7.0.0[bc]: octavia (ovn) does not find existing subnet #890
Comments
This might be specific to the CiaB setup, where amphorae are disabled, but maybe the removal
The upgrade to 7.0.0c did not help. OK, apparently, octavia does not accept the TLS certificate from neutron:
This is really strange. Inside the octavia_api container, the cert validation with echo | openssl s_client -connect api.in-a-box.cloud:9696 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
0 s:
i:CN = OSISM Cloud-in-a-Box CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 20 15:21:35 2022 GMT; NotAfter: Nov 17 16:21:35 2032 GMT
1 s:CN = OSISM Cloud-in-a-Box CA
i:CN = OSISM Cloud-in-a-Box CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 20 16:21:20 2022 GMT; NotAfter: Nov 17 16:21:20 2032 GMT
---
[...]
subject=
issuer=CN = OSISM Cloud-in-a-Box CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3424 bytes and written 400 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
[...] The [neutron]
region_name = RegionOne
endpoint_type = internal
ca_certificates_file = /etc/ssl/certs/ca-certificates.crt
Still puzzled.
So I was reading through https://docs.openstack.org/octavia/latest/configuration/configref.html#neutron
Nova on the other hand ignores
And
in
So, when octavia-api talks to neutron, it does not seem to have its own configuration in mind.
According to other testers of v7.0.0[bc], this does not affect full installations, so maybe the issue is limited to CiaB.
Related to osism/issues#890 Signed-off-by: Christian Berendt <berendt@osism.tech>
Hi Christian,
I upgraded to 7.0.0d.
Upgrade to 7.0.0 did not make a difference: Still no access to the existing subnet (neither ovn nor amphora):
dragon@manager:/opt/configuration/environments/openstack$ openstack subnet list
+--------------------------------------+-----------------------------------+--------------------------------------+-----------------+
| ID | Name | Network | Subnet |
+--------------------------------------+-----------------------------------+--------------------------------------+-----------------+
| 98bb455b-387f-4d7c-a1e3-bdaf50b382ad | test-subnet | 7c7d9e93-5770-48c5-b29d-25d338d2831b | 192.168.64.0/24 |
| f9243dd5-59a0-4964-9d69-fefaa04820c7 | APIMonitor_1710528148_SUBNET_VM_0 | 14bba778-c773-4319-b797-2e44ba49cdf0 | 10.250.0.0/22 |
+--------------------------------------+-----------------------------------+--------------------------------------+-----------------+
dragon@manager:/opt/configuration/environments/openstack$ openstack loadbalancer create --vip-subnet-id 98bb455b-387f-4d7c-a1e3-bdaf50b382ad --name testlb --provider ovn
Subnet 98bb455b-387f-4d7c-a1e3-bdaf50b382ad not found. (HTTP 400) (Request-ID: req-bd00a62c-dbcc-465d-b06b-ab1018431e50)
dragon@manager:/opt/configuration/environments/openstack$ openstack loadbalancer create --vip-subnet-id 98bb455b-387f-4d7c-a1e3-bdaf50b382ad --name testlb --provider amphora
Subnet 98bb455b-387f-4d7c-a1e3-bdaf50b382ad not found. (HTTP 400) (Request-ID: req-e7ff6ada-ddbd-411a-8a7d-da66d388b81b)
dragon@manager:/opt/configuration/environments/openstack$
Same SSL exceptions in
https://review.opendev.org/c/openstack/octavia/+/907426 Related to osism/issues#890 Signed-off-by: Christian Berendt <berendt@osism.tech>
Part of osism/issues#890 Signed-off-by: Christian Berendt <berendt@osism.tech>
Test of latest images including the bugfix:
Included in 7.0.1. Also tested in the cloud-in-a-box, works there as well.
Testing on a CiaB system with 7.0.0b and openstack-health-monitor:
Clearly the subnet exists and belongs to the project.
Somehow, the OVN loadbalancer does not seem to accept tenant subnets. Which it obviously should. And did before.