Re: [Openstack-operators] Ubuntu Kernel with Meltdown mitigation SSL issues

2018-01-19 Thread Thierry Carrez
Sam Morrison wrote:
> We updated our control infrastructure to the latest Ubuntu Xenial Kernel
> (4.4.0-109) which includes the meltdown fixes.
>
> We have found this kernel to have issues with SSL connections with python and
> have since downgraded. We get errors like:
>
> SSLError: SSL

Re: [Openstack-operators] Ubuntu Kernel with Meltdown mitigation SSL issues

2018-01-18 Thread Sam Morrison
We have an F5 doing all the SSL in front of our API servers.

SSL-Session:
Protocol : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384

The majority of the requests that were failing was a glance request /v2/images?limit=20 (around 25% of requests which is around 1-2 a second)

Glance is on

Re: [Openstack-operators] Ubuntu Kernel with Meltdown mitigation SSL issues

2018-01-18 Thread Logan V.
We upgraded our control plane to 4.4.0-109 + intel-microcode 3.20180108.0~ubuntu16.04.2 several days ago, and are about 1/2 of the way thru upgrading our compute hosts with these changes. We use Ocata for all services, and no issue like this has been observed yet on our env. Control hosts are

Re: [Openstack-operators] Ubuntu Kernel with Meltdown mitigation SSL issues

2018-01-18 Thread Adam Heczko
Hello Sam, thank you for sharing this information. Could you please provide more information related to your specific setup? How is the Keystone API endpoint TLS terminated in your setup? AFAIK in our OpenStack labs we haven't observed anything like this although we terminate TLS on Nginx or HAProxy.