opendevreview | Miguel Lavalle proposed openstack/neutron master: [DNM] Fix support of IPv6 only networks in OVN metadata agent https://review.opendev.org/c/openstack/neutron/+/922264 | 00:09 |
---|---|---|
opendevreview | Miguel Lavalle proposed openstack/neutron master: [DNM] Fix support of IPv6 only networks in OVN metadata agent https://review.opendev.org/c/openstack/neutron/+/922264 | 00:11 |
opendevreview | Miguel Lavalle proposed openstack/neutron master: [DNM] Fix support of IPv6 only networks in OVN metadata agent https://review.opendev.org/c/openstack/neutron/+/922264 | 00:18 |
sahid | o/ | 06:55 |
sahid | quick question, have you already noticed that sometimes we have to restart ovsdb because some rules are not applied correctly to the vswitch | 06:55 |
ralonsoh | sahid, not really, if you have any specific rule that is not correctly created, please report it | 06:58 |
ralonsoh | I've never seen that | 06:59 |
ralonsoh | I guess this is ML2/OVS | 06:59 |
sahid | yes it is, but the other point is that we are still running on ussuri, so it's difficult to complain or report it to master | 07:00 |
gokhani | hello folks, I have some questions about neutron fwaas. I am trying to test neutron fwaas on antelope. It can filter network traffic between different subnets but it can not filter east-west intra-subnet network traffic. is it expected behaviour? can we also add both vm and router ports to a firewall? | 07:07 |
gokhani | I am using ha routers in neutron not dvr. this is ovs based deployment. | 07:07 |
ralonsoh | gokhani, fwaas is a FW for router ports | 07:09 |
ralonsoh | however you have the in-tree SGs for east-west traffic, that will enforce a set of firewall rules for this traffic | 07:09 |
gokhani | ralonsoh: thanks, you mean we can not use vm ports with fwaas. I also can not use security groups and fwaas together. | 07:16 |
ralonsoh | why not the second? | 07:17 |
ralonsoh | SGs are for VM ports, fwaas is for router ports | 07:17 |
ralonsoh | you can use both | 07:17 |
gokhani | ralonsoh: I am testing now. previously I got an error. maybe I explained my situation wrong. I can explain my network configs. I have created 2 networks which have 192.168.29.0/24 and 172.16.29.0/24 subnets and 1 router. I have connected 2 networks to this router. I have also created 3 instances and their ips are respectively 192.168.29.21, 192.168.29.22 and 172.16.29.35 | 07:34 |
gokhani | then I created a firewall group which has 192.168.29.1, 172.16.29.1, 192.168.29.21, 192.168.29.22 and 172.16.29.35 | 07:36 |
gokhani | with this setup I can filter network traffic between 192.168.29.0/24 and 172.16.29.0/24 but I can not filter network traffic between 192.168.29.21 and 192.168.29.22. | 07:37 |
ralonsoh | gokhani, why not? you can add any SG rule to block/allow any traffic | 07:42 |
ralonsoh | you can, for example, allow only SSH egress connections | 07:42 |
ralonsoh | in any case, I don't know what you mean by "filter". The SGs/FW don't filter, they only block/allow | 07:43 |
gokhani | ralonsoh: yes filter meaning blocks/allow | 07:44 |
gokhani | for example block ping from 192.168.29.21 to 192.168.29.22 | 07:45 |
ralonsoh | by default all traffic is blocked, so if you don't enable icmp, you won't be able to ping from any VM to another | 07:46 |
gokhani | ralonsoh: for the security groups situation I can explain my network setting. I have created a port security enabled network which has 192.168.28.0/24 subnet. I have created an instance from this network and its ip is 192.168.28.119. then I tried to create a firewall, adding 192.168.28.1 and 192.168.28.119. it can add the 192.168.28.1 port but it can not add the 192.168.28.119 port | 07:51 |
gokhani | it throws this error https://paste.openstack.org/show/b3UVMvGESpCZe041CIWR/ | 07:51 |
gokhani | but if I create networks without port security enabled, I can also add vm interface ports to fwaas | 07:53 |
ralonsoh | I think maybe can ask lajoskatona ^ | 07:54 |
ralonsoh | yes, according to the spec, fwaas should also handle e/w traffic https://github.com/openstack/neutron-specs/blob/master/specs/newton/fwaas-api-2.0.rst | 07:55 |
ralonsoh | fwaas 2.0 | 07:55 |
gokhani | ralonsoh: yes but it didn't work on antelope. I am using fwaas v2.0 | 07:58 |
gokhani | can you help with the above fwaas problem lajoskatona when you are available. I will also create a bug for this. | 08:03 |
lajoskatona | gokhani, ralonsoh: Hi, Let me read the discussion | 08:05 |
lajoskatona | gokhani: Am I right that your main problem is that you have the exception which you linked? (https://paste.openstack.org/show/b3UVMvGESpCZe041CIWR/ ) | 08:11 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [DHCP] Do not force the DHCP disable call in a network creation https://review.opendev.org/c/openstack/neutron/+/924385 | 08:11 |
ralonsoh | ykarel, ^ | 08:11 |
ykarel | ralonsoh, thx. i tried that in https://review.opendev.org/c/openstack/neutron/+/924248 and had some failures, so would need adjustment | 08:13 |
gokhani | lajoskatona: not only this, there is also problem which I can not allow/block traffic in same subnet. for example block ssh from 192.168.29.21 to 192.168.29.22 | 08:13 |
ralonsoh | ykarel, ok in the UTs, perfect! | 08:14 |
gokhani | lajoskatona: in fwaas spec it says it can support allow/block east west network traffic https://github.com/openstack/neutron-specs/blob/master/specs/newton/fwaas-api-2.0.rst | 08:15 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [DHCP] Do not force the DHCP disable call in a network creation https://review.opendev.org/c/openstack/neutron/+/924385 | 08:20 |
ralonsoh | ykarel, what are the most affected jobs? to create a follow-up patch on top of this one running multiple instances | 08:21 |
ralonsoh | could be neutron-tempest-plugin-openvswitch and neutron-tempest-plugin-linuxbridge, right? | 08:21 |
opendevreview | Merged openstack/neutron master: Adjust flavor extension unit test to case when tenant_id is not there https://review.opendev.org/c/openstack/neutron/+/921647 | 08:21 |
opendevreview | Merged openstack/neutron master: Don't send project_id as QoS rule attribute in the tests https://review.opendev.org/c/openstack/neutron/+/922790 | 08:22 |
gokhani | lajoskatona: I have to go now. I will be available in an hour again. please write your recommendation and I can check again, thanks for your help :) | 08:23 |
lajoskatona | gokhani: Please open a Launchpad bug report (https://bugs.launchpad.net/neutron) and collect all the info there with possible logs where you think they can be relevant, I'll try to check that in the meantime | 08:24 |
ralonsoh | hi folks, after the following n-lib patches, I'm going to propose a new release | 08:26 |
ralonsoh | https://review.opendev.org/c/openstack/neutron-lib/+/921649 | 08:26 |
ralonsoh | https://review.opendev.org/c/openstack/neutron-lib/+/923926 | 08:26 |
ralonsoh | I think we have enough new features/fixes to deserve a new version | 08:26 |
ykarel | ralonsoh, yes can run all ovs and linuxbridge jobs | 08:31 |
ralonsoh | perfect, I'll create a testing patch | 08:31 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: DNM - TESTING PATCH: DHCP agent https://review.opendev.org/c/openstack/neutron/+/924386 | 08:38 |
ykarel | ralonsoh, i think i have not seen failures in those ovs*multinode jobs | 08:49 |
ykarel | just scenario jobs ovs, ovs-iptables, hybrid etc | 08:50 |
ralonsoh | right, only the single node ones | 08:52 |
ykarel | yeap quite stable https://zuul.openstack.org/builds?job_name=neutron-ovs-tempest-multinode-full&job_name=neutron-ovs-tempest-dvr-ha-multinode-full&branch=master&skip=0 | 08:52 |
ykarel | out of latest 3 failures, 2 are unshelve host known issue | 08:53 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: DNM - TESTING PATCH: DHCP agent https://review.opendev.org/c/openstack/neutron/+/924386 | 08:53 |
ykarel | 3rd one still checking | 08:53 |
ykarel | 924386 better now | 08:54 |
ykarel | let's see how it goes | 08:54 |
ykarel | 3rd one failed as dhcp agent took more than 90 seconds to process that port and meanwhile all the metadata attempts should have failed | 09:10 |
ykarel | failed 20/20: up 95.21. request failed | 09:11 |
ralonsoh | this one? https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_013/907313/24/check/neutron-ovs-tempest-dvr-ha-multinode-full/01324c6/testr_results.html | 09:12 |
ralonsoh | yes, this one | 09:12 |
ykarel | yes that one | 09:14 |
ralonsoh | when we are processing a RPC request, I really don't know what is the status of the DhcpAgent._queue | 09:21 |
ralonsoh | in other words, I don't know if the DHCP agent is overloaded or not | 09:21 |
ralonsoh | I'm going to add an extra debug line to, every time a command is processed, inform how many commands are still pending in the queue | 09:22 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [DHCP] Inform about the number of pending events to be processed https://review.opendev.org/c/openstack/neutron/+/924392 | 09:59 |
opendevreview | Lajos Katona proposed openstack/tap-as-a-service master: Do not set ageing in case of system datapath type https://review.opendev.org/c/openstack/tap-as-a-service/+/922400 | 10:17 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [DHCP] Inform about the number of pending events to be processed https://review.opendev.org/c/openstack/neutron/+/924392 | 10:24 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: DNM - TESTING PATCH: DHCP agent https://review.opendev.org/c/openstack/neutron/+/924386 | 11:13 |
opendevreview | Merged openstack/neutron master: Adding manager role support https://review.opendev.org/c/openstack/neutron/+/923578 | 11:14 |
opendevreview | Merged openstack/neutron master: Change to new syntax of calling super() in policies unit tests modules https://review.opendev.org/c/openstack/neutron/+/923840 | 11:14 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [DHCP] Lock the execution of ``_dhcp_ready_ports_loop`` https://review.opendev.org/c/openstack/neutron/+/924300 | 11:15 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: DNM - TESTING PATCH: Lock method in DHCP agent https://review.opendev.org/c/openstack/neutron/+/924397 | 11:15 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: Add "subnet-external-network" extension to "subnet" resource https://review.opendev.org/c/openstack/neutron/+/907313 | 11:18 |
ralonsoh | slaweq, ^^ that patch had a +W but I needed to rebase it to fix a trivial merge error in tests/unit/conf/policies/test_subnet.py | 11:18 |
frickler | ykarel: https://github.com/cirros-dev/cirros/pull/116#issuecomment-2236476297 , you may also want to join #cirros on libera if needed (and I likely should have suggested that earlier) | 13:23 |
ykarel | frickler, thanks for following this up, had to drop for today so will check and update tomorrow | 13:29 |
ralonsoh | ykarel, https://review.opendev.org/c/openstack/neutron/+/924385 (and the testing patch https://review.opendev.org/c/openstack/neutron/+/924386/3): that seems to work quite well | 13:39 |
ralonsoh | same for the upper patch on top of this one https://review.opendev.org/c/openstack/neutron/+/924300 | 13:39 |
ykarel | ralonsoh, ack thx, have to drop for now so will check later | 14:03 |
ralonsoh | thanks | 14:04 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: Log the number of RPC workers created https://review.opendev.org/c/openstack/neutron/+/924408 | 14:47 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [WSGI] Move all OVN jobs to use WSGI API module https://review.opendev.org/c/openstack/neutron/+/924317 | 14:58 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: DNM - TESTING PATCH: StandardAttribute load method to "selectin" https://review.opendev.org/c/openstack/neutron/+/923931 | 15:04 |
opendevreview | Brian Haley proposed openstack/neutron master: Use convert_version_to_tuple() instead of pkg_resources https://review.opendev.org/c/openstack/neutron/+/924374 | 15:09 |
*** elodilles is now known as elodilles_ooo | 17:10 | |
ralonsoh | haleyb, hi! can you check https://review.opendev.org/c/openstack/neutron/+/924385/2? | 18:59 |
ralonsoh | thanks in advance | 18:59 |
ralonsoh | that should health the LB/OVS jobs | 19:00 |
ralonsoh | heal* | 19:00 |
haleyb | ralonsoh: hi, i had *just* opened that, i'll take a look along with any other ones | 19:00 |
ralonsoh | thanks! | 19:01 |
haleyb | ihrachys: about the nested router bug, it's broken worse than i thought, it's really only good at fixing things when the sync tool is run or 'repair' mode is set in the conf file. I've been playing locally but don't have a new PS yet, and I'm out next week so won't get to it until after that | 19:14 |
opendevreview | Jakub Libosvar proposed openstack/neutron master: Remove Open vSwitch plugin mentioned in allowed address pairs note https://review.opendev.org/c/openstack/neutron/+/924439 | 20:46 |
opendevreview | Merged openstack/neutron master: [DHCP] Do not force the DHCP disable call in a network creation https://review.opendev.org/c/openstack/neutron/+/924385 | 21:07 |
opendevreview | Merged openstack/neutron master: [DHCP] Lock the execution of ``_dhcp_ready_ports_loop`` https://review.opendev.org/c/openstack/neutron/+/924300 | 21:37 |
opendevreview | Dmitrii Shcherbakov proposed openstack/ovn-bgp-agent master: Make the local chassis ID configurable https://review.opendev.org/c/openstack/ovn-bgp-agent/+/922957 | 22:40 |