<div><div dir="auto">Hi eric!</div></div><div dir="auto"><br></div><div dir="auto">Glad I’m not the only one having this issue with the ssl communication between the amphora and the CP.</div><div dir="auto"><br></div><div dir="auto">Even if I don’t yet get a clear answer regarding that issue, I think your second issue is not an issue as the interface is mounted on a namespace and so you’ll need to list all nic even those from namespace.</div><div dir="auto"><br></div><div dir="auto">Use an ip netns ls to get the namespace.</div><div dir="auto"><br></div><div dir="auto">Hope it will help.</div><div><br><div class="gmail_quote"><div dir="ltr">Le ven. 19 oct. 2018 à 20:40, Erik McCormick <<a href="mailto:emccormick@cirrusseven.com">emccormick@cirrusseven.com</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've been wrestling with getting Octavia up and running and have<br>
become stuck on two issues. I'm hoping someone has run into these<br>
before. My google foo has come up empty.<br>
<br>
Issue 1:<br>
When the Octavia controller tries to poll the amphora instance, it<br>
tries repeatedly and eventually fails. The error on the controller<br>
side is:<br>
<br>
2018-10-19 14:17:39.181 26 ERROR<br>
octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection<br>
retries (currently set to 300) exhausted. The amphora is unavailable.<br>
Reason: HTTPSConnectionPool(host='10.7.0.112', port=9443): Max retries<br>
exceeded with url: /0.5/plug/vip/<a href="http://10.250.20.15" rel="noreferrer" target="_blank">10.250.20.15</a> (Caused by<br>
SSLError(SSLError("bad handshake: Error([('rsa routines',<br>
'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',<br>
'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding<br>
routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',<br>
'tls_process_server_certificate', 'certificate verify<br>
failed')],)",),)): SSLError: HTTPSConnectionPool(host='10.7.0.112',<br>
port=9443): Max retries exceeded with url: /0.5/plug/vip/<a href="http://10.250.20.15" rel="noreferrer" target="_blank">10.250.20.15</a><br>
(Caused by SSLError(SSLError("bad handshake: Error([('rsa routines',<br>
'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',<br>
'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding<br>
routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',<br>
'tls_process_server_certificate', 'certificate verify<br>
failed')],)",),))<br>
<br>
On the amphora side I see:<br>
[2018-10-19 17:52:54 +0000] [1331] [DEBUG] Error processing SSL request.<br>
[2018-10-19 17:52:54 +0000] [1331] [DEBUG] Invalid request from<br>
ip=::ffff:<a href="http://10.7.0.40" rel="noreferrer" target="_blank">10.7.0.40</a>: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake<br>
failure (_ssl.c:1754)<br>
<br>
I've generated certificates both with the script in the Octavia git<br>
repo, and with the Openstack Ansible playbook. I can see that they are<br>
present in /etc/octavia/certs.<br>
<br>
I'm using the Kolla (Queens) containers for the control plane so I'm<br>
sure I've satisfied all the python library constraints.<br>
<br>
Issue 2:<br>
I"m not sure how it gets configured, but the tenant network interface<br>
(ens6) never comes up. I can spawn other instances on that network<br>
with no issue, and I can see that Neutron has the port attached to the<br>
instance. However, in the instance this is all I get:<br>
<br>
ubuntu@amphora-33e0aab3-8bc4-4fcb-bc42-b9b36afb16d4:~$ ip a<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN<br>
group default qlen 1<br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>
inet <a href="http://127.0.0.1/8" rel="noreferrer" target="_blank">127.0.0.1/8</a> scope host lo<br>
valid_lft forever preferred_lft forever<br>
inet6 ::1/128 scope host<br>
valid_lft forever preferred_lft forever<br>
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast<br>
state UP group default qlen 1000<br>
link/ether fa:16:3e:30:c4:60 brd ff:ff:ff:ff:ff:ff<br>
inet <a href="http://10.7.0.112/16" rel="noreferrer" target="_blank">10.7.0.112/16</a> brd 10.7.255.255 scope global ens3<br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::f816:3eff:fe30:c460/64 scope link<br>
valid_lft forever preferred_lft forever<br>
3: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group<br>
default qlen 1000<br>
link/ether fa:16:3e:89:a2:7f brd ff:ff:ff:ff:ff:ff<br>
<br>
There's no evidence of the interface anywhere else including udev rules.<br>
<br>
Any help with either or both issues would be greatly appreciated.<br>
<br>
Cheers,<br>
Erik<br>
<br>
_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org" target="_blank">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
</blockquote></div></div>