Friday, 2019-06-21

« Thursday, 2019-06-20 Index Saturday, 2019-06-22 »
*** raildo has quit IRC00:17
*** mattw4 has quit IRC00:19
*** mattw4 has joined #openstack-meeting00:22
*** markvoelker has joined #openstack-meeting00:40
*** mattw4 has quit IRC00:47
*** yamamoto has quit IRC00:49
*** ricolin has joined #openstack-meeting00:55
*** ykatabam has quit IRC00:55
*** ykatabam has joined #openstack-meeting00:56
*** markvoelker has quit IRC00:59
*** dviroel has quit IRC01:22
*** yamahata has quit IRC01:27
*** iyamahat has quit IRC01:27
*** brinzhang has joined #openstack-meeting01:39
*** iyamahat has joined #openstack-meeting01:41
*** boxiang has joined #openstack-meeting01:46
*** brinzhang has quit IRC01:49
*** brinzhang has joined #openstack-meeting01:52
*** brinzhang has quit IRC01:55
*** brinzhang has joined #openstack-meeting01:55
*** markvoelker has joined #openstack-meeting01:56
*** apetrich has quit IRC01:57
*** mattw4 has joined #openstack-meeting01:57
*** ykatabam has quit IRC02:00
*** markvoelker has quit IRC02:01
*** cheng1 has quit IRC02:07
*** cheng1 has joined #openstack-meeting02:08
*** kevinluuuuu has quit IRC02:32
*** markvoelker has joined #openstack-meeting02:57
*** brinzhang_ has joined #openstack-meeting02:58
*** brinzhang has quit IRC03:00
*** markvoelker has quit IRC03:02
*** psachin has joined #openstack-meeting03:06
*** yamamoto has joined #openstack-meeting03:11
*** dmacpher__ has joined #openstack-meeting03:14
*** dmacpher_ has quit IRC03:18
*** brinzhang_ has quit IRC03:31
*** ayoung has joined #openstack-meeting03:49
*** yamamoto has quit IRC03:53
*** yamahata has joined #openstack-meeting03:58
*** markvoelker has joined #openstack-meeting03:58
*** ykatabam has joined #openstack-meeting04:00
*** imsurit has joined #openstack-meeting04:00
*** yamamoto has joined #openstack-meeting04:01
*** markvoelker has quit IRC04:02
*** slaweq has joined #openstack-meeting04:13
*** imsurit has quit IRC04:14
*** imsurit has joined #openstack-meeting04:17
*** slaweq has quit IRC04:25
*** whoami-rajat has joined #openstack-meeting04:35
*** bobh has joined #openstack-meeting04:39
*** mattw4 has quit IRC04:39
*** ianw is now known as ianw_pto04:44
*** zaneb has quit IRC04:44
*** pcaruana has joined #openstack-meeting04:45
*** bobh has quit IRC04:47
*** zaneb has joined #openstack-meeting04:52
*** markvoelker has joined #openstack-meeting04:59
*** ykatabam has quit IRC05:00
*** janki has joined #openstack-meeting05:02
*** markvoelker has quit IRC05:04
*** ykatabam has joined #openstack-meeting05:04
*** davee_ has quit IRC05:06
*** kopecmartin|off is now known as kopecmartin05:12
*** jbadiapa has quit IRC05:13
*** Luzi has joined #openstack-meeting05:24
*** brinzhang has joined #openstack-meeting05:54
*** rcernin has quit IRC05:59
*** markvoelker has joined #openstack-meeting06:00
*** ykatabam has quit IRC06:03
*** markvoelker has quit IRC06:04
*** vishalmanchanda has joined #openstack-meeting06:05
*** e0ne has joined #openstack-meeting06:22
*** boxiang_ has joined #openstack-meeting06:33
*** boxiang has quit IRC06:34
*** boxiang_ has quit IRC06:35
*** boxiang_ has joined #openstack-meeting06:35
*** janki has quit IRC06:53
*** iyamahat has quit IRC06:53
*** jbadiapa has joined #openstack-meeting07:00
*** markvoelker has joined #openstack-meeting07:01
*** slaweq has joined #openstack-meeting07:04
*** iyamahat has joined #openstack-meeting07:13
*** tesseract has joined #openstack-meeting07:19
*** markvoelker has quit IRC07:28
*** janki has joined #openstack-meeting07:31
*** brinzhang_ has joined #openstack-meeting07:38
*** brinzhang__ has joined #openstack-meeting07:40
*** ricolin_ has joined #openstack-meeting07:40
*** brinzhang has quit IRC07:42
*** brinzhang_ has quit IRC07:43
*** ricolin has quit IRC07:43
*** tssurya has joined #openstack-meeting07:44
*** ralonsoh has joined #openstack-meeting07:52
*** ttsiouts has joined #openstack-meeting07:55
*** ykatabam has joined #openstack-meeting07:58
*** apetrich has joined #openstack-meeting08:07
*** ttsiouts has quit IRC08:20
*** ttsiouts has joined #openstack-meeting08:21
*** ttsiouts has quit IRC08:26
*** janki has quit IRC08:28
*** ttsiouts has joined #openstack-meeting08:37
*** brinzhang has joined #openstack-meeting08:43
*** ociuhandu has joined #openstack-meeting08:46
*** brinzhang__ has quit IRC08:46
*** ociuhandu has quit IRC08:46
*** ociuhandu has joined #openstack-meeting08:46
*** ociuhandu has quit IRC08:50
*** ociuhandu has joined #openstack-meeting08:50
*** janki has joined #openstack-meeting08:57
*** ttsiouts has quit IRC09:00
*** ttsiouts has joined #openstack-meeting09:01
*** ttsiouts has quit IRC09:05
*** ttsiouts has joined #openstack-meeting09:07
*** ricolin_ has quit IRC09:10
*** ricolin has joined #openstack-meeting09:11
*** brinzhang has quit IRC09:39
*** lpetrut has joined #openstack-meeting09:45
*** ricolin has quit IRC09:57
*** ttsiouts has quit IRC10:08
*** ttsiouts has joined #openstack-meeting10:09
*** lpetrut has quit IRC10:10
*** lpetrut has joined #openstack-meeting10:10
*** ttsiouts has quit IRC10:13
*** yamamoto has quit IRC10:25
*** boxiang_ has quit IRC10:33
*** ttsiouts has joined #openstack-meeting10:41
*** ttsiouts has quit IRC10:46
*** yamamoto has joined #openstack-meeting10:57
*** yamamoto has quit IRC10:59
*** yamamoto has joined #openstack-meeting11:00
*** ykatabam has quit IRC11:01
*** bbowen has quit IRC11:04
*** Luzi has quit IRC11:07
*** ttsiouts has joined #openstack-meeting11:08
*** jbadiapa has quit IRC11:09
*** janki has quit IRC11:14
*** janki has joined #openstack-meeting11:19
*** Lucas_Gray has joined #openstack-meeting11:21
*** carloss has joined #openstack-meeting11:21
*** imsurit has quit IRC11:23
*** imsurit has joined #openstack-meeting11:26
*** ykatabam has joined #openstack-meeting11:33
*** ykatabam has quit IRC11:38
*** raildo has joined #openstack-meeting11:40
*** imsurit has quit IRC11:42
*** ykatabam has joined #openstack-meeting11:50
*** EmilienM is now known as EvilienM11:59
*** priteau has joined #openstack-meeting12:17
*** cheng1 has quit IRC12:17
*** ab-a has quit IRC12:18
*** ab-a has joined #openstack-meeting12:24
*** baojg has quit IRC12:34
*** priteau has quit IRC12:36
*** priteau has joined #openstack-meeting12:40
*** vkmc has quit IRC12:40
*** jbadiapa has joined #openstack-meeting12:48
*** ykatabam has quit IRC12:52
*** ttsiouts has quit IRC12:55
*** ttsiouts has joined #openstack-meeting12:56
*** bbowen has joined #openstack-meeting13:00
*** ttsiouts has quit IRC13:01
*** rfolco has joined #openstack-meeting13:02
*** mriedem has joined #openstack-meeting13:08
*** jchhatbar has joined #openstack-meeting13:18
*** janki has quit IRC13:21
*** vishalmanchanda has quit IRC13:28
*** lbragstad has joined #openstack-meeting13:28
*** markvoelker has joined #openstack-meeting13:29
*** davidsha has joined #openstack-meeting13:31
*** ttsiouts has joined #openstack-meeting13:33
*** eharney has joined #openstack-meeting13:38
*** priteau has quit IRC13:41
*** jchhatbar has quit IRC13:47
*** priteau has joined #openstack-meeting13:51
*** mlavalle has joined #openstack-meeting13:55
*** markvoelker has quit IRC13:57
*** jamesmcarthur has joined #openstack-meeting13:58
mlavalle#startmeeting neutron_drivers14:00
openstackMeeting started Fri Jun 21 14:00:13 2019 UTC and is due to finish in 60 minutes.  The chair is mlavalle. Information about MeetBot at http://wiki.debian.org/MeetBot.14:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:00
*** openstack changes topic to " (Meeting topic: neutron_drivers)"14:00
openstackThe meeting name has been set to 'neutron_drivers'14:00
yamamotohi14:00
slaweqhi14:01
amotokio/14:01
ralonsohhi14:01
mlavalleok14:02
mlavallegood evening / afternoon / morning to everybody14:03
mlavallelet's get going14:03
mlavalle#topic RFEs14:03
*** openstack changes topic to "RFEs (Meeting topic: neutron_drivers)"14:03
haleybhi14:03
mlavalleToday we have 1 RFE to discuss: https://bugs.launchpad.net/neutron/+bug/183275814:03
openstackLaunchpad bug 1832758 in neutron "[RFE] Allow/deny custom ethertypes in security groups" [Wishlist,New]14:03
slaweqthat is interesting one :)14:04
amotokiI haven't followed comments so far, but as a quick look it looks okay to accept ether types other than IPv4/IPv6.14:06
amotokiovs flow allows us to do it.14:07
slaweqamotoki: yes, but the problem here is that in case of iptables fw driver all such custom ethertypes are allows already14:08
slaweqand there is no way to block them currently14:08
slaweqso we have totally different behaviour depends on what driver is used14:08
haleybyes, with iptables_hybrid we might be able to do it using ebtables, right now it's almost a bug in the iptables_hybrid code imho14:08
amotokislaweq: ah.... the fallback default rule allows all traffic?14:08
slaweqat least IIUC this bug report and what njohnston explained us recently, it is like that14:09
mlavalleso that tells me that we should strive for consistency, right?14:09
slaweqso IMO first question here is:14:09
slaweqwhich behaviour is correct14:10
slaweq1. iptables_hybrid driver which allows custom ethertypes14:10
slaweqor14:10
slaweq2. ovs driver which blocks it14:10
mlavalleanother way to pose the question is:14:10
mlavalledo we believe that there are already users with this use case going on with iptables_hybrid14:11
mlavalle?14:11
mlavalleif yes, that kind of tells us that is the right behavior14:11
haleybyes, there are, but it might have been an oversight since we're allowing traffic that wasn't allowed by an SG rule14:12
mlavalleI know14:12
slaweqmlavalle: as njohnston wrote in comment, we had customers using e.g. InfiniBand which require such traffic14:12
*** hemna has quit IRC14:13
mlavalleI understand that. But if those users are working with those use cases without a problem, why would we rule it out?14:13
mlavallethe way I see it, we should catch up with reality14:14
mlavalleand make it explicit14:14
amotokiI generally agree with mlavalle.14:16
amotokiOne point is how operators can check if such use cases are being used in their deployments.14:16
mlavalleahhh, that's good point14:17
mlavallethe same as us, many of those deployment managers might not even know that this is going on14:17
*** jamesmcarthur has quit IRC14:18
haleybwe had no idea, new deployment used ovsfw and boom!14:18
mlavalleexactly14:18
slaweqIMHO current situation is: correct behaviour is in ovs fw but some users are rely on broken iptables_hybrid driver, so do we want to "break" ovs fw driver and allow such traffic there too, or do we want to break some of existing deployments which uses iptables_hybrid driver?14:18
*** jgriffith has joined #openstack-meeting14:19
mlavallebut we wouldn't be breaking any ovs fw driver sitaution14:19
mlavallewe would just open up another possibility to them14:20
mlavallethe converse is not true14:20
haleybi guess i don't think we can change iptables_hybrid without a solution to then allow different ethertypes14:20
mlavallewith iptables_hybrid users, we would be braking scenarios14:20
slaweqmlavalle: exactly14:21
yamamotoslaweq: why do you think ovs-fw behaviour is correct?14:21
amotokiit would be nice if we have a kind of "permissive" mode as selinux does.... but I am not sure it can and is feasible14:21
mlavalleand yes, that is the next question, yamamoto14:21
slaweqyamamoto: because iptables driver now allows traffic which isn't explicity set to be allowed in SG rules14:21
amotokiyamamoto: I agree with slaweq. all traffic which aree not defined in SG rules should be dropped I think.14:21
slaweqbut maybe it's "only" matter of proper documentation where we will say explicity what SG can filter and what not14:22
mlavalleI think it boils down to saying the community clearly what happened14:23
mlavalleallow the new behavior14:23
mlavalleand maybe, as suggested by amotoki's previous comment, provide tools for deployment managers to audit their deployments14:23
mlavalleand add rules in the case of iptables_hybrid14:24
mlavalleto make it explicit14:24
haleybcan probably do that by changing default to DROP instead of ACCEPT, i don't know14:25
*** apetrich has quit IRC14:26
mlavallemaybe14:26
haleybaltough that's at iptables, which isn't in play14:26
haleybi was getting ahead of myself...14:26
mlavallemaybe the way forward is approve the RFE with the comments ^^^^ and ask for a spec where we can sort out the details14:27
mlavallebut I don't see us dodging this one14:27
amotokiThe RFE is about ovs-fw. one idea is to keep the current behavior of iptables-based impl and to add non-IP ethertype to ovs-fw. It would break nothing.14:28
mlavallethat's true14:28
amotokiwe can accept non-IP ethertype if ovs-fw is used.14:28
amotokithe API extension would help us14:29
mlavalleand document exactly what happened, so community is aware14:29
yamamotoi wonder how other impls do14:29
haleybthat get's back to the question of should we be doing that?  it seems like a security issue since user didn't authorize it14:29
*** rajinir has joined #openstack-meeting14:30
slaweqmaybe we can align ovs-fw with iptables for now, so allow this non-IP ethertypes and update docs and later as second step add possibility to enable/disable such traffic - this second step would be treated as RFE14:30
amotokihow about making it explicitly? for example, we can insert a SG rule to allow non-IP ethertype traffic14:31
haleybthat would let you audit it i'd assume, seeing byte/packet counts on a flow rule14:32
slaweqamotoki: but this may be tricky to implement in case of iptables_driver, no?14:32
*** lpetrut has quit IRC14:32
amotokislaweq: perhaps what we need to do is to keep ovs-fw compatible with iptable-hybrid w/ some audit way14:33
mlavalleit should be made explicit in both cases14:33
mlavallewith rules14:34
*** whoami-rajat has quit IRC14:34
slaweqamotoki: I agree, that would be good solution14:35
*** dklyle has joined #openstack-meeting14:37
yamamotodo we want to make some research about other SG impls?  i can look at midonet if desirable14:38
mlavalleamotoki: what exactly is meant by "keep ovs-fw compatible?14:39
mlavalledoes it mean just opening up those ethertypes by default?14:39
amotokimlavalle: what I think is to allow non-IP traffic by default.14:39
amotokimlavalle: yes14:40
mlavallewithout explicit rules?14:40
amotokiI think "explicit (SG) rules" is optional.  operators can check such traffic is sent from ovs flow stats (though we need to check it is feasible)14:41
slaweqamotoki: or maybe add new config option to allow operator to explicity say: "on this node, non-IP traffic should be allowed with ovs-fw driver"14:41
*** lseki has joined #openstack-meeting14:42
amotokislaweq: yes, that's another good option14:42
mlavalleanother alternative is to enforce it / make it explicit at the upgrade moment:14:43
mlavalle1) iptables-hybrid continues as is14:43
*** bnemec is now known as beekneemech14:44
mlavalle2) when user upgrades to ovs-fw, he / she needs to create rules to allow other ether types14:44
mlavallethis way, over time, we nudge the community to make this bahvior explicit14:44
mlavalleand we provide tools for the upgrade14:45
*** TheJulia is now known as needssleep14:46
yamamotomlavalle: does it mean "an SG implementation can choose either behaviors"?14:47
*** kopecmartin is now known as kopecmartin|off14:47
mlavalleyamamoto: it means that when you upgrade to ovs-fw you have make your choice to allow other ether types explicit with rules in your security groups14:48
mlavallethis way, as the community adopts ovs-fw, we gradually line up the actual behavior with what is expressed in the security groups14:50
amotokiI think yamamoto's question is about third-party SG implementation. do they need to change the behavior on non-IP ether traffic at some time? or do they choose a behavior?14:50
mlavallefor that part of the proble, I think we need to understand what the current posture is, as suggested by yamamoto himself14:51
mlavallewhat doesn midonet do now?14:52
mlavallemaybe some investigation is needed to answer this14:52
yamamotomlavalle: dunno. i need to investigate14:52
mlavallewhat doesn ovn do, haleyb?14:53
haleybmlavalle: since it uses the ovsfw I'm assuming it drops the traffic, but i have not tested14:53
*** markvoelker has joined #openstack-meeting14:54
mlavalleI think boden can help us with the nsx plugin14:54
yamamotohaleyb: doesn't it use ovn acls?14:54
haleybyamamoto: i can ask, just not something i've looked at yet14:55
mlavalleok, it seems that we need to take a pause on this one and revisit it next week14:56
mlavalleI'll try to find out what's the situation with networking-odl14:56
mlavalledoes that sound sensible?14:56
slaweq+114:57
amotoki+1. it would be nice if we can cover vmware-nsx as well.14:57
yamamoto+114:57
yamamotoalthough i'm not sure i have time to look at midonet in a week.14:58
mlavalleamotoki: yes, I'll ask boden for help with that14:58
*** markvoelker has quit IRC14:58
mlavalleok guys, have a great weekend14:59
mlavallethanks for attending14:59
mlavalle#endmeeting14:59
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/"14:59
openstackMeeting ended Fri Jun 21 14:59:22 2019 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)14:59
openstackMinutes:        http://eavesdrop.openstack.org/meetings/neutron_drivers/2019/neutron_drivers.2019-06-21-14.00.html14:59
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/neutron_drivers/2019/neutron_drivers.2019-06-21-14.00.txt14:59
openstackLog:            http://eavesdrop.openstack.org/meetings/neutron_drivers/2019/neutron_drivers.2019-06-21-14.00.log.html14:59
amotokithanks all14:59
slaweqthanks o/14:59
yamamotogood night15:00
*** efried is now known as efried_pto15:06
*** bobh has joined #openstack-meeting15:13
*** davidsha has quit IRC15:17
*** mlavalle has left #openstack-meeting15:19
*** Lucas_Gray has quit IRC15:21
*** hemna has joined #openstack-meeting15:22
*** cmurphy is now known as cmorpheus15:28
*** ttsiouts has quit IRC15:43
*** ttsiouts has joined #openstack-meeting15:43
*** bobh has quit IRC15:46
*** gyee has joined #openstack-meeting15:46
*** tssurya has quit IRC15:46
*** ttsiouts has quit IRC15:48
*** yamamoto has quit IRC15:48
*** yamamoto has joined #openstack-meeting15:49
*** clarkb has quit IRC15:53
*** yamamoto has quit IRC15:54
*** markvoelker has joined #openstack-meeting15:55
*** jamesmcarthur has joined #openstack-meeting15:56
*** markvoelker has quit IRC15:59
*** clarkb has joined #openstack-meeting16:05
*** panda is now known as panda-pto16:08
*** priteau has quit IRC16:17
*** mattw4 has joined #openstack-meeting16:21
*** mattw4 has quit IRC16:27
*** mattw4 has joined #openstack-meeting16:28
*** _alastor_ has quit IRC16:32
*** jamesmcarthur has quit IRC16:44
*** markvoelker has joined #openstack-meeting16:56
*** markvoelker has quit IRC17:01
*** diablo_rojo has joined #openstack-meeting17:04
*** ralonsoh has quit IRC17:04
*** jamesmcarthur has joined #openstack-meeting17:07
*** lbragstad has quit IRC17:09
*** raildo has quit IRC17:09
*** whoami-rajat has joined #openstack-meeting17:09
*** _alastor_ has joined #openstack-meeting17:14
*** yamahata has quit IRC17:15
*** iyamahat has quit IRC17:15
*** raildo has joined #openstack-meeting17:16
*** _alastor_ has quit IRC17:21
*** jamesmcarthur has quit IRC17:23
*** igordc has joined #openstack-meeting17:25
*** iyamahat has joined #openstack-meeting17:28
*** iyamahat_ has joined #openstack-meeting17:32
*** iyamahat has quit IRC17:35
*** ociuhandu has quit IRC17:38
*** yamahata has joined #openstack-meeting17:47
*** tesseract has quit IRC17:50
*** markvoelker has joined #openstack-meeting17:56
*** eharney has quit IRC18:01
*** markvoelker has quit IRC18:01
*** _alastor_ has joined #openstack-meeting18:01
*** _alastor_ has quit IRC18:37
*** eharney has joined #openstack-meeting18:40
*** markvoelker has joined #openstack-meeting18:57
*** psachin has quit IRC18:59
*** whoami-rajat has quit IRC19:19
*** lbragstad has joined #openstack-meeting19:23
*** markvoelker has quit IRC19:26
*** EvilienM is now known as EmilienM19:39
*** yamamoto has joined #openstack-meeting19:49
*** yamamoto has quit IRC19:53
*** ayoung has quit IRC19:55
*** ayoung has joined #openstack-meeting20:04
*** ayoung has quit IRC20:16
*** e0ne has quit IRC20:17
*** markvoelker has joined #openstack-meeting20:23
*** rfolco has quit IRC20:25
*** markvoelker has quit IRC20:28
*** ayoung has joined #openstack-meeting20:28
*** woojay has joined #openstack-meeting20:46
*** pcaruana has quit IRC21:16
*** lbragstad has quit IRC21:20
*** markvoelker has joined #openstack-meeting21:24
*** iyamahat__ has joined #openstack-meeting21:26
*** iyamahat_ has quit IRC21:29
*** markvoelker has quit IRC21:29
*** iyamahat_ has joined #openstack-meeting21:44
*** persia_ is now known as persia21:45
*** iyamahat__ has quit IRC21:47
*** slaweq has quit IRC21:55
*** raildo has quit IRC21:56
*** carloss has quit IRC22:01
*** slaweq has joined #openstack-meeting22:16
*** slaweq has quit IRC22:24
*** markvoelker has joined #openstack-meeting22:25
*** markvoelker has quit IRC22:30
*** brinzhang has joined #openstack-meeting22:35
*** gyee has quit IRC22:40
*** igordc has quit IRC23:02
*** rajinir has quit IRC23:09
*** slaweq has joined #openstack-meeting23:12
*** slaweq has quit IRC23:25
*** markvoelker has joined #openstack-meeting23:26
*** markvoelker has quit IRC23:30
*** woojay has quit IRC23:48
*** jamesmcarthur has joined #openstack-meeting23:59
« Thursday, 2019-06-20 Index Saturday, 2019-06-22 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!