gthiemonge> #startmeeting Octavia
16:00:17 <opendevmeet> Meeting started Wed Nov 29 16:00:17 2023 UTC and is due to finish in 60 minutes.  The chair is gthiemonge. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:17 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:17 <opendevmeet> The meeting name has been set to 'octavia'
16:00:20 <gthiemonge> o/
16:00:25 <johnsom> o/
16:00:32 <tweining> o/
16:01:48 <gthiemonge> #topic Announcements
16:01:56 <gthiemonge> well I have no announcement...
16:02:01 <gthiemonge> did I miss something?
16:02:03 <johnsom> Gerrit is having many problems right now.
16:02:29 <johnsom> They seem related and in theory have been fixed in upstream gerrit, but not yet deployed for openinfra
16:02:45 <gthiemonge> hm
16:02:56 <johnsom> One issue is rebases will show as the original author instead of the person triggering the rebase in IRCbot.
16:03:11 <gthiemonge> ack
16:03:16 <johnsom> The more troublesome is patches can pass the gate pipeline, but not be marked as merged in gerrit
16:03:26 <gthiemonge> wow
16:03:53 <gthiemonge> good, our only approved patch looks correct
16:04:27 <johnsom> Yeah, so just a heads up. It's not clear if a recheck will resolve or if there is a bigger issue.
16:05:08 <gthiemonge> ok, thanks for the update johnsom
16:07:02 <gthiemonge> #topic CI Status
16:07:21 <gthiemonge> we still have some patches in review for the DB deadlock issue that we've seen multiple times in the CI
16:07:28 <gthiemonge> https://review.opendev.org/c/openstack/octavia/+/899662
16:07:33 <gthiemonge> https://review.opendev.org/c/openstack/octavia/+/899663
16:08:29 <gthiemonge> the greenlet error still appears randomly, no update for this issue :/
16:10:17 <gthiemonge> #topic Brief progress reports / bugs needing review
16:10:43 <gthiemonge> my fix for the TLS-HELLO HMs is approved but it's blocked because the parent patch is still waiting for another CR+2
16:10:49 <gthiemonge> https://review.opendev.org/c/openstack/octavia/+/901435
16:10:58 <johnsom> I created a patch for handling certificates with no subject or CN:
16:11:05 <johnsom> #link https://review.opendev.org/c/openstack/octavia/+/901689
16:11:25 <johnsom> I would like others to look at the comments there about the certificate definition.
16:11:52 <johnsom> They are asking for a call out that the certificate should meet the x.509 standard.
16:12:13 <johnsom> Which to me is the a bit silly given that is the standard that defines what a certificate *is*
16:12:21 <tweining> ok, I will have a look
16:12:43 <gthiemonge> ok, it's on my todo list
16:13:45 <tweining> since oschwart is not here today, I bring up these backports that are blocking another patch, which in turn blocks the tempest test patch about hsts
16:13:48 <tweining> https://review.opendev.org/q/I700c65fb17bad28b2b922e03d9c94c4716de9cbe
16:14:06 <tweining> I guess johnsom could approve it too
16:14:14 <gthiemonge> johnsom is the owner
16:14:17 <johnsom> Those are my patches
16:14:19 <gthiemonge> I'll review the backports
16:14:30 <johnsom> So, technically I should not approve them
16:15:05 <tweining> yeah, but didn't we say that backports that don't change the api can be approved by the owner after it has one CR+2?
16:15:17 <gthiemonge> the policy says "Where a team member has backported a fix, a single other +2 is sufficient for approval." :D
16:15:32 <gthiemonge> anyway I'll review them
16:15:40 <tweining> thanks
16:15:45 <gthiemonge> it's not a simple bugfix
16:16:28 <johnsom> +1
16:16:49 <gthiemonge> #topic Open Discussion
16:16:53 <gthiemonge> ok I have one topic
16:17:25 <gthiemonge> a user opened a launchpad bug because of an issue when using ACTIVE-STANDBY + additional_vips + HMs
16:17:30 <gthiemonge> https://bugs.launchpad.net/octavia/+bug/2044247
16:17:35 <gthiemonge> a summary:
16:17:54 <gthiemonge> basically, let's consider a LB in ACTIVE_STANDBY with vip_subnet_id subnet1 and additional_vips (subnet2 and subnet3)
16:18:29 <gthiemonge> when the LB is created the amphora has fixed ips only on subnet1 (it's required for VRRP connectivity) and the VIPs on subnet1, subnet2 and subnet3 are controlled by keepalived
16:18:56 <gthiemonge> it means that the BACKUP amphora doesn't have any IP addresses on subnet2 and subnet3
16:19:37 <gthiemonge> if a user creates a member that is on subnet2 (without specifying that the subnet_id is subnet2) the healthchecks from the BACKUP amp don't work (BACKUP amp have no address on subnet2)
16:19:44 <gthiemonge> so the BACKUP amp reports that the member is DOWN
16:19:56 <gthiemonge> there's a workaround/mitigation:
16:20:23 <gthiemonge> if the user specifies that the subnet_id of the member is subnet2, octavia explicitly plugs subnet2 into the amp, and fixed IPs are allocated in both amps
16:20:30 <gthiemonge> so now my questions:
16:20:45 <gthiemonge> is it a bug? should we fix the code (and how?)? should we only document this behavior?
16:21:12 <gthiemonge> (I'm not expecting an answer now, you can take your time and reply in the launchpad)
16:21:55 <gthiemonge> comment 3 shows the network configuration in the amphorae https://bugs.launchpad.net/octavia/+bug/2044247/comments/3
16:23:13 <johnsom> Yeah, that is an interesting scenario where they are not specifying subnets for members that are on "additional VIP" subnets.
16:23:47 <gthiemonge> I don't want to always allocate fixed ips for additional VIPs, that would consume too many IPs for a LB
16:24:38 <johnsom> Yeah, there are definitely concerns about consuming IPs, especially on the "public" or "external" networks
16:26:14 <tweining> is it possible to know during request validation whether there are additional VIPs used or not?
16:27:14 <gthiemonge> like checking that the member IP belongs to the CIDR of an additional VIP? I don't really like this idea
16:27:41 <gthiemonge> the member could also be on another subnet (routable from a VIP subnet)
16:27:59 <tweining> I mean to require the subnet id in such case as described there
16:28:54 <tweining> but yeah, if we don't consider it a bug we should at least document it
16:29:29 <johnsom> It is definitely worth a release note at least
16:29:57 <gthiemonge> ok, if the LB has additional vips and the user doesn't pass a subnet_id when creating a member, we could raise an exception
16:30:14 <gthiemonge> (in the amphora-driver)
16:30:18 <gthiemonge> not in the API
16:30:58 <johnsom> Hmm, why not in the API? It seems like we could check that
16:31:16 <gthiemonge> because this issue is limited to the amphora-driver
16:31:44 <gthiemonge> (we don't know how a 3rd party provider could handle it0
16:31:44 <gthiemonge> )
16:32:31 <johnsom> Hmm, ok, I get your point
16:33:22 <gthiemonge> ok so I will propose a release note + an update in the doc (I don't even think we have doc for additional_vips)
16:33:43 <gthiemonge> and a patch for the amphora-driver
16:34:43 <tweining> sounds good.
16:35:20 <gthiemonge> thank you guys!
16:37:21 <gthiemonge> any other topics for today?
16:37:41 <tweining> not from me
16:37:49 <johnsom> I don't think I have anything else
16:38:26 <gthiemonge> ok
16:39:15 <gthiemonge> then, have a good week! thanks!
16:39:21 <gthiemonge> #endmeeting