Earlier  
Posted Nick Remark
#openstack-nova - 2019-04-25
20:03:11 mriedem weeee https://bugs.launchpad.net/nova/+bug/1826382
20:03:12 openstack Launchpad bug 1826382 in OpenStack Compute (nova) "Updates to placement api fail if placement endpoint changes" [Undecided,Triaged] - Assigned to Liam Young (gnuoy)
20:03:14 mriedem we're too smart for our own good
20:03:24 mriedem jaypipes: ^ thoughts on how to handle and auto-detect/correct that?
20:04:12 mriedem tl;dr if don't configure nova to talk to placement with a specific endpoint url, we look it up via the service catalog and ksa; if the endpoint changes and we're using a stale client adapter, all requests fail (http to https)
20:04:19 mriedem you have to restart all the computes to fix it
20:05:19 efried mriedem: There was some attempt to address that via safe_connect
20:06:01 mriedem that probably gets a bit confusing though b/c we raise a nova-specific exception,
20:06:02 efried mriedem: One thing we could do is rebuild the adapter on SIGHUP
20:06:21 mriedem in this case ResourceProviderRetrievalFailed
20:06:25 mriedem heh, i mentioned that in the bug,
20:06:29 mriedem but if sighup were fixed
20:06:42 efried mriedem: Well, there was *one* path through @safe_connect that swallowed the error and rebuilt the adapter and retried. But I don't think it was the right one.
20:06:53 mriedem still, let's say you have 1000 computes and you change the placement endpoint, do you want to sighup 1k computes? maybe that's normal
20:07:05 mriedem right that's the EndpointNotFound case
20:07:06 efried yeah, why tf are you changing the endpoint
20:07:13 mriedem ksa doesn't raise an exception here, we just get a 400 response back
20:07:15 efried you deserve to have to sighup 1000 computes
20:07:24 efried whoah
20:07:30 mriedem true, i can't really decide if this is low priority or what
20:07:57 efried Because the endpoint is there, just no longer accepting http? Is that what you meant by (http to https)?
20:08:14 artom Yeah, I'd have thunk if you change the endpoint you put a redirect in place first
20:08:19 mriedem "In my deployment this occurred when the placement end point switched from http to https after the nova-compute node had started."
20:08:29 efried because if the old endpoint is gone gone, that should be a connect failure, which ksa converts.
20:08:36 efried Yeah, that makes... some sense I guess?
20:08:43 efried but yeah, a redirect would be nice
20:09:41 artom I don't really think it's reasonable to expect Nova to pull the endpoint list form the catalog for every single request.
20:09:42 efried mriedem: btw, I got ultra screwed on the school runs, won't be back until even later than originally anticipated.
20:09:53 efried artom: ++
20:10:04 artom What do we do for Neutron and Cinder?
20:10:06 mriedem artom: i don't think anyone is suggesting that
20:10:24 efried mriedem: actually, the fact that we get a 400 from the API is the kicker here.
20:10:28 mriedem right
20:10:36 efried If it were any kind of 500, I would say we might should do something about it.
20:10:44 mriedem we could put a decorator on the get/put/post/delete methods to sniff the response for a 400 and if "Reason: You're speaking plain HTTP to an SSL-enabled server port." is in the text, but that's super hacky
20:10:47 efried but the fact that there's still something at that endpoint, just ain't working anymore, is not our fault.
20:10:54 efried yeah, that's bs
20:11:17 jroll I've never seen an https web server return a response when you try to talk http to it
20:11:18 artom Wait, they switched to HTTPS *on the same port*?
20:11:24 artom Is that a thing?
20:11:26 jroll the client just fails to negotiate a tls connection
20:11:54 fungi i *think* you can do starttls that way, but it's more common to see it on the assigned plaintext port equivalent
20:11:57 efried artom: Suspect portless therefore using defaults (80/443)
20:12:14 efried gotta run
20:12:20 fungi also more common for other protocols than http
20:12:21 jroll huh, looking at the bug and apparently it's a thing, wtf
20:12:31 artom fungi, ah, true
20:13:38 fungi e.g., you can initiate a tls negotiation blind on the smtps port, or on the smtp port you can issue a starttls command (if its advertised on ehlo) and then start tls negotiation
20:14:21 fungi https://en.wikipedia.org/wiki/Opportunistic_TLS
20:14:52 fungi leads to https://en.wikipedia.org/wiki/HTTP/1.1_Upgrade_header
20:15:47 melwitt efried: tinyurl for what now?
20:15:50 fungi so possible, and has a standard, but... not common in the wild
20:18:15 artom fungi, yeah, though in this case it's almost inverted: the server responds with a 400 because the request *isn't* HTTPS
20:18:58 fungi oh, so protocol downgrade? that's generally just considered a security vulnerability
20:19:44 fungi ahh, or client trying to make plaintext connection on tls port? i think the phrase for that is "broken configuration"
20:22:01 jroll fungi: right, I'm surprised that apache actually responds to that, rather than the tls negotiation failing
20:26:08 fungi i'd have come up with a more humorous term, but my comedy circuits are currently overridden by the fact that my mower just kicked up a clam shell, and i'm certain there's a joke in there somewhere if i can just shuck it out
20:26:44 mriedem i see what you did there
20:38:12 melwitt mriedem: I was just reading into the ML thread and looking at your results here https://review.opendev.org/654468 and wondered, don't you need LIBS_FROM_GIT=oslo.config to avoid it using the installed version from pypi? I see it checking out the commit you Depends-On in the job output but then see oslo.config installed later? http://logs.openstack.org/68/654468/6/check/openstack-tox-py27/05facc9/job-output.txt.gz#_2019-04-25_20_12_50_27
20:38:13 melwitt 0275
20:38:49 melwitt http://logs.openstack.org/68/654468/6/check/openstack-tox-py27/05facc9/job-output.txt.gz#_2019-04-25_20_12_50_270275
20:41:44 mriedem i was under the impression zuulv3 handled that for us
20:42:07 mriedem but maybe that's only if it's in required_projects in zuul.yaml
20:43:01 mriedem pip freeze is showing a tag rather than a git hash though http://logs.openstack.org/68/654468/6/check/openstack-tox-py36/6c5ead4/tox/py36-4.log
20:43:05 mriedem oslo.config==6.8.1
20:44:33 melwitt yeah that was my concern
20:45:08 mriedem not sure what this is about "cannot set the recursion limit to 10 at the recursion depth 55: the limit is too low"
20:45:20 mriedem the python docs don't say anything about a lower bound
20:46:34 melwitt where are you seeing that?
20:46:41 mriedem http://logs.openstack.org/68/654468/6/check/openstack-tox-py36/6c5ead4/testr_results.html.gz
20:47:19 melwitt oh different job
20:48:19 mriedem yeah the bug only hits on py36 for some reason
20:49:05 fungi mriedem: melwitt: yes, a repository will only be checked out alongside if it's in the required-projects list
20:49:24 mriedem ack, ok, that's easily fixable in this hack patch
20:49:59 fungi otherwise depends-on means "don't merge until this other change merges"
20:50:45 fungi (which also applies to a required project, but an rp will also be tested in conjunction with your change)
20:51:14 melwitt mriedem: I guess the doc does say "Changed in version 3.5.1: A RecursionError exception is now raised if the new limit is too low at the current recursion depth." https://docs.python.org/3/library/sys.html#sys.setrecursionlimit
20:51:26 melwitt so it has to be at least 55?
20:51:32 melwitt based on the error message it put
20:52:07 mriedem hmm
20:52:07 mriedem b'RecursionError: cannot set the recursion limit to 56 at the recursion depth 55: the limit is too low'
20:52:22 melwitt lol, what are we supposed to
20:52:27 melwitt do
20:53:50 melwitt I guess that means at that moment, the depth is 55
20:54:03 mriedem yeah
20:54:09 mriedem i bumped to 100 and then it passed
20:54:09 melwitt so the limit has to be some headroom above that to allow for more
20:54:16 melwitt ok, cool
20:54:29 mriedem it was 1000 in my local py3.6
20:54:39 mriedem i mean the default or whatever
20:54:41 mriedem which is a bionic node
20:54:57 melwitt ok, I see
20:59:36 openstackgerrit Matt Riedemann proposed openstack/nova master: DNM: debug config opts infinite recursion https://review.opendev.org/654468
20:59:41 mriedem fungi: melwitt: ^ hopefully that does it
21:00:25 mriedem nova meeting
21:00:39 melwitt good call excluding all the other jobs too
21:27:02 openstackgerrit Matt Riedemann proposed openstack/nova stable/pike: Move legacy-grenade-dsvm-neutron-multinode-live-migration in-tree https://review.opendev.org/640207
21:28:49 openstackgerrit Takashi NATSUME proposed openstack/nova master: Remove deprecated 'default_flavor' config option https://review.opendev.org/645476
21:29:32 openstackgerrit Takashi NATSUME proposed openstack/nova master: Fix cleaning up console tokens https://review.opendev.org/637716
21:31:48 openstackgerrit Matt Riedemann proposed openstack/nova stable/queens: Fix nova-grenade-live-migration run book for opendev migration https://review.opendev.org/655800

Earlier   Later