Friday, 2022-07-08

« Thursday, 2022-07-07 Index Saturday, 2022-07-09 »
opendevreviewErik Olof Gunnar Andersson proposed openstack/neutron master: Add initial tests for the Designate DNS backend  https://review.opendev.org/c/openstack/neutron/+/84842400:48
opendevreviewErik Olof Gunnar Andersson proposed openstack/neutron master: Add initial tests for the Designate DNS backend  https://review.opendev.org/c/openstack/neutron/+/84842400:50
opendevreviewMerged openstack/neutron master: Fix remaining typos in comments and tests  https://review.opendev.org/c/openstack/neutron/+/84883903:50
opendevreviewKarthik S proposed openstack/neutron master: WIP: Add min bandwidth support to ml2-ovn  https://review.opendev.org/c/openstack/neutron/+/84229205:46
opendevreviewKarthik S proposed openstack/neutron master: WIP: Add min bandwidth support to ml2-ovn  https://review.opendev.org/c/openstack/neutron/+/84229205:50
sahidmorning all07:30
sahidI'm trying to execute dsvm-fullstack using this command `PBR_VERSION=1.2.3  tox -e dsvm-fullstack test_l3_agent`07:31
sahidThe tests are executed but I have this assertion:  AssertionError: backend 'mysql' unavailable07:31
sahidI have mysql install and its client, It's a VM running devstack actually, so I'm wondering to know if someone as already seen this error?07:33
ralonsohbecause you need to install first the DB backends07:35
ralonsohsahid, execute ./neutron/tools/configure_for_func_testing.sh <devstack_patch>07:39
ralonsohpath*07:40
sahidoh interesting, trying... :-) thank you ralonsoh 07:47
* sahid should have read TESTING.rst ...07:47
sahidI have executed the command `./tools/configure_for_func_testing.sh:main:351  echo 'Phew, we'\''re done!'                                                           `08:08
sahidPhew, we're done!  08:08
sahideven with that I still have the issue08:08
opendevreviewLajos Katona proposed openstack/neutron master: [sqlalchemy-20] Remove retry decorator from update_floatingip_status  https://review.opendev.org/c/openstack/neutron/+/84870108:21
fricklersahid: I have also given up on trying to get fullstack to run locally. If you want to investigate further what is the difference from the CI setup, you could ask to get access to a held CI node. it would be really helpful if the instructions could be updated in such a way that they work08:50
lajoskatonafrickler, sahid: I have a VM in which I run fullstack, and few weeks ago it worked, if you have any update on the test doc would be really good, as it was updated years ago I think08:56
lajoskatonasahid: I execute configure_for_func_testing with something like this: export VENV=dsvm-fullstack; export IS_GATE=False; tools/configure_for_func_testing.sh ~/devstack/ -i08:58
lajoskatonasahid: IS_GATE=False switches to install databases also (https://opendev.org/openstack/neutron/src/branch/master/tools/configure_for_func_testing.sh#L332 )08:59
lajoskatonasahid: the doc also mentiones it: https://docs.openstack.org/neutron/latest/contributor/testing/testing.html#id408:59
opendevreviewRodolfo Alonso proposed openstack/neutron master: Add release note for OVN "requested-chassis" feature  https://review.opendev.org/c/openstack/neutron/+/84908209:52
opendevreviewRodolfo Alonso proposed openstack/neutron master: Remove workaround for LP#1767422  https://review.opendev.org/c/openstack/neutron/+/84831210:07
*** sean-k-mooney1 is now known as sean-k-mooney10:10
sahidlajoskatona, frickler thanks a lot for you returns10:50
sahidfrickler: interesting point to get qccess to the CI directly thanks a lot I will keep that in mind10:51
sahidlajoskatona: Ok I'm rebuilding a new VM and will try10:51
sahidfor sure I will update the doc if I found any diff, no worries10:52
opendevreviewRodolfo Alonso proposed openstack/neutron master: Remove import of 'imp' module  https://review.opendev.org/c/openstack/neutron/+/84245011:30
opendevreviewRodolfo Alonso proposed openstack/neutron master: [WIP] Script to manually remove duplicated port bindings  https://review.opendev.org/c/openstack/neutron/+/84642211:31
lajoskatonasahid: +1, thanks, we are happy for any feedback :-)11:39
sahidlajoskatona, frickler Ok I was able to make it working without too much pain using a french VM and devstack. The only thing that failed was that the process was looking for something in /requierements but the repository was not yet cloned. I had to clone it under /opt/stack and re-execute the command13:07
sahidI will try to investigate that later to double check if there is really a need and try to fix that if possible13:07
sahids/french/fresh :-)13:08
lajoskatonasahid: cool13:26
lajoskatonamnaser: Hi, we have a vpnaas related RFE for today's drivers meeting: https://bugs.launchpad.net/neutron/+bug/1979044 ([RFE] Adding the "rekey" parameter to the api for strongswan like "dpd_action" )13:26
lajoskatonamnaser: would be nice if you could join us, perhaps you have some opinion on it, or have some thoughts for the feature13:27
mnaserlajoskatona: ah cool just ping me when that discussion comes up and I’ll gather context now :)13:28
lajoskatonamnaser: thanks, 1400 UTC when we start, 9 minutes from now13:51
lajoskatonamnaser: and that is the first topic for today, so we won't waste your time :-)13:54
*** dasm|off is now known as dasm13:56
lajoskatona#startmeeting neutron_drivers14:00
opendevmeetMeeting started Fri Jul  8 14:00:09 2022 UTC and is due to finish in 60 minutes.  The chair is lajoskatona. Information about MeetBot at http://wiki.debian.org/MeetBot.14:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:00
opendevmeetThe meeting name has been set to 'neutron_drivers'14:00
lajoskatonao/14:00
mlavalleo/14:00
slaweqo/14:00
njohnstono/14:00
ralonsohhi14:00
obondarevhi. Just realised I missed PTL meeting, sorry14:01
haleybhi14:01
amotokihi14:01
lajoskatonaOk, I think we can start14:03
lajoskatonaThe first RFE for today:14:03
lajoskatona[RFE] Adding the "rekey" parameter to the api for strongswan like "dpd_action" (#link https://bugs.launchpad.net/neutron/+bug/1979044)14:03
lajoskatonait is for VPNasS, so I asked mnaser to come and tell his opinion if he as some time14:04
mlavalleyeah, mnaser's is a very relevant opinion. amotoki's is too14:05
mnaserI looked at it and I think it’s actually a pretty good idea however I’m not sure if I have Amelia time to be able to look into implementing this but I’d be happy to review somebody makes a chance address14:05
lajoskatonamnaser: thanks14:05
obondarevfirst dumb question that I have is: if it's device specific, can't device driver take care of setting needed 'rekey' value14:06
amotokiwhat I am not sure is 'rekey' proposed here should be determined by neutron API users14:06
lajoskatonaThat is my feeling also, that extending the API to have a new key: rekey is a good idea14:06
amotokior it depends on devices or vpn situations14:06
lajoskatonaobondarev, amotoki: good point14:08
obondarevfrom description it seems it depends on the device, and that strongswan is not aware of underlying device14:08
obondarev*strongswan driver14:08
obondarevand that's where a user should step in and advice the driver14:09
opendevreviewMerged openstack/neutron-dynamic-routing master: Consume BGP service plugin queue in RPC workers  https://review.opendev.org/c/openstack/neutron-dynamic-routing/+/84238314:09
obondarevso maybe the driver itself should have the ability to identify the device somehow?14:09
slaweqobondarev++14:10
lajoskatonatransparently for the enduser?14:10
amotokiAFAIK rekey itself is not specific to strongswan. other VPN products also support it.14:10
obondarevyes, not sure about the technical possibility however14:11
amotokibut I am still not sure it should be visible to VPNaaS users14:11
mnaserIm looking at https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html14:12
mlavalleahhh, looking at the alternative... always wise14:13
mnaserIt seems like they don’t provide option to disable it14:13
mnaserGCP doesn’t either14:15
mnaserSo I feel like it would be wise to ask or understand why the user wants to do this14:15
amotokiyeah, it is not a good idea to disable rekey in general14:16
mnaserI guess maybe a poor implementation on the other side…14:16
obondarev++ and if there is a possibility to identify the needed value from within the strongswan driver14:17
amotokiit looks better to ask the rfe submitter more detail on what situations requires rekey=no14:18
lajoskatonaok, so this is not something that user should set on API, but more a technical question which the driver can determine and set, am I right?14:19
amotokiI think so14:19
obondarevthat's my vision also14:19
amotokiif it depends on vpn peers, we may need to pass rekey parameter to a driverr like strongswan but perhaps we first need to clarify when such situation happens14:21
lajoskatonaok14:22
-amotoki- (my memory on vpn is not so fresh. it was from several years ago :p)14:22
lajoskatonamnaser: shall I ask you to write down to the RFE what information should be necessary as my VPN background is very weak :-(14:23
mnasersure, I can update the issue asking that14:24
lajoskatonamanser: thanks for the help14:24
lajoskatonaAnd thanks everybody for the discussion14:24
lajoskatonaIf there is no more comments for this RFE we can move on to the next one14:25
lajoskatona[RFE] Firewall Group Ordering on Port Association (#link https://bugs.launchpad.net/neutron/+bug/1979816)14:25
lajoskatonaThis one comes from a security bug, which I made public, after long discussion under it, and agreeing that we don't need to have it private:14:26
lajoskatonahttps://bugs.launchpad.net/neutron/+bug/197849714:26
lajoskatonaif I understand well the behaviur here is already documented in the original spec for FWaaS14:27
opendevreviewMerged openstack/neutron master: [sqlalchemy-20] Remove retry decorator from update_floatingip_status  https://review.opendev.org/c/openstack/neutron/+/84870114:28
opendevreviewMerged openstack/neutron master: Remove workaround for LP#1767422  https://review.opendev.org/c/openstack/neutron/+/84831214:28
lajoskatonasomewhere here: https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html#multiple-firewall-policies14:28
ralonsohthat's the point: does it depends on the order of those groups or in evaluating the security for a specific traffic (that means, evaluating all rules)?14:30
ralonsohaccording to the documentation: This spec defines that packets will be allowed if any one of the firewall groups associated with that Neutron port allows the packet. 14:30
ralonsohthat means you need to evaluate all rules (or at least find one allowing this traffic)14:31
slaweqbut it also says that in future it should be changed and ordering should be added14:32
slaweqI think that current RFE is exactly about that14:32
mlavallemeaning that future has arrived14:32
ralonsohso perfect then (just one concern: if implemented, some environments will change their current behaviour)14:33
mlavalleyeap14:33
mlavalleit should go with a release note14:34
lajoskatona+114:34
slaweqmaybe ordering could be optional14:34
slaweqif none of groups would have it, behaviour would stay as it is now14:34
slaweqwdyt?14:34
atimminsAgree on the release note, but fwiw, if an environment is working today, where ordering does not matter, then it would continue to work if ordering was added.14:35
mlavalleslaweq: +++14:35
mlavalleyeah make it optional14:35
obondarevI'm not sure that currently this behaviour is predictable, according to the rfe it's not14:35
amotokias of now, we can define the order of rules inside a firewall policy and a point is that a rule can define 'deny' action.14:35
ralonsohatimmins, you need to guarantee no rule is in conflict with othrs14:36
amotokiwhat happens if the order of groups are ambiguous14:36
amotoki?14:36
haleybisn't it inderminate today? if I have rules that both allow and deny a packet whichever is first wins14:36
obondarevhaleyb: ++14:37
ralonsohnow "allow" should prevail, according to the documentation14:37
haleybEven if I feel allow should always win14:37
atimminsThat's the current behavior. Ordering changes any time a policy is edited, and if denies are present, traffic could start to get blocked unintentionally.14:37
haleybralonsoh: and the opposite argument is that deny should prevail, else it's a vulnerability14:38
lajoskatonaby optional you mean to add an API extension with a new ordered=True/false option?14:38
obondarevto me current behaviour seems buggy, so should be fixed without any options14:39
amotokii think there are two directions: one is to improve the behavior to be more determinestic. hte ohter is to introduce ordered=True/false. what do you think?14:39
ralonsohatimmins, sorry, I'm confused now. Does it means the current behaviour changes with the order?14:39
ralonsohit shouldn't now14:39
ralonsohI have the same impression as obondarev. And agree with amotoki to make the current behaviour deterministic, before implementing anything new14:41
atimminsYes, the spec is not accurate. Changing the order of groups on a port could impact whether traffic is allowed or denied. iptables processes the rules in order.14:41
atimminsThis is why there should be an order to groups, just as there is an order to rules within a policy.14:41
haleybI wonder what OVS does? But I agree making it deterministic is first step14:42
lajoskatona+114:42
obondarevthe question I have is: should it be ordered, or just 'deny' actions should be of highest priority?14:42
obondarevthe question I have is: should it be ordered, or just 'deny' actions should be of highest priority?14:43
atimminsNo, this would limit the functionality that iptables provides natively.14:43
mlavalleno, deny should be the default. But once something is defined, it should behave the way the user defined14:43
amotokiobondarev: or another option is to make the behaviro described in the initial spec14:44
lajoskatonathat's my understanding and it should be after editing also14:44
lajoskatonaamotoki: you mean as "future" work?14:44
amotokilajoskatona: yes14:45
amotokibut we can discuss what is the right future14:45
amotokithe initial spec is just one idea on multiple fw groups14:45
obondarevso I guess we agree with the RFE/bug and need a spec, right?14:46
atimminsimo, it's far more work to have neutron consolidate/reconcile rules among multiple groups, compared to adding an ordering to the port-group associations. The former could also have unintended consequences.14:47
ralonsohno sorry, I think we need first to determine if the current behaviour is what is defined in the spec14:47
amotokilajoskatona: correction: what I mean is the paragraph "This spec defines that packets will be allowed if any one of the firewall groups associated ...." in https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html#multiple-firewall-policies14:47
amotokilajoskatona: I do not mean "In future phases, ..." paragraph in the above spec14:48
ralonsoh^^ this is the key point here that fwaas is "maybe" not honoring 14:48
amotokiralonsoh: +114:48
lajoskatonaamotoki: ok, thanks14:48
obondarevralonsoh: agree14:48
lajoskatonaok, so generally the idea is good, but before starting any work the current situation must be checked compared to the original design /spec14:50
lajoskatonaand after that we can have a spec for example where the details can be discussed to have the good direction and decisions14:51
lajoskatonaIs that correct?14:51
mlavalle+114:51
ralonsoh+114:51
atimminsI think the original bug report provides sufficient evidence that the original spec is incorrect, but totally fine if others would like to verify.14:51
amotokilajoskatona: is "the idea" the ordering of groups or does it mean to match the current implemetation with the initial spec?14:52
obondarevatimmins: you mean the spec is incorrect or the implementation?14:52
lajoskatonaatimmins:  you mean this one: https://bugs.launchpad.net/neutron/+bug/1978497 ?14:52
atimminsYes, that one14:52
atimminsThe statement in the spec is incorrect based on the behavior we see today.14:53
lajoskatonaatimmins: than the first step should be to make the implementation in sync with the spec, am I right?14:53
atimminsI find it more desirable to add ordering to the groups14:55
atimminsI'm not immediately aware of how one would make the implementation in sync with the spec, as it is contrary to how traditional ACLs work.14:56
lajoskatonawith and API extension like ordered=True?14:56
opendevreviewMiro Tomaska proposed openstack/neutron master: [WIP] Need to update unit tests once we agree on implementation! Fix eventlet bug in get_hypervisor_hostname  https://review.opendev.org/c/openstack/neutron/+/84912214:56
obondarevhonestly, I'm a bit confused there are 'deny' rules in a "deny until explicitly allowed" concept, by maybe it's just my lack of expertise in this topic14:57
* mlavalle has to leave to a doctor's appointment (routine check). On demand agenda topic can wait to Neutron's meeting on Tuesday14:57
lajoskatonamalavalle: ack, thanks for joining14:57
atimminsBy adding a "position" column to the relevant table, we can provider the ordering. Maybe if the value is Null, then the behavior stays the same? IE. order for that groups does not matter?14:58
ralonsohatimmins, please, before adding anything new to a project, let's fix what does not match with the current spec14:58
ralonsohthis is even more important if security is related14:59
lajoskatonaralonsoh: +114:59
amotokiralonsoh: +114:59
slaweq++14:59
atimminsI'm proposing the best way to fix the current spec is by implementing group ordering.15:00
lajoskatonaok, so let's write sown in the current RFE, what is that is not working in the current implementation as it is written in the spec15:00
lajoskatonaatimmins: thanks for it15:01
atimminsNo problem, thanks everyone15:01
lajoskatonaperhaps the best would be to open a spec where in review the discussion is quite easy to go in the agreed direction15:01
lajoskatonaWe reached the end of the hour, wdyt of a spec for this and countinue the discussion under it with more details what is the need compared to the original spec?15:02
ralonsohperfect15:02
amotoki+115:02
slaweq+!15:02
slaweq+115:02
obondarev+115:03
lajoskatonaok, thanks for the discussion, I will update the RFE, and let's see the spec :-)15:03
lajoskatona#endmeeting15:03
opendevmeetMeeting ended Fri Jul  8 15:03:46 2022 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:03
opendevmeetMinutes:        https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-07-08-14.00.html15:03
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-07-08-14.00.txt15:03
opendevmeetLog:            https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-07-08-14.00.log.html15:03
ralonsohhave a nice weekend15:03
lajoskatonaBye, have a nice weekend !15:03
slaweqo/15:03
amotokithanks everyone. have a nice weekend!15:04
obondarevo/15:04
amotokiobondarev: regarding on your question on 'deny' rules, 'deny' rules allows us to define firewall rules which allow all in general but deny traffic from this range. It is not easy to define such rules in security groups15:09
amotokithis is what most ACLs in network switches support.15:10
obondarevamotoki: got it, thanks!15:11
amotokiobondarev: yw15:11
*** dasm is now known as dasm|off21:36
« Thursday, 2022-07-07 Index Saturday, 2022-07-09 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!