Re: [openstack-dev] [neutron][lbaas] Barbican container lookup from lbaas
Hey Douglas,

Thanks for the reply. Will look into barbican ACLs and test it out.
Also, had 1 more follow up question...

1) Currently the HAProxy LBaaS instance sits on the controller. The certificate download happens on the controller too.
2) Once we move to service-vm model, where service-vms could reside on compute hypervisors, where will the cert download happen? Still on controller in the flow?

Thanks,
Varun

On 9/18/15, 10:53 PM, "Douglas Mendizábal" <douglas.mendiza...@rackspace.com> wrote:

> Hi Varun,
>
> I believe the expected workflow for this use case is:
>
> 1. User uploads cert + key to Barbican
> 2. User grants lbaas access to the barbican certificate container using the ACL API [1]
> 3. User requests tls container by providing Barbican container reference
>
> Since the user grants the lbaas user access in step 2, the token generated using the conf file credentials will be accepted by Barbican and the certificate will be made available to lbaas.
>
> - Douglas Mendizábal
>
> [1] http://docs.openstack.org/developer/barbican/api/quickstart/acls.html
>
> On 9/19/15 12:13 AM, Varun Lodaya wrote:
>> Hi Guys,
>>
>> With lbaasv2, I noticed that when we try to associate tls containers with lbaas listeners, lbaas tries to validate the container and while doing so, tries to get keystone token based on tenant/user credentials in neutron.conf file. However, the barbican containers could belong to different users in different tenants, in that case, container look up would always fail? Am I missing something?
>>
>> Thanks,
>> Varun

OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
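Step 2 of the workflow quoted above, sketched as an added example that is not part of the original thread or of the neutron-lbaas code: it plans the ACL updates that give one service user read access while keeping users already on each ACL. The endpoint, references and user IDs are constructed, and it assumes the secrets referenced by the container need their own ACL entries in addition to the container.

```python
import json

BASE = "https://barbican.example.test:9311/v1"  # constructed endpoint

# Constructed sample of GET <container_ref> for a certificate container.
SAMPLE_CONTAINER = {
    "type": "certificate",
    "container_ref": BASE + "/containers/c-0001",
    "secret_refs": [
        {"name": "certificate", "secret_ref": BASE + "/secrets/s-cert"},
        {"name": "private_key", "secret_ref": BASE + "/secrets/s-key"},
    ],
}

# Constructed GET <ref>/acl results; a missing entry means the default ACL.
SAMPLE_ACLS = {
    BASE + "/containers/c-0001": {
        "read": {"users": ["auditor-user-id"], "project-access": False}},
    BASE + "/secrets/s-cert": {
        "read": {"users": ["lbaas-user-id"], "project-access": True}},
}


def acl_grant_plan(container, existing_acls, lbaas_user_id):
    """Return (method, url, body) tuples that add one reader to each ACL.

    lbaas_user_id is the Keystone ID of the user configured in neutron.conf
    (assumed to be known to the certificate owner).
    """
    refs = [container["container_ref"]]
    refs += [s["secret_ref"] for s in container.get("secret_refs", [])]
    plan = []
    for ref in refs:
        read = existing_acls.get(ref, {}).get("read", {})
        users = list(read.get("users", []))
        if lbaas_user_id in users:
            continue  # already granted, nothing to send
        users.append(lbaas_user_id)
        # PUT replaces the whole ACL, so existing readers are carried over.
        body = {"read": {"users": users,
                         "project-access": read.get("project-access", True)}}
        plan.append(("PUT", ref + "/acl", body))
    return plan


if __name__ == "__main__":
    for step in acl_grant_plan(SAMPLE_CONTAINER, SAMPLE_ACLS, "lbaas-user-id"):
        print(step[0], step[1], json.dumps(step[2]))
```

Granting only the `read` operation to a single user ID keeps the certificate and key private to their owner plus the load balancer service.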
[openstack-dev] [neutron][lbaas] Barbican container lookup from lbaas
Hi Guys,

With lbaasv2, I noticed that when we try to associate tls containers with lbaas listeners, lbaas tries to validate the container and while doing so, tries to get keystone token based on tenant/user credentials in neutron.conf file. However, the barbican containers could belong to different users in different tenants, in that case, container look up would always fail? Am I missing something?

Thanks,
Varun
[openstack-dev] port-create with network from a different tenant does not fail
Hi,

We were seeing this issue where if the user role is admin in 2 tenants A and B and he issues neutron port-create network-id in tenant A where network-id is in tenant B, it ends up creating that port. Ideally, it should have failed since you cannot have the port/network in different tenants.

varunlodaya@ubuntu:~/devstack$ neutron port-show fc6917ea-0c0c-4ec5-9202-4441701c9984
+-----------------------+--------------------------------------------------------------------------+
| Field                 | Value                                                                    |
+-----------------------+--------------------------------------------------------------------------+
| admin_state_up        | True                                                                     |
| allowed_address_pairs |                                                                          |
| binding:host_id       |                                                                          |
| binding:profile       | {}                                                                       |
| binding:vif_details   | {}                                                                       |
| binding:vif_type      | unbound                                                                  |
| binding:vnic_type     | normal                                                                   |
| device_id             |                                                                          |
| device_owner          |                                                                          |
| extra_dhcp_opts       |                                                                          |
| fixed_ips             | {subnet_id: 8c9f5682-daf8-40e1-9b6a-57cfed7f024c, ip_address: 10.1.1.13} |
| id                    | fc6917ea-0c0c-4ec5-9202-4441701c9984                                     |
| mac_address           | fa:16:3e:18:6e:95                                                        |
| name                  |                                                                          |
| network_id            | 0036a345-35ea-42c8-a66c-f9831d0a03a5                                     |
| security_groups       | 45786089-d53f-4eec-8be6-cb49766e55c1                                     |
| status                | DOWN                                                                     |
| tenant_id             | d0d1e6e21268418bb0adcea413a3                                             |
+-----------------------+--------------------------------------------------------------------------+
varunlodaya@ubuntu:~/devstack$ neutron net-show 0036a345-35ea-42c8-a66c-f9831d0a03a5
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 0036a345-35ea-42c8-a66c-f9831d0a03a5 |
| name                      | alt_private                          |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 1003                                 |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 8c9f5682-daf8-40e1-9b6a-57cfed7f024c |
| tenant_id                 | 099bfd6e59434b51a479ab7142ff01df     |
+---------------------------+--------------------------------------+
varunlodaya@ubuntu:~/devstack$

Is this an expected behavior or a known bug? Should I create a new one?

Thanks,
Varun
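For operators who want to review ports like the one shown above, an added example (not part of the original post or of neutron): it parses `port-show` / `net-show` table output and reports a port whose tenant differs from the tenant of a non-shared network. The tables and IDs below are constructed and trimmed to the fields the check uses.

```python
# Constructed sample output, modelled on the tables in the post.
PORT_SHOW = """\
+------------+-------------+
| Field      | Value       |
+------------+-------------+
| id         | port-0001   |
| name       |             |
| network_id | net-0001    |
| tenant_id  | tenant-a-id |
+------------+-------------+
"""
NET_SHOW = """\
+-----------+-------------+
| Field     | Value       |
+-----------+-------------+
| id        | net-0001    |
| shared    | False       |
| tenant_id | tenant-b-id |
+-----------+-------------+
"""


def parse_show_table(text):
    """Turn a two-column 'Field | Value' table into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # border rows, shell prompts, blank lines
        field, _, value = line[1:-1].partition("|")
        if field.strip() != "Field":  # skip the header row
            fields[field.strip()] = value.strip()
    return fields


def cross_tenant_finding(port, network):
    """Return a description if the port crosses tenants, else None."""
    if port.get("network_id") != network.get("id"):
        raise ValueError("port is not attached to this network")
    if network.get("shared") == "True":
        return None  # shared networks are meant to carry other tenants' ports
    if port.get("tenant_id") == network.get("tenant_id"):
        return None
    return "port %s (tenant %s) is on non-shared network %s (tenant %s)" % (
        port["id"], port["tenant_id"], network["id"], network["tenant_id"])


if __name__ == "__main__":
    print(cross_tenant_finding(parse_show_table(PORT_SHOW),
                               parse_show_table(NET_SHOW)))
```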
[openstack-dev] [neutron] - port-create with network from a different tenant does not fail
Adding the right subject line.

From: Varun Lodaya <varun_lod...@symantec.com>
Date: Tuesday, February 10, 2015 at 2:26 PM
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
Subject: port-create with network from a different tenant does not fail

Hi,

We were seeing this issue where if the user role is admin in 2 tenants A and B and he issues neutron port-create network-id in tenant A where network-id is in tenant B, it ends up creating that port. Ideally, it should have failed since you cannot have the port/network in different tenants.

varunlodaya@ubuntu:~/devstack$ neutron port-show fc6917ea-0c0c-4ec5-9202-4441701c9984
+-----------------------+--------------------------------------------------------------------------+
| Field                 | Value                                                                    |
+-----------------------+--------------------------------------------------------------------------+
| admin_state_up        | True                                                                     |
| allowed_address_pairs |                                                                          |
| binding:host_id       |                                                                          |
| binding:profile       | {}                                                                       |
| binding:vif_details   | {}                                                                       |
| binding:vif_type      | unbound                                                                  |
| binding:vnic_type     | normal                                                                   |
| device_id             |                                                                          |
| device_owner          |                                                                          |
| extra_dhcp_opts       |                                                                          |
| fixed_ips             | {subnet_id: 8c9f5682-daf8-40e1-9b6a-57cfed7f024c, ip_address: 10.1.1.13} |
| id                    | fc6917ea-0c0c-4ec5-9202-4441701c9984                                     |
| mac_address           | fa:16:3e:18:6e:95                                                        |
| name                  |                                                                          |
| network_id            | 0036a345-35ea-42c8-a66c-f9831d0a03a5                                     |
| security_groups       | 45786089-d53f-4eec-8be6-cb49766e55c1                                     |
| status                | DOWN                                                                     |
| tenant_id             | d0d1e6e21268418bb0adcea413a3                                             |
+-----------------------+--------------------------------------------------------------------------+
varunlodaya@ubuntu:~/devstack$ neutron net-show 0036a345-35ea-42c8-a66c-f9831d0a03a5
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 0036a345-35ea-42c8-a66c-f9831d0a03a5 |
| name                      | alt_private                          |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 1003                                 |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 8c9f5682-daf8-40e1-9b6a-57cfed7f024c |
| tenant_id                 | 099bfd6e59434b51a479ab7142ff01df     |
+---------------------------+--------------------------------------+
varunlodaya@ubuntu:~/devstack$

Is this an expected behavior or a known bug? Should I create a new one?

Thanks,
Varun
Re: [openstack-dev] [neutron] [lbaas] LBaaS Haproxy performance benchmarking
Thanks Miguel.

From: Miguel Ángel Ajo <majop...@redhat.com>
Reply-To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
Date: Wednesday, February 4, 2015 at 1:10 AM
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [neutron] [lbaas] LBaaS Haproxy performance benchmarking

You can try with httperf[1], or ab[2] for http workloads.

If you will use overlay, make sure your network MTU is correctly configured to handle the extra size of the overlay (GRE / VXLAN packets) otherwise you will be introducing fragmentation overhead on the tenant networks.

[1] http://www.hpl.hp.com/research/linux/httperf/
[2] http://httpd.apache.org/docs/2.2/programs/ab.html

Miguel Ángel Ajo

On Wednesday, 4 de February de 2015 at 01:58, Varun Lodaya wrote:

> Hi,
>
> We were trying to use haproxy as our LBaaS solution on the overlay. Has anybody done some baseline benchmarking with LBaaSv1 haproxy solution?
>
> Also, any recommended tools which we could use to do that?
>
> Thanks,
> Varun
Re: [openstack-dev] [neutron] [lbaas] LBaaS Haproxy performance benchmarking
Thanks Baptiste. I will try that tool. I worked with ab and was seeing really low results. But let me give httpress a shot :)

Thanks,
Varun

On 2/3/15, 7:01 PM, Baptiste <bed...@gmail.com> wrote:

> On Wed, Feb 4, 2015 at 1:58 AM, Varun Lodaya <varun_lod...@symantec.com> wrote:
>> Hi,
>>
>> We were trying to use haproxy as our LBaaS solution on the overlay. Has anybody done some baseline benchmarking with LBaaSv1 haproxy solution?
>>
>> Also, any recommended tools which we could use to do that?
>>
>> Thanks,
>> Varun
>
> Hi Varun,
>
> large subject :)
> any injector could do the trick.
> I usually use inject (from HAProxy's author) and httpress.
> They can hammer a single URL, but if the purpose is to measure HAProxy's performance, then this is more than enough.
>
> Baptiste
[openstack-dev] [neutron] [lbaas] LBaaS Haproxy performance benchmarking
Hi,

We were trying to use haproxy as our LBaaS solution on the overlay. Has anybody done some baseline benchmarking with LBaaSv1 haproxy solution?

Also, any recommended tools which we could use to do that?

Thanks,
Varun
[openstack-dev] [neutron][lbaas] Pool member status 'ACTIVE' even on health check failure
Hi All,

I am trying to get LBaaS running on stable Juno. I can get all the LBaaS components correctly installed and working as expected. But I am facing some issues with the health-monitor. I am not quite sure if it’s working as expected.

I have 2 ubuntu servers as members of http-pool and I have stopped apache process on 1 of the servers. I have HTTP health-monitor configured on the pool which runs every 1 min and checks for 200 response code on HTTP GET. I was expecting it to FAIL after 3 retries and make the status “INACTIVE” for the member where apache is not running. But for some reason, it’s always ACTIVE.

Can somebody help me with how it is supposed to work and if it’s a bug?

Also, currently I don’t see any health monitor stats with neutron. Is there any plan to get health monitor stats in future releases?

Thanks,
Varun
Re: [openstack-dev] [neutron][lbaas] Pool member status 'ACTIVE' even on health check failure
Hey Brandon,

Thanks for the response. My bad. Seems there is a small bug in horizon. The moment you configure a health monitor, it shows up in the pool. I thought it automatically got associated. But when I checked via CLI, it was not. After associating it via CLI (not able to associate it via horizon, the drop down for health-monitors doesn't seem to work), it seems to work fine :).

As per stats, ideally, it's good to get counters like:

ICMP successful requests: x
ICMP response timeouts: y
ICMP response failures: z
HTTP successful responses: a
HTTP timeouts: b
...

Just an initial thought, this sort of verifies that monitors are working as expected. Like in current situation, I had to manually login to the server to see if the server is catering to any health-monitoring requests. Even getting haproxy stats is not very straightforward, as you need to open a unix socket in haproxy cfg and restart the haproxy instance which might not be possible in production sometimes.

Thanks,
Varun

On 1/19/15, 8:21 PM, Brandon Logan <brandon.lo...@rackspace.com> wrote:

> Hi Varun,
>
> Could you tell me which driver you are using? If you're running the HaproxyOnHostPluginDriver then that should do a check every 6 seconds for members being down. However, other drivers may not do this. It's up to the driver.
>
> As for providing health monitor stats, those currently are not being provided. There haven't been any plans for that yet because everyone has been focused on getting the v2 API out. Which is almost complete and plan for that to be completed for Kilo-3. If you'd like to be able to retrieve some health stats, please list them and let us know. We'll hopefully be able to get them in after v2 has completed.
>
> Thanks,
> Brandon
>
> On Mon, 2015-01-19 at 14:42 -0800, Varun Lodaya wrote:
>> Hi All,
>>
>> I am trying to get LBaaS running on stable Juno. I can get all the LBaaS components correctly installed and working as expected. But I am facing some issues with the health-monitor. I am not quite sure if it's working as expected.
>>
>> I have 2 ubuntu servers as members of http-pool and I have stopped apache process on 1 of the servers. I have HTTP health-monitor configured on the pool which runs every 1 min and checks for 200 response code on HTTP GET. I was expecting it to FAIL after 3 retries and make the status "INACTIVE" for the member where apache is not running. But for some reason, it's always ACTIVE.
>>
>> Can somebody help me with how it is supposed to work and if it's a bug?
>>
>> Also, currently I don't see any health monitor stats with neutron. Is there any plan to get health monitor stats in future releases?
>>
>> Thanks,
>> Varun