Friday, 2025-05-30

« Thursday, 2025-05-29 Index Saturday, 2025-05-31 »
*** elodilles is now known as elodilles_ooo05:45
opendevreviewLajos Katona proposed openstack/networking-bagpipe master: Remove py39 job and reference in setup.cfg  https://review.opendev.org/c/openstack/networking-bagpipe/+/95095607:47
opendevreviewLajos Katona proposed openstack/networking-bgpvpn master: Remove py39 reference from setup.cfg  https://review.opendev.org/c/openstack/networking-bgpvpn/+/95095808:38
opendevreviewLajos Katona proposed openstack/networking-sfc master: Remove py39 reference from setup.cfg  https://review.opendev.org/c/openstack/networking-sfc/+/95096308:42
opendevreviewLajos Katona proposed openstack/neutron-fwaas master: Remove py39 reference from setup.cfg  https://review.opendev.org/c/openstack/neutron-fwaas/+/95095908:44
opendevreviewLajos Katona proposed openstack/neutron-vpnaas master: Remove py39 jobs and reference from setup.cfg  https://review.opendev.org/c/openstack/neutron-vpnaas/+/95096008:47
opendevreviewLajos Katona proposed openstack/neutron-dynamic-routing master: Remove py39 reference from setup.cfg  https://review.opendev.org/c/openstack/neutron-dynamic-routing/+/95096108:49
opendevreviewElvira García Ruiz proposed openstack/neutron master: Consider logging options when using OVNdbsync  https://review.opendev.org/c/openstack/neutron/+/94878309:20
opendevreviewLajos Katona proposed openstack/neutron-dynamic-routing master: Remove py39 reference from setup.cfg  https://review.opendev.org/c/openstack/neutron-dynamic-routing/+/95096110:05
opendevreviewLajos Katona proposed openstack/neutron-vpnaas master: Remove py39 jobs and reference from setup.cfg  https://review.opendev.org/c/openstack/neutron-vpnaas/+/95096010:05
opendevreviewLajos Katona proposed openstack/neutron-fwaas master: Remove py39 reference from setup.cfg  https://review.opendev.org/c/openstack/neutron-fwaas/+/95095910:06
opendevreviewLajos Katona proposed openstack/networking-sfc master: Remove py39 reference from setup.cfg  https://review.opendev.org/c/openstack/networking-sfc/+/95096310:06
opendevreviewLajos Katona proposed openstack/networking-bgpvpn master: Remove py39 reference from setup.cfg  https://review.opendev.org/c/openstack/networking-bgpvpn/+/95095810:06
opendevreviewDai Dang Van proposed openstack/neutron master: [WIP] Add dns proxy l2 extension  https://review.opendev.org/c/openstack/neutron/+/95139010:40
opendevreviewMerged openstack/neutron-tempest-plugin master: Use only "ubuntu-22.04-minimal" advance image  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/95114911:19
opendevreviewFernando Royo proposed openstack/ovn-octavia-provider master: Ensure LB with HM rechecks member status after re-enable  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/95127412:30
opendevreviewElvira García Ruiz proposed openstack/neutron master: Consider logging options when using OVNdbsync  https://review.opendev.org/c/openstack/neutron/+/94878312:45
mlavallehaleyb: are we meeting today?13:03
mlavallehaleyb: ok, it seems we are not meeting today. I have some errands to run. Have a nice weekend13:11
lajoskatona1mlavalle: :) Have a nice weekend13:11
ralonsohwe have the drivers meeting, but at 1400UTC13:14
ralonsohmlavalle, ^13:14
ralonsohactually we have agenda and is pretty packed 13:14
opendevreviewFernando Royo proposed openstack/ovn-octavia-provider master: Ensure LB with HM rechecks member status after re-enable  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/95127413:22
haleybmlavalle: yes, we are meeting, sorry did not send out agenda13:51
haleybralonsoh: had you seen my neutron release patches for 2024.1/2 and 2025.1? I only saw one backport in-flight for your provider network resources filter, if you wanted to wait for that13:55
haleybeg https://review.opendev.org/c/openstack/releases/+/95119113:55
ralonsohhaleyb, checking now13:57
ralonsohhaleyb, maybe we can add https://review.opendev.org/q/topic:%22bug/2109354%2213:58
ralonsohno, don't worry13:58
ralonsohthis is not an urgent patch (just for U/S testing)13:58
ralonsohwe can keep going13:58
haleybhttps://review.opendev.org/c/openstack/neutron/+/950328 was the only one i saw for 2024.1 and others13:59
ralonsohyes, this not an urgent patch, to be honest 13:59
ralonsohif it doesn't make this release, we can wait for the next one14:00
haleybralonsoh: ack, will ping you after meeting about it14:00
haleyb#startmeeting neutron_drivers14:00
opendevmeetMeeting started Fri May 30 14:00:54 2025 UTC and is due to finish in 60 minutes.  The chair is haleyb. Information about MeetBot at http://wiki.debian.org/MeetBot.14:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:00
opendevmeetThe meeting name has been set to 'neutron_drivers'14:00
fnordahlo/14:00
haleybPing list: ykarel, mlavalle, mtomaska, slaweq, obondarev, tobias-urdin, lajoskatona, haleyb, ralonsoh14:01
ralonsohhello!14:01
lajoskatona1o/14:01
toreo/14:01
obondarevo/14:01
mkalcoko/14:01
haleybwe can get started, others might show up late, but we have a number of topics14:02
haleybjlibosva: are you coming?14:02
jlibosvayes :) hi :)14:02
haleybah, perfect14:02
haleybfirst is this one14:02
haleyb#link https://bugs.launchpad.net/neutron/+bug/211127614:03
haleyb[RFE] Integrate OVN BGP capabilities into Neutron OVN driver14:03
haleybi know you added it, but fnordahl also has an interest14:03
slaweqo/14:03
haleybi'll let either or both of you talk about it while i read the latest update14:03
jlibosvaright, so basically the idea would be to replace the ovn-bgp-agent - either by implementing the same like right now I have some PoC where the public switches connecting to the provider network connect to some underlaying BGP routers instead of local port. That would require no Neutron API changes14:04
jlibosvaor something smarter using existing API like networking-bgpvpn if there is interest and use case for it14:05
lajoskatona1+1 for reusing existing APIs or extending them14:05
lajoskatona1(or no new API :P)14:06
jlibosvathe first approach would likely be a knob in Neutron conf and then Neutron would manage the BGP resources similarly to what ovn-bgp-agent does today14:06
jlibosvaand FIPs, directly connected ports to provider networks and LBs would get automatically advertised their routes14:07
toreif EVPN is in scope (I certainly hope it would be), it would be necessary to be able to associate the provider network with L2VNI and/or L3VNI values14:07
jlibosvaEVPN is in mind - but currently the work in core OVN is at very early stages but we would be interested in it too :)14:07
fnordahltore: I linked the OVN Community A/V meeting notes which has link to spec on the bug14:08
jlibosvabut for this particular RFE it is out of the scope but we definitely keep it in mind so once we get the support we can continue with the work14:08
torefnordahl: I saw, thanks14:08
jlibosvaand I assume a neutron-spec with details would be required :)14:09
haleybfnordahl: i have not read through all the docs you linked yet, but does this match with what you were thinking?14:09
fnordahl+1 on spec and we have roadmap time to contribute to such a spec14:10
ralonsoha couple of questions14:10
lajoskatona1is there something than have to happen first in core  OVN ?14:10
jlibosvathanks fnordahl for the comments on the LP - just to make it more clear - the BGP protocol itself would be managed by external tool - like FRR14:11
jlibosvalajoskatona1: I have a working PoC - manually configured running with Neutron and core OVN advertising FIPs14:11
toreI am not very familiar with the Neutron or OVN codebases, so I don't know how much I could contribude development-wise (would perhaps need a mentor), but I am very happy to provide an operator's perspective on how this feature could be implemented in a sensible and useful manner14:11
jlibosvaso, so far it seems it has everything we need :)14:11
lajoskatona1jlibosva: ack, thanks14:11
ralonsohjlibosva, you said there is not API change. Do we need DB changes? Any agent (we do, I think)?14:11
ralonsohand would this be implemented as a service plugin? So anyone can enable/disable it?14:12
mkalcokjlibosva: "yes" to your question about the external tool like FRR14:12
jlibosvaralonsoh: The changes will be mostly creating the underlaying topology and avoiding using localnet ports. Now MySQL DB changes or agents14:12
slaweqand what about migration from existing ovn-bgp-agent - will that require any extra steps or will be as easy as stop old agent and run new one with proper config/extension?14:12
jlibosvaralonsoh: that's a great question about where to put it - it would make sense to separate it from the mech driver14:13
ralonsohcool14:13
jlibosvaslaweq: probably a migration path would be needed if required. the agent configures the host networking so we would need some cleanup14:14
fnordahlThere are multiple approaches to this, it could either be a light touch (from Neutron's POV) implementation where we only do the changes needed for it to work with the features provided by OVN, and then have downstream deployment tooling do the lifting of BGP agents and such, or Neutron could take more. I think this needs to be ironed out at spec creation time14:14
slaweqjlibosva will such migration tool be part of this RFE?14:15
jlibosvafnordahl: I think the BGP speaker configuration and such should be done by some deployment tooling14:16
fnordahl+114:16
jlibosvaslaweq: I don't think it will in my opinion14:17
haleybare there any other questions? should we vote on this?14:18
* haleyb is assuming jlibosva and fnordahl will work together on the spec14:18
jlibosvaI would be happy to14:18
fnordahlI might include other people in my team too , and yes14:19
lajoskatona1No questions from me, big +1 for spec14:19
ralonsoh+1 (with spec, of course). I would like to have this RFE14:19
haleybgreat, thanks14:19
tore+114:19
haleyb+1 for me to move forward with spec14:19
obondarev+114:19
haleybslaweq: ?14:20
slaweqahh sorry14:20
slaweq+114:20
slaweqeven if migration will be done separately14:20
haleybgreat, that's consensus, i'll approve the rfe and looking forward to the spec14:21
jlibosvathanks for the questions and for the interest :)14:21
fnordahl\o/14:21
haleybwe can move onto next rfe14:22
haleyb#link https://bugs.launchpad.net/neutron/+bug/211189914:22
haleyb[RFE] Use stateless NAT rules for FIPs14:22
ralonsohyeah, this is a feature already implemented14:22
ralonsohand the reverted14:22
ralonsohit was reverted because the expected benefit with HW offladed envs didn't happen14:22
ralonsohbecause the dnat rule flows where not offloaded14:23
ralonsohbut this feature can "bring joy" (and good performance) to DPDK envs14:23
ralonsohbecause we skip the conntrack module (that is always a pain with DPDK)14:23
ralonsohso I would like to re-propose it but this time configurable14:23
ralonsohquestions?14:24
obondarevall clear14:24
haleybi see from the original change stateless fips were added to OVN 20.03 so that's good14:24
toredid the hw offloaded environments experience a performance degradation, or was it just same performance as before?14:24
ralonsohyes, very old core OVN14:24
ralonsohtore, performance degradation because these flows in particular were not offloaded14:25
ralonsoh(don't ask me for more details in this, I would need to request them)14:25
toreunderstood, then it makes sense to me why it was reverted14:25
ralonsohbut for DPDK, for sure, this is a performance boost, as long as the FIPs rules do not need conntrack14:25
lajoskatona1+1 for configurable14:26
haleybralonsoh: so is the offloading of dnat particular to the nic involved? i.e. they didn't exist when this originally merged? but do now?14:27
slaweqI agree, we can add it back as configurable option14:27
ralonsohhaleyb, at least, as far a I know, the tests done with this feature were not good14:28
toremakes perfect sense for me to have 1:1 NAT rules be stateless, so +1 from me for being able to activate this14:28
ralonsohand actually they initially implemented that for HW offloaded envs14:28
haleybralonsoh: ack. i think i'm fine with the change and config option, but just wanted to make sure we somehow explain where it's expected to work or not work, maybe the release note would be enough?14:30
ralonsohfor sure I'll add a release note explaining the rationale of this implementation14:30
haleybsince it is clear as mud to me how to get this improvement other than trying it out and doing perf testing14:30
ralonsohand where it could be benefitial14:30
ralonsohof course, anyone will be able to enable/disable (restaring the API) this feature and restest again14:31
ralonsohI'll add a maintenance method to change the existing FIPs to the configured value14:31
ralonsohso it will be just a matter of changing the parameter and test14:31
haleybralonsoh: and since you did mention a performance degradation initially should include that wording so it's not treated as a silver bullet14:34
haleybanyways, let's vote14:34
ralonsohsure, I'll add where this is actually a benefit (DPDK) and why14:34
haleybperfect14:35
obondarev+114:35
haleyb+1 from me14:35
lajoskatona1+114:35
slaweq+114:36
haleybok, i believe that is quorum (4)14:37
haleybi will approve and add a link to discussion14:38
ralonsohthanks folks14:38
ralonsoh(please, skip my next point in the agenda)14:38
haleybralonsoh: ack, can discuss in a future meeting14:38
ralonsohsure14:39
haleybnext is a bug created by tore so glad he is here14:39
haleyb#link https://bugs.launchpad.net/neutron/+bug/211189114:39
haleybIPv6 Subnet-Router anycast address inappropriately used for gateway_ip when specifying --subnet-range14:39
torethanks for the invite, haleyb :)14:40
haleybslaweq mentioned making this change is a change in the API behaviour14:40
toreso to my mind it makes no sense that the behaviour differs from when using --subnet-range or not, that seems very inconsistent, and just that alone is imho a bug14:41
torefor what it is worth, for ipv4 "address one" is always used, both with or without --subnet-range being specified14:42
haleybtore: so my IPv6 knowledge in this area is a little rusty, but if that address is configured in the neutron router it cannot be used? not sure if i read that correctly14:42
haleybi thought all the routers could use the anycast address14:43
torehaleyb: it cannot be used by VMs that are routers themselves, i.e., has enabled IPv6 forwarding. which I believe dockerd and such does automatically14:43
haleybbut i do agree it's odd this one case if different from the others14:43
haleybah, ok, vm deployed as a router14:43
torehaleyb: if the VM enables forwarding sysctl (is a router), it is required by the spec to consider the subnet-router "address zero" as a *local* address14:43
toremeaning it is unusable as an ipv6 default gateway, since it is a next-hop pointing to itself essentially14:44
slaweqfor this this proposal sounds reasonable, I just wanted to have it discussed here as it will change API which we have now14:44
haleybtore: understood, thanks for the explanation14:44
torenote it will not be a problem if using ipv6_ra_mode=something. because then the default gateway is a fe80::x link-local address learned from RA, and the gateway_ip address isn't used for anything14:45
torebut if ipv6_ra_mode is left at default "none" (another bad default imho, but that's a different issue), the VM would need to get the default route from metadata service or manual config, and in that case gateway_ip will be used as next-hop14:46
tore…and break the moment VM enables forwarding sysctl14:47
haleybslaweq: i can understand the API change, but it seems like as it's implemented it creates a broken object14:48
haleybi'm curious what the API says about the address used, if anything14:48
haleyb"If the gateway_ip is not specified, OpenStack Networking allocates an address from the CIDR for the gateway for the subnet by default"14:49
ralonsohOk, it took me a while to find it14:50
ralonsohhttps://review.opendev.org/q/I3f2905c2c4fca02406dfa3c801c166c14389ba4114:50
haleybso we don't actually say, although we do typically pick .1/::114:50
ralonsohwhere in the RFC is this issue commented?14:51
torethere is one exception to this problem, which is /127 p2p subnets where the subnet-router anycast address is disabled, cf. https://datatracker.ietf.org/doc/html/rfc6164. so for /127s "address zero" would be the appropriate choice14:51
haleybralonsoh: thanks for finding that, i even +2'd it14:51
tore(same thing for ipv4 /31s I guess)14:51
haleybralonsoh: it just says you can use it - "This anycast address is syntactically14:53
haleyb   the same as a unicast address for an interface on the link with the14:53
haleyb   interface identifier set to zero."14:53
haleybit doesn't say you *should* use it, and maybe in practice it's not a good idea14:53
torehttps://blog.apnic.net/2023/08/28/behavioural-differences-of-ipv6-subnet-router-anycast-address-implementations/ Ctrl-F strange behaviour14:54
haleybbut yes, we clearly single out IPv614:54
haleybhttps://review.opendev.org/c/openstack/neutron/+/647484/10/neutron/db/ipam_backend_mixin.py14:54
haleybtore: and obviously, you can specify the ::1 address and it all works14:55
toreyep, so this is about default behaviour (and the inconsistency between using --subnet-range and not)14:56
toreit also seems conceivable that on a multi-node network where >0 VMs have forwarding enabled, this could be problematic for other VMs even with forwarding disabled, because the router VM(s) might answer Neighbour Solicitations for that address, effectively hijacking traffic14:58
torehaven't tested this though. might be portsec will prevent it14:59
haleybi don't know the best thing to do here, seems you've found a corner case, but it does change the API. I would be inclined to make it consistent saying you can still choose :: manually, but have reservations15:00
obondarev(sorry, have to logoff)15:01
ralonsohI think we can document it15:01
haleybi have a hard stop as well, any other opinions?15:01
toreagreed, would be fine to explicitly request the ::0 address, but it's not a good default imho, regardless of --subnet-range being used15:01
ralonsohthe user can always defined the gw-ip when creating the subnet15:01
ralonsohat least let's document it15:02
haleybralonsoh: change and document? or just document it could be an issue?15:02
ralonsohdocument that this could be an issue15:02
ralonsohI think we have a section for ipv615:02
ralonsoh(somewhere...)15:02
lajoskatona1https://docs.openstack.org/neutron/latest/admin/config-ipv6.html15:03
lajoskatona1I beleive this one 15:03
ralonsohcorrect15:03
haleybso i don't think we'll have consensus on changing to use ::1, so documenting would be next best thing15:05
toreI'm most concerned about the user behaviour here. users clicking through the web ui or using "openstack subnet create" shouldn't be handed a loaded gun pointing at themselves, imho15:05
haleybi'm not a fan of creating a broken config by default though15:05
torethere's also the issue of the unexplained inconsistency between not using --subnet-range and using it. if you want to clean up that inconsistency, you'll need to change something anyway...15:06
slaweqIMHO we can fix it in master, maybe not backporting to stable branches though15:06
haleybwe can maybe continue discussion in the bug or next week, but i have to go to kids school presentation15:06
lajoskatona1good idea15:06
slaweqand highlight in the release notes that default behaviour has changed since this release15:06
haleybI would be fine with slaweq's suggestion15:07
tore+1 to slaweq 15:07
haleybi really have to go so will end meeting15:07
haleyb#endmeeting15:07
opendevmeetMeeting ended Fri May 30 15:07:40 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:07
opendevmeetMinutes:        https://meetings.opendev.org/meetings/neutron_drivers/2025/neutron_drivers.2025-05-30-14.00.html15:07
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/neutron_drivers/2025/neutron_drivers.2025-05-30-14.00.txt15:07
opendevmeetLog:            https://meetings.opendev.org/meetings/neutron_drivers/2025/neutron_drivers.2025-05-30-14.00.log.html15:07
slaweqok, I have to go too, have a great weekend15:07
slaweqo/15:07
lajoskatona1o/15:07
haleybcan discuss more in bug, etc15:07
torehave an nice weekend o/15:07
jlibosvao/15:08
ralonsohbye15:09
*** haleyb is now known as haleyb|out16:59
« Thursday, 2025-05-29 Index Saturday, 2025-05-31 »

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!