#openstack-neutron log

14:00:35 <lajoskatona> #startmeeting neutron_drivers
14:00:35 <opendevmeet> Meeting started Fri Jan 28 14:00:35 2022 UTC and is due to finish in 60 minutes.  The chair is lajoskatona. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:35 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:35 <opendevmeet> The meeting name has been set to 'neutron_drivers'
14:00:39 <lajoskatona> Hi
14:00:39 <mlavalle> o/
14:00:46 <ralonsoh> hello
14:00:58 <slaweq> hi
14:01:08 <yamamoto> hi
14:01:10 <obondarev_> hi
14:01:55 <lajoskatona> Hi yamamoto
14:02:14 <lajoskatona> Ok, let's start
14:02:31 <lajoskatona> We have no RFE for today, but 2 topics in the "on demand agenda"
14:02:57 <lajoskatona> 1 from me, and it is to go back to the question of neutron-fwaas maintenance
14:03:16 <lajoskatona> see discussion on #openstack-tc with gmann: https://meetings.opendev.org/irclogs/%23openstack-tc/%23openstack-tc.2022-01-24.log.html
14:04:16 <lajoskatona> TC would like to make simpler to have maintainers for fwaas (anything) if I understand well, and to avoid project renaming where possible
14:04:58 <lajoskatona> so the question is if Inspur can keep maintaining / developing current fwaas repo in openstack/neutron-fwaas
14:05:08 <mlavalle> why don't we go to my original proposal  in December to Inspur?
14:05:56 <mlavalle> we can have them go though the process of formally rehabilitating the project in the stadium and we have the tamplates to guide us?
14:05:57 <slaweq> mlavalle: can You remind what was it exactly?
14:06:21 <mlavalle> I proposed using the template to evaluate stadium projects
14:06:27 <lajoskatona> perhaps this was it: http://lists.openstack.org/pipermail/openstack-discuss/2021-December/026425.html
14:06:31 <lajoskatona> I mean the mail
14:07:30 <lajoskatona> more likely this mail: http://lists.openstack.org/pipermail/openstack-discuss/2021-December/026442.html sorry
14:07:41 <mlavalle> yes the latter one
14:08:04 <lajoskatona> thanks mlavalle
14:08:09 <mlavalle> they already agreed to follow that path
14:08:17 <opendevreview> Merged openstack/neutron-lib stable/train: Enforce policy for qos_policy_id attribute  https://review.opendev.org/c/openstack/neutron-lib/+/826225
14:08:56 <obondarev_> does it contradict with what gmann suggested?
14:09:00 <mlavalle> and if we follow that process, it will alleviate the concern of adding more workload to the core team, because there will be commitments on th side of Inspur
14:09:56 <lajoskatona> mlavalle: yes, I think this can work
14:10:11 <slaweq> ++ for that if it will be better to have it in stadium again, instead of moving it to x/
14:10:17 <obondarev_> +1
14:10:32 <lajoskatona> If there is no activity we have still the option to stop fwaas maintenance again
14:10:33 <mlavalle> obondarev_: a little bit, but I think that Inspur, if they really want to maintain the project, should have some skin in the game
14:10:51 <slaweq> and regarding question about if we want to have it in stadium or not: I personally am fine with having it in stadium if the inspur team will maintain it
14:11:12 <lajoskatona> +1
14:11:14 <mlavalle> yeah, as long as we have a commitment
14:11:21 <mlavalle> from Inspur
14:11:25 <slaweq> we can make some of their developers cores in the neutron-fwaas repo even so we will not need to do a lot there hopefully
14:11:28 <ralonsoh> one question: being in stadium means releasing every cycle, right?
14:11:30 <mlavalle> and we formalize that commitment in a doc
14:11:47 <ralonsoh> (a part from other requirements)
14:11:57 <slaweq> ralonsoh: usually yes, but that generally depends on the release model for the project IIIUC
14:12:00 <mlavalle> ralonsoh: yes
14:12:05 <ralonsoh> thanks
14:12:46 <ralonsoh> so +1 from me, good to see people collaborating on Neutron orbit
14:13:57 <mlavalle> and I think Inspur will have a better offering to their customers. They now can claim that the new FWaaS has the official recornition of being in the Stadium
14:13:58 <lajoskatona> +1 from me also
14:14:25 <mlavalle> they can claim that Saint Lajos has annointed the project :-)
14:14:42 <lajoskatona> :-)
14:14:52 <lajoskatona> not me but the team
14:14:58 <slaweq> +1 from me too
14:15:11 <obondarev_> +1
14:15:18 <mlavalle> +1
14:15:18 <yamamoto> +1
14:15:43 <lajoskatona> but I can send the mail about it, so my stamp will be on top ;)
14:15:51 <mlavalle> cool
14:15:59 <mlavalle> you got the idea
14:17:03 <lajoskatona> ok, next topic is from slaweq: https://bugs.launchpad.net/neutron/+bug/1959332
14:17:17 <slaweq> thx lajoskatona
14:17:29 <slaweq> everything is already described in the bug description
14:17:37 <slaweq> but I will quickly explain here too
14:18:12 <slaweq> basically, with new rbac policies and scopes enforcement, project_admin user can access everything but from one project only
14:18:21 <slaweq> there is no "super user" who can access everything
14:18:43 <slaweq> so basically there is no user which can do "openstack port list" and see ports used as router external gateway
14:19:08 <slaweq> with old defaults, project admin (admin) can see all resources so also such ports
14:19:42 <slaweq> If we look at code https://github.com/openstack/neutron/blob/d0fd4aa30adc883971bd4d87e0540523bded7a38/neutron/db/l3_db.py#L337 - it is done intentionally that this port don't belongs to any project
14:20:03 <ralonsoh> I was looking for this
14:20:06 <slaweq> and now the question is - if we want to have those ports visible in api somehow, and if yes, how to solve it :)
14:20:16 <ralonsoh> why is that?
14:20:25 <slaweq> why is what ralonsoh ?
14:20:40 <ralonsoh> to let the port without project
14:20:45 <ralonsoh> the GW port
14:20:59 <slaweq> According to the comment there, to not expose such ports for regular users
14:21:22 <ralonsoh> this is not a good reason with RBACs in place now
14:21:36 <slaweq> we could probably change it to belong to tenant and add policy rule so such ports would be available only for admin users
14:21:46 <lajoskatona> with new RBAC model whose project_id should be there?
14:22:03 <ralonsoh> for project admin/users yes
14:22:03 <slaweq> lajoskatona: IMO it should be same owner as of router
14:22:15 <mlavalle> yeah I think so
14:22:18 <lajoskatona> ok
14:22:29 <ralonsoh> I agree with the second alternative you propose: to assign the project ID
14:22:35 <mlavalle> me too
14:22:37 <ralonsoh> matching the router project ID
14:22:41 <mlavalle> is the cleanest
14:22:54 <ralonsoh> (of course, for sure that will have a ton of issue will see later)
14:23:03 <obondarev_> yeah, the one without "hardcode" word in description :)
14:23:08 <slaweq> and new policy rule to make such ports available only for the PROJECT_ADMIN by default, right?
14:23:17 <lajoskatona> that's sounds reasonable
14:23:21 <ralonsoh> yes
14:23:33 <slaweq> so operator will even be able to modify it if will want to expose such ports to users
14:23:36 <mlavalle> yeah, but that's probably the shake up that needs to happen as a consequence of implementing the new RBAC model OpenStack wide
14:23:47 <slaweq> sounds like step in good direction with new rbac
14:24:28 <slaweq> mlavalle: I think that there will be many such shake ups there :)
14:24:38 <slaweq> this is really huge change
14:24:38 <mlavalle> yeap, me too
14:25:19 <slaweq> ok, thx for Your opinions on this
14:25:23 <slaweq> I think I know what to do now
14:25:29 <mlavalle> btw, I think that we should not only fix this in Neutron, but also we should share the "incident" with the new RBAC czars leading this at the OpenStack weide level
14:25:36 <slaweq> so I will summarize this discussion in the Launchpad and will propose some patch
14:25:53 <mlavalle> they should see the consequences of their decisions
14:26:24 <mlavalle> maybe there is a learning in this for them too
14:26:28 <slaweq> mlavalle: sure, I will add people responsible by RBAC to the review of that patch and will explain it to them
14:27:12 <mlavalle> they might even have suggestions based on the impact they've seen in other projects
14:28:06 <slaweq> TBH I don't think so - this is probably something specific to neutron that resource which normally belongs to the project, don't belong to any project in some case
14:28:14 <lajoskatona> I see long discussions again for the PTG :-)
14:28:19 <mlavalle> lol
14:28:26 <slaweq> and it sounds for me like "hack/workaround" on our side :)
14:28:44 <mlavalle> cool
14:28:57 <slaweq> thx for Your feedback and suggestions on this
14:29:01 <slaweq> that was all from me
14:29:23 <lajoskatona> thanks for bringing it here and taking care of it
14:29:25 <mlavalle> thanks for bringing this up
14:30:19 <lajoskatona> If there's nothing more, we can close the meeting for today
14:30:26 <slaweq> ++
14:30:30 <mlavalle> nothing else from me
14:30:45 <lajoskatona> #endmeeting