[openstack-dev] [octavia]redirection and barbican config

[Abed Abu-Dbai]

Hi,

I updated the description accordingly. Please update the status
 
https://bugs.launchpad.net/devstack/+bug/1655656

Thanks,
Abed

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [octavia]redirection and barbican config

[Abed Abu-Dbai]

Hi,

Please consider the bug:

https://bugs.launchpad.net/devstack/+bug/1655656

Thanks,
Abed Abu dbai

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [octavia]redirection and barbican config

[Michael Johnson]

Hi Akshay,

Currently we are only allowing one VIP per amphora.

You can log into the amphora if you specify a ssh keypair loaded into
nova in the octavia.conf file.  When that is specified you can log
into the amphora via SSH on the management network interface.

Michael

On Mon, Aug 1, 2016 at 5:15 PM, Akshay Kumar Sanghai
 wrote:
> Hi Michael,
> Thanks. I have few more queries:
> - Is it possible to create multiple VIPs on one amphora?
>
> -I created a LB 2 days back. I created all the objects loadbalancer,
> listener, pool and members. The curl was successful for the vip. Today I
> added one more listener listening on port 443 (Terminated https) and added
> pool for it and members for the pool. I have barbican installed and I have
> tried ssl offloading with barbican with haproxy namespace driver.  The curl
> for http and https were giving me code 503, but when I did a curl to the
> member, it was working 200 ok. I tried to figure out where its going wrong,
> but could not. I could not find any errors in octavia-api.log and
> octavia-worker.log. So, I deleted everything and recreated again. Now it was
> working. But for a similar future scenario, how should i figure out where
> things went wrong or where the packet is dropped. Is it possible to login to
> the amphora vm?
>
> Thanks
> Akshay
>
> On Sat, Jul 30, 2016 at 11:45 PM, Michael Johnson 
> wrote:
>>
>> Hi Akshay,
>>
>> For 80 to 443 redirection, you can accomplish this using the new L7
>> rules capability.  You would setup a listener on port 80 that has a
>> redirect rule to the 443 URL.
>>
>> On the barbican question, if you are using the octavia driver, you
>> will need to set the required settings in the octavia.conf file for
>> proper barbican access.
>> Those settings are called out here:
>>
>> http://docs.openstack.org/developer/octavia/config-reference/octavia-config-table.html
>>
>> Michael
>>
>>
>> On Thu, Jul 28, 2016 at 1:02 PM, Akshay Kumar Sanghai
>>  wrote:
>> > Hi,
>> > I have a couple on questions on octavia. Please answer or redirect me to
>> > relevant documentation:
>> > - Assume listener is listening on 443 and client hits the vip on port
>> > 80,
>> > the connection will be refused.  Is it possible to configure http to
>> > https
>> > direction?
>> >
>> > - For the barbican config, the only config item i can find is
>> > cert_manager_type in neutron_lbaas.conf. How do we configure the
>> > barbican
>> > access for lbaas. I assume since we do the access config for nova and
>> > keystone in neutron.conf, there should be some config file where we
>> > define
>> > the barbican access(username, password, auth_url).
>> >
>> > The community has been very helpful to me. Thanks a lot Guys. Appreciate
>> > your efforts.
>> >
>> > Thanks
>> > Akshay Sanghai
>> >
>> >
>> > __
>> > OpenStack Development Mailing List (not for usage questions)
>> > Unsubscribe:
>> > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >
>>
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [octavia]redirection and barbican config

[Akshay Kumar Sanghai]

Hi Michael,
Thanks. I have few more queries:
- Is it possible to create multiple VIPs on one amphora?

-I created a LB 2 days back. I created all the objects loadbalancer,
listener, pool and members. The curl was successful for the vip. Today I
added one more listener listening on port 443 (Terminated https) and added
pool for it and members for the pool. I have barbican installed and I have
tried ssl offloading with barbican with haproxy namespace driver.  The curl
for http and https were giving me code 503, but when I did a curl to the
member, it was working 200 ok. I tried to figure out where its going wrong,
but could not. I could not find any errors in octavia-api.log and
octavia-worker.log. So, I deleted everything and recreated again. Now it
was working. But for a similar future scenario, how should i figure out
where things went wrong or where the packet is dropped. Is it possible to
login to the amphora vm?

Thanks
Akshay

On Sat, Jul 30, 2016 at 11:45 PM, Michael Johnson 
wrote:

> Hi Akshay,
>
> For 80 to 443 redirection, you can accomplish this using the new L7
> rules capability.  You would setup a listener on port 80 that has a
> redirect rule to the 443 URL.
>
> On the barbican question, if you are using the octavia driver, you
> will need to set the required settings in the octavia.conf file for
> proper barbican access.
> Those settings are called out here:
>
> http://docs.openstack.org/developer/octavia/config-reference/octavia-config-table.html
>
> Michael
>
>
> On Thu, Jul 28, 2016 at 1:02 PM, Akshay Kumar Sanghai
>  wrote:
> > Hi,
> > I have a couple on questions on octavia. Please answer or redirect me to
> > relevant documentation:
> > - Assume listener is listening on 443 and client hits the vip on port 80,
> > the connection will be refused.  Is it possible to configure http to
> https
> > direction?
> >
> > - For the barbican config, the only config item i can find is
> > cert_manager_type in neutron_lbaas.conf. How do we configure the barbican
> > access for lbaas. I assume since we do the access config for nova and
> > keystone in neutron.conf, there should be some config file where we
> define
> > the barbican access(username, password, auth_url).
> >
> > The community has been very helpful to me. Thanks a lot Guys. Appreciate
> > your efforts.
> >
> > Thanks
> > Akshay Sanghai
> >
> >
> __
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe:
> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [octavia]redirection and barbican config

[Michael Johnson]

Hi Akshay,

For 80 to 443 redirection, you can accomplish this using the new L7
rules capability.  You would setup a listener on port 80 that has a
redirect rule to the 443 URL.

On the barbican question, if you are using the octavia driver, you
will need to set the required settings in the octavia.conf file for
proper barbican access.
Those settings are called out here:
http://docs.openstack.org/developer/octavia/config-reference/octavia-config-table.html

Michael


On Thu, Jul 28, 2016 at 1:02 PM, Akshay Kumar Sanghai
 wrote:
> Hi,
> I have a couple on questions on octavia. Please answer or redirect me to
> relevant documentation:
> - Assume listener is listening on 443 and client hits the vip on port 80,
> the connection will be refused.  Is it possible to configure http to https
> direction?
>
> - For the barbican config, the only config item i can find is
> cert_manager_type in neutron_lbaas.conf. How do we configure the barbican
> access for lbaas. I assume since we do the access config for nova and
> keystone in neutron.conf, there should be some config file where we define
> the barbican access(username, password, auth_url).
>
> The community has been very helpful to me. Thanks a lot Guys. Appreciate
> your efforts.
>
> Thanks
> Akshay Sanghai
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [octavia]redirection and barbican config

[Akshay Kumar Sanghai]

Hi,
I have a couple on questions on octavia. Please answer or redirect me to
relevant documentation:
- Assume listener is listening on 443 and client hits the vip on port 80,
the connection will be refused.  Is it possible to configure http to https
direction?

- For the barbican config, the only config item i can find is
cert_manager_type in neutron_lbaas.conf. How do we configure the barbican
access for lbaas. I assume since we do the access config for nova and
keystone in neutron.conf, there should be some config file where we define
the barbican access(username, password, auth_url).

The community has been very helpful to me. Thanks a lot Guys. Appreciate
your efforts.

Thanks
Akshay Sanghai
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev