#openstack-meeting-3 log

13:01:46 <alexpilotti> #startmeeting hyper-v
13:01:47 <openstack> Meeting started Wed Apr  6 13:01:46 2016 UTC and is due to finish in 60 minutes.  The chair is alexpilotti. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:01:48 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:01:50 <openstack> The meeting name has been set to 'hyper_v'
13:02:00 <alexpilotti> bonjour!
13:02:04 <claudiub|2> \o/
13:02:05 <abalutoiu> Hello
13:02:09 <atuvenie> Hi
13:02:10 <sagar_nikam> hi
13:02:57 <alexpilotti> Focus this week is mostly on releasing Mitaka
13:03:16 <alexpilotti> so we have a bunch of Py3 bugs that came up
13:03:21 <alexpilotti> #topic Py3 bugs
13:03:27 <lpetrut> Hi
13:03:37 <alexpilotti> claudiub|2: would you like to list the bugs?
13:04:12 <alexpilotti> we still need to file them, but if somebody is aiming at running a Py3 compute node, I think it's useful to know they exist
13:04:34 <claudiub|2> sure. i've fixed a couple of bugs on nova master. primarely about attached volumes, configdrive, etc. you can see them at #link https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:bp/nova-python3-newton
13:05:45 <alexpilotti> anything else to add here?
13:06:02 <claudiub|2> python 3 is generally slower
13:06:18 <claudiub|2> so, it should be used only when absolutely necessary. :)
13:06:44 <alexpilotti> we need to do some profiling to see why this happens
13:06:49 <claudiub|2> even when running py3 unit tests in nova gate, they are about 66% slower than py27 tests.
13:07:14 <claudiub|2> yep.
13:07:23 <alexpilotti> if it's 66.6% slower we can possible do an exorcism on Py3
13:07:54 <claudiub|2> well, i can definetely say that there's something unholy about it. :)
13:08:18 <alexpilotti> there's a reason why it's the nova-compute daemon
13:08:31 <alexpilotti> anyway
13:08:35 <alexpilotti> onwards
13:09:09 <alexpilotti> #topic OVS 2.5
13:09:25 <alexpilotti> We have a OVS 2.5 MSI under test
13:09:51 <alexpilotti> sagar_nikam: do you know if sonu or somebody in your team is testing OVS?
13:10:37 <sagar_nikam> i know sonu has it in plans. dont know the exact time
13:10:41 <sagar_nikam> when it will be done
13:11:00 <alexpilotti> sagar_nikam: ok, I dont see him online, can you please let him know about 2.5?
13:11:08 <sagar_nikam> sure
13:11:45 <sagar_nikam> sonu: has joined
13:12:01 <alexpilotti> Sonu: hey sonu
13:12:04 <sagar_nikam> sonu: alexpilotti: wants to know the plans of testing OVS2.5
13:12:30 <Sonu> What is new with OVS 2.5 for Windows?
13:12:45 <Sonu> I thought we are focused to test OVS 2.6
13:13:15 <Sonu> 'cz that comes Microsoft certified. Am I wrong?
13:13:28 <alexpilotti> 2.5 will be certified as well
13:13:46 <alexpilotti> we're currently testing it, before sending it to certification
13:13:47 <Sonu> great. then we will use OVS 2.5 + WMI security driver
13:13:57 <alexpilotti> cool
13:14:03 <Sonu> and it should all work for VXLAN
13:14:28 <alexpilotti> so, if you guys could give it a test-ride before we send it to MSFT signature, it'd be great
13:14:37 <alexpilotti> yes, VXLAN support is there
13:15:16 <Sonu> alexpilotti: Do you test security groups with OVS?
13:16:02 <alexpilotti> we will
13:16:20 <alexpilotti> unfortunately for now this means networking-hyperv security groups
13:16:59 <alexpilotti> on the good side, conntrack is coming in 2.6
13:17:12 <Sonu> I know. But that is ok, since our aim is VXLAN.
13:17:24 <alexpilotti> VXLAN is also in 2.5
13:17:31 <alexpilotti> actually even in 2.4
13:17:42 <Sonu> Yes we got that working with 2.4
13:17:58 <Sonu> with promt help from Alin
13:17:59 <alexpilotti> di dyou manage to do some more benchmarking on the latest networking-hyperv security groups?
13:18:12 <Sonu> in progress.
13:18:29 <alexpilotti> we're very pleased with the current results (in the limits of the WMI ACL API)
13:18:37 <Sonu> We are running our scale tests with native threads and pyMI and Enahanced RPC support
13:18:41 <alexpilotti> but I'm curious to hear your results
13:18:56 <alexpilotti> Sonu: perfect, that's also what we are using
13:19:47 <alexpilotti> based on latest Rally tests, we're even faster than KVM on Hadoop workloads
13:20:04 <alexpilotti> not by a big margin, just a tad faster :)
13:20:21 <alexpilotti> but still a huge step forward from the pre-pymi days
13:20:40 <alexpilotti> where we used to be 4x slower :)
13:20:53 <alexpilotti> anywthing else to add on this?
13:21:13 <Sonu> thanks for efforts.
13:21:36 <alexpilotti> Sonu: thanks, I take is a "nothing to add" :)
13:22:16 <alexpilotti> #topic ton of new stuff coming in new-ton
13:22:29 <alexpilotti> sorry, I couldnt resist
13:22:53 <alexpilotti> actually there are two main areas on which we will work:
13:23:07 <alexpilotti> Magnum support for Windows containers
13:23:13 <alexpilotti> and
13:23:37 <alexpilotti> New Neutron plugin for the Windows Server 2016 networking stack
13:24:07 <alexpilotti> the new stack is based on it's own controller, using REST API
13:24:18 <Sonu> OVSDB based?
13:24:35 <alexpilotti> it has some OVSDB compatibility
13:24:55 <alexpilotti> but it's not as complete and hence usable as the full OVS porting
13:25:13 <alexpilotti> so on the long term our general vision is to have:
13:25:24 <sagar_nikam> alexpilotti: magnum support is intresting, we would be intrested
13:26:03 <alexpilotti> OVS for people wanting to have multiple hypervisor types / interop solutions
13:26:23 <alexpilotti> especially with OVN, OpendayLight, NSX, etc
13:26:45 <alexpilotti> and the new Neutron Hyper-V plugin for Hyper-V only scenarios
13:27:21 <alexpilotti> given the current usage distribution, the former (OVS) will most probably have more traction
13:27:48 <alexpilotti> sagar_nikam: is there any HP core reviewer in Magnum?
13:28:05 <sagar_nikam> alexpilotti: not sure, can check
13:28:17 <Sonu> alexpilloti: while it seems like more flexibility, but won't this be a challenge to maintain two approaches? one native Hyper-V versus OVS based
13:28:27 <alexpilotti> there's a non trivial amount of work required around the fact that Heat temmplates used by Magnum are very Linux specific
13:28:59 <alexpilotti> Sonu: it's what we are doing already today with networking-hyperv and OVS
13:29:19 <alexpilotti> this new plugin will become networking-hyperv v2
13:30:08 <sagar_nikam> alexpilotti: any BPs already ready for magnum ?
13:31:12 <alexpilotti> sagar_nikam: not yet, we are planning to discuss this at the summit with the Magnum team and get the BPs up shortly afterwards
13:31:37 <sagar_nikam> ok
13:31:39 <alexpilotti> this reminds me of the fact that we have a design session at the summit
13:32:00 <alexpilotti> claudiub|2: can you post details?
13:32:26 <claudiub|2> yep. sure. it's on wednesday, from 9:00AM to 9:40AM
13:32:33 <claudiub|2> let me get the exact details.
13:33:08 <sagar_nikam> alexpilotti: any plans in magnum hyperv supporting freezer and monasca ?
13:33:19 <sagar_nikam> https://wiki.openstack.org/wiki/Freezer
13:33:26 <sagar_nikam> https://wiki.openstack.org/wiki/Monasca
13:33:43 <sagar_nikam> i mean any plans in newton release
13:33:52 <alexpilotti> that's also on the TODO list
13:34:03 <alexpilotti> are you guys already using them in production scenarios?
13:34:09 <claudiub|2> #info Winstackers: Work session: 2016-04-27, 09:00-09:40, Boardroom 401
13:34:18 <sagar_nikam> monasca PTL is from HPE, i can connect you to him
13:34:29 <alexpilotti> sagar_nikam: that'd be great!
13:34:40 <sagar_nikam> Freezer and Monasca for KVM is supported in production
13:34:57 <alexpilotti> if you have some core reviewer in Freezer to introduce us to, that'd be great
13:35:14 <sagar_nikam> alexpilotti: shall i request for a meeting between Monasca PTL and your team in summit ?
13:35:15 <alexpilotti> I mean HP core reviewers
13:35:22 <alexpilotti> sagar_nikam: yes please!
13:35:41 <alexpilotti> for Freezer, Hyper-V has a new API, called RCT
13:36:02 <sagar_nikam> Freezer PTL is also from HPE, if i remember right
13:36:43 <sagar_nikam> i can find it and request for a meeting with your team and Freezer PTL
13:37:15 <alexpilotti> cool
13:37:29 <sagar_nikam> alexpilotti: do you need any meetings with cinder team from HPE ?
13:38:13 <alexpilotti> lpetrut: anything on the agenda for Cinder worth requesting a meeting?
13:38:29 <alexpilotti> it'd be great meeting in person, of course
13:38:41 <lpetrut> well, os-brick may be one of the topics
13:39:23 <sagar_nikam> let me check and try to schedule a meeting between lpetrut: and hpe cinder team
13:39:29 <alexpilotti> cool
13:39:44 <alexpilotti> sagar_nikam Sonu: are you guys coming to Austin?
13:39:50 <sagar_nikam> alexpilotti: do you need to meet anybody else from HPE
13:40:11 <lpetrut> I guess I can talk about os-brick Windows support with Walter Boring at the summit, as far as I know, he's in charge of the project
13:40:20 <sagar_nikam> not me. i am not coming to austin. hopefully some other time
13:40:29 <alexpilotti> sagar_nikam: no thanks, I think those are the main areas
13:40:41 <sagar_nikam> lpetrut: sure i will request for a meeting
13:41:00 <Sonu> alexpilloti: I have one of my team member attend the design session for hyper-v
13:41:17 <sagar_nikam> alexpilotti: sure, will try to arrange for those 2 meetings, monasca and freezer
13:42:11 <alexpilotti> ok, for today's topics, we have a new major feature ready for release:
13:42:19 <alexpilotti> #topic Shielded VMs
13:42:52 <alexpilotti> we will upload the bits soon
13:43:17 <alexpilotti> but if you guys plan to test the feature, we can already provide some info
13:43:26 <Sonu> thats news to us. Any blue print?
13:44:41 <alexpilotti> there's a vTPM BP, which is the basis for shielded VMs
13:44:46 <sagar_nikam> alexpilotti: we will get back on shielded VMs
13:45:10 <alexpilotti> just wanted to make sure it's on your radar
13:45:18 <claudiub|2> this was the bp that was approved in Liberty: #link https://review.openstack.org/#/c/195068/
13:46:18 <Sonu> thanks. I will read through it to understand the case.
13:46:43 <alexpilotti> shielded VM specs: https://review.openstack.org/#/c/274709/4/specs/newton/approved/hyper-v-shielded-vms.rst
13:46:52 <sagar_nikam> alexpilotti: i have a update on SSL/TLS, we can discuss later when we are done with this topic
13:48:01 <alexpilotti> sure, I'm done with this
13:48:05 <alexpilotti> also time is -12'
13:48:31 <alexpilotti> #topic SSL/TLS
13:48:51 <sagar_nikam> alexpilotti: thanks to the notes from alin: i was able to get the glance image download working as part of nova boot
13:49:15 <alexpilotti> sweet
13:49:22 <sagar_nikam> next i am hitting a issue in invoking neutron agent
13:49:26 <sagar_nikam> wil debug further
13:49:30 <sagar_nikam> in the meanwhile
13:49:34 <sagar_nikam> i have a question
13:49:43 <sagar_nikam> we added the crt file in nova .conf
13:49:51 <sagar_nikam> point to some location on hyperv host
13:50:04 <sagar_nikam> that was a self signed certificate
13:50:14 <sagar_nikam> how do we add multiple certificates
13:50:30 <sagar_nikam> suppose a customer does not want to use the self signed certs
13:50:40 <sagar_nikam> and adds his own certificate
13:50:56 <sagar_nikam> possible multiple certificates
13:51:05 <sagar_nikam> how do we handle it
13:51:21 <alexpilotti> multiple because you have multiple endpoints for the same service?
13:51:30 <sagar_nikam> no
13:51:43 <sagar_nikam> same endpoint for a service
13:52:06 <sagar_nikam> but assuming the customer adds his own signed certificate
13:52:15 <alexpilotti> each service has it's own config, I'd expect
13:52:53 <alexpilotti> plus, I need to check, but if the cert is signed by a CA, on the client side the CA cert should be enough
13:52:54 <sagar_nikam> in case of KVM, multiple certs can be added in cert manager
13:53:03 <alexpilotti> provided that CN matches the hostname
13:53:27 <alexpilotti> one SSL/TLS endpoint = 1 cert
13:53:47 <sagar_nikam> ok
13:53:56 <sagar_nikam> will investigate further and get back
13:54:03 <alexpilotti> cool
13:54:05 <lpetrut> clear
13:54:15 <lpetrut> wrong window, sorry
13:54:20 <alexpilotti> np :)
13:54:21 <sagar_nikam> on freerdp
13:54:26 <alexpilotti> ok
13:54:31 <sagar_nikam> how does it work
13:54:37 <sagar_nikam> if TLS is enabled ?
13:54:52 <sagar_nikam> on the network which tenants access horizon
13:54:56 <alexpilotti> same: wsgate.ini has settings for the certifcate
13:55:09 <sagar_nikam> ok
13:55:19 <alexpilotti> our MSI generates a self signed one, for ease of use
13:55:35 <sagar_nikam> ok
13:55:40 <alexpilotti> which can be replaced by a CA signed one for most production usages
13:55:55 <alexpilotti> if you just override it, it just works
13:55:58 <sagar_nikam> thats good
13:56:17 <alexpilotti> -4'
13:56:30 <alexpilotti> #topic open discussion
13:56:37 <sagar_nikam> if the same works for nova, i mean signed certificate from a customer, by just adding in nova.conf, we are good
13:56:48 <alexpilotti> yes
13:57:05 <alexpilotti> anything else that you guys would like to add before wrapping up?
13:57:26 <sagar_nikam> nothing from my end
13:57:58 <alexpilotti> alright, thanks y'all see you next week!
13:58:04 <alexpilotti> #endmeeting