Tuesday, 2024-08-27

« Monday, 2024-08-26 Index Wednesday, 2024-08-28 »
opendevreviewIhar Hrachyshka proposed openstack/neutron master: Introduce ovs-lts jobs that run against the latest ovn LTS branch  https://review.opendev.org/c/openstack/neutron/+/92722100:33
opendevreviewIhar Hrachyshka proposed openstack/neutron master: DNM test nested snat with ovn  https://review.opendev.org/c/openstack/neutron/+/92722200:51
opendevreviewIhar Hrachyshka proposed openstack/neutron master: Remove remnants of Open Daylight  https://review.opendev.org/c/openstack/neutron/+/92722301:28
opendevreviewIhar Hrachyshka proposed openstack/neutron master: Remove remnants of NSX  https://review.opendev.org/c/openstack/neutron/+/92722401:31
mlavallehaleyb: I implemented the improvement you recommended for https://review.opendev.org/c/openstack/neutron/+/917800. It is ready for the next review. Thanks in advance!01:43
opendevreviewIhar Hrachyshka proposed openstack/neutron-tempest-plugin master: DNM: enable nested_snat scenario for ovn  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/92722501:52
opendevreviewIhar Hrachyshka proposed openstack/neutron master: DNM test nested snat with ovn  https://review.opendev.org/c/openstack/neutron/+/92722201:53
opendevreviewRodolfo Alonso proposed openstack/neutron master: Make RPC event cast synchronous with the event  https://review.opendev.org/c/openstack/neutron/+/92692206:28
opendevreviewRodolfo Alonso proposed openstack/neutron master: Monkey patch the system libraries before calling them  https://review.opendev.org/c/openstack/neutron/+/92537606:29
opendevreviewRodolfo Alonso proposed openstack/neutron master: [WSGI] Move all OVN jobs to use WSGI API module  https://review.opendev.org/c/openstack/neutron/+/92431706:29
opendevreviewRodolfo Alonso proposed openstack/neutron master: [OVN][FT] Ensure the non OVN agent is correctly created  https://review.opendev.org/c/openstack/neutron/+/92723607:36
opendevreviewRodolfo Alonso proposed openstack/neutron master: Add new "tagging" API method: create (POST)  https://review.opendev.org/c/openstack/neutron/+/92472408:05
opendevreviewMerged openstack/neutron master: Bump ``oslo.serialization`` to version 5.5.0  https://review.opendev.org/c/openstack/neutron/+/92709809:47
opendevreviewMerged openstack/ovn-octavia-provider stable/2024.1: Error log for missing certs with NB and SB DBs  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/92711410:24
opendevreviewMerged openstack/ovn-octavia-provider stable/2023.2: Error log for missing certs with NB and SB DBs  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/92720310:24
opendevreviewMerged openstack/ovn-octavia-provider stable/2023.1: Error log for missing certs with NB and SB DBs  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/92717410:38
opendevreviewLajos Katona proposed openstack/neutron-tempest-plugin master: DNM test os-vif change in neutron gate  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/92338912:21
sean-k-mooneyhi folks im unsure how to proceed with https://review.opendev.org/c/openstack/os-vif/+/923036/comment/65489f07_383b2fe2/13:01
sean-k-mooneyit seam liek since we implemnted supprot for vlan trunking for ml2/ovs some changes have been made to neutron that changes the behavior which breaks os-vif13:02
sean-k-mooneyalso a config option  explicitly_egress_direct=true13:02
sean-k-mooneywas added that replaces using the normal action which is part of the core design of how the trunk prots implementation works13:03
sean-k-mooneythis is entrily invisable to nova/os-vif which is concerning13:04
sean-k-mooneythe core part of the fix is correct13:04
sean-k-mooneyhttps://review.opendev.org/c/openstack/os-vif/+/923036/2/vif_plug_ovs/ovs.py#21313:04
sean-k-mooneysetting  kwargs['vlan_mode'] = 'trunk'13:05
sean-k-mooney            kwargs['trunks'] = constants.DEAD_VLAN13:05
sean-k-mooneyis the bit i kind of take issue with as that to me is not backportable13:05
ralonsohsean-k-mooney, explicitly_egress_direct is false by default, it is used to avoid the normal action flooding when using the OVS FW13:05
ralonsohthe release note has a comment about using it with other services13:06
sean-k-mooneyyep i read13:06
sean-k-mooneybut either neutorn has to reject vlan trunking when its set to true13:06
sean-k-mooneyor you need to reimplemnt the trunking behavior13:06
ralonsohI don't think this config option was even tested with trunks13:06
sean-k-mooneyand that was not part fo the orginal commit that added it as far as i saw when skiming it13:06
ralonsohactually this config option is for optimizing the OVS FW, trunks cannot be used with FW13:07
sean-k-mooneyyep so the issue i have with https://review.opendev.org/c/openstack/os-vif/+/923036/2/vif_plug_ovs/ovs.py#21513:07
sean-k-mooneyis that we have never supproted anything other then acesss port when we were using libvirt to do the pluggin13:07
sean-k-mooneywe now dont and use os-vif explcively13:07
sean-k-mooneybut the current config was not doable when libvirt did the port plugging13:08
ralonsohwhy https://review.opendev.org/c/openstack/os-vif/+/923036/4/vif_plug_ovs/ovs.py is not possible?13:08
sean-k-mooneyso to me this is more of a feature then a bug fix if you actuly want to have os-vif create ovs ports as trunks not acces ports13:08
ralonsohsorry, I don't understand the relationship 13:08
ralonsohno no, this code is to mark the port as dead, a similar code is used in Neutron13:09
ralonsohby marking the vlan_mode=trunk, this port only accepts vlan traffic, and the we use DEAD_VLAN13:09
sean-k-mooneyi know but untill wallaby ish this port was not created by os-vif when not using hybrid plug13:09
sean-k-mooneyralonsoh: right which is not how this feature is ment ot work13:10
sean-k-mooneyralonsoh: form my point of view this is a backward incompatible change in behaivor and change in the contract between os-vif and neutron13:11
ralonsohsean-k-mooney, but I don't understand, os-vif always creates the port (we are not talking here of trunk ports)13:11
ralonsohsean-k-mooney, https://review.opendev.org/c/openstack/neutron/+/827315/12/neutron/agent/common/ovs_lib.py13:11
sean-k-mooney so the ports on the br-int can be trunk ports if neutron wants13:12
sean-k-mooneythose are created by neutron13:12
sean-k-mooneybut the tap device on the trunk bridge13:12
sean-k-mooneyis ment to allow all vlans13:12
sean-k-mooneythe bug here is that we incorrectly applien teh dead vlan to the tap when the tap was on a trunk bridge13:13
sean-k-mooneywe should not be marking the tap as a trunkin my view that what i take issue with13:13
sean-k-mooneythe vlan mapping/filtering is done by taging each end of the patch port that conencts the trunk bridge and br-int13:14
sean-k-mooneyand we rely on the normal actoin to do the vlan translation13:14
ralonsohsean-k-mooney, but this code will apply only if "not self._is_trunk_bridge(bridge)"13:14
ralonsohwe are not doing that on ports on the trunk bridge13:15
sean-k-mooneyit will but until now nova/os-vif/libvirt has never created trunk prots on br-int13:15
ralonsohsean-k-mooney, this is NOT for trunk ports13:15
sean-k-mooneyi know13:15
sean-k-mooneybut we are changing how prots are created on br-int form being a accessport to now always being a trunk port13:15
sean-k-mooneywhich would mean that neurton will now have to fix that13:16
ralonsohwe are doing it but later, once the TAP port has been created13:16
sean-k-mooneyso we cant safely backport this unless we know that the neutron code has already been backported13:16
ralonsohthe Neutron code that undo this config (in other words, the code that unsets the vlan_mode and sets the correct tag) is https://review.opendev.org/c/openstack/neutron/+/81956713:18
ralonsohhas been there since Zed13:18
sean-k-mooneythe packet flooding issue by the way i think is because at somepoint neturon change the drop rule for the dead vlan13:19
sean-k-mooneyit change to the one that also supprot the qos bits instad of the older and simpler dl_vlan mathc or whatever the old one was13:20
sean-k-mooneyusin the tsi one or what ever its using currently didnt work properly13:20
ralonsohsean-k-mooney, sorry, I don't know what code are you talking about13:21
sean-k-mooneythe orgainl code that was added to ensure that the dead valn used dl_vlan=4095 to match in the flow rule13:21
sean-k-mooneyat some point it was updated to vlan_tci=0x0fff/0x1fff 13:21
sean-k-mooneywhic did not work13:21
sean-k-mooneythat is what caused the packet flooding i belvie13:22
ralonsohwe only use this match for flat traffic: 0x0000/0x1fff13:24
ralonsohFLAT_VLAN_TCI = '0x0000/0x1fff'13:24
sean-k-mooneywhen we did the dead vlan stuff orginally we add priority=65535,dl_vlan=4095,action=drop13:25
sean-k-mooneyim 99% sure of that but i could be wrong13:25
sean-k-mooneythis was part of https://bugs.launchpad.net/neutron/+bug/173432013:26
sean-k-mooneyhttps://review.opendev.org/c/openstack/neutron/+/616609/2/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py#4613:27
lajoskatonasean-k-mooney, ralonsoh: I planned to bring this topic to today's Neutron meeting's on-demand agenda, but worst case we can add this also to the drivers meeting agenda to give time for people to think about the issue and the history of it13:28
sean-k-mooneyhttps://review.opendev.org/c/openstack/neutron/+/616609/2/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/native/test_br_int.py13:28
sean-k-mooneyso when i fixed the cve i expleictly use priority=65535,dl_vlan=4095,action=drop13:28
ralonsohsean-k-mooney, that was updated in https://review.opendev.org/c/openstack/neutron/+/82089713:30
ralonsohthe rationale is in the commit message13:30
sean-k-mooneyso i dont think that commit was correct13:30
sean-k-mooneyalso its not the same as i orginally impelmented13:30
sean-k-mooneythe comit says the flow looks liek 13:31
sean-k-mooneypriority=65535,vlan_tci=0x0fff/0x1fff actions=drop13:31
sean-k-mooneywhich is not what i used13:31
sean-k-mooneyi sued dl_vlan=4095 intentially becaue it ignore the qos bits and only matches on the vlan id13:31
sean-k-mooneyif you use the tsi version you have to also match on the tos bits on the valan frame13:32
sean-k-mooneyso at some poitn the python bidnign stop generating "priority=65535,dl_vlan=4095,action=drop" and started generating "priority=65535,vlan_tci=0x0fff/0x1fff actions=drop" which are not semanticly the same13:33
ralonsohsean-k-mooney, I'll check what "install_drop" is doing in this case13:34
sean-k-mooneyi assume neutron does not stil have the ofctl driver?13:37
ralonsohno, long time ago13:38
sean-k-mooneyso i think this was a silent secuiryt bug intoduced in os-ken13:38
sean-k-mooneyor neuton causing dl_vlan to be tanslated to vlan_tci incorretly13:39
sean-k-mooneyralonsoh: the commit message for that fix in neutorn say tey were settin the top bit to emulaate the old behavior 13:39
ralonsohI'll open a LP bug to investigate it13:39
sean-k-mooney "priority=65535,vlan_tci=0x0fff/0x1fff actions=drop"  to  "priority=65535,vlan_tci=0x1fff/0x1fff actions=drop" 13:39
sean-k-mooneybut if that was actully working then it would not need use to mark the prots as trunk prots when adding them to br-int13:40
sean-k-mooneyos-ken has translation code to upgrade flow to new version of openflow and i dont think that is correctly handeling dl_vlan13:44
sean-k-mooneyhttps://github.com/openstack/os-ken/blob/fc77cfdbc9df7af9cb45fc4474551cf6c226a0eb/os_ken/lib/ofctl_v1_5.py#L138-L18013:44
opendevreviewIhar Hrachyshka proposed openstack/neutron master: DNM try with Ales' fix for FIP-to-FIP vs zero-snat  https://review.opendev.org/c/openstack/neutron/+/92727213:45
sean-k-mooneyhttps://github.com/openstack/os-ken/blob/unmaintained/zed/os_ken/lib/ofctl_utils.py#L174-L17913:46
sean-k-mooneyits proably becasue of this note about hex notation13:46
rubasoveven if the vlan_tci match is corrected to the dl_vlan match, the dead_vlan drop rule cannot see the vlan of an access port, please read the email on the ovs-dev mailing list, I referred to from the review comments13:47
opendevreviewIhar Hrachyshka proposed openstack/neutron master: DNM try with Ales' fix for FIP-to-FIP vs zero-snat  https://review.opendev.org/c/openstack/neutron/+/92727213:47
sean-k-mooneyrubasov: im pretty sure we verifed that the drop rule worked as part of fixing the cve by looking at the ovs-dpctl and ovs-ofctl output13:52
sean-k-mooneyits been 5 years since we did this so i cant recall all thet details but im pretty sure we check this actully worked as part fo the cve verificaion13:53
sean-k-mooneythe ovs behvior may have chnaged but if the drop rule did not work the the cve was never patched13:54
rubasovI assumed that the dead vlan drop rule must have worked (and was tested by somebody) when it was introduced, but today it does not. I also do not understand how this could have changed. I was flabbergasted until people from ovs-dev explained to me what's going on.13:56
sean-k-mooneyso the problem is that os-vif and nova cant assume that neutorn has supprot for managing ovs ports with vlan mode = trunk13:59
sean-k-mooneynova/os-vif to date has expclivily supproted only access ports13:59
sean-k-mooneynow ralonsoh say this supprot was backported to zed13:59
sean-k-mooneyso we may be able to say any stable branch supprots this14:00
ralonsohwhat support? the patch I mentioned? it was implemented in zed14:00
ralonsohbut I think it was also backported14:00
sean-k-mooneybut that a pretty fundemental change in the prot bluging bevhiaor14:00
haleyb#startmeeting networking14:00
opendevmeetMeeting started Tue Aug 27 14:00:52 2024 UTC and is due to finish in 60 minutes.  The chair is haleyb. Information about MeetBot at http://wiki.debian.org/MeetBot.14:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:00
opendevmeetThe meeting name has been set to 'networking'14:00
haleybPing list: bcafarel, elvira, frickler, mlavalle, mtomaska, obondarev, slaweq, tobias-urdin, ykarel, lajoskatona, jlibosva, averdagu, amotoki, haleyb, ralonsoh14:00
mlavalle\o14:00
rubasovo/14:01
ralonsohhello14:01
obondarevo/14:01
sean-k-mooneyo/14:01
ihrachyso/14:01
elvirao/14:01
ykarelo/14:01
haleyb#topic announcements14:01
haleybI had forgotten to mention i was going to be out yesterday, i'll catch-up with the pings today14:02
frickler\o14:02
haleybI will also be out Thursday but will at least change my nick :)14:02
cbuggyo/14:02
slaweqo/14:02
haleybWe are now in Dalmatian release week (R - 5)14:03
haleybWork on libraries should be wrapping up!14:03
haleybNon-client library freeze was last week14:03
haleybClient library freeze: August 29th14:03
haleybDalmatian-3 milestone: August 29th14:03
haleybOnly bugfixes should be allowed in the master branch beyond this point. Any feature work past that deadline has to be raised as a Feature Freeze Exception (FFE) and approved by the team PTL14:04
haleybi.e. after D-314:04
ihrachyswhat's the timeline for release branch spin-off?14:04
haleybwhen they will tag it? that should be thursday14:05
lajoskatonao/14:06
ihrachyssorry. was the note about master branch applying to client / lib only?14:06
ihrachyscontext: I have a feature. I don't have a requirement to land it for dalmatian. but I would like to be able to land it earlier. so if master is locked, I'd like to understand when it gets unlocked.14:07
fricklerbranch creation patches will be proposed next week by the release team iiuc14:08
haleybihrachys: what is the feature? we can discuss exceptions14:08
ralonsohthe stable branches are proposed by the release team14:09
ihrachysthe nested snat thingy for ovn.14:09
haleybfrickler: so next thursday? everything seems to be on a thursday14:09
ihrachysfrickler: ah ok so a matter of a week or two14:09
ralonsohand should be this thursday14:09
haleybihrachys: i'd call that a bug fix not a feature14:09
slaweqfrickler aren't branches created during the RC-1 week?14:10
slaweqand according to https://releases.openstack.org/dalmatian/schedule.html is in 2 weeks14:11
slaweqnot next week14:11
fricklerslaweq: this is the proposal task https://etherpad.opendev.org/p/dalmatian-relmgt-tracking#L35214:11
ralonsohright14:11
haleybi think i still have vacation on the brain, yes that schedule is the best place for info14:11
fricklerthey then have some time to get approved or amended if needed14:11
haleybRC-1 target week is R-3, which is in two weeks, so basically features should be done (or exceptions filed) by this week, continue fixing bugs for 2 weeks14:12
slaweqahh, ok, so next week it will be for libraries14:13
slaweqand branch for e.g. neutron will be created in R-3 week which is in 2 weeks14:13
haleyblibraries should be tagged this week, R-514:14
haleybsorry if i confused anyone, but the schedule slaweq linked is the source of truth14:15
haleybone thing i will mention is if you have any cycle highlights i will start making a short list, please ping me if you have something that should make that list14:16
haleybReminder: If you have a topic for the drivers meeting on Friday, please add it to the wiki @ https://wiki.openstack.org/wiki/Meetings/NeutronDrivers14:17
slaweqplease remember that cycle highlights should be "marketing oriented  list of features", not very technical one14:17
haleybright, that might be a short list, and as i remember we only include 2-3 at the most anyways14:19
slaweqyeap14:20
haleybi did not have any other announcements, does anyone else?14:20
haleybi think nominations for PTL/TC elections end tomorrow, please see the ML email which has more info14:21
haleyblooks like there are only 3 nominations for 4 TC openings at the moment14:22
slaweqyes, tomorrow at 23:45 utc14:22
slaweqThere is 4 nominations for TC already14:22
slaweqbut anyone is welcome to nominate themself :)14:23
haleyboh, ok, your email was at 3am my time so a lot has happened :)14:23
mlavallewe live in the past this side of the pond14:23
slaweqyes, after I sent it, there was 4th nomination proposed so that has changed already14:23
frickleryes, this morning we were at 31% PTL candidacies, this is looking a bit better now14:23
slaweq:)14:23
lajoskatonamlavalle: :D14:24
haleybI did have one more announcement regarding priorities for the rest of the cycle...14:25
haleybPlease use the priorities dashboard for patches in the "ready to merge" state. This could be older changes as well as new ones14:25
haleybso set RP+1 - that way we can check that dashboard and get it reviewed14:26
haleybthat was all i had, can move to bugs14:27
haleyb#topic bugs14:27
haleybrubasov was the bug deputy last week, his report is at14:27
haleyb#link https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/3HPRIASSKJPRRMFU6XBACVNE5EXDJR6M/14:27
mlavallerememeber to set RP+1 again if your submit a revision to your patch14:27
haleybmlavalle: oh, it gets cleared?14:28
rubasovovn-octavia maintainers please have a look at the untriaged bug14:28
mlavalleyes, I made that mistake last night14:28
rubasovI'll follow up with Anton on the incomplete one, when he responds14:28
rubasovotherwise all new bugs are assigned14:28
haleybi did not see this one assigned, unless anton will also take that over?14:29
haleyb#link https://bugs.launchpad.net/neutron/+bug/207753314:29
haleybregarding DVR router processing14:29
rubasovthat's the incomplete - at least that's how I understood it14:30
haleyback, i'll just follow it14:30
rubasovbut please correct me there if you think differently14:31
haleybthere was one related to fwaas and IPv6 cidrs, which almost seemed like a bug14:31
haleyb#link https://bugs.launchpad.net/neutron/+bug/207759614:31
haleybrubasov: no, that's fine14:31
rubasovwe had a previous similar one handled as an rfe, because there was an api behavior change14:32
haleyb#link https://bugs.launchpad.net/neutron/+bug/186912914:33
rubasovI believe that's why the reporter opened it as an rfe, however he did not write about yet his proposed change (I assume it would similarly involve an api behavior change)14:33
haleybi hadn't noticed we tagged that as an rfe due to the nature of the change, but makes sense14:33
haleybi will re-read and see what Liu's response it14:35
slaweqI think we had discussion about that long time ago and we added "normalized_cidr" field to the SG rule14:37
slaweqto make people aware what is really set by the backend14:37
haleybslaweq: right, thanks for the reminder14:37
ihrachyscurious - did we talk to ovn then to see if they should just support it?14:38
slaweqit was related to the RFE you linked already https://bugs.launchpad.net/neutron/+bug/186912914:38
haleybihrachys: the review was https://review.opendev.org/c/openstack/neutron/+/73638614:41
ihrachyslooks like horizon UX concerns were pushed down to neutron. I guess the ship has sailed.14:43
sean-k-mooneykind of 14:43
sean-k-mooneyso conceptually the neturon api should be concistent acrros backends14:44
sean-k-mooneyi.e. if openstack security group rule create --protocol icmp --remote-ip 10.10.10.175/32 cidr14:44
sean-k-mooneyis valide for one backend it should be valid for all of them that supprot security groups14:45
haleybit is now after that change i believe14:45
sean-k-mooneyah ok14:45
sean-k-mooneywe have a similar probelm in nova related to regex matchs in list ectra14:45
sean-k-mooneythe regex has to be in the db's native format...14:46
haleybjob security :)14:46
sean-k-mooneyit shoudl be normalise vai a standar pcre step good to know cidrs are now normalised14:46
haleybralonsoh: i did have a question for you - did your RPC change make the gate better?14:48
ralonsohyes, please check the DNM patch14:48
ralonsohhttps://review.opendev.org/c/openstack/neutron/+/92678814:48
haleyback, will look after meeting14:48
haleybThis week mlavalle is the bug deputy, next week will be ihrachys14:49
haleybis that good for both of you14:49
noonedeadpunkhey folks! I'm trying to debug ovn + octavia provider misbehaviour here and got slightly cornered. Maybe you can point me to how it is supposed to work14:49
mlavalleyes14:49
mlavallefine with me14:49
haleybjust trying to move along since we have 10 minutes left14:49
ihrachyshaleyb: ok14:49
haleybCurrent bug count this week: 717, down 5 from last week14:50
haleybnoonedeadpunk: someone can sync with you after the meeting perhaps14:50
haleyb#topic community-goals14:50
lajoskatonaI had no time to work on the SDK realted topic last week, so no news from me14:52
haleybralonsoh: seems like once the RPC change is merged the monkeypatch one will follow. then just the template change?14:52
haleyb#link https://review.opendev.org/c/openstack/neutron/+/924317/914:52
haleybfor evenlet that is14:52
ralonsohyes, that's correct. Right now there is an issue with the ovn tempest ipv6 job14:52
ralonsohbut the other jobs (ovn and ovs) seems to run fine with wsgi14:53
noonedeadpunkso the thing is that I'm able to reach octavia backends via VIPs (an unattached port) but somehow FIP is not reachable14:53
ralonsohthe next step: to disable eventlet in oslo.service and make the agents run fine...14:53
ralonsohthat's all from me14:53
haleybralonsoh: great, thanks14:53
noonedeadpunkthough I do see in OVN NAT rules for the port. But what I'm confused about (and not sure if that should matter), is that port is not binded to any gateway node14:54
lajoskatonaralonsoh: but that is (make oslo.service eventletless) is for the coming cycles am I right<14:54
mlavalleralonsoh haleyb: should https://review.opendev.org/c/openstack/neutron/+/926922 be in the priority list?14:54
lajoskatona?14:54
ralonsohlajoskatona, yes, we are still reviewing the spec for this change14:54
ralonsohmlavalle, could be, yes, it could be interesting to have in before we end Dalmatian14:55
haleybmlavalle: yes, i was going to review right after meeting so maybe moot if we approve, but will add if not14:55
mlavalleyeah, the monkey patch follow up was in the priority list. so it makes sense14:55
haleybso i did have one RBAC question in the community goals section, seems the default override change is still failing the designate job14:57
haleyb#link https://review.opendev.org/c/openstack/neutron/+/92608514:57
slaweqyes, I have it in my todo list to check that locally14:58
slaweqbut I still didn't had time to get to this yet14:58
haleybslaweq: is that a bug on the neutron or designate side you think?14:59
johnsomIt passes in the Designate gates14:59
opendevreviewIhar Hrachyshka proposed openstack/neutron-tempest-plugin master: DNM Use fip-to-fip-vs-snat Ales patch for plugin jobs  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/92728314:59
opendevreviewIhar Hrachyshka proposed openstack/neutron master: DNM try with Ales' fix for FIP-to-FIP vs zero-snat  https://review.opendev.org/c/openstack/neutron/+/92727214:59
johnsomIt seems to fail when neutron is using the oslo policy 4.4 in the neutron API.15:00
johnsomThough I don't have a "why" either15:00
slaweqmost likely on neutron, as we are using probably wrong context to make request15:00
slaweqbut as I said, I will deploy it locally and try to reproduce and investigate, probably next week15:00
haleybah, ok, i'll watch the change and thanks everyone that's looked into it15:01
haleyb#topic on-demand15:01
opendevreviewMerged openstack/neutron master: Get ips from system dns resolver without scope  https://review.opendev.org/c/openstack/neutron/+/92607915:01
haleybwe are over time, did anyone have another topic?15:01
mlavallecan I get eyes on https://review.opendev.org/c/openstack/neutron/+/917800. I implemented the improvement recommended by haleyb. And I want it to be included in Dalmatian15:01
haleybmlavalle: yes, i will take a look, thanks for the update!15:02
mlavallethank you, that was a nice optimization15:02
haleybthanks for attending and the good discussions, as i said i'm out thursday if you're looking for me then, back on friday15:03
haleyb#endmeeting15:03
opendevmeetMeeting ended Tue Aug 27 15:03:25 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:03
opendevmeetMinutes:        https://meetings.opendev.org/meetings/networking/2024/networking.2024-08-27-14.00.html15:03
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/networking/2024/networking.2024-08-27-14.00.txt15:03
opendevmeetLog:            https://meetings.opendev.org/meetings/networking/2024/networking.2024-08-27-14.00.log.html15:03
ralonsohbye15:03
mlavalle\o15:03
otherwiseguyhaleyb: My testing of https://patchwork.ozlabs.org/project/ovn/patch/20240827085252.458355-1-amusil@redhat.com/ with setting logical_ip=0.0.0.0/0 for nested nat shows it working for host2fip, fip2fip, and nested scenarios. You might want to test too just to make sure that it works for your specific case.15:07
haleybralonsoh: i had a nitty comment in https://review.opendev.org/c/openstack/neutron/+/926922 - i will approve if you just want to fix it in a follow-on15:10
ralonsohhaleyb, right, let me push a new PS15:10
opendevreviewRodolfo Alonso proposed openstack/neutron master: Make RPC event cast synchronous with the event  https://review.opendev.org/c/openstack/neutron/+/92692215:11
mlavalleralonsoh haleyb and I approved to monkey patch one, which depended on ^^^^15:12
ralonsohthanks15:12
haleybotherwiseguy: great! i will have to pull in that change locally and test. And I saw your comment that 22.04 might work (i think) but maybe i mis-understood that? it's almost like it worked by accident?15:15
otherwiseguyhaleyb: 23.09 might work, but 22.03 didn't.15:16
otherwiseguy(I mistyped before)15:17
haleybotherwiseguy: ah, i had it backwards, so i'd need to look for a needle in that haystack, then try and apply ales' change15:17
otherwiseguyhaleyb: I think the plan is to backport the fix though.15:18
ihrachyshaleyb: on a related note, https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/618557 I think we should enable this before landing anything for ovn nested since it should catch one of the regressions that were present in v1 of the Ales' patch15:18
otherwiseguynot sure exactly how far they'll go.15:18
ihrachys(also it seems like overall a good idea to actually cover fip-to-fip communication...)15:18
* haleyb will get his popcorn and watch that one15:18
ihrachysotherwiseguy: I don't think Ales knows what is missing in 22.03 or that he planned to look into it himself. I may be wrong. haleyb may have to bribe someone!15:19
ihrachyson a more witty note, haleyb I wonder what's your gut reaction to https://review.opendev.org/c/openstack/neutron/+/927216 ?15:20
haleybihrachys: i can ship beer anywhere, or if they are in the Boston area will deliver :)15:20
otherwiseguyihrachys: haleyb: yeah, and if it was an LTS, I think those get support for 2 years which would be over by now?15:20
haleybif we get it back to a certain point, i will have to bug our ovn engineering team to look at it15:21
ihrachyscurrent lts is 24.03 and "LTS releases will receive bug fixes until the point that another LTS is released. At that point, the old LTS will receive an additional year of critical and security fixes. Critical fixes are those that are required to ensure basic operation (e.g. memory leak fixes, crash fixes). Security fixes are those that address concerns about exploitable flaws in OVN and that 15:21
ihrachyshave a corresponding CVE report."15:21
ihrachysis this "critical"? that's where bribes would make a difference.15:22
haleybotherwiseguy: we support LTS for like 10-12 years :-o15:22
haleybi mean downstream of course15:22
ihrachyshaleyb: obviously we as in people paid for products support it for as long as they do pay; they as in ovn upstream community will drop 22.03 some time in 2025 for good15:22
ihrachyson a relevant note, we should also run our tests against their lts: https://review.opendev.org/c/openstack/neutron/+/927221 this adds experimental checks but we could promote (some of) them to periodic or whatever15:24
haleybihrachys: yeah, and that's when we start supporting things like 24.xx on older releases when possible since it gets ugly dealing with backporting15:24
ihrachysat one point the gate switches to a "later" ubuntu that ships a newer ovn, correct?15:25
opendevreviewElvira García Ruiz proposed openstack/neutron stable/2024.1: Get ips from system dns resolver without scope  https://review.opendev.org/c/openstack/neutron/+/92729215:27
haleybihrachys: regarding linux bridge, i will put that in the topics for Epoxy meetings. We had a recent-ish bug and there is noone that can really dig into such things15:27
ihrachysalso dibbler15:27
ihrachysI'd say the experimental section is currently misused15:27
ihrachysor has a wrong name15:27
ihrachysit's not experimental, it's "on_death_bed"15:28
opendevreviewElvira García Ruiz proposed openstack/neutron stable/2023.2: Get ips from system dns resolver without scope  https://review.opendev.org/c/openstack/neutron/+/92729315:28
haleybihrachys: yes, there will be a time when the gate moves forward, no comment from me on that :(15:28
ihrachysif I were to decide, i'd just pull the plug and let the code go with peace :p15:28
haleybihrachys: 'check on_death_bed'15:29
opendevreviewElvira García Ruiz proposed openstack/neutron stable/2023.1: Get ips from system dns resolver without scope  https://review.opendev.org/c/openstack/neutron/+/92729415:29
ihrachyshaleyb: epoxy is slurp; probably a good time to clean up rotten code after it's cut off then you think? or before that?15:31
haleybihrachys: yes, good time for cleanup15:32
ihrachysbefore or after? do we want to ship a slurp release with lb / dibbler / (probably there's more)?15:33
haleybihrachys: i don't think we can deprecate in dalmatian, would need to consult the docs15:35
ihrachysexperimental in my mind is even worse than deprecated - you already have to do some legwork to allow it in the first place.15:36
ihrachyscan't miss the fact15:36
ihrachysso what would be the plan you think? mark deprecated post-dalmatian (if not already), then kill for good post-epoxy?15:37
ihrachysI'm talking about lb and dibbler so far but we can discuss the feature list more systematically after dalmatian.15:38
ihrachyse.g. I don't know if we test / people use metering agent or macvtap agent. or what's the plan for iptables fw for ml2/ovs. etc. etc.15:38
ihrachyswe can consult user surveys (btw 2024 one closes tomorrow I think), but e.g. 2023 one showed ~30% on LB. should this fact stop us from killing the unattended code?15:39
opendevreviewIhar Hrachyshka proposed openstack/neutron master: DNM try with Ales' fix for FIP-to-FIP vs zero-snat  https://review.opendev.org/c/openstack/neutron/+/92727215:43
opendevreviewMerged openstack/neutron stable/2023.1: [stable-only][2023.1] Remove CI job "tox-py311"  https://review.opendev.org/c/openstack/neutron/+/92715715:58
sean-k-mooneymacvtap is a very simple ml2 plugin but we dont test it in ci16:00
sean-k-mooneyit is nice if you want really really simple networking16:00
sean-k-mooneybut it has much less functionality16:00
sean-k-mooneyi would expect ml2/ovs with iptabels still proably has a large userbase16:01
sean-k-mooneybut it would be interesting to see if that pans out in the survay16:02
haleybihrachys: sorry, too many meetings here. With LB moving to experimental, and then having almost no bugs filed, is that 30% number accurate? It's either super stable or people just click the box (along with others) since they know the name16:17
haleybi've never seen a deployment in production here, mostly OVN with some ML2/OVS/DVR because our installer is opinionated16:19
opendevreviewChris Buggy proposed openstack/neutron stable/2023.1: Add rate-limiting to metadata agents  https://review.opendev.org/c/openstack/neutron/+/92730116:38
opendevreviewMerged openstack/neutron-vpnaas master: VPNaaS support for OVN: documentation  https://review.opendev.org/c/openstack/neutron-vpnaas/+/89565117:34
ihrachyshaleyb: I'm looking at the charts here: https://www.openstack.org/analytics17:54
ihrachys"Which OpenStack Network (Neutron) drivers are you using?"17:54
ihrachysit says 14% Linuxbridge + 16% ML2 - Linuxbridge17:54
ihrachysovs is 46+4117:54
ihrachyswe don't support linuxbridge for redhat openstack either17:55
ihrachyswe won't even support ml2/ovs for the upcoming release. and we deprecated ml2/ovs workloads in the previous (current) release.17:56
ihrachysso from my perspective, unless community steps in, these pieces will naturally die. the last time I checked, redhatters were quite a slice of contributions to neutron. this situation will naturally transform in less attention to ml2/ovs over time, at least for new releases.17:57
ihrachysone explanation as to why people still pick linuxbridge in surveys is that they run really old deployments. whether this should define our actions for main branch is debatable.17:58
slaweqlast time when I started talking about deprecation of LB backend there was many users who said there are using it still and wants to use it17:59
slaweqbut nobody really wanted to maintain it17:59
slaweqthat's why we moved it to be "experimental" so that we don't really guarantee anything and don't need to run any ci jobs with it18:00
ihrachysi hardly see how redhat can justify pulling the driver forward when we don't support it since ages. same applies to canonical. that we do still do seems like a charity, and that's not a great foundation for sustainability.18:01
ihrachyswe still run ci jobs with it. unit tests, functional, fullstack.18:02
slaweqI know, it was kind of compromise between maintainers and users who still uses it - we keep it in tree but with no guarantee that it will work, and if any test/job will stop working, we can simply remove it to unblock gate and don't care about it18:05
slaweqI agree that for us would be better to just drop this code from repo but apparently I wasn't "brave" enough when I was PTL :)18:06
ihrachyshaleyb: ARE YOU BRAVE ENOUGH18:06
ihrachysI've just checked the election program of our BDFL here https://review.opendev.org/c/openstack/election/+/927043/1/candidates/2025.1/Neutron/haleyb.dev@gmail.com and it seems like a good vote for stability program. which is fine. I wonder though if considering the SLURP coming etc. we should be more aggressively conservative as to what the project should be.18:08
haleybihrachys: regarding the analytics, my guess is people chose both the Linuxbridge and ML2 Linuxbridge variants since (even to me) it's confusing to have both, and didn't want to be missed. If that's accurate it means 15% run it18:40
haleybIt's most likely self-managed clouds since we (collectively) don't see customers running it18:41
slaweqthere is more confusing answers there IMO and I was trying to change it at some point but it wasn't easy really18:41
slaweqso finally I gave up on that18:42
haleybAm I brave enough? We could send another email to the list saying it's unmaintained for X years now, and as that progresses our risk increases for having a CVE appear, and noone will fix it (imo) as noone has stepped-up yet18:43
haleybIs that the next logical step? Marking it deprecated? If that list is accurate that's 15% of users that won't be happy, even if that is the state it's in already18:44
haleybslaweq: are we just ending a cycle of feedback there? i.e. we'll have new numbers by end of cycle timeframe?18:45
haleybi literally just got the email, closing tomorrow on user survey18:47
slawequser survey is closing tomorrow, and I think that we should have anonymized data around october (it was like that last year as far as I checked it)18:49
haleyback. using the filter there and choosing Antelope, 58% of deployments were OVN, 21% LB, OVS was somewhere in the middle (OVS vs ML2/OVS)18:52
haleybif the next one has a 18:53
haleybCaracal option, will those numbers be even higher for OVN?18:53
slawequnfortunatelly noonedeadpunk just pointed out in the tc channel that this year's survey has only releases up to Antelope to choose :/18:55
slaweqso there will be no Caracal info until next year's survey for sure18:55
haleyb:( at least most things will be in the ML2 bucket, meaning ML2/OVN, ML2/OVS, ML2/LB, i hope18:59
jrosserthe structure of the survey is unhelpful19:00
jrosserI totally missed that chowing ml2 makes another set of options appear right at the bottom of the page19:00
jrosser*choosing19:00
ihrachyshaleyb: interesting that lb is on par with ovs.19:05
haleybihrachys: by in the middle it might be 40%, i didn't know how to could OVS+ML2/OVS, hopefully the new survey will help with that19:09
haleybi'm going through the survey again and it's really long19:11
haleyband you can choose >1 network backend. which is why i was more interested in filtering by latest release - since it gets at the "is anyone using this on master" question19:12
opendevreviewGhanshyam proposed openstack/neutron master: DNM debugging designate job  https://review.opendev.org/c/openstack/neutron/+/92694519:39
mlavallehaleyb: this is the maintenace task https://review.opendev.org/c/openstack/neutron/+/918151 associated to https://review.opendev.org/c/openstack/neutron/+/91780020:05
mlavallealready merged20:05
mlavallethanks for the review!20:05
opendevreviewMiro Tomaska proposed openstack/neutron stable/2024.1: Fix support of IPv6 only networks in OVN metadata agent  https://review.opendev.org/c/openstack/neutron/+/92732120:06
opendevreviewMiro Tomaska proposed openstack/neutron stable/2023.2: Fix support of IPv6 only networks in OVN metadata agent  https://review.opendev.org/c/openstack/neutron/+/92732220:07
opendevreviewMiro Tomaska proposed openstack/neutron stable/2023.2: [ovn] Add support for IPv6 metadata  https://review.opendev.org/c/openstack/neutron/+/92732420:41
opendevreviewMiro Tomaska proposed openstack/neutron stable/2023.2: [ovn] Add support for IPv6 metadata  https://review.opendev.org/c/openstack/neutron/+/92732420:49
opendevreviewIhar Hrachyshka proposed openstack/neutron master: Introduce ovs-lts jobs that run against the latest ovn LTS branch  https://review.opendev.org/c/openstack/neutron/+/92722123:56
« Monday, 2024-08-26 Index Wednesday, 2024-08-28 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!