Monday, 2016-09-26

00:22 *** sdake has quit IRC
00:32 *** sdake has joined #openstack-kuryr
00:49 *** tonanhngo has joined #openstack-kuryr
00:51 *** tonanhngo has quit IRC
01:03 *** yamamoto_ has joined #openstack-kuryr
01:25 *** hongbin has joined #openstack-kuryr
01:26 *** yamamoto_ has quit IRC
01:38 *** yamamoto_ has joined #openstack-kuryr
01:57 *** tonanhngo has joined #openstack-kuryr
01:57 *** tonanhngo has quit IRC
02:12 *** yedongcan has joined #openstack-kuryr
02:35 *** sdake has quit IRC
02:52 *** yuanying has quit IRC
02:57 *** huikang has joined #openstack-kuryr
03:02 *** huikang_ has joined #openstack-kuryr
03:03 *** yamamoto_ has quit IRC
03:05 *** huikang has quit IRC
03:05 *** yedongcan1 has joined #openstack-kuryr
03:07 *** yedongcan has quit IRC
03:08 *** huikang_ has quit IRC
03:23 *** yedongcan1 has quit IRC
03:32 *** janonymous has joined #openstack-kuryr
03:42 *** tonanhngo has joined #openstack-kuryr
03:42 *** tonanhngo has quit IRC
03:44 *** yamamoto_ has joined #openstack-kuryr
03:47 *** yuanying has joined #openstack-kuryr
03:49 *** yuanying has quit IRC
03:55 *** yuanying has joined #openstack-kuryr
04:18 *** hongbin has quit IRC
04:30 *** yedongcan has joined #openstack-kuryr
04:46 <openstackgerrit> Jaivish Kothari (janonymous) proposed openstack/kuryr-libnetwork: call start in sys.exit(start()) instead of start()  https://review.openstack.org/376162
04:55 *** limao has joined #openstack-kuryr
05:13 *** lezbar__ has joined #openstack-kuryr
05:21 *** lezbar has quit IRC
05:27 <openstackgerrit> Dongcan Ye proposed openstack/kuryr-libnetwork: [TrivialFix] Fix README  https://review.openstack.org/376173
05:45 *** irenab_ has joined #openstack-kuryr
05:46 *** tonanhngo has joined #openstack-kuryr
05:48 *** tonanhngo has quit IRC
05:51 *** yedongcan has quit IRC
05:57 *** yedongcan has joined #openstack-kuryr
05:59 *** yedongcan1 has joined #openstack-kuryr
06:02 *** yedongcan has quit IRC
07:01 *** tonanhngo has joined #openstack-kuryr
07:02 *** tonanhngo has quit IRC
07:40 *** oanson has joined #openstack-kuryr
08:00 *** pablochacin has joined #openstack-kuryr
08:29 *** janki has joined #openstack-kuryr
08:33 <yedongcan1> apuimedo, vikasc: ping, hello
09:04 *** dingboopt_ has joined #openstack-kuryr
09:14 *** irenaber has joined #openstack-kuryr
09:18 *** irenab_ has quit IRC
09:28 *** irenab_ has joined #openstack-kuryr
09:32 *** irenaber has quit IRC
09:32 *** tonanhngo has joined #openstack-kuryr
09:33 *** tonanhngo has quit IRC
09:42 *** ivc_ has joined #openstack-kuryr
09:53 *** tonanhngo has joined #openstack-kuryr
09:54 *** tonanhngo has quit IRC
10:06 *** sdake has joined #openstack-kuryr
10:07 *** yamamoto_ has quit IRC
10:21 <apuimedo> yedongcan1: pong
10:22 *** limao has quit IRC
10:24 <yedongcan1> apuimedo: Hello, today I tracked the bugs in https://bugs.launchpad.net/kuryr/; I saw that some bugs have already been fixed, but their status is not marked correctly.
10:25 <yedongcan1> apuimedo: Can you please mark them?
10:25 <apuimedo> yedongcan1: that is great
10:25 <apuimedo> which need to be fixed?
10:25 <apuimedo> (status fix)
10:25 <yedongcan1> apuimedo: I will give you a link
10:26 <apuimedo> thanks
10:26 <yedongcan1> https://bugs.launchpad.net/kuryr/+bug/1578356 fixed in: https://review.openstack.org/#/c/314245/
10:26 <openstack> Launchpad bug 1578356 in kuryr "new libnetwork API" [Medium,New]
10:27 <apuimedo> cool
10:27 <yedongcan1> https://bugs.launchpad.net/kuryr/+bug/1604180 Fixed in: https://review.openstack.org/#/c/341891/
10:27 <openstack> Launchpad bug 1604180 in kuryr "Add Python 3.5 classifier and venv in kuryr-libnetwork" [Undecided,New] - Assigned to Liping Mao (limao)
10:28 <yedongcan1> Forgive me, I marked a bug, https://bugs.launchpad.net/kuryr/+bug/1569142. Maybe I had no right to here.
10:28 <openstack> Launchpad bug 1569142 in kuryr "Exposing ports" [Medium,Fix committed] - Assigned to Mohammad Banikazemi (mb-s)
10:31 <apuimedo> cool, yedongcan1. I updated them ;-)
10:32 <yedongcan1> apuimedo: Thanks.
10:33 <apuimedo> yedongcan1: thanks to you
10:33 <apuimedo> yedongcan1: if you'd like to keep helping with triaging it will be great
10:36 <yedongcan1> apuimedo: Sure, I will
10:36 <apuimedo> yedongcan1: if you can't mark bugs as triaged let me know so I can sort out the permissions
10:37 <apuimedo> irenab: could you raise https://review.openstack.org/#/c/371432/ to +2 ?
10:37 <apuimedo> I want to merge this stuff and move forward
10:37 <yedongcan1> apuimedo: Thanks, I will tell you if I run into that.
10:38 <apuimedo> cool
10:39 <yedongcan1> vikasc: ping
10:44 <apuimedo> yedongcan1: he's not online
10:45 <yedongcan1> apuimedo: Got it, I will ping him in future.
10:47 <apuimedo> I thought you said that now it is a dictionary
10:47 <apuimedo> oops, wrong channel
10:47 <apuimedo> :P
10:56 *** prithiv has joined #openstack-kuryr
10:59 *** yedongcan1 has quit IRC
11:04 *** sdake has quit IRC
11:04 *** sdake_ has joined #openstack-kuryr
11:05 *** yamamoto has joined #openstack-kuryr
11:11 *** yamamoto has quit IRC
11:12 *** yedongcan has joined #openstack-kuryr
11:43 *** sdake_ has quit IRC
12:06 *** prithiv has joined #openstack-kuryr
12:11 *** janki has quit IRC
12:12 *** yamamoto has joined #openstack-kuryr
12:18 <irenab_> apuimedo, sure
12:19 *** yamamoto has quit IRC
12:20 <irenab_> apuimedo, can you please refer to the question I posted regarding accompanying documentation, i.e. wiki or README
12:25 *** tonanhngo has joined #openstack-kuryr
12:27 *** tonanhngo has quit IRC
12:27 *** prithiv has joined #openstack-kuryr
12:31 *** yamamoto has joined #openstack-kuryr
12:37 *** yamamoto has quit IRC
12:39 *** yamamoto has joined #openstack-kuryr
12:55 <apuimedo> irenab_: I'll add info on the readme, sorry I forgot your question
12:55 <apuimedo> (follow up patches)
12:55 <irenab_> apuimedo, thanks
12:57 *** mchiappero has joined #openstack-kuryr
12:58 *** sdake has joined #openstack-kuryr
12:59 *** yamamoto has quit IRC
13:00 *** yamamoto has joined #openstack-kuryr
13:00 *** yamamoto has quit IRC
13:02 <openstackgerrit> Merged openstack/kuryr-kubernetes: devstack: First version of kuryr-kubernetes plugin  https://review.openstack.org/371432
13:03 *** sdake_ has joined #openstack-kuryr
13:06 *** sdake has quit IRC
13:07 *** pablochacin has quit IRC
13:11 <openstackgerrit> Antoni Segura Puimedon proposed openstack/kuryr-kubernetes: move config and opt generation to new kuryr-lib  https://review.openstack.org/374144
13:15 *** limao has joined #openstack-kuryr
13:19 *** pablochacin has joined #openstack-kuryr
13:27 <openstackgerrit> Merged openstack/kuryr-kubernetes: move config and opt generation to new kuryr-lib  https://review.openstack.org/374144
13:29 <openstackgerrit> Antoni Segura Puimedon proposed openstack/kuryr: Add 'deployment_type' configuration parameter  https://review.openstack.org/362023
13:32 *** banix has joined #openstack-kuryr
13:39 *** tonanhngo has joined #openstack-kuryr
13:40 *** tonanhngo has quit IRC
13:42 *** limao_ has joined #openstack-kuryr
13:45 *** limao has quit IRC
13:48 *** sdake has joined #openstack-kuryr
13:48 *** yamamoto has joined #openstack-kuryr
13:48 <openstackgerrit> Merged openstack/kuryr: Add 'deployment_type' configuration parameter  https://review.openstack.org/362023
13:48 <apuimedo> Yay
13:48 <apuimedo> I love merging sprees
13:49 *** vikasc has joined #openstack-kuryr
13:50 *** sdake_ has quit IRC
13:51 *** pablochacin has quit IRC
13:51 *** sdake_ has joined #openstack-kuryr
13:52 *** lmdaly has joined #openstack-kuryr
13:54 *** sdake has quit IRC
13:55 <apuimedo> https://wiki.openstack.org/wiki/Meetings/Kuryr#Meeting_September_26th.2C_2016
13:56 <apuimedo> banix: irenab_ ivc_ janonymous limao_ lmdaly vikasc yedongcan: just posted the agenda
13:56 <apuimedo> I keep doing it later and later, sorry
14:02 *** tonanhngo has joined #openstack-kuryr
14:03 *** hongbin has joined #openstack-kuryr
14:05 *** yamamoto has quit IRC
14:06 *** yamamoto has joined #openstack-kuryr
14:11 *** yamamoto has quit IRC
14:23 *** yamamoto has joined #openstack-kuryr
14:33 *** prithiv has quit IRC
14:57 *** yamamoto has quit IRC
14:59 *** sdake_ has quit IRC
15:01 <apuimedo> Ok, here we are!
15:01 <apuimedo> we can follow the discussions
15:02 <apuimedo> banix: you're not going to ask me about el5, right?
15:02 <apuimedo> in general the limit is pyroute2
15:02 <banix> yeah wondering if pyroute2 has a requirement
15:02 <apuimedo> though svinota very kindly added some ioctl backwards compatibility code last week for us
15:02 <apuimedo> now it should work with 3.10+
15:02 <banix> cool
15:04 <limao_> hi apuimedo, vikasc,
15:06 <apuimedo> limao_: hi
15:07 <limao_> in the macvlan/ipvlan case, all the containers on one VM will share the SG of the VM. If we have two containers on the VM, one wants to open port 22 and another wants to open port 80; the SG of the VM will open 22 and 80 at the same time. Is this right?
15:08 <apuimedo> limao_: it depends on the vendor
15:10 <yedongcan> apuimedo: Launchpad is oops, so I paste comments here
15:10 <apuimedo> yedongcan: thanks
15:10 <apuimedo> I tried to look at it before and it went "boom"
15:11 <apuimedo> limao_: I would hope that if we update SGs for the address of one of the container ports
15:11 <apuimedo> the iptables on the host where it is not bound would still allow it to be open
15:11 <apuimedo> but the opening is usually per address, not per port
15:11 <apuimedo> so opening for one container should not impact the others
15:12 *** pablochacin has joined #openstack-kuryr
15:12 <yedongcan> The problem is caused by multiple networks with the same CIDRs on the Neutron side and in Kuryr. I had a subnet created in Neutron already.
15:12 <apuimedo> ah, I see
15:12 *** yamamoto has joined #openstack-kuryr
15:13 <yedongcan> So, I had some thoughts here: I think we can check for overlapping CIDRs in ipam_request_pool, and if overlapping CIDRs exist, we can give a warning message to the user.
15:13 <apuimedo> yedongcan: this sounds like what vikasc had raised about address scopes
15:13 <apuimedo> vikasc: could you weigh in on that?
15:15 *** sdake has joined #openstack-kuryr
15:16 *** reedip has quit IRC
15:16 <yedongcan> Meanwhile, should we add the logic in network_driver_create_network (like the patch I committed) if the user really forgets to pass pool_name in options? We can't be sure that the user checks on the Neutron side. Actually we also
15:16 <yedongcan> provide a case where pool_name is not passed in options when we request a pool.
15:17 <limao_> apuimedo: In case we have a nested VM whose IP is 100.0.0.2, and there are two containers on it, 100.0.0.3 (needs to open port 22) and 100.0.0.4 (needs to open port 80). How do we add rules that only open 100.0.0.3:22 and 100.0.0.4:80 in the security group?
15:17 <limao_> I mean in the security group of 100.0.0.2
15:18 <apuimedo> yedongcan: I think we should just error out saying that there is no pool in Neutron and maybe we can link to the documentation saying how to create it
15:19 <apuimedo> limao_: you mean Neutron API wise?
15:19 <apuimedo> or ovs agent wise?
15:19 <vikasc> apuimedo, we already have it under limitations in the kuryr-lib readme
15:19 <vikasc> apuimedo, yedongcan we should move it to kuryr-libnetwork
15:19 <apuimedo> vikasc: but I think we should put a meaningful error when that happens
15:19 <apuimedo> with a link to documentation
15:20 <apuimedo> so the user can see it and go to solve it
15:20 <vikasc> apuimedo, that's what I suggested to yedongcan the other day
15:21 <apuimedo> yedongcan: what do you think about it?
15:21 <vikasc> apuimedo, we can add a warning message
15:21 <yedongcan> vikasc: apuimedo: oh, I found it.
15:22 *** prithiv has joined #openstack-kuryr
15:22 <yedongcan> There was one question: what about an existing Neutron subnet and a kuryr-created subnet?
15:23 <apuimedo> yedongcan: that specific thing is why we need the address scopes, right vikasc?
15:23 *** prithiv has quit IRC
15:23 <limao_> apuimedo: I mean in the security group of 100.0.0.2, there is no way to only open 22 for 100.0.0.3; once you open port 22, it will open 22 for both of the containers.
15:24 <apuimedo> limao_: the security group will usually be the same for all the ports in the subnet
15:24 *** yedongcan1 has joined #openstack-kuryr
15:24 <vikasc> apuimedo, right
15:24 <apuimedo> shouldn't it be possible to open port 22 for 100.0.0.3
15:24 <apuimedo> ?
15:24 <apuimedo> it has no relation to ports, or at least that was my understanding
15:24 <yedongcan1> vikasc, I will add a warning message in the next patch.
15:24 <vikasc> thanks yedongcan
15:25 <yedongcan1> Do you mean the option is forcing?
15:25 <vikasc> yedongcan, sorry, I could not get your question
15:26 <vikasc> yedongcan, would you mind rewording
15:26 <apuimedo> limao_: (me checking what happens on ovs)
15:26 * vikasc need to go
15:26 <limao_> apuimedo: >the security group will usually be the same for all the ports in the subnet, if all SGs on the subnet are the same, you can use fwaas in the vrouter :)
15:26 *** yedongcan has quit IRC
15:27 <apuimedo> limao_: I actually have never tried fwaas
15:27 <apuimedo> :P
15:28 <limao_> Chain neutron-openvswi-i4f8b9d33-4 (1 references)
15:28 <limao_>  pkts bytes target     prot opt in     out     source               destination
15:28 <limao_>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
15:28 <limao_>     0     0 RETURN     udp  --  *      *       10.225.14.202        0.0.0.0/0            udp spt:67 udp dpt:68
15:28 <limao_>     0     0 RETURN     udp  --  *      *       10.225.14.201        0.0.0.0/0            udp spt:67 udp dpt:68
15:28 <limao_>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set NIPv405015ba4-6203-430d-b67c- src
15:28 <limao_>     0     0 RETURN     tcp  --  *      *       10.0.0.0/16          0.0.0.0/0            tcp dpt:333
15:28 <limao_>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
15:28 <limao_>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
15:29 <limao_>     0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Send unmatched traffic to the fallback chain. */
15:29 <yedongcan1> I mean, is the pool name option necessary?
15:29 *** reedip has joined #openstack-kuryr
15:29 <apuimedo> the question is whether the iptables rule will be pushed to all the hosts or only where the port is bound
15:30 <limao_> apuimedo: only where the port is bound
15:30 *** jerms has quit IRC
15:31 <apuimedo> limao_: well, that is a problem then
15:31 *** jerms has joined #openstack-kuryr
15:31 <apuimedo> means that security group rules will not work with the ipvlan approach with the current state of ovs
15:32 <apuimedo> but maybe we can patch ovs-agent iptables to take allowed address pairs into account
15:32 *** devvesa has joined #openstack-kuryr
15:32 *** devvesa has quit IRC
15:32 <limao_> that's why I'm saying if SG can't work, why don't we disable port security directly
15:33 <limao_> apuimedo: I'm afraid kuryr can't do it, since it is running in the VM, not the compute host
15:33 <apuimedo> limao_: I'm saying to fix this in Neutron
15:34 <apuimedo> if they accept it
15:34 <ivc_> limao_: it would probably work but do you think users would want to disable port security?
15:34 <apuimedo> IMHO it should be doable, that the subscriber for security groups checks if the address is allowed
15:35 <limao_> ivc_: I'm not sure, but if you need ACL, you still can use fwaas (which is network based, not port based)
15:36 <ivc_> i mean the whole point of kuryr is to bring neutron power to containers
15:40 *** irenab_ has quit IRC
15:40 *** reedip has quit IRC
15:44 *** yamamoto has quit IRC
15:45 <apuimedo> ivc_: limao_: I was now asking and it seems that the SG rules would apply
15:45 *** yamamoto has joined #openstack-kuryr
15:45 <limao_> ivc_: Yeah, try to fix it then :-)
15:45 <apuimedo> that the ovs subscriber that modifies rules only checks if there is a port of that SG in the host
15:46 <apuimedo> so I don't think we need a fix
15:46 <apuimedo> because there will always be a port of the containers' SG bound in the host (the instance port)
15:48 <limao_> apuimedo: there will be an SG bound on the VM port
15:49 <apuimedo> limao_: I think that works for us
15:50 <limao_> apuimedo: but for the SG of the container ports (ipvlan/macvlan), ovs will not process it, because ovs only detects the ports plugged into br-int
15:50 *** yamamoto has quit IRC
15:50 *** pablochacin has quit IRC
15:51 <apuimedo> limao_: are you sure about that?
15:51 <limao_> apuimedo: 100% sure..
15:51 <apuimedo> I was talking with jlibosva of the neutron folk and he thought it would apply since the VM port has membersihp
15:51 <apuimedo> *membership
15:51 <apuimedo> on the SG
15:52 <limao_> apuimedo: did he talk about trunk/sub ports?
15:52 <apuimedo> limao_: no, regular ports
15:52 <apuimedo> he said that the only check there is for processing SG rules is if there is a bound port of the SG
15:53 <apuimedo> if we use the same SG for the VM port and for the container ports, we should be fine
15:53 <limao_> limao_: our container port is not even bound, so how does Neutron know on which compute node it should set up the SG rules
15:53 *** reedip has joined #openstack-kuryr
15:54 <limao_> Yes, if we use the same SG for all the containers on one VM, it should be ok
15:54 <ivc_> but then we need to enforce it somehow
15:56 <apuimedo> limao_: I think that until we have the trunk subport, we must enforce the same SG
15:56 <limao_> apuimedo: +1
15:56 <apuimedo> I don't like it, but it is the path of least resistance for now
15:57 <apuimedo> lmdaly: ^^
15:57 <apuimedo> ivc_: I think it won't be hard to enforce
15:57 <apuimedo> it's what we would do by default, we'll just fail the operations that specify a different SG
15:57 <apuimedo> when running in container-in-vm mode
15:58 <apuimedo> (when in ipvlan/macvlan mode)
15:59 <hongbin> +1
16:00 *** banix has quit IRC
16:00 <apuimedo> hongbin: thanks for following the discussion!
16:00 <limao_> apuimedo: hongbin: looks like magnum can accept this limitation :)
16:00 <hongbin> I guess it is ok
16:01 <hongbin> at least, sounds better than disabling port security :)
16:02 <limao_> :)
16:03 <apuimedo> indeed
16:05 <limao_> BTW, here is the reason why we have a limitation of 10 allowed address pairs for one port: https://bugs.launchpad.net/neutron/+bug/1336207
16:05 <openstack> Launchpad bug 1336207 in OpenStack Security Advisory "[OSSA 2014-025] There is no quota for allowed address pair (CVE-2014-3555)" [High,Fix released] - Assigned to Tristan Cacqueray (tristan-cacqueray)
16:06 <apuimedo> limao_: I imagined something of the sort
16:06 <apuimedo> iptables gets slow when there are too many
16:06 <limao_> yes
16:06 <apuimedo> so it's good that Neutron adds the ovs rules instead
16:07 <limao_> then the ovs rules will be many :)
16:09 <apuimedo> limao_: they are much more performant I think
16:09 <limao_> I'm not sure how many flows ovs can support; I tested iptables before, and if we have more than 2000 iptables rules, performance drops sharply
16:10 *** reedip has quit IRC
16:13 <limao_> Thanks apuimedo and ivc_ for your kind explanation and discussion. c u later.
16:14 <apuimedo> thank you limao
16:14 <openstackgerrit> Dongcan Ye proposed openstack/kuryr-libnetwork: Check overlapping subnet cidr when creating subnetpool  https://review.openstack.org/373977
16:16 <openstackgerrit> Dongcan Ye proposed openstack/kuryr-libnetwork: Check overlapping subnet cidr when creating subnetpool  https://review.openstack.org/373977
16:16 *** limao_ has quit IRC
16:16 *** limao has joined #openstack-kuryr
16:19 <yedongcan1> apuimedo: vikasc: Updated a new patch.
16:20 <apuimedo> thanks yedongcan1
16:20 *** limao has quit IRC
16:21 <yedongcan1> apuimedo: you're welcome. :)
16:22 *** banix has joined #openstack-kuryr
16:22 *** reedip has joined #openstack-kuryr
16:41 <mchiappero> Yes, ovs is probably a better performer
16:41 <mchiappero> But what's the reason for having an ipchain rule by default?
16:45 *** reedip has quit IRC
16:51 *** lmdaly has quit IRC
16:59 *** reedip has joined #openstack-kuryr
17:02 *** ivc_ has quit IRC
17:02 *** yamamoto has joined #openstack-kuryr
17:04 *** yedongcan1 has quit IRC
17:09 *** ivc_ has joined #openstack-kuryr
17:11 *** yamamoto has quit IRC
17:15 *** mchiappero has quit IRC
17:16 *** ivc_ has quit IRC
17:19 *** ivc_ has joined #openstack-kuryr
17:21 *** devvesa has joined #openstack-kuryr
17:40 *** tonanhngo has quit IRC
17:43 *** salv-orlando has joined #openstack-kuryr
17:47 *** devvesa has left #openstack-kuryr
17:51 *** irenab has quit IRC
17:52 *** irenab has joined #openstack-kuryr
17:58 *** ivc_ has quit IRC
18:03 *** tonanhngo has joined #openstack-kuryr
18:04 *** tonanhngo has quit IRC
18:20 *** hongbin has quit IRC
18:31 *** banix has quit IRC
18:46 *** tonanhngo has joined #openstack-kuryr
18:47 *** tonanhngo_ has joined #openstack-kuryr
18:48 *** tonanhngo_ has quit IRC
18:49 *** tonanhngo_ has joined #openstack-kuryr
18:50 *** tonanhngo has quit IRC
19:02 *** tonanhngo has joined #openstack-kuryr
19:05 *** tonanhngo_ has quit IRC
19:30 *** banix has joined #openstack-kuryr
19:33 *** sdake has quit IRC
19:34 *** tonanhngo_ has joined #openstack-kuryr
19:36 *** irenab has quit IRC
19:37 *** irenab has joined #openstack-kuryr
19:37 *** tonanhngo has quit IRC
19:42 *** salv-orl_ has joined #openstack-kuryr
19:45 *** salv-orlando has quit IRC
19:46 *** sdake has joined #openstack-kuryr
20:36 *** tonanhngo_ has quit IRC
20:37 *** tonanhngo has joined #openstack-kuryr
21:08 *** portdirect has joined #openstack-kuryr
21:11 <portdirect> Hi, I've put OpenStack in Kubernetes, which makes quite extensive use of Kuryr - both libnetwork and cni to replace flannel and the kube-proxy. I've put the code up here: https://github.com/portdirect/harbor and plan to have AMIs and an ISO to download in the next few days - if anyone has any feedback I'd really appreciate it.
21:30 *** salv-orl_ has quit IRC
21:32 *** salv-orlando has joined #openstack-kuryr
21:33 *** sdake has quit IRC
22:08 *** salv-orlando has quit IRC
22:16 *** huikang has joined #openstack-kuryr
22:32 *** huikang has quit IRC
22:33 *** huikang has joined #openstack-kuryr
22:35 *** portdirect_ has joined #openstack-kuryr
22:36 *** portdirect has quit IRC
22:36 *** portdirect_ is now known as portdirect
22:37 *** huikang has quit IRC
22:42 *** banix has quit IRC
23:18 *** reedip has quit IRC
23:30 *** reedip has joined #openstack-kuryr
23:39 *** salv-orlando has joined #openstack-kuryr
23:44 *** vikasc has quit IRC
23:44 *** sdake has joined #openstack-kuryr
23:45 *** salv-orlando has quit IRC
23:50 *** tonanhngo has quit IRC
23:50 *** reedip has quit IRC
23:55 *** tonanhngo_ has joined #openstack-kuryr
23:57 *** tonanhngo has joined #openstack-kuryr
23:58 *** tonanhng_ has joined #openstack-kuryr
23:59 *** tonanhngo_ has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!