*** ministry is now known as __ministry | 07:18 | |
opendevreview | Slawek Kaplonski proposed openstack/neutron master: WIP [S-RBAC] Switch to new policies by default https://review.opendev.org/c/openstack/neutron/+/879827 | 08:12 |
opendevreview | Slawek Kaplonski proposed openstack/neutron-tempest-plugin master: [S-RBAC] Switch to new policies by default https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/879828 | 08:15 |
sahid | o/ quick question, should we keep bug that as indicated as NEW 6 years old? | 09:27 |
sahid | bugs that are | 09:27 |
*** elodilles is now known as elodilles_pto | 10:11 | |
opendevreview | Slawek Kaplonski proposed openstack/neutron master: WIP [S-RBAC] Switch to new policies by default https://review.opendev.org/c/openstack/neutron/+/879827 | 11:25 |
opendevreview | Slawek Kaplonski proposed openstack/neutron master: [S-RBAC] Allow network owners to get ports from that network https://review.opendev.org/c/openstack/neutron/+/879891 | 11:25 |
opendevreview | Slawek Kaplonski proposed openstack/neutron master: WIP [S-RBAC] Switch to new policies by default https://review.opendev.org/c/openstack/neutron/+/879827 | 11:32 |
haleyb | sahid: it just means no one has triaged it, otherwise it should be Confirmed. But we've been closing things that old if we don't think they'll ever be fixed | 12:44 |
sahid | haleyb: ack thank you, I may start to clean some of those very old reports, i will take care to be sure that they will ever be fixed before doing it | 13:00 |
sahid | thanks a lot for your back | 13:00 |
opendevreview | Brian Haley proposed openstack/neutron master: DNM: Test neutron gate failure https://review.opendev.org/c/openstack/neutron/+/879894 | 13:00 |
haleyb | sahid: yes, it was mentioned at the vPTG, we closed about 400 last cycle in various states, so we should continue. if need be they can re-open with more data | 13:02 |
sahid | haleyb: ack i may have missed some details during vPTG :-) | 13:05 |
haleyb | sahid: yeah, we might have just talked about it during the good/bad discussion. actually if you look at the previous meeting notes, there is a good query for this, https://etherpad.opendev.org/p/neutron-antelope-ptg L127 | 13:08 |
haleyb | that's what I've been using, then filter by priority perhaps? it's a start | 13:08 |
sahid | oh yes interesting query I was using one to see old bugs that are new and still undecided without the priority criteria | 13:19 |
dvo-plv | #startmeeting neutron_drivers | 14:03 |
opendevmeet | Meeting started Fri Apr 7 14:03:56 2023 UTC and is due to finish in 60 minutes. The chair is dvo-plv. Information about MeetBot at http://wiki.debian.org/MeetBot. | 14:03 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 14:03 |
opendevmeet | The meeting name has been set to 'neutron_drivers' | 14:03 |
haleyb | meeting was cancelled, odd | 14:04 |
haleyb | dvo-plv: ? | 14:05 |
haleyb | #endmeeting | 14:05 |
dvo-plv | Hello, haleyb | 14:06 |
dvo-plv | will there be a driver meeting ? | 14:06 |
haleyb | dvo-plv: no, it was canceled, and only the chair should start meetings | 14:06 |
haleyb | please type #endmeeting or it will be stuck open | 14:07 |
dvo-plv | I see, sorry, I thought that it required to be joined | 14:07 |
dvo-plv | #endmeeting | 14:07 |
opendevmeet | Meeting ended Fri Apr 7 14:07:31 2023 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 14:07 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/neutron_drivers/2023/neutron_drivers.2023-04-07-14.03.html | 14:07 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/neutron_drivers/2023/neutron_drivers.2023-04-07-14.03.txt | 14:07 |
opendevmeet | Log: https://meetings.opendev.org/meetings/neutron_drivers/2023/neutron_drivers.2023-04-07-14.03.log.html | 14:07 |
haleyb | no, meetings are in this channel, so if you're here don't need to join | 14:07 |
haleyb | it is a holiday for most today | 14:08 |
dvo-plv | I see, I was guided by this schedule https://meetings.opendev.org/#Neutron_drivers_Meeting | 14:08 |
dvo-plv | Thank you, sorry for troubling | 14:09 |
haleyb | dvo-plv: the agenda is sent to openstack-discuss mail list usually the day before by the ptl, who chairs the meeting | 14:10 |
mlavalle2 | dvo-plv: the drivers meeting takes place normally in this channel at this time and day. Today is an exception, because it is a holiday in a lot of countries, so we wouldn't reach quorum today | 14:25 |
mlavalle2 | dvo-plv: drivers meetings require a minimum quorum to make decisions | 14:26 |
dvo-plv | okay, thank you, sorry for mess | 14:28 |
mlavalle2 | dvo-plv: I think you are here because of https://bugs.launchpad.net/neutron/+bug/2013540. It will be discussed next week | 14:28 |
dvo-plv | yes, exactly | 14:28 |
mlavalle2 | dvo-plv: last week during the session with you in the PTG, we didn't realize that today was a holiday in most countries. so, it is a mess of our creation because we inadvertently misled you :-) | 14:30 |
opendevreview | Slawek Kaplonski proposed openstack/neutron master: WIP [S-RBAC] Switch to new policies by default https://review.opendev.org/c/openstack/neutron/+/879827 | 15:10 |
opendevreview | Brian Haley proposed openstack/neutron master: Fix NoSuchOptError error in Ipam unit tests https://review.opendev.org/c/openstack/neutron/+/879908 | 18:16 |
ihrachys | haleyb the reason why ovn allows RA/NA traffic for stateful SGs is because it skips ACLs for the protocols: https://github.com/ovn-org/ovn/blob/c85835fc84befb700f3f224e9153160b4ff613fc/northd/northd.c#L6480-L6486 | 20:56 |
ihrachys | but... only if LS "has_stateful" ACLs... | 20:56 |
ihrachys | which also makes for weird behavior when - in neutron - we combine ports with stateless and stateful SGs... when only stateless SG ports are present in a network, they can't receive RA/NA... but once I create a VM attached to stateful SG in the same network, suddenly the stateless ports can also receive RA/NAs. | 20:57 |
haleyb | ihrachys: interesting. so it did that to not do conntrack on them? and that's an interesting side-effect ^^ | 21:01 |
ihrachys | yeah. default behavior in ovn is allow not drop, so it's to skip ct only; they assume no functional difference either way (because it will be allowed anyway)... except that we drop all | 21:02 |
haleyb | hopefully it didn't make your work that much harder | 21:03 |
ihrachys | I'm still thinking what to do with this knowledge | 21:03 |
ihrachys | I also wonder if this behavior described above - where a random port created in a network affects other ports from other SG - should be explored further as a violation of security guarantees / isolation | 21:04 |
haleyb | sounds like a bug at first thought | 21:06 |
ihrachys | if it only affects RA/NA etc. it can be considered part of the bug I care about (the protocols not enabled by default). just thinking if these are all the protocols that get affected by the "has_stateful" magic, or there's something else lurking. | 21:08 |
ihrachys | I wouldn't want some other protocols enabled in the same manner | 21:08 |
opendevreview | Brian Haley proposed openstack/neutron master: OVN: Always try and create a metadata port on subnets https://review.opendev.org/c/openstack/neutron/+/879913 | 21:15 |
ihrachys | haleyb I'm thinking that maybe this skip-ct block for the protocols should be moved from under the has_stateful if-clause in OVN. the block does two things 1) skip-ct for the protocols and 2) skips all ACLs for the protocols. Yes, (1) indeed makes sense only when stateful ACLs are present; but (2) doesn't seem to have a relation to statefulness. If OVN skips ACLs for them for stateful, it should | 21:16 |
ihrachys | do it for stateless too. Now, maybe (2) is a side-effect / was never intended. Gotta talk to OVN folks to understand what their intent was. | 21:16 |
haleyb | ack. i watch the ovn ML too will keep an eye out | 21:18 |