14:02:31 <sc68cal> #startmeeting neutron_ipv6 14:02:32 <openstack> Meeting started Tue Mar 18 14:02:31 2014 UTC and is due to finish in 60 minutes. The chair is sc68cal. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:02:33 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 14:02:35 <openstack> The meeting name has been set to 'neutron_ipv6' 14:02:38 <baoli> hi 14:03:06 <sc68cal> So - we have some good news 14:03:19 <sc68cal> the subnet attributes patch was merged yesterday 14:03:21 <shshang> What's it? 14:03:26 <shshang> Oh, cool! 14:03:33 <sc68cal> and part of dzyu's patch for EUI64 addresses 14:03:41 <shshang> That's excellent! Congrats, sc68cal! 14:03:44 <sc68cal> we had to split it though 14:03:49 <sc68cal> so we added the utility library 14:04:08 <sc68cal> but we did not patch db_base_plugin_v2 14:04:26 <sc68cal> Here's the bad news 14:04:33 <sc68cal> shshang's patch did not land 14:04:47 <sc68cal> there are concerns about networks with multiple v6 subnets 14:04:56 <shshang> that's fine. :) 14:05:19 <sc68cal> Basically if you have 2 v6 subnets with slaac 14:05:20 <shshang> that's means, I can take my time and no need to rush now 14:05:29 <sc68cal> no idea which prefix is going to be used 14:06:09 <sc68cal> Now the good news is that since the attributes patch landed - no more rebasing to chase the HEAD alembic script 14:06:23 <shshang> Yup, that is true. :D 14:06:26 <baoli> well, I patched in the change, and tried it myself. the VM will get both prefixes. 14:06:26 <sc68cal> which was like 90% of the churn 14:06:46 <SridharG> sc68cal: Did the client (python-neutronclient) side changes also got merged? 14:06:54 <xuhanp> not yet 14:06:57 <sc68cal> SridharG: good question 14:07:04 <xuhanp> I got one -1 about unit test 14:07:09 <xuhanp> I just restored it today 14:07:48 <sc68cal> The other possible piece is that for Icehouse 14:07:59 <sc68cal> we may patch it so that the v6 attributes are not returned to API requests 14:08:11 <sc68cal> since there is nothing behind the API - since the dnsmasq changes did not land 14:08:33 <sc68cal> but once J opens - they'll undo the disable 14:08:50 <sc68cal> so we'd be able to continue our work 14:09:21 <sc68cal> Otherwise - I think we did a great job given the circumstances 14:09:34 <sc68cal> Everyone - pat yourselves on the back 14:10:08 <xuhanp> sc68cal, do we still have time for my security group patch to get merged? 14:10:32 <sc68cal> xuhanp: since that is a bug - it is possible 14:10:45 <xuhanp> I have one small problem with the unit test due to recent code change. 14:10:59 <xuhanp> sc68cal, good to know 14:12:01 <sc68cal> #topic blueprints 14:12:24 <sc68cal> #link https://blueprints.launchpad.net/neutron?searchtext=ipv6 Ipv6 Blueprints 14:13:34 <sc68cal> Since we're moving towards RCs - make sure you've got your BPs all set 14:14:16 <sc68cal> baoli: did we ever register a bp for prefix delegation? 14:14:29 <baoli> sc68cal, I did 14:14:29 <sc68cal> oh there it is 14:14:38 <sc68cal> #link https://blueprints.launchpad.net/neutron/+spec/ipv6-prefix-delegation Prefix Delegation 14:14:53 <sc68cal> perfect 14:15:18 <sc68cal> if there isn't anything else, we'll continue on 14:15:54 <sc68cal> #topic bugs 14:16:05 <sc68cal> #link https://bugs.launchpad.net/neutron/+bugs?field.tag=ipv6 IPv6 tagged bugs 14:16:09 <shshang> so if I understand you correctly, we won't be able to make the change to the code until Juno, is that correct? 14:16:33 <absubram> sc68cal: Sean - congrats on getting the neutron side of the new IPv6 attributes getting merged last night 14:16:54 <sc68cal> shshang: Yes - so usually that's the week after the summit 14:16:56 <absubram> unfortunately in the Horizon community, we decided to move the Horizon BP out to Juno 14:17:19 <shshang> OK, good to know. Thank you 14:17:19 <absubram> it should go in very early in J hopefully 14:17:21 <sc68cal> absubram: that's fine - since the attributes don't do anything currently 14:17:59 <sc68cal> Any other bugs to discuss? 14:18:42 <sc68cal> #topic reviews 14:19:15 <sc68cal> So - I don't know if there is anything to report besides what we spoke about in the beginning 14:19:38 <sc68cal> otherwise I'll turn us over to open discussion 14:19:56 <xuhanp> sc68cal, I hope more people can help review my security group bug patch if that's possible :-) 14:20:10 <xuhanp> I kind of changed the design from the beginning 14:20:23 <sc68cal> careful what you wish for :) 14:20:43 <xuhanp> :-) 14:21:19 <sc68cal> But yes - we should review it since there's a chance of it getting merged for icehouse 14:21:44 <sc68cal> anything else before we go to open discussion> 14:21:50 <shshang> Other than that, we can celebrate, right? :) 14:22:35 <sc68cal> I got my celebrating in yesterday - st. patrick's day and getting ipv6 stuff merged 14:22:55 <sc68cal> :) 14:23:06 <shshang> Go GREEN! :D 14:23:22 <sc68cal> But yes - everyone should be proud of the work we've done 14:23:51 <sc68cal> We built a team and made Ipv6 a priority for Neutron 14:24:08 <sc68cal> we put it on the map, and it's only going to get better from here 14:24:16 <shshang> Yup 14:24:19 <xuhanp> sc68cal, good to have you as the lead! 14:24:46 <sc68cal> Haha - well I don't think of it quite that way - I just start the meetings and end them 14:25:26 <sc68cal> We had some great work that was floating around in private forks and we just pulled them out into the public 14:25:58 <sc68cal> #topic open discussion 14:25:59 <SridharG> sc68cal: can you please share the link for the security group bug patch. 14:26:04 <sc68cal> SridharG: sure. 14:26:16 <sc68cal> https://review.openstack.org/#/c/72252/ 14:26:26 <SridharG> sc68cal: thanks 14:27:14 <sc68cal> xuhanp: One thing that comes to mind 14:27:31 <sc68cal> your TODO about finding the GUA for a router - if it's put in the subnet's gateway field 14:28:04 <sc68cal> baoli: is GUA for a gateway unusual? 14:28:44 <baoli> sc68cal, not sure. 14:28:53 <xuhanp> sc68cal, you mean my TODO in my patch? 14:28:55 <sc68cal> I know we've probably talked about this a couple times - where we were thinking if the admin sets it that way- we just trust that they know what they're doing 14:28:58 <sc68cal> xuhanp: yes 14:29:48 <baoli> sc68cal, I think that we are talking about LLA here. 14:30:40 <sc68cal> the TODO on line 274 of xuhanp 's patch 14:30:54 <xuhanp> with my security group patch. Only LLA can be used when ra mode is off 14:31:13 <xuhanp> I think this is sc68cal is talking about? 14:31:45 <sc68cal> I think so 14:31:56 <sc68cal> but for Comcast - we'd be setting a gateway IP that is a LLA 14:32:10 <sc68cal> since it'd be a physical device that we know up front 14:32:59 <baoli> sc68cal, that is https://review.openstack.org/#/c/76125/ 14:33:29 <sc68cal> right - for routers that neutron creates 14:33:45 <baoli> In that case, we should check if a qr-xxx port is created by neutron when the subnet is added into a router 14:34:12 <baoli> It doesn't seem to make sense to create a neutron port in that case. 14:35:03 <xuhanp> baoli, you are saying we should not allow this subnet be attached to a router? 14:35:08 <shshang> I am confused about which use case you guys refer to.... 14:35:19 <shshang> baoli, would u plz elaborate? 14:35:35 <sc68cal> if i'm not mistaken 14:35:42 <baoli> xuhanp, it's a provider net, right? 14:35:47 <xuhanp> yes 14:35:54 <sc68cal> 76125 allows you to create a subnet with a LLA address 14:36:04 <sc68cal> then when you create a router for that subnet, it uses that LLA address 14:36:11 <sc68cal> *attach a router that you've created 14:36:41 <baoli> sc68cal, I think my qeustion is if it's a provider net, and ra is done externally, why would you need a neutron router 14:36:57 <sc68cal> baoli: I don't think 76125 was meant to address that 14:37:07 <sc68cal> remember this patch was in response to the -1 that you did for another review 14:37:12 <sc68cal> where you created a v6 subnet 14:37:15 <sc68cal> then created a router 14:37:29 <sc68cal> with a pre-defined gateway IP that was an LLA address 14:37:52 <sc68cal> and when Neutron tried to set the router's IP to that LLA address that was stored in the subnet's gateway attribute - it blew up 14:38:37 <sc68cal> https://review.openstack.org/#/c/72252/2/neutron/db/securitygroups_rpc_base.py 14:38:42 <baoli> sc68cal, I agree. So you are saying that this subnet with LLA gateway IP still needs to be added in a router? 14:38:43 <sc68cal> line 264 14:39:06 <baoli> sc68cal, I'm not questioning about the change. 14:39:47 <sc68cal> I think all we're trying to fix was this error 14:39:52 <sc68cal> 400-{u'NeutronError': {u'message': u'Invalid input for operation: IP address fe80::2001:1 is not a valid IP for the defined subnet.', u'type': u'InvalidInput', u'detail': u''}} 14:40:04 <sc68cal> which happened when you did openstack@devstack-16:~/devstack$ neutron router-interface-add 7cf084b4-fafd-4da2-9b15-0d25a3e27e67 myipv6sub 14:40:20 <sc68cal> but I could be mistaken 14:40:46 <xuhanp> sc68cal, I think baoli's question is do we ever need to do that. 14:41:09 <baoli> xuhanp, yes, that's my question with provider net 14:41:09 <xuhanp> to attach a provider network to the router 14:41:34 <shshang> if it is provider network, then neutron doesn't need to deal with qr- interface any more, right? 14:41:35 <xuhanp> baoli, I don't think neutron limit that provider network should not be attached to a router. 14:41:35 <sc68cal> I don't think this error was related to a provider network and external gateway 14:41:58 <shshang> so what sc68cal described is not applicable for provider network 14:42:09 <sc68cal> this was an error encountered when you were making a neutron router with a predefined gateway 14:42:15 <sc68cal> that was an LLA 14:42:22 <shshang> Yup 14:42:30 <sc68cal> Neutron would try and set the router's IP to an LLA address and the whole thing would blow up 14:43:27 <baoli> sc68cal, yes. Now that the error is fiexed: a user can create a predefined gateway that's not on the subnet, would it make sense to add that subnet into the router any more? 14:43:37 <sc68cal> I don't think it is fixed 14:43:49 <xuhanp> it was supported 14:43:55 <xuhanp> before 14:44:17 <xuhanp> someone wants to change it but Anthoy stopped that. 14:44:28 <xuhanp> If I remember correctly 14:46:15 <baoli> yes, I knew that it was allowed, then the restriction (gateway on the same subnet) was added later 14:48:19 <xuhanp> baoli, yep. with a configuration flag 14:48:29 <shshang> boali, yes, in ipv6 subnet case, it still makes sense to add that subnet to the router 14:49:03 <baoli> shshang, can you explain? 14:49:22 <shshang> I think the use case you mentioned is valid, only for IPv6 14:49:40 <shshang> "a user can create a predefined gateway that's not on the subnet, would it make sense to add that subnet into the router any more?" 14:49:58 <sc68cal> I believe that's the only way that subnet would be able to get traffic out 14:50:07 <sc68cal> if the gateway IP is an LLA address 14:50:11 <shshang> yes 14:50:25 <sc68cal> otherwise the router attach step fails and the subnet has no gateway 14:50:36 <shshang> I remember in IPv6, you can add the GUA as default gateway, and you can also add LLA as default gateway 14:50:53 <shshang> The latter case is the scenario baoli wants to address, right? 14:51:21 <shshang> the former case will pass the check, but the latter case will blow up, because the checkpoint think it is not in the same subnet 14:51:28 <shshang> Is my understanding correct, baoli? 14:51:57 <baoli> shshang, if you create a subnet with a LLA gateway, and then add it to a router. 14:52:13 <baoli> you would end up having two LLAs on the qr-xxx port 14:52:44 <sc68cal> are we sure of that 14:52:44 <shshang> one is predefined, one is auto-calculated, right? 14:52:59 <baoli> shshange, right 14:53:03 <sc68cal> currently it just blows up - no router is created 14:53:23 <sc68cal> so there are no qr-xxx ports 14:53:42 <baoli> Plus, it's against the routing principle to allow a gateway not on the same subnet to forward the subnet's traffic. 14:53:55 <baoli> That's why my question about adding such a subnet into a router. 14:54:12 <sc68cal> but LLAs are not on the same subnet 14:54:26 <sc68cal> in the way Neutron thinks of things being on the same subnet 14:55:35 <sc68cal> am I following this correctly? please let me know if I am mistaken 14:55:37 <baoli> sc68cal, if a gateway with the LLA is external, then it shouldn't be added into a router with the same LLA. But as you said, it's up to the admin to do the right thing. In that case, it would be fine 14:55:48 <shshang> baoli, now I see your point...I am not sure about whether it is legal to have more than 1 LLA. Let me double check 14:55:50 <sc68cal> baoli: The gateway is not external 14:56:06 <baoli> shshang, it's legal 14:56:08 <sc68cal> This is for a subnet that you create - with a predefined LLA address, that you then create a router in neutron 14:56:22 <sc68cal> that will use that LLA address that was set as the subnet's gateway 14:56:29 <sc68cal> which currently fails 14:56:41 <sc68cal> this has nothing to do with an external gateway that is a physical device 14:56:44 <sc68cal> am I correct? 14:57:20 <sc68cal> ok - we need to take this to the mailing list 14:57:39 <sc68cal> we've probably discussed this a couple times and not gotten anywhere - so I will start a thread on the ML 14:57:40 <shshang> baoli, according to Cisco doc, multiple IPv6 link-local addresses on an interface are not supported 14:57:41 <baoli> sc68cal, if that's the case, the change (or fix), I think, will be different. 14:57:57 <baoli> shshang, cisco is not supporting it 14:58:01 <shshang> yup 14:58:02 <baoli> but others do 14:58:16 <baoli> it doesn't seem to be useful with multiple LLAs 14:58:26 <sc68cal> baoli: I don't agree - I think xuhanp's change fixes 14:59:21 <sc68cal> ok - I'll post on the ML 14:59:25 <sc68cal> thanks everyone 14:59:33 <baoli> sc68cal, we can discuss on the ML 14:59:35 <baoli> thanks 14:59:37 <sc68cal> #endmeeting