13:59:35 #startmeeting neutron_ipv6 13:59:36 Meeting started Tue Feb 4 13:59:35 2014 UTC and is due to finish in 60 minutes. The chair is sc68cal. Information about MeetBot at http://wiki.debian.org/MeetBot. 13:59:37 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 13:59:39 The meeting name has been set to 'neutron_ipv6' 14:00:46 #topic recap previous meeting 14:01:14 #link https://wiki.openstack.org/wiki/Meetings/Neutron-IPv6-Subteam#Agenda_for_Feb_4th Agenda for today 14:01:49 Looks like shshang isn't here yet 14:03:03 So, last week I had an action to rebase the review and add the second ipv6 attribute to subnets 14:03:27 #link https://review.openstack.org/#/c/52983/ Create new IPv6 attributes for Subnets 14:04:20 So at this point it's just fixing some issues with the migration and db models to make them play nice with postgresql 14:05:08 shshang has a review that we're trying to get rebased on top of that review, so the gate will test it properly 14:05:32 is that the one that the of you were working out in #openstack-neutron last week? 14:06:18 sc68cal, one question with this review: https://review.openstack.org/#/c/58186/. Is it completely abandoned? shshang's new review covers dhcp. What about the remaining changes in 58186? 14:06:50 baoli: I imagine that will be rebased 14:06:54 baoli: I think that one is abandoned, as it's using an old model 14:07:10 that was basing on running the entire dhcpv6 server out of the router space 14:07:12 Yes, that one is abandoned 14:07:23 ah whoops 14:07:27 ok. 14:07:49 For some reason I was thinking the IPV6 SLAAC blueprint - which was just abandoned this morning 14:08:14 So the changes in the firewall module is no longer needed with this new model 14:08:52 which changes? 14:09:08 https://review.openstack.org/#/c/58186/2/neutron/agent/linux/iptables_firewall.py 14:09:34 The firewall changes, I think, is duplicating with DaoZhao's code 14:09:47 +1 14:09:59 I think it actually duplicates this 14:10:04 it's necessary, but will be compartmentalized to be added only for gateway IPs 14:10:19 and that's what DaoZhao's working on 14:10:21 hello everyone, sorry for being late 14:10:25 https://github.com/netoisstools/neutron/commit/cecd7591533e2c046aedba3b8e5d14a5b2fa7fe9 14:10:32 Hey, xuhanp 14:10:53 hey. sorry for interrupting, pleaes continue. 14:11:24 got it. 14:11:38 shshang: Do you have the link handy for the blueprint for horizon that we needed to register? 14:12:12 I have an old one - https://blueprints.launchpad.net/horizon/+spec/neutron-subnet-mode-support 14:12:38 No....I didn't register one yet for horizon....Sorry about that. :( 14:12:50 Will do today 14:12:56 shshang: OK - well let's just repurpose the one I created a while back 14:13:22 #action sc68cal edit horizon blueprint to match new attribute blueprints in neutron 14:13:28 Hi can we add some more details to that Horizon bp please? 14:13:58 #topic blueprints 14:14:11 absubram: Yes - do you have any suggestions? 14:15:12 Alright. Moving on 14:15:34 sc68cal, shshang, one more question regarding the abandoned review: https://review.openstack.org/#/c/58186/2/neutron/agent/l3_agent.py. what happens to that change? 14:16:05 well I am new to this.. but I was taking a look at it from what needed to be done in Horizon.. and I am not really sure what the ipv6 effort adds from neutron.. 14:16:12 so maybe just some whiteboard notes 14:16:23 The l3_agent function will be carried onto icehouse release. I am waiting for Randy to join. He owns that piece 14:16:25 baoli: Check out shshang's new review https://webmail.comcast.com/owa/redir.aspx?C=QxLI8ZBxq0GPzZXTFxWndIhLZPRF9dAIqAyUc7s4-RSvq9I03V1QBlP0VXz43dUkRD1zumO4wBI.&URL=https%3a%2f%2freview.openstack.org%2f70649 14:16:30 shit 14:16:34 that way it'd be easier to figure out what needs to be done from Horizon to support this? 14:16:38 https://review.openstack.org/#/c/70649/ 14:16:52 absubram: the horizon piece is going to need to reflect the new options we're adding to the API 14:17:05 I am only working on the tenant network side 14:17:11 there are two keywords going in for managin IPv6 subnets 14:17:21 and Randy is working on the external network side 14:18:06 shshang, another BP or a bug? 14:18:27 aveiga: thanks! can we add that detail and what the new keywords are? In the horizon bp.. 14:18:48 absubram: Yes, because it will be directly linked to the other BP covering said attributes 14:19:00 absubram: there's a link to the neutron bp in the description for the horizon bp 14:19:22 https://blueprints.launchpad.net/neutron/+spec/ipv6-two-attributes 14:19:38 ok thanks! 14:19:41 will look at it 14:20:50 absubram: you might want to go back and take a look at our past meeting minutes to catch up, there's a lot we've discussed previously that explains why we're doing what we're doing: https://wiki.openstack.org/wiki/Meetings/Neutron-IPv6-Subteam 14:21:57 shshang, so this BP will also cover the change in l3_agent.py, and Randy will be working on it. thanks. 14:22:37 aveiga: good suggestion.. I'll be sure to do that 14:23:48 Anything else on the blueprint side before I turn it over to open discussion? 14:23:58 so besides the Horizon BP, are there any missing to complete our existing goals for Icehouse? 14:24:05 Any work with devstack to setup ipv6? 14:24:06 I think no, at this point 14:24:17 sc68cal, I still need your help to link my code to your base 14:24:45 sc68cal has been setting up devstack in our lab with v6, but it's tweaked to use provider networks. I don't think there's much to change though for GRE 14:25:09 sc68cal, do you have some time today and we can use google hangout? 14:25:15 sc68cal: would it be possible to post your configs as a gist? 14:25:31 or maybe in the openstack etherpad 14:25:39 shshang: Yes - I can help you today 14:26:07 I can post my configs for devstack as well that we use in the lab 14:26:33 cool 14:26:35 I also have a branch of devstack that creates v6 subnets - so I'll post that branch as well 14:27:30 @baoli: yes, I am addressing the l3_agent.py for external gateway 14:27:51 rtuttle1015, thanks. 14:28:23 sc68cal, would the changes you have for devstack needs to be upstreamed? 14:28:53 #action sc68cal post branch of Devstack + configs on the mailing list 14:29:07 baoli: They'd need some work for that 14:29:11 baoli: not sure, like I said they're specific to provider nets and I know devstack doesn't normally do that 14:29:24 ^^^ what aveiga said 14:29:43 but if they can be altered to do GRE tunnels, then I don't see why not 14:29:54 start exposing the rest of openstack devs to v6 as soon as we can 14:30:04 well, let me think about that 14:30:15 once they're up, have a look 14:30:23 if you see something you can do to integrate them, go nuts 14:30:34 sure thing 14:30:59 I think we're clear on BPs then 14:31:21 #topic open discussion 14:31:53 Randy and I have a question regarding semantic check 14:32:24 In two attributes combination, some modes are not valid for some use cases 14:32:51 I think the determination we made last time was to let it go 14:33:03 We think we need to add semantic check to return errors to client (both neutron CLI and Horizon) 14:33:04 if the user is configuring these, they need to know enough about IPv6 networks 14:33:20 for the same reason that we covered not just assuming it's invalid 14:33:31 maybe a user is trying to do something we haven't come across yet 14:33:52 yes, so in this case, we need to let user be aware what they are doing is not supported 14:34:04 but if the wrong combos get to the agent on network node, weird configs get hard to debug. why not send the error back from API 14:34:06 what's not supported, though? 14:34:18 rtuttle1015: which use case are you referring to? 14:34:28 So the best place we can think of is on neutron server side 14:34:33 shshang's table are the valid cases 14:34:51 which can cover both neutron client and horizon 14:35:05 can we not include a static table of some sort that determines the valid combos 14:35:14 I think we can add the check to Sean's code which is validating the two modes 14:35:28 we can't make a determination on validity 14:35:28 yes, this is what shshang and I were thinking 14:35:32 xuhanp, that is what we are thinking too 14:35:33 that's the core of what I'm getting at 14:35:55 no, we have shshang's table which highlight the current supported combos. 14:36:10 rtuttle1015: ah , is that what those red squiggles are? 14:36:12 a truth table of sorts 14:36:22 I can't seem to find the table 14:36:39 or at least, the most recent version 14:36:40 #link https://www.dropbox.com/s/rq8xmbruqthef38/IPv6%20Two%20Modes%20v2.0.pdf Ipv6 modes table 14:36:45 sc68cal, yes, the highlighted one are the ones we support and we developed 14:36:51 yes, that's it 14:37:07 you guys should amend that PDF to add that - I sort of was wondering what it was 14:37:21 yes, we will 14:37:36 that PDF has everything underlined except the cases where averything is off 14:37:50 which is the equivalent to setting enable_dhcp = 0 14:37:56 for example, if subnet has no gateway port, and user want dnsmasq to send RA, then we need to return error 14:38:23 I need to update the link to version 3.0 14:38:32 shshang: what if the gateway is going to be added by config drive when a service VM starts up? 14:38:39 it would need to be on-net before the port could be added 14:39:14 that is the case we didn't have time to cover yet 14:39:19 right 14:39:27 that's why I'm saying don't throw a validation error 14:39:32 just silently let it go 14:39:37 aveiga: I imagine we'd need to talk to the service insertion folks 14:39:55 sc68cal: I'm imagining this is possible on your own today even without that piece 14:39:57 since they're tackling the problem of how to insert firewalls and other services into the wire 14:40:28 I could spin up an haproxy today on v6, use config drive to manually add the v6 address that's not part of the pool but still inside the /64, and then use the api to add it as the gateway 14:40:29 aveiga, that is actually the next topic I want to bring up 14:41:18 the validation should be there based on the current configuration. If later on, the setup is changed, then we need to trigger the validation again. 14:41:31 So this is 2-fold story 14:42:14 but according to your table, all modes are valid except off/off 14:42:47 I refer to a case in the last email thread, which discuss private network v.s. provider network..... 14:43:20 You bring up a good point of provider network in your reply. 14:44:28 I think we have a different issue here 14:44:48 that's a question of which addresses we want to use on a private network 14:45:03 technically, we don't need any since LLA should be sufficient 14:45:31 yes, that cover address assignment side. How are about RA side? 14:45:38 no RA 14:45:41 if you're using LLA 14:45:44 but that's not the question 14:45:45 exactly 14:45:57 the question is do we want to support GRAs on a private network? 14:46:01 or even ULAs 14:46:06 what if user configure ipv6_ra_mode with attribute to enable RA 14:46:21 enabling RA only works if there's a gateway port 14:46:22 we know we don't need RA, but user may not know 14:46:53 there is nothing prevent them from typing ipv6_ra_mode = DHCPV6 Stateful 14:47:07 and if that happens, the system needs to tell them, sorry, this is wrong 14:47:28 if there's no gateway, then we report that we can't issue RAs 14:47:31 no matter what mode 14:47:43 aveiga, why enabling RA only works if there's a gateway port? 14:47:46 exactly. The "report" piece is what I am looking for 14:47:52 baoli: something has to send the RA 14:48:03 The "report" is what I refer to semantic check 14:48:10 the system need to throw error 14:48:11 You can send it through the dhcp port, right? 14:48:26 baoli: only if you want to permanently blackhole that network 14:48:37 if I add a gateway port later, it won't do anything 14:48:47 most linux distros ignore multiple RAs for the same subnet 14:49:06 so the second RA would come from the valid gateway, but get ignored. Then you can't route 14:49:34 I think that's the purpose of ULA? In addition, a port can have mutiple ipv6 addresses in addition to ULA 14:50:12 aveiga, a route can be associated with a preference value 14:50:13 if you want ULA, then you have to advertise only ULA 14:50:26 baoli: linux doesn't honor the preference value 14:50:32 there are MANY bugs filed against this 14:51:02 If user add a gateway port later, DB is updated. If user prefer change the subnet mode, then they can do it now. 14:51:06 I've been testing this in production environments for the past 5 years, and it's not reliable 14:51:20 shshang: that's fine, but they have to re-address 14:51:21 aveiga, I tried. I have radvd running in both the dhcp namespace and the router space, and I have the route from the router spave have higher preference, and that route is chosen 14:51:43 or you have to have a really short RA lifetime and remove it completely from the dhcp server 14:52:37 do you want to extend the semantics check to only allow advertising RAs from the DHCPv6 namespace when there's also no gateway and only using ULA space? 14:52:49 but then that's not goign to be pleasant either, because ULA can be routed 14:53:09 or we just only support LLA on non-routed networks? 14:53:18 this is not a simple question 14:53:32 I have a couple of more questions, 1. are the two new subnet modes exposed to the normal users? 2. normally a user launches a VM with nova boot --nic, and the nic will be associated with one of the subnets available in a network. how does the VM user indicate that the VM should be enabled with ipv6 and with which ipv6 subnet? 14:53:34 aveiga, is that question to me, or to baoli? 14:53:41 shshang: to all 14:54:05 baoli: they don't, this is only network-level configuration 14:54:11 How are about this, would u plz do me a favor sending all of the use cases to the ML, and we can chew on it. 14:54:23 shshang: I don't think I can even cover them all 14:54:23 it also gives us a chance to think it through. 14:54:28 I'm sure I will miss a bunch 14:54:38 but I can try 14:54:48 Just a couple of them, which will impose challenges on the semantic checks 14:54:57 sc68cal: AI me to cover private network addressing cases on the ML, please 14:54:58 how about a short-list of the most important use cases 14:55:09 #action aveiga cover private network addressing cases on the ML 14:55:10 and then we can table this to the ML, since we're running out of time 14:55:17 these are the ones we will allow, and then drop all others with error to user 14:55:55 Can someone help me with my second question? 14:55:55 rtuttle1015: I want to avoid that 14:56:04 that's why we're stuck with broken SLAAC today 14:56:19 aveiga, your points about post configuration change are valid. I don't have answer right now. But I believe we can find a solution/workaround jointly. 14:56:26 but we can't boil the ocean, and certainly can't address "unknown" use cases 14:56:27 baoli: if there's a v6 subnet on the network, they get v6 14:56:29 that's simple 14:56:38 so let's allow those we know, drop all others (for now) 14:56:46 aveiga, thanks. 14:56:55 rtuttle1015: agreed, but I'd rather err on allowing them even if they aren't considered "valid" 14:57:10 better to let a guilt man go free then put an honest one in prison, no? 14:57:33 if we want a WARN: in the logs, I'm ok with that 14:57:36 so what you're really saying is drive the error checking down to the agent (network node), spit a log silently and then go debug later 14:57:37 How are about we document them, so user at least have a reference of the limitation? 14:57:44 rtuttle1015: yes 14:57:50 I don't like that 14:57:53 shshang: I will, hence the AI 14:58:02 makes network node do unnecessary work 14:58:11 checking should be on neutron-server 14:58:30 but it makes unkown cases possible instead of requiring someone to rewrite code to compensate 14:58:50 sc68cal, can we make sure this topic will be in next week's agenda? We need to reach consensus. 14:58:56 agreed 14:58:59 +1 14:59:02 in any case, I need to drop for another meeting 14:59:19 see you all on the ML 14:59:22 o/ 14:59:27 LOL 14:59:32 yah, we only have 1 min left 14:59:33 shshang: yeah we'll recap it next week based on the mailing list convo 14:59:37 Yup 14:59:39 will do 14:59:42 Alright everyone 14:59:51 aveiga, thank you for your points 15:00:00 thanks for joining, we'll reconvene next week 15:00:04 #endmeeting