#openstack-meeting-alt log

16:01:59 <Sukhdev> #startmeeting networking_ml2
16:02:00 <openstack> Meeting started Wed May 13 16:01:59 2015 UTC and is due to finish in 60 minutes.  The chair is Sukhdev. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:02:01 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:02:04 <openstack> The meeting name has been set to 'networking_ml2'
16:02:08 <Sukhdev> #topic: Agenda
16:02:27 <Sukhdev> #ilnk: https://wiki.openstack.org/wiki/Meetings/ML2#Agenda
16:02:41 <Sukhdev> Welcome folks to ML2 meeting
16:02:56 <Sukhdev> #topic: Announcements:
16:03:13 <Sukhdev> I am proposing that we cancel next two meetings
16:03:36 <Sukhdev> we will be at summit next week and tired the following week recovering from travels
16:03:44 <shivharis> duh..ok
16:03:46 <yamahata> +1
16:03:48 <Sukhdev> Is everybody OK with this?
16:03:53 <yamamoto> +1
16:03:59 <rkukura> +1
16:04:00 <yalie> +1
16:04:01 <Sukhdev> cool
16:04:14 <Sukhdev> Lets dive into the Agenda then
16:04:26 <Sukhdev> #topic: Task Flow discussion
16:04:38 <Sukhdev> #link: https://docs.google.com/document/d/1aSgTVB7nW_v7lHH0Z0DUgfymEsx0O16k1Jgu7QFXkFA/edit?usp=sharing
16:04:51 <Sukhdev> manishg: want to lead the discussion?
16:05:13 <Sukhdev> Are folks reviewing the document?
16:05:14 <manishg> sure.  would like to first know if folks have the read document :)
16:05:34 <manishg> I updated the doc based on the discussion from last week.
16:05:43 <shivharis> btw: i am ok with not going through all the state changes - as discussed last meeting
16:05:54 <rkukura> I see there have been signficant updates since I last looked!
16:06:19 <manishg> rkukura: yeah, the updates are based on last meeting
16:06:25 <Sukhdev> shivharis: you mean intermediate states, right?
16:06:35 <shivharis> Sukhdev: yes
16:06:41 <manishg> rkukura: one of the items was to update the document with the discussion.
16:07:11 <rkukura> manishg: Much appreciated!
16:07:26 <Sukhdev> manishg: the doc is looking good -
16:07:49 <Sukhdev> But, I did not see any additional comments on it - I saw one and answered it
16:07:50 <manishg> based on comments I've tried to put the conclusion in proposal #1 - which is also echoed you and Sukhdev also suggested.
16:09:03 <manishg> The idea is to let the updates continue to happen, and intermediate updates won't count (assuming the original operation is still in-progress).  Once the operation on back-end is done, it moves on to the latest db state and tries to execute that.
16:09:20 <manishg> I have noted the issues as well.
16:10:00 <manishg> One thing not mentioned in the document is that we should move in lock-step with all the mechanism drivers registered for the resource.  This way the backend state is consistent.
16:10:47 <rkukura> manishg: What do you mean by “move in lock-step with all the MDs …”?
16:10:59 <manishg> Let's say have operations O1, O2, O3, O4.  O2-4 happenn while all mech-drivers are still on O1.
16:11:15 <manishg> if some drivers finish O1, then we still wait for others to finish O1.
16:11:31 <manishg> before moving to realizing latest state O4.
16:12:14 <manishg> This way if O4 , fails we can move back to known good state O1.  If all drivers (registered for the resource) are in different states then the resource is not considered in consistent state.
16:12:20 <manishg> rkukura: makes sense?
16:12:23 <rkukura> manishg: Wouldn’t that mean one MD having problems would block all other MDs? Are we sure this is what we want?
16:12:53 <rkukura> I’m thinking a more optimistic strategy might be better.
16:12:54 <manishg> If an MD is having issues with a resource then do we actually want to move ahead with others?
16:13:11 <Sukhdev> manishg: I think so
16:13:12 <rkukura> We basically would move forward assuming the MDs will eventually catch up.
16:13:21 <manishg> is the resource considered realized if one of the MDs that is registered doesn't complete the operation?
16:13:27 <Sukhdev> manishg: let the sync process take care of dealing with the failures
16:13:35 <rkukura> And make it visible to clients via the state whether MDs are caught up.
16:13:56 <rkukura> But not try to roll-back operations that have appeared to complete from the client’s perspective.
16:14:15 <manishg> rkukura: hmm... so really an operation is N independent operations (one per registered driver)?
16:14:30 <rkukura> Here, complete means the REST operation returned, but MDs may not have synced yet.
16:14:40 <manishg> if we do that, what would really a rollback mean?
16:14:59 <rkukura> I’m thinking the operation is really the DB state change. The drivers are always chasing the DB state.
16:15:20 <Sukhdev> manishg: rollback becomes less interesting - I mentioned this in one of my comments
16:15:28 <shivharis> rkukura: is this a security hole?
16:15:31 <manishg> so then there is really no rollback.
16:15:57 <Sukhdev> shivharis: security hole - you lost me there
16:16:07 <shivharis> let me explain:
16:16:13 <Sukhdev> manishg: I think so
16:16:19 <manishg> rkukura, Sukhdev: so if an MD fails, then the state of that resource is really unknown and the operator must figure it out.
16:16:32 <shivharis> a network get s deleted, some mds do not delete the network( i.e. vlan)
16:16:55 <manishg> is everyone else okay with no rollback?
16:17:07 <shivharis> new network gets created for a new vm - but the vlan is not released by some backend
16:17:23 <rkukura> I think I’m OK with no rollback of updates that have been committed to the DB.
16:17:49 <Sukhdev> shivharis: This case can not happen if the VLAN is still in the DB
16:18:00 <manishg> rkukura: so in case of error, the resource is sort of abandoned/ error state for operator to interven?
16:18:06 <rkukura> Maybe shivharis’s scenario could be avoided by not releasing a network’s resources (i.e. VLANs) until the delete has really completed for all MDs.
16:18:41 <Sukhdev> rkukura: correct - long time ago we discussed this in ML2 meeting
16:18:51 <shivharis> so that is a hole that needs special attention - are there any other such?
16:18:53 <manishg> shivharis: in this case, the db delete will be marked 'DELETING'
16:19:04 <manishg> shivharis: so cannot use the resource until it's gone from db.
16:19:36 <shivharis> so this logic should also be taken care for in delete port
16:19:49 <Sukhdev> manishg: simply reverse the calls in ML2 plugin - i.e. post_commit_delete() ahead of pre_commig_delete()
16:19:50 <shivharis> or in general all objects
16:20:10 <manishg> Sukhdev: there is no concept of pre- post- anymore.  why do you need it?
16:20:33 <manishg> the idea is to update the state, then after it's realized set it to final state.
16:20:40 <Sukhdev> manishg: I know, I used it to elaborate the idea - that it should be in the reverse direction
16:20:42 <manishg> shivharis: this applies to all resources.
16:20:42 <rkukura> manishg: I think the client API should be designed such that normally, if the operation completes and the REST call returns, the expectation is that the things are working. If this isn’t the case, it should be visible to the client via the status of the resource, and the operator should be able to get more details (i.e. from admin ops and/or logs).
16:21:14 <manishg> Sukhdev: it doesn't need to be reversed.  you mark it 'DELETING' in db.  then call drivers async.  when they are done, delete from db.
16:21:41 <Sukhdev> manishg: that means the same - we are on the same page
16:21:57 <Sukhdev> rkukura: +1
16:21:59 <shivharis> only if all backends say deleted - only then the resource gets deleted
16:22:07 <manishg> Sukhdev: if we are doing async, it is not the same thing
16:22:15 <Sukhdev> rkukura: Nova API, I believe, work like that
16:22:25 <manishg> rkukura: are we saying , the calls are 'sync' (= blocking)?
16:22:49 <manishg> because otherwise when the call returns , things aren't working (because they are being set in parallel)
16:23:19 <rkukura> manishg: I think we are saying that clients use the API in a synchronous way - i.e. they continue with the next step when the call returns. But if they need to, they can look to see if the backends are in sync.
16:24:19 <rkukura> The point where we really need to make sure the backends are in sync is when we notify nova that a port is plugged adn the VM can continue booting.
16:24:19 <Sukhdev> manishg: no sync - all is async, the burden is shifted to client side
16:24:23 <manishg> rkukura: ok.  then we are on same page.  call returns and clients can proceed with next operation but the operation in the backend may be still going on.  The clients would need to know that much.
16:24:53 <manishg> Sukhdev: if all is sync, calling "post-" first will not change anything .  By the time it's actually executed the pre- would have deleted from db.
16:25:02 <manishg> so, the intermediate state is the way to go.
16:25:12 <manishg> and that doesn't have any issues that shivharis mentioned.
16:26:05 <manishg> I think we are all on the same page more or less that in the end backend should sync with db (outside of rest call)
16:26:15 <Sukhdev> manishg: I am not a huge fan of intermediate state
16:26:37 <Sukhdev> manishg: agree with your last statement
16:26:39 <rkukura> By “intermediate state”, do you mean CREATING, UPDATING, and DELETING?
16:26:47 <manishg> rkukura: yes
16:27:08 <manishg> I think for async that will be sort of a basic requirement.  agree?
16:27:11 <Sukhdev> manishg: Oh I misunderstood - then I am OK as well with intermediate state
16:27:31 <manishg> ok.  there are two main questions I have.
16:27:44 <manishg> One was about the lock-step issue (error in one driver).
16:27:54 <rkukura> Are we agreeing that if you create a network and it returns in CREATING state (MDs not yet synced), its OK to immediately create a port on that network?
16:27:55 <manishg> How do we deal with that.  I think we didn't close that.
16:28:42 <rkukura> Specifically, that the client doesn’t have to way for a READY state before creating the port?
16:28:42 <manishg> rkukura: I think we are agreeing that we can perform other operations on that resource.  But in this example,
16:29:04 <manishg> I think the resource would have to be realized, correct?
16:29:07 <rkukura> s/way/wait/
16:29:20 <rkukura> The resource would be realized in the DB.
16:29:33 <Sukhdev> rkukura: the desired state and actual state are not same (based upon my model), hence, the resource is not available yet
16:29:40 <manishg> if the backend can deal with this then it shouldn't be an issue.
16:29:41 <rkukura> But the backend work would be async.
16:30:41 <manishg> so in this case, the port-creation would need to wait for the network-creation.
16:31:08 <rkukura> I’m arguing for an “optimistic” approach where the client proceeds creating and using resources without normally worrring about whether the backends are in sync.
16:31:13 <manishg> inter-resource dependency.  I need to think more about this.  I was mainly focusing on operations on the same resource.  any ideas?
16:31:20 <Sukhdev> rkukura: one should not be allowed to act on that resource until desired state == actual state - they could create port on different network, but, not on this one
16:31:48 <manishg> rkukura: yes, the client could move ahead.  but the backend may not be able to.
16:32:01 <rkukura> Sukhdev: I think trying to reject API calls related to the resource would break exisitng clients badly.
16:32:02 <manishg> Sukhdev: what does the client see?  desired state?
16:32:22 <Sukhdev> manishg: correct
16:32:23 <manishg> I think rkukura is trying to preserve the existing model where client doesn't change.
16:32:47 <manishg> Sukhdev: in that case, the client might as well as see if the state is READY or not (ACTIVE or not), etc.
16:32:56 <rkukura> Why not just let the API proceed from transaction to transaction, and only really wait for the backend to catch up when absolutely necessary (like when notifying nova the port is up)?
16:32:57 <Sukhdev> rkukura: actually - more I think about it, I think, it would be OK to allow subsequent operations - that would be OK
16:32:59 <manishg> but rkukura is saying the client shouldn't have to.
16:33:48 <Sukhdev> I think I am agreeing with rkukura as I am thinking more about it -
16:33:54 <manishg> rkukura: yes, that's what I understood from the last discussion.  Let me address this case in the doc also.
16:34:11 <rkukura> Sure, a client could create a network, wait to make sure the backends sync, then create the port, but they shouldn’t need to wait.
16:34:21 <manishg> so the MDs may block on port-create until network is available to them.
16:34:42 <shivharis> here is what i think will work (i need to sit peacefully to account for all repercussions though)
16:34:44 <Sukhdev> the back-ends should be able to handle this - task flow engine has to make sure that it ensures that if desired state in not equal to actual state, it will keep re-trying the operation
16:34:53 <manishg> rkukra: yes, the client doesn't need to.  but the port won't be active until the netowrk + port is created in the backend.
16:35:15 <shivharis> operations on a specific object may be fast forwarded
16:35:27 <shivharis> but inter-object dependencies cannot
16:35:58 <manishg> shivharis: that would be up to the implementation of the MD for that resource.  It will know the dependency.
16:36:30 <shivharis> manishg: i am looking from the client side
16:36:49 <manishg> so port-create for a yet-to-be-realized network will succeed at REST call level.  port will be in CREATING state. and the MDs could block on port-create till network is actually available.
16:37:07 <manishg> shivharis: rkukura doesn't want the client to change
16:37:08 <Sukhdev> shivharis manishg : If you have access to Arista's sync implementation - we deal with these interdependencies based up the DB state only
16:37:40 <shivharis> manishg: i need time to think this through..
16:37:48 <manishg> Sukhdev: how do you create a port in your implementation if the network in the backend doesn't exist but exists in the db?
16:38:10 <Sukhdev> manishg: We have precedence on the resources -
16:38:17 <rkukura> It sounds like we are close to consensus on what this looks like from the client API perspective, but I think we all need to think about how the backend sync would work with that.
16:38:35 <shivharis> rkukura: +1
16:38:53 <Sukhdev> manishg: Higher precedence resources are ensured to sync first and then lower - this works out OK
16:39:07 <manishg> rkukura: +1
16:39:57 <Sukhdev> So, I see we have converged - manishg can you please capture this in your doc?
16:39:57 <manishg> Sukhdev: yes, if there is some inter-resource dependency defined then this works fine I think.
16:40:37 <Sukhdev> Folks, Please review the document and post the comments there
16:40:39 <manishg> I'll note this in the doc as well.  But doesn't look like many people have read the doc.
16:41:09 <Sukhdev> manishg: too many things on plates, perhaps :)
16:41:11 <yamamoto> i'm not sure if ml2 meeting is an appropriate place for these rest api discussion
16:41:18 <yamamoto> it needs wider audience
16:41:30 <Sukhdev> Summit will give us opportunity to sit down face-to-face and discuss this all
16:41:58 <Sukhdev> Shall we move on?
16:42:04 <yamamoto> i have a question
16:42:13 <Sukhdev> yamamoto: please ask
16:43:21 <Sukhdev> In the mean time, lets keep marching forward
16:43:22 <manishg> yamamoto: +1 (re discussion)
16:43:41 <Sukhdev> #topic: Design Summit Discussion
16:43:45 <Sukhdev> #link: https://etherpad.openstack.org/p/YVR-neutron-contributor-meetup
16:43:54 <Sukhdev> shivharis: added ML2 topics
16:43:54 <yamamoto> please move on.  i realized my question was invalid while typing.
16:44:00 <rkukura> yamahata: I’d agree that if we were changing the API or the way the client uses it, we’d need wider discussion. But I think if we solidify how ML2 MDs sync, but preserve the current client API and interactions, we can proceed.
16:44:13 <Sukhdev> yamamoto:-) it happens :-)
16:44:29 <rkukura> shivharis: thanks for updating the etherpad!
16:44:48 <shivharis> I have added ml2 topics  - we need to sort this however - now or at summit?
16:45:01 <Sukhdev> Are we OK with what shivharis added?
16:45:14 <Sukhdev> Please review it and feel free to add/update
16:45:20 <shivharis> have i missed anything dear to you?
16:45:52 <rkukura> I think we should identify 3 or 4 top-level topics, and maybe move some things under these.
16:45:55 <Sukhdev> Lets all review and update with your name next to any updates
16:46:08 <Sukhdev> rkukura+1
16:46:21 <shivharis> i can do it offline before the summit
16:46:25 <rkukura> This will also likely evolve during the summit based on the other sessions.
16:46:39 <Sukhdev> I will be very actively driving Bare Metal integration
16:46:58 <rkukura> Sukhdev: There is a design session for bare metal, right?
16:47:32 <Sukhdev> rkukura: There are two - one on Neutron side, and other on Ironic side - I am going to request all ML2 folks to attend both
16:47:52 <Sukhdev> neutron side is on Wednesday PM and Ironic side is on Thursday PM
16:48:01 <rkukura> Sukhdev: Good - we can use some of Friday to followup if needed, but should identify other topics for Friday.
16:48:20 <Sukhdev> There is a huge interest in this topic, hence, both sides gave me the sessions
16:48:23 <rkukura> Is there much interest in more flexibility for security groups within ML2? I know ODL people are interested in this.
16:48:59 <shivharis> there is a topic in design session wrt SG and FW and the future of SG?
16:50:16 * Sukhdev moving on - running out of time
16:50:25 <Sukhdev> #topic: Liberty BP
16:50:52 <Sukhdev> #link: https://review.openstack.org/#/c/169223/3/specs/liberty/ml2-extension-driver-convert.rst
16:51:06 <yalie> Hi all, I submit a converting extension driver for addres-pairs and sec-group
16:51:22 <yalie> but don't know if this is the direction of the ML2
16:51:49 <Sukhdev> yalie: I saw this today - have not had time to digest
16:52:00 <yalie> rkukura mentioned maybe we can do something for agentless MD
16:52:18 <yalie> Sukhdev: right, maybe we can discuss it later
16:52:31 <yalie> in the neutorn room
16:52:32 <shivharis> rkukura: we should address security group, since we really do not know what the design session has to offer
16:52:33 <rkukura> In principal, I like the idea of turning as many extensions as possible into oprional pluggable extension drivers, simpifying the “core” of ML2.
16:53:42 <rkukura> seems we’ve got plenty to discuss for ML2 Friday at the summit!
16:53:43 <yalie> I don't quite get that "the server-side implementation of security groups in terms of RPCs to L2 agents on the compute nodes is hardwired into ML2."
16:53:44 <Sukhdev> yalie: next week Summit may be a good place to discuss this - consider adding to etherpad
16:54:12 <yalie> rkukura: thanks
16:54:21 <rkukura> yalie: yes, lets add this if its not already there
16:54:35 * Sukhdev moving on
16:54:36 <yalie> rkukura: OK
16:54:44 <Sukhdev> #topic Open Discussion
16:54:54 <Sukhdev> I have few questions listed
16:55:14 <Sukhdev> Do we support N:M relationship between ports and networks
16:55:30 <Sukhdev> i.e. one port on multiple networks and vice-a-vera?
16:55:36 <rkukura> I don’t think we do currently.
16:55:52 <rkukura> I think this is the “trunk port” idea that has been kicked around.
16:56:11 <Sukhdev> rkukura: I tested on thing - Launch a VM from horizon and add to two networks - it works
16:56:44 <rkukura> Sukhdev: Is this with two separate neutron ports, one for each network, as two separate vNICs on the VM?
16:56:45 <Sukhdev> rkukura: do not know what goes on under the covers - anybody knows?
16:57:00 <Sukhdev> rkukura: yes
16:57:05 <yamamoto> doesn't the VM has 2 ports?
16:57:29 <Sukhdev> yamamoto: I think yes
16:57:40 <Sukhdev> So, this will imply one port to one network -
16:57:57 <Sukhdev> however a given instance can connect to multiple networks
16:58:07 <rkukura> Sukhdev: Do you want to add “trunk ports” to the etherpad to look at extending this to multiple networks per port/vNIC?
16:58:49 <yamahata> vlan-aware-vm session is allocated for this topic.
16:59:00 <Sukhdev> rkukura: good idea - let me add to the etherpad - I will bring it up in the main design session
16:59:16 <rkukura> before we finish - we skipped bugs, but I’d appreciate if people would review https://review.openstack.org/#/c/182134/, which is the 1st step on completing the DVR code clenaup.
16:59:19 <rkukura> cleanup
16:59:23 <Sukhdev> yamahata: can you elaborate?
16:59:34 <yamahata> I mean https://etherpad.openstack.org/p/YVR-neutron-vlan-trunk
16:59:35 <rkukura> yamahata: right
16:59:49 <Sukhdev> yamahata: Thanks for the link
16:59:49 <yalie> vlan-transparent seems has been implemented
17:00:00 <yalie> vlan-aware-vm has not
17:00:12 <yalie> I am not sure
17:00:36 <yamamoto> we run out time
17:00:56 <Sukhdev> any body wants to discuss anything? 1 min left
17:01:00 <rkukura> I rhink vlan-transparent means one neutron network is a trunk of VLANs, where the newer idea is more flexible, composing a neutron port from multiple networks.
17:01:39 <yalie> rkukura: thanks for clarify!
17:02:10 <rkukura> we need to wrap up
17:02:11 <Sukhdev> Folks, this was a very good meeting - good discussion
17:02:21 <rkukura> thanks Sukhdev!
17:02:22 <Sukhdev> Thanks for attending
17:02:34 <Sukhdev> will see you in Vancouver next week
17:03:10 <Sukhdev> #endmeeting