Re: [Openstack-operators] [OCTAVIA][KOLLA] - Self signed CA/CERTS

2018-08-16 Thread Flint WALRUS
Hi Michael,

Ok, it was indeed an issue with the create_certificate.sh script for centos
that indeed improperly created the client.pem certificate.

However now the amphora is responding with a 404 not found when the worker
is trying to post /v0.5/plug/vip/10.1.56.12

I know the amphora and the worker are correctly communicating as I can see
the amphora-proxy net namespace being set with the subnet ip as eth1 and
the vip as eth1:0

I did a tcpdump on each side (worker and amphora) and correctly see the
two-way network communication.

I checked the 9443 port and it is correctly bound to the gunicorn server
using the lb-mgmt-net IP of the amphora.

Are there any logs for the gunicorn server where I could check why
the amphora is not able to find the API endpoint?

On Tue, 14 Aug 2018 at 19:53, Flint WALRUS wrote:

> I’ll try to check the certificate format and make the appropriate change
> if required or let you know if I’ve got something specific regarding that
> topic.
>
> Kind regards,
> G.
> On Tue, 14 Aug 2018 at 19:52, Flint WALRUS wrote:
>
>> Hi Michael, thanks a lot for your quick response once again!
>> On Tue, 14 Aug 2018 at 18:21, Michael Johnson wrote:
>>
>>> Hi there Flint.
>>>
>>> Octavia fully supports using self-signed certificates and we use those
>>> in our gate tests.
>>> We do not allow non-TLS authenticated connections in the code, even
>>> for lab setups.
>>>
>>> This is a configuration issue or certificate file format issue. When
>>> the controller is attempting to access the controller local
>>> certificate file (likely the one we use to prove we are a valid
>>> controller to the amphora agent) it is finding a file without the
>>> required PEM format header. Check that your certificate files have the
>>> "-----BEGIN CERTIFICATE-----" line (maybe they are in binary DER
>>> format and just need to be converted).
>>>
>>> Also for reference, here are the minimal steps we use in our gate
>>> tests to setup the TLS certificates:
>>>
>>> https://github.com/openstack/octavia/blob/master/devstack/plugin.sh#L295-L305
>>>
>>> Michael
>>> On Tue, Aug 14, 2018 at 4:54 AM Flint WALRUS 
>>> wrote:
>>> >
>>> >
>>> > Hi guys,
>>> >
>>> > I continue to work on my Octavia integration using Kolla-Ansible and
>>> > I'm facing a strange behavior.
>>> >
>>> > As for now I'm working on a POC using restricted HW and SW capacities,
>>> > I'm facing a strange issue when trying to launch a new load-balancer.
>>> >
>>> > When I create a new LB, whether using the CLI or the WebUI, the amphora
>>> > immediately disappears and the LB status switches to ERROR.
>>> >
>>> > When looking at logs and especially Worker logs, I see that the error
>>> > seems to be related to the fact that the worker can't connect to the
>>> > amphora because of a TLS handshake issue, which triggers the contact
>>> > timeout and rolls back the amphora creation.
>>> >
>>> > Here is the worker.log relevant trace:
>>> >
>>> > 2018-08-07 07:33:57.108 24 INFO octavia.controller.queue.endpoint [-]
>>> Creating load balancer 'bf7ab6e4-081a-4b4d-b7a0-c176a9cb995e'...
>>> > 2018-08-07 07:33:57.220 24 INFO
>>> octavia.controller.worker.tasks.database_tasks [-] Created Amphora in DB
>>> with id c20af002-1576-446e-b99f-7af607b8d885
>>> > 2018-08-07 07:33:57.285 24 INFO octavia.certificates.generator.local
>>> [-] Signing a certificate request using OpenSSL locally.
>>> > 2018-08-07 07:33:57.285 24 INFO octavia.certificates.generator.local
>>> [-] Using CA Certificate from config.
>>> > 2018-08-07 07:33:57.285 24 INFO octavia.certificates.generator.local
>>> [-] Using CA Private Key from config.
>>> > 2018-08-07 07:33:57.286 24 INFO octavia.certificates.generator.local
>>> [-] Using CA Private Key Passphrase from config.
>>> > 2018-08-07 07:34:04.074 24 INFO
>>> octavia.controller.worker.tasks.database_tasks [-] Mark ALLOCATED in DB for
>>> amphora: c20af002-1576-446e-b99f-7af607b8d885 with compute id
>>> 3bbabfa6-366f-46a4-8fb2-1ec7158e19f1 for load balancer:
>>> bf7ab6e4-081a-4b4d-b7a0-c176a9cb995e
>>> > 2018-08-07 07:34:04.253 24 INFO
>>> octavia.network.drivers.neutron.allowed_address_pairs [-] Port
>>> a7bae53e-0bc6-4830-8c75-646a8baf2885 already exists. Nothing to be done.
>>> > 2018-08-07 07:34:19.656 24 WARNING
>>> octavia.amphorae.drivers.haproxy.rest_api_driver [-] Could not connect to
>>> instance. Retrying.: ConnectTimeout:
>>> HTTPSConnectionPool(host='10.1.56.103', port=9443): Max retries exceeded
>>> with url: /0.5/plug/vip/192.168.56.100 (Caused by
>>> ConnectTimeoutError(>> object at 0x7f4c28415c50>, 'Connection to 10.1.56.103 timed out. (connect
>>> timeout=10.0)'))
>>> > 2018-08-07 07:34:24.673 24 WARNING
>>> octavia.controller.worker.controller_worker [-] Task
>>> 'octavia.controller.worker.tasks.amphora_driver_tasks.AmphoraePostVIPPlug'
>>> (c86bbab6-87d5-4930-8832-5511d42efe3e) transitioned into state 'FAILURE'
>>> from state 'RUNNING'
>>> > 34 predecessors (most recent first):
>>> >   Atom
>>> 
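
The certificate-format check suggested in the thread above (PEM header present, or binary DER that needs converting), as an added example that is not part of the original messages or of Octavia's code. The function names and the sample bytes are assumptions made for illustration; the check is structural only and does not validate the certificate.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.DOTALL)

def looks_like_der(data: bytes) -> bool:
    """True if data is one ASN.1 SEQUENCE whose declared length spans all of it."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                    # short-form length byte
        header, length = 2, data[1]
    else:                                 # long form: low 7 bits = count of length bytes
        n = data[1] & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def classify_cert(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a certificate file."""
    m = PEM_RE.search(data)
    if m:
        try:
            body = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:                # bad base64 between the PEM markers
            return "unknown"
        return "pem" if looks_like_der(body) else "unknown"
    return "der" if looks_like_der(data) else "unknown"

def to_pem(data: bytes) -> bytes:
    """Return PEM bytes, wrapping a DER input in the header a PEM reader expects."""
    kind = classify_cert(data)
    if kind == "pem":
        return data
    if kind != "der":
        raise ValueError("not a PEM or DER certificate")
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n").encode("ascii")

# Constructed samples: DER-shaped bytes (not a real certificate), their PEM
# form, and a copy with a damaged header line like the case in the thread.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = to_pem(SAMPLE_DER)
BROKEN_PEM = SAMPLE_PEM.replace(b"-----BEGIN", b"-BEGIN")
```
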

Re: [Openstack-operators] [openstack-dev] [puppet] migrating to storyboard

2018-08-16 Thread Kendall Nelson
Hey :)

I created all the puppet openstack repos in the storyboard-dev environment
and made a project group[1]. I am struggling a bit with finding all of your
launchpad projects to perform the migrations through, can you share a list
of all of them?

-Kendall (diablo_rojo)

[1] https://storyboard-dev.openstack.org/#!/project_group/60

On Wed, Aug 15, 2018 at 12:08 AM Tobias Urdin 
wrote:

> Hello Kendall,
>
> Thanks for your reply, that sounds awesome!
> We can then dig around and see how everything looks when all project bugs
> are imported to stories.
>
> I see no issues with being able to move to Storyboard anytime soon if the
> feedback for
> moving is positive.
>
> Best regards
>
> Tobias
>
>
> On 08/14/2018 09:06 PM, Kendall Nelson wrote:
>
> Hello!
>
> The error you hit can be resolved by adding launchpadlib to your tox.ini
> if I recall correctly.
>
> also, if you'd like, I can run a test migration of puppet's launchpad
> projects into our storyboard-dev db (where I've done a ton of other test
> migrations) if you want to see how it looks/works with a larger db. Just
> let me know and I can kick it off.
>
> As for a time to migrate, if you all are good with it, we usually schedule
> for Fridays so there is even less activity. It's a small project config
> change and then we just need an infra core to kick off the script once the
> change merges.
>
> -Kendall (diablo_rojo)
>
> On Tue, Aug 14, 2018 at 9:33 AM Tobias Urdin 
> wrote:
>
>> Hello all incredible Puppeters,
>>
>> I've tested setting up a Storyboard instance and test migrated
>> puppet-ceph and it went without any issues there using the documentation
>> [1] [2]
>> with just one minor issue during the SB setup [3].
>>
>> My goal is that we will be able to swap to Storyboard during the Stein
>> cycle but considering that we have a low activity on
>> bugs my opinion is that we could do this swap very easily anytime soon
>> as long as everybody is in favor of it.
>>
>> Please let me know what you think about moving to Storyboard?
>> If everybody is in favor of it we can request a migration to infra
>> according to documentation [2].
>>
>> I will continue to test the import of all our projects while people are
>> collecting their thoughts and feedback :)
>>
>> Best regards
>> Tobias
>>
>> [1] https://docs.openstack.org/infra/storyboard/install/development.html
>> [2] https://docs.openstack.org/infra/storyboard/migration.html
>> [3] It failed with an error about launchpadlib not being installed,
>> solved with `tox -e venv pip install launchpadlib`
>>
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
___
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators


[Openstack-operators] User Committee Nominations Closing Soon!

2018-08-16 Thread Ed Leafe
As I write this, there are just over 12 hours left to get in your nominations 
for the OpenStack User Committee. Nominations close at August 17, 05:59 UTC.

If you are an AUC and thinking about running, what's stopping you? If you know
of someone who would make a great committee member, nominate them (with their
permission, of course)! Help make a difference for Operators, Users and the
Community!

-- Ed Leafe



[Openstack-operators] [community][Rocky] Save the Date: Community Meeting: Rocky + project updates

2018-08-16 Thread Anne Bertucio
Hi all,

Save the date for an OpenStack community meeting on August 30 at 3pm UTC. This 
is the evolution of the “Marketing Community Release Preview” meeting that 
we’ve had each cycle. While that meeting has always been open to all, we wanted 
to expand the topics and encourage anyone who was interested in getting updates 
on the Rocky release or the newer projects at OSF to attend. 

We’ll cover:
—What’s new in Rocky
(This info will still be at a fairly high level, so might not be new 
information if you’re someone who stays up to date in the dev ML or is actively 
involved in upstream work)

—Updates from Airship, Kata Containers, StarlingX, and Zuul

—What you can expect at the Berlin Summit in November

This meeting will be run over Zoom (look for info closer to the 30th) and will 
be recorded, so if you can’t make the time, don’t panic! 

Cheers,
Anne Bertucio
OpenStack Foundation
a...@openstack.org | irc: annabelleB



Re: [Openstack-operators] Routing deployments + Storage networks

2018-08-16 Thread Saverio Proto
Hello,

we route the Ceph storage network in the same fabric. We did not have
problems with that so far.

Cheers

Saverio

On Thu, 16 Aug 2018 at 10:43, Paul Browne wrote:
>
> Hi operators,
>
> I had a quick question for those operators who use a routed topology for 
> their OpenStack deployments, whether routed spine-leaf or routed underlay 
> providing L2 connectivity in tunnels;
>
> Where using one, would the storage network (e.g. Ceph public network) also be 
> routed on the same fabric, or would separate fabric be employed here to 
> reduce hops?
>
> Many thanks,
> Paul Browne
>
> --
> ***
> Paul Browne
> Research Computing Platforms
> University Information Services
> Roger Needham Building
> JJ Thompson Avenue
> University of Cambridge
> Cambridge
> United Kingdom
> E-Mail: pf...@cam.ac.uk
> Tel: 0044-1223-746548
> ***


Re: [Openstack-operators] [openstack-dev] [nova] ask deployment question

2018-08-16 Thread Saverio Proto
Hello Rambo,

you can find information about other deployments reading the User Survey:
https://www.openstack.org/user-survey/survey-2018/landing

For blog posts with experiences from other operators check out:
https://superuser.openstack.org/ and http://planet.openstack.org/

Cheers

Saverio

On Thu, 16 Aug 2018 at 11:59, Rambo wrote:
>
> Hi, all
>    I have some questions about deploying a large-scale OpenStack cloud,
> such as:
>    1. Only in one region situation, how many physical machines are the
> biggest deployment scale in our community?
>    Can you tell me more about these combined with own practice? Would you
> give me some methods to learn it? Such as the website, blog and so on. Thank
> you very much! Looking forward to hearing from you.
>
>
> Best Regards
> Rambo


[Openstack-operators] [publiccloud-wg] Meeting this afternoon for Public Cloud WG

2018-08-16 Thread Tobias Rydberg

Hi folks,

Time for a new meeting for the Public Cloud WG. Agenda draft can be 
found at https://etherpad.openstack.org/p/publiccloud-wg, feel free to 
add items to that list.


See you all later this afternoon at IRC 1400 UTC in #openstack-publiccloud

Cheers,
Tobias

--
Tobias Rydberg
Senior Developer
Twitter & IRC: tobberydberg

www.citynetwork.eu | www.citycloud.com

INNOVATION THROUGH OPEN IT INFRASTRUCTURE
ISO 9001, 14001, 27001, 27015 & 27018 CERTIFIED




[Openstack-operators] [openstack-dev] [nova] ask deployment question

2018-08-16 Thread Rambo
Hi, all
   I have some questions about deploying a large-scale OpenStack cloud,
such as:
   1. Only in one region situation, how many physical machines are the
biggest deployment scale in our community?
   Can you tell me more about these combined with own practice? Would you
give me some methods to learn it? Such as the website, blog and so on. Thank you
very much! Looking forward to hearing from you.

Best Regards
Rambo


[Openstack-operators] Routing deployments + Storage networks

2018-08-16 Thread Paul Browne
Hi operators,

I had a quick question for those operators who use a routed topology for
their OpenStack deployments, whether routed spine-leaf or routed underlay
providing L2 connectivity in tunnels;

Where using one, would the storage network (e.g. Ceph public network) also
be routed on the same fabric, or would separate fabric be employed here to
reduce hops?

Many thanks,
Paul Browne

-- 
***
Paul Browne
Research Computing Platforms
University Information Services
Roger Needham Building
JJ Thompson Avenue
University of Cambridge
Cambridge
United Kingdom
E-Mail: pf...@cam.ac.uk
Tel: 0044-1223-746548
***