22:01:57 <armax> #startmeeting neutron_drivers 22:01:58 <openstack> Meeting started Thu Jul 14 22:01:57 2016 UTC and is due to finish in 60 minutes. The chair is armax. Information about MeetBot at http://wiki.debian.org/MeetBot. 22:01:59 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 22:02:02 <openstack> The meeting name has been set to 'neutron_drivers' 22:02:28 <amuller> o/ 22:04:36 <dougwig> ? 22:04:45 <kevinbenton> [][][][][][][][] 22:05:42 <kevinbenton> armax: alive? 22:06:04 <johnsom> Can you hear us now? grin 22:06:22 <kevinbenton> netsplit? 22:07:18 <dougwig> i don't see one. shall we start on the rfe list, or wait? 22:07:26 <dougwig> yep, there he went. 22:07:33 <dougwig> anyone have the link handy? 22:07:38 <amuller> https://bugs.launchpad.net/neutron/+bugs?field.status%3Alist=Confirmed&field.tag=rfe 22:07:45 <amuller> That's bugs in confirmed to be vetted for discussion 22:08:23 <armax> hello 22:08:27 <armax> anyone there? 22:08:31 <kevinbenton> hi 22:08:34 <amuller> there you are 22:08:35 <armax> ok 22:08:40 <armax> I dunno what happened 22:08:48 <dougwig> oh, there he is 22:08:48 <amuller> you forgot to type :( 22:08:49 <carl_baldwin> Glad you're back. 22:08:55 <armax> I was saying 22:08:56 <armax> to special request from kevinbenton 22:09:02 <armax> I would like to start with this announcement 22:09:07 <armax> #link http://lists.openstack.org/pipermail/openstack-dev/2016-July/099281.html 22:09:19 <armax> please share your thoughts on 22:09:20 <armax> #link https://etherpad.openstack.org/p/neutron-project-mascot 22:09:30 * HenryG sneaks in late 22:09:42 <dougwig> committee naming. this will end well. 22:09:47 <armax> yak shave away 22:10:00 <dougwig> i put in 'newt', because i'm corny and unoriginal. 22:10:04 <armax> but let’s do it offline :) 22:10:13 <HenryG> CHANGE THE TOPIC NOW!!! 22:10:18 <armax> for now let’s chew up on the RFE list 22:10:29 <armax> #link https://bugs.launchpad.net/neutron/+bugs?field.status%3Alist=Triaged&field.tag=rfe 22:10:29 <dougwig> mascot bike shedding sounds like more fun 22:10:39 <armax> we only have 5 RFEs to go through 22:10:42 <armax> easy peasy 22:10:50 <armax> bug #1583694 22:10:50 <openstack> bug 1583694 in neutron "[RFE] DVR support for Allowed_address_pair port that are bound to multiple ACTIVE VM ports" [Wishlist,Triaged] https://launchpad.net/bugs/1583694 - Assigned to Swaminathan Vasudevan (swaminathan-vasudevan) 22:11:12 <johnsom> easy peasy and he starts here..... 22:11:19 <armax> we talked about this last week 22:11:21 <dougwig> kill dvr. done, easy. 22:11:24 <armax> and the week before 22:11:36 <armax> dougwig: if it were that simple! 22:12:52 <armax> I think that the need of having this work on DVR has unveiled a much larger problem were FIP and allowed address pairs work implicitly together 22:12:54 <johnsom> Would this "redundant FIP" be provisioned differently via the API or magically happen behind the scene? 22:13:34 <armax> johnsom: I would lean on the former, but we could explore what magically behind the scene means 22:13:37 <kevinbenton> armax: more generally, it's that before DVR, FIPs could target arbitrary IP addresses. after dvr, FIPs became restricted to actual port IPs 22:14:42 <johnsom> I lean towards magic as it would mean a different API experience based on if DVR is enabled or not 22:14:51 <armax> kevinbenton: yes, it feels to me that the distributed nature of DVR has unveiled a potential issue with the way FIP can work with VRRP clusters 22:14:59 <armax> johnsom: not per se 22:15:07 <armax> johnsom: we could make this work for both CVR and DVR 22:15:13 <amuller> Is this a DVR specific issue? Wouldn't say ODL and OVN have the same issue? 22:15:19 <johnsom> Ok 22:15:41 <armax> johnsom: it feels to me that the FIP + allowed address pairs is a trick to make a VRRP use case work 22:15:47 <carl_baldwin> amuller: which ones of those have floating ips? 22:16:12 <dougwig> what is CVR? and the previous 10 lines have an amusing acronym density 22:16:14 <armax> johnsom: when ideally a user could be oblivious of allowed address pairs to associate the FIP to multiple ports 22:16:15 <amuller> I'm not sure but if they don't have now they will with OVS 2.5 soon enough 22:16:16 <johnsom> armax Yes, but the user creating the FIP may or may not know if the endpoint is VRRP enabled. 22:16:24 <armax> dougwig: Centralized 22:16:27 <russellb> both have it in some degree 22:17:09 <armax> johnsom: I’d argue he/she does, as he/she is the one creating the FIP and associating it to a dangling port for a very specific reason 22:17:13 <kevinbenton> russellb: in OVN, everything is statically programmed so it would break on this as well, right? 22:17:29 <kevinbenton> russellb: i.e. there is no mechanism to discover where the IP is living 22:17:44 <amuller> I think this is a challenging use case to cover in any distributed routing solution so I would't give DVR a bad rep here :) 22:17:45 <russellb> right, it's bound 22:18:03 <amuller> (without involving the control plane on failover) 22:18:09 <armax> associating a FIP to a dangling (unbound) port and then pair with a port via allowed address pairs 22:18:18 <armax> is not exactly what I would call it kosher 22:18:22 <johnsom> armax My use case is, user asks for load balancer, we give them a VIP for that load balancer. They then turn around and create a FIP that points to the VIP. They don't necessarily know if we created the VIP VRRP or not. 22:18:39 <armax> johnsom: agreed 22:19:19 <armax> right now the VIP is the IP you give to the unbound port, that’s gonna be the entry into your allowed address pair attributes for whichever ports you want to sit behind the vip correct? 22:19:43 <johnsom> Correct 22:19:50 <armax> now, I am thinking, if we make this somewhat explicit, then it’s easier and less error prone implementing the logic for DVR 22:20:18 <armax> because we’re not reusing a construct that wasn’t exactly designed to work with this set of hacks 22:20:33 <carl_baldwin> I think the issue, as armax is trying to state it, is an API issue that isn't specific to any implementation. 22:20:36 <johnsom> It seems like we can query the VIP port, see AAP is enabled, and create a "redundant FIP" 22:21:12 <johnsom> I think I'm getting into implementation details too much here. 22:21:16 <armax> if DVR’s FIP is by design placed on the compute note, moving it around, locking it to the central snat, and potentially having to deal with moving it again if the VM migrate or get delete would be incredibly brittle logic 22:21:54 <kevinbenton> armax: wouldn't it just be "all unbound ports are on central snat" ? 22:22:02 <armax> whereas for a ‘redundant FIP’ or whatever we want to call it, we can assume by design that the object is confined to a central network node and its limited to being there for its life cycle 22:23:10 <dougwig> one of the only compelling use cases of FIPs is for VIPs. (the issue them for everything mentality is madness.) your previous statements just relegated the common use case for elastic IPs back into a non-DVR world. 22:24:17 <armax> dougwig: FIP are typically associated to a single port at any given time, in this case the FIP is serving multiple ports at any given time 22:24:23 <armax> dougwig: or am I talking nonsense? 22:24:38 <armax> dougwig: in other words, you take allowed address pairs out the picture 22:24:49 <armax> FIP for VIPs breaks even for CVR 22:25:00 <armax> centralized virtual router 22:25:01 <dougwig> FIPs are just a deployment aid. bridging to rare public IPs, or when moving the IP is more important/needs to be faster than DNS ttl. that we map them to single port is implementation. 22:25:43 <armax> true but the implementation is expressed throught the API 22:25:47 <dougwig> allowed address pair is just ACLs; i'm not sure how that's relevant. 22:25:47 <armax> the association is one to one 22:25:48 <carl_baldwin> I think it'd be nice if there were an explicit relationship between the IP and the ports that should be allowed to received traffic for it. Instead of using allowed_address_pairs for an implicit one. 22:25:53 <armax> FIP <-> PORT 22:26:12 <armax> carl_baldwin: +1 22:26:44 <armax> I wonder if by adopting a more explicit relationship, the DVR solution looks simpler and less prone to regressions 22:26:46 <dougwig> then how to do FIP to a vrrp? 22:27:07 <armax> I am totally sold on the use case, I am unconvinced of the proposed solution as it stands 22:27:16 <kevinbenton> dougwig: is it possible on EC2 to do that? How does their API look for this? 22:27:28 <armax> dougwig: not sure I understand the question 22:27:31 <dougwig> kevinbenton: i've never tried. 22:27:48 <armax> so my question to you guys is 22:28:20 <armax> in order to address this RFE, do you think it’s sensible to explore ways to model the need of FIP for VIP a little more formally? 22:28:24 <johnsom> The current proposed patch does not solve the problem in a good way 22:28:35 <armax> before diving into the implementation details? 22:28:42 <amuller> armax: exploring ways is always sensible, that's almost a tautology =p 22:28:48 <armax> johnsom: and I am hoping that revisiting the model might address that 22:29:27 <amuller> I wonder if we could use distributed port bindings somehow, by binding the fixed IP port to two hosts 22:29:29 <dougwig> armax: yes, because you're right, the proposed fix feels like a duct tape band-aid. 22:29:37 <amuller> then having that info in Neutron would let DVR do the right thing 22:30:14 <armax> amuller: at this point I am happy to brainstorm, the mid-cycle is approaching and perhaps we can nail this down 22:30:31 <carl_baldwin> amuller: Each instance still needs its own port. I think we need to think about this like moving a VIP between ports. 22:30:40 <amuller> carl_baldwin: yeah, for the VIP 22:30:48 <amuller> carl_baldwin: each instance has its own port + a port that is bound to both 22:31:09 <armax> so have I managed to seed the weed? 22:31:26 <armax> I don’t know what it means :) 22:31:39 <armax> seed the germ of doubt :) 22:31:40 <dougwig> what is that? are we all supposed to light up now? 22:31:43 <carl_baldwin> amuller: Ports have other extra stuff that wouldn't make sense, like macs, vif binding, etc. 22:32:05 <amuller> that's true 22:32:08 <kevinbenton> need to make IP allocations first class citizens 22:32:29 <amuller> we already have ports in neutron that float between nodes 22:32:30 <armax> we should probably go ahead and crunch the rest of the list 22:32:30 <carl_baldwin> kevinbenton: That's never come up before. ;) 22:32:33 <kevinbenton> :) 22:32:35 <amuller> the HA routers qr interfaces 22:32:50 <amuller> anyway 22:33:00 <armax> but at this point I guess we’re all in agreement that we cannot accept the proposed solution as is 22:33:04 <kevinbenton> maybe the work to bind a port to multiple hosts can help here 22:33:12 <armax> and more thinking has to go into how this use case is solved 22:33:16 <kevinbenton> then the floating IP can be associated to a port bound to multiple hosts 22:33:18 <dougwig> armax +1 +1 22:33:20 <armax> kevinbenton: amuller said that 22:33:24 <armax> kevinbenton: pay attention! 22:33:39 <carl_baldwin> kevinbenton: and I expressed some doubt. 22:33:39 <johnsom> armax +1 22:34:06 <armax> ok 22:34:10 <armax> shall we move on? 22:34:34 <kevinbenton> can we just pitch CVR as a feature that solves this? 22:34:47 <armax> kevinbenton: shut up 22:35:04 <armax> kevinbenton is sitting next to me, he knows I am joking 22:35:14 <amuller> Before we move on, what is supposed to happen before next week? 22:35:14 <kevinbenton> "ever thought you're routing was getting out of hand being everywhere? centralize it!" 22:35:21 <armax> bug #1586056 22:35:21 <openstack> bug 1586056 in neutron "[RFE] Improved validation mechanism for QoS rules with port types" [Wishlist,Triaged] https://launchpad.net/bugs/1586056 - Assigned to Slawek Kaplonski (slaweq) 22:35:37 <armax> #undo 22:35:38 <openstack> Removing item from minutes: <ircmeeting.items.Link object at 0x7f5bbf33c9d0> 22:35:54 <armax> amuller: we’ll get together with carl_baldwin and lay out a plan 22:35:57 <armax> bug #1586056 22:36:44 <HenryG> you have put the meeting bot to sleep 22:36:45 <dougwig> kevinbenton: now you're talking! 22:36:48 <amuller> johnsom: do you feel like you have a way to move forward? 22:37:26 <armax> ajo and/or ihar might not be around 22:37:46 <amuller> they're both returning from travel 22:37:53 <armax> ok 22:37:54 <johnsom> amuller Not sure I follow. I'm here to give input, help understand the problem. I think the next steps is more design work. 22:38:39 <armax> johnsom: yes, I’d rather nail down the design now than deal with the pain later 22:38:40 <amuller> johnsom: alright 22:38:47 <armax> as for QoS 22:39:16 <armax> and this RFE 22:39:28 <armax> I am unclear how this is being tackled 22:39:29 <armax> anyone? 22:40:09 <amuller> we need QoS team leaders for this, I suggest we skip 22:40:29 <armax> ok 22:40:41 <armax> bug #1592028 22:40:41 <openstack> bug 1592028 in neutron "[RFE] Support security-group-rule creation with address-groups" [Wishlist,Triaged] https://launchpad.net/bugs/1592028 - Assigned to Roey Chen (roeyc) 22:41:28 <armax> this didn’t seem outrageous to me, but I wonder if this is something that could be handled by FWaaS, any fwaas expert in the room? 22:41:45 <kevinbenton> security groups themselves already represent a group of addresses 22:41:54 <kevinbenton> (all of the ports that are a member of that group) 22:42:04 <kevinbenton> is this to handle cases where the IP addresses don't belong to neutron ports? 22:42:19 <armax> that’s a good question to ask on teh bug report 22:42:56 <dougwig> i think it's meant to be, "allow all from rfc1918" style groups. 22:43:20 <kevinbenton> "An Openstack cloud may require connectivity between instances and external services which are not provisioned by Openstack, each service may also have multiple endpoints." 22:43:20 <kevinbenton> yeah 22:43:24 <kevinbenton> i didn't read close enough 22:43:30 <kevinbenton> I'm fine with this idea 22:43:58 <dougwig> at one time sc68cal wanted SG's frozen, and all of this going into fwaas. i think he reversed that position. 22:44:00 <armax> so that means a spec to understand the API proposal etc 22:44:29 <armax> dougwig: I think we all come to the realization that we diverged from Amazon’s style security groups anyway 22:44:30 <sc68cal> haven't reversed 22:44:40 <sc68cal> but I appear to be a minority viewpoint 22:44:47 <kevinbenton> so a destination/source can be a CIDR/securitygroup right now 22:44:59 <kevinbenton> and the adjustment would be that it could be an 'addressgroup' 22:45:06 <kevinbenton> also 22:45:18 <armax> and that OpenStack relaxed its EC2 compliance somewhat 22:45:33 <armax> so say we’ll give this the go ahead 22:45:57 <armax> is there anyone in the group willing to volunteer for taking care of the review process? 22:46:06 <armax> we can ask on the bug report 22:46:21 <armax> but if don’t find volunteers this must have to go on the backburner 22:46:58 <armax> I assume that lack of comment means, backburner does it? 22:47:02 <armax> moving on 22:47:05 <armax> bug #1592918 22:47:05 <openstack> bug 1592918 in neutron "[RFE] Adding Port Statistics to Neutron Metering Agent" [Wishlist,Triaged] https://launchpad.net/bugs/1592918 - Assigned to Sana Khan (sana.khan) 22:47:11 <dougwig> is there anyone not so overcommitted that it's hollow anyway? i mean, i'd love to say yes, but... 22:47:19 <armax> dougwig: fair point 22:47:46 <armax> I am still waiting for your braindump on https://bugs.launchpad.net/neutron/+bug/1524916 22:47:46 <openstack> Launchpad bug 1524916 in neutron "neutron-ns-metadata-proxy uses ~25MB/router in production" [Medium,In progress] - Assigned to Doug Wiegley (dougwig) 22:47:48 <armax> but I digress 22:48:01 <dougwig> heh. 22:48:12 <armax> dougwig: I’ll bug you until you comply :) 22:48:20 <kevinbenton> dougwig promised a simple nginx solution! :) 22:48:27 <dougwig> armax: an effective strategy. 22:48:34 <armax> dougwig: it’s not working right now 22:48:39 <armax> dougwig: not sure it’s effective 22:48:51 <armax> so talking about the port stats thingy 22:48:53 <dougwig> i have the bug open in a tab, and i feel guilt when i see it. that's more than last week. 22:49:02 <armax> ah 22:49:04 <armax> ok so progress! 22:49:20 <amuller> We don't have a scenario test for metering do we 22:49:23 <amuller> We have API and unit tests 22:49:27 <armax> let’s see how you feel next week when I’ll ship a dead horse’s head to your house 22:49:29 <amuller> nothing that checks that it works end to end, *I think* 22:49:48 <amuller> I think we should require such a test before any RFEs in the metering area 22:49:48 <armax> amuller: we have some tests in the gate 22:49:54 <armax> right 22:50:02 <armax> but that goes back to a staffing problem 22:50:10 <amuller> it would be on the bug reporter 22:50:12 <armax> rossella_s volunteered but she’s spread thin 22:50:46 <armax> I gather from this meeting and the past one that no-one has objections or reserves on this requet 22:50:48 <armax> request 22:50:50 <amuller> forget staffing for a sec, does anyone care about metering and wants to discuss the usefulness of the RFE? 22:51:04 <armax> though someone has to help the reporter through the review pipeline 22:51:32 <armax> amuller: I sense that all of us are lukewarm when it comes to metering 22:52:06 <amuller> in that case I wouldn't block the RFE, just let it through on a best effort basis, and if the author is persistent enough maybe he or she will actually get reviews :) 22:52:17 <armax> but that’s not a reason to reject when there’s some degree of usefulness in the counters collected 22:52:37 <amuller> armax: agreed 22:52:49 <armax> ok 22:53:04 <armax> no rejection, best effort basis assumed the right steps are taken 22:53:13 <armax> amuller: can you point out your demands on teh bug report? 22:53:18 <amuller> will do 22:53:29 <armax> and we can figure out how stringent or painful they are :) 22:53:39 <armax> bug #1599488 22:53:39 <openstack> bug 1599488 in neutron "[RFE] Enhance Quota API calls to return resource usage per tenant" [Wishlist,Triaged] https://launchpad.net/bugs/1599488 - Assigned to Sergey Belous (sbelous) 22:53:53 <armax> this one seems ‘easy' 22:54:02 <armax> I have asked salv_orlando to look at it 22:54:05 <armax> but he’s worse than dougwig 22:54:08 <armax> erm :) 22:54:14 * dougwig sighs. 22:54:53 <armax> I think this also deserves a spec to better understand what the proposal looks like, being an API change required 22:55:26 <armax> unless there are complications on making sure that the attribute reliably represent the value the reporter is interested in 22:55:43 <armax> then this seems a nice addition to the quota API 22:55:52 <armax> any thoughts? 22:55:59 <armax> lukewarm anyone? 22:56:08 <amuller> a consistency with the other core projects would be... nice. 22:56:26 <dougwig> it would also be downright un-openstack! 22:56:27 <armax> amuller: quota API is not exactly consistent across projects 22:57:09 <sc68cal> I poked sbelous to file the RFE. 22:57:26 <sc68cal> so I can be the sherpa for it I guess 22:57:31 <armax> ok 22:57:52 <armax> let’s refresh the bug report with this ntoes 22:57:53 <armax> notes 22:57:58 <armax> anything anyone wants to add? 22:58:08 <armax> if not let’s get 3 minutes back 22:58:16 <armax> so that dougwig can do his braindump 22:58:20 <armax> 2 minutes now 22:58:59 <armax> #stopmeeting 22:59:01 <carl_baldwin> bye 22:59:05 <kevinbenton> bye 22:59:06 <armax> #endmeeting