Friday, 2024-08-23

« Thursday, 2024-08-22 Index Saturday, 2024-08-24 »
opendevreviewGhanshyam proposed openstack/neutron master: DNM debugging designate job  https://review.opendev.org/c/openstack/neutron/+/92694504:57
fricklerJayF: I think the usual term is Neutrinos although that sounds weird in a quantum physical context ;) and I like that idea although I'm just a strange quark around here ;)  you'll likely want to create an RFE bug for more detailed discussion05:13
*** elodilles is now known as elodilles_pto05:18
gramiHi All, so I'm not 100% sure this is right I'm trying to add a new driver to networking-generic-switch could I ask if someone could review this please https://review.opendev.org/c/openstack/networking-generic-switch/+/92688607:53
gramiI also would like to cherry-pick it down to 2023.2 but I'm asking here first if this would be allowed?07:54
lajoskatona1grami: Hi, networking-generic-switch is not under the governance of Neutron team, and I don't think there are people who can review (aka nobody has the technical background)  your patch08:14
lajoskatona1grami: I would try to reach out for the cores if anybody is still around: https://review.opendev.org/admin/groups/eaf58f67a6c1ac4246bec3197d3fbd5ea42e9b5b,members08:15
gramithanks for the quick response :) I'll do that08:44
fricklergrami: iiuc the repo belongs to ironic, so you could also try asking in their channel09:09
JayFYes, please send ngs folks our way. It is exceedingly maintained13:12
*** joa_ is now known as joa13:29
lajoskatona1ykarel: Hi, perhaps you remember issue with issue like " Multiple possible networks found....", I can't find any trace of it.13:42
lajoskatona1ykarel: for novaclient they run into such an issue: https://bugs.launchpad.net/python-novaclient/+bug/207716813:43
mlavallelajoskatona1: most likely, ykarel is not on today. It is the quarterly "re-charge day" in RedHat-land13:57
haleybi wonder how many we'll get for the drivers meeting then14:00
mlavalleyeap14:01
joaHello, I'm here for it, at least14:01
lajoskatona1o/14:01
haleyb#startmeeting neutron_drivers14:01
opendevmeetMeeting started Fri Aug 23 14:01:21 2024 UTC and is due to finish in 60 minutes.  The chair is haleyb. Information about MeetBot at http://wiki.debian.org/MeetBot.14:01
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:01
opendevmeetThe meeting name has been set to 'neutron_drivers'14:01
haleybPing list: ykarel, mlavalle, mtomaska, slaweq, obondarev, tobias-urdin, lajoskatona, amotoki, haleyb, ralonsoh14:01
mlavalle\o14:01
lajoskatona1mlavalle: ahh, I missed his name from m irc clients active list14:01
lajoskatona1thanks14:02
haleybjoa: hi, just waiting to see if we have enough to make quorom. even if we don't can still talk about your rfe14:03
haleyb#link https://bugs.launchpad.net/neutron/+bug/2075955 is the only thing on the agenda today14:03
* mlavalle has a hard stop at 40 munutes after de hour14:03
joaSure :)14:03
haleybmlavalle: ack, i'm a hard stop at :30 so you'll make it :)14:04
haleybalright, i didn't know it was a RH re-charge day, but we can at least discuss the rfe and ask any questions to put in the bug14:05
mlavallehaleyb, lajoskatona1: while we wait, can I get reviews for https://review.opendev.org/c/openstack/neutron/+/91780014:05
mlavalleI added it to the priority list with +114:06
mlavalleno need to review now, just when you have some time14:06
haleybput it on my list, thanks14:06
lajoskatona1mlavalle: sure, I started to check the priority list anyway :-)14:07
mlavallethanks guys14:07
haleybjoa: do you want to give a quick overview? if we can get some clarifications on any questions might be able to discuss and/or approve at a future meeting14:08
joaSure.14:08
joaTo give a bit of context, my company is slowly switching towards openstack to manage our infrastructure, from a homemade stack, tailored to the specific needs of our historical product.14:09
mlavallegood decision14:09
joaIn there, we have a "service", exposed to most of our user's VMs, that we want to somehow fit into an openstack compliant model; but the said service has no equivalent whatsoever in openstack, so there's a bit of forceps involved.14:10
joaThus, our idea was to create a network model that represented the service on the Openstack side, and we'd custom-configure our hypervisors to provide whatever routing configurations we'd need, towards this service, unmanaged by openstack14:10
joaInitially, we hoped to be able to provide an external network, shared with only specific customers/projects, taht would "expose" the service.14:11
joathe issue with that is that it enables communicating between the VMs through that service network, which we want to prevent.14:11
joaWhich brings us to the current "hoped for" design:14:12
joa1. Our current RFE, which offers to associate Security-Groups with a network, making it an implied default set of rules for any port from that network14:13
joa2. I have another RFE opened about preventing a "user" that uses a shared network from associating SecurityGroups with the ports they manage.14:13
joawe hopes that with both these changes, we'd be able to defined a default security group, opening the way only to our services ; and that the user projects would not be able to further open this specific network14:14
joaannd that's it for the intro. Ask away any precision you think might help :)14:15
mlavalledoes it have to be two separate rfe's? or could we merge them together?14:15
joaI don't mind either way, I thought these could be considered and addressed separately. For the other RFE, I've been playing with it, and it seems sufficient to add a `enforce_policy` on the securitygroup extensions of the ports.14:16
joa(then I've found a way to express what I needed, to prevent users from creating/updating security grousp for ports of specific networks)14:16
joawith the help of slaweq  on the RFE14:16
joafor the record, the other RFE is linked in the one we are discussing14:17
mlavallewould network security network bindings only allowed on shared networks or any kind of network?14:17
mlavalleI understand that for shared networks, tenenats wou;dn't be able to change security at the port level14:18
joaI'm not very knowledgeable in the various use-cases that neutron oversees, but I personally see no conflicting reason that would warrant not doing so. The way I see it at the moment, is that the SG(s) on the network are automatically applied to all ports. But this should not prevent the user from adding additional SGs on their ports. Then the rules would be merged, form the port's POV14:19
lajoskatona1good point14:20
joawhich is where the policy comes in, to provide the "lock" mechanism we need in our specific situation14:20
mlavalleahh, I get it now14:20
mlavallethe lock is acomplished at the policy level for shared networks in your use case14:21
joayes, by using the specific network's ID, to only "lock" for specific "external services" networks that we, as the administrators, would provide "some" projects.14:21
mlavalleyeah, slaweq knows a thing or two about policies14:22
joaHe did point me towards that, and I spent a bit of time trying to understand why it wouldn't work out of the box. Though, but good learning on the policy side.14:22
mlavalleyeap14:23
haleybso i'm still trying to draw a picture in my head about what this looks like... you have an external network where you have hosts offering services; you want to add SG rules to allow Openstack tenants access to certain IPs on that network; and vice-versa?14:24
haleybi had a long day yesterday and brain is still 'off'14:25
haleybthe "Prevent Each VM on this network from seeing each other" is about the openstack tenant network(s)14:25
lajoskatona1I am not sure if we can ask for a spec before officially accepting the rfe, but I feel that some details should be added14:26
joaahah no worries. To be more specific, the service is hidden behind a VIP, for which, on our legacy infrastructure, we've setup custom routing. We want to be able to provide access to the "service network" only for some projects (through rbac), and make sure that this network _ONLY_ enables contacting the said service14:26
joaand yes, we don't want the VMs to see each other from this network, in part because our product does not offer this feature by default, but also because we might share the network to multiple tenants, and don't want them to start communicating involuntarily with each other14:27
joalajoskatona1: I was unsure how to proceed for this, as it seemed like a design question that warranted discussion before we tried to formulate things more precisely. If the general idea seems OK for the neutron team, then I'll gladly work on properly formulating what we envision in a spec.14:29
mlavalleIn principle I personally think this proposal is worth exploring. In fact, I'm surprised it's taken all these years to bubble up. I agree with lajoskatona1 that a spec will help us to sort out the details14:29
lajoskatona1+114:29
haleybyes, or even a picture :) we will just need to have the larger team present to approve anything14:30
lajoskatona1yeah network bound sec-group sounds great, but I can imagine some skeletons under the years of code :-)14:30
mlavalleand I think the spec must differentiate clearly the overall design from the specific way you intend to use it in your case14:31
joaMHhh I'm an adept of mermaid for visualisations, I'm guessing launchpad does not render it ? :D14:31
joa(in which case I'll join the generated pngs)14:31
haleybi would be ok with you creating a spec to further explain some details raised here14:31
haleybeven ascii art is sometimes useful, or it will make sense in an hour :)14:31
lajoskatona1joa: for specs we also use ascii art :-)14:32
* mlavalle 's last spec included an ascii art diagram. so it works14:32
haleybi have another meeting i have to run to unfortunately14:32
lajoskatona1or you can attach png to your text (https://opendev.org/openstack/neutron-specs/src/branch/master/images )14:32
mlavalledon't forget to close the meeting haleyb 14:33
haleybjoa: can you create a spec for this so we can discuss at a future meeting?14:33
haleybit's ok if im a little late, can sneak in14:33
joaSure, will do. end of next week probably14:33
mlavallejoa: thanks for the proposal. good stuff in my opinion14:33
lajoskatona1thanks for it14:33
haleybthere is a neutron-specs repo14:33
haleybi do think it would be useful14:33
haleybalright, thanks for coming every and thanks for the discussion14:34
mlavalleI guess it is cross pollination from a group with a different experience implementing an IaaS platform14:34
haleybyes, glad to see new users and use cases14:34
lajoskatona1joa: here you can check example specs: https://review.opendev.org/q/project:openstack/neutron-specs14:34
mlavalle\o have a nice weekend y'all14:35
haleyb#endmeeting14:35
opendevmeetMeeting ended Fri Aug 23 14:35:54 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)14:35
opendevmeetMinutes:        https://meetings.opendev.org/meetings/neutron_drivers/2024/neutron_drivers.2024-08-23-14.01.html14:35
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/neutron_drivers/2024/neutron_drivers.2024-08-23-14.01.txt14:35
opendevmeetLog:            https://meetings.opendev.org/meetings/neutron_drivers/2024/neutron_drivers.2024-08-23-14.01.log.html14:35
lajoskatona1o/14:35
haleybbye for now14:36
joathanks everyone :)14:36
opendevreviewMerged openstack/networking-sfc master: Fix _delete_ports_flowrules_by_id so that it expects only one port_id  https://review.opendev.org/c/openstack/networking-sfc/+/92689215:43
opendevreviewGhanshyam proposed openstack/neutron master: DNM debugging designate job  https://review.opendev.org/c/openstack/neutron/+/92694518:58
cidHello people!20:16
« Thursday, 2024-08-22 Index Saturday, 2024-08-24 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!