<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello,<br>
Seems we are quite a few having difficulties getting it to work.<br>
<br>
I missed adding operators ML to my previous reply, sent it again.<br>
<br>
I'm at the point where SSL pretty much becomes a hassle for
operations; if there was an option to just<br>
go with a shared secret I would've done so a while ago, which probably
says a lot about the amount of time spent on this.<br>
<br>
Best regards<br>
Tobias<br>
<br>
<div class="moz-cite-prefix">On 10/20/2018 01:58 AM, Gaël THEROND
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAG+53ua-Hcjjq=_00rUZNsATmWq7g_8uZbMXAB_9VghtR_ByZA@mail.gmail.com">
<div>
<div dir="auto">Hi Erik!</div>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">Glad I’m not the only one having this issue with
the ssl communication between the amphora and the CP.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Even if I don’t have a clear answer regarding
that issue yet, I think your second issue is not an issue, as the
interface is mounted in a namespace and so you’ll need to list
all NICs, even those in namespaces.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Use ip netns ls to get the namespace.</div>
<div dir="auto"><br>
</div>
<div dir="auto">Hope it will help.</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr">On Fri, Oct 19, 2018 at 20:40, Erik McCormick
&lt;<a href="mailto:emccormick@cirrusseven.com"
moz-do-not-send="true">emccormick@cirrusseven.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I've been wrestling with getting Octavia up and running and
have<br>
become stuck on two issues. I'm hoping someone has run into
these<br>
before. My Google-fu has come up empty.<br>
<br>
Issue 1:<br>
When the Octavia controller tries to poll the amphora
instance, it<br>
tries repeatedly and eventually fails. The error on the
controller<br>
side is:<br>
<br>
2018-10-19 14:17:39.181 26 ERROR<br>
octavia.amphorae.drivers.haproxy.rest_api_driver [-]
Connection<br>
retries (currently set to 300) exhausted. The amphora is
unavailable.<br>
Reason: HTTPSConnectionPool(host='10.7.0.112', port=9443):
Max retries<br>
exceeded with url: /0.5/plug/vip/10.250.20.15
(Caused by<br>
SSLError(SSLError("bad handshake: Error([('rsa routines',<br>
'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa
routines',<br>
'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1
encoding<br>
routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',<br>
'tls_process_server_certificate', 'certificate verify<br>
failed')],)",),)): SSLError:
HTTPSConnectionPool(host='10.7.0.112',<br>
port=9443): Max retries exceeded with url: /0.5/plug/vip/10.250.20.15<br>
(Caused by SSLError(SSLError("bad handshake: Error([('rsa
routines',<br>
'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa
routines',<br>
'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1
encoding<br>
routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',<br>
'tls_process_server_certificate', 'certificate verify<br>
failed')],)",),))<br>
<br>
On the amphora side I see:<br>
[2018-10-19 17:52:54 +0000] [1331] [DEBUG] Error processing
SSL request.<br>
[2018-10-19 17:52:54 +0000] [1331] [DEBUG] Invalid request
from<br>
ip=::ffff:10.7.0.40:
[SSL: SSL_HANDSHAKE_FAILURE] ssl handshake<br>
failure (_ssl.c:1754)<br>
<br>
I've generated certificates both with the script in the
Octavia git<br>
repo, and with the Openstack Ansible playbook. I can see
that they are<br>
present in /etc/octavia/certs.<br>
<br>
I'm using the Kolla (Queens) containers for the control
plane so I'm<br>
sure I've satisfied all the python library constraints.<br>
<br>
Issue 2:<br>
I'm not sure how it gets configured, but the tenant network
interface<br>
(ens6) never comes up. I can spawn other instances on that
network<br>
with no issue, and I can see that Neutron has the port
attached to the<br>
instance. However, in the instance this is all I get:<br>
<br>
ubuntu@amphora-33e0aab3-8bc4-4fcb-bc42-b9b36afb16d4:~$ ip a<br>
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue
state UNKNOWN<br>
group default qlen 1<br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>
inet 127.0.0.1/8
scope host lo<br>
valid_lft forever preferred_lft forever<br>
inet6 ::1/128 scope host<br>
valid_lft forever preferred_lft forever<br>
2: ens3: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 9000
qdisc pfifo_fast<br>
state UP group default qlen 1000<br>
link/ether fa:16:3e:30:c4:60 brd ff:ff:ff:ff:ff:ff<br>
inet 10.7.0.112/16
brd 10.7.255.255 scope global ens3<br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::f816:3eff:fe30:c460/64 scope link<br>
valid_lft forever preferred_lft forever<br>
3: ens6: &lt;BROADCAST,MULTICAST&gt; mtu 1500 qdisc noop
state DOWN group<br>
default qlen 1000<br>
link/ether fa:16:3e:89:a2:7f brd ff:ff:ff:ff:ff:ff<br>
<br>
There's no evidence of the interface anywhere else including
udev rules.<br>
<br>
Any help with either or both issues would be greatly
appreciated.<br>
<br>
Cheers,<br>
Erik<br>
<br>
_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org"
target="_blank" moz-do-not-send="true">OpenStack-operators@lists.openstack.org</a><br>
<a
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
</blockquote>
</div>
</div>
</blockquote>
<br>
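Added example, not part of the original thread and not Octavia code: a small parser for the OpenSSL error queue quoted in Issue 1, showing what that particular stack says about the handshake failure. The function names and category labels are hypothetical, and the sample is the controller log line from the mail with its line wraps kept.

```python
import re

# Constructed sample: the controller-side error from this thread, kept with the
# mail client's hard line wraps and cut to the first copy of the error stack.
SAMPLE_LOG = """2018-10-19 14:17:39.181 26 ERROR
octavia.amphorae.drivers.haproxy.rest_api_driver [-] Connection
retries (currently set to 300) exhausted. The amphora is unavailable.
Reason: HTTPSConnectionPool(host='10.7.0.112', port=9443): Max retries
exceeded with url: /0.5/plug/vip/10.250.20.15 (Caused by
SSLError(SSLError("bad handshake: Error([('rsa routines',
'RSA_padding_check_PKCS1_type_1', 'invalid padding'), ('rsa routines',
'rsa_ossl_public_decrypt', 'padding check failed'), ('asn1 encoding
routines', 'ASN1_item_verify', 'EVP lib'), ('SSL routines',
'tls_process_server_certificate', 'certificate verify
failed')],)",),))"""

# One (library, function, reason) entry of the error queue as it is printed.
ENTRY = re.compile(r"\('([^']*)',\s*'([^']*)',\s*'([^']*)'\)")


def parse_error_queue(text):
    """Return the distinct (library, function, reason) triples, in order."""
    flat = " ".join(text.split())  # undo hard wraps inside the quoted strings
    seen, out = set(), []
    for triple in ENTRY.findall(flat):
        if triple not in seen:  # the log prints the same stack twice
            seen.add(triple)
            out.append(triple)
    return out


def diagnose(triples):
    """Classify a handshake failure from its error queue (labels are hypothetical)."""
    funcs = {f for _, f, _ in triples}
    reasons = {r for _, _, r in triples}
    if "certificate verify failed" not in reasons:
        return "not-a-verify-failure"
    if "ASN1_item_verify" in funcs or any(f.startswith("RSA_padding_check") for f in funcs):
        # A candidate issuer certificate was found, but its public key does
        # not validate the signature on the certificate the peer presented.
        return "signature-mismatch"
    # Verification failed for a reason this queue does not spell out.
    return "verify-failed-other"
```

A "signature-mismatch" result points at the CA certificate the client trusts having a different key from the one that signed the peer's certificate, which `openssl verify -CAfile` run with that CA against the presented certificate will confirm or rule out.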
</body>
</html>