Wednesday, 2017-01-25

« Tuesday, 2017-01-24 Index Thursday, 2017-01-26 »
*** limao has quit IRC00:04
*** mattmceuen has quit IRC00:13
*** hongbin has quit IRC00:22
*** tonanhngo has quit IRC00:44
*** tonanhngo has joined #openstack-kuryr00:44
*** neiljerram has quit IRC00:45
*** limao has joined #openstack-kuryr00:46
*** dougbtv__ has joined #openstack-kuryr01:18
*** dougbtv has quit IRC01:19
*** yedongcan has joined #openstack-kuryr01:25
*** yedongcan1 has joined #openstack-kuryr01:37
*** yedongcan has quit IRC01:41
*** yedongcan has joined #openstack-kuryr02:13
*** yedongcan1 has quit IRC02:15
*** hongbin has joined #openstack-kuryr03:02
*** hongbin has quit IRC03:20
*** hongbin has joined #openstack-kuryr03:21
*** portdirect_away is now known as portdirect03:55
openstackgerritJaivish Kothari(janonymous) proposed openstack/kuryr-kubernetes: Bump tox min version to 2.3.1  https://review.openstack.org/42497204:21
*** hongbin has quit IRC04:23
*** hongbin has joined #openstack-kuryr04:41
*** hongbin has quit IRC04:53
*** vikasc has quit IRC05:20
*** janki has joined #openstack-kuryr05:32
*** tonanhngo has quit IRC05:36
*** tonanhngo has joined #openstack-kuryr05:37
*** tonanhngo has quit IRC05:41
*** jchhatbar has joined #openstack-kuryr05:50
*** janki has quit IRC05:51
*** janki has joined #openstack-kuryr06:02
*** jchhatbar has quit IRC06:04
*** irenab_ has joined #openstack-kuryr06:11
*** irenab_ has quit IRC06:12
*** vikasc has joined #openstack-kuryr06:23
*** jchhatbar has joined #openstack-kuryr06:26
*** janki has quit IRC06:29
irenablimao: ltomasbo : hi guys06:42
limaoHi irenab06:42
irenablimao: I just saw your reply regarding nested case limitations06:43
irenablimao: Maybe we need to record this on kuryr side06:43
irenablooks like the unexpected limitations can be an issue for kuryr consumers06:44
limaoirenab: Do you mean this patch? https://review.openstack.org/#/c/422641/06:44
irenablimao: related to this discussion ]http://eavesdrop.openstack.org/irclogs/%23openstack-neutron/%23openstack-neutron.2016-11-22.log.html06:45
irenab(15:29)06:46
limaoirenab: oh, get it06:46
irenabits more about deployment limitations06:46
ltomasboI tried that myself06:47
ltomasboand if memory works, there was a problem with ovs-hybrid06:47
ltomasbobut it was working with ovs-firewall06:47
limaoirenab: how about add this limitation in kuryr-libnetwork/README.rst ?06:47
*** jchhatbar is now known as janki06:47
irenabltomasbo: do you have in mind the options that work? It will be great to add this in README, as ‘known limitations’06:48
irenabto help kuryr users06:48
ltomasbofor the kubernetes devstack conf06:48
ltomasboit is already there that you require ovs-firewall06:48
ltomasbothen there should be no problem06:49
limaoHow to try out nested-containers locally06:49
limao~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~06:49
limao1. Installing OpenStack running devstack with the desired local.conf file but06:49
limao   including the next to make use of OVS-firewall and enabling Trunk Ports::06:49
irenabltomasbo: what aboutdifferent vlans for ports on same network?06:49
ltomasboand if the ovs-hybrid was used, i think the only problem was if the ports have the same mac, not the same subnet06:49
ltomasbobut I can re-try this just in case06:49
ltomasboanyway, that is a trunk-port limitation, not a kuryr one06:50
ltomasboyes, it does not matter if they are in the same network06:50
irenabltomasbo: limao : the point is if there are more requirments/limitations, we better document it based on theway kuryr uses neutron trunk service06:50
ltomasboyep, it makes sense06:51
irenabltomasbo: since kuryr won’t work properly, and kuryr cuonsumers won’t be happy :-)06:51
limaoirenab: ltomasbo: agree to add that in Limitations section06:51
irenabthanks a lot06:52
irenablimao: I can push an update, just want t make sure what are the revealed limitations07:11
limaoirenab: Thanks, Kuryr nested-containers only work with neutron OVS-firewall(iptables_hybrid firewall will not work). This limitation is in Neutron Trunk Port by design.07:12
irenablimao: what about noop firewal driver?07:13
limaoirenab: also works, but we lost the sg in that case07:13
irenablimao: correct, but if for some reason it s the deployment choice… Maybe port security is disabled07:15
limaoirenab: Oh, yeah, that's make sense07:15
irenabok, will sum-on and push README update asap07:16
limaoirenab: Thanks for this07:16
*** yamamoto has quit IRC07:17
limaoirenab: maybe add the link which jlibosva pasted07:17
limaojlibosvalimao: "Obviously this solution is not compliant with iptables firewall." from https://github.com/openstack/neutron/blob/master/doc/source/devref/openvswitch_agent.rst#tackling-the-network-trunking-use-case07:17
irenablimao: yes, I will point to the neutron not to duplicate07:17
*** pcaruana has joined #openstack-kuryr07:28
ltomasbodo you know that it will work with noop firewall driver?07:43
limaoltomasbo: I remembered that I tried noop firewall driver at that time. Container can ping each other in that case(vm nested), but I did not do more test.07:46
ltomasbook, that should work07:48
limaoltomasbo: The problem is  mac flapping on linux bridge(in my memory), the fw driver without linux bridge should can work(ovs and noop, do not have lb)07:48
ltomasbomy concern is about if that would work a) if they are on the same network; b) if the ports have the same mac07:48
ltomasboahh, ok, didn't realized noop has no lb07:49
limaoltomasbo: Yeah, I think if it do not have lb, should be ok07:50
ltomasbothen is should be ok, yes07:50
limaoltomasbo: ;-)07:50
ltomasboanother limitation to include is the QoS07:50
ltomasboit does not work together with trunk ports07:50
ltomasbohttps://bugs.launchpad.net/neutron/+bug/163918607:51
openstackLaunchpad bug 1639186 in neutron "qos max bandwidth rules not working for neutron trunk ports" [Low,Confirmed] - Assigned to Luis Tomas Bolivar (ltomasbo)07:51
ltomasboirenab, ^^07:51
irenabltomasbo: on sub ports?07:52
ltomasboyep07:52
ltomasbothe problem is how trunk-ovs and br-int are linked07:53
ltomasboyou cannot apply QoS (as of today) on patch-ports07:53
ltomasboIIRC you cannot even apply it on parent port07:53
ltomasbofor the same reason07:53
openstackgerritBerezovsky Irena proposed openstack/kuryr-libnetwork: Add nested-containers limitations  https://review.openstack.org/42504008:00
*** yamamoto has joined #openstack-kuryr08:00
irenabltomasbo: tried not to enter into neutron details too much, more focus on the impact on kuryr users08:00
ltomasbook, but to me that is a limitation to kuryr users08:01
ltomasboas they may use QoS for side-by-side deployments08:01
ltomasbobut not for nested08:01
*** yamamoto has quit IRC08:02
*** yamamoto has joined #openstack-kuryr08:03
*** saneax-_-|AFK is now known as saneax08:06
*** pksingh has joined #openstack-kuryr08:15
*** gsagie has joined #openstack-kuryr08:29
*** vikasc has quit IRC08:33
*** vikasc has joined #openstack-kuryr08:51
*** garyloug has joined #openstack-kuryr08:52
*** pmannidi has quit IRC09:14
*** portdirect is now known as portdirect_brb09:22
*** limao has quit IRC09:31
ltomasboping yedongcan09:32
*** portdirect_brb is now known as portdirect09:32
yedongcanltomasbo: hi09:32
ltomasbojust saw your reply to https://review.openstack.org/#/c/420610/09:33
ltomasbojust curious, before, if show_extension failed, we have an error and raised the exception09:33
ltomasboand the proposed change removes that call, but if adding tag fails, we just log a warning and continue09:34
yedongcanltomasho: yes.09:35
ltomasbowhat happen if tag neutron extension is not supported09:35
ltomasbobefore, we got an error and exception, and now it will continue with just a warning09:35
yedongcannow, we will give an warning for users and at the end we will not add the tag.09:36
*** devvesa has joined #openstack-kuryr09:36
yedongcanbefore we give the warning message, we still get the exception from neutron client09:37
ltomasboit may happen then that the subnet gets deleted when the container is removed?09:37
ltomasboas there is no tag indicating it was already existing?09:37
*** yamamoto has quit IRC09:38
yedongcanltomasbo: I think not, we are not using tag indicate the subnet is existing Neutron subnet or created by Kuryr.09:45
ltomasboyedongcan, true09:48
ltomasbothat is for networks09:48
yedongcanltomasbo: thanks, :)09:50
openstackgerritDongcan Ye proposed openstack/kuryr-libnetwork: Removes subnetpool_id tag for Neutron existing subnet  https://review.openstack.org/41973509:51
*** dougbtv__ has quit IRC10:15
*** neiljerram has joined #openstack-kuryr10:16
*** openstackgerrit has quit IRC10:17
irenabjanonymous: hi10:21
*** openstackgerrit has joined #openstack-kuryr10:24
openstackgerritDongcan Ye proposed openstack/kuryr-libnetwork: Remove subnetpool_id tag for Neutron existing subnet  https://review.openstack.org/41973510:24
*** yamamoto has joined #openstack-kuryr10:25
*** yamamoto has quit IRC10:26
*** portdirect is now known as portdirect_away10:27
*** dougbtv__ has joined #openstack-kuryr10:31
janonymousirenab: hey10:34
irenabjanonymous: I wanted to verify the tls patch to seehow we can progress with it. I have a question regarding deployment10:36
janonymousirenab:sure10:37
irenabI am deploying devstack all-in-one based on https://review.openstack.org/#/c/410609/610:37
irenabany specific option to enable in local.conf?10:37
janonymousno10:38
irenabwhat are the addiotnal steps after devstack is done?10:38
janonymousPlease check 2 things10:38
janonymous1) kuryr.conf  have 3 things enabled: enable_ssl , ssl_* options10:39
janonymous2) kuryr.json file should have valid paths in /usr/... path where kuryr.json is placed10:39
irenabjanonymous: how did you generate the ssl file?10:41
janonymousAfter that we need to create 3 files for local test of ssl ( cert, ca, key) ... which i created but not 100% sure i did it correctly10:41
janonymousi followed limao's commads as below:10:41
janonymousopenssl genrsa -out ca.pem 2048;10:41
janonymousopenssl req -new -x509 -nodes -days 1000 -key ca.pem -out ca-cert.pem;10:41
janonymousopenssl req -newkey rsa:2048 -days 1000 -nodes -keyout key.pem -out server-req.pem;10:41
janonymousopenssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca.pem -set_serial 01 -out cert.pem;10:41
irenabjanonymous: and once this done, restart kuryr-libnetwork?10:42
janonymousbut please check on net, because i  tried several other links also10:42
janonymousirenab: yeah, both docker and libnetwork would be good10:42
irenabjanonymous: great, thanks for sharing the details10:42
janonymousirenab: when all things are done, to verify everythin run command mentioned by limao in comments10:43
janonymouscurl --cacert /var/lib/kuryr/certs/cert.pem -XPOST https://127.0.0.1:23750/Plugin.Activate10:43
janonymousthis would ensure that on kuryr side everything is working find10:43
janonymous*fine10:43
janonymousand certificates are generated properly10:43
irenabok10:44
irenabwill let you know once done with the bring up10:44
janonymousirenab: let me know if you face any issue till these steps :)10:44
irenabto verify the issue you ran into10:44
janonymoussure, as per investigation point of view there was a prblem with docker to verify self signed ceritificates. but anyway please take your time10:45
janonymousi will be around10:45
irenabjanonymous: any chance you have kuryr.con and kuryr.jsonsmaples to post?10:46
janonymousyes,10:47
janonymousi will paste it in a min10:47
*** vikasc has quit IRC10:48
*** yedongcan has left #openstack-kuryr10:50
janonymousirenab:http://paste.openstack.org/show/596416/10:56
janonymousi pasted all the configs and certs ^^10:56
*** yamamoto has joined #openstack-kuryr11:18
*** yamamoto has quit IRC11:18
*** vikasc has joined #openstack-kuryr11:20
*** pksingh has quit IRC11:28
*** devvesa has quit IRC11:32
*** yamamoto has joined #openstack-kuryr11:33
*** yamamoto has quit IRC11:34
irenabjanonymous: hi11:34
janonymousirenab:hi11:34
irenabjanonymous: I followed this link http://tech.paulcz.net/2016/01/secure-docker-with-tls/ to generate TLC certificates11:34
irenabseems to be working for me, but I added settings to the docker service  creation11:35
irenabsudo /usr/bin/docker daemon -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/var/lib/kuryr/certs/ca.pem --tlscert=/var/lib/kuryr/certs/cert.pem --tlskey=/var/lib/kuryr/certs/key.pem --cluster-store etcd://localhost:500111:36
janonymouswhat did you added in CN field11:36
irenabwhat is the CN field?11:37
irenabjanonymous: except for the curl --cacert /var/lib/kuryr/certs/cert.pem -XPOST https://127.0.0.1:23750/Plugin.Activate, didn’t try anything yet11:38
janonymousit takes the HOST in certificate gen11:38
janonymousohh cool11:38
janonymousirenab: doest that work?11:38
irenabcurl --cacert /var/lib/kuryr/certs/cert.pem -XPOST https://127.0.0.1:23750/Plugin.Activate11:39
irenab{11:39
irenab  "Implements": [11:39
irenab    "NetworkDriver", 11:39
irenab    "IpamDriver"11:39
irenab  ]11:39
irenab}11:39
janonymouscool11:40
janonymousnow try docker network create11:40
janonymous docker network create --driver kuryr --ipam-driver kuryr \11:41
janonymous--subnet 10.10.0.0/16 --gateway=10.10.0.1 test_net11:41
janonymous785f8c1b5ae480c4ebcb54c1c48ab875754e4680d915b270279e4f6a1aa5228311:41
irenabjanonymous: but following the link, thereis also openssl.cnf file11:41
irenabkuryr crashed11:45
janonymous:D11:45
irenabhttp://paste.openstack.org/show/596425/11:45
*** devvesa has joined #openstack-kuryr11:48
janonymousirenab: strange11:53
janonymousirenab: what about docker log11:53
janonymousAlso can you run  sudo /usr/bin/docker daemon -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --tlsverify --tlscacert=/var/lib/kuryr/certs/ca.pem --tlscert=/var/lib/kuryr/certs/cert.pem --tlskey=/var/lib/kuryr/certs/key.pem --cluster-store etcd://localhost:5001 with -D flag11:54
irenabDEBU[0010] Calling POST /v1.25/networks/create11:54
irenabDEBU[0010] form data: {"Attachable":false,"CheckDuplicate":true,"Driver":"kuryr","EnableIPv6":false,"IPAM":{"Config":[{"Gateway":"10.10.0.1","Subnet":"10.10.0.0/16"}],"Driver":"kuryr","Options":{}},"Internal":false,"Labels":{},"Name":"test_net","Options":{}}11:54
irenabWARN[0010] Unable to connect to plugin: 127.0.0.1:23750/Plugin.Activate: Post http://127.0.0.1:23750/Plugin.Activate: read tcp 127.0.0.1:39702->127.0.0.1:23750: read: connection reset by peer, retrying in 1s11:54
irenabWARN[0011] Unable to connect to plugin: 127.0.0.1:23750/Plugin.Activate: Post http://127.0.0.1:23750/Plugin.Activate: read tcp 127.0.0.1:39704->127.0.0.1:23750: read: connection reset by peer, retrying in 2s11:54
irenabWARN[0013] Unable to connect to plugin: 127.0.0.1:23750/Plugin.Activate: Post http://127.0.0.1:23750/Plugin.Activate: read tcp 127.0.0.1:39716->127.0.0.1:23750: read: connection reset by peer, retrying in 4s11:54
irenabWARN[0017] Unable to connect to plugin: 127.0.0.1:23750/Plugin.Activate: Post http://127.0.0.1:23750/Plugin.Activate: read tcp 127.0.0.1:39728->127.0.0.1:23750: read: connection reset by peer, retrying in 8s11:54
irenabERRO[0025] Handler for POST /v1.25/networks/create returned error: legacy plugin: Post http://127.0.0.1:23750/Plugin.Activate: read tcp 127.0.0.1:39760->127.0.0.1:23750: read: connection reset by peer11:54
irenabjanlet me pastebin this11:54
janonymousIt seems your ssl is working :O11:54
irenabhttp://paste.openstack.org/show/596427/11:54
janonymousyour problem is of keep_alive ..i guess11:55
janonymousBUT11:55
janonymoushttp ?11:56
janonymousWARN[0010] Unable to connect to plugin: 127.0.0.1:23750/Plugin.Activate: Post http://127.0.0.1:23750/Plugin.Activate: read tcp 127.0.0.1:39702->127.0.0.1:23750: read: connection reset by peer, retrying in 1s  has http:// not https://11:56
janonymousis there 2files kuryr.json, kuryr.spec ?11:57
janonymousirenab: ^^11:59
irenabchecking12:00
*** portdirect_away is now known as portdirect12:02
irenabyes12:02
irenabunder /opt/stack/kuryr-libnetwork12:02
janonymousremove spec one, and check json one contents once that link in https in it12:03
*** tonanhngo has joined #openstack-kuryr12:03
irenabthere are 2 kuryr.spec12:03
janonymousNo, in /usr/lib/ path..12:04
janonymouson /usr/lib/docker/plugins/kuryr/ path12:05
*** tonanhngo has quit IRC12:08
irenabError response from daemon: legacy plugin: plugin not found12:11
irenabjanonymous: looks like docker cannot locate the kuryr12:13
apuimedoirenab: are you testing the ssl patch?12:14
janonymousDocker checks kuryr.json in  /usr/lib/docker/plugins/kuryr/  , can you recheck and restart kuryr, docker services12:14
irenabapuimedo: yes12:14
apuimedothere are other places where it looks for json/spec files12:14
janonymousapuimedo: o/12:14
apuimedoand they have a precedence order12:14
apuimedoso probably you have an old .spec file elsewhere12:14
apuimedothat takes precedence12:14
apuimedoI think one possibility is on /etc12:15
janonymous /run/docker/plugins ,12:15
janonymous /etc/docker/plugins12:15
irenabshall I remove all of them?12:16
janonymousirenab: pls check for .spec if it exists on these locations, remove it12:17
irenabjanonymous: renamed all of them, hope this counts :-)12:18
janonymousirenab:In /usr/lib/docker/plugins/kuryr/ there should exist kuryr.json file with content having https://127.0.0.1:23750 in it12:18
janonymousgreat!12:18
janonymousrestart and try again pls12:19
irenabjanonymous: I have it here /opt/stack/kuryr-libnetwork/contrib/tls/kuryr.json12:19
irenabwill copy12:19
irenabyes!12:21
irenabworking12:21
janonymousAlso you could set InsecureSkipVerify:  true12:21
irenabjanonymous: I think probably the instructions in REAME should be impoved12:22
apuimedo;-)12:22
irenabjanonymous: what is the issue you were concerned about?12:22
janonymousnow try THE docker network create command mentioned above12:22
janonymous:D12:22
irenabjanonymous: just did12:22
janonymousirenab: docker logs? does that work?12:23
irenabait amin, need to create container12:23
janonymousis your network create working?12:24
irenabyes12:26
irenabalso create container12:27
irenabdocker seems to be happy12:28
janonymous:/12:28
janonymousi am not happy! What i did wrong12:28
janonymouscan you please paste docker logs and kuryr-logs12:28
irenabjanonymous: http://paste.openstack.org/show/596434/12:29
apuimedoivc_: please see irenab's comment to https://review.openstack.org/#/c/423903/ (in case my +2 shadowed it)12:29
apuimedojanonymous: you are not happy because it works?12:30
apuimedo:-D12:30
irenabjanonymous: try to follow the cert creation process in the link I posted, maybe there is something there you missed12:30
irenabhttp://tech.paulcz.net/2016/01/secure-docker-with-tls/12:30
irenabposting kuryr logs in a sec12:30
janonymousapuimedo: :P ,i tried 4 types of creating ssl certs in my entire day!12:31
janonymousirenab:thanks!12:31
openstackgerritMerged openstack/kuryr-libnetwork: trivial: nosetest .xml removal as testr is used now  https://review.openstack.org/35581212:32
openstackgerritMerged openstack/kuryr-libnetwork: Typo fix: happend => happened  https://review.openstack.org/42399512:32
apuimedojanonymous: :-)12:33
irenabhttp://paste.openstack.org/show/596436/12:34
apuimedogerrit is slow like a snail parade12:34
irenabapuimedo: maybe it got flu12:35
apuimedodon't tell me about it12:35
irenabjanonymous: what exactly didn’t work or you?12:35
apuimedoI'm fucking sick of being sick!!! When I thought we were all cured, different kind of coughing and belly ache kicks in...12:36
apuimedoI am so done with this12:36
*** neiljerram has quit IRC12:36
irenabapuimedo: you need to rest12:37
janonymousirenab:ssl certs genertions for sure! , i will try with your links tomorrow12:37
apuimedocan't, gotta take care of the children12:37
apuimedo:-)12:37
irenabjanonymous: hope I could help. Add comment about instruvtions, but otherwise it seems ok12:38
irenabapuimedo: yes, on this front there is no days off to take …12:38
janonymousapuimed: take care , get well sson12:38
*** neiljerram has joined #openstack-kuryr12:39
janonymousirenab:thanks for looking in that12:39
janonymousirenab: one last question, are you sure it kuryr server is on https :P12:39
irenabjanonymous: it seems so in the logs12:40
apuimedothanks12:40
apuimedoirenab: make a curl12:40
apuimedoit will surely enough tell you that your cert is crap12:41
apuimedo:-)12:41
irenabhttp://paste.openstack.org/show/596438/12:41
irenabapuimedo: already did12:41
janonymous:D12:41
apuimedocool12:41
irenabcurl --cacert /var/lib/kuryr/certs/cert.pem -XPOST https://127.0.0.1:23750/Plugin.Activate12:41
irenab{12:42
irenab  "Implements": [12:42
janonymousirenab: thanks  lot! really appreciate it12:42
irenab    "NetworkDriver", 12:42
*** vikasc has quit IRC12:42
irenab    "IpamDriver"12:42
irenab  ]12:42
irenab}12:42
irenabjanonymous: you welcome12:42
janonymousirenab: whole patch was correct, but i spent whole day to test it and that too improperly :/12:43
janonymouslimao, irenab, apuimedo: thanks! :)12:43
irenabapuimedo: can you please spend few mins explaining about kuryr.spec and kuryr.json, when it is used and why there can be number of them?12:43
*** neiljerram has quit IRC12:43
openstackgerritMerged openstack/fuxi: Updated from global requirements  https://review.openstack.org/41992912:43
janonymousirenab: https://docs.docker.com/engine/extend/plugin_api/12:43
irenabwhy there can be number of them?12:45
*** neiljerram has joined #openstack-kuryr12:45
janonymousbut i personally think that there should be one convention in kuryr12:45
irenabfor the same plugin12:45
janonymousjson one is top priority12:45
irenabso they are expected to be under /run/docker/plugins?12:47
janonymousunder any 3 locations12:47
irenabok, got it12:47
apuimedoirenab: this is just to find different network providers12:47
apuimedoyou can have several network remote drivers at the same time12:47
apuimedoirenab: it's a bit like with systemd12:48
irenabapuimedo: this make sense, but I was not sure why there are several kuryr.json and kury.spec files12:48
apuimedo/usr/lib/systemd/system has drivers installed by the system12:48
apuimedobut there's also /etc location for overriding locally12:48
irenabbut as long as the location matters, it should not be a problem12:48
apuimedoirenab: that's leftovers from devstack runs I suppose12:49
irenabapuimedo: so for the devstack, what would be the main one?12:49
* apuimedo checks12:51
apuimedo /etc12:51
irenabfor somereason I didn’t have them at all under the path mention in the docker page12:52
apuimedowrong12:52
apuimedo /usr/lib/docker/plugins/kuryr12:52
irenabdistro agnostic?12:52
apuimedoyes12:53
irenabthanks12:53
* janonymous calling it a day now! :)12:54
irenabjanonymous: enjoy the rest of the day/evening12:55
ivc_apuimedo https://review.openstack.org/#/c/423908/112:55
ivc_irenab, apuimedo, regarding 'missing bp' in https://review.openstack.org/#/c/42390312:56
ivc_i dont think we need to reference bp there12:56
ivc_first of all it does not implement a bp and has nothing to do with it. it's just a minor improvement12:56
irenabivc_: it is very convenient to see all realted patches from the launchpad bp page12:56
ivc_irenab the problem with that bp is it covers everything in kuryr-k8s12:57
ivc_irenab do you want _every_ patch in kuryr-k8s to have the reference to that bp?12:57
irenabivc_: checking the launshpad now, I do not see the bp at all ...12:59
irenablaunchpad12:59
ivc_irenab what bp are you looking for?13:00
ivc_https://blueprints.launchpad.net/openstack/?searchtext=kuryr-k8s-integration ?13:00
*** garyloug has quit IRC13:01
irenabwe actually referenced bp at kuryr and not kury-kuberntes13:01
*** vikasc has joined #openstack-kuryr13:01
irenabwhat a mess ..13:02
apuimedo:P13:02
apuimedoit can be changed13:02
irenabivc_: my point is that it is quite convenient for tracing the relevant patches if there is some linking to the launchpad bp or bug that this patch refers to13:03
ivc_i don't thing there's anything on lpad that refers to this patch13:03
irenabunless patches are trivial, it should be linked to something. What is trivial can be arguable ;-)13:03
openstackgerritIlya Chukhnakov proposed openstack/kuryr-kubernetes: OVO model for K8s Services support  https://review.openstack.org/42390813:05
irenabivc_: did you check that devref is still valid?13:05
irenabapuimedo: shall we just create new bp under kuryr-k8s?13:07
ivc_irenab why would it not?13:09
ivc_devref is quite abstract on this topic: 'Thread group maps to an unique K8s resource' and does not specify if it should be uid or selfLink13:10
apuimedoirenab: it can just be moved IIRC13:10
irenabivc_: good13:11
ivc_irenab you are a bureaucrat xD you want me to create a bug for https://review.openstack.org/#/c/422946/ ?13:13
irenabivc_: just hate changes not related to anything13:14
irenabin this case, I believe it really fixes a bug13:14
irenabivc_: but taking you criticism very hard and going to have a lunch :-)13:15
apuimedo:-D13:16
ivc_apuimedo, https://review.openstack.org/#/c/422910/ either you replied with incomplete copy/paste or i don't understand what you mean there13:16
apuimedoirenab: without you, kuryr would be far too chaotic13:16
ivc_irenab <313:16
apuimedoivc_: you're not considering the option of my fevered brain malfunctioning13:16
apuimedoxD13:16
ivc_xD13:17
irenab:-)13:17
ivc_apuimedo so, can you decrypt that? xD13:18
apuimedoyes13:18
apuimedobasically I was tlaking about another alternative13:18
apuimedobased on keeping a map13:19
apuimedothat is keyed by the event hash13:19
apuimedo*event json hash13:19
ivc_and?13:19
apuimedoand as value it has a reference to the handler (now that I don't have fever, I see it could be just a set)13:19
apuimedowhen you get a new event, if the hash of the event is in the queue, you ignore the event13:20
ivc_problem is13:20
apuimedo(the hashing would be only of certain relevant parts of the json)13:20
ivc_you wont get hash-hits ever13:20
ivc_or13:20
ivc_oh13:20
ivc_so not just plain hash(json)13:20
ivc_imo that would be overly complicated13:21
ivc_and will require special-casing to extract 'relevant' parts13:21
ivc_i've got a better solution actually13:21
ivc_instead of doing it on handler/pipeline layer we can do it as part of k8sclient13:22
apuimedoivc_: did you consider what we did in the PoC? Just check if it has already kuryr annotations13:23
ivc_resourceVersion patch can save resourceVersion on 'annotate' conflict and 'watch' will skip everything until it sees that version13:23
apuimedoso we at least filter our own MODIFIED events13:23
ivc_apuimedo i don't want to filter those13:23
*** jchhatbar has joined #openstack-kuryr13:24
apuimedowhich then?13:25
apuimedomaybe I missed something when reading the commit msg13:25
ivc_so the current 'skip stale' patch is just a temporary bandaid. the k8sclient patch will require more work/testing (tho its still quite trivial) and some thinking about ha case13:25
ivc_apuimedo k8s itself creates a bunch of events13:26
*** janki has quit IRC13:26
ivc_try 'watch'ing with curl on namespace/pods endpoint and create a new pod13:26
ivc_without kuryr there are several events fired13:27
apuimedoivc_: for scheduling and such13:27
apuimedoyeah13:27
*** v1k0d3n has quit IRC13:27
ivc_so K8s emits events A,B,C and neither of them have kuryr details13:27
ivc_we process A, add annotations and trigger event D13:27
ivc_but we still have B and C which from our point are no different from A13:28
ivc_and have no kuryr-related info13:28
*** v1k0d3n has joined #openstack-kuryr13:29
ivc_we do need to skip everything before D and it can be done in k8sclient, but the proposed timed 'skip stale' is just a simple solution and easiest one to implement and we need that13:29
apuimedoyeah13:30
ivc_its bandaid :)13:30
apuimedoI know13:30
apuimedoIt was more so users can put their own kuryr annotations13:30
apuimedoand have that not repeated by kuryr-controller13:31
apuimedo(for ports, so you can specify them)13:31
apuimedobut it had the (not processing our own modified events as a bonus)13:31
ivc_you mean hashing?13:31
apuimedono, the check for annotations13:32
apuimedohashing is a new though I had13:32
apuimedo:P13:32
apuimedonot part of the PoC13:32
apuimedoas you well know13:32
ivc_uhm can you clarify 'check for annotations'13:32
ivc_like https://github.com/openstack/kuryr-kubernetes/blob/master/kuryr_kubernetes/controller/handlers/vif.py#L56-L58 ?13:33
apuimedoivc_: almost. But in this case we'd still have two green threads polling neutron for active13:36
apuimedowhich "kills the Neutron"13:36
apuimedo(dark knight reference, sorry)13:36
ivc_it only polls if active!=True13:37
ivc_and what are 'two' green threads?13:37
apuimedowhat I mean is13:38
apuimedoif we receive the event for our modified (due to our annotate PATCH req), the new handler will go and also poll Neutron....13:40
apuimedoDamn...13:40
apuimedoI can't read today13:40
apuimedoI see13:40
apuimedothe one that sets the vif finishes there13:40
apuimedothe one after the annotation is put is the one that polls neutron13:40
ivc_:P13:40
apuimedobut if there was any other event while the polling is happening, wouldn't we end up polling from multiple event handlers13:41
ivc_nope13:41
ivc_remember, we have a queue13:41
ivc_its an actor13:41
ivc_sort of13:41
apuimedoby cid, yes13:42
ivc_no concurrent events for the same object13:42
apuimedobut with the cahnge...13:42
apuimedolet me see to what you were changing it13:42
apuimedoI have no recollection of it now13:42
ivc_with the change we just drop everything but the latest event13:43
apuimedoah, you change it to self link13:43
irenabapuimedo: ivc_ : anything I can help?13:43
*** vikasc has quit IRC13:43
apuimedothat sounds like my concern is bollocks13:43
apuimedogood13:43
ivc_the 'selfLink' change is different patch (and its 0-impact as far as we are concerned)13:44
apuimedoivc_: I know13:44
apuimedothat's what I just said :-)13:44
apuimedotoday my brain is almost 55%13:44
apuimedo:-)13:44
ivc_cool!13:44
apuimedoup from when I did the reviews13:45
apuimedoivc_: so, on to the new proposal you have for this13:45
ivc_yes?13:46
apuimedobeing that we only process one at a time, won't we just be doing the if and elif https://github.com/openstack/kuryr-kubernetes/blob/master/kuryr_kubernetes/controller/handlers/vif.py#L58-L7113:46
apuimedofor those?13:46
apuimedowe finish event A13:46
apuimedothen we go to event B13:46
apuimedooh13:46
apuimedodamn13:46
ivc_:P13:46
ivc_xD13:46
apuimedofucking slow brain13:46
apuimedothis sucks13:46
apuimedoso what was the solution that you favor from the list you put?13:47
ivc_in the comments for that patch? the 'feedback' one, sort of13:47
ivc_except it does not require any interaction with Async13:48
ivc_we just change k8sclient to skip everything after 'annotate'13:48
apuimedoI meant to ask about the 'handle it in the k8s client'13:48
apuimedohow would that change look like?13:48
apuimedoa selector ?13:49
ivc_after 'resourceVersion' patch in k8sclient we have the 'feedback' now on version conflicts13:49
ivc_so if there is a version conflict, we resolve it and store that 'resourceVersion' in k8sclient resource->resourceVersion mapping13:50
ivc_and 'watch' will be changed to check that mapping and skip everything unless it sees the resourceVersion from the mapping13:50
ivc_thats the implementation13:50
*** garyloug has joined #openstack-kuryr13:51
ivc_the logic is - after we 'annotate' we need to skip everything before the event triggered by our own annotation13:51
ivc_quite simple and effective actually13:51
ivc_i just need to check how it works considering 'resourceVersion' should be treated as opaque string and not a int-sequence13:52
apuimedoivc_: I think it's safe to treat it as an int13:53
ivc_its not13:53
ivc_google says not to13:54
apuimedothe only other thing I can think is that they'll change it to etcd timestamps13:54
apuimedoand we could then move to use that13:54
ivc_they are very specific about it13:54
apuimedoI know13:54
apuimedobut still, they internally allow you to establish an order13:54
apuimedothe fact that they tell you not to use ordering on client side is a bit vexing13:55
ivc_i do not think we need the ordering13:55
*** vikasc has joined #openstack-kuryr13:55
apuimedowell, IIRC the watch guarantees order13:55
apuimedoso you could match the string13:55
ivc_yes13:55
apuimedoand ignore all the events13:55
ivc_but there's one problem there13:56
apuimedountil you see the annotation13:56
ivc_'watch' can restart13:56
apuimedoI know :P13:56
apuimedowhen it does, you are stuck with checking from the last resourceversion13:56
ivc_yup and thats the only place where int/ordering would help13:57
ivc_but i'd like to solve it with google's constraints in place if possible13:57
ivc_its an interesting problem :)13:58
ivc_and that would be a clean solution without 'but's13:58
apuimedoalright13:59
ivc_but that requires time and i'm kinda low on that valuable resource now :/ hence the bandaid :P13:59
apuimedogot it14:00
* apuimedo -> lunch14:01
*** tonanhngo has joined #openstack-kuryr14:07
openstackgerritMerged openstack/kuryr-kubernetes: OVO model for K8s Services support  https://review.openstack.org/42390814:22
*** hongbin has joined #openstack-kuryr14:55
*** ivc_ has quit IRC15:00
*** ivc_ has joined #openstack-kuryr15:01
*** dougbtv__ is now known as dougbtv15:02
*** tonanhngo has quit IRC15:08
*** tonanhngo has joined #openstack-kuryr15:09
*** tonanhngo has quit IRC15:13
*** saneax is now known as saneax-_-|AFK15:15
*** devvesa has quit IRC15:28
*** devvesa has joined #openstack-kuryr15:44
*** jchhatbar has quit IRC15:55
*** vikasc has quit IRC15:56
*** gsagie has quit IRC16:00
*** tonanhngo has joined #openstack-kuryr17:07
openstackgerritAntoni Segura Puimedon proposed openstack/kuryr-libnetwork: Add nested-containers limitations  https://review.openstack.org/42504017:22
*** garyloug has quit IRC17:25
openstackgerritAntoni Segura Puimedon proposed openstack/kuryr-libnetwork: README: fix nested container rendering  https://review.openstack.org/42530917:30
openstackgerritMerged openstack/fuxi: Fix logging format  https://review.openstack.org/42357017:45
*** garyloug has joined #openstack-kuryr17:51
*** tonanhngo has quit IRC17:53
*** garyloug has quit IRC18:26
*** tonanhngo has joined #openstack-kuryr18:53
*** pcaruana has quit IRC18:53
*** tonanhngo has quit IRC18:57
*** saneax-_-|AFK has quit IRC20:46
*** yamamoto has joined #openstack-kuryr21:27
*** yamamoto has quit IRC21:36
*** v1k0d3n has quit IRC21:59
*** v1k0d3n has joined #openstack-kuryr22:01
*** yamamoto has joined #openstack-kuryr22:22
openstackgerritHongbin Lu proposed openstack/kuryr-libnetwork: Support creating network with pool uuid  https://review.openstack.org/42488922:54
« Tuesday, 2017-01-24 Index Thursday, 2017-01-26 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!