Friday, 2016-06-03

openstackgerritAaron Rosen proposed openstack/networking-ovn: refactor sg/sgr event handing and add code coverage
openstackgerritAaron Rosen proposed openstack/networking-ovn: ignore.. testing patch below with ml2
openstackgerritAaron Rosen proposed openstack/networking-ovn: refactor sg/sgr event handing and add test coverage
openstackgerritAaron Rosen proposed openstack/networking-ovn: ignore.. testing patch below with ml2
-openstackstatus- NOTICE: CI is experiencing issues with test logs, all jobs are currently UNSTABLE as a result. No need to recheck until this is fixed! Thanks for your patience.09:37
-openstackstatus- NOTICE: CI is experiencing issues with test logs, all jobs are currently UNSTABLE as a result. No need to recheck until this is fixed! Thanks for your patience.10:09
*** ChanServ changes topic to "CI is experiencing issues with test logs, all jobs are currently UNSTABLE as a result. No need to recheck until this is fixed! Thanks for your patience."10:09
-openstackstatus- NOTICE: CI is experiencing issues with test logs, all jobs are currently UNSTABLE as a result. No need to recheck until this is fixed! Thanks for your patience.11:42
openstackgerritRichard Theis proposed openstack/networking-ovn: Convert core plugin to ML2 mechanism driver
*** yamamoto has joined #openstack-neutron-ovn13:17
openstackgerritNa Zhu proposed openstack/networking-ovn: Sync static routes
russellbrtheis: sounds like CI is unstable at the moment, so recheck may not work13:48
russellbopenstackstatus set our topic :)13:48
rtheisrussellb: thanks, I missed that but should have guessed when I saw unstable in jenkins failure13:49
russellball good, just letting you know it's not your fault :)13:50
russellbor an ovn bug afaik13:50
russellbhopefully resolved soon, would be cool if we can merge that!13:50
rtheisyes, I hope so too13:50
russellbthanks again for the heroic effort the last weeks13:51
*** ChanServ changes topic to " -=- OVN meeting Thursdays 10:15am Pacific / 1:15pm Eastern #openvswitch -=- Tempest health:"14:00
-openstackstatus- NOTICE: Cleanup from earlier block storage disruption on has been repaired, and any jobs which reported an "UNSTABLE" result or linked to missing logs between 08:00-14:00 UTC can be retriggered by leaving a "recheck" comment.14:00
openstackgerritMerged openstack/networking-ovn: refactor sg/sgr event handing and add test coverage
russellbrtheis: really minor comments on the big ML2 patch, if you file a bug for some followup, i'm happy to merge14:30
rtheisthanks russellb: I'll take a look and see what's going on14:30
*** ssalagame has quit IRC14:34
rtheisrussellb: It appears that any exceptions taken by mechanism driver will result in MechanismDriverError exception being raised.  We are indeed taking exceptions while validating the ports in these tests.  So I suspect 500 is the result of this.  Now need to determine why core plugin gets 40014:36
russellbah, so it's a more general ML2-ism14:36
russellbi still think we should have a bug on it, but maybe it's not urgent14:36
russellbwe should be able to report a proper failure for invalid input14:37
russellbbut this is also binding:profile custom OVN-only stuff14:37
russellbin a perfect world, all API validation could be done at higher layers14:37
russellbthis is sort of a hack14:37
russellbmaybe it's not worth worrying about?14:37
russellbin random other news, ben acked guru's L3 gateway patches!14:37
rtheisrussellb: I'll see if there's a better way to report this invalid input14:38
russellbok, like i said, don't need to block on it14:38
russellbi just don't want to forget to look closer at it14:38
rtheisI'll open a bug to track it14:39
openstackgerritNa Zhu proposed openstack/networking-ovn: Sync static routes
russellbsounds good14:39
rtheisrussellb: opened
openstackLaunchpad bug 1588848 in networking-ovn "ML2 driver now returns 500 for invalid port bindings" [Undecided,Confirmed] - Assigned to Richard Theis (rtheis)14:44
russellbi think it's pretty amazing that this will be in newton-1!14:47
russellbsounds like newton-1 deadline was actually yesterday, oops14:51
russellbwe'll still do it, not sure what the "late" impact is14:52
russellbsorry everyone ....14:54
russellbi checked with the release team, we won't be doing a newton-1 since we missed the window.  we just need to be sure to get newton-2 before the deadline.  i apologize for the mistake.15:08
russellbmestery: fyi ^15:08
openstackgerritMerged openstack/networking-ovn: Convert core plugin to ML2 mechanism driver
Sam-I-Amquestion is, did these patches include docs with the config changes :)17:07
rtheisSam-I-Am: the final patch did include doc updates with the config changes.  If I missed anything, let me know17:09
Sam-I-Amrtheis: which # is the final patch?17:10
*** salv-orlando has joined #openstack-neutron-ovn17:12
Sam-I-Amrtheis: is the old method still available?17:14
rtheisSam-I-Am: core plugin is gone17:16
Sam-I-Amhmm, which means downstream things ought to break something fierce soon17:17
Sam-I-Amguess there was no way for a transitional period?17:17
Sam-I-Amrtheis: i'm a bit confused by the contents of ml2_conf.ini, re tenant_network_types, firewall_driver, etc.17:18
Sam-I-Amlooking at the gate job17:19
rtheisSam-I-Am: what is your concern?17:21
Sam-I-Amovn uses geneve for tenant networks. is that option just ignored?17:21
rtheisSam-I-Am: I'll check17:22
Sam-I-Amand the firewall_driver references something bogus17:22
rtheisSam-I-Am: tenant_network_types is used as part of the network segment allocation17:25
Sam-I-Amyeah, in the reference arch17:28
Sam-I-Amovn supports geneve and technically stt17:28
Sam-I-Amso how is this working with vxlan?17:28
mesteryIt shouldn't work with VXLAN, it should be using geneve17:30
Sam-I-Amthats why the config file is confusing me17:31
rtheisSam-I-Am: good question, it does work but I think that is because the segment network type isn't used by the driver17:32
Sam-I-Ampretty sure ovn's tunnel type is configured in ovs17:32
Sam-I-Amsame thing with the firewall driver?17:33
rtheisI think so but haven't checked that one yet17:35
mesteryrtheis: ++ I agree with that17:35
Sam-I-Amquestion is can we leave out these bogus options that do not apply17:35
Sam-I-Amthey will create confusion17:35
rtheisrather the segment17:37
Sam-I-Amright now we do this17:38
Sam-I-Amovs-vsctl --no-wait set open_vswitch . external-ids:ovn-encap-type="geneve"17:38
Sam-I-Amthere's not a lot of config-file-able things in ovn, they're mostly ovs commands17:38
Sam-I-Amit would be nice to wrap those ovs commands in config file things17:38
Sam-I-Amtheoretically vxlan is supported for vteps, but that wouldnt be a tenant network17:40
Sam-I-Amits sort of an odd case because i dont think neutron itself supports vxlan provider nets17:41
openstackgerritOpenStack Proposal Bot proposed openstack/networking-ovn: Updated from global requirements
rtheisSam-I-Am: I've opened related to the firewall/security issue that you pointed out18:33
openstackLaunchpad bug 1588935 in networking-ovn "ML2 driver does not support enable_security_group configuration" [Undecided,New] - Assigned to Richard Theis (rtheis)18:33
rtheisSam-I-Am: looks easy enough to fix tenant_network_types so it is set to geneve, but wondering if we can/should use the segmentation ID when creating the resulting ports19:04
* russellb catching up on backlog19:05
russellbthe choice of geneve vs something else is opaque to neutron with OVN19:05
russellbneutron has no input19:05
russellbin terms of Neutron, ideally it's either unspecified and we get to do what we want, or if it *is* explicitly specfied, i suppose the best thing is to only accept Geneve and reject anything else19:06
rtheisrussellb: so the ovn ml2 driver is safe to ignore what neutron generates for segments19:06
russellbsegmentation ID?19:06
russellbif neutron generates something, yes, we should ignore it, at least for now19:06
russellbthere's nowhere to put it, OVN decides that on its own19:06
russellbwe could add the ability to specify it, but that's a little awkward19:07
russellbwe need to support reading the segmentation_id for a vlan provider network19:07
russellbi assume that is still there?19:07
rtheisrussellb: that is19:07
Sam-I-Amrussellb: with the conventional ovs agent, tenant network type is somehow passed to ovs19:07
Sam-I-Amrussellb: i dont see why ovn is any different19:08
russellbSam-I-Am: because ovn is different?19:08
Sam-I-Amwell, it is, but isn't it just ovs underneath the covers when it comes to tunnels?19:08
russellbneutron is directly configuring ovs in that case19:08
russellbOVN is hiding a lot of that19:08
Sam-I-Amright now we hand-run an ovs-vsctl command on every ovn controller node to set the tunnel type and endpoint ip19:08
russellbwho is we19:09
russellbOVN doesn't run ovs-vsctl19:10
Sam-I-Amwe = deployment tools19:10
Sam-I-Am        ovs-vsctl --no-wait set open_vswitch . external-ids:ovn-encap-type="geneve"19:10
Sam-I-Amthat thing19:10
Sam-I-Amand also the ovn-encap-ip19:10
russellbi think it's safe to assume that's always just geneve though19:10
russellbstt is technically in the code, but i don't know if anyone has ever even tried it19:10
russellband it doesn't really have a future since it's not in the upstream kernel19:11
Sam-I-Ampeople coming from ML2 are going to expect tenant_network_types to do something19:11
Sam-I-Amwell, ml2 + conventional agents19:11
rtheisWe can enforce geneve is set19:11
russellbgeneve should be fine19:11
russellbi guess vlan should work too19:11
russellbthat's just the same thing as vlan provider networks, except letting neutron dynamically pick VLAN IDs19:11
Sam-I-Amvlan shouldnt work...19:11
russellbwhy not19:11
Sam-I-Amtheres no vlan tenant networks in ovn19:12
russellbvlan tenant network and a vlan provider network are the same thing19:12
russellbfrom ovn's perspective19:12
russellband in neutron, in practice it's really a matter of how it gets created19:12
russellbbut they are mostly the same internally...19:12
Sam-I-Amthe difference is who creates it19:13
* russellb nods19:13
Sam-I-Amand things like router:external19:13
Sam-I-Amcurrently, if a tenant creates a network and vlan type is default, it picks a vlan range out of the ml2 config19:13
Sam-I-Amand there's some sort of mapping to a bridge19:13
russellbi think that should work, and if it doesn't, it shouldn't be much work to make it work19:13
russellbsince it's all the same infrastructure in ovn required to vlan provider nets19:14
Sam-I-Ambridge mappings move from the l2 agent config to ovs-vsctl commands19:14
russellbi think the best thing to do re: conversion period was rip the bandaid off and clean up any fallout as quick as we can19:14
russellbhaving both would be really painful19:14
* russellb nods19:15
russellbovn has the same style bridge mappings19:15
russellbnetwork name <--> ovs bridge19:15
Sam-I-Ami guess what i'm wondering is do we need some sort of ovn-controller (agent) config file that contains stuff like local_ip, bridge mappings, etc.19:15
russellbSam-I-Am: bridge mappings exist, as an external_id right now19:16
Sam-I-Amright now its like yeahhhh its ml2, but most of the config is done by ovs-vsctl19:16
Sam-I-Ambut with the ovs agent, they're in openvswitch_agent.ini19:16
russellbi see the ovs-vsctl config and the config file as funcionalliy equivalent19:16
russellbthey are both host-local configuration19:16
Sam-I-Amto me its easier to do config file management than command line management19:16
Sam-I-Ami'm thinking about this from the perspective of migrating ovs agent users to ovn19:17
Sam-I-Amcan we make this look like a more typical neutron config19:17
Sam-I-Amnow that we're under ml219:17
russellbbtw, Babu on my team has been working on a grenade job that tests the migration19:17
russellbthat we'll be able to iterate on19:17
russellbwe could add config file support to ovn-controller, sure19:17
russellbwe talked about it at one point19:18
russellbfor the reason you suggest, being a bit easier to deal with19:18
*** salv-orlando has quit IRC19:18
russellbbut nobody took it on19:18
russellbi'm supportive of that though if someone wanted to work on it19:18
Sam-I-Ami think its important for getting people on board, documentation, and migrations19:19
*** ssalagame has joined #openstack-neutron-ovn19:19
rtheisI can open a bug to track this config file work if you'd like19:20
Sam-I-Amrtheis: i dont think geneve has id ranges, or at least ones that are configurable in ovn19:20
Sam-I-Amrtheis: yes, pls do19:20
russellbcorrect, they are not configurable in OVN19:20
rtheisSam-I-Am: will do19:20
russellband i'm not particularly interested in letting neutron specify them19:21
russellbi don't see the value19:21
rtheisso we basically ignore what neutron specifies19:21
Sam-I-Amso we probably wouldnt need anything in a [ml2_type_geneve] that i can think of19:21
Sam-I-Amand thats fine19:21
russellbi think arosen had a geneve type driver at one point19:21
Sam-I-Amwe solve that issue with docs "you dont need these"19:21
russellbnot sure if that merged19:21
Sam-I-Amyeah, its around19:21
Sam-I-Ambut in the case of ovn, we'd just doc it as "not configurable for reason X"19:22
Sam-I-Ampeople will be curious about securitygroup (which rtheis already posted a bug for), ml2_type_vlan, ml2_type_flat, and tenant_network_types19:23
russellbwhat's the sec group issue?19:23
openstackLaunchpad bug 1588935 in networking-ovn "ML2 driver does not support enable_security_group configuration" [Undecided,New] - Assigned to Richard Theis (rtheis)19:23
Sam-I-Amand from the agent perspective, bridge_mappings and local_ip19:23
rtheislooks like we don't honor security groups being disabled19:23
russellbSam-I-Am: we have those, it's just ovsdb and not config file, right?19:23
russellbrtheis: just being able to disable them?19:24
russellbok, seems easy enough19:24
russellbi think we have some code for seeing if port security is disabled?19:24
rtheisI think so, and cleaning up the devstack deployment19:24
russellbso the check would be similar ...19:24
Sam-I-Amrussellb: some of them. i'm not aware of tenant network vlan ranges anywhere in ovn.19:24
russellbSam-I-Am: OVN lets you specify a VLAN ID for a VLAN network19:24
russellbwhich is all we need from OVN to do it19:24
Sam-I-Amtenants cant specify vlan ids19:25
Sam-I-Amonly admins can19:25
russellbfrom our driver perspective, a vlan ID is given, maybe an admin set it, maybe neutron made it up, right?19:25
russellbhowever a VLAN ID is decided upon19:25
russellbwe have a way to tell OVN what it is19:25
russellband all is happy19:25
rtheisso we only do that when we have PHYSICAL_NETWORK ... should we do the same for vlan tenant networks?19:26
Sam-I-Amso if we support network_vlan_ranges, ml2 and ovn Just Work ?19:27
russellbconceptually anyway :) ... rtheis, yes, that's the idea19:27
russellbSam-I-Am: conceptually we should be able to, sounds like we have a fix to make based on rtheis' comment19:27
Sam-I-Ami was sort of under the impression that all non-provider nets use geneve19:27
russellbbut it shouldn't be a ton of work19:27
rtheisI'll open another bug for that19:27
Sam-I-Ambut theres an audience that would probably make use of vlan tenant nets19:27
russellbrtheis: thanks19:27
russellbfrom ovn perspective, there's really no such thing as tenant network vs provider network19:28
russellbthere's logical network, allowing OVN to implement it how it wants (typically geneve)19:28
Sam-I-Amrtheis russellb sorry i didnt think of these things earlier, but time... and i think doing the init conversion as quickly as possible was important19:28
russellband then specifying that it's a flat network, or a vlan network19:28
russellbSam-I-Am: no worries, these are just new things we need to work through in ML2 land19:28
russellbnot regressions19:28
Sam-I-Ami have an interesting perspective on things19:30
Sam-I-Amsometimes good, sometimes bad.19:30
Sam-I-Amas for the secgroup thing, noop should do what people expect it to do... disable secgroups. otherwise a dummy setting just lets ovn enable its secgroup model19:31
Sam-I-Amwhat i want to avoid is confusion between the native ovs secgroup driver and the ovn secgroup implementation19:31
Sam-I-Amthats where i fear we'll see confusion19:32
russellbthis is a neutron-server side config item?19:32
Sam-I-Amgood question :)19:33
Sam-I-Amit has gone through some changes recently19:33
russellbso 2 options ... enable_security_group and firewall_driver19:34
rtheisenable_security_group option under [securitygroup] in ml2_conf.ini.19:34
russellbleaving them to defaults should do what we normally expect19:34
russellbenable_security_group=False should make us disable security groups / not configure ACLs19:35
rtheissounds good19:35
russellband really, we should just ignore firewall_driver19:35
russellbit's not relevant at all19:35
Sam-I-Ami think its just enable_security_groups19:36
Sam-I-Ami think firewall_driver defaults to noop, which may be confusing to people19:36
russellbit defaults to empty / not set19:36
russellbnoop means something a little different19:36
russellbit's weird19:36
rtheislooks like firewall_driver default is None19:36
rtheiswe don't have a driver so that seems appropriate19:37
russellbwe should just totally ignore that config item19:37
Sam-I-Amok, thats good19:37
Sam-I-Amwe can doc that one out19:38
russellbthere's a *lot* of very mixed stuff in neutron between general abstraction and stuff very specific to the ref impl / neutron agents19:38
russellbthis is an example of that19:39
russellbenable_security_group == a very generally useful config item, next to firewall_driver == a very ref impl specific thing19:39
rtheisyeah, definitely19:39
Sam-I-Amok, i think we're on similar pages now19:40
Sam-I-Amif we put things into config files, converting from ovs agent to ovn should be a lot easier from a config management pov19:41
Sam-I-Amthe underlying rebuilding of network bits... glhf :)19:41
Sam-I-Ambut at least i can make the docs pretty19:41
*** ssalagame has quit IRC19:41
russellba lot easier from a technical perspective?  or just "less different", so less scary to people19:42
russellbwe're only talking about 3 or 4 config items19:42
*** ssalagame has joined #openstack-neutron-ovn19:43
Sam-I-Amwell, more in line with the expections of configuration with ml219:43
Sam-I-Amrather than scary, somewhat obscure ovs-vsctl commands19:43
russellbthis is the compute host / agent side19:44
russellbunrelated to ML219:44
russellbbut i understand the scariness angle19:44
russellbbut i also wonder if most people using ovs today are familiar with ovs-vsctl?19:45
russellbis it that scary?19:45
russellbprobably to most folks that want to mess with it as litle as possible and just want it to work19:45
russellband if they ever have to run ovs-vsctl, they're pissed off19:45
russellbbecause that means something wasn't working and they're debugging19:45
Sam-I-Amyeah, this is the equiv of some of the items in the openvswitch_agent.ini file19:47
Sam-I-Amthey edit file, run agent... done.19:47
Sam-I-Amthe only ovs-vsctl command people expect to run is plugging a host interface into a provider bridge19:47
Sam-I-Ambridge mappings and local tunnel endpoint are in a config file19:48
Sam-I-Ampeople do fear ovs, so the more we can do to make it look more polished will help adoption19:54
Sam-I-Ama lot of this is from experience in #openstack, docs bugs, etc.19:55
-openstackstatus- NOTICE: The infrastructure team is taking Gerrit offline for maintenance this afternoon, beginning shortly after 20:00 UTC. We aim to have it back online around 00:00 UTC.19:59
russellbi'm good with config file support20:00
russellbSam-I-Am: funny story, i apparently said almost a year ago that i might work on it20:03
russellbi clearly forgot20:03
Sam-I-Amrussellb: lol20:03
Sam-I-Amguess you just signed up20:04
*** banix has quit IRC20:04
Sam-I-Amre-signed up :)20:04
russellbheh, maybe ....20:04
russellbi need to finish what i've started first20:04
russellband then maybe!20:04
russellbi'm happy for someone else to ...20:04
-openstackstatus- NOTICE: Gerrit is offline for maintenance until 00:00 UTC20:10
*** ChanServ changes topic to "Gerrit is offline for maintenance until 00:00 UTC"20:10
*** ssalagame has joined #openstack-neutron-ovn20:12
rtheisrussellb, Sam-I-Am: and, I attempted to capture our discussion in these 2 bugs.  Feel free to update as needed.20:48
openstackLaunchpad bug 1588966 in networking-ovn "ML2 driver should only support geneve and vlan tenant network types" [Undecided,New] - Assigned to Richard Theis (rtheis)20:48
openstackLaunchpad bug 1588969 in networking-ovn "Support ovn-controller configuration file" [Undecided,New]20:48
*** azbiswas has quit IRC20:48
