14:04:01 <irenab> #startmeeting kuryr
14:04:02 <openstack> Meeting started Mon Nov 6 14:04:01 2017 UTC and is due to finish in 60 minutes. The chair is irenab. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:04:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:04:05 <openstack> The meeting name has been set to 'kuryr'
14:04:14 <ltomasbo> o/
14:04:22 <janonymous> o/
14:04:36 <irenab> hi guys
14:04:54 <irenab> anyone else for the weekly?
14:04:59 <dulek> o/
14:05:52 <leyal> o/
14:06:07 <irenab> I guess dmellado and apuimedo won't join since they are at the OS summit
14:06:25 <irenab> #topic kuryr
14:07:06 <irenab> does anyone have updates related to general kuryr?
14:07:43 <irenab> moving on then
14:07:54 <irenab> #topic kuryr-libnetwork
14:08:22 <irenab> anything to discuss related to kuryr-libnetwork?
14:08:56 <irenab> moving on
14:09:06 <irenab> #topic kuryr-kubernetes
14:09:43 <dulek> Shall I start with the CNI daemon status?
14:09:50 <irenab> dulek, yes, please
14:10:14 <dulek> https://review.openstack.org/#/c/515186/ - the initial patch has +2 from apuimedo and I think irenab is testing it.
14:10:37 <dulek> I'm working on support for running kuryr-daemon containerized. I'll be pushing a patch soon.
14:10:40 <irenab> dulek, correct, I will finalize it today
14:10:46 <dulek> And I'll need to update and rebase the documentation patch.
14:11:33 <dulek> And that will be it! I'll need to do a few lower-priority follow-up patches that fix corner cases and bugs that are now becoming visible when using the CNI daemon.
14:11:42 <irenab> dulek, any plans about the gate for the cni split?
14:12:08 <dulek> irenab: That's a very good question. How about I try to fix our tempest gates first?
14:12:16 <dulek> Currently those are constantly failing.
14:12:26 <irenab> dulek, :-), totally agree on priorities
14:12:41 <dulek> Once we have the gates functional it'll be easier to add it. :)
14:13:01 <irenab> but we need to have a gate to make sure it's stable before switching the cni split to the default in devstack
14:13:20 <dulek> irenab: I totally agree, thank you for the reminder.
14:13:39 <irenab> and then probably deprecate the original support
14:14:01 <irenab> dulek, thank you for the update
14:14:14 <irenab> anyone who can test the patch, please do so
14:14:24 <irenab> #link https://review.openstack.org/#/c/515186/
14:14:38 <ltomasbo> sure, I'm happy to test the follow-up one (mixed containerized and split)
14:14:48 <ltomasbo> I've already tested the cni split and it works fine!
14:14:56 <irenab> ltomasbo, perfect
14:15:21 <irenab> ltomasbo, any update on the stuff you are working on?
14:15:29 <ltomasbo> this is ready for reviews: https://review.openstack.org/#/c/510157/
14:16:01 <ltomasbo> and I'm working on an OOM problem at ODL when using it with kuryr
14:16:17 <irenab> OOM?
14:16:23 <ltomasbo> out of memory
14:16:36 <irenab> on the ODL or the kuryr side?
14:16:49 <ltomasbo> in ODL mostly
14:17:03 <ltomasbo> but the chances increase due to being deployed with devstack
14:17:18 <ltomasbo> as the java memory is limited to 512MB (instead of 2GB)
14:17:35 <ltomasbo> it should be fine from the kuryr side
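
A note on the devstack memory cap mentioned above: the 512MB limit comes from the devstack defaults, and can be raised from local.conf. A minimal sketch, assuming the ODL_JAVA_* variables exposed by the networking-odl devstack plugin; double-check the names against the plugin version in use:

```
[[local|localrc]]
# Raise ODL's JVM heap from the devstack default (512MB) towards the
# 2GB ltomasbo mentions. Variable names assumed from networking-odl's
# devstack settings.
ODL_JAVA_MIN_MEM=512m
ODL_JAVA_MAX_MEM=2g
```
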
14:18:04 <ltomasbo> I'm also digging into some problems (possibly on the kuryr side, but more probably in docker/kubernetes)
14:18:13 <ltomasbo> regarding containers taking a long time to boot up
14:18:32 <irenab> #action irenab apuimedo review the patch https://review.openstack.org/#/c/510157/
14:18:39 <ltomasbo> a long time until the first one is up, in the nested case
14:18:52 <irenab> ltomasbo, including the image load, or when the image is local?
14:18:59 <ltomasbo> but I still didn't find the culprit (though I know I'm affected by a couple of bugs)
14:19:10 <ltomasbo> irenab, once the image is already there
14:19:18 <ltomasbo> and the ports are already present in the pool
14:19:35 <ltomasbo> so, it should be faster
14:19:49 <ltomasbo> and it takes more than a minute for the first container when booting 100 at once
14:19:58 <irenab> interesting, any idea where the time is spent?
14:20:22 <ltomasbo> digging a bit, it seems I hit this: https://bugzilla.redhat.com/show_bug.cgi?id=1425278
14:20:23 <openstack> bugzilla.redhat.com bug 1425278 in docker ""SELinux: mount invalid. Same superblock, different security settings for (dev mqueue, type mqueue)" error message in logs" [Urgent,New] - Assigned to dwalsh
14:20:24 <irenab> I wonder if the CNI split may improve this, or if it is on the controller side
14:20:35 <ltomasbo> and this https://bugzilla.redhat.com/show_bug.cgi?id=1267291
14:20:35 <openstack> bugzilla.redhat.com bug 1267291 in openvswitch "[Openvswitch] balance-tcp bond mode causing issues with OSP Deployments" [High,Closed: currentrelease] - Assigned to nyechiel
14:21:01 <ltomasbo> and I disabled the os_vif.plug to test if that was also adding some time, but it was not
14:21:53 <dulek> ltomasbo: Ah, commenting out os_vif.plug created an issue for me in the OVS-on-baremetal case.
14:22:08 <irenab> ltomasbo, please report the issue as a kuryr bug
14:22:22 <ltomasbo> dulek, it's not an issue for the nested case
14:22:30 <ltomasbo> as the plug basically does a 'pass'
14:22:40 <ltomasbo> I removed it just to avoid the privsep thing
14:22:47 <ltomasbo> but it is not helping, so I set it back
14:22:51 <dulek> ltomasbo: Okay, I would need to dig more to understand that. :P
14:23:14 <ltomasbo> irenab, I'm not sure it is a kuryr bug, I need to dig a bit more to figure out what to report...
14:23:32 <ltomasbo> irenab, and the OOM got in my way while debugging...
14:23:55 <ltomasbo> as soon as I understand a bit more about the issue, I'll open a bug!
14:24:00 <irenab> ltomasbo, I wonder if this happens only for bulk creation or also when spawning a single or, let's say, 2 Pods
14:24:22 <ltomasbo> irenab, it is somehow proportional to the amount of pods being created
14:24:32 <ltomasbo> I have 3 worker VMs
14:24:49 <ltomasbo> and if I create 3 containers (one on each VM) it takes around 5-8 seconds to start the first one
14:25:03 <ltomasbo> if I create 30, it takes around 20-30 seconds to start the first one
14:25:13 <ltomasbo> and if it is 100, it takes around 70 seconds
14:25:27 <ltomasbo> so, my bet is on something we do for each container
14:25:42 <irenab> and are you sure it's on the kuryr side?
14:25:54 <ltomasbo> I'm not sure if it is at the controller (getting the subnet information) or at the cni side
14:26:06 <ltomasbo> irenab, I'm not sure about that
14:26:13 <ltomasbo> it may not even be on the kuryr side
14:26:41 <ltomasbo> I'll dig more during this week and let you know if I find it
14:26:44 <irenab> I wonder if there is some scale impact in the case of native k8s
14:26:50 <irenab> ltomasbo, thanks!
14:27:18 <ltomasbo> irenab, it could be on k8s, yes
14:27:38 <ltomasbo> but we haven't seen that in the scale testing we did a couple of months ago
14:27:52 <irenab> #action ltomasbo to investigate the case with a large number of containers and update on findings
14:27:54 <ltomasbo> perhaps it is related to the OOM that I was hitting
14:28:24 <irenab> the scale test was with ovs and you see the issue with ODL?
14:28:29 <ltomasbo> so, it may well be ODL
14:28:30 <ltomasbo> ODL
14:28:42 <ltomasbo> the scale test was done with OVN
14:28:51 <irenab> I will try to see if I can run a similar test with Dragonflow
14:28:52 <ltomasbo> and I'm doing it with ODL
14:29:04 <ltomasbo> irenab, it would be great to test that
14:29:32 <irenab> #action irenab try to run a scale test for kuryr+dragonflow, nested
14:29:44 <ltomasbo> I can help you recreate my env if you need help (it was a devstack-based multinode deployment)
14:29:58 <ltomasbo> with 4 VMs (1 master + 3 workers)
14:30:22 <irenab> ltomasbo, would appreciate your help. I guess you have some heat stack for that, right?
14:30:41 <ltomasbo> yep, I'm using kuryr_heat_pike to create the VMs
14:31:07 <irenab> ltomasbo, I will sync with you offline to get the details
14:31:10 <ltomasbo> and then an ansible-based script to install openshift on top of the VMs
14:31:12 <ltomasbo> sure!
14:31:13 <ltomasbo> thanks!
14:31:28 <irenab> ltomasbo, thank you for the update
14:31:40 <ltomasbo> that's all from my side
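
The timings ltomasbo quotes (3/30/100 pods, time until the first one is up) are easy to reproduce. A rough sketch of such a measurement, assuming kubectl is configured for the cluster; pod names and image are arbitrary:

```python
#!/usr/bin/env python
# Create N pods at once and time how long the *first* one takes to
# reach Running. Any small, pre-pulled image works, so the measurement
# excludes the image download, as in ltomasbo's test.
import json
import subprocess
import time

N = 100
IMAGE = 'kuryr/demo'  # arbitrary example image

start = time.time()
for i in range(N):
    subprocess.check_call([
        'kubectl', 'run', 'scale-test-%d' % i,
        '--image', IMAGE, '--restart=Never'])

# Poll until at least one pod from the batch is Running.
while True:
    out = subprocess.check_output(['kubectl', 'get', 'pods', '-o', 'json'])
    pods = json.loads(out)['items']
    if any(p['metadata']['name'].startswith('scale-test-')
           and p['status'].get('phase') == 'Running' for p in pods):
        print('first pod Running after %.1fs' % (time.time() - start))
        break
    time.sleep(1)
```

Note the sequential kubectl calls add their own overhead; creating the batch through a single controller object with N replicas would isolate the networking time better.
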
14:31:49 <irenab> leyal, would you like to update regarding the network policy progress?
14:32:02 <leyal> yes
14:32:26 <irenab> please go ahead
14:32:38 <leyal> I created (with a lot of help from irenab) a detailed design draft for supporting network policy, will be happy to get reviews on that ..
14:32:55 <leyal> https://docs.google.com/document/d/1GShzI4DemoraZdjnpZe9ug1GI9xgl3JcIyjnllTtQN4/edit?usp=sharing
14:33:07 <irenab> #link https://docs.google.com/document/d/1GShzI4DemoraZdjnpZe9ug1GI9xgl3JcIyjnllTtQN4/edit?usp=sharing
14:33:39 <irenab> leyal, any specific issues/questions you would like to discuss now?
14:33:58 <leyal> I hope to upload a patch with the spec soon.
14:34:49 <leyal> Let's discuss in the draft/spec (when it's ready) ..
14:35:02 <ltomasbo> great! I'll read it and try to provide some feedback
14:35:28 <irenab> the gdoc has very detailed information regarding the Network Policy support, so anyone who has some spare cycles, please take a look before leyal uploads the rst
14:35:51 <irenab> ltomasbo, thanks!
14:35:53 <leyal> ltomasbo, thanks
14:36:24 <irenab> anyone else on kuryr-kubernetes topics?
14:36:59 <yboaron> I can update about my progress with openshift route
14:37:14 <irenab> yboaron, go ahead
14:38:12 <yboaron> I started to work on integrating openshift route support with KURYR-K8S, I will share a design doc for review in the next few days
14:38:42 <irenab> yboaron, is openshift route like an Ingress Controller, or something else?
14:38:57 <yboaron> irenab, right
14:39:35 <irenab> yboaron, is there any launchpad bp for this?
14:40:30 <yboaron> I'll open one. At a very high level, KURYR should translate route objects into lbaas L7-policy/pool resources
14:41:10 <irenab> yboaron, great, looking forward to seeing the details
14:41:29 <yboaron> that's it, I will open a bp and will share a design doc soon
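
For readers unfamiliar with the translation yboaron sketches: an L7 policy redirects a listener's traffic to a pool when its rules match. A rough illustration (not the actual design) using python-neutronclient's lbaas v2 bindings; the method names and body keys follow the neutron-lbaas L7 API but should be verified against the client version, and all IDs and names here are made up:

```python
# Sketch: map an openshift route's hostname to a neutron-lbaas L7
# policy + rule. The listener and pool IDs would come from the load
# balancer that kuryr already manages for the target service.
from neutronclient.v2_0 import client as neutron_client

def route_to_l7_policy(neutron, listener_id, pool_id, route_host):
    # One policy per route: redirect matching requests to the pool
    # backing the route's target service.
    policy = neutron.create_lbaas_l7policy({'l7policy': {
        'listener_id': listener_id,
        'action': 'REDIRECT_TO_POOL',
        'redirect_pool_id': pool_id,
        'name': 'route-%s' % route_host,
    }})['l7policy']
    # Match on the route's hostname, mirroring the route spec's 'host'.
    neutron.create_lbaas_l7rule(policy['id'], {'rule': {
        'type': 'HOST_NAME',
        'compare_type': 'EQUAL_TO',
        'value': route_host,
    }})
    return policy
```
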
14:41:57 <irenab> I plan to fix https://bugs.launchpad.net/kuryr-kubernetes/+bug/1723938
14:41:58 <openstack> Launchpad bug 1723938 in kuryr-kubernetes "Cannot access service of LoadBalancer type" [High,New] - Assigned to Irena Berezovsky (irenab)
14:42:25 <irenab> hope to get it fixed by next week
14:42:25 <ltomasbo> irenab, is that just a security group configuration?
14:43:21 <irenab> yes, but it seems it needs to be done upon service creation and not in advance, as with the other security group configuration
14:44:19 <irenab> the fix should be quite trivial. And the funny thing is that it works without the fix with the reference neutron implementation
14:44:27 <ltomasbo> ohh, true
14:44:38 <ltomasbo> now I remember
14:44:59 <ltomasbo> did you find out why it works with default ml2/ovs?
14:45:03 <ltomasbo> is it a bug?
14:45:11 <yboaron> irenab, same solution for ha-proxy and octavia?
14:45:52 <irenab> octavia sets proper SGs, so the additional SG configuration will be required only for HA Proxy
14:46:37 <irenab> ltomasbo, I think I checked, but I do not remember ...
14:46:49 <ltomasbo> xD
14:47:00 <ltomasbo> same here... maybe you even mentioned it already on the kuryr channel...
14:47:01 <irenab> the issue is only when a FIP is assigned to the VIP
14:47:23 <irenab> ltomasbo, I will check, maybe the details are saved :-)
14:47:56 <irenab> anything else for k8s support?
14:48:38 <irenab> #topic open discussion
14:49:29 <irenab> Well, looks like all of us are pretty occupied with k8s support :-)
14:50:16 <ltomasbo> xD
14:50:23 <irenab> if no one has a topic to discuss, I think we can close the meeting
14:50:50 <irenab> thanks everyone for joining
14:51:02 <irenab> #endmeeting
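
For reference, a minimal sketch of the kind of security group change the LoadBalancer fix above implies for the HA Proxy case: open the service port on the VIP port's security groups, so traffic arriving via the floating IP is not dropped. The helper below is hypothetical and only illustrates the python-neutronclient calls involved; the actual kuryr fix may differ:

```python
# Hypothetical helper illustrating the SG fix for bug 1723938 in the
# HA Proxy case. Per the discussion above, Octavia sets proper SGs on
# its own, so this would only be needed for the HA Proxy driver.
from neutronclient.common import exceptions as n_exc
from neutronclient.v2_0 import client as neutron_client

def ensure_lb_sg_rule(neutron, vip_port_id, protocol, port):
    vip_port = neutron.show_port(vip_port_id)['port']
    for sg_id in vip_port['security_groups']:
        try:
            neutron.create_security_group_rule({'security_group_rule': {
                'security_group_id': sg_id,
                'direction': 'ingress',
                'protocol': protocol,      # e.g. 'tcp'
                'port_range_min': port,    # the service/listener port
                'port_range_max': port,
            }})
        except n_exc.Conflict:
            pass  # an equivalent rule already exists
```
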