Wednesday, 2025-01-22

07:37 <opendevreview> Rodolfo Alonso proposed openstack/neutron master: DNM - Test "neutron-ovn-tempest-ipv6-only-ovs*" with WSGI  https://review.opendev.org/c/openstack/neutron/+/932601
07:42 <opendevreview> Rodolfo Alonso proposed openstack/neutron master: [eventlet-removal] Use non-eventlet metadata proxy in OVN metadata agent  https://review.opendev.org/c/openstack/neutron/+/938393
07:44 <opendevreview> Sahid Orentino Ferdjaoui proposed openstack/neutron master: async_process: remove usage of eventlet for AsyncProcess  https://review.opendev.org/c/openstack/neutron/+/939348
07:44 <opendevreview> Sahid Orentino Ferdjaoui proposed openstack/neutron master: ovs: reimplement signals handling  https://review.opendev.org/c/openstack/neutron/+/939321
07:44 <opendevreview> Sahid Orentino Ferdjaoui proposed openstack/neutron master: common: fix wait_until_true to support native thread  https://review.opendev.org/c/openstack/neutron/+/937843
07:44 <opendevreview> Sahid Orentino Ferdjaoui proposed openstack/neutron master: ovs: remove the usage of eventlet in the OVS agent  https://review.opendev.org/c/openstack/neutron/+/937765
07:56 <opendevreview> Lajos Katona proposed openstack/tap-as-a-service master: Doc: add documentation for usage and driver details for SRIOV driver  https://review.opendev.org/c/openstack/tap-as-a-service/+/881807
08:09 <sahid> ralonsoh: o/
08:09 <sahid> I just replied to https://review.opendev.org/c/openstack/neutron/+/939627 if you don't mind commenting again ;-) I may have missed something
08:12 <ralonsoh> I'll check it
08:38 <opendevreview> Fernando Royo proposed openstack/ovn-octavia-provider master: Member batch actions to increase performance  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/936765
08:38 <opendevreview> Lajos Katona proposed openstack/tap-as-a-service master: bandit: add bandit and bashate checks for tox  https://review.opendev.org/c/openstack/tap-as-a-service/+/915421
10:59 <opendevreview> Slawek Kaplonski proposed openstack/neutron master: Don't change original target dict by the OwnerCheck policy rule  https://review.opendev.org/c/openstack/neutron/+/939624
11:00 <opendevreview> Slawek Kaplonski proposed openstack/neutron master: Make API policies for tags to be working with resource attributes  https://review.opendev.org/c/openstack/neutron/+/938135
12:24 <opendevreview> Rodolfo Alonso proposed openstack/neutron master: [eventlet-removal] Remove the usage of eventlet in the Neutron API  https://review.opendev.org/c/openstack/neutron/+/938659
12:26 <opendevreview> Rodolfo Alonso proposed openstack/neutron master: WIP == [OVN] ``PortBindingUpdateUpEvent``  https://review.opendev.org/c/openstack/neutron/+/939345
12:27 <opendevreview> Rodolfo Alonso proposed openstack/neutron master: DNM - Test "neutron-ovn-tempest-ipv6-only-ovs*" with WSGI  https://review.opendev.org/c/openstack/neutron/+/932601
12:43 <opendevreview> Bence Romsics proposed openstack/neutron master: Do not assume the existence of a trunk bridge since os-vif may have deleted it  https://review.opendev.org/c/openstack/neutron/+/939786
12:50 <opendevreview> Sahid Orentino Ferdjaoui proposed openstack/neutron master: async_process: remove usage of eventlet for AsyncProcess  https://review.opendev.org/c/openstack/neutron/+/939348
12:50 <opendevreview> Sahid Orentino Ferdjaoui proposed openstack/neutron master: ovs: reimplement signals handling  https://review.opendev.org/c/openstack/neutron/+/939321
12:50 <opendevreview> Sahid Orentino Ferdjaoui proposed openstack/neutron master: common: fix wait_until_true to support native thread  https://review.opendev.org/c/openstack/neutron/+/937843
12:50 <opendevreview> Sahid Orentino Ferdjaoui proposed openstack/neutron master: ovs: remove the usage of eventlet in the OVS agent  https://review.opendev.org/c/openstack/neutron/+/937765
14:27 <opendevreview> Rodolfo Alonso proposed openstack/neutron master: Add to setup.cfg the long_description and type fields  https://review.opendev.org/c/openstack/neutron/+/939806
14:27 <ralonsoh> lajoskatona, slaweq ^ if you don't mind, a trivial patch
14:27 <ralonsoh> a CI job is failing because of that
15:07 <opendevreview> Rodolfo Alonso proposed openstack/neutron master: Add to setup.cfg the long_description and type fields  https://review.opendev.org/c/openstack/neutron/+/939806
15:11 <haleyb> ralonsoh: I'll take a look as well
15:26 <opendevreview> Rodolfo Alonso proposed openstack/neutron master: DNM - Test "neutron-ovn-tempest-ipv6-only-ovs*" with WSGI  https://review.opendev.org/c/openstack/neutron/+/932601
15:34 <slaweq> ralonsoh I just commented on https://review.opendev.org/c/openstack/neutron/+/939806
15:35 <ralonsoh> slaweq, yes, this is related to the README file
15:36 <haleyb> changing to # didn't help, there's some indentation it doesn't like? how do we run that job locally?
15:37 <ralonsoh> haleyb, it is needed to execute some zuul-config roles manually
15:38 <opendevreview> Rodolfo Alonso proposed openstack/neutron master: Add to setup.cfg the long_description and type fields  https://review.opendev.org/c/openstack/neutron/+/939806
15:38 <haleyb> right, I was just wondering how to run it locally with tox
15:39 <ralonsoh> no, I don't know how to do this
15:39 <ralonsoh> but you can build the dist and then run twine
15:39 <haleyb> ack, hopefully your latest change makes it happy
15:40 <ralonsoh> stack@u22ovn:/opt/stack/neutron$ twine check dist/*
15:40 <ralonsoh> Checking dist/neutron-26.0.0.0b3.dev135.tar.gz: PASSED
15:40 <haleyb> \o/
15:40 <ralonsoh> this is passing locally... but I don't know why it is failing in the CI
15:41 <haleyb> because it knows we're watching it :)
15:45 <opendevreview> Merged openstack/neutron-fwaas master: [OVN] Fix the provider error in devstack settings  https://review.opendev.org/c/openstack/neutron-fwaas/+/934103
15:49 <ralonsoh> haleyb, I don't understand
15:49 <ralonsoh> https://documatt.com/restructuredtext-reference/element/section.html
15:49 <ralonsoh> according to this, PS1 should be correct
15:51 <opendevreview> Bodo Petermann proposed openstack/neutron master: Allow plugins to add periodics to maintenance worker  https://review.opendev.org/c/openstack/neutron/+/939817
15:56 <haleyb> ralonsoh: I'm looking at other repos, and most don't have this. But pyroute2 does - it has no '=====' on the top line, and in setup.cfg has "file: README.rst" for long_description (no ""), don't know what else to try yet
15:56 <ralonsoh> haleyb, yes, I was looking at something like this
15:56 <ralonsoh> because we already have description_file =
15:56 <ralonsoh>     README.rst
15:56 <ralonsoh> so my current patch is redundant
15:57 <haleyb> ah
15:58 <haleyb> so you just need the long_description_content_type line?
15:58 *** gthiemon1e is now known as gthiemonge
16:01 <ralonsoh> yes, I think so, I'm testing locally
16:01 <ralonsoh> 30 mins for a packaging error...
16:01 <ralonsoh> pffff
16:02 <haleyb> I can take over if you want to work on other things, I have the time to wait out zuul failures
16:02 <ralonsoh> next patch will be the last for today
16:02 <ralonsoh> I need to go in 5 mins
16:04 <opendevreview> Rodolfo Alonso proposed openstack/neutron master: Add to setup.cfg the long_description_content_type field  https://review.opendev.org/c/openstack/neutron/+/939806
16:04 <ralonsoh> see you tomorrow
17:26 <opendevreview> Brian Haley proposed openstack/neutron master: Add to setup.cfg the long_description_content_type field  https://review.opendev.org/c/openstack/neutron/+/939806
17:37 <opendevreview> Brian Haley proposed openstack/neutron master: Make API policies for tags to be working with resource attributes  https://review.opendev.org/c/openstack/neutron/+/938135
17:53 <opendevreview> Brian Haley proposed openstack/neutron master: Add to setup.cfg the long_description_content_type field  https://review.opendev.org/c/openstack/neutron/+/939806
19:24 <frickler> https://www.openwall.com/lists/oss-security/2025/01/22/5 relevant for anyone running OVN I guess
19:29 <sean-k-mooney> oh fun
19:30 <sean-k-mooney> frickler: so I'm not sure about ovn but egress in ovs is considered ingress in neutron/nova
19:31 <sean-k-mooney> as in egress from ovs is leaving ovs and entering the vm or nic
19:31 <sean-k-mooney> at least in terms of qos
19:32 <sean-k-mooney> so I think what they are describing would affect security group ingress rules potentially if dns caching is enabled
19:33 <sean-k-mooney> I'm not familiar enough with how neutron uses ovn to say really, and if dns caching in ovn is normally enabled in an openstack context
19:35 <frickler> yes, I don't understand the impact myself yet, but JayF and haleyb being listed as references makes me assume there is one for neutron
19:36 <JayF> I emailed the list including the OpenStack bug ref
19:36 <JayF> That openstack bug report describes the impact in a neutron context pretty clearly
19:37 <JayF> AIUI the tl;dr is that in some configurations, DNS ports will be wide open to the internet regardless of your filtering config
19:37 <sean-k-mooney> ah the email you just sent titled "[security-sig][ops][neutron] OVN Security issue can impact OpenStack users"
19:38 <frickler> oh, I didn't see that mail before, thx for the pointer
19:38 <sean-k-mooney> so https://bugs.launchpad.net/ossa/+bug/2088280
19:38 <JayF> Yeah, about two hours ago, it wasn't public/released until late last night my-local-time
19:39 <sean-k-mooney> oh yep I didn't check the time, it was just the top one in my openstack-discuss folder
19:39 <sean-k-mooney> hum, so I thought udp port 53 was always open in neutron by design for dns
19:40 <sean-k-mooney> so that might be expected
19:40 <sean-k-mooney> i.e. udp packets from port 53 are always allowed
19:41 <JayF> I would take that up with the neutron developers who were consulting on that bug; Slawek Kaplonski and Brian Haley
19:42 <JayF> I mainly played the role of paperwork-pusher with a VMT hat on; I'm not an OVN or really a neutron expert outside of NGS (which is technically Ironic) :D
19:43 <sean-k-mooney> I mentioned it to them internally just to make sure it was on their radar
19:44 <JayF> either way, OVN clearly didn't intend the behavior so it's a win for them :)
19:48 <sean-k-mooney> ah this is what I was thinking of, we allow dhcp/neighbor discovery by default, not dns
19:48 <sean-k-mooney> https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L544-L555
19:53 <sean-k-mooney> we do the same for the openflow firewall https://github.com/openstack/neutron/blob/7031da2cc2bca3364e4c169975bfca8fba39f1bf/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/br_int.py#L114
19:54 <sean-k-mooney> I personally stopped working on neutron before ovn was brought in tree so I never looked at how this works in that case, but we do know that there are differences between ml2/ovs and ml2/ovn
20:04 <haleyb> right, this was just DNS, and luckily a pretty straightforward fix
20:08 <frickler> well just udp src port 53 doesn't necessarily restrict it to DNS? even then this might be critical for some applications
20:13 <sean-k-mooney> well if you explicitly open port 53 for ingress in your security group rules that would take precedence
20:14 <sean-k-mooney> neutron's default security groups allow all traffic out and no traffic in except for dhcp and related connections
20:15 <sean-k-mooney> i.e. when cloud-init reaches out to the metadata api that request will be tracked by the kernel connection tracker to allow the response to the tcp/http request
20:15 <sean-k-mooney> so I don't think this ovn fix should break anything, but if it did you could explicitly allow udp port 53 again
20:17 <haleyb> sean-k-mooney: while I have you here, could you take a look at https://bugs.launchpad.net/neutron/+bug/2051863 ? I think it's really nova/os-vif, figured you might have an opinion
20:18 <sean-k-mooney> sure
20:18 <sean-k-mooney> so that's expected behavior because we have to create the port in ovs before libvirt creates the tap so that neutron can wire it up before we start the vm
20:19 <sean-k-mooney> I have not read it fully yet by the way
20:20 <haleyb> ack, just wondering if it's a new race condition
20:20 <sean-k-mooney> so here they are trying to use flavor based qos on the tap
20:20 <sean-k-mooney> which is sort of deprecated
20:21 <sean-k-mooney> we tell people not to do that any more and prefer neutron qos
20:21 <sean-k-mooney> because the flavor based qos only works when using linux bridge or ml2/ovs with iptables
20:22 <sean-k-mooney> if this is ml2/ovs with the ovs security group driver or ovn then you can't do qos with tc directly on the tap
20:22 <sean-k-mooney> unless I'm misremembering
20:24 <sean-k-mooney> it's possible this was broken as a result of https://github.com/openstack/os-vif/commit/c0d101aa81cff200e1db2a0746598b72e26748e4
20:25 <haleyb> hah, I was looking at that bug too. in my case we also see this on yoga-series so that change isn't in play
20:26 <sean-k-mooney> it's possible that ovs and libvirt are fighting over the qdisc on the tap
20:30 <haleyb> so in my case I do see flavor settings, like quota:vif_inbound_burst='250000' - when did we start recommending using neutron qos instead? I mean, if we can say "do this instead" and remove that it would be an easy answer
20:34 <sean-k-mooney> about 6 to 8 years ago
20:34 <sean-k-mooney> haleyb: basically when qos was added to neutron :)
20:34 <haleyb> I see rocky and later then :)
20:35 <sean-k-mooney> more or less
20:35 <sean-k-mooney> as I said this was only supported in a limited number of cases
20:35 <haleyb> at least google found rocky
20:35 <sean-k-mooney> ovs with iptables and linux bridge if I recall
20:37 <haleyb> so I have an outlier here then, they're running ml2/ovs with ovs firewall
20:37 <haleyb> I can at least push them in a direction
20:37 <sean-k-mooney> I have a comment pending
20:37 <sean-k-mooney> but I think https://github.com/openvswitch/ovs-issues/issues/268
20:37 <sean-k-mooney> is what broke this
20:38 <haleyb> that nova bug ^^^ might need a similar push, don't know
20:38 <sean-k-mooney> basically before, ovs would ignore the qdisc on a tap if it had one that it did not add
20:38 <sean-k-mooney> but later ovs was changed to override it
20:46 <sean-k-mooney> haleyb: https://bugs.launchpad.net/neutron/+bug/2051863/comments/7 that's a brain dump of the relevant context I have
20:49 <sean-k-mooney> haleyb: the only thing that I can think of to try to make this work would be to modify https://github.com/openstack/os-vif/blob/master/vif_plug_ovs/ovs.py#L422-L426 to return None if the flavor has vif qos
20:50 <sean-k-mooney> that would result in us creating the port without adding any qos to it in ovs
20:50 <sean-k-mooney> but I think that may not have the desired effect
20:51 <sean-k-mooney> we now set it to linux-noop by default
20:51 <sean-k-mooney> we could also allow a way to explicitly opt out of a default here https://github.com/openstack/os-vif/blob/master/vif_plug_ovs/ovs.py#L104-L108
20:51 <sean-k-mooney> but again I think ovs will just remove the qdisc added by libvirt
20:52 <sean-k-mooney> although as the doc text says https://github.com/openstack/os-vif/blob/master/vif_plug_ovs/ovs.py#L110-L115
20:53 <sean-k-mooney> ovs should not modify the qdisc if we set linux-noop
20:53 <haleyb> right, should leave alone
20:53 <sean-k-mooney> so I don't think that is the actual problem
20:53 <sean-k-mooney> they are running zed
20:53 <sean-k-mooney> I wonder if that patch is backported to zed
20:54 <sean-k-mooney> that would be a no
20:54 <sean-k-mooney> https://review.opendev.org/c/openstack/os-vif/+/883016
20:54 <sean-k-mooney> I fixed it in bobcat
20:55 <haleyb> this customer is going to yoga, so that wouldn't apply. I only saw that change back to 2024.2 I think?
20:55 <sean-k-mooney> ya so I backported this downstream
20:55 <sean-k-mooney> https://review.opendev.org/q/Id9ef7074634a0f23d67a4401fa8fca363b51bb43
20:55 <haleyb> 2023.2 was the backport
20:56 <sean-k-mooney> upstream we created them but the branches were out of support
20:56 <sean-k-mooney> so we didn't merge them in the end
20:56 <sean-k-mooney> we backported it all the way to wallaby for 17 downstream and made the patches available for others to use if they wanted them
20:57 <haleyb> I hate cherry-picking unmerged code downstream if I can help it, since like you I'd need to hit everything in-between lts releases :(
20:58 <sean-k-mooney> well I always do that regardless
20:58 <sean-k-mooney> i.e. if I'm backporting it downstream I'll backport to all open upstream stable patches first
20:58 <sean-k-mooney> before doing the downstream cherry pick
21:00 <haleyb> we do things differently here of course, no clone of upstream repos downstream, we *are* upstream :-p
21:01 <sean-k-mooney> if our downstream was not using unreasonably old versions I would love to do that
21:01 <sean-k-mooney> I consider any release of openstack that is more than 2 years behind master to be unreasonably old to use in production
21:02 <haleyb> but our customers don't of course, and they pay the bills
21:03 <sean-k-mooney> damn users and customers
21:03 <sean-k-mooney> expecting long term support and working software
21:03 <sean-k-mooney> so unreasonable
21:03 <haleyb> can you re-create that on master with devstack? doesn't work
21:04 <sean-k-mooney> oh you tried it and it does not work
21:04 <sean-k-mooney> are you using ovn or ml2/ovs with iptables
21:04 <haleyb> thanks for looking at the bug, I'll watch and see if there are any positive replies
21:05 <haleyb> we are mostly ovn, occasional ml2/ovs with ovs firewall, but there are some unicorns out there
21:06 <haleyb> I advised on using neutron qos, if I get feedback will add to the bug
21:07 <sean-k-mooney> just to clarify, did you try this on master?
21:07 <sean-k-mooney> and it didn't work
21:08 <sean-k-mooney> if it's broken on master then it might be something we can fix; if it's only broken on zed because that does not have the os-vif change then that's different
21:08 <sean-k-mooney> if it works on master, using os-vif 3.2.0 might resolve the issue for them
21:09 <haleyb> we can't re-create the issue of course on yoga, but fyi it involves instances with ~5 interfaces, just 1 is usually fine
21:10 <sean-k-mooney> ack. I can see if I can replicate this tomorrow
21:10 <sean-k-mooney> I'm just finishing for today but I have a relatively recent devstack with ovn I think
21:10 <sean-k-mooney> so I'll see if I can replicate that or not
21:10 <sean-k-mooney> o/
21:10 <haleyb> thanks sean o/
22:02 <opendevreview> Brian Haley proposed openstack/neutron master: Add to setup.cfg the long_description_content_type field  https://review.opendev.org/c/openstack/neutron/+/939806
22:13 <opendevreview> Brian Haley proposed openstack/neutron master: Optionally configure IPv6 metadata address  https://review.opendev.org/c/openstack/neutron/+/926497
22:17 <opendevreview> Jakub Libosvar proposed openstack/neutron master: Update NAT entry on FIP update  https://review.opendev.org/c/openstack/neutron/+/939918
22:42 <opendevreview> Brian Haley proposed openstack/neutron master: Add to setup.cfg the long_description_content_type field  https://review.opendev.org/c/openstack/neutron/+/939806
22:48 <opendevreview> Brian Haley proposed openstack/neutron master: Add to setup.cfg the long_description_content_type field  https://review.opendev.org/c/openstack/neutron/+/939806
22:54 -opendevstatus- NOTICE: The Gerrit service on review.opendev.org will be offline momentarily for a restart to put some database compaction config changes into effect, and will return within a few minutes
22:58 <opendevreview> Brian Haley proposed openstack/neutron master: Add to setup.cfg the long_description_content_type field  https://review.opendev.org/c/openstack/neutron/+/939806
23:16 <opendevreview> Brian Haley proposed openstack/neutron master: Add to setup.cfg the long_description_content_type field  https://review.opendev.org/c/openstack/neutron/+/939806

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!