Wednesday, 2018-11-21

« Tuesday, 2018-11-20 Index Thursday, 2018-11-22 »
*** yamamoto has quit IRC00:34
*** ramishra has quit IRC02:41
openstackgerritzhufl proposed openstack/octavia master: Add missing ws separator between words  https://review.openstack.org/61913702:55
openstackgerritwangxiyuan proposed openstack/octavia master: [WIP] Tags support for lb resources  https://review.openstack.org/60600603:35
*** yamamoto has joined #openstack-lbaas04:05
*** numans has quit IRC04:18
*** yamamoto has quit IRC05:20
*** yamamoto has joined #openstack-lbaas05:24
openstackgerritMerged openstack/octavia master: Treat null admin_state_up as False  https://review.openstack.org/58292905:27
*** yamamoto has quit IRC05:47
*** yamamoto has joined #openstack-lbaas05:51
*** yamamoto has quit IRC06:07
*** annp has joined #openstack-lbaas06:17
*** yamamoto has joined #openstack-lbaas06:41
*** yboaron_ has joined #openstack-lbaas06:49
*** ccamposr has joined #openstack-lbaas06:49
*** rcernin has quit IRC07:26
*** velizarx has joined #openstack-lbaas07:51
*** yboaron_ has quit IRC08:10
*** yamamoto has quit IRC08:24
*** yamamoto has joined #openstack-lbaas08:47
*** sapd1__ has quit IRC08:54
*** sapd1 has joined #openstack-lbaas08:55
*** velizarx has quit IRC08:59
*** yboaron_ has joined #openstack-lbaas09:05
*** velizarx has joined #openstack-lbaas09:06
openstackgerritwangxiyuan proposed openstack/octavia master: [WIP] Tags support for lb resources  https://review.openstack.org/60600609:14
*** yboaron_ has quit IRC09:35
*** yboaron_ has joined #openstack-lbaas09:36
*** pcaruana has joined #openstack-lbaas09:48
*** yamamoto has quit IRC09:55
*** Emine has joined #openstack-lbaas10:10
openstackgerritAntoni Segura Puimedon proposed openstack/octavia master: [WIP] Allow LB creation to specify Access SGs  https://review.openstack.org/61919310:11
*** salmankhan has joined #openstack-lbaas10:14
*** yboaron_ has quit IRC10:15
*** yboaron_ has joined #openstack-lbaas10:16
*** salmankhan1 has joined #openstack-lbaas10:16
*** salmankhan has quit IRC10:18
*** salmankhan1 is now known as salmankhan10:18
*** yamamoto has joined #openstack-lbaas10:22
*** yamamoto has quit IRC10:28
*** yamamoto has joined #openstack-lbaas10:30
*** Emine has quit IRC10:31
*** Emine has joined #openstack-lbaas10:54
*** yamamoto has quit IRC11:45
*** mugsie has joined #openstack-lbaas11:49
*** yamamoto has joined #openstack-lbaas12:07
*** yamamoto has quit IRC12:36
*** ramishra has joined #openstack-lbaas12:51
*** yamamoto has joined #openstack-lbaas13:06
*** yamamoto has quit IRC13:18
*** hvhaugwitz has quit IRC13:22
*** hvhaugwitz has joined #openstack-lbaas13:29
*** velizarx has quit IRC14:02
*** velizarx has joined #openstack-lbaas14:07
*** Emine has quit IRC15:17
*** Emine has joined #openstack-lbaas15:18
*** velizarx has quit IRC15:21
*** ramishra has quit IRC15:45
*** ccamposr has quit IRC15:58
*** velizarx has joined #openstack-lbaas16:42
*** yboaron_ has quit IRC16:43
*** ccamposr has joined #openstack-lbaas16:50
*** pcaruana has quit IRC16:50
*** fnaval has joined #openstack-lbaas17:03
*** Emine has quit IRC17:05
*** cgoncalves has quit IRC17:12
*** velizarx has quit IRC17:12
*** cgoncalves has joined #openstack-lbaas17:14
*** yamamoto has joined #openstack-lbaas17:16
*** yamamoto has quit IRC17:20
openstackgerritAntoni Segura Puimedon proposed openstack/octavia master: [WIP] Allow LB creation to specify Access SGs  https://review.openstack.org/61919317:31
*** cgoncalves has quit IRC17:42
*** cgoncalves has joined #openstack-lbaas17:42
*** salmankhan has quit IRC18:11
rm_workmeeting today? or none due to US holiday week?20:00
johnsom#startmeeting Octavia20:00
openstackMeeting started Wed Nov 21 20:00:52 2018 UTC and is due to finish in 60 minutes.  The chair is johnsom. Information about MeetBot at http://wiki.debian.org/MeetBot.20:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.20:00
rm_work:P20:00
*** openstack changes topic to " (Meeting topic: Octavia)"20:00
rm_worko/20:00
openstackThe meeting name has been set to 'octavia'20:00
cgoncalvesrm_work, only because you asked20:01
johnsomSorry, was slow on the draw there.20:01
nmagnezio/20:01
rm_worklol20:01
ltomasboo/20:01
johnsomTrying to research what I know the hot topic is today...20:01
johnsomAs we have a LONG history of discussing the solution20:01
johnsom#topic Announcements20:01
*** openstack changes topic to "Announcements (Meeting topic: Octavia)"20:01
rm_workToday is my last working day at GD, will start at Oath on Dec 3 :)20:02
johnsomThe summit was last week. It sounds like it went well for us. We had two keynotes mentioning Octavia, so that is great!20:02
cgoncalvesrm_work, congratulations!!20:02
johnsomrm_work Congrats!20:02
cgoncalveshttps://j.apps.cgoncalves.pt/UI/Dashboard20:02
cgoncalvesoosp20:03
nmagnezirm_work, Congrats and good luck! :)20:03
rm_workthanks :)20:03
rm_workI know they are using Octavia there so maybe I will have more time?20:03
nmagnezicgoncalves, Bad Gateway, Bad!20:03
johnsomSadly, I guess the conference venue in Berlin didn't have the bandwidth for the videos, so they had to ship hard drives back to the states.  They are estimating mid-December for the non-keynote sessions to be posted.20:03
rm_worklol wat20:03
nmagnezijohnsom, that's actually a first. wow.20:04
johnsomcgoncalves nginx/1.14.1 ???  Really..... sigh20:04
rm_worksuch sneakernet20:04
rm_workaww, cert not trusted? wheres your letsencrypt?20:04
cgoncalvesjohnsom, wasn't pwd protected yet, so I shut it off immediately20:04
johnsomlol20:04
johnsomDon't want to share your cat videos?20:05
cgoncalvesit's letsencrypt'ed20:05
cgoncalvesI'm a dog person, sorry20:05
johnsomStill, nginx?20:05
rm_workhmm, wonder if my root certs are crazy old on this machine20:05
rm_workwhat's wrong with nginx? :P20:05
nmagnezijohnsom, he's secretly coding an Octavia driver for it20:06
johnsomAlso, if you weren't aware, the openstack-dev and ops mailing lists are merging and going away.20:06
johnsomPlease make sure you are subscribed to the new mailing list (if you are interested).20:06
johnsom#link http://lists.openstack.org/pipermail/openstack-dev/2018-September/134911.html20:06
johnsomAll of the details are at that link20:06
rm_worki wish they had one for nginx... would be nice to really proof out our interface for the amp driver20:06
cgoncalvesw00t, I was not aware of this. thank you20:07
johnsomYeah, but I'm not approving an API so you can load you license key....20:07
johnsomThere is some talk of new [dev] tags, but I didn't get a chance to read up on that.20:08
rm_workthe link in that mail seems to go to the wrong place20:08
rm_workit's this one I think? http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-discuss20:08
johnsomYeah, it's now "discuss"20:08
cgoncalvesyeah, subscribed now20:08
rm_workjohnsom: i assume that'd be a config variable specific to nginx? :P20:08
johnsomI guess you could add a flavor for it... sigh20:09
rm_workand we'd need to split out config stuff specific to backends into their own sections (ie, haproxy stuff would need to be in [haproxy])20:09
johnsomOk, last thing I have:20:10
johnsomOctavia priority review list....20:10
johnsom#link https://etherpad.openstack.org/p/octavia-priority-reviews20:10
johnsomI have updated the list for Stein20:10
johnsomWe are way behind on reviews20:11
johnsom~56 reviews or so20:11
johnsomJust a reminder. This is a list of patches that *appear* ready for reviews. It is not a list of patches I think should merge. It is roughly ordered in a priority I think makes sense (patches that have children first, impact on the project, etc.)20:12
johnsomIf it has a -1 or WIP it is not on this list20:12
johnsomThat is by design20:12
johnsomIf there are things you think should be on the list, add them to "Awaiting prioritization" so I can order it and be aware of it.20:13
johnsomHopefully this is useful. At least it highlights the need for reviews on patches and our backlog.20:13
johnsomFeel free to poke me if you think we should re-order, etc.20:14
johnsomAny questions/comments on the review list?20:14
johnsomAny other announcements today?20:15
johnsom#topic Brief progress reports / bugs needing review20:15
*** openstack changes topic to "Brief progress reports / bugs needing review (Meeting topic: Octavia)"20:15
cgoncalvesI proposed tagging octavia-tempest-plugin 0.2.0: https://review.openstack.org/#/c/619314/20:15
johnsomI am on vacation this week, so not a ton of things going on.20:15
johnsomI finished the work for creating octavia-lib and moving the code out to it.20:16
johnsomI also finished the first patch in the flavors work, which adds APIs for managing flavors.  Still a lot of work to do there, but a start.20:16
nmagnezias a followup to what cgoncalves just wrote, we work to promote the RPM for octavia-tempest-plugin for both OSP13 and OSP14 (which is in the works).20:16
openstackgerritCarlos Goncalves proposed openstack/octavia master: Fix devstack plugin for /var/log/dib-build exists  https://review.openstack.org/61783820:17
rm_workOh i think this one should be easy (speaking of tempest) https://review.openstack.org/#/c/607382/20:17
johnsomCool.20:17
nmagneziFor whomever is interested, that is also going to be the case in RDO20:18
johnsomrm_work FYI, I did include that in the review list20:18
rm_workah k20:18
johnsomI also spent time creating the list and doing some reviews last week.20:19
rm_workI'm gonna be out until like mid-december prolly for most stuff still, but I REALLY hope I can get back to reviewing at that point20:19
johnsomWe hope too!20:19
rm_workone of the first things i'll ask my new team is "so, do you guys want me to run for PTL of this project?" :P20:20
johnsomAny other updates of note?20:20
johnsomSweet!20:20
johnsomIt's time for some new leadership around here...  lol20:20
rm_workthough I'm secretly hoping cgoncalves wants to do it :P20:20
rm_workI still *hate* paperwork20:20
rm_workwith a fiery passion20:21
cgoncalvesrm_work, there's no paperwork. we are 100% digital20:21
rm_work(enough that it tends to incinerate any paperwork i come in contact with)20:21
rm_worklol well that's good then20:21
nmagneziOk so we're going to vote now? :)20:21
johnsomThere is *plenty* of bit-work to do however20:21
johnsomOk, moving on to the hot topic today......20:22
johnsom#topic VIP ACLs/SGs20:22
*** openstack changes topic to "VIP ACLs/SGs (Meeting topic: Octavia)"20:22
johnsomSo there is a patch posted:20:22
rm_workdidn't we discuss this at length at the last PTG?20:22
johnsom#link https://review.openstack.org/#/c/602564/20:22
johnsomAnd a patch to immediately deprecate it20:23
johnsomrm_work Yes, we have had lengthy conversations about this at multiple PTGs and IRC meetings.20:23
johnsomHowever, this patch is not the approach we decided on at those previous meetings.20:23
johnsom#link https://review.openstack.org/#/c/612631/220:24
johnsomdeprecation patch20:24
rm_worklol k20:24
johnsomI had hoped to pull up the meeting logs and have a list of links for the history, but with vacation I didn't get time.20:24
johnsomHere is my summary of the issue:20:24
johnsomUsers want to be able to restrict the source addresses allowed to access the VIP of their load balancers.20:25
johnsomDo we agree on the problem statement?20:25
nmagneziYup20:25
ltomasbojohnsom, yep20:25
cgoncalvesyes20:25
johnsomCool! Just want to set a common ground work20:25
johnsomThe challenge comes in that Octavia "owns" the VIP and security group today. It will update it as ports are added for listeners, etc. It will also rebuild it should a failover occur and the SG needs to be rebuilt.20:27
cgoncalvesalso FYI, we have customers requesting this feature in our queens-based product20:27
johnsomNeutron only supports an "OR" operation with SGs on ports.20:27
johnsomThis means if we stacked a user SG and the octavia SG on a port, it's which ever is more open wins.20:28
johnsomWe did move the VIP port itself into the tenant project to allow floating IP assignment. However this has been proven to be a horrible idea as people are using automation tools to manage their projects which have "delete all" logic, and we (at least us) are seeing a large number of support calls where they have shot themselves in the foot.20:29
ltomasbojohnsom, but in this case the user will not be able to delete the SG if the amphora VM is using it20:30
johnsomSo, due to this, and the fact that moving the SG into the tenant means they can open ports/protocols against our managed amphora is not a popular idea for some.20:31
ltomasbojohnsom, which is different to the VIP, as the VIP is not 'attached' to any VM in the amphora driver (just used through allowed address pair)20:31
johnsomltomasbo Yes you can20:31
ltomasbojohnsom, if the SG is in used by another port (as is the case) you cannot remove it, neutron will reject it20:32
johnsomIf the SG is owned by the tenant they can do anything to it.  Common is open it wide up, no rules20:32
johnsomltomasbo They already own the ports20:32
ltomasbojohnsom, how? the SG is attached to the vrrp port20:32
ltomasboand that is owned by the octavia tennant20:33
ltomasboso, the SG cannot be removed20:33
ltomasboplus, the user is able to define listeners opening any port he wants on the octavia created SG, therefore the security concern is not a real one, as the user could to just the same without owning the SG20:34
rm_workwhat about the thing i was pushing last time -- having a user port and an internal port? It's been so long i actually forgot the details of my own proposal though, unfortunately20:34
johnsomAh, but they cannot open protocols and any port they open as a listener is configured and has the appropriate haproxy listening on the port.20:34
johnsomopenstack security group rule create ec2b4ea4-fe88-41ed-904c-5be2b88d188c20:35
johnsomThat is really the worst issue20:35
johnsomThat opens everything basically20:35
ltomasbojohnsom, I don't know enogh about octavia, but I though you can specify tcp/udp on the listeners, and create as much as you want20:36
ltomasbothought20:37
johnsomThe approach we eventually agreed upon was adding an ACL API to the listener that allowed users to add the source ACLs they want applied. We can then manage those, and restore those on failover. It is also a very explicit "here are the rules" interface.20:37
johnsomIt would be setup similar to adding the ACLs via neutron, but with a limited set of features down to source IP, etc.20:37
johnsomltomasbo You can, but you can't open protocol 50 for example.20:38
johnsomOr the VRRP protocols20:38
ltomasbojohnsom, that is true20:39
johnsomWe looked at accepting a user SG and cloning it, but then the user experience gets horrible as if they change the SG rules, the LB would not get updated. That is unless we added a dependency that we are tied into the neutron event stream and watch for those update events, which gets super ugly quickly.20:40
cgoncalvesjohnsom, is there a draft somewhere of how that ACL API extension would look like?20:40
ltomasbobut if you allow the user to pass the SG you are in the same situation, and reimplementing the SG API (restricted) on octavia...20:40
johnsomI think there is in a story.20:40
johnsomBut adding an ACL API is super simple20:41
ltomasbojohnsom, celebdor1 started a PoC to handle that: https://review.openstack.org/#/c/619193/20:42
cgoncalvesthe downside of ACL API is reinventing the wheel, sort of20:42
nmagneziAlso not backportable20:42
johnsomYeah, we went down that path and decided it was a bad idea. (allowing the passing of an SG in)20:42
ltomasbocgoncalves, I agree20:42
nmagneziBut I guess most suggestions won't be anyways20:43
johnsomnmagnezi None of these options are backportable20:43
cgoncalvesnmagnezi, let's forget about that for a moment. let's focus on the right fix to the problem20:43
nmagneziAgreed.20:43
ltomasbojohnsom, reimplementing SG API is a bad idea too, it already exists...20:43
cgoncalvesjohnsom, I cannot find the story for the ACL API, sorry. could you please share?20:44
celebdor1ltomasbo: and took a long time and man hours to get right and sort out the bugs20:44
johnsomThe ACL option has an advantage as well, that the F5 guys liked. It allows us to implement it in different ways. For example, the amphora driver *may* use neutron SGs, or may use the haproxy ACLs. The F5 could opt to use the hardware ACLs.20:44
cgoncalvesstoryboard is not easy to navigate/search20:44
rm_workit'd be a simplified version of the existing ACL type apis tho right?20:44
johnsomcgoncalves, yeah I would have to dig. The title is not ACL, the comment is.... So their search is useless20:45
rm_workor do we just THINK it'd start that way, but it'd eventually grow to be the same huge mess?20:45
celebdor1rm_work: I bet for the latter20:45
johnsomI think it would be very simple. We already handle all of the port stuff20:45
celebdor1unless you really restrict it to just CIDRs20:46
johnsomSo there is no real need for anything more complex that the source ACLs20:46
celebdor1which is not too powerful20:46
cgoncalveson the pro side of ACL API is that we wouldn't be tightly coupled to neutron, which is good for e.g. octavia standalone20:46
johnsomThe only downside we came up with is you can't use the transitive trust neutron SGs provide. I.e. if ports on members of the same SG they have full access. However, we felt that was better as this way the access is explicit and not implied.20:47
celebdor1johnsom: it is not implied in Neutron IIRC20:48
johnsomRight. I think the hadware ACLs is a good case too. Why use slow iptables when you have an ASIC that can do the work20:48
celebdor1you have a rule allowing from same SG, right ltomasbo?20:48
celebdor1just that it is always put in the 'default' SG20:48
ltomasboyep, you can simply allow from other ports having a specific SG, not an specific CIRD20:49
ltomasboCIDR20:49
johnsomIn neutron, two ports can be part of the same SG. That SG may exclude the IP of one port. However, the traffic will pass20:49
ltomasbojohnsom, in neutron everything is block by default, unless you open it20:50
ltomasbo(ingress)20:50
johnsomIf you don't share the SG, yes20:50
ltomasboof course, as everything is deny by default, the policy is that is denied unless you specifically allow it20:51
ltomasboso, if you add a rule allowing it... it will pass20:51
celebdor1johnsom: even if you share the SG20:51
johnsomIf the ports share an SG, it always passes20:52
ltomasbojohnsom, that is not true, depend on the rule20:52
celebdor1http://paste.openstack.org/show/735917/20:52
celebdor1those two rules that allow all ingress and egress from the same group20:52
ltomasbojohnsom, if they don't have the allow from remote_group_id SG_ID, then it will be blocked20:52
celebdor1are not special20:52
celebdor1they can be there20:52
johnsomThey would have had to change that recently if that is the case. Plus a bunch of k8s people will get really grumply quickly if that stops working20:52
celebdor1(and they are for the 'default' group)20:53
celebdor1but they don't need to be there20:53
celebdor1this has been the case for as long as I can remember20:53
ltomasboyep, same here20:53
johnsomAnyhow, I think that is a bit of a side issue, and not that important for this conversation.20:53
ltomasbothat is there since newton at least20:53
celebdor1johnsom: it was important to point out so if that would affect its usage we'd not be left with the wrong impression of how it works20:55
celebdor1but it's not the main part of the topic20:56
celebdor1of course20:56
johnsomWhat I am talking about is not remote SGs.20:56
johnsomYeah, the ACL list approach would not be affected by neutron's behavior as the tenant would have access to the SG for other ports.20:57
ltomasbojohnsom, I don't get that20:57
johnsomBy adding the ACL API, Octavia would retain ownership of the SG applied to the amphora. A tenant would not be able to add the SG to their other ports.20:58
ltomasboahh, by contrast you will be redoing the SG API (and that was not a simple task)21:00
johnsomA very small part of the SG API. Probably could be done in a week or so21:00
celebdor1johnsom: ltomasbo: I probably missed it before (I was putting the toddler to bed). Why does it matter if they put the SG to other ports if it is one SG that they precreated like in the patch I sent21:01
johnsomIf the VIP and other ports share an SG, their are not rules applied. But again, this isn't really the bigger issues.21:02
celebdor1johnsom: is that small part of the API just a single CIDR for all the listeners in an LB? Or a list of CIDRs? or different CIDRs per listener?21:02
celebdor1johnsom: I already showed that even if they share the SG unless the SG has explicit rules to allow same SG traffic, the rules apply21:03
ltomasbocelebdor1, and the remote_group_id...21:03
johnsomIt would have to be a list. I would assume per listener for flexibility. CIDRs only.21:03
celebdor1ltomasbo: no, I don't think the ACL proposal Octavia pushes for has remote group21:03
celebdor1since it can't refer to Neutron stuff if it is a reimplementation21:04
johnsomDang we are out of time.21:04
johnsom#endmeeting21:04
*** openstack changes topic to "Discussions for Octavia | Stein priority review list: https://etherpad.openstack.org/p/octavia-priority-reviews"21:04
openstackMeeting ended Wed Nov 21 21:04:10 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)21:04
openstackMinutes:        http://eavesdrop.openstack.org/meetings/octavia/2018/octavia.2018-11-21-20.00.html21:04
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/octavia/2018/octavia.2018-11-21-20.00.txt21:04
openstackLog:            http://eavesdrop.openstack.org/meetings/octavia/2018/octavia.2018-11-21-20.00.log.html21:04
ltomasboand what about other octavia drivers...21:04
johnsomSorry I wasn't watching that21:04
johnsomWe can of course keep discussing, we just have a fixed hour for the meeting.21:04
celebdor1johnsom: I think ltomasbo went for a late dinner21:06
johnsomcelebdor1 If you missed the discussion, passing in SGs has a few issues: 1, neutron ORs them; 2. Octavia won't know when they change if we just "clone" the SG and users get confused; 3. it doesn't allow offloading the ACL to the drivers. and probably a few others I am forgetting here.21:07
celebdor1that's why my patch doesn't clone them21:07
celebdor1just makes the user take ownership if they pass the SG21:08
celebdor1they are on their own21:08
johnsomYeah, but those protect *our* managed resource.  I have not looked at your patch yet, but is it just stacking the tenant SG on the port?21:09
celebdor1johnsom: no, no. It's a very basic patch just proposing adding a param to the lb creation called access_group21:10
celebdor1that takes an SG uuid21:10
celebdor1if you pass that, the vrrp ports get this SG21:10
celebdor1and that's where Octavia work ends21:10
johnsomOh, so total replacement21:10
cgoncalvesyes21:10
celebdor1the user is on the hook for opening the ports to their listeners and so on21:10
johnsomSo not protecting our amps at all21:11
celebdor1(I prefer that than adding Octavia code that tries to do what the user wants)21:11
celebdor1johnsom: right, it only protect the amp haproxy namespace as much as the user deems necessary21:11
cgoncalvesjohnsom, +1. in the likelyhood of penetrating into an amp, an attacker would have access to the whole lb-mgmt-network21:12
celebdor1cgoncalves: how do you propose it escapes the network namespace?21:12
celebdor1s/network/haproxy/21:12
johnsomWell, not the lb-mgmt-net.21:12
johnsomThat SG would remain in affect21:12
celebdor1I thought they are isolated and the communication is with a unix domain socket21:13
celebdor1so if they want to open whatever on the haproxy namespace21:13
celebdor1what do we care?21:13
johnsomIt removes our control and opens the attack surface greatly against a resource Octavia is supposed to be managing.21:14
celebdor1how? what network resource is running there?21:15
celebdor1I thought that it only runs haproxy21:15
celebdor1which only listens to what you tell it to21:15
johnsomAnd keepalived.21:15
celebdor1for both UDP and the VIP21:16
celebdor1right21:16
johnsomRight now all that is allowed in is TCP and UDP ports. No other IP protocols, etc.21:16
celebdor1well, you control the amp image21:16
celebdor1nothing else is listening on other protocols, is it?21:16
johnsomBoth of which we know there is something configured to listen on those ports.21:16
johnsomSo you would expose an other kernel modules that happen to be loaded that deal with other protocols, you expose the VRRP and haproxy ports to the "outside" should a version come along that opens a new port, or an operator modifies the haproxy template exposing the management ports, etc.21:18
johnsomWhat we have now is a managed service, that is restricted to just the ports/protocols we support and test. If a user configures a TCP listener on 80, I know the SG is correct to allow that traffic. I don't get support calls because the user forgot to add the SG rule or didn't know someone applied a custom SG.21:20
celebdor1all I'm hearing is that you are having SGs do the linux network namespace work that belongs by right to iptables21:21
*** AlexStaf has joined #openstack-lbaas21:21
johnsomWell, I will try next week to dig through everything and pull out links to the decisions we made on this before. Just so folks can read through the thought processes that went into this. Then we can decide if we want to go a different direction or stick with what we previously decided.21:22
celebdor1sorry if that came across as harsh. I meant that the right tool for closing that in an operator provided image is to use iptables on that SG21:22
celebdor1s/SG/namespace/21:22
johnsomAdding iptables in the namespace means conntrack, which tanks the throughput and means you need to put more resources into your amphora instances.21:23
celebdor1johnsom: thanks for that and for taking the time for us amidst your holidays21:23
johnsomThat is why we have avoided it. Plus having the ACL outside the amp means if the amp gets compromised, they intruder can't just light up ports, they would have to go change the ACLs too.21:24
celebdor1well, if you only care about opening the ports, you can probably do without conntrack21:25
celebdor1(which is already on the default ml2/ovs firewall driver and I agree that better one than two)21:25
johnsomSure, no problem. This has been a topic for a long time that the team has spent a lot of time discussing. There is hope that FWaaS shared groups would also be a solution to this, which is why the ACL option has been a lower priority, but he FWaaS v2 work has been slow.21:26
celebdor1fwaas would leave you with the same problem for other octavia providers not being able to do their own impl21:27
johnsomCorrect21:27
*** yamamoto has joined #openstack-lbaas21:50
*** rcernin has joined #openstack-lbaas22:09
*** fnaval has quit IRC22:36
*** ccamposr has quit IRC23:15
rm_workhmmm alright ima be out until at least dec 3-423:27
rm_workbut johnsom and cgoncalves know how to reach me, at least23:27
rm_workif you need emergency reviews :P23:27
*** rm_work has quit IRC23:33
*** rm_work has joined #openstack-lbaas23:33
*** celebdor1 has quit IRC23:43
rm_workjohnsom: this still kills me: http://paste.openstack.org/show/720201/23:45
rm_work"loadbalancers": "654ddf45-b50c-40d8-9603-e2358503df1c",23:45
rm_workplural >_>23:45
« Tuesday, 2018-11-20 Index Thursday, 2018-11-22 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!