Friday, 2023-08-25

« Thursday, 2023-08-24 Index Saturday, 2023-08-26 »
opendevreviewliuxie proposed openstack/neutron master: Prevent internal IP change for floating IP  https://review.opendev.org/c/openstack/neutron/+/88979103:16
opendevreviewliuxie proposed openstack/neutron master: Prevent internal IP change for floating IP  https://review.opendev.org/c/openstack/neutron/+/88979103:20
opendevreviewmorice proposed openstack/neutron master: [ovn] AZs distribution in L3 port scheduler  https://review.opendev.org/c/openstack/neutron/+/89260407:28
opendevreviewLajos Katona proposed openstack/neutron-dynamic-routing master: DNM: Test patch only  https://review.opendev.org/c/openstack/neutron-dynamic-routing/+/89080607:36
ralonsohhaleyb, hey! Do you mind checking these two patches?08:14
ralonsohhttps://review.opendev.org/c/openstack/neutron/+/888769/08:15
ralonsohhttps://review.opendev.org/c/openstack/neutron/+/88877608:15
ralonsoh(in order). Both are fixing the issue we currentlty have with live migration in OVN with trunk ports08:15
ralonsohtesting patch: https://review.opendev.org/c/openstack/tempest/+/88877008:15
opendevreviewmorice proposed openstack/neutron master: [ovn] AZs distribution in L3 port scheduler  https://review.opendev.org/c/openstack/neutron/+/89260408:18
opendevreviewyatin proposed openstack/neutron-tempest-plugin master: [DNM] Test ovs latest  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/89276608:42
opendevreviewRodolfo Alonso proposed openstack/neutron master: Use the new network HA parameter  https://review.opendev.org/c/openstack/neutron/+/88174208:43
opendevreviewRodolfo Alonso proposed openstack/neutron master: Fix race condition when creating two routers without HA network  https://review.opendev.org/c/openstack/neutron/+/88182608:43
opendevreviewFernando Royo proposed openstack/ovn-octavia-provider master: Allow multiple VIPs per LB  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/88511109:12
fnordahllajoskatona: thanks alot for taking the time to test and review. Have not looked at the whole end-to-end thing in a while as it's been in review for so long, will check.  It is my understanding that those extensions are supposed to be truly virtual and require no configuration but let's see whats up09:13
lajoskatonafnordahl: ok, please check it, if on top of the whole series there could be a doc or user config patch would be even better09:24
fnordahllajoskatona: yes, we do owe docs for sure09:26
opendevreviewMerged openstack/neutron-dynamic-routing master: Install os-ken from git repo  https://review.opendev.org/c/openstack/neutron-dynamic-routing/+/89245009:43
opendevreviewMerged openstack/neutron master: [OVN] Disable the mcast_flood_reports option for LSPs  https://review.opendev.org/c/openstack/neutron/+/88812710:15
opendevreviewLucas Alvares Gomes proposed openstack/neutron stable/2023.1: [OVN] Disable the mcast_flood_reports option for LSPs  https://review.opendev.org/c/openstack/neutron/+/89277210:41
opendevreviewLucas Alvares Gomes proposed openstack/neutron stable/zed: [OVN] Disable the mcast_flood_reports option for LSPs  https://review.opendev.org/c/openstack/neutron/+/89277310:41
opendevreviewLucas Alvares Gomes proposed openstack/neutron stable/yoga: [OVN] Disable the mcast_flood_reports option for LSPs  https://review.opendev.org/c/openstack/neutron/+/89277410:42
opendevreviewLucas Alvares Gomes proposed openstack/neutron stable/xena: [OVN] Disable the mcast_flood_reports option for LSPs  https://review.opendev.org/c/openstack/neutron/+/89277510:42
opendevreviewLucas Alvares Gomes proposed openstack/neutron stable/wallaby: [OVN] Disable the mcast_flood_reports option for LSPs  https://review.opendev.org/c/openstack/neutron/+/89277610:42
opendevreviewMerged openstack/neutron master: Fix ovn-metadata agent sync of unused namespaces  https://review.opendev.org/c/openstack/neutron/+/89123211:46
opendevreviewMichal Arbet proposed openstack/neutron stable/yoga: Spread OVN metadata agent heartbeat response in time  https://review.opendev.org/c/openstack/neutron/+/89274512:07
opendevreviewMichal Arbet proposed openstack/neutron stable/yoga: Send ovn heatbeat more often.  https://review.opendev.org/c/openstack/neutron/+/89274612:07
opendevreviewMichal Arbet proposed openstack/neutron stable/yoga: Send ovn heatbeat more often.  https://review.opendev.org/c/openstack/neutron/+/89274612:13
opendevreviewMerged openstack/os-ken master: [CI] Run a ml2/ovs job  https://review.opendev.org/c/openstack/os-ken/+/89245212:41
opendevreviewRodolfo Alonso proposed openstack/neutron master: WIP == Add a "port" child table "porthardwareoffloadtype"  https://review.opendev.org/c/openstack/neutron/+/88283212:54
*** TheJulia is now known as needs_brains_and_sleep13:04
*** needs_brains_and_sleep is now known as TheJulia13:23
haleybralonsoh: looking...13:56
ralonsohthanks13:56
ralonsoh(no rush)13:56
opendevreviewRodolfo Alonso proposed openstack/neutron master: WIP == Add a "port" child table "porthardwareoffloadtype"  https://review.opendev.org/c/openstack/neutron/+/88283213:59
TheJuliaAny neutron folks around who know ovn and who might be up for a mystery of why NAT suddenly gets used again in my devstack?14:32
TheJulia... even though it is disabled.14:32
ralonsohTheJulia, sorry, can you provide more context?14:33
TheJuliaSo, I have to turn off NAT for OVN because I can't pass TFTP packets14:34
TheJuliaAnd I've done this on the test job I'm working on to verify ironic can use Neutron OVN14:34
TheJuliaAnd, works wonderfully on two jobs, but then I have another job where we run instance rescue, which rebinds the network ports14:34
TheJuliaand suddenly, we have MTU packet drops because NAT is suddenly back on14:35
TheJuliaand OVN can't handle the inbound packet being too large14:35
* TheJulia is also curious where 1430 bytes as a default MTU is coming from when the public bridge mtu in devstack is set to 1400 bytes14:35
TheJuliahttps://f65b0483f01fbf97cb5c-1988f1bc3d637497f7692396b58d77ce.ssl.cf2.rackcdn.com/885087/49/check/ironic-tempest-ipa-wholedisk-bios-agent_ipmitool/0990cd1/controller/logs/apache/ipxe_access_log.txt14:36
TheJuliayou can see the IP changes, but it is the same vif on the private network14:36
TheJuliaNAT is disabled by the devstack plugin in the change set14:36
ralonsohTheJulia, what does it means turn off NAT?14:36
TheJuliahttps://review.opendev.org/c/openstack/ironic/+/885087/49/devstack/lib/ironic#224114:38
TheJuliain that case, that is the router for the private network14:38
TheJuliain the linked apache logs, the 172 addresses are from the same instance with the vif detached/reattached from the first download of the same files14:40
ralonsohTheJulia, do you happen to know at what point, in this script, the "enable_snat" flag is restored?14:40
TheJuliait is not restored in the script14:40
TheJuliaand if we create a new vif on the network, later on you can see this in the apache log, there is no snat occuring14:41
ralonsohTheJulia, let me find a way to reproduce it14:42
ralonsohTheJulia, did you create a LP Neutron bug?14:42
TheJuliaralonsoh: not yet, I can't figure out how it has changed to begin with14:42
TheJuliait really makes no sense since I can confirm that the vif is always on the private network14:42
TheJuliait is frankly, the most bizar thing I've seen this week14:43
TheJuliaI also need to look at the public bridge logic, I guess something has changed there since we're getting different defaults when we create networks14:45
TheJuliabut that is aside from the NAT14:45
ralonsohI'm trying to find something in the neutron logs right now14:46
TheJuliaIf i didn't have an explicit route to ensure my packets didn't get silently dropped due to the MTU, i would have never discovered the source natting reappearing14:46
TheJulia(that route just clamps the mtu/mss)14:46
ralonsohTheJulia, sorry, I only see the command when the router GW is defined with 'enable_snat': False. And we execute the NAT rule deletion14:53
ralonsohbut then I see no other operation restoring it14:54
ralonsohTheJulia, ups, hold on14:56
ralonsohAug 24 22:09:02.321100 np0035045764 neutron-server[112824]: DEBUG ovsdbapp.backend.ovs_idl.transaction [None req-bd0cad9d-cfec-4fca-a502-cf9bf46eab43 None None] Running txn n=1 command(idx=0): AddNATRuleInLRouterCommand(_result=None, lrouter=neutron-cbfcbf42-6602-4e5d-95b4-60d5a50556f7, columns={'type': 'dnat_and_snat', 'logical_ip': '10.1.0.12', 'external_ip': '172.24.5.109', 'logical_port': '55e083e3-35a6-4a1f-a24b14:56
ralonsoh-d45308ae06c7', 'external_ids': {'neutron:fip_id': '982560e7-a6f3-4928-b090-6d72caa488e9', 'neutron:revision_number': '0', 'neutron:fip_port_id': '55e083e3-35a6-4a1f-a24b-d45308ae06c7', 'neutron:router_name': 'neutron-cbfcbf42-6602-4e5d-95b4-60d5a50556f7', 'neutron:fip_external_mac': 'fa:16:3e:4b:ad:6c', 'neutron:fip_network_id': '1def3279-3954-4727-9567-a141d2731047'}}) {{(pid=112824) do_commit /opt/stack/data/venv/14:56
ralonsohlib/python3.10/site-packages/ovsdbapp/backend/ovs_idl/transaction.py:89}}14:56
ralonsohdoes it match with the IP, private IP and router?14:56
TheJuliauhhhh hmm14:57
TheJuliaI believe that ip/port matches14:57
TheJuliabut we only detached and reattached the vif14:57
ralonsohbecause this is actually restoring the previous nat rule deletion14:57
TheJuliaand updated dhcp info14:57
TheJulia*how* ?!14:57
TheJuliathat seems like a bug, tbh14:57
ralonsohyeah, how?14:57
ralonsohmost probably14:57
ralonsohI'll try to find out when/how are we "restoring" that value14:58
TheJuliaokay14:58
TheJuliaThanks! I'm here basically all day but having to step away periodically since my wife is sick14:59
ralonsohI've created an initial LP bug to track this problem15:02
TheJuliaralonsoh: oh, cool, that actually sort of unblocks me already! :)15:04
racostaralonsoh, about this reported snat problem, from the log you posted the port seems to have a FIP configured, right? If so, with or without enable_snat on the router a dnat_and_snat type rule will be created and all traffic from/to this Private IP would be translated with 1:1 NAT mapping... The DNAT/SNAT rule for FIP is applied directly in the OVN controller on the chassis (openflow flows level).15:42
ralonsohracosta, with enable_snat=False, Neutron removes the NAT rule for the private network to the GW IP15:49
ralonsohlogical_ip=10.1.0.0/26, external_ip=172.24.5.9515:49
ralonsohthe FIP creates a 1:1 NAT rule15:49
ralonsoh'logical_ip': '10.1.0.12', 'external_ip': '172.24.5.109'15:49
ralonsohand yes, that is handled in the controller chassis or in the compute node, if DVR is enabled15:50
fricklerI don't grasp the whole scenario yet, but maybe using address scope(s) to avoid nat+fips completely might be a better approach?15:52
ralonsohthat should work fine as is, the problem (maybe) is this new FIP added using the fixed IP of an ironic port15:55
ralonsohI don't know why this FIP is created15:55
TheJuliaso the fip originally gets created by the tempest job for an instance16:00
ralonsohthis FIP is matching the fixed IP previously used in the ipxe calls16:01
TheJuliait is a flat network16:01
ralonsohit doesn't matter the network type16:02
ralonsohthe FIP is adding the NAT rule for 'logical_ip': '10.1.0.12', 'external_ip': '172.24.5.109'16:02
TheJuliathe fip gets created by the tempest job to create the ability to ssh in16:02
TheJuliaso fips *always* create nat rules now?16:02
TheJuliaalways create SNAT that is16:02
ralonsohyes, 1:1 rules16:02
TheJuliawas this the case with OVS in any configuration?16:03
ralonsohthe GW SNAT option is something like16:03
ralonsohlogical_ip=10.1.0.0/26, external_ip=172.24.5.9516:03
ralonsohnetwork:GW IP16:03
ralonsohTheJulia, what do you mean? 16:03
TheJuliawell, this worked just fine with OVS in configurations. Maybe it silently just sort of worked and was inherently broken, or it was not NAT'ed. I'll need to go dig through another jobs logs to be sure16:04
TheJuliabut the bottom line ends up being that we can't pass TFTP traffic then16:05
ralonsohno if the ftpf traffic cannot be SNATed16:05
TheJuliayeah, that shoots ironic in the foot hard16:05
TheJulialike... approaching unusable feature set territory16:05
TheJuliawith OVN if that is the case16:05
TheJuliaand we know operators use it today16:05
ralonsohbut I think the current behaviour is correct16:05
ralonsohif you create a FIP, you are asking to NAT a fixed IP into a public IP16:06
TheJuliapulling up an ovs version of that job to look at the logs16:06
TheJuliaokay, so we could nat that traffic with OVS and did in that case16:08
TheJuliathe fact tftp just can't be forwarded back with OVN is... wow16:08
TheJuliaThat *really* hurts us16:08
ralonsohso the issue is not the NAT but how OVN handles tftp traffic16:09
TheJuliawell, how OVN handles tftp traffic ended up driving me to disable snat for the CI job to begin with16:09
TheJuliawhich should also *just work*16:09
TheJuliaand it does, but I'm sort of back to square zero then16:10
TheJuliaor I move forward, begin documenting, and we figure out a new plan16:10
TheJuliaI'm guessing folks have been turning off OVN, this might actually explain some other things I've brushed up against in the past16:10
ralonsohTheJulia, on Monday I'll ping OVN core folks about this issue16:11
TheJuliaerr, not turning off ovn, but turning off fip usage16:11
TheJuliaralonsoh: that is much appreciated, I guess ultimately no is an answer, just... let me know what they say :\16:11
ralonsohfor sure16:11
* TheJulia opens up her ovn-documentation.rst file and begins to add a new entry on fip usage :)16:12
TheJuliaralonsoh: thanks for the assistance!16:12
racostaralonsoh, regarding we talked about in Vancouver (OVN 22.03 compatibility with Neutron Ussuri - 16.x)... with recent OVN northd patch applied from the ovs-discuss that I sent the link yesterday (northd recompute), and a single backport in the Neutron bump revision number - to solve the some loop issue. We are running load tests with more than 5k router and 8k VMs in our OpenStack "Ussuri" Lab... maybe that changes a little bit the idea of 17:29
racostascaling number that we have of OVN with OpenStack/Neutron.17:29
opendevreviewMerged openstack/neutron master: [OVN] Skip the port status UP update during a live migration  https://review.opendev.org/c/openstack/neutron/+/88876918:01
opendevreviewMerged openstack/neutron master: [OVN][Trunk] Set the subports correct host during live migration  https://review.opendev.org/c/openstack/neutron/+/88877618:01
ralonsohracosta, I'll check this tomorrow, I need to leave now, sorry18:18
opendevreviewMiro Tomaska proposed openstack/neutron stable/2023.1: Fix ovn-metadata agent sync of unused namespaces  https://review.opendev.org/c/openstack/neutron/+/89274818:24
opendevreviewMiro Tomaska proposed openstack/neutron stable/zed: Fix ovn-metadata agent sync of unused namespaces  https://review.opendev.org/c/openstack/neutron/+/89274918:25
opendevreviewMiro Tomaska proposed openstack/neutron stable/yoga: Fix ovn-metadata agent sync of unused namespaces  https://review.opendev.org/c/openstack/neutron/+/89275018:25
opendevreviewMiro Tomaska proposed openstack/neutron stable/xena: Fix ovn-metadata agent sync of unused namespaces  https://review.opendev.org/c/openstack/neutron/+/89275118:25
opendevreviewMiro Tomaska proposed openstack/neutron stable/wallaby: Fix ovn-metadata agent sync of unused namespaces  https://review.opendev.org/c/openstack/neutron/+/89275218:25
*** tbachman_ is now known as tbachman18:31
opendevreviewJakub Libosvar proposed openstack/neutron master: Forbid updating vnic type on a bound port  https://review.opendev.org/c/openstack/neutron/+/89281520:33
opendevreviewMiro Tomaska proposed openstack/neutron master: [DHCP agent] Add route to OVN metadata port if exists  https://review.opendev.org/c/openstack/neutron/+/88698821:13
« Thursday, 2023-08-24 Index Saturday, 2023-08-26 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!